Merge branch 'main' into release

.github/tests/charts.json

@@ -2,12 +2,12 @@
  {
  "name": "kube-prometheus-stack",
  "repo": "https://prometheus-community.github.io/helm-charts",
- "version": "56.20.0"
+ "version": "57.0.3"
  },
  {
  "name": "cert-manager",
  "repo": "https://charts.jetstack.io",
- "version": "v1.14.3"
+ "version": "v1.14.4"
  },
  {
  "name": "ingress-nginx",
@@ -17,11 +17,11 @@
  {
  "name": "mysql",
  "repo": "https://charts.bitnami.com/bitnami",
- "version": "9.22.0"
+ "version": "9.23.0"
  },
  {
  "name": "postgresql",
  "repo": "https://charts.bitnami.com/bitnami",
- "version": "14.2.3"
+ "version": "14.3.3"
  }
 ]

.github/tests/common.sh

@@ -70,3 +70,23 @@ $(helm ls -A | sed 's/\t/ | /g' | sed 's/^/| /' | sed 's/$/ |/' | sed '/^| NAME.
 
 EOF
 }
+
+# Used just for testing. You should provide your own values as described in the install instructions.
+common_test_your_values () {
+cat > /tmp/$$.example-your-values.yaml <<EOF
+global:
+ spire:
+ recommendations:
+ enabled: true
+ clusterName: production
+ trustDomain: production.other
+ caSubject:
+ country: US
+ organization: Production
+ commonName: production.other
+EOF
+echo "/tmp/$$.example-your-values.yaml"
+}
+
+COMMON_TEST_YOUR_VALUES="$(common_test_your_values)"
+export COMMON_TEST_YOUR_VALUES

.github/workflows/check-versions.yaml

@@ -59,11 +59,18 @@ jobs:
  ./.github/scripts/update-tags.sh
  git diff
 
+ - name: Generate Token
+ uses: tibdex/[email protected]
+ id: generate-token
+ with:
+ app_id: ${{ vars.APP_ID }}
+ private_key: ${{ secrets.APP_PRIVATE_KEY }}
+
  - name: Create Pull Request
  id: cpr
- uses: peter-evans/[email protected].1
+ uses: peter-evans/[email protected].2
  with:
- token: ${{ secrets.GITHUB_TOKEN }}
+ token: ${{ steps.generate-token.outputs.token }}
  title: Bump test chart dependencies
  branch: bump-test-chart-deps
  commit-message: Bump test chart dependencies

.github/workflows/helm-chart-ci.yaml

@@ -343,4 +343,4 @@ jobs:
  verbosity: 1
 
  - name: Install and test example
- run: examples/production/run-tests.sh -u
+ run: tests/integration/production/run-tests.sh -u

.github/workflows/helm-release.yaml

@@ -44,7 +44,7 @@ jobs:
  CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
 
  - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@v3.1.0
  with:
  registry: ghcr.io
  username: ${{ github.actor }}

.github/workflows/update-devcontainer-image.yaml

@@ -31,7 +31,7 @@ jobs:
  - name: Install regctl
  uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
  - name: Log in to GHCR
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
  with:
  registry: ghcr.io
  username: ${{ github.actor }}

charts/spire/Chart.yaml

@@ -3,7 +3,7 @@ name: spire
 description: >
  A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.18.2
+version: 0.19.0
 appVersion: "1.9.1"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire

charts/spire/README.md

@@ -1,6 +1,6 @@
 # spire
 
-![Version: 0.18.2](https://img.shields.io/badge/Version-0.18.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.1](https://img.shields.io/badge/AppVersion-1.9.1-informational?style=flat-square)
+![Version: 0.19.0](https://img.shields.io/badge/Version-0.19.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.1](https://img.shields.io/badge/AppVersion-1.9.1-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@@ -75,7 +75,11 @@ kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeid
 
 We only support upgrading one major version at a time. Version skipping isn't supported.
 
-### 0.18.x
+### 0.19.X
+
+- The spire-agent daemonset gained a new label. For those disabling the upgrade hooks, you need to delete the spire-agent daemonset before issuing the helm upgrade.
+
+### 0.18.X
 
 - SPIRE no longer emits x509UniqueIdentifiers in x509-SVIDS by default. The old behavior can be reenabled with spire-server.credentialComposer.uniqueID.enabled=true. See https://github.com/spiffe/spire/pull/4862 for details.
 - SPIRE agents will now automatically reattest when they can. The old behavior can be reenabled with spire-agent.disableReattestToRenew=true. See https://github.com/spiffe/spire/pull/4791 for details.

charts/spire/charts/spiffe-oidc-discovery-provider/README.md

@@ -115,11 +115,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
 | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:81f0b434b297453ff101de0b5f4f5cd8d4af1c015a1d34162e9ae9a4a9f38669` |
+| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d69268f206bc7914c25f7377309a73406517678458ebccec0e6bfab7b9b7e9d2` |
 | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` |
 | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:606810cf1076a226dfb85fa4102ee0ed2d8e2b7c7a8a2a53f9788c65501ecca8` |
+| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:faaccf708167925bbbf1dbfcbaf6ab733a170074bce7901542a0c38b87838842` |
 | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` |
 | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` |
 | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` |

charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml

@@ -328,7 +328,7 @@ tests:
  registry: cgr.dev
  repository: chainguard/bash
  pullPolicy: IfNotPresent
- tag: latest@sha256:81f0b434b297453ff101de0b5f4f5cd8d4af1c015a1d34162e9ae9a4a9f38669
+ tag: latest@sha256:d69268f206bc7914c25f7377309a73406517678458ebccec0e6bfab7b9b7e9d2
 
  toolkit:
  ## @param tests.toolkit.image.registry The OCI registry to pull the image from
@@ -340,7 +340,7 @@ tests:
  registry: cgr.dev
  repository: chainguard/slim-toolkit-debug
  pullPolicy: IfNotPresent
- tag: latest@sha256:606810cf1076a226dfb85fa4102ee0ed2d8e2b7c7a8a2a53f9788c65501ecca8
+ tag: latest@sha256:faaccf708167925bbbf1dbfcbaf6ab733a170074bce7901542a0c38b87838842
 
  step:
  ## @param tests.step.image.registry The OCI registry to pull the image from