Generally looking pretty good now. Thanks for working on this. Some questions/issues inline.
charts/spire/charts/spiffe-oidc-discovery-provider/templates/roles-test.yaml
charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml
Here's something that seems to work as a base. I've asked for the ability for spire-agent to write to a file directly, so we wouldn't need the busybox thing.
Is there a reason to run as root? I would think the pod's identity should work regardless of which user it's using? Thinking this will break on the production example.
Hope not, using some big UIDs and giving the tests a whirl.
Marking draft as there has been ongoing active development for a while. When you're ready for more review, please hit the "Ready for review" button.
I'm not following how running these test pods as non-root will break spire-agent. These restrictive settings will indeed make them run in all environments, including the production example.
On August 15, 2023, Anthony Sottile ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
<#423 (comment)>:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 10001
+ runAsGroup: 10001
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
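Review bot: `runAsUser: 10001` and `runAsGroup: 10001` are pinned as literals in this securityContext even though `runAsNonRoot: true` is already set; consider exposing the UID/GID as a chart value (or leaving them unset) so the test pod can run under whatever non-root UID the image or the cluster's pod security policy assigns, which also avoids a start-up or file-read failure when the image's files are owned by a different UID. The `seccompProfile: RuntimeDefault` and `capabilities.drop: [ALL]` defaults are right; `readOnlyRootFilesystem: true` is the one common hardening field not in this hunk and is worth adding if the test does not need a writable root filesystem.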
The recommended production setup includes examples/production/values.yaml. You gotta use all those settings or it will break. Having the values here just gives a false sense that it will work without it, which it won't. The CSI driver will break, the spire-agent will break, etc. Moving the settings there makes sure it either all works together or not at all.

In another issue/PR, we can look at merging everything in examples/production/values.yaml into the chart proper, but that's a much bigger issue/PR than belongs here.
Signed-off-by: Drew Wells <dwells@infoblox.com>
@kfox1111 Those SHA tags are failing, where did you get those?
I was pretty sure I test pulled it. Sorry. You can get the newest with:
So, this looks to be the newest:
A few nitpicks and suggestions, as well as some questions.
charts/spire/charts/spiffe-oidc-discovery-provider/files/test/jwt-decode.sh
charts/spire/charts/spiffe-oidc-discovery-provider/templates/test-config.yaml
charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml
Signed-off-by: Drew Wells <drew.wells00@gmail.com>
Signed-off-by: Drew Wells <dwells@infoblox.com>
charts/spire/charts/spiffe-oidc-discovery-provider/files/test/jwt-decode.sh
Signed-off-by: Drew Wells <dwells@infoblox.com>
I think I figured out why the tests are failing. Mentioned inline. A couple of files that don't need changing anymore are left and then I'm good with approving this. It's working well :)
charts/spire/charts/spiffe-oidc-discovery-provider/templates/serviceaccount.yaml
charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml
Co-authored-by: kfox1111 <Kevin.Fox@pnnl.gov>
Signed-off-by: Drew Wells <drew.wells00@gmail.com>
LGTM! Thanks! :)
LGTM 🚀
* 38f0af4 Add support for Vault UpstreamAuthority plugin - K8s Auth (#415)
* 1aac2d4 Bump docker/login-action from 2 to 3
* 1f90867 Allow configuration of priorityClassName on spire-server statefulset (#480)
* 9ad2ed5 option to configure agent sds (#479)
* 693ce08 Remove ## values section from chart readmes
* 65d5695 Migrate to readme-generator for helm maintained by bitnami (#431)
* dcc60a2 fix(charts/spire/spire-agent): podmonitor templating (#478)
* 48adb88 Bump actions/checkout from 3.6.0 to 4.0.0
* d1f52d6 Bump sigstore/cosign-installer from 3.1.1 to 3.1.2 (#473)
* 5273f4e Switch mysql and postgresql tests to HA Production configs (#471)
* e81a59a ingress-nginx production tests and spiffe-oidc-discovery-provider example (#136)
* b05175e Bump actions/checkout from 3.5.3 to 3.6.0
* 51cba5b Add customPlugins and unsupportedBuiltInPlugins sections to spire-server (#198)
* f4ee2c2 Bump github.com/onsi/ginkgo/v2 from 2.11.0 to 2.12.0 in /tests (#468)
* c817dd2 support datastore password secret created by external resources (#464)
* 71ac5af Split steps in check-versions wf for easier debugging (#467)
* d91403a Scan for updates to new images (#466)
* 7a5456e Bump helm.sh/helm/v3 from 3.11.3 to 3.12.3 in /tests (#462)
* cbe0001 Federation test (#423)

Signed-off-by: Marco Franssen <marco.franssen@gmail.com>
The Helm tests are very limited. This test will pull the federation keys and verify a minted JWT with them.
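What the description above says the test does, pull the federation keys (a JWKS document) and verify a minted JWT against them, as an added stand-alone example. This is not the chart's own jwt-decode.sh and not SPIRE code; it assumes ES256, which matches SPIRE's default ec-p256 JWT key type, uses a constructed private key and constructed claims in place of the JWKS served by the discovery provider and the JWT-SVID minted by spire-agent, and the names make_jwks, mint_jwt and verify_jwt are the example's own:

```python
# Added example, not the chart's jwt-decode.sh or SPIRE code: ES256 JWT verification
# against a JWKS document using only the Python standard library, so it runs offline.
import base64
import hashlib
import json
import secrets
import time

# NIST P-256 domain parameters (standard constants); the curve coefficient a is -3.
_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
      0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % _P == 0:
        return None
    if p == q:
        lam = (3 * p[0] * p[0] - 3) * pow(2 * p[1], -1, _P) % _P
    else:
        lam = (q[1] - p[1]) * pow((q[0] - p[0]) % _P, -1, _P) % _P
    x = (lam * lam - p[0] - q[0]) % _P
    return (x, (lam * (p[0] - x) - p[1]) % _P)

def _mul(k, p):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, p)
        p = _add(p, p)
        k >>= 1
    return acc

def _b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64u(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwks(d, kid):
    """JWKS document, as the OIDC discovery provider would serve it, for private key d."""
    qx, qy = _mul(d, _G)
    return {"keys": [{"kty": "EC", "crv": "P-256", "use": "sig", "kid": kid,
                      "x": _b64u(qx.to_bytes(32, "big")), "y": _b64u(qy.to_bytes(32, "big"))}]}

def mint_jwt(d, kid, claims):
    """Sign claims as an ES256 JWT; stands in for the JWT-SVID spire-agent mints."""
    header = _b64u(json.dumps({"alg": "ES256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64u(json.dumps(claims).encode())
    z = int.from_bytes(hashlib.sha256(f"{header}.{payload}".encode()).digest(), "big")
    while True:
        k = secrets.randbelow(_N - 1) + 1  # fresh per-signature nonce
        r = _mul(k, _G)[0] % _N
        s = pow(k, -1, _N) * (z + r * d) % _N
        if r and s:
            break
    sig = r.to_bytes(32, "big") + s.to_bytes(32, "big")  # JWS encodes ES256 as raw r||s
    return f"{header}.{payload}.{_b64u(sig)}"

def verify_jwt(token, jwks, audience, now=None):
    """Return the claims if signature, audience and expiry all pass, else None."""
    try:
        h, p, sig = token.split(".")
        header, claims, raw = json.loads(_unb64u(h)), json.loads(_unb64u(p)), _unb64u(sig)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Key chosen by kid from the fetched JWKS, algorithm pinned: neither is trusted from the token.
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")
                and k.get("kty") == "EC" and k.get("crv") == "P-256"), None)
    if key is None or header.get("alg") != "ES256" or len(raw) != 64:
        return None
    q = (int.from_bytes(_unb64u(key["x"]), "big"), int.from_bytes(_unb64u(key["y"]), "big"))
    r, s = int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")
    if (q[1] * q[1] - q[0] ** 3 + 3 * q[0] - _B) % _P or not (0 < r < _N and 0 < s < _N):
        return None  # public key not on the curve, or r/s out of range
    z = int.from_bytes(hashlib.sha256(f"{h}.{p}".encode()).digest(), "big")
    w = pow(s, -1, _N)
    pt = _add(_mul(z * w % _N, _G), _mul(r * w % _N, q))
    if pt is None or pt[0] % _N != r:
        return None
    aud = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if audience not in aud or claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims

if __name__ == "__main__":
    # Constructed key and claims; the Helm test fetches the JWKS over HTTP instead.
    d = secrets.randbelow(_N - 1) + 1
    claims = {"sub": "spiffe://example.org/workload", "aud": ["oidc-test"], "exp": int(time.time()) + 300}
    print(verify_jwt(mint_jwt(d, "kid-1", claims), make_jwks(d, "kid-1"), "oidc-test"))
```

Three checks matter for the federation case and are easy to get wrong: the verifying key is selected by `kid` from the fetched document rather than taken from the token, the algorithm is pinned rather than read from the header, and audience and expiry are enforced only after the signature passes. The hand-rolled P-256 arithmetic is there only so the block runs offline; the chart's test script does the equivalent against the JWKS the discovery provider serves.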