Merge branch 'main' into release

.github/tests/charts.json

@@ -2,26 +2,26 @@
  {
  "name": "kube-prometheus-stack",
  "repo": "https://prometheus-community.github.io/helm-charts",
- "version": "57.2.0"
+ "version": "58.7.2"
  },
  {
  "name": "cert-manager",
  "repo": "https://charts.jetstack.io",
- "version": "v1.14.4"
+ "version": "v1.14.5"
  },
  {
  "name": "ingress-nginx",
  "repo": "https://kubernetes.github.io/ingress-nginx",
- "version": "4.10.0"
+ "version": "4.10.1"
  },
  {
  "name": "mysql",
  "repo": "https://charts.bitnami.com/bitnami",
- "version": "10.1.0"
+ "version": "11.0.0"
  },
  {
  "name": "postgresql",
  "repo": "https://charts.bitnami.com/bitnami",
- "version": "15.1.4"
+ "version": "15.4.0"
  }
 ]

.github/tests/common.sh

@@ -21,7 +21,7 @@ $(kubectl --request-timeout=30s describe pods --namespace "$1")
 #### Logs
 
 \`\`\`shell
-$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --all-containers=true --ignore-errors=true; done)
+$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --prefix --all-containers=true --ignore-errors=true; done)
 $( ([[ -n "$2" ]] && kubectl get pods -o name -n "$2") | while read -r line; do echo logs for "${line}"; kubectl logs -n "$2" "${line}" --all-containers=true --ignore-errors=true; done)
 \`\`\`
 

.github/workflows/helm-chart-ci.yaml

@@ -249,7 +249,7 @@ jobs:
 
  - name: Install and test example
  run: |
- if [ "${{ matrix.example }}" = "examples/federation" ]; then
+ if [ "${{ matrix.example }}" = "examples/federation" -o "${{ matrix.example }}" = "examples/nested-full" -o "${{ matrix.example }}" = "examples/nested-security" ]; then
  kubectl create namespace spire-mgmt
  helm install -n spire-mgmt spire-crds charts/spire-crds
  else
@@ -300,8 +300,7 @@ jobs:
 
  - name: Install and test integration
  run: |
- kubectl create namespace spire-server
- helm install -n spire-server spire-crds charts/spire-crds
+ helm install --create-namespace -n spire-mgmt spire-crds charts/spire-crds
  ${{ matrix.integrationtest }}/run-tests.sh
 
  upgrade-test:

charts/spire-nested/.helmignore

@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+ci/

charts/spire-nested/Chart.yaml

@@ -0,0 +1,116 @@
+apiVersion: v2
+name: spire-nested
+description: >
+ A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
+type: application
+version: 0.20.0
+appVersion: "1.9.6"
+keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
+home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
+sources:
+ - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
+icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
+maintainers:
+ - name: marcofranssen
+ email: [email protected]
+ url: https://marcofranssen.nl
+ - name: kfox1111
+ email: [email protected]
+ - name: faisal-memon
+ email: [email protected]
+kubeVersion: ">=1.21.0-0"
+dependencies:
+ - name: spire-lib
+ repository: file://../spire/charts/spire-lib
+ version: 0.1.0
+ - name: spire-server
+ alias: root-spire-server
+ condition: root-spire-server.enabled
+ tags:
+ - nestedRoot
+ repository: file://../spire/charts/spire-server
+ version: 0.1.0
+ - name: spire-server
+ alias: external-root-spire-server-full
+ condition: external-root-spire-server-full.enabled
+ tags:
+ - nestedChildFull
+ repository: file://../spire/charts/spire-server
+ version: 0.1.0
+ - name: spire-server
+ alias: external-root-spire-server-security
+ condition: external-root-spire-server-security.enabled
+ tags:
+ - nestedChildSecurity
+ repository: file://../spire/charts/spire-server
+ version: 0.1.0
+ - name: spire-server
+ alias: internal-spire-server
+ condition: internal-spire-server.enabled
+ tags:
+ - nestedRoot
+ - nestedChildFull
+ repository: file://../spire/charts/spire-server
+ version: 0.1.0
+ - name: spire-server
+ alias: external-spire-server
+ condition: external-spire-server.enabled
+ tags:
+ - nestedRoot
+ repository: file://../spire/charts/spire-server
+ version: 0.1.0
+ - name: spire-agent
+ alias: downstream-spire-agent-full
+ condition: downstream-spire-agent-full.enabled
+ tags:
+ - nestedRoot
+ - nestedChildFull
+ repository: file://../spire/charts/spire-agent
+ version: 0.1.0
+ - name: spire-agent
+ alias: downstream-spire-agent-security
+ condition: downstream-spire-agent-security.enabled
+ tags:
+ - nestedChildSecurity
+ repository: file://../spire/charts/spire-agent
+ version: 0.1.0
+ - name: spire-agent
+ alias: upstream-spire-agent
+ condition: upstream-spire-agent.enabled
+ tags:
+ - nestedRoot
+ - nestedChildFull
+ repository: file://../spire/charts/spire-agent
+ version: 0.1.0
+ - name: spiffe-csi-driver
+ alias: downstream-spiffe-csi-driver
+ condition: downstream-spiffe-csi-driver.enabled
+ tags:
+ - nestedRoot
+ - nestedChildFull
+ - nestedChildSecurity
+ repository: file://../spire/charts/spiffe-csi-driver
+ version: 0.1.0
+ - name: spiffe-csi-driver
+ alias: upstream-spiffe-csi-driver
+ condition: upstream-spiffe-csi-driver.enabled
+ tags:
+ - nestedRoot
+ - nestedChildFull
+ repository: file://../spire/charts/spiffe-csi-driver
+ version: 0.1.0
+ - name: spiffe-oidc-discovery-provider
+ condition: spiffe-oidc-discovery-provider.enabled
+ tags:
+ - nestedRoot
+ - nestedChildFull
+ - nestedChildSecurity
+ repository: file://../spire/charts/spiffe-oidc-discovery-provider
+ version: 0.1.0
+ - name: tornjak-frontend
+ condition: tornjak-frontend.enabled
+ repository: file://../spire/charts/tornjak-frontend
+ version: 0.1.0
+annotations:
+ artifacthub.io/category: security
+ artifacthub.io/license: Apache-2.0