Feat: enable securityContext on spire server pod #27363

Merged

ishuar
Contributor

@ishuar ishuar commented Aug 8, 2023

Add securityContext for spire pod in helm chart

@ishuar ishuar requested review from a team as code owners August 8, 2023 23:56
@ishuar ishuar requested a review from nebril August 8, 2023 23:56
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Aug 8, 2023
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Aug 8, 2023
@ishuar ishuar changed the title Feat/enable podsecuritycontext on spire server Feat: enable securitycontext on spire server pod Aug 8, 2023
@ishuar ishuar changed the title Feat: enable securitycontext on spire server pod Feat: enable securityContext on spire server pod Aug 8, 2023
@maintainer-s-little-helper

Commit 0e68c6f5661f8c87d50103b6c07b06734db11cfb does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Aug 9, 2023
@ishuar ishuar force-pushed the feat/enable-podsecuritycontext-on-spire-server branch from 0e68c6f to 959e531 Compare August 9, 2023 08:18
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Aug 9, 2023
Member

@nebril nebril left a comment

Thanks for the PR! The change itself looks good. I think the PR should be squashed into one commit though, please do that and re-request review when you have repushed branch, I will run CI then.

@nebril nebril added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Aug 10, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Aug 10, 2023
@ishuar ishuar force-pushed the feat/enable-podsecuritycontext-on-spire-server branch from 96a2d37 to 170b69d Compare August 10, 2023 23:01
@ishuar ishuar requested review from a team as code owners August 10, 2023 23:01
@ishuar ishuar requested review from qmonnet and kaworu August 10, 2023 23:01
@maintainer-s-little-helper

Commit 5dee268eb610644b91f3640d5f9401146271e3f5 does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Aug 10, 2023
@ishuar ishuar force-pushed the feat/enable-podsecuritycontext-on-spire-server branch from 5dee268 to c627c7d Compare August 10, 2023 23:09
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Aug 10, 2023
@ishuar ishuar requested a review from nebril August 10, 2023 23:10
@ishuar
Contributor Author

ishuar commented Aug 10, 2023

> Thanks for the PR! The change itself looks good. I think the PR should be squashed into one commit though, please do that and re-request review when you have repushed branch, I will run CI then.

Thank you for your response, I have squashed my commits and pushed it.

Just curious if we could also use squash and commit while merging this PR in case this is needed for the future too?

Member

@nebril nebril left a comment

@ishuar we don't use squash and merge from GH because we usually want PRs to be structured logically. If the change is big, we want to have multiple commits, but your change simply seemed too fragmented. So we end up rebasing most PRs to have clean git history.

I can still see merge commit in your PR, can you get rid of it?

@ishuar ishuar force-pushed the feat/enable-podsecuritycontext-on-spire-server branch from c627c7d to 8fdc139 Compare August 11, 2023 17:20
Member

@kaworu kaworu left a comment

Not sure why @cilium/sig-hubble was required for review, probably an older revision of the patch. Helm changes LGTM, pulling in @mhofstetter to take a look at the spire stuff.

Member

@kaworu kaworu left a comment

wrong button 😅

@ishuar ishuar force-pushed the feat/enable-podsecuritycontext-on-spire-server branch from 6a755e0 to ffe8d28 Compare August 16, 2023 17:22
@ishuar
Contributor Author

ishuar commented Aug 16, 2023

> @ishuar Sorry, I'll ask you to rebase once more 😞. There's a conflict with #27229, which was just merged.

@qmonnet hopefully, this should be fine...

@ishuar ishuar force-pushed the feat/enable-podsecuritycontext-on-spire-server branch 2 times, most recently from 283efef to 8f31bfb Compare August 16, 2023 23:02
@qmonnet
Member

qmonnet commented Aug 17, 2023

/test

Member

@mhofstetter mhofstetter left a comment

I get an error running the SPIRE server locally on kind (see inline comment).

We might want to change the default?

install/kubernetes/cilium/values.yaml.tmpl (outdated, resolved)
@mhofstetter
Member

/test

@ishuar ishuar force-pushed the feat/enable-podsecuritycontext-on-spire-server branch from 0c3cbf1 to 7bbc609 Compare August 18, 2023 12:35
@mhofstetter
Member

/test

- Updated docs (used gnu-sed in macOS for helm-values.rst) permanent fix in cilium#27495

Signed-off-by: ishuar <ishansharma887@gmail.com>
@ishuar ishuar force-pushed the feat/enable-podsecuritycontext-on-spire-server branch from 7bbc609 to 74d48e7 Compare August 18, 2023 21:16
@ishuar ishuar requested a review from a team as a code owner August 18, 2023 21:16
Member

@meyskens meyskens left a comment

LGTM for me

Member

@mhofstetter mhofstetter left a comment

LGTM - thanks for the contribution.

@mhofstetter
Member

/test

@mhofstetter
Member

Check "Conformance GatewayAPI" fails on main too and will be fixed with #27592

Marking this PR as ready-to-merge

@mhofstetter mhofstetter added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. area/servicemesh GH issues or PRs regarding servicemesh feature/authentication kind/enhancement This would improve or streamline existing functionality. and removed dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. labels Aug 21, 2023
@joestringer joestringer merged commit eba103c into cilium:main Aug 21, 2023
59 of 60 checks passed
@ishuar ishuar deleted the feat/enable-podsecuritycontext-on-spire-server branch March 27, 2024 23:06
Labels
area/helm Impacts helm charts and user deployment experience area/servicemesh GH issues or PRs regarding servicemesh feature/authentication kind/community-contribution This was a contribution made by a community member. kind/enhancement This would improve or streamline existing functionality. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Development

Successfully merging this pull request may close these issues.

SPIRE server missing correct SELinux context and capabilities options
7 participants