Bump spire-agent and spire-server to 0.11.0 (#2185)

Should fix issue #2183. The issue seems to be caused by incorrect cgroup namespace path parsing in spire-agent:0.9.0. The cgroup namespace path of a container depends on its QoS class. Consider the following cgroup namespaces examples: /docker/0ae0b671d2553a17173876dfed1986eb3a3fbd9cbaad878ea100db8b32a46280/kubepods/besteffort/pod90d75b24-7573-494d-86be-73a1f6c53cf2/45abc7d03395c056a6a79643211272a3e4e28cef9f70e6e4d36283398ac2a101 (of a container with BestEffort QoS class) /docker/0ae0b671d2553a17173876dfed1986eb3a3fbd9cbaad878ea100db8b32a46280/kubepods/pod02f1e446-526c-46fd-b6be-ae78a807a4c1/96057b397de140bf4a2fd9a6b2bd97a78d0fcd05987f33a36ac0a14e49dbde89 (of a container with a Guranteed QoS class) Spire-agent 0.9.0 expects at least 4 slashes in the path starting from `/kubepods/`, which is not the case for the second example. The parsing bug is fixed in spire-agent version 0.10.1 in spiffe/spire#1547 . Since we are bumping the spire version anyway, bump it to the latest version 0.11.0. Signed-off-by: Albert Safin <albert.safin@xored.com>
networkservicemesh · Sep 11, 2020 · 8f0e4e2 · 8f0e4e2
1 parent 4cafcc6
commit 8f0e4e2
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 8 deletions.
diff --git a/deployments/helm/nsm/charts/spire/templates/agent-daemonset.tpl b/deployments/helm/nsm/charts/spire/templates/agent-daemonset.tpl
@@ -28,7 +28,7 @@ spec:
           args: ["-t", "30", "spire-server:8081"]
       containers:
         - name: spire-agent
-          image: gcr.io/spiffe-io/spire-agent:0.9.0
+          image: gcr.io/spiffe-io/spire-agent:0.11.0
           args: ["-config", "/run/spire/config/agent.conf"]
           volumeMounts:
             - name: spire-config

diff --git a/deployments/helm/nsm/charts/spire/templates/server-configmap.tpl b/deployments/helm/nsm/charts/spire/templates/server-configmap.tpl
@@ -17,13 +17,12 @@ data:
       trust_domain = "test.com"
       data_dir = "/run/spire/data"
       log_level = "DEBUG"
-      svid_ttl = "1h"
-      upstream_bundle = true
+      default_svid_ttl = "1h"
       registration_uds_path = "/run/spire/sockets/registration.sock"
       ca_subject = {
-        Country = ["US"],
-        Organization = ["SPIFFE"],
-        CommonName = "",
+        country = ["US"],
+        organization = ["SPIFFE"],
+        common_name = "",
       }
     }
     plugins {
@@ -53,7 +52,7 @@ data:
         }
       }
       {{- if not .Values.selfSignedCA }}
-      UpstreamCA "disk" {
+      UpstreamAuthority "disk" {
         plugin_data {
           ttl = "12h"
           key_file_path = "/run/spire/secret/bootstrap.key"

diff --git a/deployments/helm/nsm/charts/spire/templates/server-statefulset.tpl b/deployments/helm/nsm/charts/spire/templates/server-statefulset.tpl
@@ -33,7 +33,7 @@ spec:
               readOnly: true
 
         - name: spire-server
-          image: gcr.io/spiffe-io/spire-server:0.9.0
+          image: gcr.io/spiffe-io/spire-server:0.11.0
           args:
             - -config
             - /run/spire/config/server.conf