Merge branch 'main' into release

.editorconfig

@@ -8,3 +8,8 @@ indent_size = 2
 tab_width = 2
 trim_trailing_whitespace = true
 insert_final_newline = true
+
+[Makefile]
+indent_style = tab
+indent_size = 4
+tab_width = 4

.github/tests/charts.json

@@ -2,17 +2,17 @@
   {
     "name": "kube-prometheus-stack",
     "repo": "https://prometheus-community.github.io/helm-charts",
-    "version": "45.29.0"
+    "version": "46.6.0"
   },
   {
     "name": "cert-manager",
     "repo": "https://charts.jetstack.io",
-    "version": "v1.12.0"
+    "version": "v1.12.1"
   },
   {
     "name": "ingress-nginx",
     "repo": "https://kubernetes.github.io/ingress-nginx",
-    "version": "4.6.1"
+    "version": "4.7.0"
   },
   {
     "name": "mysql",
@@ -22,6 +22,6 @@
   {
     "name": "postgresql",
     "repo": "https://charts.bitnami.com/bitnami",
-    "version": "12.5.3"
+    "version": "12.5.6"
   }
 ]

.github/tests/upstream-authority-cert-manager/pre-install.sh

@@ -5,5 +5,3 @@ SCRIPTPATH="$(dirname "${SCRIPT}")"
 scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
 
 helm install cert-manager cert-manager --namespace cert-manager --create-namespace --version "$VERSION_CERT_MANAGER" --set installCRDs=true --repo "$HELM_REPO_CERT_MANAGER" --wait
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-kubectl apply -f "${SCRIPT_DIR}/cert-manager-ca.yaml" -n "$scenario"

.github/tests/upstream-authority-cert-manager/values.yaml

@@ -2,4 +2,5 @@ spire-server:
   upstreamAuthority:
     certManager:
       enabled: true
-      issuer_name: "demo-ca"
+      ca:
+        create: true

.github/workflows/check-versions.yaml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3.5.0
+        uses: actions/checkout@v3.5.3
 
       - name: Set up Helm
         uses: azure/setup-helm@v3.5
@@ -34,7 +34,7 @@ jobs:
 
       - name: Create Pull Request
         id: cpr
-        uses: peter-evans/create-pull-request@v5.0.1
+        uses: peter-evans/create-pull-request@v5.0.2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           title: Bump test chart dependencies

.github/workflows/helm-chart-ci-ignore.yaml

@@ -30,7 +30,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3.5.2
+        uses: actions/checkout@v3.5.3
 
       - id: set-matrix
         name: Collect all tests

.github/workflows/helm-chart-ci.yaml

@@ -29,7 +29,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3.5.2
+        uses: actions/checkout@v3.5.3
 
       - name: Verify Docs updated
         run: ./helm-docs.sh
@@ -56,7 +56,7 @@ jobs:
           set -o pipefail
           # Look for image: definitions that are not templated. If we find none, exit is not 0 and we invert the error code to get the
           # test to pass. Ignore tests for now...
-          grep "image:" charts/spire/charts/*/templates/*.* | grep -v 'image: {{ template "' > /tmp/findings
+          grep -r "image:" charts/spire  | grep "templates/" | grep -v 'image: {{ template "' > /tmp/findings
           res=$?
           if [ $res -eq 0 ]; then
             {
@@ -74,7 +74,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3.5.2
+        uses: actions/checkout@v3.5.3
         with:
           fetch-depth: 0
 
@@ -94,9 +94,7 @@ jobs:
           version: ${{ env.CHART_TESTING_VERSION }}
 
       - name: Run chart-testing (lint)
-        run: |
-          ct lint --debug ${{ github.base_ref != 'release' && '--check-version-increment=false' || '' }} \
-            --target-branch ${{ github.base_ref }}
+        run: TARGET_BRANCH=${{ github.base_ref }} make lint${{ github.base_ref == 'release' && '-release' || '' }}
 
     outputs:
       changed: ${{ steps.list-changed.outputs.changed }}
@@ -109,7 +107,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3.5.2
+        uses: actions/checkout@v3.5.3
 
       - id: set-matrix
         name: Collect all tests
@@ -139,15 +137,12 @@ jobs:
           - v1.27.2
           - v1.26.4
           - v1.25.9
-          - v1.24.13
-          - v1.23.17
-          - v1.22.17
         values:
           - ${{ fromJson(needs.build-matrix.outputs.tests) }}
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3.5.2
+        uses: actions/checkout@v3.5.3
         with:
           fetch-depth: 0
 
@@ -170,7 +165,7 @@ jobs:
         uses: helm/kind-action@v1.7.0
         # Only build a kind cluster if there are chart changes to test.
         with:
-          version: v0.18.0
+          version: v0.19.0
           node_image: kindest/node:${{ matrix.k8s }}
           config: .github/kind/conf/kind-config.yaml
           verbosity: 1

.github/workflows/helm-release.yaml

@@ -19,7 +19,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3.5.2
+        uses: actions/checkout@v3.5.3
         with:
           fetch-depth: 0
 

.github/workflows/shellcheck.yaml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3.5.2
+        uses: actions/checkout@v3.5.3
 
