From 5b779dc88afbb5b9dfcd1fe13be4d66d8224bbb1 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 30 May 2023 17:28:35 -0400 Subject: [PATCH 01/33] Improve Tornjak frontend test (#320) --- charts/spire/charts/tornjak-frontend/templates/deployment.yaml | 1 + .../templates/tests/test-tornjak-connection.yaml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index e4449b2c7..2b2b950ae 100644 --- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml @@ -50,6 +50,7 @@ spec: startupProbe: httpGet: scheme: HTTP + path: /tornjak/serverinfo port: {{ .Values.service.port }} failureThreshold: {{ .Values.startupProbe.failureThreshold }} initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} diff --git a/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml index 4afec4514..19d117c01 100644 --- a/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml @@ -14,7 +14,7 @@ spec: - name: curl-tornjak-frontend image: cgr.dev/chainguard/bash:latest command: ['curl'] - args: ['-k', '-s', '-f', 'http://{{ include "tornjak-frontend.fullname" . }}.{{ include "tornjak-frontend.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}'] + args: ['-k', '-s', '-f', 'http://{{ include "tornjak-frontend.fullname" . }}.{{ include "tornjak-frontend.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}/tornjak/serverinfo'] securityContext: {{- toYaml .Values.securityContext | nindent 8 }} restartPolicy: Never 
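Review bot: The test container's curl args keep `-k` on a plain `http://` URL, where the flag is inert today but will silently disable certificate verification the day this URL is switched to `https://`; drop it and add a bound so a hung endpoint fails the test instead of hanging the pod, e.g. `args: ['-s', '-f', '--max-time', '10', 'http://{{ include "tornjak-frontend.fullname" . }}...:{{ .Values.service.port }}/tornjak/serverinfo']`. The image is pulled as `cgr.dev/chainguard/bash:latest`, so the test's behaviour can change between runs without any change to the chart; pin a tag or digest, ideally through a values key as is done for the Tornjak image itself. A one-line comment next to the new `path: /tornjak/serverinfo` in the startupProbe saying that the helm test probes the same endpoint would keep the two from drifting apart later.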
From 9fa1ec28a715062d1c23e4975f931595fcbdaf80 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 30 May 2023 17:29:29 -0400 Subject: [PATCH 02/33] Improve Tornjak backend test (#321) --- .../spire/charts/spire-server/templates/statefulset.yaml | 1 + .../templates/tests/test-tornjak-connection.yaml | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index bb3cc7899..883bbcbf2 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -163,6 +163,7 @@ spec: startupProbe: httpGet: scheme: HTTP + path: /api/tornjak/serverinfo port: 10000 {{- toYaml .Values.tornjak.startupProbe | nindent 12 }} args: diff --git a/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml index 5b386925f..5ef7f85cf 100644 --- a/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml +++ b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml 
@@ -15,7 +15,13 @@ spec: - name: curl-tornjak-backend image: cgr.dev/chainguard/bash:latest command: ['curl'] - args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.backend" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.port }}'] + args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.backend" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.port }}/api/tornjak/serverinfo'] + securityContext: + {{- toYaml .Values.securityContext | nindent 8 }} + - name: curl-tornjak-backend-and-spire + image: cgr.dev/chainguard/bash:latest + command: ['curl'] + args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.backend" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.port }}/api/healthcheck'] securityContext: {{- toYaml .Values.securityContext | nindent 8 }} restartPolicy: Never From d333154369ce58829c1c15bac4054a361bb7f006 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Wed, 31 May 2023 01:19:23 +0200 Subject: [PATCH 03/33] Add Makefile for local testing (#327) --- .editorconfig | 5 +++++ .gitignore | 1 + CONTRIBUTING.md | 12 ++++++++++++ Makefile | 25 +++++++++++++++++++++++++ 4 files changed, 43 insertions(+) create mode 100644 Makefile diff --git a/.editorconfig b/.editorconfig index 3955c5d6b..bbf1aba8b 100644 --- a/.editorconfig +++ b/.editorconfig @@ -8,3 +8,8 @@ indent_size = 2 tab_width = 2 trim_trailing_whitespace = true insert_final_newline = true + +[Makefile] +indent_style = tab +indent_size = 4 +tab_width = 4 diff --git a/.gitignore b/.gitignore index f1b09facc..2fd91b671 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ bin/ .idea/ *.swp +charts/**/*.tgz diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0d86cc98e..11f1c1c95 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
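Review bot: Both curl containers in this test pod pass `-k` to a plain `http://` URL, where it does nothing now but will silently disable TLS verification if the Tornjak backend is ever served over https; drop it and add a timeout, e.g. `args: ['-s', '-f', '--max-time', '10', 'http://…:{{ .Values.tornjak.service.port }}/api/healthcheck']`. The two containers also duplicate the unpinned `cgr.dev/chainguard/bash:latest` image and an identical `securityContext` stanza; a single pinned (tag or digest) image value would keep the test reproducible and let one line change both. A short comment above the second container stating what `/api/healthcheck` is expected to verify (the container name `curl-tornjak-backend-and-spire` suggests reachability of the SPIRE server through the backend, but the hunk does not say) would make the intent clear to the next reader.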
@@ -34,6 +34,18 @@ git checkout «your-branch» git rebase main ``` +## Testing + +Our CI pipeline takes care of the majority of the testing of this Chart. Other ways for you to test are by running `make test` locally using: + +> **Warning**: Ensure to run the test on a dedicated k8s cluster that does not have Spire installed yet. + +```shell +make test +``` + +Another approach to testing the chart is by installing one of the examples in your own cluster to verify your contributed changes work before issueing your PR. + ## Generating documentation Any changes to Chart.yaml or values.yaml require an update of the README.md. This update can easily be generated using [helm-docs][]. diff --git a/Makefile b/Makefile new file mode 100644 index 000000000..ac98f14fc --- /dev/null +++ b/Makefile @@ -0,0 +1,25 @@ +.PHONY: help +help: ## Display this help. + @$(MAKE) help + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) + + +##@ Testing: + +.PHONY: clean-lingering-resources +clean-lingering-resources: + @echo Cleanup potential leftovers… + @-kubectl delete csidrivers.storage.k8s.io csi.spiffe.io \ + &>/dev/null || true + @-kubectl delete ns \ + $$(kubectl get ns -o json | jq -r '.items[] | .metadata.name' | grep spire) \ + &>/dev/null || true + @-kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io \ + $$(kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io -o json | jq -r '.items[] | .metadata.name' | grep spire) \ + &>/dev/null || true + +.PHONY: test +test: ## Run tests using Helm chart-testing (ensure to run on dedicated test cluster) + @echo Running tests… + @ct install --debug \ + --charts charts/spire From 28c082471462ad88f6b1a7eac631998d0f73b6d0 Mon Sep 17 00:00:00 2001 
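Review bot: `clean-lingering-resources` deletes every namespace and validating webhook configuration whose name merely contains `spire` (`grep spire`), so on a cluster that also hosts e.g. `inspire-dev` it would delete that too; anchor the match, `grep -E '^spire(-|$)'`, or better, select on the chart's labels rather than on names. The recipes use the bash-only `&>/dev/null` redirection, but make runs recipes with `/bin/sh` unless `SHELL := /bin/bash` is set, and under dash `cmd &>/dev/null` backgrounds `cmd` and applies the redirect to an empty command, so the `|| true` never guards the delete; add `SHELL := /bin/bash` at the top of the Makefile. As rendered here the `help` recipe's first line is `@$(MAKE) help`, which re-invokes the same target and would recurse until make aborts; if that is not an artifact of this listing, delete that line. The dedicated-cluster warning from CONTRIBUTING.md belongs on the target too, e.g. `clean-lingering-resources: ## Delete spire namespaces/webhooks; destructive, dedicated test clusters only`.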
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 2 Jun 2023 08:37:25 +0200 Subject: [PATCH 04/33] Bump test chart dependencies (#322) Co-authored-by: marcofranssen --- .github/tests/charts.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index e1ab03e5f..50f3c231e 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,12 +2,12 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "45.29.0" + "version": "46.4.1" }, { "name": "cert-manager", "repo": "https://charts.jetstack.io", - "version": "v1.12.0" + "version": "v1.12.1" }, { "name": "ingress-nginx", @@ -22,6 +22,6 @@ { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "12.5.3" + "version": "12.5.5" } ] From c3213abe37117df99c755a5d097e610aab2b89ab Mon Sep 17 00:00:00 2001 From: Edwin Buck Date: Sat, 3 Jun 2023 09:55:35 -0700 Subject: [PATCH 05/33] Initial submission of Helm Chart key naming conventions. Closes #329 Signed-off-by: Edwin Buck --- project/conventions.md | 108 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 project/conventions.md diff --git a/project/conventions.md b/project/conventions.md new file mode 100644 index 000000000..d1aa33c91 --- /dev/null +++ b/project/conventions.md 
@@ -0,0 +1,108 @@ + +# Development Conventions + +This document intends to capture the current coding conventions for +the SPIRE Helm Chart project, permitting multiple developers to align +to a similar style and standard when offering their contributions. + +It is impossible to describe every scenario a developer might encounter, +likewise it is equally impossible to describe the best choice to make +under all future circumstances. For this reason, many conventions also +have a small explanation of the rationale behind the guidance, allowing +future development efforts to weigh and balance the conflicting forces +in ambiguous situations not clearly covered. + +This document is intended to be a living document. If you have an issue +with a convention, we hope that you will create an issue describing the +problem, and a pull request suggesting the update. By addressing the +convention, we hope to avoid arguments about conventions in the pull +request review process, which slow the process and are often subject to +the popular whims of the moment. + +## Conventions used in this document + +While this is not a software specification, the key words "MUST", +"MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", +"RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be +interpreted as closely to the convention as it would be to a +specification described in RFC 2119. + +Use of the word in its non-all caps form SHOULD NOT be interpreted in +the strict definitions user RFC 2119, but SHOULD be interpreted in +context with a meaning aligned to RFC 2119. + +## Helm Chart conventions + +Helm values are organized in a tree structure, with each entry having +a key, the path within the structure, and a value, the contents held +at that path. Some of the contents include objects and arrays, which +are structures that permit multiple values under a particular path. 
+ +This design choice mimics the representation of a file system, and we +may use file system analogies to describe the conventions and choices +in the project. + +### Preference for absolute paths in templates + +Outside of looping constructs that require relative paths, templates +should use absolute paths (paths starting with the `.` character) for +their value references. + +### Helm Key path elements + +Elements refer to items in the configuration. Some of those items are +external to the project, while others are components the project choose +to implement the Helm Chart packaging solution. + +### Preferred characters for helm path elements + +Elements within a helm chart path SHOULD limit the use of special +characters, even when such characters are supported by Helm. ASCII +letters, upper and lower case, ASCII numerals, and the ASCII underscore +character are always permitted. + +Other characters, such as `@`, `~`, `-`, `&`, `+` are often used as +shorthand to represent, respectively `at`, `similar / not`, +`minus / without`, `and / reference`, `plus / with`. Helm key elements +MUST NOT contain such symbols, as it burdens the reader to deduce the +intent of the writer. + +### Camel Case for created elements. +Elements that refer to components that the project has created should +exclusively use camel case, with a the first word being lower case. To +illustrate, a "card sort order" path element would read "cardsharper". + +### Acronyms and Minimalists + +Occasionally the use of an Acronym or Minimalist is used as part of an +element name. An acronym is the use of the first letter of a phrase +or multi-word proper name that is pronounceable, while an initialisim is +the use of the first letter of a phrase or multi-word proper name +pronounced by naming the letters. `NASA` is an example of an acronym, +while `NFL` is an example of an Initialisim. 
+ +To keep the recognition of the Acronym or Initialisim, an all capital +representation of the Acronym or Initialisim MUST be maintained. To +reduce the confusion this can create in camel case elements, we recommend +that such Acronyms and Initialisim be placed at the end of the element +or the element is restructured to avoid confusion. For example, +`mailingListNASA` or `mailingList.NASA` is preferred over +`NASAMailingList`. + +Acronyms and Initialisim occasionally use periods in their presentation. +When they do, the periods MUST be removed without replacement by +another character. To illustrate `U.S.S.R.` should be written as +`USSR`. + +### Abbreviations + +Abbreviations shorten words by using some of the letters of the original +word. In all cases, element names that contain parts which are +abbreviations should be represented in the case determined by the part's +position. For example, a Junior administrator, should be written as +`jrAdmin`. + +Abbreviations occasionally use periods in their presentation. When they +do, the periods MUST be removed without replacement by another character. +To illustrate, use `acctSchedule` for Acct. Schedule. From cfa9f7888516b68ee8eeddee6f5d293bd3ee8cc3 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 5 Jun 2023 16:46:48 -0700 Subject: [PATCH 06/33] Bump test chart dependencies (#332) --- .github/tests/charts.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 50f3c231e..09ee23720 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,7 +2,7 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "46.4.1" + "version": "46.6.0" }, { "name": "cert-manager", 
@@ -12,7 +12,7 @@ { "name": "ingress-nginx", "repo": "https://kubernetes.github.io/ingress-nginx", - "version": "4.6.1" + "version": "4.7.0" }, { "name": "mysql", @@ -22,6 +22,6 @@ { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "12.5.5" + "version": "12.5.6" } ] From c4d19db98dc3cc2c777b9412f5999617c3d6d4c0 Mon Sep 17 00:00:00 2001 From: Edwin Buck Date: Wed, 7 Jun 2023 14:33:00 -0500 Subject: [PATCH 07/33] Update project/conventions.md Co-authored-by: Faisal Memon Signed-off-by: Edwin Buck --- project/conventions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/project/conventions.md b/project/conventions.md index d1aa33c91..df2b7bf79 100644 --- a/project/conventions.md +++ b/project/conventions.md @@ -71,7 +71,7 @@ intent of the writer. ### Camel Case for created elements. Elements that refer to components that the project has created should exclusively use camel case, with a the first word being lower case. To -illustrate, a "card sort order" path element would read "cardsharper". +illustrate, a "card sort order" path element would read "cardSortOrder". ### Acronyms and Minimalists From f6a7b62d9831e33cc02bad7aca6b6e4194e5b836 Mon Sep 17 00:00:00 2001 From: Edwin Buck Date: Wed, 7 Jun 2023 14:36:59 -0500 Subject: [PATCH 08/33] Update project/conventions.md Co-authored-by: Marco Franssen Signed-off-by: Edwin Buck --- project/conventions.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/project/conventions.md b/project/conventions.md index df2b7bf79..646fa7393 100644 --- a/project/conventions.md +++ b/project/conventions.md 
@@ -68,7 +68,8 @@ shorthand to represent, respectively `at`, `similar / not`, MUST NOT contain such symbols, as it burdens the reader to deduce the intent of the writer. -### Camel Case for created elements. +### Camel Case for created elements + Elements that refer to components that the project has created should exclusively use camel case, with a the first word being lower case. To illustrate, a "card sort order" path element would read "cardSortOrder". From d60d68c131a5782952931ad3e0a5d161fd5ab4f6 Mon Sep 17 00:00:00 2001 From: Edwin Buck Date: Thu, 8 Jun 2023 06:54:49 -0700 Subject: [PATCH 09/33] Added accidentally clipped explicit name guidelines. Signed-off-by: Edwin Buck --- project/conventions.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/project/conventions.md b/project/conventions.md index 646fa7393..05ad5122a 100644 --- a/project/conventions.md +++ b/project/conventions.md @@ -74,6 +74,17 @@ Elements that refer to components that the project has created should exclusively use camel case, with a the first word being lower case. To illustrate, a "card sort order" path element would read "cardSortOrder". +### Exact Case for non-created elements + +Elements that reflect components that have well known names should make +every effort to use the well known name exactly, even if the rules for +captialization don't follow other naming conventions. Exceptions to +this SHOULD include replacing problematic characters with underscores, +to improve template functionality. To illustrate, the operating system +NeXTSTEP would read as "NeXTSTEP" and "NeXT Computers" SHOULD be written +as "NeXT_Computers" but may also be written as "NeXTComputers" if clarity +is maintained. + ### Acronyms and Minimalists Occasionally the use of an Acronym or Minimalist is used as part of an From 28e2abf7627ba5a658e9b218b0d205ed87bb8c6f Mon Sep 17 00:00:00 2001 
From: Edwin Buck Date: Thu, 8 Jun 2023 07:00:12 -0700 Subject: [PATCH 10/33] Choose a different example for dotted Acronyms. Signed-off-by: Edwin Buck --- project/conventions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/project/conventions.md b/project/conventions.md index 05ad5122a..7d4b18701 100644 --- a/project/conventions.md +++ b/project/conventions.md @@ -104,8 +104,8 @@ or the element is restructured to avoid confusion. For example, Acronyms and Initialisim occasionally use periods in their presentation. When they do, the periods MUST be removed without replacement by -another character. To illustrate `U.S.S.R.` should be written as -`USSR`. +another character. To illustrate `U.N.` for the United Nations should +be written as `UN`. ### Abbreviations From 52e5c24947e07cb27521dbc375c5cbf0ed4c53a2 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Thu, 8 Jun 2023 14:29:01 -0400 Subject: [PATCH 11/33] Upgrade Tornjak to image v1.2.2 (#328) Upgrade Tornjak image to version v1.2.2 (https://github.com/spiffe/tornjak/releases/tag/v1.2.2) - Resolving issue #326 (remove an emergency patch) - Refactor and improve Tornajk image build process --------- Signed-off-by: Mariusz Sabath Co-authored-by: Edwin Buck --- charts/spire/README.md | 2 +- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 2 +- charts/spire/charts/tornjak-frontend/Chart.yaml | 2 +- charts/spire/charts/tornjak-frontend/README.md | 2 +- .../charts/tornjak-frontend/templates/deployment.yaml | 11 ++++------- 6 files changed, 9 insertions(+), 12 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 0c9bb1345..9bd432f7e 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -388,7 +388,7 @@ Now you can interact with the Spire agent socket from your own application. The | spire-server.tornjak.image.pullPolicy | string | `"IfNotPresent"` | The Tornjak image pull policy | | spire-server.tornjak.image.registry | string | `"ghcr.io"` | The OCI registry to pull the Tornjak image from | | spire-server.tornjak.image.repository | string | `"spiffe/tornjak-backend"` | The repository within the registry | -| spire-server.tornjak.image.tag | string | `"v1.2.1"` | Overrides the image tag | +| spire-server.tornjak.image.tag | string | `"v1.2.2"` | Overrides the image tag | | spire-server.tornjak.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spire-server.tornjak.resources | object | `{}` | | | spire-server.tornjak.service.annotations | object | `{}` | | diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 9fba830fb..ccccebc2b 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -134,7 +134,7 @@ A Helm chart to install the SPIRE server. | tornjak.image.pullPolicy | string | `"IfNotPresent"` | The Tornjak image pull policy | | tornjak.image.registry | string | `"ghcr.io"` | The OCI registry to pull the Tornjak image from | | tornjak.image.repository | string | `"spiffe/tornjak-backend"` | The repository within the registry | -| tornjak.image.tag | string | `"v1.2.1"` | Overrides the image tag | +| tornjak.image.tag | string | `"v1.2.2"` | Overrides the image tag | | tornjak.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | tornjak.resources | object | `{}` | | | tornjak.service.annotations | object | `{}` | | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index ebe31a598..aaf4e91ea 100644 --- a/charts/spire/charts/spire-server/values.yaml 
+++ b/charts/spire/charts/spire-server/values.yaml @@ -337,7 +337,7 @@ tornjak: # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" # -- Overrides the image tag - tag: "v1.2.1" + tag: "v1.2.2" service: type: ClusterIP port: 10000 diff --git a/charts/spire/charts/tornjak-frontend/Chart.yaml b/charts/spire/charts/tornjak-frontend/Chart.yaml index 532f259dd..64c44f125 100644 --- a/charts/spire/charts/tornjak-frontend/Chart.yaml +++ b/charts/spire/charts/tornjak-frontend/Chart.yaml @@ -3,7 +3,7 @@ name: tornjak-frontend description: A Helm chart to deploy Tornjak frontend type: application version: 0.1.0 -appVersion: "v1.2.1" +appVersion: "v1.2.2" home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: - https://github.com/spiffe/tornjak diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index bb2af0ab6..b380e3411 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -2,7 +2,7 @@ -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.2.1](https://img.shields.io/badge/AppVersion-v1.2.1-informational?style=flat-square) +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.2.2](https://img.shields.io/badge/AppVersion-v1.2.2-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart to deploy Tornjak frontend 
diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index 2b2b950ae..c7ba33712 100644 --- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml @@ -28,13 +28,6 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} - command: - - /bin/sh - - -c - - | - ln -s /tmp/env.js build/env.js - npx react-inject-env set -n /tmp/env.js - serve -s build -p $PORT_FE ports: - name: http containerPort: 3000 @@ -61,6 +54,8 @@ spec: volumeMounts: - name: cache mountPath: /usr/src/app/node_modules/.cache + - name: env + mountPath: /usr/src/app/build/tmp {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -80,3 +75,5 @@ spec: volumes: - name: cache emptyDir: {} + - name: env + emptyDir: {} From cb182558153c59517da07596c87c639d22d3dba3 Mon Sep 17 00:00:00 2001 From: Edwin Buck Date: Fri, 9 Jun 2023 11:07:51 -0500 Subject: [PATCH 12/33] Update project/conventions.md Co-authored-by: kfox1111 Signed-off-by: Edwin Buck --- project/conventions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/project/conventions.md b/project/conventions.md index 7d4b18701..126d27588 100644 --- a/project/conventions.md +++ b/project/conventions.md @@ -62,7 +62,7 @@ characters, even when such characters are supported by Helm. ASCII letters, upper and lower case, ASCII numerals, and the ASCII underscore character are always permitted. -Other characters, such as `@`, `~`, `-`, `&`, `+` are often used as +Other characters, such as `@`, `~`, `&`, `+` are often used as shorthand to represent, respectively `at`, `similar / not`, `minus / without`, `and / reference`, `plus / with`. Helm key elements MUST NOT contain such symbols, as it burdens the reader to deduce the From 0cae9ce7c7ca9bb024e43e4c231afdcbc63fa166 Mon Sep 17 00:00:00 2001 
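Review bot: The new `env` emptyDir is mounted at `/usr/src/app/build/tmp`, i.e. inside the `build` tree that the removed command served as static content (`serve -s build`), so whatever the image's entrypoint writes there (presumably the generated `env.js`) is web-reachable under `/tmp/`; if that is intended, a comment on the volumeMount saying so and confirming nothing else is written there would stop a later reader from treating it as a scratch directory. With the in-chart `command` gone, the container's startup now depends entirely on the v1.2.2 image entrypoint, which the chart no longer shows; a comment in the template naming the env vars the image expects (the old command read `$PORT_FE`) would help when the `/tornjak/serverinfo` startupProbe fails and the only signal is a restart loop. Both volumes remain `emptyDir: {}` with no `sizeLimit`; a small cap such as `sizeLimit: 16Mi` is cheap insurance against a runaway writer filling node disk.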
From: Edwin Buck Date: Fri, 9 Jun 2023 11:08:10 -0500 Subject: [PATCH 13/33] Update project/conventions.md Co-authored-by: kfox1111 Signed-off-by: Edwin Buck --- project/conventions.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/project/conventions.md b/project/conventions.md index 126d27588..65b897989 100644 --- a/project/conventions.md +++ b/project/conventions.md @@ -68,6 +68,8 @@ shorthand to represent, respectively `at`, `similar / not`, MUST NOT contain such symbols, as it burdens the reader to deduce the intent of the writer. +`-` SHOULD NOT be used when there are good alternatives. Its reasonable to use when spire itself uses it for config such as plugin names or required by helm for child charts. + ### Camel Case for created elements Elements that refer to components that the project has created should From ddc0166689f35e48bd48d140a96c358592938bf4 Mon Sep 17 00:00:00 2001 From: Edwin Buck Date: Fri, 9 Jun 2023 11:47:11 -0500 Subject: [PATCH 14/33] Fix line wrapping. Signed-off-by: Edwin Buck --- project/conventions.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/project/conventions.md b/project/conventions.md index 65b897989..6fe195b0c 100644 --- a/project/conventions.md +++ b/project/conventions.md @@ -68,7 +68,9 @@ shorthand to represent, respectively `at`, `similar / not`, MUST NOT contain such symbols, as it burdens the reader to deduce the intent of the writer. -`-` SHOULD NOT be used when there are good alternatives. Its reasonable to use when spire itself uses it for config such as plugin names or required by helm for child charts. +`-` SHOULD NOT be used when there are good alternatives. Its reasonable +to use when spire itself uses it for config such as plugin names or +required by helm for child charts. ### Camel Case for created elements From ea091991964e1b7b2a0c0b89d4082cdd7be522bc Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Jun 2023 01:37:24 +0000 Subject: [PATCH 15/33] Bump actions/checkout from 3.5.0 to 3.5.3 Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.0 to 3.5.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.5.0...v3.5.3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/check-versions.yaml | 2 +- .github/workflows/helm-chart-ci-ignore.yaml | 2 +- .github/workflows/helm-chart-ci.yaml | 8 ++++---- .github/workflows/helm-release.yaml | 2 +- .github/workflows/shellcheck.yaml | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/check-versions.yaml b/.github/workflows/check-versions.yaml index 4f3fbf24d..12523b163 100644 --- a/.github/workflows/check-versions.yaml +++ b/.github/workflows/check-versions.yaml @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.5.0 + uses: actions/checkout@v3.5.3 - name: Set up Helm uses: azure/setup-helm@v3.5 diff --git a/.github/workflows/helm-chart-ci-ignore.yaml b/.github/workflows/helm-chart-ci-ignore.yaml index 8a63936bb..2e50a0f1c 100644 --- a/.github/workflows/helm-chart-ci-ignore.yaml +++ b/.github/workflows/helm-chart-ci-ignore.yaml @@ -30,7 +30,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.5.2 + uses: actions/checkout@v3.5.3 - id: set-matrix name: Collect all tests diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index 6099ba45b..9a53764c8 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml 
@@ -29,7 +29,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.5.2 + uses: actions/checkout@v3.5.3 - name: Verify Docs updated run: ./helm-docs.sh @@ -74,7 +74,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.5.2 + uses: actions/checkout@v3.5.3 with: fetch-depth: 0 @@ -109,7 +109,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.5.2 + uses: actions/checkout@v3.5.3 - id: set-matrix name: Collect all tests @@ -147,7 +147,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.5.2 + uses: actions/checkout@v3.5.3 with: fetch-depth: 0 diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index 035ae8b3d..bcaa57d65 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.5.2 + uses: actions/checkout@v3.5.3 with: fetch-depth: 0 diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml index 1bed14c35..71a5ec23f 100644 --- a/.github/workflows/shellcheck.yaml +++ b/.github/workflows/shellcheck.yaml @@ -21,7 +21,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.5.2 + uses: actions/checkout@v3.5.3 - name: Run Shellcheck uses: ludeeus/action-shellcheck@2.0.0 From 4e0745078175749df2f33531f6101341629002ba Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Mon, 12 Jun 2023 05:50:26 -0700 Subject: [PATCH 16/33] Fix ingress annotations for federation (#337) fixes: https://github.com/spiffe/helm-charts/issues/336 Signed-off-by: Kevin Fox --- .../spire/charts/spire-server/templates/federation-ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spire/charts/spire-server/templates/federation-ingress.yaml b/charts/spire/charts/spire-server/templates/federation-ingress.yaml index 013be910b..e7d0fea57 100644 --- a/charts/spire/charts/spire-server/templates/federation-ingress.yaml 
+++ b/charts/spire/charts/spire-server/templates/federation-ingress.yaml @@ -8,7 +8,7 @@ metadata: namespace: {{ include "spire-server.namespace" . }} labels: {{ include "spire-server.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} + {{- with .Values.federation.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} From 8748933548116e37ec96b1639f8ed3b29f8f7815 Mon Sep 17 00:00:00 2001 From: Drew Wells Date: Mon, 12 Jun 2023 13:25:14 -0500 Subject: [PATCH 17/33] Update upstream-ca-secret.yaml (#341) Fix an issue with nested context being used for namespace Fixes this issue: ``` Error: UPGRADE FAILED: template: spire/charts/spire-server/templates/upstream-ca-secret.yaml:8:16: executing "spire/charts/spire-server/templates/upstream-ca-secret.yaml" at : error calling include: template: spire/charts/spire-server/templates/_helpers.tpl:30:16: executing "spire-server.namespace" at <.Values.namespaceOverride>: nil pointer evaluating interface {}. namespaceOverride helm.go:84: [debug] template: spire/charts/spire-server/templates/upstream-ca-secret.yaml:8:16: executing "spire/charts/spire-server/templates/upstream-ca-secret.yaml" at : error calling include: template: spire/charts/spire-server/templates/_helpers.tpl:30:16: executing "spire-server.namespace" at <.Values.namespaceOverride>: nil pointer evaluating interface {}.nam espaceOverride ``` Signed-off-by: Drew Wells --- .../spire/charts/spire-server/templates/upstream-ca-secret.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spire/charts/spire-server/templates/upstream-ca-secret.yaml b/charts/spire/charts/spire-server/templates/upstream-ca-secret.yaml index 2adc10945..b855065fa 100644 --- a/charts/spire/charts/spire-server/templates/upstream-ca-secret.yaml +++ b/charts/spire/charts/spire-server/templates/upstream-ca-secret.yaml 
@@ -5,7 +5,7 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: {{ include "spire-server.upstream-ca-secret" $root }}
- namespace: {{ include "spire-server.namespace" . }}
+ namespace: {{ include "spire-server.namespace" $root }}
 labels:
 {{- include "spire-server.labels" $root | nindent 4 }}
 data:
From 5d8c9079a1742ffc732a8bd2ab27dbe3ad6df434 Mon Sep 17 00:00:00 2001
From: Drew Wells
Date: Tue, 13 Jun 2023 13:54:30 -0500
Subject: [PATCH 18/33] Dropping k8s versions in CI older than 3, as per readme (#344)
---
 .github/workflows/helm-chart-ci.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml
index 9a53764c8..08a7098c1 100644
--- a/.github/workflows/helm-chart-ci.yaml
+++ b/.github/workflows/helm-chart-ci.yaml
@@ -139,9 +139,6 @@ jobs:
 - v1.27.2
 - v1.26.4
 - v1.25.9
- - v1.24.13
- - v1.23.17
- - v1.22.17
 values:
 - ${{ fromJson(needs.build-matrix.outputs.tests) }}
@@ -170,7 +167,7 @@ jobs:
 uses: helm/kind-action@v1.7.0
 # Only build a kind cluster if there are chart changes to test.
 with:
- version: v0.18.0
+ version: v0.19.0
 node_image: kindest/node:${{ matrix.k8s }}
 config: .github/kind/conf/kind-config.yaml
 verbosity: 1
From 250fd5db0067dced9fce29058a4c0993955377d1 Mon Sep 17 00:00:00 2001
From: kfox1111
Date: Wed, 14 Jun 2023 00:16:02 -0700
Subject: [PATCH 19/33] Add missing global values to charts (#311)
---
 charts/spire/charts/spiffe-csi-driver/values.yaml | 3 +++
 charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml | 3 +++
 charts/spire/charts/spire-agent/values.yaml | 3 +++
 charts/spire/charts/spire-server/values.yaml | 3 +++
 charts/spire/charts/tornjak-frontend/values.yaml | 3 +++
 5 files changed, 15 insertions(+)
diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml
index 563f264b9..64ea54c11 100644
--- a/charts/spire/charts/spiffe-csi-driver/values.yaml
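Review bot: Switching the `namespace:` include to `$root` is the right fix, but the neighbouring `name:` and `labels:` lines already used `$root`, which implies this block runs inside a `range` or `with` that rebinds `.`; any other bare `.` left in that scope (the head and tail of the template are outside the hunk) will fail the same way on the next upgrade, so grep the file for `include "spire-server.namespace" .` before merging. Separately, this is a `kind: Secret` whose `data:` block begins on the hunk's last line; if that block is populated from chart values, the upstream CA key material is stored in plaintext in values files and in Helm's release history, and the values documentation should say so, e.g. `# -- Upstream CA key material; stored in the Helm release Secret, prefer referencing an existing Secret if the chart supports it`.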
+++ b/charts/spire/charts/spiffe-csi-driver/values.yaml @@ -1,3 +1,6 @@ +# @ignored +global: {} + # -- Set the csi driver name deployed to Kubernetes. pluginName: csi.spiffe.io diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 42d959f0f..d32ee12b0 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -2,6 +2,9 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# @ignored +global: {} + # -- The name of the spire-agent unix socket agentSocketName: spire-agent.sock diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index c237dc4a2..a1b42722f 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -2,6 +2,9 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# @ignored +global: {} + image: # -- The OCI registry to pull the image from registry: ghcr.io diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index aaf4e91ea..a46f7a5ab 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -2,6 +2,9 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# @ignored +global: {} + # -- SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. replicaCount: 1 diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index ac574899b..23c78189b 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml 
@@ -2,6 +2,9 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# @ignored +global: {} + image: registry: ghcr.io repository: spiffe/tornjak-frontend From 4c0a1d52c52ad691f428bb6c24a5b9cc46a00d10 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Wed, 14 Jun 2023 12:17:08 -0700 Subject: [PATCH 20/33] Allow overriding test images (#186) --- .github/workflows/helm-chart-ci.yaml | 2 +- .../templates/tests/test-connection.yaml | 8 ++++---- .../spiffe-oidc-discovery-provider/values.yaml | 15 +++++++++++++++ .../templates/tests/test-connection.yaml | 4 ++-- .../templates/tests/test-tornjak-connection.yaml | 4 ++-- charts/spire/charts/spire-server/values.yaml | 15 +++++++++++++++ .../templates/tests/test-tornjak-connection.yaml | 2 +- charts/spire/charts/tornjak-frontend/values.yaml | 15 +++++++++++++++ 8 files changed, 55 insertions(+), 10 deletions(-) diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index 08a7098c1..3d5fa5063 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml @@ -56,7 +56,7 @@ jobs: set -o pipefail # Look for image: definitions that are not templated. If we find none, exit is not 0 and we invert the error code to get the # test to pass. Ignore tests for now... - grep "image:" charts/spire/charts/*/templates/*.* | grep -v 'image: {{ template "' > /tmp/findings + grep -r "image:" charts/spire | grep "templates/" | grep -v 'image: {{ template "' > /tmp/findings res=$? if [ $res -eq 0 ]; then { diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml index 3f11d1195..3c028d8b4 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml 
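Review bot: The comment two lines above the changed `grep` still ends with `Ignore tests for now...`, but the new `grep -r "image:" charts/spire | grep "templates/"` deliberately now matches `templates/tests/` — that is what lets this commit verify the test images — so the comment contradicts the code it describes; rewrite it to `# Look for image: definitions that are not templated, including test pods. If we find none, exit is not 0 and we invert the error code to get the test to pass.`. The `-r` scan also widens coverage to any `templates/` path under `charts/spire`, which is probably wanted but worth stating in that comment. The shell step continues past the end of the hunk.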
@@ -12,26 +12,26 @@ spec:
 {{- toYaml .Values.podSecurityContext | nindent 4 }}
 containers:
 - name: curl-service-name
- image: cgr.dev/chainguard/bash:latest
+ image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
 command: ['curl']
 args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}:{{ .Values.service.port }}/.well-known/openid-configuration']
 securityContext:
 {{- toYaml .Values.securityContext | nindent 8 }}
 - name: curl-service-name-namespace
- image: cgr.dev/chainguard/bash:latest
+ image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
 command: ['curl']
 args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}:{{ .Values.service.port }}/.well-known/openid-configuration']
 securityContext:
 {{- toYaml .Values.securityContext | nindent 8 }}
 - name: curl-service-name-namespace-svc-cluster-local
- image: cgr.dev/chainguard/bash:latest
+ image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
 command: ['curl']
 args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}/.well-known/openid-configuration']
 securityContext:
 {{- toYaml .Values.securityContext | nindent 8 }}
 {{- if .Values.ingress.enabled }}
 - name: curl-ingress
- image: cgr.dev/chainguard/bash:latest
+ image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
 command: ['curl']
 args: ['-s', '-f', 'http://{{ index .Values.config.domains 0 }}/.well-known/openid-configuration']
 securityContext:
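Review bot: The identical `image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}` expression is now pasted into all four test containers; binding it once above the container list with `{{- $testImage := include "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}` and using `image: {{ $testImage }}` per container keeps the four in step the next time the helper's arguments change. Visible but untouched by the commit: the `curl-ingress` container fetches the discovery document over plain `http://`, so this test proves reachability only and says nothing about the TLS path relying parties will actually use; a one-line comment above that container stating as much would prevent over-reading the green test. The Pod header is above the hunk.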
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index d32ee12b0..90c555a2a 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -200,3 +200,18 @@ ingress: # - secretName: chart-example-tls # hosts: # - oidc-discovery.example.org + +# @ignored +tests: + bash: + image: + # -- The OCI registry to pull the tests image from + registry: cgr.dev + # -- The repository within the registry + repository: chainguard/bash + # -- The tests image pull policy + pullPolicy: IfNotPresent + # -- This value is deprecated in favor of tag. (Will be removed in a future release) + version: "" + # -- Overrides the image tag + tag: 5.2.15 diff --git a/charts/spire/charts/spire-server/templates/tests/test-connection.yaml b/charts/spire/charts/spire-server/templates/tests/test-connection.yaml index 7674197eb..9e1740612 100644 --- a/charts/spire/charts/spire-server/templates/tests/test-connection.yaml +++ b/charts/spire/charts/spire-server/templates/tests/test-connection.yaml @@ -12,7 +12,7 @@ spec: {{- toYaml .Values.podSecurityContext | nindent 4 }} containers: - name: curl - image: cgr.dev/chainguard/bash:latest + image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['bash'] args: - -c @@ -31,7 +31,7 @@ spec: {{- toYaml .Values.securityContext | nindent 8 }} {{- if eq (.Values.federation.enabled | toString) "true" }} - name: curl-federation-bundle-endpoint - image: cgr.dev/chainguard/bash:latest + image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-k', '-s', '-f', 'https://{{ include "spire-server.fullname" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.federation.bundleEndpoint.port }}'] securityContext: 
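Review bot: `tag: 5.2.15` pins the test image to a mutable tag, so the container that runs `curl` inside the cluster can change underneath a release with no chart change, and with `pullPolicy: IfNotPresent` each node keeps whatever bytes it first pulled. If the `spire-lib.image` helper (not visible here) supports a digest, add `# -- Pins the image by digest, taking precedence over tag` and `digest: ""` next to `tag`; if it does not, say in the `tag` description that the reference is not immutable. The `version: ""` key is marked deprecated inside a block that is brand new — unless the helper requires it, drop it rather than ship a deprecated key on day one.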
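Review bot: The `curl-federation-bundle-endpoint` container passes `-k`, which disables certificate verification against the very endpoint whose trust material federation peers will consume, so the test only shows the port answers TLS, not that it presents the intended identity. That predates this commit, but since the hunk now parameterises this container it is the moment to add `# NOTE: -k skips certificate verification; this is a reachability check only` above the `args:` line, or to replace `-k` with `--cacert` pointing at the bundle the test Pod can already mount. The surrounding `{{- if eq (.Values.federation.enabled | toString) "true" }}` block closes outside the hunk.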
diff --git a/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml
index 5ef7f85cf..9c9e6cdc9 100644
--- a/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml
+++ b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml
@@ -13,13 +13,13 @@ spec:
 {{- toYaml .Values.podSecurityContext | nindent 4 }}
 containers:
 - name: curl-tornjak-backend
- image: cgr.dev/chainguard/bash:latest
+ image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
 command: ['curl']
 args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.backend" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.port }}/api/tornjak/serverinfo']
 securityContext:
 {{- toYaml .Values.securityContext | nindent 8 }}
 - name: curl-tornjak-backend-and-spire
- image: cgr.dev/chainguard/bash:latest
+ image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
 command: ['curl']
 args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.backend" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.port }}/api/healthcheck']
 securityContext:
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index a46f7a5ab..564d4f553 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
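Review bot: Both test containers pass `-k` to curl against plain `http://` URLs, where the flag does nothing; it either survived from an earlier HTTPS version or signals that the Tornjak backend port is expected to be TLS, and in neither case should it stay. Drop `-k` from the two `args:` lines, or if the backend is meant to be served over TLS, switch the URLs to `https://` and verify with `--cacert` rather than disabling verification in a test that is supposed to catch misconfiguration. The hunk changes only the `image:` lines; the remainder of the Pod spec lies outside it.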
@@ -370,3 +370,18 @@ tornjak: # requests: # cpu: 100m # memory: 128Mi + +# @ignored +tests: + bash: + image: + # -- The OCI registry to pull the image from + registry: cgr.dev + # -- The repository within the registry + repository: chainguard/bash + # -- The image pull policy + pullPolicy: IfNotPresent + # -- This value is deprecated in favor of tag. (Will be removed in a future release) + version: "" + # -- Overrides the image tag + tag: 5.2.15 diff --git a/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml index 19d117c01..7f5bdc4c5 100644 --- a/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml @@ -12,7 +12,7 @@ spec: {{- toYaml .Values.podSecurityContext | nindent 4 }} containers: - name: curl-tornjak-frontend - image: cgr.dev/chainguard/bash:latest + image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-k', '-s', '-f', 'http://{{ include "tornjak-frontend.fullname" . }}.{{ include "tornjak-frontend.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}/tornjak/serverinfo'] securityContext: diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 23c78189b..7edc63387 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml 
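Review bot: The new `tests:` block is tagged `# @ignored`, which removes it from the helm-docs output, yet every field under it carries a `# --` description that will therefore never be rendered; operators who mirror images into a private registry will not learn from the README that the test image registry is overridable at all. Either drop `# @ignored` so the section is documented, or replace the `# --` markers with plain `#` comments so the intent to hide it is consistent. The descriptions also say `The OCI registry to pull the image from`, duplicating the wording of the main `image:` block in this same file; the oidc chart's copy says `# -- The OCI registry to pull the tests image from`, and matching it avoids the two blocks being confused when read in the README.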
@@ -91,3 +91,18 @@ startupProbe: failureThreshold: 6 # -- Success threshold count for startupProbe successThreshold: 1 + +# @ignored +tests: + bash: + image: + # -- The OCI registry to pull the image from + registry: cgr.dev + # -- The repository within the registry + repository: chainguard/bash + # -- The image pull policy + pullPolicy: IfNotPresent + # -- This value is deprecated in favor of tag. (Will be removed in a future release) + version: "" + # -- Overrides the image tag + tag: 5.2.15 From d0da864113a6845a1dddd4110662e117858b15fc Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Wed, 14 Jun 2023 12:46:22 -0700 Subject: [PATCH 21/33] Add missing metadata to subcharts (#347) --- charts/spire/charts/spiffe-csi-driver/Chart.yaml | 15 +++++++++++++++ charts/spire/charts/spiffe-csi-driver/README.md | 15 +++++++++++++++ .../spiffe-oidc-discovery-provider/Chart.yaml | 15 +++++++++++++++ .../spiffe-oidc-discovery-provider/README.md | 15 +++++++++++++++ charts/spire/charts/spire-agent/Chart.yaml | 15 +++++++++++++++ charts/spire/charts/spire-agent/README.md | 15 +++++++++++++++ charts/spire/charts/spire-server/Chart.yaml | 15 +++++++++++++++ charts/spire/charts/spire-server/README.md | 15 +++++++++++++++ 8 files changed, 120 insertions(+) diff --git a/charts/spire/charts/spiffe-csi-driver/Chart.yaml b/charts/spire/charts/spiffe-csi-driver/Chart.yaml index 9aaefb15a..a7d5ab008 100644 --- a/charts/spire/charts/spiffe-csi-driver/Chart.yaml +++ b/charts/spire/charts/spiffe-csi-driver/Chart.yaml 
@@ -4,3 +4,18 @@ description: A Helm chart to install the SPIFFE CSI driver. type: application version: 0.1.0 appVersion: "0.2.3" +keywords: ["spiffe", "csi-driver"] +home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +sources: + - https://github.com/spiffe/helm-charts/tree/main/charts/spire +icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png +maintainers: + - name: marcofranssen + email: marco.franssen@gmail.com + url: https://marcofranssen.nl + - name: kfox1111 + email: Kevin.Fox@pnnl.gov + - name: faisal-memon + email: fymemon@yahoo.com + - name: edwbuck + email: edwbuck@gmail.com diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md index 1d08183b2..954456acb 100644 --- a/charts/spire/charts/spiffe-csi-driver/README.md +++ b/charts/spire/charts/spiffe-csi-driver/README.md @@ -6,9 +6,24 @@ A Helm chart to install the SPIFFE CSI driver. +**Homepage:** + > **Note**: The recommended version is `0.2.3` to support arm64 nodes. If running with any > prior version to `0.2.3` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| marcofranssen | | | +| kfox1111 | | | +| faisal-memon | | | +| edwbuck | | | + +## Source Code + +* + ## Values | Key | Type | Default | Description | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml index 3c1e0491b..46eb477c3 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml 
@@ -4,3 +4,18 @@ description: A Helm chart to install the SPIFFE OIDC discovery provider. type: application version: 0.1.0 appVersion: "1.6.4" +keywords: ["spiffe", "oidc"] +home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +sources: + - https://github.com/spiffe/helm-charts/tree/main/charts/spire +icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png +maintainers: + - name: marcofranssen + email: marco.franssen@gmail.com + url: https://marcofranssen.nl + - name: kfox1111 + email: Kevin.Fox@pnnl.gov + - name: faisal-memon + email: fymemon@yahoo.com + - name: edwbuck + email: edwbuck@gmail.com diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 2079babab..037327097 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md @@ -6,10 +6,25 @@ A Helm chart to install the SPIFFE OIDC discovery provider. +**Homepage:** + > **Note**: Minimum Spire version is `1.5.3`. > The recommended version is `1.6.0` to support arm64 nodes. If running with any > prior version to `1.6.0` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| marcofranssen | | | +| kfox1111 | | | +| faisal-memon | | | +| edwbuck | | | + +## Source Code + +* + ## Values | Key | Type | Default | Description | diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml index 5a566bccb..f6ab3f0b1 100644 --- a/charts/spire/charts/spire-agent/Chart.yaml +++ b/charts/spire/charts/spire-agent/Chart.yaml 
@@ -4,3 +4,18 @@ description: A Helm chart to install the SPIRE agent. type: application version: 0.1.0 appVersion: "1.6.4" +keywords: ["spiffe", "spire-agent"] +home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +sources: + - https://github.com/spiffe/helm-charts/tree/main/charts/spire +icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png +maintainers: + - name: marcofranssen + email: marco.franssen@gmail.com + url: https://marcofranssen.nl + - name: kfox1111 + email: Kevin.Fox@pnnl.gov + - name: faisal-memon + email: fymemon@yahoo.com + - name: edwbuck + email: edwbuck@gmail.com diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 25be0e9e7..ccaa07b1c 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -6,10 +6,25 @@ A Helm chart to install the SPIRE agent. +**Homepage:** + > **Note**: Minimum Spire version is `1.5.3`. > The recommended version is `1.6.0` to support arm64 nodes. If running with any > prior version to `1.6.0` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| marcofranssen | | | +| kfox1111 | | | +| faisal-memon | | | +| edwbuck | | | + +## Source Code + +* + ## Values | Key | Type | Default | Description | diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml index 3614da407..bf2caf64f 100644 --- a/charts/spire/charts/spire-server/Chart.yaml +++ b/charts/spire/charts/spire-server/Chart.yaml 
@@ -4,3 +4,18 @@ description: A Helm chart to install the SPIRE server. type: application version: 0.1.0 appVersion: "1.6.4" +keywords: ["spiffe", "spire-server", "spire-controller-manager"] +home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +sources: + - https://github.com/spiffe/helm-charts/tree/main/charts/spire +icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png +maintainers: + - name: marcofranssen + email: marco.franssen@gmail.com + url: https://marcofranssen.nl + - name: kfox1111 + email: Kevin.Fox@pnnl.gov + - name: faisal-memon + email: fymemon@yahoo.com + - name: edwbuck + email: edwbuck@gmail.com diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index ccccebc2b..c5aaa9d68 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -6,6 +6,8 @@ A Helm chart to install the SPIRE server. +**Homepage:** + > **Note**: Minimum Spire version is `1.5.3`. > The recommended version is `1.6.0` to support arm64 nodes. If running with any > prior version to `1.6.0` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. @@ -13,6 +15,19 @@ A Helm chart to install the SPIRE server. > The recommended spire-controller-manager version is `0.2.2` to support arm64 nodes. If running with any > prior version to `0.2.2` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| marcofranssen | | | +| kfox1111 | | | +| faisal-memon | | | +| edwbuck | | | + +## Source Code + +* + ## Values | Key | Type | Default | Description | From b66077eff1732d78d4351d69f390775bce67d759 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 15 Jun 2023 09:53:51 -0700 Subject: [PATCH 22/33] Bump peter-evans/create-pull-request from 5.0.1 to 5.0.2 (#349) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 5.0.1 to 5.0.2.
Release notes

Sourced from peter-evans/create-pull-request's releases.

Create Pull Request v5.0.2

⚙️ Fixes an issue that occurs when using push-to-fork and both base and head repositories are in the same org/user account.

What's Changed

Full Changelog: https://github.com/peter-evans/create-pull-request/compare/v5.0.1...v5.0.2

Commits
  • 1534078 fix: specify head repo (#2044)
  • 143be5d build(deps-dev): bump @​typescript-eslint/parser from 5.59.9 to 5.59.11 (#2048)
  • 51e8ca2 build(deps-dev): bump @​types/node from 18.16.16 to 18.16.18 (#2047)
  • 712add8 build(deps-dev): bump @​types/jest from 29.5.1 to 29.5.2 (#2026)
  • a9e8aab build(deps-dev): bump eslint from 8.41.0 to 8.42.0 (#2024)
  • 37be4ff build(deps-dev): bump @​typescript-eslint/parser from 5.59.8 to 5.59.9 (#2023)
  • a5f0e5d build(deps-dev): bump eslint-plugin-github from 4.7.0 to 4.8.0 (#2025)
  • 9ef70ee build(deps-dev): bump @​types/node from 18.16.14 to 18.16.16 (#2009)
  • 0a28773 build(deps-dev): bump @​typescript-eslint/parser from 5.59.7 to 5.59.8 (#2008)
  • 4ddb8c8 build: update distribution (#1986)
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=peter-evans/create-pull-request&package-manager=github_actions&previous-version=5.0.1&new-version=5.0.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/check-versions.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/check-versions.yaml b/.github/workflows/check-versions.yaml
index 12523b163..913808ce4 100644
--- a/.github/workflows/check-versions.yaml
+++ b/.github/workflows/check-versions.yaml
@@ -34,7 +34,7 @@ jobs:
 - name: Create Pull Request
 id: cpr
- uses: peter-evans/create-pull-request@v5.0.1
+ uses: peter-evans/create-pull-request@v5.0.2
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 title: Bump test chart dependencies
From c97a788c850918470a0a1af74fb410af5e4f96bd Mon Sep 17 00:00:00 2001
From: kfox1111
Date: Thu, 15 Jun 2023 23:55:49 -0700
Subject: [PATCH 23/33] Fix bundle role/rolebinding naming conflict (#333)
---
 charts/spire/charts/spire-server/templates/roles.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/spire/charts/spire-server/templates/roles.yaml b/charts/spire/charts/spire-server/templates/roles.yaml
index f1bf0fafd..fc08e6adc 100644
--- a/charts/spire/charts/spire-server/templates/roles.yaml
+++ b/charts/spire/charts/spire-server/templates/roles.yaml
@@ -3,7 +3,7 @@
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: {{ include "spire-server.fullname" . }}-bundle
+ name: {{ include "spire-lib.bundle-configmap" . }}
 namespace: {{ .Values.notifier.k8sbundle.namespace | default $namespace }}
 rules:
 - apiGroups: [""]
@@ -50,7 +50,7 @@ roleRef:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: {{ include "spire-server.fullname" . }}-bundle
+ name: {{ include "spire-lib.bundle-configmap" . }}
 namespace: {{ .Values.notifier.k8sbundle.namespace | default $namespace }}
 subjects:
 - kind: ServiceAccount
@@ -58,7 +58,7 @@ subjects:
 namespace: {{ $namespace }}
 roleRef:
 kind: Role
- name: {{ include "spire-server.fullname" . }}-bundle
+ name: {{ include "spire-lib.bundle-configmap" . }}
 apiGroup: rbac.authorization.k8s.io
 {{- if and .Values.nodeAttestor.k8sPsat.enabled }}
From e6b608c9fdde3aa9454b96ec0f95dc8dc8949249 Mon Sep 17 00:00:00 2001
From: kfox1111
Date: Fri, 16 Jun 2023 00:26:59 -0700
Subject: [PATCH 24/33] Bump spire images to 1.7.0 (#348)
---
 charts/spire/Chart.yaml | 2 +-
 charts/spire/README.md | 2 +-
 charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml | 2 +-
 charts/spire/charts/spiffe-oidc-discovery-provider/README.md | 2 +-
 charts/spire/charts/spire-agent/Chart.yaml | 2 +-
 charts/spire/charts/spire-agent/README.md | 2 +-
 charts/spire/charts/spire-server/Chart.yaml | 2 +-
 charts/spire/charts/spire-server/README.md | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml
index bc7b13dfa..6d0a84f58 100644
--- a/charts/spire/Chart.yaml
+++ b/charts/spire/Chart.yaml
@@ -4,7 +4,7 @@ description: >
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
 version: 0.8.1
-appVersion: "1.6.4"
+appVersion: "1.7.0"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts/tree/main/charts/spire
 sources:
diff --git a/charts/spire/README.md b/charts/spire/README.md
index 9bd432f7e..54298dae0 100644
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
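Review bot: Renaming the Role and RoleBinding (this `roleRef` hunk together with the two `metadata.name` hunks above it) is a delete-and-create for Helm, not an in-place update, so during `helm upgrade` the spire-server ServiceAccount briefly has no grant on the bundle ConfigMap in `notifier.k8sbundle.namespace`; whether the k8sbundle notifier retries after a forbidden write is not visible here, so this deserves a line in the chart's upgrade notes. The Role now carries the same name as the ConfigMap it governs, which is legal across kinds, but a comment above `kind: Role` such as `# Named after the bundle ConfigMap so two releases sharing a bundle namespace cannot collide on the RBAC objects` would stop the next reader from treating it as a copy-paste error. The `rules:` the Role grants, and the rest of `roles.yaml`, are outside these hunks.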
@@ -2,7 +2,7 @@ -![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) +![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.0](https://img.shields.io/badge/AppVersion-1.7.0-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml index 46eb477c3..5bd5c3ec2 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml @@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider description: A Helm chart to install the SPIFFE OIDC discovery provider. type: application version: 0.1.0 -appVersion: "1.6.4" +appVersion: "1.7.0" keywords: ["spiffe", "oidc"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 037327097..7b608e9b1 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -2,7 +2,7 @@ -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.0](https://img.shields.io/badge/AppVersion-1.7.0-informational?style=flat-square) A Helm chart to install the SPIFFE OIDC discovery provider. diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml index f6ab3f0b1..5b585f36e 100644 --- a/charts/spire/charts/spire-agent/Chart.yaml +++ b/charts/spire/charts/spire-agent/Chart.yaml @@ -3,7 +3,7 @@ name: spire-agent description: A Helm chart to install the SPIRE agent. type: application version: 0.1.0 -appVersion: "1.6.4" +appVersion: "1.7.0" keywords: ["spiffe", "spire-agent"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index ccaa07b1c..dbe043058 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -2,7 +2,7 @@ -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.0](https://img.shields.io/badge/AppVersion-1.7.0-informational?style=flat-square) A Helm chart to install the SPIRE agent. diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml index bf2caf64f..39460ad8a 100644 --- a/charts/spire/charts/spire-server/Chart.yaml +++ b/charts/spire/charts/spire-server/Chart.yaml @@ -3,7 +3,7 @@ name: spire-server description: A Helm chart to install the SPIRE server. type: application version: 0.1.0 -appVersion: "1.6.4" +appVersion: "1.7.0" keywords: ["spiffe", "spire-server", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index c5aaa9d68..fc2e78a70 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -2,7 +2,7 @@
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square)
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.0](https://img.shields.io/badge/AppVersion-1.7.0-informational?style=flat-square)
 A Helm chart to install the SPIRE server.
From 9d504de05b20813e0b3c13d60b402e3a9e11d10a Mon Sep 17 00:00:00 2001 From: Faisal Memon Date: Thu, 15 Jun 2023 16:18:51 -0700 Subject: [PATCH 25/33] Ignore .DS_Store files Signed-off-by: Faisal Memon
---
 .gitignore | 1 + 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 2fd91b671..1ad54ad80 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ bin/
 .idea/
 *.swp
 charts/**/*.tgz
+.DS_Store
From 020bde8561d69a20c3a64b8dee60ffb9d6dc9bab Mon Sep 17 00:00:00 2001
From: Drew Wells Date: Fri, 16 Jun 2023 16:04:11 -0500 Subject: [PATCH 26/33] Add support to create a issuer and CA via cert-manager (#342) Co-authored-by: Kevin Fox --- .../cert-manager-ca.yaml | 31 ----------- .../pre-install.sh | 2 - .../values.yaml | 3 +- charts/spire/README.md | 18 ++++-- charts/spire/charts/spire-server/README.md | 18 ++++-- .../spire-server/templates/configmap.yaml | 2 +- .../charts/spire-server/templates/issuer.yaml | 55 +++++++++++++++++++ .../templates/post-install-hook.yaml | 2 +- .../templates/post-upgrade-hook.yaml | 2 +- .../templates/pre-upgrade-hook.yaml | 2 +- .../charts/spire-server/templates/roles.yaml | 1 + .../spire-server/templates/statefulset.yaml | 17 +++++- charts/spire/charts/spire-server/values.yaml | 41 +++++++++----- 13 files changed, 130 insertions(+), 64 deletions(-) delete mode 100644 .github/tests/upstream-authority-cert-manager/cert-manager-ca.yaml create mode 100644 charts/spire/charts/spire-server/templates/issuer.yaml diff --git a/.github/tests/upstream-authority-cert-manager/cert-manager-ca.yaml b/.github/tests/upstream-authority-cert-manager/cert-manager-ca.yaml deleted file mode 100644 index dbbe20158..000000000 --- a/.github/tests/upstream-authority-cert-manager/cert-manager-ca.yaml +++ /dev/null @@ -1,31 +0,0 @@ ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: selfsigned-issuer -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: demo-selfsigned-ca -spec: - isCA: true - commonName: demo-selfsigned-ca - secretName: root-secret - privateKey: - algorithm: ECDSA - size: 256 - issuerRef: - name: selfsigned-issuer - kind: Issuer - group: cert-manager.io ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: demo-ca -spec: - ca: - secretName: root-secret diff --git a/.github/tests/upstream-authority-cert-manager/pre-install.sh b/.github/tests/upstream-authority-cert-manager/pre-install.sh index 9508f5d48..69f25fdeb 100755 
--- a/.github/tests/upstream-authority-cert-manager/pre-install.sh
+++ b/.github/tests/upstream-authority-cert-manager/pre-install.sh
@@ -5,5 +5,3 @@ SCRIPTPATH="$(dirname "${SCRIPT}")"
 scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
 helm install cert-manager cert-manager --namespace cert-manager --create-namespace --version "$VERSION_CERT_MANAGER" --set installCRDs=true --repo "$HELM_REPO_CERT_MANAGER" --wait
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-kubectl apply -f "${SCRIPT_DIR}/cert-manager-ca.yaml" -n "$scenario"
diff --git a/.github/tests/upstream-authority-cert-manager/values.yaml b/.github/tests/upstream-authority-cert-manager/values.yaml
index 08fbec755..ddb0a5a17 100644
--- a/.github/tests/upstream-authority-cert-manager/values.yaml
+++ b/.github/tests/upstream-authority-cert-manager/values.yaml
@@ -2,4 +2,5 @@ spire-server:
 upstreamAuthority:
 certManager:
 enabled: true
- issuer_name: "demo-ca"
+ ca:
+ create: true
diff --git a/charts/spire/README.md b/charts/spire/README.md
index 54298dae0..010941d30 100644
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
@@ -306,11 +306,6 @@ Now you can interact with the Spire agent socket from your own application. The | spire-server.controllerManager.service.port | int | `443` | | | spire-server.controllerManager.service.type | string | `"ClusterIP"` | | | spire-server.controllerManager.validatingWebhookConfiguration.failurePolicy | string | `"Fail"` | | -| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | -| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.repository | string | `"rancher/kubectl"` | The repository within the registry | -| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.tag | string | `""` | Overrides the image tag | -| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spire-server.dataStore.sql.databaseName | string | `"spire"` | Only used by "postgres" or "mysql" | | spire-server.dataStore.sql.databaseType | string | `"sqlite3"` | Other supported databases are "postgres" and "mysql" | | spire-server.dataStore.sql.host | string | `""` | Only used by "postgres" or "mysql" | 
@@ -382,6 +377,11 @@ Now you can interact with the Spire agent socket from your own application. The | spire-server.telemetry.prometheus.podMonitor.labels | object | `{}` | | | spire-server.telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spire-server | | spire-server.tolerations | list | `[]` | | +| spire-server.tools.kubectl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | +| spire-server.tools.kubectl.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | +| spire-server.tools.kubectl.image.repository | string | `"rancher/kubectl"` | The repository within the registry | +| spire-server.tools.kubectl.image.tag | string | `""` | Overrides the image tag | +| spire-server.tools.kubectl.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spire-server.topologySpreadConstraints | list | `[]` | | | spire-server.tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information | | spire-server.tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) (Not for production) | 
@@ -400,10 +400,16 @@ Now you can interact with the Spire agent socket from your own application. The | spire-server.tornjak.startupProbe.successThreshold | int | `1` | | | spire-server.tornjak.startupProbe.timeoutSeconds | int | `5` | | | spire-server.trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers | +| spire-server.upstreamAuthority.certManager.ca.create | bool | `false` | Creates a Cert-Manager CA | +| spire-server.upstreamAuthority.certManager.ca.duration | string | `"87600h"` | Duration of the CA. Defaults to 10 years. | +| spire-server.upstreamAuthority.certManager.ca.privateKey.algorithm | string | `"ECDSA"` | | +| spire-server.upstreamAuthority.certManager.ca.privateKey.rotationPolicy | string | `""` | | +| spire-server.upstreamAuthority.certManager.ca.privateKey.size | int | `256` | | +| spire-server.upstreamAuthority.certManager.ca.renewBefore | string | `""` | How long to wait before renewing the CA | | spire-server.upstreamAuthority.certManager.enabled | bool | `false` | | | spire-server.upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` | | | spire-server.upstreamAuthority.certManager.issuer_kind | string | `"Issuer"` | | -| spire-server.upstreamAuthority.certManager.issuer_name | string | `"spire-ca"` | | +| spire-server.upstreamAuthority.certManager.issuer_name | string | `""` | Defaults to the release name, override if CA is provided outside of the chart | | spire-server.upstreamAuthority.certManager.kube_config_file | string | `""` | | | spire-server.upstreamAuthority.certManager.namespace | string | `""` | Specify to use a namespace other then the one the chart is installed into | | spire-server.upstreamAuthority.certManager.rbac.create | bool | `true` | | diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index fc2e78a70..36bcbe409 100644 --- a/charts/spire/charts/spire-server/README.md 
+++ b/charts/spire/charts/spire-server/README.md @@ -67,11 +67,6 @@ A Helm chart to install the SPIRE server. | controllerManager.service.port | int | `443` | | | controllerManager.service.type | string | `"ClusterIP"` | | | controllerManager.validatingWebhookConfiguration.failurePolicy | string | `"Fail"` | | -| controllerManager.validatingWebhookConfiguration.upgradeHook.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| controllerManager.validatingWebhookConfiguration.upgradeHook.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | -| controllerManager.validatingWebhookConfiguration.upgradeHook.image.repository | string | `"rancher/kubectl"` | The repository within the registry | -| controllerManager.validatingWebhookConfiguration.upgradeHook.image.tag | string | `""` | Overrides the image tag | -| controllerManager.validatingWebhookConfiguration.upgradeHook.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | dataStore.sql.databaseName | string | `"spire"` | Only used by "postgres" or "mysql" | | dataStore.sql.databaseType | string | `"sqlite3"` | Other supported databases are "postgres" and "mysql" | | dataStore.sql.host | string | `""` | Only used by "postgres" or "mysql" | 
@@ -143,6 +138,11 @@ A Helm chart to install the SPIRE server. | telemetry.prometheus.podMonitor.labels | object | `{}` | | | telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spire-server | | tolerations | list | `[]` | | +| tools.kubectl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | +| tools.kubectl.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | +| tools.kubectl.image.repository | string | `"rancher/kubectl"` | The repository within the registry | +| tools.kubectl.image.tag | string | `""` | Overrides the image tag | +| tools.kubectl.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | topologySpreadConstraints | list | `[]` | | | tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information | | tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) (Not for production) | 
@@ -161,10 +161,16 @@ A Helm chart to install the SPIRE server. | tornjak.startupProbe.successThreshold | int | `1` | | | tornjak.startupProbe.timeoutSeconds | int | `5` | | | trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers | +| upstreamAuthority.certManager.ca.create | bool | `false` | Creates a Cert-Manager CA | +| upstreamAuthority.certManager.ca.duration | string | `"87600h"` | Duration of the CA. Defaults to 10 years. | +| upstreamAuthority.certManager.ca.privateKey.algorithm | string | `"ECDSA"` | | +| upstreamAuthority.certManager.ca.privateKey.rotationPolicy | string | `""` | | +| upstreamAuthority.certManager.ca.privateKey.size | int | `256` | | +| upstreamAuthority.certManager.ca.renewBefore | string | `""` | How long to wait before renewing the CA | | upstreamAuthority.certManager.enabled | bool | `false` | | | upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` | | | upstreamAuthority.certManager.issuer_kind | string | `"Issuer"` | | -| upstreamAuthority.certManager.issuer_name | string | `"spire-ca"` | | +| upstreamAuthority.certManager.issuer_name | string | `""` | Defaults to the release name, override if CA is provided outside of the chart | | upstreamAuthority.certManager.kube_config_file | string | `""` | | | upstreamAuthority.certManager.namespace | string | `""` | Specify to use a namespace other then the one the chart is installed into | | upstreamAuthority.certManager.rbac.create | bool | `true` | | diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index ad228241f..cf53d4855 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml 
@@ -78,7 +78,7 @@ plugins:
 UpstreamAuthority:
 - cert-manager:
 plugin_data:
- issuer_name: {{ .issuer_name | quote }}
+ issuer_name: {{ default .issuer_name (include "spire-server.fullname" $root) }}
 issuer_kind: {{ .issuer_kind | quote }}
 issuer_group: {{ .issuer_group | quote }}
 namespace: {{ default $root.Release.Namespace .namespace | quote }}
diff --git a/charts/spire/charts/spire-server/templates/issuer.yaml b/charts/spire/charts/spire-server/templates/issuer.yaml
new file mode 100644
index 000000000..4ce6c2522
--- /dev/null
+++ b/charts/spire/charts/spire-server/templates/issuer.yaml
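Review bot: The new `issuer_name` line has the `default` arguments reversed, so a user-supplied `issuer_name` is never used: Sprig's `default` takes the fallback first and the tested value second, and `include "spire-server.fullname" $root` is never empty, so the rendered name is always the chart fullname and the README's "override if CA is provided outside of the chart" cannot take effect. The line also drops the `| quote` that the neighbouring `issuer_kind`, `issuer_group` and `namespace` keys keep. Suggested: `issuer_name: {{ default (include "spire-server.fullname" $root) .issuer_name | quote }}`. The enclosing `cert-manager` plugin block continues outside the hunk.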
@@ -0,0 +1,55 @@
+{{- with .Values.upstreamAuthority.certManager }}
+{{ if and .enabled .ca.create }}
+{{/*
+Configuring CA Issuer: https://cert-manager.io/docs/configuration/ca/
+*/}}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "spire-server.fullname" $ }}-selfsigned
+ namespace: {{ include "spire-server.namespace" $ }}
+ labels:
+ {{- include "spire-server.labels" $ | nindent 4}}
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "spire-server.fullname" $ }}
+ namespace: {{ include "spire-server.namespace" $ }}
+spec:
+ isCA: true
+ commonName: {{ $.Values.ca_subject.common_name }}
+ secretName: {{ include "spire-server.fullname" $ }}-ca-keys
+ duration: {{ $.Values.upstreamAuthority.certManager.ca.duration }}
+ subject:
+ countries:
+ - {{ $.Values.ca_subject.country }}
+ organizations:
+ - {{ $.Values.ca_subject.organization }}
+ privateKey:
+ algorithm: {{ $.Values.upstreamAuthority.certManager.ca.privateKey.algorithm }}
+ size: {{ $.Values.upstreamAuthority.certManager.ca.privateKey.size }}
+ {{- with $.Values.upstreamAuthority.certManager.ca.privateKey.rotationPolicy }}
+ rotationPolicy: {{ . }}
+ {{- end }}
+ {{- with $.Values.upstreamAuthority.certManager.ca.renewBefore }}
+ renewBefore: {{ . }}
+ {{- end }}
+ issuerRef:
+ name: {{ include "spire-server.fullname" $ }}-selfsigned
+ kind: Issuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "spire-server.fullname" $ }}
+ namespace: {{ include "spire-server.namespace" $ }}
+spec:
+ ca:
+ secretName: {{ include "spire-server.fullname" $ }}-ca-keys
+---
+{{- end }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/post-install-hook.yaml b/charts/spire/charts/spire-server/templates/post-install-hook.yaml
index 39607e225..98d6ac91b 100644
--- a/charts/spire/charts/spire-server/templates/post-install-hook.yaml
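Review bot: The `Certificate` and the CA `Issuer` in this new file carry no `labels`, while the self-signed `Issuer` above them does; all three should include `{{- include "spire-server.labels" $ | nindent 4 }}` so they are selected and cleaned up together with the rest of the release. The `commonName`, `countries` and `organizations` entries are rendered from `ca_subject` values unquoted, so a two-letter country code such as `NO` or a name containing `: ` is retyped or breaks the YAML; render them with `| quote`, e.g. `commonName: {{ $.Values.ca_subject.common_name | quote }}`. Note also that `rotationPolicy` defaults to `""`, which as far as I know leaves cert-manager at its default of reusing the existing CA private key on every renewal; if that is intended it is worth saying so next to the value in values.yaml.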
+++ b/charts/spire/charts/spire-server/templates/post-install-hook.yaml
@@ -63,7 +63,7 @@ spec:
 - name: post-install-job
 securityContext:
 {{- toYaml .Values.securityContext | nindent 10 }}
- image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
+ image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
 args:
 - patch
 - validatingwebhookconfiguration
diff --git a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml
index d518116b2..b179be45d 100644
--- a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml
+++ b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml
@@ -63,7 +63,7 @@ spec:
 - name: post-upgrade-job
 securityContext:
 {{- toYaml .Values.securityContext | nindent 10 }}
- image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
+ image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
 args:
 - patch
 - validatingwebhookconfiguration
diff --git a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml
index 47f8ab1c2..54f9ae06b 100644
--- a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml
+++ b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml
@@ -63,7 +63,7 @@ spec:
 - name: post-install-job
 securityContext:
 {{- toYaml .Values.securityContext | nindent 10 }}
- image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
+ image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
 args:
 - patch
 - validatingwebhookconfiguration
diff --git a/charts/spire/charts/spire-server/templates/roles.yaml b/charts/spire/charts/spire-server/templates/roles.yaml
index fc08e6adc..6c667e723 100644
--- a/charts/spire/charts/spire-server/templates/roles.yaml
+++ b/charts/spire/charts/spire-server/templates/roles.yaml
@@ -24,6 +24,7 @@ rules:
 - apiGroups: ["cert-manager.io"]
 resources:
 - certificaterequests
+ - issuers
 verbs:
 - list
 - get
diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml
index 883bbcbf2..1540dd0d1 100644
--- a/charts/spire/charts/spire-server/templates/statefulset.yaml
+++ b/charts/spire/charts/spire-server/templates/statefulset.yaml
@@ -42,8 +42,23 @@ spec:
 shareProcessNamespace: true
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
- {{- if gt (len .Values.initContainers) 0 }}
 initContainers:
+ {{- if and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.createCA }}
+ - name: wait
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
+ args:
+ - wait
+ - --namespace
+ - {{ .Release.Namespace }}
+ - --timeout=3m
+ - --for=condition=ready
+ - issuer
+ - {{ include "spire-server.fullname" $ }}
+ imagePullPolicy: {{ .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image.pullPolicy }}
+ {{- end }}
+ {{- if gt (len .Values.initContainers) 0 }}
 {{- toYaml .Values.initContainers | nindent 8 }}
 {{- end }}
 containers:
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index 564d4f553..17095b012 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -188,12 +188,25 @@ upstreamAuthority:
 enabled: false
 rbac:
 create: true
- issuer_name: "spire-ca"
+ # -- Defaults to the release name, override if CA is provided outside of the chart
+ issuer_name: ""
 issuer_kind: "Issuer"
 issuer_group: "cert-manager.io"
 # -- Specify to use a namespace other then the one the chart is installed into
 namespace: ""
 kube_config_file: ""
+
+ ca:
+ # -- Creates a Cert-Manager CA
+ create: false
+ # -- Duration of the CA. Defaults to 10 years.
+ duration: 87600h
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ rotationPolicy: ""
+ # -- How long to wait before renewing the CA
+ renewBefore: ""
 spire:
 enabled: false
 server:
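Review bot: The guard on the new `wait` init container tests `.Values.upstreamAuthority.certManager.createCA`, but the values hunk in this same commit defines the flag as `upstreamAuthority.certManager.ca.create`, so the condition is always false and the wait container never renders; it should read `{{- if and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.ca.create }}`. That masks a second problem: the container's `image:` and `imagePullPolicy:` lines still dereference `.Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image`, which the values.yaml hunk below removes in favour of `tools.kubectl.image` (the three hook templates were updated accordingly), so once the guard is fixed rendering fails on a nil value. Both lines should use `.Values.tools.kubectl.image` and `.Values.tools.kubectl.image.pullPolicy`, as the post-install hook does. The `--namespace` argument also uses `.Release.Namespace` while issuer.yaml creates the Issuer in `{{ include "spire-server.namespace" $ }}`, so the two diverge when a namespace override is set.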
@@ -269,18 +282,20 @@ controllerManager:
 validatingWebhookConfiguration:
 failurePolicy: Fail
- upgradeHook:
- image:
- # -- The OCI registry to pull the image from
- registry: docker.io
- # -- The repository within the registry
- repository: rancher/kubectl
- # -- The image pull policy
- pullPolicy: IfNotPresent
- # -- This value is deprecated in favor of tag. (Will be removed in a future release)
- version: ""
- # -- Overrides the image tag
- tag: ""
+
+tools:
+ kubectl:
+ image:
+ # -- The OCI registry to pull the image from
+ registry: docker.io
+ # -- The repository within the registry
+ repository: rancher/kubectl
+ # -- The image pull policy
+ pullPolicy: IfNotPresent
+ # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+ version: ""
+ # -- Overrides the image tag
+ tag: ""
 telemetry:
 prometheus:
From e88f7f6fe2ffacc7b158cd3f4a3a390d7fc63d4f Mon Sep 17 00:00:00 2001 From: Faisal Memon Date: Fri, 16 Jun 2023 14:22:44 -0700 Subject: [PATCH 27/33] Add configmap annotation to spire-bundle configmap (#351)
---
 .../spire/charts/spire-server/templates/bundle-configmap.yaml | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/charts/spire/charts/spire-server/templates/bundle-configmap.yaml b/charts/spire/charts/spire-server/templates/bundle-configmap.yaml
index ea4224eab..95b7dd230 100644
--- a/charts/spire/charts/spire-server/templates/bundle-configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/bundle-configmap.yaml
@@ -4,3 +4,7 @@ kind: ConfigMap
 metadata:
 name: {{ include "spire-lib.bundle-configmap" . }}
 namespace: {{ .Values.notifier.k8sbundle.namespace | default $namespace }}
+ {{- with .Values.configMap.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
From 9cf6049afd11c3dd44b3fc5d3bffa6dda4c2195b Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Fri, 16 Jun 2023 23:37:06 +0200 Subject: [PATCH 28/33] Allow contributors to run linting easily on local
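Review bot: The new `with .Values.configMap.annotations` block in bundle-configmap.yaml reads a value this commit does not declare — the diffstat lists only the template — so unless `configMap.annotations` already exists in spire-server's values.yaml it is an undocumented knob that helm-docs will not list and that silently renders nothing. Add `configMap:` / `  # -- Annotations to add to the spire-bundle ConfigMap` / `  annotations: {}` to values.yaml (and regenerate the README) so the option is discoverable and typed as a map.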
Signed-off-by: Marco Franssen
---
 .github/workflows/helm-chart-ci.yaml | 4 +--- Makefile | 12 ++++++++++++ ct.yaml | 11 +++++++++++ 3 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 ct.yaml
diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml
index 3d5fa5063..3210c9929 100644
--- a/.github/workflows/helm-chart-ci.yaml
+++ b/.github/workflows/helm-chart-ci.yaml
@@ -94,9 +94,7 @@ jobs:
 version: ${{ env.CHART_TESTING_VERSION }}
 - name: Run chart-testing (lint)
- run: |
- ct lint --debug ${{ github.base_ref != 'release' && '--check-version-increment=false' || '' }} \
- --target-branch ${{ github.base_ref }}
+ run: TARGET_BRANCH=${{ github.base_ref }} make lint${{ github.base_ref == 'release' && '-release' || '' }}
 outputs:
 changed: ${{ steps.list-changed.outputs.changed }}
diff --git a/Makefile b/Makefile
index ac98f14fc..6b550d561 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,20 @@
+TARGET_BRANCH ?= main
+
 .PHONY: help
 help: ## Display this help.
 @$(MAKE) help
 @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+##@ Linting:
+
+.PHONY: lint
+lint: ## Lint the charts using chart-testing
+ @echo Linting charts…
+ @ct lint --config ct.yaml --target-branch $(TARGET_BRANCH) --check-version-increment=false
+
+lint-release: ## Lint the charts using chart-testing for release
+ @echo Linting charts…
+ @ct lint --config ct.yaml --target-branch $(TARGET_BRANCH)
 ##@ Testing:
diff --git a/ct.yaml b/ct.yaml
new file mode 100644
index 000000000..affa496e1
--- /dev/null
+++ b/ct.yaml
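Review bot: The rewritten `run:` line splices `${{ github.base_ref }}` directly into the shell command; `base_ref` is the pull request's target branch and therefore repository-controlled, but the recommended pattern for any expression inside `run:` is to hand it over through `env:` and read a shell variable, which also removes quoting surprises for unusual branch names. For example `env:` / `  TARGET_BRANCH: ${{ github.base_ref }}` followed by `run: make lint${{ github.base_ref == 'release' && '-release' || '' }}`; the Makefile's `TARGET_BRANCH ?= main` already honours an environment override, so nothing else changes. The surrounding job definition continues outside the hunk.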
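Review bot: `lint-release` is added without a `.PHONY` entry while `lint` directly above it has one, so a file named `lint-release` in the repository root would silently satisfy the target. Change `.PHONY: lint` to `.PHONY: lint lint-release`. Both recipes also pass `--config ct.yaml` as a relative path, so they only work when invoked from the repository root; `--config $(CURDIR)/ct.yaml` would make that explicit.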
@@ -0,0 +1,11 @@
+remote: origin
+target-branch: main
+chart-dirs:
+ - charts
+chart-repos:
+ - spiffe=https://spiffe.github.io/helm-charts/
+ - bitnami=https://charts.bitnami.com/bitnami
+ - ingress-nginx=https://kubernetes.github.io/ingress-nginx
+exclude-deprecated: true
+debug: true
+helm-extra-args: "--timeout 15m"
From a6dcf267d1204a652181eb9a27c47f78be0b7ac9 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Sat, 17 Jun 2023 01:32:41 -0700 Subject: [PATCH 29/33] Allow for SPIRE Agent to run as non root user (#209) Co-authored-by: Marco Franssen Co-authored-by: Faisal Memon
---
 charts/spire/README.md | 6 ++++++ charts/spire/charts/spire-agent/README.md | 6 ++++++ .../charts/spire-agent/templates/daemonset.yaml | 16 ++++++++++++++++ charts/spire/charts/spire-agent/values.yaml | 17 +++++++++++++++++ examples/production/values.yaml | 12 ++++++++++++ 5 files changed, 57 insertions(+)
diff --git a/charts/spire/README.md b/charts/spire/README.md
index 010941d30..0f4a12cd8 100644
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
@@ -226,6 +226,12 @@ Now you can interact with the Spire agent socket from your own application. The | spire-agent.extraContainers | list | `[]` | | | spire-agent.extraVolumeMounts | list | `[]` | | | spire-agent.extraVolumes | list | `[]` | | +| spire-agent.fsGroupFix.image.pullPolicy | string | `"Always"` | The image pull policy | +| spire-agent.fsGroupFix.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from | +| spire-agent.fsGroupFix.image.repository | string | `"chainguard/bash"` | The repository within the registry | +| spire-agent.fsGroupFix.image.tag | string | `"latest-20230517"` | Overrides the image tag | +| spire-agent.fsGroupFix.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | +| spire-agent.fsGroupFix.resources | object | `{}` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | | spire-agent.fullnameOverride | string | `""` | | | spire-agent.healthChecks.port | int | `9980` | override the host port used for health checking | | spire-agent.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index dbe043058..27d8994ef 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -35,6 +35,12 @@ A Helm chart to install the SPIRE agent. | extraContainers | list | `[]` | | | extraVolumeMounts | list | `[]` | | | extraVolumes | list | `[]` | | +| fsGroupFix.image.pullPolicy | string | `"Always"` | The image pull policy | +| fsGroupFix.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from | +| fsGroupFix.image.repository | string | `"chainguard/bash"` | The repository within the registry | +| fsGroupFix.image.tag | string | `"latest-20230517"` | Overrides the image tag | +| fsGroupFix.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | +| fsGroupFix.resources | object | `{}` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | | fullnameOverride | string | `""` | | | healthChecks.port | int | `9980` | override the host port used for health checking | | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index 00af61361..075d74374 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml 
@@ -43,6 +43,22 @@ spec:
 args: ["-t", "30", "-h", "{{ include "spire-agent.server-address" . | trim }}", "-p", {{ .Values.server.port | quote }}]
 resources:
 {{- toYaml .Values.waitForIt.resources | nindent 12 }}
+ {{- if gt (int (dig "fsGroup" 0 .Values.podSecurityContext)) 0 }}
+ - name: fsgroupfix
+ image: {{ template "spire-lib.image" (dict "image" .Values.fsGroupFix.image "global" .Values.global) }}
+ imagePullPolicy: {{ .Values.fsGroupFix.image.pullPolicy }}
+ command: ["bash", "-c"]
+ args:
+ - "chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ include "spire-agent.socket-path" . | dir }}"
+ resources:
+ {{- toYaml .Values.fsGroupFix.resources | nindent 12 }}
+ volumeMounts:
+ - name: spire-agent-socket-dir
+ mountPath: {{ include "spire-agent.socket-path" . | dir }}
+ securityContext:
+ runAsUser: 0
+ runAsGroup: 0
+ {{- end }}
 {{- if gt (len .Values.initContainers) 0 }}
 {{- toYaml .Values.initContainers | nindent 8 }}
 {{- end }}
diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml
index a1b42722f..932e4ff5e 100644
--- a/charts/spire/charts/spire-agent/values.yaml
+++ b/charts/spire/charts/spire-agent/values.yaml
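Review bot: The new `fsgroupfix` init container wraps a single `chown -R` in `bash -c` with three template values spliced into one command string, although nothing here needs a shell; invoking the binary directly avoids word splitting and quoting surprises in the socket path. Suggested: `command: ["chown", "-R"]` and `args: ["{{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}", "{{ include "spire-agent.socket-path" . | dir }}"]`. The guard only checks `fsGroup`, while the command also expands `runAsUser`; if that key is unset the owner half of `user:group` renders empty as far as I can tell, which `chown` treats as a group-only change, so either say so in a comment or add a matching `dig "runAsUser" 0` test. Since this container runs as uid 0, its `securityContext` should also drop every capability except what the chown needs, e.g. `capabilities: {drop: [ALL], add: [CHOWN, DAC_OVERRIDE]}`, verified against the socket directory's host permissions.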
@@ -109,6 +109,23 @@ waitForIt:
 tag: latest-20230517
 resources: {}
+# When running as non root, needed to ensure the socket path has the correct permissions.
+# Set runAsUser to a non-zero value in podSecurityContext to run as non-root user.
+fsGroupFix:
+ image:
+ # -- The OCI registry to pull the image from
+ registry: cgr.dev
+ # -- The repository within the registry
+ repository: chainguard/bash
+ # -- The image pull policy
+ pullPolicy: Always
+ # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+ version: ""
+ # -- Overrides the image tag
+ tag: latest-20230517
+ # -- Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources: {}
+
 # workloadAttestors determine a workload's properties and then generate a set of selectors associated with it.
 workloadAttestors:
 # unix is a workload attestor which generates unix-based selectors like 'uid' and 'gid'.
diff --git a/examples/production/values.yaml b/examples/production/values.yaml
index 683666a6d..4ddb95b6f 100644
--- a/examples/production/values.yaml
+++ b/examples/production/values.yaml
@@ -54,6 +54,18 @@ spire-agent:
 server:
 namespaceOverride: spire-server
 priorityClassName: system-node-critical
+ podSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: [ALL]
+ seccompProfile:
+ type: RuntimeDefault
 logLevel: info
From c11a8c00e745ba16b8a41f614aaa8cb9d5d028e9 Mon Sep 17 00:00:00 2001
From: Marco Franssen Date: Sat, 17 Jun 2023 15:06:27 +0200 Subject: [PATCH 30/33] Implement pre-delete hook for graceful delete of spiffe-oidc-discovery-provider (#353) --- charts/spire/README.md | 5 ++ .../spiffe-oidc-discovery-provider/README.md | 5 ++ .../templates/_helpers.tpl | 1 - .../templates/pre-delete-hook.yaml | 71 +++++++++++++++++++ .../values.yaml | 14 ++++ .../spire-server/templates/_helpers.tpl | 9 --- .../templates/post-install-hook.yaml | 2 +- .../templates/post-upgrade-hook.yaml | 4 +- .../templates/pre-upgrade-hook.yaml | 2 +- charts/spire/templates/_spire-lib.tpl | 9 +++ 10 files changed, 108 insertions(+), 14 deletions(-) create mode 100644 charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml diff --git a/charts/spire/README.md b/charts/spire/README.md index 0f4a12cd8..d4a57597f 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -219,6 +219,11 @@ Now you can interact with the Spire agent socket from your own application. The | spiffe-oidc-discovery-provider.telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spiffe-oidc-discovery-provider | | spiffe-oidc-discovery-provider.telemetry.prometheus.port | int | `9988` | | | spiffe-oidc-discovery-provider.tolerations | list | `[]` | | +| spiffe-oidc-discovery-provider.tools.kubectl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | +| spiffe-oidc-discovery-provider.tools.kubectl.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | +| spiffe-oidc-discovery-provider.tools.kubectl.image.repository | string | `"rancher/kubectl"` | The repository within the registry | +| spiffe-oidc-discovery-provider.tools.kubectl.image.tag | string | `""` | Overrides the image tag | +| spiffe-oidc-discovery-provider.tools.kubectl.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spiffe-oidc-discovery-provider.trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers | | spire-agent.bundleConfigMap | string | `"spire-bundle"` | | | spire-agent.clusterName | string | `"example-cluster"` | | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 7b608e9b1..dd1e23d6a 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -96,6 +96,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spiffe-oidc-discovery-provider | | telemetry.prometheus.port | int | `9988` | | | tolerations | list | `[]` | | +| tools.kubectl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | +| tools.kubectl.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | +| tools.kubectl.image.repository | string | `"rancher/kubectl"` | The repository within the registry | +| tools.kubectl.image.tag | string | `""` | Overrides the image tag | +| tools.kubectl.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers | ---------------------------------------------- diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl index 72b90773c..70d6de2f7 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl @@ -85,4 +85,3 @@ Create the name of the service account to use {{- define "spiffe-oidc-discovery-provider.workload-api-socket-path" -}} {{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }} {{- end }} - diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml new file mode 100644 index 000000000..6b2af6960 --- /dev/null +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml 
@@ -0,0 +1,71 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}-pre-delete
+ namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }}
+ labels:
+ {{- include "spiffe-oidc-discovery-provider.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}-pre-delete
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+rules:
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ resourceNames: [{{ include "spiffe-oidc-discovery-provider.fullname" . | quote }}]
+ verbs: ["get", "delete"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}-pre-delete
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}-pre-delete
+ namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }}
+roleRef:
+ kind: Role
+ name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}-pre-delete
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}-pre-delete
+ namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }}
+ labels:
+ {{- include "spiffe-oidc-discovery-provider.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
+spec:
+ template:
+ metadata:
+ name: {{ include "spiffe-oidc-discovery-provider.fullname" . 
}}-pre-delete
+ spec:
+ restartPolicy: Never
+ serviceAccountName: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}-pre-delete
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: pre-delete-job
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
+ args:
+ - delete
+ - -n
+ - {{ include "spiffe-oidc-discovery-provider.namespace" . }}
+ - deployment
+ - {{ include "spiffe-oidc-discovery-provider.fullname" . }}
+ - --wait
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
index 90c555a2a..5b9fa08f8 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
@@ -215,3 +215,17 @@ tests:
version: "" # -- Overrides the image tag tag: 5.2.15
+
+tools:
+ kubectl:
+ image:
+ # -- The OCI registry to pull the image from
+ registry: docker.io
+ # -- The repository within the registry
+ repository: rancher/kubectl
+ # -- The image pull policy
+ pullPolicy: IfNotPresent
+ # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+ version: ""
+ # -- Overrides the image tag
+ tag: ""
diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl
index af1e65277..7df362661 100644
--- a/charts/spire/charts/spire-server/templates/_helpers.tpl
+++ b/charts/spire/charts/spire-server/templates/_helpers.tpl
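Review bot: The `Role` and `RoleBinding` in the new pre-delete-hook.yaml set no `metadata.namespace`, while the `ServiceAccount` and `Job` are placed in `{{ include "spiffe-oidc-discovery-provider.namespace" . }}`; whenever that helper resolves to something other than the release namespace, the binding lands in the wrong namespace and the hook's `kubectl delete -n … deployment …` is denied. Adding `namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }}` to both `metadata` blocks (plus the `labels` include the other two objects carry) keeps the grant in the namespace the Job actually targets. The rule itself is well scoped — a single `resourceNames` entry with `get` and `delete` only — which is the right least-privilege shape for a hook running a third-party kubectl image. Note also that the `hook-failed` delete policy removes the Job on failure, so the reason a delete hung or was refused cannot be read from its pod logs afterwards.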
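Review bot: `tag: ""` is documented only as "Overrides the image tag", but with an empty tag the `spire-lib.kubectl-image` helper added in this same commit derives the tag from the cluster's Kubernetes version, so the kubectl image that runs in the pre-delete hook is chosen at install time from `.Capabilities.KubeVersion` rather than by the chart. The comment should say so: `# -- Overrides the image tag. When empty, the tag is derived from the Kubernetes version of the target cluster.` Because the image is `docker.io/rancher/kubectl` with `pullPolicy: IfNotPresent` and no digest, operators who need a reproducible hook image have to set this value explicitly; the chart README would benefit from the same sentence.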
@@ -105,15 +105,6 @@ Create the name of the service account to use {{- end }} {{- end }} -{{- define "spire-server.kubectl-image" }} -{{- $root := deepCopy . }} -{{- $tag := (default $root.image.tag $root.image.version) | toString }} -{{- if eq (len $tag) 0 }} -{{- $_ := set $root.image "tag" (regexReplaceAll "^(v?\\d+\\.\\d+\\.\\d+).*" $root.KubeVersion "${1}") }} -{{- end }} -{{- include "spire-lib.image" $root }} -{{- end }} - {{- define "spire-server.config-mysql-query" }} {{- $lst := list }} {{- range . }} diff --git a/charts/spire/charts/spire-server/templates/post-install-hook.yaml b/charts/spire/charts/spire-server/templates/post-install-hook.yaml index 98d6ac91b..14e5b9977 100644 --- a/charts/spire/charts/spire-server/templates/post-install-hook.yaml +++ b/charts/spire/charts/spire-server/templates/post-install-hook.yaml @@ -63,7 +63,7 @@ spec: - name: post-install-job securityContext: {{- toYaml .Values.securityContext | nindent 10 }} - image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} + image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - patch - validatingwebhookconfiguration diff --git a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml index b179be45d..628ee8de2 100644 --- a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml +++ b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml 
@@ -56,14 +56,14 @@ spec: name: {{ include "spire-server.fullname" . }}-post-upgrade spec: restartPolicy: Never - serviceAccountName: {{ include "spire-server.serviceAccountName" . }}-post-upgrade + serviceAccountName: {{ include "spire-server.serviceAccountName" . }}-post-upgrade securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: post-upgrade-job securityContext: {{- toYaml .Values.securityContext | nindent 10 }} - image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} + image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - patch - validatingwebhookconfiguration diff --git a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml index 54f9ae06b..f96250e2b 100644 --- a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml +++ b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml @@ -63,7 +63,7 @@ spec: - name: post-install-job securityContext: {{- toYaml .Values.securityContext | nindent 10 }} - image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} + image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - patch - validatingwebhookconfiguration diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl index 7fca6ef07..108412539 100644 --- a/charts/spire/templates/_spire-lib.tpl +++ b/charts/spire/templates/_spire-lib.tpl 
@@ -90,3 +90,12 @@ rules: {{- end }} {{- end }} {{- end }} + +{{- define "spire-lib.kubectl-image" }} +{{- $root := deepCopy . }} +{{- $tag := (default $root.image.tag $root.image.version) | toString }} +{{- if eq (len $tag) 0 }} +{{- $_ := set $root.image "tag" (regexReplaceAll "^(v?\\d+\\.\\d+\\.\\d+).*" $root.KubeVersion "${1}") }} +{{- end }} +{{- include "spire-lib.image" $root }} +{{- end }} From af36f7c09b77c982624c9049f18cc2008a9bca23 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Mon, 19 Jun 2023 20:28:35 +0200 Subject: [PATCH 31/33] Align the bash image version with other instances for spire-agent (#356) Signed-off-by: Marco Franssen Signed-off-by: Marco Franssen --- charts/spire/README.md | 2 +- charts/spire/charts/spire-agent/README.md | 2 +- charts/spire/charts/spire-agent/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index d4a57597f..55dec7f00 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -234,7 +234,7 @@ Now you can interact with the Spire agent socket from your own application. The | spire-agent.fsGroupFix.image.pullPolicy | string | `"Always"` | The image pull policy | | spire-agent.fsGroupFix.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from | | spire-agent.fsGroupFix.image.repository | string | `"chainguard/bash"` | The repository within the registry | -| spire-agent.fsGroupFix.image.tag | string | `"latest-20230517"` | Overrides the image tag | +| spire-agent.fsGroupFix.image.tag | string | `"5.2.15"` | Overrides the image tag | | spire-agent.fsGroupFix.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spire-agent.fsGroupFix.resources | object | `{}` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | | spire-agent.fullnameOverride | string | `""` | | 
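Review bot: The new `spire-lib.kubectl-image` define has no comment, and its fallback order is not obvious from the code: `default $root.image.tag $root.image.version` lets a non-empty deprecated `version` win over `tag`, and an empty result is replaced by `KubeVersion` with everything after `major.minor.patch` stripped by `regexReplaceAll`. A header such as `{{/* Resolve the kubectl image for hook jobs: image.version (deprecated) takes precedence over image.tag, and an empty tag falls back to the target cluster's Kubernetes version truncated to v?X.Y.Z. */}}` would document that contract. If `KubeVersion` ever fails to match the pattern, `regexReplaceAll` hands back the input unchanged, so the raw version string, build suffix included, becomes the image tag and the hook fails with an image pull error rather than a clear message; a `fail` when the substitution produced no change would surface that earlier. The body is moved verbatim from the deleted `spire-server.kubectl-image`, so behaviour is unchanged and only shared across subcharts.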
diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 27d8994ef..63da2b584 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -38,7 +38,7 @@ A Helm chart to install the SPIRE agent. | fsGroupFix.image.pullPolicy | string | `"Always"` | The image pull policy | | fsGroupFix.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from | | fsGroupFix.image.repository | string | `"chainguard/bash"` | The repository within the registry | -| fsGroupFix.image.tag | string | `"latest-20230517"` | Overrides the image tag | +| fsGroupFix.image.tag | string | `"5.2.15"` | Overrides the image tag | | fsGroupFix.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | fsGroupFix.resources | object | `{}` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | | fullnameOverride | string | `""` | | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 932e4ff5e..0d6f913db 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -122,7 +122,7 @@ fsGroupFix: # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" # -- Overrides the image tag - tag: latest-20230517 + tag: 5.2.15 # -- Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} From 57a93205a704c876e439cb3fbcd0a0b5c32a4652 Mon Sep 17 00:00:00 2001 From: Faisal Memon Date: Mon, 19 Jun 2023 11:29:17 -0700 Subject: [PATCH 32/33] Add SPIRE 1.7.0 to main readme (#357) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e14c7a5c4..6ccbade74 100644 --- a/README.md +++ b/README.md 
@@ -21,7 +21,7 @@ Unless otherwise noted in an application chart README, the following dependencie | Dependency | Supported Versions | |:-----------|:-------------------| -| SPIRE | `1.5.3`+, `1.6.x` | +| SPIRE | `1.6.x`, `1.7.x` | | Helm | `3.x` | | Kubernetes | `1.22+` | From 44f35547086152acaab3226c1dca96d617237cb1 Mon Sep 17 00:00:00 2001 
From: Marco Franssen Date: Mon, 19 Jun 2023 22:46:16 +0200 Subject: [PATCH 33/33] Bump spire Helm Chart version from 0.8.1 to 0.9.0 * 57a9320 Add SPIRE 1.7.0 to main readme (#357) * af36f7c Align the bash image version with other instances for spire-agent (#356) * c11a8c0 Implement pre-delete hook for graceful delete of spiffe-oidc-discovery-provider (#353) * a6dcf26 Allow for SPIRE Agent to run as non root user (#209) * 9cf6049 Allow contributors to run linting easily on local * e88f7f6 Add configmap annotation to spire-bundle configmap (#351) * 020bde8 Add support to create a issuer and CA via cert-manager (#342) * 9d504de Ignore .DS_Store files * e6b608c Bump spire images to 1.7.0 (#348) * c97a788 Fix bundle role/rolebinding naming conflict (#333) * b66077e Bump peter-evans/create-pull-request from 5.0.1 to 5.0.2 (#349) * d0da864 Add missing metadata to subcharts (#347) * 4c0a1d5 Allow overriding test images (#186) * 250fd5d Add missing global values to charts (#311) * 5d8c907 Dropping k8s versions in CI older than 3, as per readme (#344) * 8748933 Update upstream-ca-secret.yaml (#341) * 4e07450 Fix ingress annotations for federation (#337) * ea09199 Bump actions/checkout from 3.5.0 to 3.5.3 * 87fe198 Merge pull request #331 from edwbuck/key_conventions * ddc0166 Fix line wrapping. * 0cae9ce Update project/conventions.md * cb18255 Update project/conventions.md * 52e5c24 Upgrade Tornjak to image v1.2.2 (#328) * 28e2abf Choose a different example for dotted Acronyms. * d60d68c Added accidentally clipped explicit name guidelines. * abe9fde Merge branch 'main' into key_conventions * f6a7b62 Update project/conventions.md * c4d19db Update project/conventions.md * cfa9f78 Bump test chart dependencies (#332) * c3213ab Initial submission of Helm Chart key naming conventions. * 28c0824 Bump test chart dependencies (#322) * d333154 Add Makefile for local testing (#327) * 9fa1ec2 Improve Tornjak backend test (#321) * 5b779dc Improve Tornjak frontend test (#320) 
Signed-off-by: Marco Franssen --- charts/spire/Chart.yaml | 2 +- charts/spire/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 6d0a84f58..44a5a8c8c 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -3,7 +3,7 @@ name: spire description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.8.1 +version: 0.9.0 appVersion: "1.7.0" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire diff --git a/charts/spire/README.md b/charts/spire/README.md index 55dec7f00..1dc8d5365 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -2,7 +2,7 @@ -![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.0](https://img.shields.io/badge/AppVersion-1.7.0-informational?style=flat-square) +![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.0](https://img.shields.io/badge/AppVersion-1.7.0-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.