---
# Identity the SPIRE server pod runs as. Every RBAC grant in this file is
# bound to this ServiceAccount, so it is the principal the server uses when it
# calls the Kubernetes API (TokenReview for PSAT attestation, ConfigMap
# patches for bundle publication).
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: spire-system
  name: spire-server
---
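---
# Cluster-wide permissions for the SPIRE server, kept to the minimum the
# k8s_psat node attestor needs. Everything else the server does is namespaced
# and lives in the Role below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: spire-server-cluster-role
rules:
  # Node lookup: k8s_psat resolves the node that hosts the attesting agent pod.
  # Node objects are cluster-scoped, which is why this cannot be a Role.
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  # TokenReview: validates the projected service account token an agent
  # presents during PSAT attestation. TokenReview is a create-only virtual
  # resource (it is never stored), so the former "get" verb granted nothing
  # usable and has been dropped for least privilege.
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create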
---
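---
# Binds spire-server-cluster-role to the spire-server ServiceAccount.
# ClusterRoleBinding is cluster-scoped, so no metadata.namespace is set: the
# API server ignores it on cluster-scoped objects (newer kubectl versions warn).
# The subject's namespace below is what ties the binding to our ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: spire-server-cluster-role-binding
subjects:
  - kind: ServiceAccount
    name: spire-server
    namespace: spire-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: spire-server-cluster-role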
---
---
# Namespaced permissions for the SPIRE server inside spire-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: spire-system
  name: spire-server-role
rules:
  # Pod reads: k8s_psat looks up the attesting agent's pod to derive its
  # selectors. Read-only, no list/watch.
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
  # Bundle publication: the k8sbundle notifier patches the current trust bundle
  # into the spire-bundle ConfigMap. resourceNames pins the grant to that single
  # object, so this Role does not let the server read or modify any other
  # ConfigMap in the namespace (including its own server config).
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - spire-bundle
    verbs:
      - get
      - patch
---
---
# Binds spire-server-role (namespaced) to the spire-server ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: spire-system
  name: spire-server-role-binding
subjects:
  - kind: ServiceAccount
    namespace: spire-system
    name: spire-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: spire-server-role
---
---
# Trust-bundle ConfigMap for the trust domain. It is created empty here; the
# server's k8sbundle notifier (see the server config) patches the current
# bundle into it as the CA rotates. SPIRE agents mount this ConfigMap and use
# the certificate material in it to bootstrap trust in the server during node
# attestation. It carries only public CA certificates, never private keys.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: spire-system
  name: spire-bundle
---
---
# SPIRE server configuration (HCL), mounted read-only by the Deployment at
# /run/spire/server/config/server.conf.
#
# Review notes on the configuration below (content unchanged):
# - The server API (8081), federation bundle endpoint (8443) and health
#   listener (8080) all bind 0.0.0.0 inside the pod; what is reachable from
#   outside the pod is decided by the Services further down, not here.
# - The bundle_endpoint has no explicit `profile` block. Recent SPIRE releases
#   expect `profile "https_spiffe" {}` there — confirm against the 1.10.4
#   server documentation before relying on federation.
# - The sqlite3 DataStore and the "disk" KeyManager keep the datastore and
#   the CA signing keys as plain files under data_dir. That directory must be
#   backed by a writable volume, and a file-based key store is not suitable
#   beyond a demo (use a KMS/HSM-backed KeyManager in production).
# - log_level DEBUG is verbose and may log attestation details; lower it
#   outside of demos.
# - service_account_allow_list restricts PSAT node attestation to agents
#   running as spire-system:spire-agent in cluster "cluster1".
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: spire-system
  name: spire-server
data:
  server.conf: |
    server {
      bind_address = "0.0.0.0"
      bind_port = "8081"
      trust_domain = "cluster1.demo"
      data_dir = "/run/spire/server/data"
      log_level = "DEBUG"
      federation {
        bundle_endpoint {
          address = "0.0.0.0"
          port = 8443
        }
      }
    }
    plugins {
      DataStore "sql" {
        plugin_data {
          database_type = "sqlite3"
          connection_string = "/run/spire/server/data/datastore.sqlite3"
        }
      }
      NodeAttestor "k8s_psat" {
        plugin_data {
          clusters = {
            "cluster1" = {
              service_account_allow_list = ["spire-system:spire-agent"]
            }
          }
        }
      }
      KeyManager "disk" {
        plugin_data {
          keys_path = "/run/spire/server/data/keys.json"
        }
      }
      Notifier "k8sbundle" {
        plugin_data {
          namespace = "spire-system"
        }
      }
    }
    health_checks {
      listener_enabled = true
      bind_address = "0.0.0.0"
      bind_port = "8080"
      live_path = "/live"
      ready_path = "/ready"
    }
---
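---
# SPIRE server Deployment: the server itself plus the spire-controller-manager
# sidecar, which reaches the server API over a Unix socket on a shared
# emptyDir volume.
#
# Review notes:
# - The spire-controller-manager-config ConfigMap mounted below is not defined
#   in this file; it has to be applied alongside this manifest.
# - All state is on emptyDir volumes, so the CA signing keys and the sqlite
#   datastore do not survive pod deletion or rescheduling; agents would then
#   hold a bundle for a CA that no longer exists. Back data_dir with a
#   PersistentVolume (typically via a StatefulSet) for anything beyond a demo.
# - runAsNonRoot / readOnlyRootFilesystem are not set because the images'
#   default UID and write paths are not established by this manifest; confirm
#   them and add those fields (the hardened SPIRE Helm charts do).
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: spire-system
  name: spire-server
  labels:
    app: spire-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: spire-server
  template:
    metadata:
      labels:
        app: spire-server
    spec:
      serviceAccountName: spire-server
      # NOTE(review): this shares one PID namespace between both containers,
      # so each can see, signal and read /proc entries of the other's
      # processes. Nothing in this manifest evidently needs it — the socket is
      # shared via a volume, not via /proc — so confirm and drop it if unused.
      shareProcessNamespace: true
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: spire-server
          # Pinned to a release tag. Prefer an @sha256 digest so the image
          # cannot be swapped underneath the tag.
          image: ghcr.io/spiffe/spire-server:1.10.4
          imagePullPolicy: IfNotPresent
          args:
            - -config
            - /run/spire/server/config/server.conf
          ports:
            - name: api
              containerPort: 8081
            - name: bundle
              containerPort: 8443
            - name: health
              containerPort: 8080
          # Probes target the health_checks listener configured in server.conf
          # (0.0.0.0:8080 with /live and /ready). Without them a wedged server
          # keeps receiving agent traffic via the Service.
          livenessProbe:
            httpGet:
              path: /live
              port: health
            initialDelaySeconds: 15
            periodSeconds: 60
            timeoutSeconds: 3
          readinessProbe:
            httpGet:
              path: /ready
              port: health
            initialDelaySeconds: 5
            periodSeconds: 5
          # Nothing here needs capabilities or a privileged-port bind
          # (all listeners are above 1024), so drop everything regardless
          # of which UID the image runs as.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: spire-config
              mountPath: /run/spire/server/config
              readOnly: true
            # data_dir from server.conf: sqlite datastore and KeyManager key
            # file. Without an explicit mount these land in the container's
            # writable layer and are lost on every container restart.
            - name: spire-data
              mountPath: /run/spire/server/data
            - name: spire-server-socket
              mountPath: /tmp/spire-server/private
        - name: spire-controller-manager
          # NOTE(review): "nightly" is a mutable, unversioned tag, and with
          # IfNotPresent every node keeps whatever build it happened to pull
          # first, so replicas and upgrades become non-reproducible. Pin a
          # release tag (ideally by digest) before using this outside a demo.
          image: ghcr.io/spiffe/spire-controller-manager:nightly
          imagePullPolicy: IfNotPresent
          args:
            - --config=spire-controller-manager-config.yaml
          ports:
            - name: webhook
              containerPort: 9443
            - name: healthz
              containerPort: 8083
          readinessProbe:
            httpGet:
              path: /readyz
              port: healthz
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            # Server API socket; the sidecar only connects to it, so the
            # mount stays read-only.
            - name: spire-server-socket
              mountPath: /spire-server
              readOnly: true
            - name: spire-controller-manager-config
              mountPath: /spire-controller-manager-config.yaml
              subPath: spire-controller-manager-config.yaml
      volumes:
        - name: spire-config
          configMap:
            name: spire-server
        # Backs data_dir. emptyDir survives container restarts but not pod
        # deletion; see the note at the top of this Deployment.
        - name: spire-data
          emptyDir: {}
        - name: spire-server-socket
          emptyDir: {}
        - name: spire-controller-manager-config
          configMap:
            name: spire-controller-manager-config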
---
---
# Service for the SPIRE server gRPC API on 8081 (agent attestation and
# registration traffic).
# NOTE(review): type NodePort publishes this port on every node's IP (on a
# random high port, since none is pinned). In-cluster agents only need the
# ClusterIP name spire-server.spire-system:8081. Keep NodePort only if
# something outside the cluster must reach the server API, and constrain it
# with NetworkPolicy / host firewalling if so.
apiVersion: v1
kind: Service
metadata:
  namespace: spire-system
  name: spire-server
spec:
  type: NodePort
  selector:
    app: spire-server
  ports:
    - name: api
      protocol: TCP
      port: 8081
      targetPort: 8081
---
---
# Service for the federation bundle endpoint (8443 in server.conf). targetPort
# is omitted, so it defaults to the same 8443 the server binds.
# NodePort is presumably what lets a peer trust domain fetch this cluster's
# bundle; the endpoint serves only public bundle material, but it is still
# reachable from every node IP, so scope it with network policy where possible.
apiVersion: v1
kind: Service
metadata:
  namespace: spire-system
  name: spire-server-bundle-endpoint
spec:
  type: NodePort
  selector:
    app: spire-server
  ports:
    - name: api
      protocol: TCP
      port: 8443
---
---
# Service for the spire-controller-manager validating webhook: 443 in the
# cluster maps to the sidecar's 9443 listener. No type is set, so this is a
# ClusterIP Service reachable only from inside the cluster (i.e. by the API
# server when it invokes the webhook), which is the right exposure for it.
apiVersion: v1
kind: Service
metadata:
  namespace: spire-system
  name: spire-controller-manager-webhook-service
spec:
  selector:
    app: spire-server
  ports:
    - protocol: TCP
      port: 443
      targetPort: 9443