       - name: Run Shellcheck
         uses: ludeeus/action-shellcheck@2.0.0

.gitignore

@@ -1,3 +1,5 @@
 bin/
 .idea/
 *.swp
+charts/**/*.tgz
+.DS_Store

CONTRIBUTING.md

@@ -34,6 +34,18 @@ git checkout «your-branch»
 git rebase main
 ```
 
+## Testing
+
+Our CI pipeline takes care of the majority of the testing of this Chart. Other ways for you to test are by running `make test` locally using:
+
+> **Warning**: Ensure to run the test on a dedicated k8s cluster that does not have Spire installed yet.
+
+```shell
+make test
+```
+
+Another approach to testing the chart is by installing one of the examples in your own cluster to verify your contributed changes work before issueing your PR.
+
 ## Generating documentation
 
 Any changes to Chart.yaml or values.yaml require an update of the README.md. This update can easily be generated using [helm-docs][].

Makefile

@@ -0,0 +1,37 @@
+TARGET_BRANCH ?= main
+
+.PHONY: help
+help: ## Display this help.
+	@$(MAKE) help
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+##@ Linting:
+
+.PHONY: lint
+lint: ## Lint the charts using chart-testing
+	@echo Linting charts…
+	@ct lint --config ct.yaml --target-branch $(TARGET_BRANCH) --check-version-increment=false
+
+lint-release: ## Lint the charts using chart-testing for release
+	@echo Linting charts…
+	@ct lint --config ct.yaml --target-branch $(TARGET_BRANCH)
+
+##@ Testing:
+
+.PHONY: clean-lingering-resources
+clean-lingering-resources:
+	@echo Cleanup potential leftovers…
+	@-kubectl delete csidrivers.storage.k8s.io csi.spiffe.io \
+		&>/dev/null || true
+	@-kubectl delete ns \
+		$$(kubectl get ns -o json | jq -r '.items[] | .metadata.name' | grep spire) \
+		&>/dev/null || true
+	@-kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io \
+		$$(kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io -o json | jq -r '.items[] | .metadata.name' | grep spire) \
+		&>/dev/null || true
+
+.PHONY: test
+test: ## Run tests using Helm chart-testing (ensure to run on dedicated test cluster)
+	@echo Running tests…
+	@ct install --debug \
+		--charts charts/spire

README.md

@@ -21,7 +21,7 @@ Unless otherwise noted in an application chart README, the following dependencie
 
 | Dependency | Supported Versions |
 |:-----------|:-------------------|
-| SPIRE      | `1.5.3`+, `1.6.x`  |
+| SPIRE      | `1.6.x`, `1.7.x`   |
 | Helm       | `3.x`              |
 | Kubernetes | `1.22+`            |
 

charts/spire/Chart.yaml

@@ -3,8 +3,8 @@ name: spire
 description: >
   A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.8.1
-appVersion: "1.6.4"
+version: 0.9.0
+appVersion: "1.7.0"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts/tree/main/charts/spire
 sources:

charts/spire/README.md

@@ -2,7 +2,7 @@
 
 <!-- This README.md is generated. Please edit README.md.gotmpl -->
 
-![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square)
+![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.0](https://img.shields.io/badge/AppVersion-1.7.0-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@@ -219,13 +219,24 @@ Now you can interact with the Spire agent socket from your own application. The
 | spiffe-oidc-discovery-provider.telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spiffe-oidc-discovery-provider |
 | spiffe-oidc-discovery-provider.telemetry.prometheus.port | int | `9988` |  |
 | spiffe-oidc-discovery-provider.tolerations | list | `[]` |  |
+| spiffe-oidc-discovery-provider.tools.kubectl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
+| spiffe-oidc-discovery-provider.tools.kubectl.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
+| spiffe-oidc-discovery-provider.tools.kubectl.image.repository | string | `"rancher/kubectl"` | The repository within the registry |
+| spiffe-oidc-discovery-provider.tools.kubectl.image.tag | string | `""` | Overrides the image tag |
+| spiffe-oidc-discovery-provider.tools.kubectl.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | spiffe-oidc-discovery-provider.trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers |
 | spire-agent.bundleConfigMap | string | `"spire-bundle"` |  |
 | spire-agent.clusterName | string | `"example-cluster"` |  |
 | spire-agent.configMap.annotations | object | `{}` | Annotations to add to the SPIRE Agent ConfigMap |
 | spire-agent.extraContainers | list | `[]` |  |
 | spire-agent.extraVolumeMounts | list | `[]` |  |
 | spire-agent.extraVolumes | list | `[]` |  |
+| spire-agent.fsGroupFix.image.pullPolicy | string | `"Always"` | The image pull policy |
+| spire-agent.fsGroupFix.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from |
+| spire-agent.fsGroupFix.image.repository | string | `"chainguard/bash"` | The repository within the registry |
+| spire-agent.fsGroupFix.image.tag | string | `"5.2.15"` | Overrides the image tag |
+| spire-agent.fsGroupFix.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
+| spire-agent.fsGroupFix.resources | object | `{}` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
 | spire-agent.fullnameOverride | string | `""` |  |
 | spire-agent.healthChecks.port | int | `9980` | override the host port used for health checking |
 | spire-agent.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
@@ -306,11 +317,6 @@ Now you can interact with the Spire agent socket from your own application. The
 | spire-server.controllerManager.service.port | int | `443` |  |
 | spire-server.controllerManager.service.type | string | `"ClusterIP"` |  |
 | spire-server.controllerManager.validatingWebhookConfiguration.failurePolicy | string | `"Fail"` |  |
-| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
-| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
-| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.repository | string | `"rancher/kubectl"` | The repository within the registry |
-| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.tag | string | `""` | Overrides the image tag |
-| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | spire-server.dataStore.sql.databaseName | string | `"spire"` | Only used by "postgres" or "mysql" |
 | spire-server.dataStore.sql.databaseType | string | `"sqlite3"` | Other supported databases are "postgres" and "mysql" |
 | spire-server.dataStore.sql.host | string | `""` | Only used by "postgres" or "mysql" |
@@ -382,13 +388,18 @@ Now you can interact with the Spire agent socket from your own application. The
 | spire-server.telemetry.prometheus.podMonitor.labels | object | `{}` |  |
 | spire-server.telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spire-server |
 | spire-server.tolerations | list | `[]` |  |
+| spire-server.tools.kubectl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
+| spire-server.tools.kubectl.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
+| spire-server.tools.kubectl.image.repository | string | `"rancher/kubectl"` | The repository within the registry |
+| spire-server.tools.kubectl.image.tag | string | `""` | Overrides the image tag |
+| spire-server.tools.kubectl.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | spire-server.topologySpreadConstraints | list | `[]` |  |
 | spire-server.tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information |
 | spire-server.tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) (Not for production) |
 | spire-server.tornjak.image.pullPolicy | string | `"IfNotPresent"` | The Tornjak image pull policy |
 | spire-server.tornjak.image.registry | string | `"ghcr.io"` | The OCI registry to pull the Tornjak image from |
 | spire-server.tornjak.image.repository | string | `"spiffe/tornjak-backend"` | The repository within the registry |
-| spire-server.tornjak.image.tag | string | `"v1.2.1"` | Overrides the image tag |
+| spire-server.tornjak.image.tag | string | `"v1.2.2"` | Overrides the image tag |
 | spire-server.tornjak.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | spire-server.tornjak.resources | object | `{}` |  |
 | spire-server.tornjak.service.annotations | object | `{}` |  |
@@ -400,10 +411,16 @@ Now you can interact with the Spire agent socket from your own application. The
 | spire-server.tornjak.startupProbe.successThreshold | int | `1` |  |
 | spire-server.tornjak.startupProbe.timeoutSeconds | int | `5` |  |
 | spire-server.trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers |
+| spire-server.upstreamAuthority.certManager.ca.create | bool | `false` | Creates a Cert-Manager CA |
+| spire-server.upstreamAuthority.certManager.ca.duration | string | `"87600h"` | Duration of the CA. Defaults to 10 years. |
+| spire-server.upstreamAuthority.certManager.ca.privateKey.algorithm | string | `"ECDSA"` |  |
+| spire-server.upstreamAuthority.certManager.ca.privateKey.rotationPolicy | string | `""` |  |
+| spire-server.upstreamAuthority.certManager.ca.privateKey.size | int | `256` |  |
+| spire-server.upstreamAuthority.certManager.ca.renewBefore | string | `""` | How long to wait before renewing the CA |
 | spire-server.upstreamAuthority.certManager.enabled | bool | `false` |  |
 | spire-server.upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` |  |
 | spire-server.upstreamAuthority.certManager.issuer_kind | string | `"Issuer"` |  |
-| spire-server.upstreamAuthority.certManager.issuer_name | string | `"spire-ca"` |  |
+| spire-server.upstreamAuthority.certManager.issuer_name | string | `""` | Defaults to the release name, override if CA is provided outside of the chart |
 | spire-server.upstreamAuthority.certManager.kube_config_file | string | `""` |  |
 | spire-server.upstreamAuthority.certManager.namespace | string | `""` | Specify to use a namespace other then the one the chart is installed into |
 | spire-server.upstreamAuthority.certManager.rbac.create | bool | `true` |  |

charts/spire/charts/spiffe-csi-driver/Chart.yaml

@@ -4,3 +4,18 @@ description: A Helm chart to install the SPIFFE CSI driver.
 type: application
 version: 0.1.0
 appVersion: "0.2.3"
+keywords: ["spiffe", "csi-driver"]
+home: https://github.com/spiffe/helm-charts/tree/main/charts/spire
+sources:
+  - https://github.com/spiffe/helm-charts/tree/main/charts/spire
+icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
+maintainers:
+  - name: marcofranssen
+    email: marco.franssen@gmail.com
+    url: https://marcofranssen.nl
+  - name: kfox1111
+    email: Kevin.Fox@pnnl.gov
+  - name: faisal-memon
+    email: fymemon@yahoo.com
+  - name: edwbuck
+    email: edwbuck@gmail.com