From 8422b8d141d799a995da06fb1f17046f9c7847aa Mon Sep 17 00:00:00 2001 From: Andrew Block Date: Fri, 1 Dec 2023 09:42:27 -0600 Subject: [PATCH 01/64] Added ability to create namespaces (#103) * Added ability to create namespaces Signed-off-by: Andrew Block * Add openshift labels Signed-off-by: Mariusz Sabath --------- Signed-off-by: Andrew Block Signed-off-by: Mariusz Sabath Co-authored-by: Mariusz Sabath Co-authored-by: kfox1111 --- charts/spire/README.md | 34 ++++++++++++------- .../templates/spire-server-namespace.yaml | 14 ++++++++ .../templates/spire-system-namespace.yaml | 14 ++++++++ charts/spire/values.yaml | 21 ++++++++++++ examples/openshift/openshift-values.yaml | 14 ++++++++ 5 files changed, 84 insertions(+), 13 deletions(-) create mode 100644 charts/spire/templates/spire-server-namespace.yaml create mode 100644 charts/spire/templates/spire-system-namespace.yaml diff --git a/charts/spire/README.md b/charts/spire/README.md index b079db7bf..a63b267ca 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -150,19 +150,27 @@ Now you can interact with the Spire agent socket from your own application. The ### Global parameters -| Name | Description | Value | -| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | -| `global.k8s.clusterDomain` | Cluster domain name configured for Spire install | `cluster.local` | -| `global.spire.bundleConfigMap` | A configmap containing the Spire bundle | `""` | -| `global.spire.clusterName` | The name of the k8s cluster for Spire install | `example-cluster` | -| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset | `""` | -| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` | -| `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` | -| `global.spire.image.registry` | Override all Spire image registries at once | `""` | -| `global.spire.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `false` | -| `global.spire.ingressControllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. 
| `""` | -| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | -| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` | +| Name | Description | Value | +| -------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | +| `global.k8s.clusterDomain` | Cluster domain name configured for Spire install | `cluster.local` | +| `global.spire.bundleConfigMap` | A configmap containing the Spire bundle | `""` | +| `global.spire.clusterName` | The name of the k8s cluster for Spire install | `example-cluster` | +| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset | `""` | +| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` | +| `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` | +| `global.spire.image.registry` | Override all Spire image registries at once | `""` | +| `global.spire.namespaces.system.name` | Name of the Spire system Namespace. | `spire-system` | +| `global.spire.namespaces.system.create` | Create a Namespace for Spire system resources. | `false` | +| `global.spire.namespaces.system.annotations` | Annotations to apply to the Spire system Namespace. | `{}` | +| `global.spire.namespaces.system.labels` | Labels to apply to the Spire system Namespace. | `{}` | +| `global.spire.namespaces.server.name` | Name of the Spire server Namespace. | `spire-server` | +| `global.spire.namespaces.server.create` | Create a Namespace for Spire server resources. 
| `false` | +| `global.spire.namespaces.server.annotations` | Annotations to apply to the Spire server Namespace. | `{}` | +| `global.spire.namespaces.server.labels` | Labels to apply to the Spire server Namespace. | `{}` | +| `global.spire.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `false` | +| `global.spire.ingressControllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | +| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | +| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` | ### Spire server parameters diff --git a/charts/spire/templates/spire-server-namespace.yaml b/charts/spire/templates/spire-server-namespace.yaml new file mode 100644 index 000000000..4eae22d6a --- /dev/null +++ b/charts/spire/templates/spire-server-namespace.yaml @@ -0,0 +1,14 @@ +{{- if .Values.global.spire.namespaces.server.create }} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.global.spire.namespaces.server.name }} + {{- if .Values.global.spire.namespaces.server.labels }} + labels: + {{- .Values.global.spire.namespaces.server.labels | toYaml | nindent 4 }} + {{- end }} + {{- if .Values.global.spire.namespaces.server.annotations }} + annotations: + {{- .Values.global.spire.namespaces.server.annotations | toYaml | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/spire/templates/spire-system-namespace.yaml b/charts/spire/templates/spire-system-namespace.yaml new file mode 100644 index 000000000..689038e88 --- /dev/null +++ b/charts/spire/templates/spire-system-namespace.yaml 
@@ -0,0 +1,14 @@ +{{- if .Values.global.spire.namespaces.system.create }} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.global.spire.namespaces.system.name }} + {{- if .Values.global.spire.namespaces.system.labels }} + labels: + {{- .Values.global.spire.namespaces.system.labels | toYaml | nindent 4 }} + {{- end }} + {{- if .Values.global.spire.namespaces.system.annotations }} + annotations: + {{- .Values.global.spire.namespaces.system.annotations | toYaml | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 77e769c0b..c3145e959 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -8,6 +8,7 @@ global: k8s: ## @param global.k8s.clusterDomain Cluster domain name configured for Spire install clusterDomain: cluster.local + spire: ## @param global.spire.bundleConfigMap A configmap containing the Spire bundle bundleConfigMap: "" 
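Review bot: spire-system-namespace.yaml is a byte-for-byte copy of spire-server-namespace.yaml with `server` replaced by `system`, which invites the two to drift when one is fixed; a single template that does `{{- range $key, $ns := .Values.global.spire.namespaces }}` over the `namespaces` map (emitting `---` between documents) would render both from one body. Whichever form is kept, `name: {{ .Values.global.spire.namespaces.system.name }}` should be `name: {{ .Values.global.spire.namespaces.system.name | quote }}` so an empty or number-looking override fails as a bad string rather than rendering as null or an integer.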
@@ -24,6 +25,26 @@ global: ## @param global.spire.image.registry Override all Spire image registries at once registry: "" + namespaces: + system: + ## @param global.spire.namespaces.system.name Name of the Spire system Namespace. + name: "spire-system" + ## @param global.spire.namespaces.system.create Create a Namespace for Spire system resources. + create: false + ## @param global.spire.namespaces.system.annotations [object] Annotations to apply to the Spire system Namespace. + annotations: {} + ## @param global.spire.namespaces.system.labels [object] Labels to apply to the Spire system Namespace. + labels: {} + server: + ## @param global.spire.namespaces.server.name Name of the Spire server Namespace. + name: "spire-server" + ## @param global.spire.namespaces.server.create Create a Namespace for Spire server resources. + create: false + ## @param global.spire.namespaces.server.annotations [object] Annotations to apply to the Spire server Namespace. + annotations: {} + ## @param global.spire.namespaces.server.labels [object] Labels to apply to the Spire server Namespace. + labels: {} + ## @param global.spire.strictMode Check values, such as trustDomain, are overridden with a suitable value for production. strictMode: false diff --git a/examples/openshift/openshift-values.yaml b/examples/openshift/openshift-values.yaml index 6f5dad69a..d88641de5 100644 --- a/examples/openshift/openshift-values.yaml +++ b/examples/openshift/openshift-values.yaml 
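Review bot: The `@param global.spire.namespaces.*.create` comments describe only the happy path; a Namespace rendered by the chart is owned by the release, so `helm uninstall` deletes it together with every object inside it, including Secrets or workloads that other tooling placed there. The comment for both `create` keys should carry that warning, e.g. `## @param global.spire.namespaces.system.create Create a Namespace for Spire system resources (the Namespace is then owned by the release and removed, with all its contents, on uninstall; set annotations["helm.sh/resource-policy"]="keep" to retain it)`. The default of `false` is the safe choice and should stay.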
@@ -3,6 +3,20 @@ global: telemetry: prometheus: enabled: true + spire: + namespaces: + system: + labels: + security.openshift.io/scc.podSecurityLabelSync: "false" + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged + pod-security.kubernetes.io/audit: privileged + server: + labels: + security.openshift.io/scc.podSecurityLabelSync: "false" + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged + pod-security.kubernetes.io/audit: privileged spire-server: tornjak: From 692d463718714a4157759ca6ba1f1c5de9a7160e Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Fri, 1 Dec 2023 10:49:29 -0800 Subject: [PATCH 02/64] Remove unneeded lookup function from upgrade hook (#104) Those upgrading to 0.17.0 should no longer need the code to check for the old webhook. Signed-off-by: Kevin Fox Co-authored-by: Faisal Memon --- .../charts/spire-server/templates/pre-upgrade-hook.yaml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml index a72e0437f..27a73d9dd 100644 --- a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml +++ b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml 
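Review bot: The new `global.spire.namespaces.*.labels` in openshift-values.yaml are only rendered by templates gated on `global.spire.namespaces.*.create`, and this example does not set `create: true`, so on a stock install of this example file the `pod-security.kubernetes.io/*` and `scc.podSecurityLabelSync` labels are never applied; either add `create: true` under each namespace or add a comment such as `# these labels take effect only when create: true (or apply them to a pre-existing namespace by hand)`. The `server` block also copies `enforce: privileged` verbatim from `system`, which opts every pod in spire-server out of Pod Security Admission, not only the hostPath/privileged components that plausibly live in spire-system; whether anything in spire-server needs more than `baseline` is not visible in this hunk, so a comment justifying the level (or lowering it) is warranted. Disabling `security.openshift.io/scc.podSecurityLabelSync` is what makes the hand-set labels stick, so that line deserves the same comment.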
@@ -1,9 +1,4 @@ {{- if eq ((dig "installAndUpgradeHooks" "enabled" .Values.controllerManager.installAndUpgradeHook.enabled .Values.global) | toString) "true" }} -{{- $webhookname := printf "%s-%s-webhook" .Release.Namespace (include "spire-controller-manager.fullname" .) }} -{{- $oldwebhookname := printf "%s-webhook" (include "spire-controller-manager.fullname" .) }} -{{- if not (lookup "admissionregistration.k8s.io/v1" "ValidatingWebhookConfiguration" "" $webhookname) }} -{{- $webhookname = $oldwebhookname }} -{{- end }} {{- if eq (.Values.controllerManager.enabled | toString) "true" }} {{- if eq .Values.controllerManager.validatingWebhookConfiguration.failurePolicy "Fail" }} apiVersion: v1 @@ -27,7 +22,7 @@ metadata: rules: - apiGroups: ["admissionregistration.k8s.io"] resources: ["validatingwebhookconfigurations"] - resourceNames: [{{ $webhookname | quote }}] + resourceNames: [{{ printf "%s-%s-webhook" .Release.Namespace (include "spire-controller-manager.fullname" .) | quote }}] verbs: ["get", "patch"] --- kind: ClusterRoleBinding @@ -73,7 +68,7 @@ spec: args: - patch - validatingwebhookconfiguration - - {{ $webhookname }} + - {{ printf "%s-%s-webhook" .Release.Namespace (include "spire-controller-manager.fullname" .) }} - --type=strategic - -p - | From 3e8335c0ee7436022e625ca4b7a09c34c13b2615 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Sat, 2 Dec 2023 05:15:32 -0800 Subject: [PATCH 03/64] Add a flag to enable recommendations (#121) * Add a flag to enable recommendations Signed-off-by: Kevin Fox * Fix merge issue Signed-off-by: Kevin Fox * Update after reaching consensus. Signed-off-by: Kevin Fox * Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 * Fix docs Signed-off-by: Kevin Fox * Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 * Fix docs Signed-off-by: Kevin Fox --------- Signed-off-by: Kevin Fox 
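Review bot: The replacement drops the `$webhookname` variable but then inlines the same `printf "%s-%s-webhook" .Release.Namespace (include "spire-controller-manager.fullname" .)` twice, once in the ClusterRole `resourceNames` and once in the kubectl `patch` args; if one copy is later edited the RBAC grant and the patched object silently diverge and the hook fails with a permission error. Keep a single `{{- $webhookname := printf "%s-%s-webhook" .Release.Namespace (include "spire-controller-manager.fullname" .) }}` at the top of the template and reference `$webhookname` in both places, as the removed code did. Scoping `resourceNames` to exactly that one ValidatingWebhookConfiguration is the right least-privilege shape and should be kept. The enclosing ClusterRole and Job definitions extend beyond these hunks.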
Signed-off-by: kfox1111 Co-authored-by: Faisal Memon --- charts/spire/README.md | 1 + charts/spire/values.yaml | 4 ++++ examples/production/values.yaml | 2 ++ 3 files changed, 7 insertions(+) diff --git a/charts/spire/README.md b/charts/spire/README.md index a63b267ca..446abf2fc 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -158,6 +158,7 @@ Now you can interact with the Spire agent socket from your own application. The | `global.spire.jwtIssuer` | The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset | `""` | | `global.spire.trustDomain` | The trust domain for Spire install | `example.org` | | `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` | +| `global.spire.recommendations.enabled` | Use recommended settings for production deployments. Default is off. | `false` | | `global.spire.image.registry` | Override all Spire image registries at once | `""` | | `global.spire.namespaces.system.name` | Name of the Spire system Namespace. | `spire-system` | | `global.spire.namespaces.system.create` | Create a Namespace for Spire system resources. | `false` | diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index c3145e959..788242f7b 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -21,6 +21,10 @@ global: ## @param global.spire.upstreamServerAddress Set what address to use for the upstream server when using nested spire upstreamServerAddress: "" + ## @param global.spire.recommendations.enabled Use recommended settings for production deployments. Default is off. + recommendations: + enabled: false + image: ## @param global.spire.image.registry Override all Spire image registries at once registry: "" diff --git a/examples/production/values.yaml b/examples/production/values.yaml index dd6fb4eb5..97797a49f 100644 --- a/examples/production/values.yaml +++ b/examples/production/values.yaml 
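Review bot: `global.spire.recommendations.enabled` is declared in values.yaml and documented as "Use recommended settings for production deployments", but the patch's diffstat shows only README.md, values.yaml and an example file changing, so no template in this commit reads the flag and setting it to `true` currently has no effect. The `@param` text should either enumerate which settings the flag is intended to switch or say plainly that it is a placeholder, e.g. `## @param global.spire.recommendations.enabled Use recommended settings for production deployments. Default is off. (Currently a placeholder: no chart setting is changed by this flag yet.)`, so operators do not assume it hardens an install that it does not.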
@@ -4,6 +4,8 @@ global: enabled: true spire: strictMode: true + recommendations: + enabled: true spire-server: nodeAttestor: From 6fda639237caceb29a172e5160ae248762cb9340 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Dec 2023 04:32:42 -0800 Subject: [PATCH 04/64] Bump actions/setup-go from 4.1.0 to 5.0.0 (#136) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.1.0 to 5.0.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v4.1.0...v5.0.0) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/check-versions.yaml | 2 +- .github/workflows/helm-chart-ci.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-versions.yaml b/.github/workflows/check-versions.yaml index 766fe14e9..845278dfd 100644 --- a/.github/workflows/check-versions.yaml +++ b/.github/workflows/check-versions.yaml @@ -33,7 +33,7 @@ jobs: git diff - name: Setup go - uses: actions/setup-go@v4.1.0 + uses: actions/setup-go@v5.0.0 with: go-version: '1.21' cache: false diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index e2a2abd97..060fabf5e 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml @@ -73,7 +73,7 @@ jobs: fi - name: Setup Go - uses: actions/setup-go@v4.1.0 + uses: actions/setup-go@v5.0.0 with: go-version-file: tests/go.mod cache-dependency-path: tests/go.sum From c017d8259443a5b43f25c54e3ed04b9bcce51589 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Dec 2023 12:40:31 +0000 Subject: [PATCH 05/64] Bump actions/setup-python from 4 to 5 (#137) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4 to 5. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/check-versions.yaml | 2 +- .github/workflows/helm-chart-ci.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/check-versions.yaml b/.github/workflows/check-versions.yaml index 845278dfd..26f6f3915 100644 --- a/.github/workflows/check-versions.yaml +++ b/.github/workflows/check-versions.yaml @@ -41,7 +41,7 @@ jobs: - name: Setup crane uses: imjasonh/setup-crane@v0.3 - - uses: actions/setup-python@v4.6.1 + - uses: actions/setup-python@v5 with: python-version: '3.9' diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index 060fabf5e..db23d9669 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml @@ -104,7 +104,7 @@ jobs: version: ${{ env.HELM_VERSION }} - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ env.PYTHON_VERSION }} @@ -146,7 +146,7 @@ jobs: version: ${{ env.HELM_VERSION }} - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ env.PYTHON_VERSION }} @@ -225,7 +225,7 @@ jobs: version: ${{ env.HELM_VERSION }} - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ env.PYTHON_VERSION }} 
@@ -269,7 +269,7 @@ jobs: version: ${{ env.HELM_VERSION }} - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ env.PYTHON_VERSION }} From 13f6028ccd2e7da41d2f6674ad68b9cb10a1c0dd Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Thu, 7 Dec 2023 11:02:06 -0800 Subject: [PATCH 06/64] SELinux support (#122) * SELinux support Add support to the chart to set the SELinux context to enable a working system. Enable it by default on OpenShift clusters. Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox --------- Signed-off-by: Kevin Fox --- .../spire/charts/spiffe-csi-driver/README.md | 6 +++++ .../templates/daemonset.yaml | 26 +++++++++++++++++-- .../charts/spiffe-csi-driver/values.yaml | 15 +++++++++++ examples/openshift/openshift-values.yaml | 21 --------------- 4 files changed, 45 insertions(+), 23 deletions(-) diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md index c1371d688..e3e88ef50 100644 --- a/charts/spire/charts/spiffe-csi-driver/README.md +++ b/charts/spire/charts/spiffe-csi-driver/README.md @@ -64,3 +64,9 @@ A Helm chart to install the SPIFFE CSI driver. | `restrictedScc.enabled` | Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support | `false` | | `restrictedScc.name` | Set the name of the restricted SCC with CSI support | `""` | | `restrictedScc.version` | Version of the restricted SCC | `2` | +| `selinux.enabled` | Enable selinux support | `false` | +| `selinux.context` | Which selinux context to use | `container_file_t` | +| `selinux.image.registry` | The OCI registry to pull the image from | `registry.access.redhat.com` | +| `selinux.image.repository` | The repository within the registry | `ubi9` | +| `selinux.image.pullPolicy` | The image pull policy | `Always` | +| `selinux.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest` | 
diff --git a/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml b/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml index 7d5339ed0..e13023ed4 100644 --- a/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml +++ b/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml @@ -36,9 +36,31 @@ spec: {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} - {{- with .Values.initContainers }} + {{- if or (gt (len .Values.initContainers) 0) (dig "openshift" false .Values.global) (dig "selinux" false .Values.global) .Values.selinux.enabled }} initContainers: - {{- toYaml . | nindent 8 }} + {{- if or (dig "openshift" false .Values.global) (dig "selinux" false .Values.global) .Values.selinux.enabled }} + - name: set-context + command: + - chcon + - '-Rvt' + - {{ .Values.selinux.context }} + - spire-agent-socket/ + image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.selinux.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.selinux.image.pullPolicy }} + securityContext: + capabilities: + drop: + - all + privileged: true + volumeMounts: + - name: spire-agent-socket-dir + mountPath: /spire-agent-socket + terminationMessagePolicy: File + terminationMessagePath: /dev/termination-log + {{- end }} + {{- if gt (len .Values.initContainers) 0 }} + {{- toYaml .Values.initContainers | nindent 8 }} + {{- end }} {{- end }} containers: # This is the container which runs the SPIFFE CSI driver. diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml index 12eeb7b94..2bced8ba2 100644 --- a/charts/spire/charts/spiffe-csi-driver/values.yaml +++ b/charts/spire/charts/spiffe-csi-driver/values.yaml 
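Review bot: The new `set-context` init container sets `privileged: true` together with `capabilities.drop: [all]`, but in practice a privileged container receives the full capability set from the runtime regardless of the drop list, so the drop is cosmetic and may mislead a reader into thinking the container is constrained. If `chcon` genuinely requires the unconfined SELinux domain that privileged grants (plausible for relabeling a hostPath-backed socket directory), a comment such as `# privileged is needed so chcon runs unconfined (spc_t) and may relabel the socket dir; capabilities are not meaningfully restricted here` should say so; otherwise prefer a non-privileged security context. The `chcon` target `spire-agent-socket/` is relative and depends on the image's working directory being `/`; `- /spire-agent-socket` matches the declared `mountPath` and removes that dependency. `- {{ .Values.selinux.context }}` would also be safer as `- {{ .Values.selinux.context | quote }}`. The DaemonSet pod spec continues outside this hunk.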
@@ -141,3 +141,18 @@ restrictedScc: name: "" ## @param restrictedScc.version Version of the restricted SCC version: 2 + +selinux: + ## @param selinux.enabled Enable selinux support + enabled: false + ## @param selinux.context Which selinux context to use + context: container_file_t + ## @param selinux.image.registry The OCI registry to pull the image from + ## @param selinux.image.repository The repository within the registry + ## @param selinux.image.pullPolicy The image pull policy + ## @param selinux.image.tag Overrides the image tag whose default is the chart appVersion + image: + registry: registry.access.redhat.com + repository: ubi9 + pullPolicy: Always + tag: latest diff --git a/examples/openshift/openshift-values.yaml b/examples/openshift/openshift-values.yaml index d88641de5..b44759747 100644 --- a/examples/openshift/openshift-values.yaml +++ b/examples/openshift/openshift-values.yaml @@ -64,24 +64,3 @@ tornjak-frontend: runAsUser: null runAsGroup: null fsGroup: null - -spiffe-csi-driver: - initContainers: - - terminationMessagePath: /dev/termination-log - name: set-context - command: - - chcon - - '-Rvt' - - container_file_t - - spire-agent-socket/ - securityContext: - capabilities: - drop: - - all - privileged: true - imagePullPolicy: Always - volumeMounts: - - name: spire-agent-socket-dir - mountPath: /spire-agent-socket - terminationMessagePolicy: File - image: 'registry.access.redhat.com/ubi9:latest' From 80c7653a21c40e3f3dee6d8c4d2adac898825c68 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 7 Dec 2023 22:47:38 +0000 Subject: [PATCH 07/64] Bump test chart dependencies (#134) * Bump test chart dependencies Signed-off-by: GitHub * Update charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml Signed-off-by: kfox1111 * Fix Docs Signed-off-by: Kevin Fox --------- Signed-off-by: GitHub Signed-off-by: kfox1111 
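Review bot: `selinux.image` defaults to `registry.access.redhat.com/ubi9` with `tag: latest` and `pullPolicy: Always`, so every node re-pulls a mutable tag for an init container that runs privileged; the other helper images in this chart are pinned as `latest@sha256:...`, and this one should be too, e.g. `tag: latest@sha256:<digest>`, so that a registry-side change cannot swap the binary that relabels the agent socket directory. The `@param selinux.image.tag` text ("Overrides the image tag whose default is the chart appVersion") is copied from the SPIRE images and is wrong here: the default is `latest` and a UBI image has no relation to the chart appVersion, so it should read something like `## @param selinux.image.tag Tag (preferably digest-pinned) of the UBI image used to run chcon`. The openshift-values.yaml hunk is a pure deletion and needs no comment.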
Signed-off-by: Kevin Fox Co-authored-by: marcofranssen Co-authored-by: kfox1111 --- .github/tests/charts.json | 6 +++--- .../spire/charts/spiffe-oidc-discovery-provider/README.md | 2 +- .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 2 +- charts/spire/charts/spire-agent/README.md | 4 ++-- charts/spire/charts/spire-agent/values.yaml | 4 ++-- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 6 ++---- charts/spire/charts/tornjak-frontend/README.md | 2 +- charts/spire/charts/tornjak-frontend/values.yaml | 2 +- 9 files changed, 14 insertions(+), 16 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 79594ddad..60c13bb9a 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,7 +2,7 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "54.2.2" + "version": "55.0.0" }, { "name": "cert-manager", @@ -12,7 +12,7 @@ { "name": "ingress-nginx", "repo": "https://kubernetes.github.io/ingress-nginx", - "version": "4.8.3" + "version": "4.8.4" }, { "name": "mysql", @@ -22,6 +22,6 @@ { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "13.2.18" + "version": "13.2.23" } ] diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 788f69493..902ed3ec3 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -105,7 +105,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 405f96ed0..adb07722e 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -289,7 +289,7 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e + tag: latest@sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404 toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index a4e9c0b73..b168dcf0d 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -64,13 +64,13 @@ A Helm chart to install the SPIRE agent. | `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` | | `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `waitForIt.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:ffab5a8d7b7da2d04f433d0321cc5c34d8aa53bd15dd54eb2e4cd9c0d3d3cf5e` | +| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f7843d89d707fe0f7ee4cbb768f6485b6bb4f9fe4fdca20d98be8e9bb2d1dc6d` | | `waitForIt.resources` | Resource requests and limits | `{}` | | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | | `fsGroupFix.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | | `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 80e3fb412..b8352183b 100644 --- a/charts/spire/charts/spire-agent/values.yaml 
+++ b/charts/spire/charts/spire-agent/values.yaml @@ -134,7 +134,7 @@ waitForIt: repository: chainguard/wait-for-it pullPolicy: IfNotPresent version: "" - tag: latest@sha256:ffab5a8d7b7da2d04f433d0321cc5c34d8aa53bd15dd54eb2e4cd9c0d3d3cf5e + tag: latest@sha256:f7843d89d707fe0f7ee4cbb768f6485b6bb4f9fe4fdca20d98be8e9bb2d1dc6d ## @param waitForIt.resources [object] Resource requests and limits resources: {} @@ -153,7 +153,7 @@ fsGroupFix: repository: chainguard/bash pullPolicy: Always version: "" - tag: latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e + tag: latest@sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404 ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 0c219892c..fb1f221e1 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -316,4 +316,4 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 170d46e68..209201ea0 100644 --- a/charts/spire/charts/spire-server/values.yaml 
+++ b/charts/spire/charts/spire-server/values.yaml @@ -479,7 +479,7 @@ controllerManager: downstream: false ## @param controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames Auto populate DNS names from services attached to pods autoPopulateDNSNames: false - + # You can specify additional ClusterSPIFFEIDs following this example: # foo: # labels: @@ -488,7 +488,6 @@ controllerManager: # namespaceSelector: # matchLabels: # foo: bar - ## @param controllerManager.identities.clusterStaticEntries Specify ClusterStaticEntry objects. clusterStaticEntries: {} # foo: @@ -498,7 +497,6 @@ controllerManager: # spiffeID: spiffe://example.com/foo # selectors: # - k8s:pod-label:app.kubernetes.io/name:server - ## @param controllerManager.identities.clusterFederatedTrustDomains Specify ClusterFederatedTrustDomain objects. clusterFederatedTrustDomains: {} # foo: @@ -756,4 +754,4 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e + tag: latest@sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404 diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index fc1ec957f..92eb99937 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md 
@@ -100,4 +100,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 78a06899e..75c2740ab 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -158,4 +158,4 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e + tag: latest@sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404 From a3d37020498498704d3904903d7870ffa06be4be Mon Sep 17 00:00:00 2001 From: marcofranssen Date: Mon, 11 Dec 2023 08:01:45 +0000 Subject: [PATCH 08/64] Bump test chart dependencies 
Signed-off-by: GitHub --- .github/tests/charts.json | 4 ++-- charts/spire/charts/spiffe-csi-driver/README.md | 2 +- charts/spire/charts/spiffe-csi-driver/values.yaml | 2 +- .../spire/charts/spiffe-oidc-discovery-provider/README.md | 6 +++--- .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 6 +++--- charts/spire/charts/spire-agent/README.md | 4 ++-- charts/spire/charts/spire-agent/values.yaml | 4 ++-- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 2 +- charts/spire/charts/tornjak-frontend/README.md | 2 +- charts/spire/charts/tornjak-frontend/values.yaml | 2 +- 11 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 60c13bb9a..b6033aaa4 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,7 +2,7 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "55.0.0" + "version": "55.1.0" }, { "name": "cert-manager", @@ -22,6 +22,6 @@ { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "13.2.23" + "version": "13.2.24" } ] diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md index e3e88ef50..5485afe93 100644 --- a/charts/spire/charts/spiffe-csi-driver/README.md +++ b/charts/spire/charts/spiffe-csi-driver/README.md 
@@ -56,7 +56,7 @@ A Helm chart to install the SPIFFE CSI driver. | `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` | | `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `nodeDriverRegistrar.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.1` | +| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.2` | | `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` | | `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | | `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` | diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml index 2bced8ba2..71b9133fd 100644 --- a/charts/spire/charts/spiffe-csi-driver/values.yaml +++ b/charts/spire/charts/spiffe-csi-driver/values.yaml @@ -110,7 +110,7 @@ nodeDriverRegistrar: repository: sig-storage/csi-node-driver-registrar pullPolicy: IfNotPresent version: "" - tag: v2.9.1 + tag: v2.9.2 ## @param nodeDriverRegistrar.resources Resource requests and limits for CSI driver pods resources: {} # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 902ed3ec3..f1d88d814 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -88,7 +88,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry | `nginx/nginx-prometheus-exporter` | | `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `telemetry.prometheus.nginxExporter.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.11.0` | +| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.0.0` | | `telemetry.prometheus.nginxExporter.resources` | Resource requests and limits | `{}` | | `ingress.enabled` | Flag to enable ingress | `false` | | `ingress.className` | Ingress class name | `""` | 
@@ -105,12 +105,12 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:2f93669e39cbd3c7866058bb7d446e56cabd17e17192134aa6b135dae82cd6e3` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.toolkit.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:99cafee4f14fe07a3298fcb7b90d4f0c396cba150b65d937856788b42ad83f79` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:38fb3c5dcda9e1dbd97165f08c428f345eb0bdcf3c7b485d86f9a2fe91d828b1` | | `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | | `tests.busybox.image.repository` | The repository within the registry | `busybox` | | `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index adb07722e..e5ceeb6bf 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -221,7 +221,7 @@ telemetry: repository: nginx/nginx-prometheus-exporter pullPolicy: IfNotPresent version: "" - tag: "0.11.0" + tag: "1.0.0" ## @param telemetry.prometheus.nginxExporter.resources [object] Resource requests and limits resources: {} @@ -289,7 +289,7 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404 + tag: latest@sha256:2f93669e39cbd3c7866058bb7d446e56cabd17e17192134aa6b135dae82cd6e3 toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -303,7 +303,7 @@ tests: repository: chainguard/slim-toolkit-debug pullPolicy: IfNotPresent version: "" - tag: latest@sha256:99cafee4f14fe07a3298fcb7b90d4f0c396cba150b65d937856788b42ad83f79 + tag: latest@sha256:38fb3c5dcda9e1dbd97165f08c428f345eb0bdcf3c7b485d86f9a2fe91d828b1 busybox: ## @param tests.busybox.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index b168dcf0d..1677ee629 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -64,13 +64,13 @@ A Helm chart to install the SPIRE agent. | `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` | | `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `waitForIt.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f7843d89d707fe0f7ee4cbb768f6485b6bb4f9fe4fdca20d98be8e9bb2d1dc6d` | +| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:ceb278e61a71f6f36454d01b55434bae46ae654e9a786b634f1d485d9448e114` | | `waitForIt.resources` | Resource requests and limits | `{}` | | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | | `fsGroupFix.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:2f93669e39cbd3c7866058bb7d446e56cabd17e17192134aa6b135dae82cd6e3` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | | `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index b8352183b..17006fc10 100644 --- a/charts/spire/charts/spire-agent/values.yaml 
+++ b/charts/spire/charts/spire-agent/values.yaml @@ -134,7 +134,7 @@ waitForIt: repository: chainguard/wait-for-it pullPolicy: IfNotPresent version: "" - tag: latest@sha256:f7843d89d707fe0f7ee4cbb768f6485b6bb4f9fe4fdca20d98be8e9bb2d1dc6d + tag: latest@sha256:ceb278e61a71f6f36454d01b55434bae46ae654e9a786b634f1d485d9448e114 ## @param waitForIt.resources [object] Resource requests and limits resources: {} @@ -153,7 +153,7 @@ fsGroupFix: repository: chainguard/bash pullPolicy: Always version: "" - tag: latest@sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404 + tag: latest@sha256:2f93669e39cbd3c7866058bb7d446e56cabd17e17192134aa6b135dae82cd6e3 ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index fb1f221e1..6400bcdd5 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -316,4 +316,4 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:2f93669e39cbd3c7866058bb7d446e56cabd17e17192134aa6b135dae82cd6e3` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 209201ea0..5d2fa3f65 100644 --- a/charts/spire/charts/spire-server/values.yaml 
+++ b/charts/spire/charts/spire-server/values.yaml @@ -754,4 +754,4 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404 + tag: latest@sha256:2f93669e39cbd3c7866058bb7d446e56cabd17e17192134aa6b135dae82cd6e3 diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 92eb99937..23fb07ee8 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -100,4 +100,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:2f93669e39cbd3c7866058bb7d446e56cabd17e17192134aa6b135dae82cd6e3` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 75c2740ab..e5220e482 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -158,4 +158,4 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:3dc87ab5263b3e6a0a082aa08fe2f1188eff62de3aee9e63b2cbad8594c62404 + tag: latest@sha256:2f93669e39cbd3c7866058bb7d446e56cabd17e17192134aa6b135dae82cd6e3 From 89c07e2d041aac21e98c0c222101201313f2a325 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Mon, 11 Dec 2023 06:33:24 -0800 Subject: [PATCH 09/64] Revert openssl 3.2 change (#142) 
Signed-off-by: Kevin Fox
---
charts/spire/charts/spiffe-oidc-discovery-provider/README.md | 2 +-
charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
index f1d88d814..79e0b2088 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
@@ -110,7 +110,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
| `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` |
| `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tests.toolkit.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
-| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:38fb3c5dcda9e1dbd97165f08c428f345eb0bdcf3c7b485d86f9a2fe91d828b1` |
+| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:99cafee4f14fe07a3298fcb7b90d4f0c396cba150b65d937856788b42ad83f79` |
| `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` |
| `tests.busybox.image.repository` | The repository within the registry | `busybox` |
| `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` |
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
index e5ceeb6bf..05907c329 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
@@ -303,7 +303,7 @@ tests: repository: chainguard/slim-toolkit-debug pullPolicy: IfNotPresent version: "" - tag: latest@sha256:38fb3c5dcda9e1dbd97165f08c428f345eb0bdcf3c7b485d86f9a2fe91d828b1 + tag: latest@sha256:99cafee4f14fe07a3298fcb7b90d4f0c396cba150b65d937856788b42ad83f79 busybox: ## @param tests.busybox.image.registry The OCI registry to pull the image from From 7726351955491c5cba79381fc779cf1994ede350 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Mon, 11 Dec 2023 06:56:58 -0800 Subject: [PATCH 10/64] Tornjak UBI support (#123) * Tornjak UBI support The Tornjak containers now have two different flavors. Vanilla and UBI. Automatically select the UBI image when deploying on OpenShift. Signed-off-by: Kevin Fox Co-authored-by: Mariusz Sabath --- charts/spire/charts/spire-server/README.md | 3 ++- .../spire/charts/spire-server/templates/statefulset.yaml | 2 +- charts/spire/charts/spire-server/values.yaml | 6 ++++-- charts/spire/charts/tornjak-frontend/Chart.yaml | 2 +- .../charts/tornjak-frontend/templates/deployment.yaml | 2 +- charts/spire/templates/_spire-lib.tpl | 6 +++++- examples/openshift/openshift-values.yaml | 9 --------- 7 files changed, 14 insertions(+), 16 deletions(-) diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 6400bcdd5..85f7949f6 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -277,7 +277,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tornjak.image.repository` | The repository within the registry | `spiffe/tornjak-backend` | | `tornjak.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tornjak.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tornjak.image.tag` | Overrides the image tag whose default is the chart appVersion | `v1.4.0` | +| `tornjak.image.tag` | Overrides the image tag to be whatever you need it to be. It will always be the flag you set without modifications | `""` | +| `tornjak.image.defaultTag` | Sets the default image to use when image.tag is not set. It will automatically be updated with a ubi- prefix if on OpenShift. | `v1.4.1` | | `tornjak.service.type` | Type of service resource | `ClusterIP` | | `tornjak.service.ports.http` | Insecure port for tornjak service | `10000` | | `tornjak.service.ports.https` | Secure port for tornjak service | `10443` | diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index ca26abb52..1b1f0ed66 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -231,7 +231,7 @@ spec: - name: tornjak securityContext: {{- toYaml .Values.controllerManager.securityContext | nindent 12 }} - image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tornjak.image "global" .Values.global) }} + image: {{ template "spire-lib.image" (dict "appVersion" .Values.tornjak.image.defaultTag "image" .Values.tornjak.image "global" .Values.global "ubi" true) }} imagePullPolicy: {{ .Values.tornjak.image.pullPolicy }} {{- if eq (include "spire-tornjak.connectionType" .) "http" }} startupProbe: 
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 5d2fa3f65..3082a5082 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -608,14 +608,16 @@ tornjak: ## @param tornjak.image.repository The repository within the registry ## @param tornjak.image.pullPolicy The image pull policy ## @param tornjak.image.version This value is deprecated in favor of tag. (Will be removed in a future release) - ## @param tornjak.image.tag Overrides the image tag whose default is the chart appVersion + ## @param tornjak.image.tag Overrides the image tag to be whatever you need it to be. It will always be the flag you set without modifications + ## @param tornjak.image.defaultTag Sets the default image to use when image.tag is not set. It will automatically be updated with a ubi- prefix if on OpenShift. ## image: registry: ghcr.io repository: spiffe/tornjak-backend pullPolicy: IfNotPresent version: "" - tag: "v1.4.0" + tag: "" + defaultTag: "v1.4.1" service: ## @param tornjak.service.type Type of service resource diff --git a/charts/spire/charts/tornjak-frontend/Chart.yaml b/charts/spire/charts/tornjak-frontend/Chart.yaml index 1e72c8e0e..761a9164c 100644 --- a/charts/spire/charts/tornjak-frontend/Chart.yaml +++ b/charts/spire/charts/tornjak-frontend/Chart.yaml @@ -3,7 +3,7 @@ name: tornjak-frontend description: A Helm chart to deploy Tornjak frontend type: application version: 0.1.0 -appVersion: "v1.4.0" +appVersion: "v1.4.1" home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: - https://github.com/spiffe/tornjak diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index 8fbf2105f..5cc188a0a 100644 --- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml 
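Review bot: `defaultTag: "v1.4.1"` is a floating tag pulled with `pullPolicy: IfNotPresent`, while the other image defaults this series touches are pinned as `latest@sha256:…`, and because the `ubi-` prefix is applied to `defaultTag` as a string, a digest can only be supplied through `tag`, which bypasses the prefix. That trade-off should be stated in the `@param` comment so operators know where pinning goes, e.g. `## @param tornjak.image.defaultTag Default tag when image.tag is unset; gets a ubi- prefix on OpenShift. Floating tag: set image.tag (e.g. ubi-v1.4.1@sha256:<digest>) to pin.` The `tornjak.image.tag` description also reads "the flag you set" where "the tag you set" is presumably meant. The `tornjak:` mapping starts outside the hunk.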
@@ -24,7 +24,7 @@ spec: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: {{ include "tornjak-frontend.fullname" . }} - image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }} + image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }} imagePullPolicy: {{ .Values.image.pullPolicy }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl index 8536e22bc..658b0e76a 100644 --- a/charts/spire/templates/_spire-lib.tpl +++ b/charts/spire/templates/_spire-lib.tpl @@ -55,7 +55,11 @@ {{- if eq (substr 0 7 $tag) "sha256:" }} {{- printf "%s/%s@%s" $registry $repo $tag }} {{- else if .appVersion }} -{{- printf "%s%s:%s" $registry $repo (default .appVersion $tag) }} +{{- $appVersion := .appVersion }} +{{- if and (hasKey . "ubi") (dig "openshift" false .global) }} +{{- $appVersion = printf "ubi-%s" $appVersion }} +{{- end }} +{{- printf "%s%s:%s" $registry $repo (default $appVersion $tag) }} {{- else if $tag }} {{- printf "%s%s:%s" $registry $repo $tag }} {{- else }} diff --git a/examples/openshift/openshift-values.yaml b/examples/openshift/openshift-values.yaml index b44759747..cef5b03b5 100644 --- a/examples/openshift/openshift-values.yaml +++ b/examples/openshift/openshift-values.yaml @@ -19,11 +19,6 @@ global: pod-security.kubernetes.io/audit: privileged spire-server: - tornjak: - image: - registry: ghcr.io - repository: spiffe/tornjak-backend - tag: ubi-v1.4.1 nodeAttestor: k8sPsat: serviceAccountAllowList: ["spire-system:spire-agent"] @@ -56,10 +51,6 @@ spiffe-oidc-discovery-provider: tornjak-frontend: workingDir: /opt/app-root/src - image: - registry: ghcr.io - repository: spiffe/tornjak-frontend - tag: ubi-v1.4.1 podSecurityContext: runAsUser: null runAsGroup: null 
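Review bot: `hasKey . "ubi"` tests only that the key was passed, not its value, so a caller writing `"ubi" false` would still get the `ubi-` prefix on OpenShift; `{{- if and .ubi (dig "openshift" false .global) }}` checks the value and should read the same for callers that omit the key (missing key renders as nil, which is falsy). Since the prefix is applied to `$appVersion` before `default`, an explicit `tag` silently skips it, which matches the README wording but deserves a comment in this shared template, e.g. `{{/* "ubi" callers get the ubi-<version> flavour on OpenShift unless an explicit tag is set */}}`. The `spire-lib.image` define begins outside the hunk.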
From 9f72a8f97110629d79ce86b8da41010276a9a4af Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Mon, 11 Dec 2023 07:52:44 -0800 Subject: [PATCH 11/64] Use good and automatic defaults for tornjak frontend workingDir (#129) Signed-off-by: Kevin Fox Signed-off-by: kfox1111 --- charts/spire/charts/tornjak-frontend/README.md | 2 +- .../charts/tornjak-frontend/templates/_helpers.tpl | 10 ++++++++++ .../charts/tornjak-frontend/templates/deployment.yaml | 4 ++-- charts/spire/charts/tornjak-frontend/values.yaml | 4 ++-- examples/openshift/openshift-values.yaml | 1 - 5 files changed, 15 insertions(+), 6 deletions(-) diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 23fb07ee8..63a03737f 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -87,7 +87,7 @@ port forwarding. See the chart NOTES output for more details. | `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | | `startupProbe.failureThreshold` | Failure threshold count for startupProbe | `6` | | `startupProbe.successThreshold` | Success threshold count for startupProbe | `1` | -| `workingDir` | Path containing the Tornjak frontend within the image | `/usr/src/app` | +| `workingDir` | Set to override the default path containing the Tornjak frontend within the image | `""` | | `ingress.enabled` | Flag to enable ingress for Tornjak frontend service | `false` | | `ingress.className` | Ingress class name for Tornjak frontend service | `""` | | `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | diff --git a/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl b/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl index fd7a92bc9..535df2b9b 100644 
--- a/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl +++ b/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl @@ -84,3 +84,13 @@ Create URL for accessing Tornjak APIs {{- print "http://localhost:" .Values.service.port }} {{- end }} {{- end }} + +{{- define "tornjak-frontend.workingDir" }} +{{- if .Values.workingDir }} +{{- .Values.workingDir }} +{{- else if (dig "openshift" false .Values.global) }} +{{- printf "/opt/app-root/src" }} +{{- else }} +{{- printf "/usr/src/app" }} +{{- end }} +{{- end }} diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index 5cc188a0a..79fe5dd67 100644 --- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml @@ -53,9 +53,9 @@ spec: {{- end }} volumeMounts: - name: cache - mountPath: {{ .Values.workingDir }}/node_modules/.cache + mountPath: {{ include "tornjak-frontend.workingDir" . }}/node_modules/.cache - name: env - mountPath: {{ .Values.workingDir }}/build/tmp + mountPath: {{ include "tornjak-frontend.workingDir" . }}/build/tmp - name: logs mountPath: /opt/app-root/src/.npm/ {{- with .Values.nodeSelector }} diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index e5220e482..9c6eb2298 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -113,8 +113,8 @@ startupProbe: failureThreshold: 6 successThreshold: 1 -## @param workingDir Path containing the Tornjak frontend within the image -workingDir: /usr/src/app +## @param workingDir Set to override the default path containing the Tornjak frontend within the image +workingDir: "" ## @param ingress.enabled Flag to enable ingress for Tornjak frontend service ## @param ingress.className Ingress class name for Tornjak frontend service 
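Review bot: The two `mountPath` values are built by bare string concatenation on the helper output, so a user-supplied `workingDir` with a trailing slash renders `//node_modules/.cache`, and nothing quotes the result; `mountPath: {{ include "tornjak-frontend.workingDir" . | trimSuffix "/" }}/node_modules/.cache` (and the same for `build/tmp`) avoids both. The `logs` mount at `/opt/app-root/src/.npm/` stays hard-coded while the other two now follow the OpenShift-aware helper — presumably intentional because npm's cache follows the home directory rather than the app directory, but a one-line comment saying so would stop the next reader from "fixing" it. The `volumeMounts` list and the enclosing container spec start outside the hunk.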
diff --git a/examples/openshift/openshift-values.yaml b/examples/openshift/openshift-values.yaml index cef5b03b5..44efaca86 100644 --- a/examples/openshift/openshift-values.yaml +++ b/examples/openshift/openshift-values.yaml @@ -50,7 +50,6 @@ spiffe-oidc-discovery-provider: fsGroup: null tornjak-frontend: - workingDir: /opt/app-root/src podSecurityContext: runAsUser: null runAsGroup: null From e35838c30923069d3550f98187f8e12bfb31402a Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Mon, 11 Dec 2023 11:42:40 -0800 Subject: [PATCH 12/64] Add recommendation for priorityClass (#124) * Add a flag to enable recommendations Signed-off-by: Kevin Fox * Add recommendation for priorityClass Signed-off-by: Kevin Fox * Fix vars Signed-off-by: Kevin Fox * Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 * Update docs. Fix typo. Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 * Fix docs Signed-off-by: Kevin Fox --------- Signed-off-by: Kevin Fox Signed-off-by: kfox1111 Co-authored-by: Faisal Memon --- charts/spire/README.md | 45 +++++----- .../spire/charts/spiffe-csi-driver/README.md | 90 +++++++++---------- .../templates/daemonset.yaml | 4 +- .../charts/spiffe-csi-driver/values.yaml | 2 +- charts/spire/charts/spire-agent/README.md | 2 +- .../spire-agent/templates/daemonset.yaml | 4 +- charts/spire/charts/spire-agent/values.yaml | 2 +- charts/spire/charts/spire-server/README.md | 2 +- .../spire-server/templates/statefulset.yaml | 4 +- charts/spire/charts/spire-server/values.yaml | 2 +- charts/spire/templates/_spire-lib.tpl | 16 ++++ charts/spire/values.yaml | 2 + examples/production/values.yaml | 5 -- 13 files changed, 94 insertions(+), 86 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 446abf2fc..a1be77db9 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -150,28 +150,29 @@ Now you can interact with the Spire agent socket from your own application. The ### Global parameters -| Name | Description | Value | -| -------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | -| `global.k8s.clusterDomain` | Cluster domain name configured for Spire install | `cluster.local` | -| `global.spire.bundleConfigMap` | A configmap containing the Spire bundle | `""` | -| `global.spire.clusterName` | The name of the k8s cluster for Spire install | `example-cluster` | -| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset | `""` | -| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` | -| `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` | -| `global.spire.recommendations.enabled` | Use recommended settings for production deployments. Default is off. | `false` | -| `global.spire.image.registry` | Override all Spire image registries at once | `""` | -| `global.spire.namespaces.system.name` | Name of the Spire system Namespace. | `spire-system` | -| `global.spire.namespaces.system.create` | Create a Namespace for Spire system resources. | `false` | -| `global.spire.namespaces.system.annotations` | Annotations to apply to the Spire system Namespace. | `{}` | -| `global.spire.namespaces.system.labels` | Labels to apply to the Spire system Namespace. | `{}` | -| `global.spire.namespaces.server.name` | Name of the Spire server Namespace. | `spire-server` | -| `global.spire.namespaces.server.create` | Create a Namespace for Spire server resources. 
| `false` | -| `global.spire.namespaces.server.annotations` | Annotations to apply to the Spire server Namespace. | `{}` | -| `global.spire.namespaces.server.labels` | Labels to apply to the Spire server Namespace. | `{}` | -| `global.spire.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `false` | -| `global.spire.ingressControllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | -| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | -| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` | +| Name | Description | Value | +| ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | +| `global.k8s.clusterDomain` | Cluster domain name configured for Spire install | `cluster.local` | +| `global.spire.bundleConfigMap` | A configmap containing the Spire bundle | `""` | +| `global.spire.clusterName` | The name of the k8s cluster for Spire install | `example-cluster` | +| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset | `""` | +| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` | +| `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` | +| `global.spire.recommendations.enabled` | Use recommended settings for production deployments. 
Default is off. | `false` | +| `global.spire.recommendations.priorityClassName` | Set to true to use recommended values for Pod Priority Class Names | `true` | +| `global.spire.image.registry` | Override all Spire image registries at once | `""` | +| `global.spire.namespaces.system.name` | Name of the Spire system Namespace. | `spire-system` | +| `global.spire.namespaces.system.create` | Create a Namespace for Spire system resources. | `false` | +| `global.spire.namespaces.system.annotations` | Annotations to apply to the Spire system Namespace. | `{}` | +| `global.spire.namespaces.system.labels` | Labels to apply to the Spire system Namespace. | `{}` | +| `global.spire.namespaces.server.name` | Name of the Spire server Namespace. | `spire-server` | +| `global.spire.namespaces.server.create` | Create a Namespace for Spire server resources. | `false` | +| `global.spire.namespaces.server.annotations` | Annotations to apply to the Spire server Namespace. | `{}` | +| `global.spire.namespaces.server.labels` | Labels to apply to the Spire server Namespace. | `{}` | +| `global.spire.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `false` | +| `global.spire.ingressControllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | +| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | +| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` | ### Spire server parameters diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md index 5485afe93..7365262db 100644 
--- a/charts/spire/charts/spiffe-csi-driver/README.md +++ b/charts/spire/charts/spiffe-csi-driver/README.md 
@@ -25,48 +25,48 @@ A Helm chart to install the SPIFFE CSI driver. ### SPIFFE CSI Driver Chart parameters -| Name | Description | Value | -| ---------------------------------------- | ------------------------------------------------------------------------------------------------------- | ------------------------------------------- | -| `pluginName` | Set the csi driver name deployed to Kubernetes. | `csi.spiffe.io` | -| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `image.repository` | The repository within the registry | `spiffe/spiffe-csi-driver` | -| `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `resources` | Resource requests and limits for spiffe-csi-driver | `{}` | -| `healthChecks.port` | The healthcheck port for spiffe-csi-driver | `9809` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | -| `livenessProbe.timeoutSeconds` | Timeout value in seconds for livenessProbe | `5` | -| `imagePullSecrets` | Image pull secret details for spiffe-csi-driver | `[]` | -| `nameOverride` | Name override for spiffe-csi-driver | `""` | -| `namespaceOverride` | Namespace to install spiffe-csi-driver | `""` | -| `fullnameOverride` | Full name override for spiffe-csi-driver | `""` | -| `csiDriverLabels` | Labels to apply to the CSIDriver | `{}` | -| `initContainers` | Init Containers to apply to the CSI Driver DaemonSet | `[]` | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. 
| `""` | -| `podAnnotations` | Pod annotations for spiffe-csi-driver | `{}` | -| `podSecurityContext` | Security context for CSI driver pods | `{}` | -| `securityContext.readOnlyRootFilesystem` | Flag for read only root filesystem | `true` | -| `securityContext.privileged` | Flag for specifying privileged mode | `true` | -| `nodeSelector` | Node selector for CSI driver pods | `{}` | -| `tolerations` | Tolerations for CSI driver pods | `[]` | -| `nodeDriverRegistrar.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` | -| `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` | -| `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `nodeDriverRegistrar.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.2` | -| `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` | -| `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | -| `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` | -| `priorityClassName` | Priority class assigned to daemonset pods | `""` | -| `restrictedScc.enabled` | Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support | `false` | -| `restrictedScc.name` | Set the name of the restricted SCC with CSI support | `""` | -| `restrictedScc.version` | Version of the restricted SCC | `2` | -| `selinux.enabled` | Enable selinux support | `false` | -| `selinux.context` | Which selinux context to use | `container_file_t` | -| `selinux.image.registry` | The OCI registry to pull the image from | `registry.access.redhat.com` | -| `selinux.image.repository` | The repository within the registry | `ubi9` | -| `selinux.image.pullPolicy` | The image pull policy | `Always` | -| 
`selinux.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest` | +| Name | Description | Value | +| ---------------------------------------- | --------------------------------------------------------------------------------------------------------- | ------------------------------------------- | +| `pluginName` | Set the csi driver name deployed to Kubernetes. | `csi.spiffe.io` | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/spiffe-csi-driver` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `resources` | Resource requests and limits for spiffe-csi-driver | `{}` | +| `healthChecks.port` | The healthcheck port for spiffe-csi-driver | `9809` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | +| `livenessProbe.timeoutSeconds` | Timeout value in seconds for livenessProbe | `5` | +| `imagePullSecrets` | Image pull secret details for spiffe-csi-driver | `[]` | +| `nameOverride` | Name override for spiffe-csi-driver | `""` | +| `namespaceOverride` | Namespace to install spiffe-csi-driver | `""` | +| `fullnameOverride` | Full name override for spiffe-csi-driver | `""` | +| `csiDriverLabels` | Labels to apply to the CSIDriver | `{}` | +| `initContainers` | Init Containers to apply to the CSI Driver DaemonSet | `[]` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. 
| `""` | +| `podAnnotations` | Pod annotations for spiffe-csi-driver | `{}` | +| `podSecurityContext` | Security context for CSI driver pods | `{}` | +| `securityContext.readOnlyRootFilesystem` | Flag for read only root filesystem | `true` | +| `securityContext.privileged` | Flag for specifying privileged mode | `true` | +| `nodeSelector` | Node selector for CSI driver pods | `{}` | +| `tolerations` | Tolerations for CSI driver pods | `[]` | +| `nodeDriverRegistrar.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` | +| `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` | +| `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `nodeDriverRegistrar.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.2` | +| `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` | +| `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | +| `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` | +| `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. 
| `""` | +| `restrictedScc.enabled` | Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support | `false` | +| `restrictedScc.name` | Set the name of the restricted SCC with CSI support | `""` | +| `restrictedScc.version` | Version of the restricted SCC | `2` | +| `selinux.enabled` | Enable selinux support | `false` | +| `selinux.context` | Which selinux context to use | `container_file_t` | +| `selinux.image.registry` | The OCI registry to pull the image from | `registry.access.redhat.com` | +| `selinux.image.repository` | The repository within the registry | `ubi9` | +| `selinux.image.pullPolicy` | The image pull policy | `Always` | +| `selinux.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest` | diff --git a/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml b/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml index e13023ed4..f81804057 100644 --- a/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml +++ b/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml @@ -33,9 +33,7 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} + {{- include "spire-lib.default_node_priority_class_name" . | nindent 6 }} {{- if or (gt (len .Values.initContainers) 0) (dig "openshift" false .Values.global) (dig "selinux" false .Values.global) .Values.selinux.enabled }} initContainers: {{- if or (dig "openshift" false .Values.global) (dig "selinux" false .Values.global) .Values.selinux.enabled }} diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml index 71b9133fd..d8bd3e021 100644 --- a/charts/spire/charts/spiffe-csi-driver/values.yaml +++ b/charts/spire/charts/spiffe-csi-driver/values.yaml 
@@ -130,7 +130,7 @@ agentSocketPath: /run/spire/agent-sockets/spire-agent.sock ## @param kubeletPath Path to kubelet file kubeletPath: /var/lib/kubelet -## @param priorityClassName Priority class assigned to daemonset pods +## @param priorityClassName Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. priorityClassName: "" restrictedScc: diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 1677ee629..9db4b9f12 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -88,7 +88,7 @@ A Helm chart to install the SPIRE agent. | `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | | `kubeletConnectByHostname` | If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise. | `""` | | `socketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | -| `priorityClassName` | Priority class assigned to daemonset pods | `""` | +| `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | | `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | | `extraVolumes` | Extra volumes to be mounted on Spire Agent pods | `[]` | | `extraVolumeMounts` | Extra volume mounts for Spire Agent pods | `[]` | diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index 071534ab1..ffe706f5c 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml 
@@ -31,9 +31,7 @@ spec: serviceAccountName: {{ include "spire-agent.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} + {{- include "spire-lib.default_node_priority_class_name" . | nindent 6 }} {{- if ne (len .Values.hostAliases) 0 }} hostAliases: {{- toYaml .Values.hostAliases | nindent 8 }} diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 17006fc10..3774e50e5 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -204,7 +204,7 @@ kubeletConnectByHostname: "" ## @param socketPath The unix socket path to the spire-agent socketPath: /run/spire/agent-sockets/spire-agent.sock -## @param priorityClassName Priority class assigned to daemonset pods +## @param priorityClassName Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. priorityClassName: "" ## @param extraEnvVars [array] Extra environment variables to be added to the Spire Agent container diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 85f7949f6..20bd96b99 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -97,7 +97,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `podAnnotations` | Annotations to add to pods | `{}` | | `podSecurityContext` | Pod security context | `{}` | | `securityContext` | Security context | `{}` | -| `priorityClassName` | Priority class assigned to statefulset pods | `""` | +| `priorityClassName` | Priority class assigned to statefulset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | | `service.type` | Type of the Spire server service created | `ClusterIP` | | `service.port` | Port for the created service | `8081` | | `service.annotations` | Annotations to add to the service object | `{}` | diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index 1b1f0ed66..2e1671995 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -48,9 +48,7 @@ spec: shareProcessNamespace: true securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} + {{- include "spire-lib.default_cluster_priority_class_name" . | nindent 6 }} {{- if or (gt (len .Values.initContainers) 0) (and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.ca.create) }} initContainers: {{- if and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.ca.create }} diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 3082a5082..1693ed9b0 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml 
@@ -59,7 +59,7 @@ securityContext: {} # runAsNonRoot: true # runAsUser: 1000 -## @param priorityClassName Priority class assigned to statefulset pods +## @param priorityClassName Priority class assigned to statefulset pods. Can be auto set with global.recommendations.priorityClassName. priorityClassName: "" ## @param service.type Type of the Spire server service created diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl index 658b0e76a..735e7ac60 100644 --- a/charts/spire/templates/_spire-lib.tpl +++ b/charts/spire/templates/_spire-lib.tpl @@ -247,3 +247,19 @@ to merge in values, but spire needs arrays. {{- $_ := set $config "plugins" $plugins }} {{- $config | toPrettyJson }} {{- end }} + +{{- define "spire-lib.default_node_priority_class_name" }} +{{- if .Values.priorityClassName }} +priorityClassName: {{ .Values.priorityClassName }} +{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "priorityClassName" true .Values.global) }} +priorityClassName: system-node-critical +{{- end }} +{{- end }} + +{{- define "spire-lib.default_cluster_priority_class_name" }} +{{- if .Values.priorityClassName }} +priorityClassName: {{ .Values.priorityClassName }} +{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "priorityClassName" true .Values.global) }} +priorityClassName: system-cluster-critical +{{- end }} +{{- end }} diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 788242f7b..0e45703c4 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml 
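Review bot: Neither new helper says what `system-node-critical` / `system-cluster-critical` buys or costs, and the two definitions differ only in that fallback string, which invites a third copy the next time a recommended default is added. These are the classes the control plane's own daemons run under; clusters that fence them outside `kube-system` with a PriorityClass-scoped ResourceQuota will reject the pods at admission, and that is worth a comment so an operator enabling `recommendations` knows what to look for when the first pod goes Pending. Collapsing the pair into one parameterised helper keeps the existing names as thin wrappers and gives that caveat a single home. The `_spire-lib.tpl` context lines above the added block belong to a different helper that ends inside the hunk.

```gotemplate
{{/* Render priorityClassName: the chart's own value if set, otherwise the
     given fallback when both global.spire.recommendations.enabled and
     global.spire.recommendations.priorityClassName are true.
     The system-* fallbacks are the control plane's classes; clusters that
     restrict them with a PriorityClass-scoped ResourceQuota will reject the
     pod at admission. Args: (list $ "fallback-class") */}}
{{- define "spire-lib.priority_class_name" }}
{{- $ctx := index . 0 }}
{{- $fallback := index . 1 }}
{{- if $ctx.Values.priorityClassName }}
priorityClassName: {{ $ctx.Values.priorityClassName }}
{{- else if and (dig "spire" "recommendations" "enabled" false $ctx.Values.global) (dig "spire" "recommendations" "priorityClassName" true $ctx.Values.global) }}
priorityClassName: {{ $fallback }}
{{- end }}
{{- end }}

{{- define "spire-lib.default_node_priority_class_name" }}
{{- include "spire-lib.priority_class_name" (list . "system-node-critical") }}
{{- end }}

{{- define "spire-lib.default_cluster_priority_class_name" }}
{{- include "spire-lib.priority_class_name" (list . "system-cluster-critical") }}
{{- end }}
```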
@@ -22,8 +22,10 @@ global: upstreamServerAddress: "" ## @param global.spire.recommendations.enabled Use recommended settings for production deployments. Default is off. + ## @param global.spire.recommendations.priorityClassName Set to true to use recommended values for Pod Priority Class Names recommendations: enabled: false + priorityClassName: true image: ## @param global.spire.image.registry Override all Spire image registries at once diff --git a/examples/production/values.yaml b/examples/production/values.yaml index 97797a49f..814b5bbdb 100644 --- a/examples/production/values.yaml +++ b/examples/production/values.yaml @@ -27,7 +27,6 @@ spire-server: drop: [ALL] seccompProfile: type: RuntimeDefault - priorityClassName: system-cluster-critical logLevel: info @@ -49,12 +48,10 @@ spire-server: spiffe-csi-driver: enabled: true namespaceOverride: spire-system - priorityClassName: system-node-critical upstream-spiffe-csi-driver: namespaceOverride: spire-system - priorityClassName: system-node-critical spire-agent: enabled: true @@ -63,7 +60,6 @@ spire-agent: name: spire-agent server: namespaceOverride: spire-server - priorityClassName: system-node-critical podSecurityContext: runAsUser: 1000 runAsGroup: 1000 @@ -81,7 +77,6 @@ spire-agent: upstream-spire-agent: namespaceOverride: spire-system - priorityClassName: system-node-critical podSecurityContext: runAsUser: 1000 runAsGroup: 1000 From 8615cb0840e82345a7c1f23c9aa37be53e775d33 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Tue, 12 Dec 2023 03:50:32 -0800 Subject: [PATCH 13/64] Add devcontainer support to the repo (#98) --- .devcontainer/Dockerfile | 82 +++++++++++++++++++ .devcontainer/devcontainer.json | 30 +++++++ .../workflows/update-devcontainer-image.yaml | 44 ++++++++++ CONTRIBUTING.md | 4 + 4 files changed, 160 insertions(+) create mode 100644 .devcontainer/Dockerfile create mode 100644 .devcontainer/devcontainer.json create mode 100644 .github/workflows/update-devcontainer-image.yaml 
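Review bot: The new `@param` line says "recommended values" without naming them, so an operator reading `values.yaml` cannot tell that this flag, together with `enabled`, puts the agent and CSI-driver DaemonSets into `system-node-critical` and the server StatefulSet into `system-cluster-critical` — which is what the `spire-lib.default_*_priority_class_name` helpers in this commit emit. Spell it out: `## @param global.spire.recommendations.priorityClassName Set to true to default pods to system-node-critical (agent, CSI driver) or system-cluster-critical (server) when recommendations.enabled is true and the subchart's own priorityClassName is unset`. The boolean also shares its name with the per-subchart string `priorityClassName`; saying explicitly that the string overrides the boolean avoids the two being confused.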
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
new file mode 100644
index 000000000..adf8dc398
--- /dev/null
+++ b/.devcontainer/Dockerfile
@@ -0,0 +1,82 @@
+FROM ubuntu:22.04
+RUN \
+ apt-get update && \
+ apt-get install -y bash ca-certificates gnupg make curl vim sudo jq && \
+ curl -sL https://deb.nodesource.com/setup_18.x -o nodesource_setup.sh && \
+ mkdir -p /etc/apt/keyrings && \
+ curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
+ echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | sudo tee /etc/apt/sources.list.d/nodesource.list && \
+ apt-get update && \
+ apt-get install -y nodejs && \
+ apt-get clean && \
+ curl -o /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.35.2/yq_linux_amd64 && \
+ chmod +x /usr/local/bin/yq
+RUN \
+ curl -q -l -o /tmp/go.tgz "https://dl.google.com/go/go1.21.4.linux-amd64.tar.gz" && \
+ cd /usr/local && \
+ tar -xvf /tmp/go.tgz && \
+ rm -f /tmp/go.tgz && \
+ cd /
+RUN \
+ curl -L -o /usr/local/bin/minikube https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 && \
+ chmod +x /usr/local/bin/minikube && \
+ curl -L -o /usr/local/bin/kubectl "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
+ chmod +x /usr/local/bin/kubectl
+
+RUN \
+ curl -fsSL -o /tmp/get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && \
+ chmod +x /tmp/get_helm.sh && \
+ /tmp/get_helm.sh && \
+ rm /tmp/get_helm.sh
+
+RUN \
+ groupadd -g 10001 dev && \
+ useradd --uid 10001 -g 10001 -m dev && \
+ echo 'dev ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/dev && \
+ chmod 400 /etc/sudoers.d/dev
+
+ENV PATH /usr/local/go/bin:$PATH
+
+RUN \
+ npm install -g "@bitnami/readme-generator-for-helm@2.6.0"
+
+RUN \
+ go install github.com/onsi/ginkgo/v2/ginkgo@latest
+
+RUN \
+ apt-get install -y git zsh strace lsof graphviz && \
+ mv /root/go/bin/ginkgo /usr/local/bin
+
+RUN \
+ curl -L -o /tmp/ct.tar.gz https://github.com/helm/chart-testing/releases/download/v3.8.0/chart-testing_3.8.0_linux_amd64.tar.gz && \
+ cd /usr/local/bin && \
+ tar -xvf /tmp/ct.tar.gz ct && \
+ cd / && \
+ tar -xvf /tmp/ct.tar.gz etc && \
+ mkdir /etc/ct && \
+ mv /etc/chart_schema.yaml /etc/ct/ && \
+ mv /etc/lintconf.yaml /etc/ct/ && \
+ curl -o /tmp/gh.tar.gz https://github.com/cli/cli/releases/download/v2.40.0/gh_2.40.0_linux_amd64.tar.gz -L && \
+ cd && \
+ cd /tmp && \
+ tar -zxvf gh.tar.gz && \
+ mv gh_*_linux_amd64/bin/* /usr/local/bin && \
+ mkdir -p /usr/local/share/main/man1/ && \
+ mv gh_*_linux_amd64/share/man/man1/* /usr/local/share/main/man1/ && \
+ cd
+
+RUN \
+ cd /tmp && \
+ git clone https://github.com/devcontainers/features && \
+ cd features/src/docker-in-docker && \
+ export MOBY=true && \
+ export INSTALLDOCKERBUILDX=false && \
+ ./install.sh && \
+ cd ../../../ && \
+ rm -rf features
+
+RUN \
+ usermod -a -G docker dev
+
+USER dev
+
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
new file mode 100644
index 000000000..6371257b3
--- /dev/null
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,30 @@
+{
+ "name": "spiffe-helm-charts-hardened",
+ "image": "ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest",
+ "features": {
+ "ghcr.io/devcontainers/features/docker-in-docker:2": {
+ "version": "latest",
+ "moby": true,
+ "installDockerBuildx": false
+ }
+ },
+ "customizations": {
+ "vscode": {
+ "extensions": [
+ "ms-kubernetes-tools.vscode-kubernetes-tools"
+ ],
+ "settings": {
+ "terminal.integrated.defaultProfile.linux": "bash",
+ "terminal.integrated.profiles.linux": {
+ "zsh": { "path": "/bin/zsh" },
+ "bash": { "path": "/bin/bash" }
+ }
+ }
+ }
+ },
+ "postStartCommand": "minikube start && helm upgrade --install -n spire-server spire-crds charts/spire-crds --create-namespace && kubectl version",
+ "hostRequirements": {
+ "cpus": 1
+ },
+ "remoteUser": "dev"
+}
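Review bot: The yq download in the first `RUN` uses `curl -o` without `-L` or `-f`, unlike the later ct and gh downloads; GitHub release assets are served through a redirect, so what lands in `/usr/local/bin/yq` is the redirect response rather than the binary, and the following `chmod +x` lets the build succeed anyway. More broadly, none of the fetched executables — yq, Go, minikube `latest`, kubectl `stable.txt`, the Helm installer from the `main` branch, ct, gh and the `devcontainers/features` clone — is both pinned and checksum-verified, so the weekly rebuild of this image silently takes whatever those endpoints serve at the time. Fix the yq line as `curl -fsSL -o /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.35.2/yq_linux_amd64 && echo "<published sha256>  /usr/local/bin/yq" | sha256sum -c -` and apply the same pin-plus-checksum pattern to the others, pinning `minikube`, `kubectl`, Helm and the features clone to explicit versions or commits. `nodesource_setup.sh` is downloaded into `/` and never run (the repo is configured by hand on the following lines), so that `curl` can go.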
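Review bot: `"image"` points at the floating `:latest` tag of an image that, per the workflow added in this commit, is rebuilt and pushed weekly without a signature, so every contributor's toolchain changes underneath them with nothing to verify against. Pin the reference by digest, `"image": "ghcr.io/spiffe/helm-charts-hardened-devcontainer@sha256:<digest>"`, and let an automated PR bump it after each rebuild. The `features` block also installs `docker-in-docker` a second time even though the Dockerfile already ran that feature's `install.sh` from a clone of `devcontainers/features`; keeping only one of the two avoids two unpinned sources for the same daemon.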
diff --git a/.github/workflows/update-devcontainer-image.yaml b/.github/workflows/update-devcontainer-image.yaml
new file mode 100644
index 000000000..54fc4fb48
--- /dev/null
+++ b/.github/workflows/update-devcontainer-image.yaml
@@ -0,0 +1,44 @@
+name: Update devcontainer image
+
+on:
+ schedule:
+ - cron: '0 8 * * 1'
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+env:
+ HELM_VERSION: v3.11.1
+
+jobs:
+ build-and-push-devcontainer-image:
+ runs-on: ubuntu-20.04
+ permissions:
+ contents: read
+ id-token: write
+ packages: write
+
+ env:
+ COSIGN_EXPERIMENTAL: 1
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: Install cosign
+ uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+ with:
+ cosign-release: v1.13.1
+ - name: Install regctl
+ uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+ - name: Log in to GHCR
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Build / Push images
+ run: |
+ set -e
+ cd .devcontainer/
+ docker build -t ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest .
+ docker push ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 1d4a7ae5e..b66b87790 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
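Review bot: cosign and regctl are installed and the job is granted `id-token: write` with `COSIGN_EXPERIMENTAL: 1`, but the final step only runs `docker push` and never signs the image or even records its digest, so those permissions are dead weight and the `:latest` consumers in `devcontainer.json` get no provenance at all. Add a step after the push that resolves the digest with regctl and signs it keyless, and align `cosign-release` with the 2.2.x already used in `helm-release.yaml` so `cosign sign --yes` behaves identically in both workflows (as far as I can tell the `--yes` confirmation flag is a 2.x addition and will not exist on the pinned 1.13.1). `HELM_VERSION` in the top-level `env` is never read and can be dropped, and the `ubuntu-20.04` runner is worth bumping while here.

```yaml
      # … unchanged: Checkout / Install cosign / Install regctl / Log in / Build-Push steps …
      - name: Sign image
        run: |
          set -e
          digest=$(regctl image digest ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest)
          cosign sign --yes "ghcr.io/spiffe/helm-charts-hardened-devcontainer@${digest}"
```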
@@ -60,3 +60,7 @@ Any changes to Chart.yaml or values.yaml require an update of the README.md. Thi In contrary to many other Helm repositories we do NOT require contributors to increate the Chart version. We have customized our release pipeline so we can bundle various PRs in a single release. Maintainers of the helm-charts in this repo will take care of the semantic versioning. [readme-generator]: https://github.com/bitnami-labs/readme-generator-for-helm "Auto generate READMEs for Helm Charts." + +## devcontainer support + +We have a usable devcontainer with all the dev tools preinstalled to make contributions easier. You should be able to use it via Codespaces (https://github.com/codespaces/), Visual Studio Code (https://code.visualstudio.com/), DevPod (https://devpod.sh), etc. Please consult the documentation for those tools for how to use them. From 9d483e276e3f34119801b9e5b7a95f6e44735188 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Dec 2023 03:17:15 +0000 Subject: [PATCH 14/64] Bump sigstore/cosign-installer from 3.2.0 to 3.3.0 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/v3.2.0...v3.3.0) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/helm-release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index 99b35089a..5d84dde7f 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml 
@@ -29,7 +29,7 @@ jobs: git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Setup cosign - uses: sigstore/cosign-installer@v3.2.0 + uses: sigstore/cosign-installer@v3.3.0 with: cosign-release: v2.2.0 From 6e997d4f47d0fe07e667289de8201c97c3d311e6 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Tue, 12 Dec 2023 12:51:41 +0100 Subject: [PATCH 15/64] Bump cosign to v2.2.2 Signed-off-by: Marco Franssen --- .github/workflows/helm-release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index 5d84dde7f..a5b24c3b7 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -31,7 +31,7 @@ jobs: - name: Setup cosign uses: sigstore/cosign-installer@v3.3.0 with: - cosign-release: v2.2.0 + cosign-release: v2.2.2 - name: Set up Helm uses: azure/setup-helm@v3.5 From 152453731836120c3479813df6d6b5c139f58ec5 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Tue, 12 Dec 2023 08:14:16 -0800 Subject: [PATCH 16/64] Update default for additionalDomains not to include localhost (#146) Its pretty much only useful if you want to port forward the discovery provider and use localhost to access it. An uncommon use case. Its easy to add back for that case. This simplifies production deploymnet. Signed-off-by: Kevin Fox --- .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 4 ++-- examples/production/values.yaml | 2 -- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 05907c329..f543dbe20 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
@@ -132,8 +132,8 @@ config: ## @param config.logLevel The log level, valid values are "debug", "info", "warn", and "error" logLevel: info ## @param config.additionalDomains [array] Add additional domains that can be used for oidc discovery - additionalDomains: - - localhost + additionalDomains: [] + # - localhost acme: ## @param config.acme.tosAccepted Flag for Terms of Service acceptance diff --git a/examples/production/values.yaml b/examples/production/values.yaml index 814b5bbdb..4868ae7ef 100644 --- a/examples/production/values.yaml +++ b/examples/production/values.yaml @@ -94,8 +94,6 @@ upstream-spire-agent: spiffe-oidc-discovery-provider: enabled: true - config: - additionalDomains: [] insecureScheme: enabled: true podSecurityContext: From a097606d77584f599ff3f8330462183d853e43a2 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Tue, 12 Dec 2023 08:23:23 -0800 Subject: [PATCH 17/64] Remove extra example values that are already set by default (#128) Signed-off-by: Kevin Fox Signed-off-by: kfox1111 Co-authored-by: Faisal Memon --- examples/openshift/openshift-values.yaml | 9 --------- examples/production/values.yaml | 14 -------------- 2 files changed, 23 deletions(-) diff --git a/examples/openshift/openshift-values.yaml b/examples/openshift/openshift-values.yaml index 44efaca86..7b219c024 100644 --- a/examples/openshift/openshift-values.yaml +++ b/examples/openshift/openshift-values.yaml @@ -1,8 +1,5 @@ global: openshift: true - telemetry: - prometheus: - enabled: true spire: namespaces: system: @@ -19,12 +16,6 @@ global: pod-security.kubernetes.io/audit: privileged spire-server: - nodeAttestor: - k8sPsat: - serviceAccountAllowList: ["spire-system:spire-agent"] - notifier: - k8sbundle: - namespace: spire-system podSecurityContext: # These are unset so that openshift can automatically assign its own restricted uids to the pods runAsUser: null diff --git a/examples/production/values.yaml b/examples/production/values.yaml index 4868ae7ef..fb5c4ccba 100644 
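Review bot: The commented `# - localhost` left under `additionalDomains: []` in the spiffe-oidc-discovery-provider values hunk gives a reader no hint why it is there or when to re-enable it; the commit message has the explanation (port-forwarding the provider and reaching it via localhost) but that does not survive into the chart. Suggest replacing it with `# Uncomment when port-forwarding the provider and accessing it via localhost:` followed by `# - localhost`, so the trade-off is stated next to the setting. The `@param config.additionalDomains` description above could likewise end with "defaults to none" so the generated README reflects the new default.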
--- a/examples/production/values.yaml +++ b/examples/production/values.yaml @@ -28,8 +28,6 @@ spire-server: seccompProfile: type: RuntimeDefault - logLevel: info - controllerManager: securityContext: allowPrivilegeEscalation: false @@ -40,21 +38,13 @@ spire-server: seccompProfile: type: RuntimeDefault - ignoreNamespaces: - - kube-system - - kube-public - - local-path-storage - spiffe-csi-driver: - enabled: true namespaceOverride: spire-system - upstream-spiffe-csi-driver: namespaceOverride: spire-system spire-agent: - enabled: true namespaceOverride: spire-system serviceAccount: name: spire-agent @@ -73,8 +63,6 @@ spire-agent: seccompProfile: type: RuntimeDefault - logLevel: info - upstream-spire-agent: namespaceOverride: spire-system podSecurityContext: @@ -90,8 +78,6 @@ upstream-spire-agent: seccompProfile: type: RuntimeDefault - logLevel: info - spiffe-oidc-discovery-provider: enabled: true insecureScheme: From b7e98c4c95d5af155e3fd8d395c8eadee7cca231 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Dec 2023 03:15:02 +0000 Subject: [PATCH 18/64] Bump sigstore/cosign-installer from 3.2.0 to 3.3.0 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/v3.2.0...v3.3.0) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/update-devcontainer-image.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-devcontainer-image.yaml b/.github/workflows/update-devcontainer-image.yaml index 54fc4fb48..5931a2d1a 100644 --- a/.github/workflows/update-devcontainer-image.yaml +++ b/.github/workflows/update-devcontainer-image.yaml 
@@ -25,7 +25,7 @@ jobs: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install cosign - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 + uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 with: cosign-release: v1.13.1 - name: Install regctl From 94498c0a31d00de1150eab49eb173603c042488d Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Wed, 13 Dec 2023 08:55:53 +0100 Subject: [PATCH 19/64] Bump cosign to v2.2.2 Signed-off-by: Marco Franssen --- .github/workflows/update-devcontainer-image.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-devcontainer-image.yaml b/.github/workflows/update-devcontainer-image.yaml index 5931a2d1a..6bd3368f0 100644 --- a/.github/workflows/update-devcontainer-image.yaml +++ b/.github/workflows/update-devcontainer-image.yaml @@ -27,7 +27,7 @@ jobs: - name: Install cosign uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 with: - cosign-release: v1.13.1 + cosign-release: v2.2.2 - name: Install regctl uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main - name: Log in to GHCR From 1f74f6bc1355a83f100d873f5a1e9aaa865060fc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Dec 2023 19:47:49 -0800 Subject: [PATCH 20/64] Bump helm.sh/helm/v3 from 3.13.2 to 3.13.3 in /tests (#149) Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.13.2 to 3.13.3. - [Release notes](https://github.com/helm/helm/releases) - [Commits](https://github.com/helm/helm/compare/v3.13.2...v3.13.3) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/go.mod | 12 ++++++------ tests/go.sum | 24 ++++++++++++------------ 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index 44a6a0810..1f639f9d3 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -5,7 +5,7 @@ go 1.20 require ( github.com/onsi/ginkgo/v2 v2.13.2 github.com/onsi/gomega v1.30.0 - helm.sh/helm/v3 v3.13.2 + helm.sh/helm/v3 v3.13.3 ) require ( @@ -54,14 +54,14 @@ require ( golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.14.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/protobuf v1.30.0 // indirect + google.golang.org/protobuf v1.31.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.28.2 // indirect - k8s.io/apiextensions-apiserver v0.28.2 // indirect - k8s.io/apimachinery v0.28.2 // indirect - k8s.io/client-go v0.28.2 // indirect + k8s.io/api v0.28.4 // indirect + k8s.io/apiextensions-apiserver v0.28.4 // indirect + k8s.io/apimachinery v0.28.4 // indirect + k8s.io/client-go v0.28.4 // indirect k8s.io/klog/v2 v2.100.1 // indirect k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect diff --git a/tests/go.sum b/tests/go.sum index 0140bd971..d4db994c2 100644 --- a/tests/go.sum +++ b/tests/go.sum 
@@ -189,8 +189,8 @@ google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
-google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@@ -205,16 +205,16 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-helm.sh/helm/v3 v3.13.2 h1:IcO9NgmmpetJODLZhR3f3q+6zzyXVKlRizKFwbi7K8w=
-helm.sh/helm/v3 v3.13.2/go.mod h1:GIHDwZggaTGbedevTlrQ6DB++LBN6yuQdeGj0HNaDx0=
-k8s.io/api v0.28.2 h1:9mpl5mOb6vXZvqbQmankOfPIGiudghwCoLl1EYfUZbw=
-k8s.io/api v0.28.2/go.mod h1:RVnJBsjU8tcMq7C3iaRSGMeaKt2TWEUXcpIt/90fjEg=
-k8s.io/apiextensions-apiserver v0.28.2 h1:J6/QRWIKV2/HwBhHRVITMLYoypCoPY1ftigDM0Kn+QU=
-k8s.io/apiextensions-apiserver v0.28.2/go.mod h1:5tnkxLGa9nefefYzWuAlWZ7RZYuN/765Au8cWLA6SRg=
-k8s.io/apimachinery v0.28.2 h1:KCOJLrc6gu+wV1BYgwik4AF4vXOlVJPdiqn0yAWWwXQ=
-k8s.io/apimachinery v0.28.2/go.mod h1:RdzF87y/ngqk9H4z3EL2Rppv5jj95vGS/HaFXrLDApU=
-k8s.io/client-go v0.28.2 h1:DNoYI1vGq0slMBN/SWKMZMw0Rq+0EQW6/AK4v9+3VeY=
-k8s.io/client-go v0.28.2/go.mod h1:sMkApowspLuc7omj1FOSUxSoqjr+d5Q0Yc0LOFnYFJY=
+helm.sh/helm/v3 v3.13.3 h1:0zPEdGqHcubehJHP9emCtzRmu8oYsJFRrlVF3TFj8xY=
+helm.sh/helm/v3 v3.13.3/go.mod h1:3OKO33yI3p4YEXtTITN2+4oScsHeQe71KuzhlZ+aPfg=
+k8s.io/api v0.28.4 h1:8ZBrLjwosLl/NYgv1P7EQLqoO8MGQApnbgH8tu3BMzY=
+k8s.io/api v0.28.4/go.mod h1:axWTGrY88s/5YE+JSt4uUi6NMM+gur1en2REMR7IRj0=
+k8s.io/apiextensions-apiserver v0.28.4 h1:AZpKY/7wQ8n+ZYDtNHbAJBb+N4AXXJvyZx6ww6yAJvU=
+k8s.io/apiextensions-apiserver v0.28.4/go.mod h1:pgQIZ1U8eJSMQcENew/0ShUTlePcSGFq6dxSxf2mwPM=
+k8s.io/apimachinery v0.28.4 h1:zOSJe1mc+GxuMnFzD4Z/U1wst50X28ZNsn5bhgIIao8=
+k8s.io/apimachinery v0.28.4/go.mod h1:wI37ncBvfAoswfq626yPTe6Bz1c22L7uaJ8dho83mgg=
+k8s.io/client-go v0.28.4 h1:Np5ocjlZcTrkyRJ3+T3PkXDpe4UpatQxj85+xjaD2wY=
+k8s.io/client-go v0.28.4/go.mod h1:0VDZFpgoZfelyP5Wqu0/r/TRYcLYuJ2U1KEeoaPa1N4=
 k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= From 811123a2078d481c72612c66f6f0bcb387b5b0dc Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Thu, 14 Dec 2023 17:15:04 -0500 Subject: [PATCH 21/64] Update the Tornjak image version (#150) --- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 2 +- charts/spire/charts/tornjak-frontend/Chart.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 20bd96b99..970180e88 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -278,7 +278,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tornjak.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tornjak.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `tornjak.image.tag` | Overrides the image tag to be whatever you need it to be. It will always be the flag you set without modifications | `""` | -| `tornjak.image.defaultTag` | Sets the default image to use when image.tag is not set. It will automatically be updated with a ubi- prefix if on OpenShift. | `v1.4.1` | +| `tornjak.image.defaultTag` | Sets the default image to use when image.tag is not set. It will automatically be updated with a ubi- prefix if on OpenShift. | `v1.4.2` | | `tornjak.service.type` | Type of service resource | `ClusterIP` | | `tornjak.service.ports.http` | Insecure port for tornjak service | `10000` | | `tornjak.service.ports.https` | Secure port for tornjak service | `10443` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 1693ed9b0..4749bc5cc 100644 
--- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -617,7 +617,7 @@ tornjak: pullPolicy: IfNotPresent version: "" tag: "" - defaultTag: "v1.4.1" + defaultTag: "v1.4.2" service: ## @param tornjak.service.type Type of service resource diff --git a/charts/spire/charts/tornjak-frontend/Chart.yaml b/charts/spire/charts/tornjak-frontend/Chart.yaml index 761a9164c..d8f94c80d 100644 --- a/charts/spire/charts/tornjak-frontend/Chart.yaml +++ b/charts/spire/charts/tornjak-frontend/Chart.yaml @@ -3,7 +3,7 @@ name: tornjak-frontend description: A Helm chart to deploy Tornjak frontend type: application version: 0.1.0 -appVersion: "v1.4.1" +appVersion: "v1.4.2" home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: - https://github.com/spiffe/tornjak From 4fb9d18f500f8dc76867e66de3ac325c9840111d Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 18 Dec 2023 09:12:59 -0800 Subject: [PATCH 22/64] Bump test chart dependencies (#155) * Bump test chart dependencies Signed-off-by: GitHub * Revert broken image for now Signed-off-by: kfox1111 --------- Signed-off-by: GitHub Signed-off-by: kfox1111 Co-authored-by: marcofranssen Co-authored-by: kfox1111 --- .github/tests/charts.json | 6 +++--- .../spire/charts/spiffe-oidc-discovery-provider/README.md | 2 +- .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 2 +- charts/spire/charts/spire-agent/README.md | 4 ++-- charts/spire/charts/spire-agent/values.yaml | 4 ++-- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 2 +- charts/spire/charts/tornjak-frontend/README.md | 2 +- charts/spire/charts/tornjak-frontend/values.yaml | 2 +- 9 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index b6033aaa4..3a8437bc6 100644 --- a/.github/tests/charts.json 
+++ b/.github/tests/charts.json @@ -2,12 +2,12 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "55.1.0" + "version": "55.5.0" }, { "name": "cert-manager", "repo": "https://charts.jetstack.io", - "version": "v1.13.2" + "version": "v1.13.3" }, { "name": "ingress-nginx", @@ -17,7 +17,7 @@ { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "9.14.4" + "version": "9.15.0" }, { "name": "postgresql", diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 79e0b2088..3320014ce 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md @@ -105,7 +105,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:2f93669e39cbd3c7866058bb7d446e56cabd17e17192134aa6b135dae82cd6e3` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0b3904b9ac440671549e2391d4148e129e581fb16d9d98ae2cbf2b135dda82c8` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index f543dbe20..d324753ea 100644 
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -289,7 +289,7 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:2f93669e39cbd3c7866058bb7d446e56cabd17e17192134aa6b135dae82cd6e3 + tag: latest@sha256:0b3904b9ac440671549e2391d4148e129e581fb16d9d98ae2cbf2b135dda82c8 toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 9db4b9f12..4a4bd7292 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -64,13 +64,13 @@ A Helm chart to install the SPIRE agent. | `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` | | `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `waitForIt.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:ceb278e61a71f6f36454d01b55434bae46ae654e9a786b634f1d485d9448e114` | +| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:69b2e2d1534cbceddc0d172bf414cd41b9ad341535bc2fc4cd73c96b1a345900` | | `waitForIt.resources` | Resource requests and limits | `{}` | | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | | `fsGroupFix.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:2f93669e39cbd3c7866058bb7d446e56cabd17e17192134aa6b135dae82cd6e3` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0b3904b9ac440671549e2391d4148e129e581fb16d9d98ae2cbf2b135dda82c8` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | | `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 3774e50e5..f9d391b28 100644 --- a/charts/spire/charts/spire-agent/values.yaml 
+++ b/charts/spire/charts/spire-agent/values.yaml @@ -134,7 +134,7 @@ waitForIt: repository: chainguard/wait-for-it pullPolicy: IfNotPresent version: "" - tag: latest@sha256:ceb278e61a71f6f36454d01b55434bae46ae654e9a786b634f1d485d9448e114 + tag: latest@sha256:69b2e2d1534cbceddc0d172bf414cd41b9ad341535bc2fc4cd73c96b1a345900 ## @param waitForIt.resources [object] Resource requests and limits resources: {} @@ -153,7 +153,7 @@ fsGroupFix: repository: chainguard/bash pullPolicy: Always version: "" - tag: latest@sha256:2f93669e39cbd3c7866058bb7d446e56cabd17e17192134aa6b135dae82cd6e3 + tag: latest@sha256:0b3904b9ac440671549e2391d4148e129e581fb16d9d98ae2cbf2b135dda82c8 ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 970180e88..f5da446cf 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -317,4 +317,4 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:2f93669e39cbd3c7866058bb7d446e56cabd17e17192134aa6b135dae82cd6e3` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0b3904b9ac440671549e2391d4148e129e581fb16d9d98ae2cbf2b135dda82c8` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 4749bc5cc..1c515e349 100644 --- a/charts/spire/charts/spire-server/values.yaml 
+++ b/charts/spire/charts/spire-server/values.yaml @@ -756,4 +756,4 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:2f93669e39cbd3c7866058bb7d446e56cabd17e17192134aa6b135dae82cd6e3 + tag: latest@sha256:0b3904b9ac440671549e2391d4148e129e581fb16d9d98ae2cbf2b135dda82c8 diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 63a03737f..adada80c6 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -100,4 +100,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:2f93669e39cbd3c7866058bb7d446e56cabd17e17192134aa6b135dae82cd6e3` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0b3904b9ac440671549e2391d4148e129e581fb16d9d98ae2cbf2b135dda82c8` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 9c6eb2298..0ca2b2cb5 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -158,4 +158,4 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:2f93669e39cbd3c7866058bb7d446e56cabd17e17192134aa6b135dae82cd6e3 + tag: latest@sha256:0b3904b9ac440671549e2391d4148e129e581fb16d9d98ae2cbf2b135dda82c8 From 50c4ac35b03d61322bf3593daf5b36d41f1d1606 Mon Sep 17 00:00:00 2001 
From: kfox1111 Date: Tue, 19 Dec 2023 03:12:53 -0800 Subject: [PATCH 23/64] Add recommendation for strictMode (#143) --- charts/spire/README.md | 1 + charts/spire/templates/_spire-lib.tpl | 2 +- charts/spire/values.yaml | 2 ++ examples/production/values.yaml | 1 - 4 files changed, 4 insertions(+), 2 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index a1be77db9..ae6d2fb62 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -160,6 +160,7 @@ Now you can interact with the Spire agent socket from your own application. The | `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` | | `global.spire.recommendations.enabled` | Use recommended settings for production deployments. Default is off. | `false` | | `global.spire.recommendations.priorityClassName` | Set to true to use recommended values for Pod Priority Class Names | `true` | +| `global.spire.recommendations.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `true` | | `global.spire.image.registry` | Override all Spire image registries at once | `""` | | `global.spire.namespaces.system.name` | Name of the Spire system Namespace. | `spire-system` | | `global.spire.namespaces.system.create` | Create a Namespace for Spire system resources. | `false` | diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl index 735e7ac60..1641c72fd 100644 --- a/charts/spire/templates/_spire-lib.tpl +++ b/charts/spire/templates/_spire-lib.tpl 
@@ -184,7 +184,7 @@ if strictMode is enabled and the boolean is true {{ $root := index . 0 }} {{ $message := index . 1 }} {{ $condition := index . 2 }} -{{- if (dig "spire" "strictMode" false $root.Values.global) }} +{{- if or (dig "spire" "strictMode" false $root.Values.global) (and (dig "spire" "recommendations" "enabled" false $root.Values.global) (dig "spire" "recommendations" "strictMode" true $root.Values.global)) }} {{- if $condition }} {{- fail $message }} {{- end }} diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 0e45703c4..59c461ef0 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -23,9 +23,11 @@ global: ## @param global.spire.recommendations.enabled Use recommended settings for production deployments. Default is off. ## @param global.spire.recommendations.priorityClassName Set to true to use recommended values for Pod Priority Class Names + ## @param global.spire.recommendations.strictMode Check values, such as trustDomain, are overridden with a suitable value for production. recommendations: enabled: false priorityClassName: true + strictMode: true image: ## @param global.spire.image.registry Override all Spire image registries at once diff --git a/examples/production/values.yaml b/examples/production/values.yaml index fb5c4ccba..ca6b11674 100644 --- a/examples/production/values.yaml +++ b/examples/production/values.yaml @@ -3,7 +3,6 @@ global: prometheus: enabled: true spire: - strictMode: true recommendations: enabled: true From 6997d6a904578c3540ff630c321556e21e9a089c Mon Sep 17 00:00:00 2001 
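Review bot: The helper's description above the `_spire-lib.tpl` hunk (the hunk-header context reads "if strictMode is enabled and the boolean is true") no longer matches the new condition, which now also fails the render when `global.spire.recommendations.enabled` is true and `global.spire.recommendations.strictMode` is left at its default of true. A maintainer reading only the comment would not know that turning recommendations on silently arms the production guardrail, or that setting `recommendations.strictMode: false` disarms it again; suggest rewording it to "Fail with the given message when the condition is true and strict checking is active: either global.spire.strictMode, or recommendations.enabled together with recommendations.strictMode (default true)". The single-line condition is also hard to audit; binding it first, `{{- $strict := or (dig "spire" "strictMode" false $root.Values.global) (and (dig "spire" "recommendations" "enabled" false $root.Values.global) (dig "spire" "recommendations" "strictMode" true $root.Values.global)) }}` followed by `{{- if $strict }}`, keeps the check readable without changing behaviour. The enclosing define starts outside this hunk.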
From: kfox1111 Date: Tue, 19 Dec 2023 03:26:26 -0800 Subject: [PATCH 24/64] Add recommendation for securityContext and podSecurityContext (#125) Co-authored-by: Marco Franssen --- charts/spire/README.md | 1 + .../templates/deployment.yaml | 8 +- .../templates/pre-delete-hook.yaml | 4 +- .../templates/tests/test-connection.yaml | 10 +-- .../templates/tests/test-keys.yaml | 16 +--- .../spire-agent/templates/daemonset.yaml | 7 +- charts/spire/charts/spire-server/README.md | 1 + .../templates/post-install-hook.yaml | 4 +- .../templates/post-upgrade-hook.yaml | 4 +- .../templates/pre-delete-hook.yaml | 6 +- .../templates/pre-upgrade-hook.yaml | 4 +- .../spire-server/templates/statefulset.yaml | 10 +-- .../templates/tests/test-connection.yaml | 8 +- .../tests/test-tornjak-connection.yaml | 6 +- charts/spire/charts/spire-server/values.yaml | 3 + .../templates/deployment.yaml | 4 +- .../tests/test-tornjak-connection.yaml | 4 +- charts/spire/templates/_spire-lib.tpl | 55 ++++++++++++++ charts/spire/values.yaml | 2 + examples/openshift/openshift-values.yaml | 31 -------- examples/production/values.yaml | 75 ------------------- 21 files changed, 106 insertions(+), 157 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index ae6d2fb62..61b985a79 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -161,6 +161,7 @@ Now you can interact with the Spire agent socket from your own application. The | `global.spire.recommendations.enabled` | Use recommended settings for production deployments. Default is off. | `false` | | `global.spire.recommendations.priorityClassName` | Set to true to use recommended values for Pod Priority Class Names | `true` | | `global.spire.recommendations.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `true` | +| `global.spire.recommendations.securityContexts` | Set to true to use recommended values for Pod and Container Security Contexts | `true` | | `global.spire.image.registry` | Override all Spire image registries at once | `""` | | `global.spire.namespaces.system.name` | Name of the Spire system Namespace. | `spire-system` | | `global.spire.namespaces.system.create` | Create a Namespace for Spire system resources. | `false` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml index c34f3a23f..b5db41380 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml @@ -33,11 +33,11 @@ spec: {{- end }} serviceAccountName: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} containers: - name: {{ .Chart.Name }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- include "spire-lib.securitycontext" . | nindent 12 }} image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: 
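Review bot: Replacing `toYaml .Values.podSecurityContext` with `include "spire-lib.podsecuritycontext" .` under `securityContext:` in the deployment.yaml hunk changes what an empty configuration renders to: `toYaml` of an empty map emitted `{}`, whereas an `include` that renders nothing leaves `securityContext:` with a null value. That matters more for test-keys.yaml later in this commit, which also drops the `{{- with .Values.podSecurityContext }}` guard that previously omitted the key entirely; the same pattern appears in the pre-delete-hook.yaml and test-connection.yaml hunks. The helper is defined in `_spire-lib.tpl` outside this view, so whether it guarantees at least `{}` cannot be confirmed here; a `helm template` check with `podSecurityContext: {}` and `global.spire.recommendations.enabled: false` would settle it, and a short comment at the call site such as `# securityContext is always rendered; the helper emits {} when nothing is configured` would record the contract once verified.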
@@ -76,7 +76,7 @@ spec: {{- if .Values.insecureScheme.enabled }} - name: nginx securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- include "spire-lib.securitycontext" . | nindent 12 }} image: {{ template "spire-lib.image" (dict "image" .Values.insecureScheme.nginx.image "global" .Values.global) }} imagePullPolicy: {{ .Values.insecureScheme.nginx.image.pullPolicy }} ports: @@ -98,7 +98,7 @@ spec: {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} - name: nginx-exporter securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- include "spire-lib.securitycontext" . | nindent 12 }} image: {{ template "spire-lib.image" (dict "image" .Values.telemetry.prometheus.nginxExporter.image "global" .Values.global) }} imagePullPolicy: {{ .Values.telemetry.prometheus.nginxExporter.image.pullPolicy }} args: diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml index 452fea0ab..a2ad605a0 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml @@ -59,11 +59,11 @@ spec: restartPolicy: Never serviceAccountName: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}-pre-delete securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} containers: - name: pre-delete-job securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} + {{- include "spire-lib.securitycontext" . | nindent 10 }} image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - delete 
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml index 73a8b3535..93ce0d375 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml 
@@ -14,26 +14,26 @@ metadata: "helm.sh/hook": test spec: securityContext: - {{- toYaml .Values.podSecurityContext | nindent 4 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 4 }} containers: - name: curl-service-name image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}:{{ .Values.service.port }}/.well-known/openid-configuration'] securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} - name: curl-service-name-namespace image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}:{{ .Values.service.port }}/.well-known/openid-configuration'] securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} - name: curl-service-name-namespace-svc-cluster-local image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}/.well-known/openid-configuration'] securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} {{- if .Values.ingress.enabled }} - name: curl-ingress image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} 
@@ -53,7 +53,7 @@ spec: args: ['-s', '-f', 'http://{{ $host }}/.well-known/openid-configuration'] {{- end }} securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} {{- end }} {{- if ne (len (dig "tests" "hostAliases" "" $values)) 0 }} hostAliases: diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml index e2bbc4350..531b1ef6d 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml @@ -8,10 +8,8 @@ metadata: annotations: "helm.sh/hook": test spec: - {{- with .Values.podSecurityContext }} securityContext: - {{- toYaml . | nindent 4 }} - {{- end }} + {{- include "spire-lib.podsecuritycontext" . | nindent 4 }} serviceAccountName: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }} initContainers: - name: static-busybox @@ -22,10 +20,8 @@ spec: - | cp /bin/busybox /data/busybox chmod +x /data/busybox - {{- with .Values.securityContext }} securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} volumeMounts: - name: data-volume mountPath: /data @@ -41,10 +37,8 @@ spec: [ $? -eq 0 ] && break sleep 1 done - {{- with .Values.securityContext }} securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} volumeMounts: - name: data-volume mountPath: /data @@ -69,10 +63,8 @@ spec: {{- (.Files.Get "files/test/jwt-decode.sh") | nindent 10 }} EOF bash /data/jwt-decode.sh "${URL}"/keys "${JWT}" - {{- with .Values.securityContext }} securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} volumeMounts: - mountPath: /data name: data-volume 
diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index ffe706f5c..5ab152c12 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml @@ -1,4 +1,5 @@ {{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }} +{{- $podSecurityContext := fromYaml (include "spire-lib.podsecuritycontext" .) }} {{- $cbh := eq (include "spire-agent.connect-by-hostname" .) "true" }} apiVersion: apps/v1 kind: DaemonSet @@ -30,7 +31,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet serviceAccountName: {{ include "spire-agent.serviceAccountName" . }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml $podSecurityContext | nindent 8 }} {{- include "spire-lib.default_node_priority_class_name" . | nindent 6 }} {{- if ne (len .Values.hostAliases) 0 }} hostAliases: @@ -46,13 +47,13 @@ spec: args: ["-t", "30", "-h", "{{ include "spire-agent.server-address" . | trim }}", "-p", {{ .Values.server.port | quote }}] resources: {{- toYaml .Values.waitForIt.resources | nindent 12 }} - {{- if gt (int (dig "fsGroup" 0 .Values.podSecurityContext)) 0 }} + {{- if gt (int (dig "fsGroup" 0 $podSecurityContext)) 0 }} - name: fsgroupfix image: {{ template "spire-lib.image" (dict "image" .Values.fsGroupFix.image "global" .Values.global) }} imagePullPolicy: {{ .Values.fsGroupFix.image.pullPolicy }} command: ["bash", "-c"] args: - - "chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ include "spire-agent.socket-path" . | dir }}" + - "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ include "spire-agent.socket-path" . | dir }}" resources: {{- toYaml .Values.fsGroupFix.resources | nindent 12 }} volumeMounts: 
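Review bot: The fsgroupfix args now read `runAsUser` and `fsGroup` from the merged `$podSecurityContext`, but only `fsGroup` is guarded; when a user sets `fsGroup` without `runAsUser` (the OpenShift baseline added in this same patch sets neither, so that is the easy case to hit), `{{ $podSecurityContext.runAsUser }}` renders empty and the command becomes `chown -R :<gid> <socket dir>`, which quietly changes only the group instead of failing. Guard both keys so the init container is either correct or absent, e.g. `{{- if and (gt (int (dig "fsGroup" 0 $podSecurityContext)) 0) (hasKey $podSecurityContext "runAsUser") }}`. The fsgroupfix container's own `securityContext` (it runs `chown -R` on a host path, so it presumably needs root) is outside this hunk and is worth checking against the new recommended defaults.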
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index f5da446cf..a8c089148 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -303,6 +303,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tornjak.config.clientCA.type` | Type of delivery for the user CA for TLS client verification. Options are `Secret` or `ConfigMap` (required for `mtls` connectionType) | `Secret` | | `tornjak.config.clientCA.name` | Name of the resource secret or configMap with user CA for TLS | `tornjak-client-ca` | | `tornjak.resources` | Resource requests and limits | `{}` | +| `tornjak.securityContext` | Security Context to use | `{}` | | `customPlugins.keyManager` | Custom plugins of type KeyManager are configured here | `{}` | | `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` | | `customPlugins.upstreamAuthority` | Custom plugins of type upstreamAuthority are configured here | `{}` | diff --git a/charts/spire/charts/spire-server/templates/post-install-hook.yaml b/charts/spire/charts/spire-server/templates/post-install-hook.yaml index 77b647075..457f46ba4 100644 --- a/charts/spire/charts/spire-server/templates/post-install-hook.yaml +++ b/charts/spire/charts/spire-server/templates/post-install-hook.yaml 
@@ -59,11 +59,11 @@ spec: restartPolicy: Never serviceAccountName: {{ include "spire-server.serviceAccountName" . }}-post-install securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} containers: - name: post-install-job securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} + {{- include "spire-lib.securitycontext" . | nindent 10 }} image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - patch diff --git a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml index d1b255fd8..4d4d5179d 100644 --- a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml +++ b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml @@ -59,11 +59,11 @@ spec: restartPolicy: Never serviceAccountName: {{ include "spire-server.serviceAccountName" . }}-post-upgrade securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} containers: - name: post-upgrade-job securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} + {{- include "spire-lib.securitycontext" . | nindent 10 }} image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - patch diff --git a/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml b/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml index 1416a828d..86226a1a7 100644 --- a/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml +++ b/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml 
@@ -63,11 +63,11 @@ spec: restartPolicy: Never serviceAccountName: {{ include "spire-server.serviceAccountName" . }}-pre-delete securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} containers: - name: pre-delete-job securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} + {{- include "spire-lib.securitycontext" . | nindent 10 }} image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - delete @@ -78,7 +78,7 @@ spec: - --wait - name: pre-delete-check securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} + {{- include "spire-lib.securitycontext" . | nindent 10 }} image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - wait diff --git a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml index 27a73d9dd..1d462bca1 100644 --- a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml +++ b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml @@ -59,11 +59,11 @@ spec: restartPolicy: Never serviceAccountName: {{ include "spire-server.serviceAccountName" . }}-pre-upgrade securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} containers: - name: post-install-job securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} + {{- include "spire-lib.securitycontext" . | nindent 10 }} image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - patch 
diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index 2e1671995..69201d8b5 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -47,14 +47,14 @@ spec: serviceAccountName: {{ include "spire-server.serviceAccountName" . }} shareProcessNamespace: true securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} {{- include "spire-lib.default_cluster_priority_class_name" . | nindent 6 }} {{- if or (gt (len .Values.initContainers) 0) (and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.ca.create) }} initContainers: {{- if and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.ca.create }} - name: wait securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- include "spire-lib.securitycontext" . | nindent 12 }} image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - wait @@ -73,7 +73,7 @@ spec: containers: - name: {{ .Chart.Name }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- include "spire-lib.securitycontext" . | nindent 12 }} image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: 
@@ -187,7 +187,7 @@ spec: {{- if eq (.Values.controllerManager.enabled | toString) "true" }} - name: spire-controller-manager securityContext: - {{- toYaml .Values.controllerManager.securityContext | nindent 12 }} + {{- include "spire-lib.securitycontext-extended" (dict "root" . "securityContext" .Values.controllerManager.securityContext) | nindent 12 }} image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.image "global" .Values.global) }} imagePullPolicy: {{ .Values.controllerManager.image.pullPolicy }} args: @@ -228,7 +228,7 @@ spec: {{- if eq (.Values.tornjak.enabled | toString) "true" }} - name: tornjak securityContext: - {{- toYaml .Values.controllerManager.securityContext | nindent 12 }} + {{- include "spire-lib.securitycontext-extended" (dict "root" . "securityContext" .Values.tornjak.securityContext) | nindent 12 }} image: {{ template "spire-lib.image" (dict "appVersion" .Values.tornjak.image.defaultTag "image" .Values.tornjak.image "global" .Values.global "ubi" true) }} imagePullPolicy: {{ .Values.tornjak.image.pullPolicy }} {{- if eq (include "spire-tornjak.connectionType" .) "http" }} diff --git a/charts/spire/charts/spire-server/templates/tests/test-connection.yaml b/charts/spire/charts/spire-server/templates/tests/test-connection.yaml index 12850e935..9c48b620e 100644 --- a/charts/spire/charts/spire-server/templates/tests/test-connection.yaml +++ b/charts/spire/charts/spire-server/templates/tests/test-connection.yaml @@ -11,7 +11,7 @@ metadata: "helm.sh/hook": test spec: securityContext: - {{- toYaml .Values.podSecurityContext | nindent 4 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 4 }} containers: - name: curl image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} 
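Review bot: The tornjak container now reads `tornjak.securityContext`, whose chart default is `{}` in the values.yaml hunk of this patch, so with `global.spire.recommendations.enabled` left at its default of `false` tornjak runs with no securityContext at all. Before this change it borrowed `controllerManager.securityContext`; if that value has a non-empty chart default (not visible here), this is a hardening downgrade for every install that does not opt into recommendations. Suggest giving `tornjak.securityContext` the same chart default as `controllerManager.securityContext`, or at least amending the README row to `Security Context to use (empty unless global.spire.recommendations.enabled is true)`.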
@@ -30,14 +30,14 @@ spec: fi exit 1 securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} {{- if eq (.Values.federation.enabled | toString) "true" }} - name: curl-federation-bundle-endpoint image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-k', '-s', '-f', 'https://{{ include "spire-server.fullname" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.federation.bundleEndpoint.port }}'] securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} {{- end }} {{- if .Values.federation.ingress.enabled }} - name: federation-ingress @@ -51,7 +51,7 @@ spec: mountPath: /ca {{- end }} securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} {{- end }} {{- if ne (len (dig "tests" "hostAliases" "" $values)) 0 }} hostAliases: diff --git a/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml index cacc94de3..c259f12f5 100644 --- a/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml +++ b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml 
@@ -12,20 +12,20 @@ metadata: "helm.sh/hook": test spec: securityContext: - {{- toYaml .Values.podSecurityContext | nindent 4 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 4 }} containers: - name: curl-tornjak-backend image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.servicename" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.ports.http }}/api/tornjak/serverinfo'] securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} - name: curl-tornjak-backend-and-spire image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.servicename" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.ports.http }}/api/healthcheck'] securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} restartPolicy: Never {{- end }} {{- end }} diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 1c515e349..69e4ccb77 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -708,6 +708,9 @@ tornjak: # cpu: 100m # memory: 128Mi + ## @param tornjak.securityContext [object] Security Context to use + securityContext: {} + # NOTE: This is unsupported and only to configure currently supported spire built in plugins but plugins unsupported by the chart. # Upgrades wont be tested for anything under this config. If you need this, please let the chart developers know your needs so we # can prioritize proper support. 
diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index 79fe5dd67..84e152ba4 100644 --- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml @@ -21,13 +21,13 @@ spec: {{- end }} serviceAccountName: {{ include "tornjak-frontend.serviceAccountName" . }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} containers: - name: {{ include "tornjak-frontend.fullname" . }} image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }} imagePullPolicy: {{ .Values.image.pullPolicy }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- include "spire-lib.securitycontext" . | nindent 12 }} ports: - name: http containerPort: 3000 diff --git a/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml index 7f5bdc4c5..a528ae385 100644 --- a/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml 
@@ -9,13 +9,13 @@ metadata: "helm.sh/hook": test spec: securityContext: - {{- toYaml .Values.podSecurityContext | nindent 4 }} + {{- include "spire-lib.podsecuritycontext" . | nindent 4 }} containers: - name: curl-tornjak-frontend image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-k', '-s', '-f', 'http://{{ include "tornjak-frontend.fullname" . }}.{{ include "tornjak-frontend.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}/tornjak/serverinfo'] securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- include "spire-lib.securitycontext" . | nindent 8 }} restartPolicy: Never diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl index 1641c72fd..71c2ad966 100644 --- a/charts/spire/templates/_spire-lib.tpl +++ b/charts/spire/templates/_spire-lib.tpl 
@@ -248,6 +248,61 @@ to merge in values, but spire needs arrays. {{- $config | toPrettyJson }} {{- end }} +{{- define "spire-lib.default_securitycontext_values" }} +allowPrivilegeEscalation: false +runAsNonRoot: true +readOnlyRootFilesystem: true +capabilities: + drop: [ALL] +seccompProfile: + type: RuntimeDefault +{{- end }} + +{{- define "spire-lib.default_k8s_podsecuritycontext_values" }} +fsGroupChangePolicy: OnRootMismatch +runAsUser: 1000 +runAsGroup: 1000 +fsGroup: 1000 +{{- end }} + +{{/* +Note: runAsUser, runAsGroup, fsGroup, are not needed due to it autoassigning restricted users feature of openshift +*/}} +{{- define "spire-lib.default_openshift_podsecuritycontext_values" }} +fsGroupChangePolicy: OnRootMismatch +{{- end }} + +{{- define "spire-lib.securitycontext" }} +{{ include "spire-lib.securitycontext-extended" (dict "root" . "securityContext" .Values.securityContext) }} +{{- end }} + +{{/* Same as securitycontext but takes in: +root - global . context for the chart +securityContext - the subbranch of values that contains the securityContext to merge +*/}} +{{- define "spire-lib.securitycontext-extended" }} +{{- if and (dig "spire" "recommendations" "enabled" false .root.Values.global) (dig "spire" "recommendations" "securityContexts" true .root.Values.global) }} +{{- $vals := deepCopy (include "spire-lib.default_securitycontext_values" .root | fromYaml) }} +{{- $vals = mergeOverwrite $vals .securityContext }} +{{- toYaml $vals }} +{{- else }} +{{- toYaml .securityContext }} +{{- end }} +{{- end }} + +{{- define "spire-lib.podsecuritycontext" }} +{{- $vals := dict }} +{{- if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "securityContexts" true .Values.global) }} +{{- if (dig "openshift" false .Values.global) }} +{{- $vals = mergeOverwrite $vals (include "spire-lib.default_openshift_podsecuritycontext_values" . 
| fromYaml) }} +{{- else }} +{{- $vals = mergeOverwrite $vals (include "spire-lib.default_k8s_podsecuritycontext_values" . | fromYaml) }} +{{- end }} +{{- end }} +{{- $vals = mergeOverwrite $vals .Values.podSecurityContext }} +{{- toYaml $vals }} +{{- end }} + {{- define "spire-lib.default_node_priority_class_name" }} {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 59c461ef0..52d8dea44 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -24,10 +24,12 @@ global: ## @param global.spire.recommendations.enabled Use recommended settings for production deployments. Default is off. ## @param global.spire.recommendations.priorityClassName Set to true to use recommended values for Pod Priority Class Names ## @param global.spire.recommendations.strictMode Check values, such as trustDomain, are overridden with a suitable value for production. + ## @param global.spire.recommendations.securityContexts Set to true to use recommended values for Pod and Container Security Contexts recommendations: enabled: false priorityClassName: true strictMode: true + securityContexts: true image: ## @param global.spire.image.registry Override all Spire image registries at once diff --git a/examples/openshift/openshift-values.yaml b/examples/openshift/openshift-values.yaml index 7b219c024..d0d01d354 100644 --- a/examples/openshift/openshift-values.yaml +++ b/examples/openshift/openshift-values.yaml 
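Review bot: `spire-lib.securitycontext-extended` layers the chart's own `securityContext` over the recommended baseline with `mergeOverwrite`, so a single value such as `readOnlyRootFilesystem: false` or `runAsNonRoot: false` silently weakens a deployment that has `recommendations.enabled: true`, and nothing in `strictMode` reports it. Add a comment above the define stating the precedence, e.g. `{{/* Caller-supplied securityContext keys override the recommended defaults; recommendations are a baseline, not an enforced floor */}}`, and consider a strictMode `fail` when a hardening key is overridden to a weaker value. `mergeOverwrite $vals .securityContext` is also handed whatever the caller passes, which can be nil when a subchart value is absent; `(.securityContext | default dict)` avoids leaning on sprig's nil handling. Minor: `spire-lib.securitycontext` uses `{{ include ... }}` without a leading dash, so its output starts with a blank line; `{{- include ... }}` keeps the rendered block tidy.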
@@ -14,34 +14,3 @@ global: pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged pod-security.kubernetes.io/audit: privileged - -spire-server: - podSecurityContext: - # These are unset so that openshift can automatically assign its own restricted uids to the pods - runAsUser: null - runAsGroup: null - fsGroup: null - -spire-agent: - podSecurityContext: - runAsUser: null - runAsGroup: null - fsGroup: null - -upstream-spire-agent: - podSecurityContext: - runAsUser: null - runAsGroup: null - fsGroup: null - -spiffe-oidc-discovery-provider: - podSecurityContext: - runAsUser: null - runAsGroup: null - fsGroup: null - -tornjak-frontend: - podSecurityContext: - runAsUser: null - runAsGroup: null - fsGroup: null diff --git a/examples/production/values.yaml b/examples/production/values.yaml index ca6b11674..a62e66140 100644 --- a/examples/production/values.yaml +++ b/examples/production/values.yaml @@ -13,29 +13,6 @@ spire-server: notifier: k8sbundle: namespace: spire-system - podSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - readOnlyRootFilesystem: true - capabilities: - drop: [ALL] - seccompProfile: - type: RuntimeDefault - - controllerManager: - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - readOnlyRootFilesystem: true - capabilities: - drop: [ALL] - seccompProfile: - type: RuntimeDefault spiffe-csi-driver: namespaceOverride: spire-system 
@@ -49,63 +26,11 @@ spire-agent: name: spire-agent server: namespaceOverride: spire-server - podSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - readOnlyRootFilesystem: true - capabilities: - drop: [ALL] - seccompProfile: - type: RuntimeDefault upstream-spire-agent: namespaceOverride: spire-system - podSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - readOnlyRootFilesystem: true - capabilities: - drop: [ALL] - seccompProfile: - type: RuntimeDefault spiffe-oidc-discovery-provider: enabled: true insecureScheme: enabled: true - podSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - readOnlyRootFilesystem: true - capabilities: - drop: [ALL] - seccompProfile: - type: RuntimeDefault - -tornjak-frontend: - podSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - readOnlyRootFilesystem: true - capabilities: - drop: [ALL] - seccompProfile: - type: RuntimeDefault From 33cacd2ee8ae7e64518ad314ea9bf46897c0f295 Mon Sep 17 00:00:00 2001 
From: kfox1111 Date: Tue, 19 Dec 2023 03:38:20 -0800 Subject: [PATCH 25/64] Add recommendation for prometheus exporter (#144) --- charts/spire/README.md | 1 + .../spiffe-oidc-discovery-provider/templates/deployment.yaml | 2 +- charts/spire/charts/spire-agent/templates/configmap.yaml | 2 +- charts/spire/charts/spire-agent/templates/daemonset.yaml | 2 +- charts/spire/charts/spire-server/templates/configmap.yaml | 2 +- charts/spire/charts/spire-server/templates/statefulset.yaml | 4 ++-- charts/spire/values.yaml | 2 ++ examples/production/values.yaml | 3 --- 8 files changed, 9 insertions(+), 9 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 61b985a79..c7ce935ca 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -162,6 +162,7 @@ Now you can interact with the Spire agent socket from your own application. The | `global.spire.recommendations.priorityClassName` | Set to true to use recommended values for Pod Priority Class Names | `true` | | `global.spire.recommendations.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `true` | | `global.spire.recommendations.securityContexts` | Set to true to use recommended values for Pod and Container Security Contexts | `true` | +| `global.spire.recommendations.prometheus` | Enable prometheus exporters for monitoring | `true` | | `global.spire.image.registry` | Override all Spire image registries at once | `""` | | `global.spire.namespaces.system.name` | Name of the Spire system Namespace. | `spire-system` | | `global.spire.namespaces.system.create` | Create a Namespace for Spire system resources. | `false` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml index b5db41380..62ef2a452 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml 
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml @@ -95,7 +95,7 @@ spec: readOnly: false resources: {{- toYaml .Values.insecureScheme.nginx.resources | nindent 12 }} - {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} + {{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }} - name: nginx-exporter securityContext: {{- include "spire-lib.securitycontext" . | nindent 12 }} diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index 0bfd9d935..f0e1d87e5 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -86,7 +86,7 @@ health_checks: live_path: "/live" ready_path: "/ready" -{{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} +{{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }} telemetry: - Prometheus: - host: "0.0.0.0" diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index 5ab152c12..0ee60cd86 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml 
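Review bot: The new condition in the agent configmap enables the Prometheus listener whenever `global.spire.recommendations.enabled` is true, since `recommendations.prometheus` defaults to `true` in this patch, and that listener binds `host: "0.0.0.0"`. The agent DaemonSet carries `dnsPolicy: ClusterFirstWithHostNet`, which suggests host networking, so enabling recommendations would expose an unauthenticated metrics endpoint on every node's interfaces. At minimum the README entry should read `Enable prometheus exporters for monitoring (opens unauthenticated metrics ports; restrict with a NetworkPolicy)`, or `recommendations.prometheus` should default to `false`. The `or (dig "telemetry" ...) (and (dig "spire" "recommendations" "enabled" ...) (dig ... "prometheus" true ...))` expression is repeated verbatim in six templates across this patch; a `spire-lib.prometheus-enabled` named template would keep them from drifting.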
@@ -86,7 +86,7 @@ spec: ports: - containerPort: {{ .Values.healthChecks.port }} name: healthz - {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} + {{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }} - containerPort: {{ .Values.telemetry.prometheus.port }} name: prom {{- end }} diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index a6778101a..9b172efae 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -242,7 +242,7 @@ health_checks: live_path: "/live" ready_path: "/ready" -{{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} +{{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }} telemetry: - Prometheus: - host: "0.0.0.0" diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index 69201d8b5..713201a04 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml 
@@ -125,7 +125,7 @@ spec: protocol: TCP {{- end }} {{- end }} - {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} + {{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }} - containerPort: 9988 name: prom {{- end }} @@ -198,7 +198,7 @@ spec: protocol: TCP - containerPort: 8083 name: healthz - {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }} + {{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }} - containerPort: 8082 name: prom2 {{- end }} diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 52d8dea44..81b2371d3 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -25,11 +25,13 @@ global: ## @param global.spire.recommendations.priorityClassName Set to true to use recommended values for Pod Priority Class Names ## @param global.spire.recommendations.strictMode Check values, such as trustDomain, are overridden with a suitable value for production. ## @param global.spire.recommendations.securityContexts Set to true to use recommended values for Pod and Container Security Contexts + ## @param global.spire.recommendations.prometheus Enable prometheus exporters for monitoring recommendations: enabled: false priorityClassName: true strictMode: true securityContexts: true + prometheus: true image: ## @param global.spire.image.registry Override all Spire image registries at once diff --git a/examples/production/values.yaml b/examples/production/values.yaml index a62e66140..aed747135 100644 --- a/examples/production/values.yaml +++ b/examples/production/values.yaml 
@@ -1,7 +1,4 @@ global: - telemetry: - prometheus: - enabled: true spire: recommendations: enabled: true From f642feafef65bd20ee7874769fbf9b278d82a655 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Tue, 19 Dec 2023 03:52:21 -0800 Subject: [PATCH 26/64] Fix test logging (#154) Co-authored-by: Marco Franssen --- .github/tests/common.sh | 3 ++- examples/external-mysql/run-tests.sh | 20 ++++++++++---------- examples/external-postgresql/run-tests.sh | 20 ++++++++++---------- examples/nested/run-tests.sh | 21 ++++++++++----------- examples/production/run-tests.sh | 16 ++++++++-------- examples/tornjak/run-tests.sh | 16 ++++++++-------- 6 files changed, 48 insertions(+), 48 deletions(-) diff --git a/.github/tests/common.sh b/.github/tests/common.sh index 3fa18df23..6cb4f6e02 100755 --- a/.github/tests/common.sh +++ b/.github/tests/common.sh @@ -22,6 +22,7 @@ $(kubectl --request-timeout=30s describe pods --namespace "$1") \`\`\`shell $(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --all-containers=true --ignore-errors=true; done) +$( ([[ -n "$2" ]] && kubectl get pods -o name -n "$2") | while read -r line; do echo logs for "${line}"; kubectl logs -n "$2" "${line}" --all-containers=true --ignore-errors=true; done) \`\`\` EOF @@ -36,7 +37,7 @@ k_rollout_status () { } get_spire_release_name () { - helm ls -A | grep '^spire' | awk '{print $1}' + helm ls -A | grep '^spire' | grep -v spire-crds | awk '{print $1}' } print_spire_workload_status () { diff --git a/examples/external-mysql/run-tests.sh b/examples/external-mysql/run-tests.sh index aeaf62731..0f41ea87c 100755 --- a/examples/external-mysql/run-tests.sh +++ b/examples/external-mysql/run-tests.sh 
@@ -24,6 +24,15 @@ for i in "$@"; do done teardown() { + print_helm_releases + print_spire_workload_status spire-server + print_spire_workload_status spire-system + + if [[ "$1" -ne 0 ]]; then + get_namespace_details spire-server + get_namespace_details spire-system + fi + if [ "${CLEANUP}" -eq 1 ]; then helm uninstall --namespace "spire-server" spire 2>/dev/null || true helm uninstall --namespace mysql mysql 2>/dev/null || true @@ -32,7 +41,7 @@ teardown() { fi } -trap 'trap - SIGTERM && teardown' SIGINT SIGTERM EXIT +trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT kubectl create namespace spire-system --dry-run=client -o yaml | kubectl apply -f - kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged || true @@ -48,12 +57,3 @@ helm upgrade --install --namespace "spire-server" \ --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml,${SCRIPTPATH}/../production/example-your-values.yaml" \ --set 'spire-server.dataStore.sql.password=sp1ff3Test' --wait spire charts/spire helm test --namespace "spire-server" spire - -print_helm_releases -print_spire_workload_status spire-server -print_spire_workload_status spire-system - -if [[ "$1" -ne 0 ]]; then - get_namespace_details spire-server - get_namespace_details spire-system -fi diff --git a/examples/external-postgresql/run-tests.sh b/examples/external-postgresql/run-tests.sh index 8cfe700e6..3a93f68ef 100755 --- a/examples/external-postgresql/run-tests.sh +++ b/examples/external-postgresql/run-tests.sh 
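Review bot: With the diagnostics moved into `teardown`, a failed run now runs `kubectl describe pods` and dumps every container log for `spire-server` and `spire-system` into the CI output; the database password passed via `--set 'spire-server.dataStore.sql.password=sp1ff3Test'` on the context line below is a throwaway test value, but if the chart renders it as a plain env var rather than a `secretKeyRef`, `describe pods` will print it, so a comment such as `# test-only credential; pod details are dumped to the public CI log on failure` next to the `--set` would stop someone reusing the pattern with a real one. Separately, the SIGINT/SIGTERM branch of `trap 'EC=$? && trap - SIGTERM && teardown $EC' …` never calls `exit`, so after `teardown` returns the script resumes and the EXIT trap runs `teardown` a second time (pre-existing, but the handler is being rewritten here). The same trap and teardown boilerplate is copied into four other run-tests.sh files in this commit; a shared `install_teardown_trap` in `.github/tests/common.sh` would keep them aligned.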
@@ -24,6 +24,15 @@ for i in "$@"; do done teardown() { + print_helm_releases + print_spire_workload_status spire-server + print_spire_workload_status spire-system + + if [[ "$1" -ne 0 ]]; then + get_namespace_details spire-server + get_namespace_details spire-system + fi + if [ "${CLEANUP}" -eq 1 ]; then helm uninstall --namespace "spire-server" spire 2>/dev/null || true helm uninstall --namespace "spire-server" postgresql 2>/dev/null || true @@ -32,7 +41,7 @@ teardown() { fi } -trap 'trap - SIGTERM && teardown' SIGINT SIGTERM EXIT +trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT kubectl create namespace spire-system --dry-run=client -o yaml | kubectl apply -f - kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged || true @@ -48,12 +57,3 @@ helm upgrade --install --namespace "spire-server" \ --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml,${SCRIPTPATH}/../production/example-your-values.yaml" \ --set 'spire-server.dataStore.sql.password=sp1ff3Test' --wait spire charts/spire helm test --namespace "spire-server" spire - -print_helm_releases -print_spire_workload_status spire-server -print_spire_workload_status spire-system - -if [[ "$1" -ne 0 ]]; then - get_namespace_details spire-server - get_namespace_details spire-system -fi diff --git a/examples/nested/run-tests.sh b/examples/nested/run-tests.sh index 407715e1d..8fd5fe43e 100755 --- a/examples/nested/run-tests.sh +++ b/examples/nested/run-tests.sh 
@@ -24,6 +24,15 @@ for i in "$@"; do done teardown() { + print_helm_releases + print_spire_workload_status spire-root-server + print_spire_workload_status spire-server spire-system + + if [[ "$1" -ne 0 ]]; then + get_namespace_details spire-root-server + get_namespace_details spire-server spire-system + fi + if [ "${CLEANUP}" -eq 1 ]; then helm uninstall --namespace spire-server spire 2>/dev/null || true kubectl delete ns spire-server 2>/dev/null || true @@ -34,7 +43,7 @@ teardown() { fi } -trap 'trap - SIGTERM && teardown' SIGINT SIGTERM EXIT +trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT kubectl create namespace spire-system --dry-run=client -o yaml | kubectl apply -f - kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged || true @@ -50,13 +59,3 @@ helm upgrade --install --create-namespace --namespace spire-server --values "${S --wait spire charts/spire helm test --namespace spire-server spire -print_helm_releases -print_spire_workload_status spire-root-server -print_spire_workload_status spire-server -print_spire_workload_status spire-system - -if [[ "$1" -ne 0 ]]; then - get_namespace_details spire-root-server - get_namespace_details spire-server - get_namespace_details spire-system -fi diff --git a/examples/production/run-tests.sh b/examples/production/run-tests.sh index a60342a05..595b96b4b 100755 --- a/examples/production/run-tests.sh +++ b/examples/production/run-tests.sh @@ -35,6 +35,13 @@ for i in "$@"; do done teardown() { + print_helm_releases + print_spire_workload_status spire-server spire-system + + if [[ "$1" -ne 0 ]]; then + get_namespace_details spire-server spire-system + fi + if [ "${CLEANUP}" -eq 1 ]; then helm uninstall --namespace "${ns}" spire 2>/dev/null || true kubectl delete ns "${ns}" 2>/dev/null || true 
@@ -46,7 +53,7 @@ teardown() { fi } -trap 'trap - SIGTERM && teardown' SIGINT SIGTERM EXIT +trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT if [[ -n "$UPGRADE_ARGS" ]]; then pushd "${SCRIPTPATH}" @@ -132,10 +139,3 @@ if helm get manifest -n spire-server spire | grep -i example; then echo Global settings did not work. Please fix. exit 1 fi - -print_helm_releases -print_spire_workload_status "${ns}" - -if [[ "$1" -ne 0 ]]; then - get_namespace_details "${ns}" -fi diff --git a/examples/tornjak/run-tests.sh b/examples/tornjak/run-tests.sh index f911ee08d..f91ed826a 100755 --- a/examples/tornjak/run-tests.sh +++ b/examples/tornjak/run-tests.sh @@ -24,20 +24,20 @@ for i in "$@"; do done teardown() { + print_helm_releases + print_spire_workload_status "${ns}" + + if [[ "$1" -ne 0 ]]; then + get_namespace_details "${ns}" + fi + if [ "${CLEANUP}" -eq 1 ]; then helm uninstall --namespace "${ns}" spire 2>/dev/null || true kubectl delete ns "${ns}" 2>/dev/null || true fi } -trap 'trap - SIGTERM && teardown' SIGINT SIGTERM EXIT +trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT "${helm_install[@]}" --namespace "${ns}" --values "${SCRIPTPATH}/values.yaml" --wait spire charts/spire helm test --namespace "${ns}" spire - -print_helm_releases -print_spire_workload_status "${ns}" - -if [[ "$1" -ne 0 ]]; then - get_namespace_details "${ns}" -fi From 2496c7116401618cb9f1f0fb6f4e2fc49dab25ca Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Tue, 19 Dec 2023 15:52:45 +0100 Subject: [PATCH 27/64] Bump k8s versions for ci workflow (#156) --- .github/workflows/helm-chart-ci-ignore.yaml | 14 ++++++++------ .github/workflows/helm-chart-ci.yaml | 21 ++++++++++++--------- 2 files changed, 20 insertions(+), 15 deletions(-) diff --git a/.github/workflows/helm-chart-ci-ignore.yaml b/.github/workflows/helm-chart-ci-ignore.yaml index 07841e4f3..7ffa79ebe 100644 --- a/.github/workflows/helm-chart-ci-ignore.yaml +++ b/.github/workflows/helm-chart-ci-ignore.yaml 
@@ -30,9 +30,10 @@ jobs: strategy: matrix: k8s: - - v1.27.2 - - v1.26.4 - - v1.25.9 + - v1.29.0 + - v1.28.0 + - v1.27.3 + - v1.26.6 steps: - run: 'echo "Skipping tests"' @@ -65,9 +66,10 @@ jobs: strategy: matrix: k8s: - - v1.27.2 - - v1.26.4 - - v1.25.9 + - v1.29.0 + - v1.28.0 + - v1.27.3 + - v1.26.6 example: - ${{ fromJson(needs.build-matrix.outputs.examples) }} diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index db23d9669..aba2a733e 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml @@ -130,9 +130,10 @@ jobs: # Kubernetes, but can go back farther as long as we don't need heroics # to pull it off (i.e. kubectl version juggling). k8s: - - v1.27.2 - - v1.26.4 - - v1.25.9 + - v1.29.0 + - v1.28.0 + - v1.27.3 + - v1.26.6 steps: - name: Checkout @@ -209,9 +210,10 @@ jobs: fail-fast: false matrix: k8s: - - v1.27.2 - - v1.26.4 - - v1.25.9 + - v1.29.0 + - v1.28.0 + - v1.27.3 + - v1.26.6 example: - ${{ fromJson(needs.build-matrix.outputs.examples) }} @@ -255,9 +257,10 @@ jobs: fail-fast: false matrix: k8s: - - v1.27.2 - - v1.26.4 - - v1.25.9 + - v1.29.0 + - v1.28.0 + - v1.27.3 + - v1.26.6 steps: - name: Checkout From 49beb64584ee0f530833c399354d675591c4e9b1 Mon Sep 17 00:00:00 2001 
From: kfox1111 Date: Tue, 19 Dec 2023 07:02:57 -0800 Subject: [PATCH 28/64] Add recommendation for namespaceLayout (#127) Co-authored-by: Marco Franssen --- charts/spire/README.md | 1 + .../spiffe-csi-driver/templates/_helpers.tpl | 6 +++ .../templates/_helpers.tpl | 6 +++ .../charts/spire-agent/templates/_helpers.tpl | 18 ++++++--- .../spire-server/templates/_helpers.tpl | 38 ++++++++++++++++++- .../templates/bundle-configmap.yaml | 4 +- .../spire-server/templates/configmap.yaml | 2 +- .../charts/spire-server/templates/roles.yaml | 5 ++- .../tornjak-frontend/templates/_helpers.tpl | 6 +++ charts/spire/values.yaml | 2 + examples/production/values.yaml | 18 --------- 11 files changed, 77 insertions(+), 29 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index c7ce935ca..301f7c306 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -159,6 +159,7 @@ Now you can interact with the Spire agent socket from your own application. The | `global.spire.trustDomain` | The trust domain for Spire install | `example.org` | | `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` | | `global.spire.recommendations.enabled` | Use recommended settings for production deployments. Default is off. | `false` | +| `global.spire.recommendations.namespaceLayout` | Set to true to use recommended values for installing across namespaces | `true` | | `global.spire.recommendations.priorityClassName` | Set to true to use recommended values for Pod Priority Class Names | `true` | | `global.spire.recommendations.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `true` | | `global.spire.recommendations.securityContexts` | Set to true to use recommended values for Pod and Container Security Contexts | `true` | 
diff --git a/charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl b/charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl index 3df9f55ba..4fd5fcd04 100644 --- a/charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl +++ b/charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl @@ -29,6 +29,12 @@ Allow the release namespace to be overridden for multi-namespace deployments in {{- define "spiffe-csi-driver.namespace" -}} {{- if .Values.namespaceOverride -}} {{- .Values.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "system" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.system.name }} + {{- else }} + {{- printf "spire-system" }} + {{- end }} {{- else -}} {{- .Release.Namespace -}} {{- end -}} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl index 70d6de2f7..3ac006ee2 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl @@ -29,6 +29,12 @@ Allow the release namespace to be overridden for multi-namespace deployments in {{- define "spiffe-oidc-discovery-provider.namespace" -}} {{- if .Values.namespaceOverride -}} {{- .Values.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.server.name }} + {{- else }} + {{- printf "spire-server" }} + {{- end }} {{- else -}} {{- .Release.Namespace -}} {{- end -}} 
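Review bot: The six-line namespace-resolution branch added to `spiffe-csi-driver.namespace` is repeated, modulo `system`/`server`, in the oidc-discovery-provider, spire-agent, spire-server and tornjak-frontend helpers in this same commit; a single library template such as `{{- define "spire-lib.namespace" -}}` that takes the role name and falls back to `spire-<role>` would keep the precedence (explicit `namespaceOverride`, then recommended layout, then `.Release.Namespace`) in one place. As written, `dig "spire" "namespaces" "system" "name" "" .Values.global` only reaches the `printf "spire-system"` fallback when `global.spire.namespaces.system.name` is explicitly set to an empty string, because values.yaml already defaults it to `spire-system`; a one-line comment saying so would save the next reader from wondering why both exist.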
diff --git a/charts/spire/charts/spire-agent/templates/_helpers.tpl b/charts/spire/charts/spire-agent/templates/_helpers.tpl index 69642052c..89d5624d9 100644 --- a/charts/spire/charts/spire-agent/templates/_helpers.tpl +++ b/charts/spire/charts/spire-agent/templates/_helpers.tpl @@ -29,6 +29,12 @@ Allow the release namespace to be overridden for multi-namespace deployments in {{- define "spire-agent.namespace" -}} {{- if .Values.namespaceOverride -}} {{- .Values.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "system" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.system.name }} + {{- else }} + {{- printf "spire-system" }} + {{- end }} {{- else -}} {{- .Release.Namespace -}} {{- end -}} @@ -37,6 +43,12 @@ Allow the release namespace to be overridden for multi-namespace deployments in {{- define "spire-agent.server.namespace" -}} {{- if .Values.server.namespaceOverride -}} {{- .Values.server.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.server.name }} + {{- else }} + {{- printf "spire-server" }} + {{- end }} {{- else -}} {{- .Release.Namespace -}} {{- end -}} 
@@ -83,11 +95,7 @@ app.kubernetes.io/instance: {{ .Release.Name }} Create the name of the service account to use */}} {{- define "spire-agent.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "spire-agent.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} +{{- default (printf "%s-agent" .Release.Name) .Values.serviceAccount.name }} {{- end }} {{- define "spire-agent.server-address" }} diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl index 3652f5407..75050af9a 100644 --- a/charts/spire/charts/spire-server/templates/_helpers.tpl +++ b/charts/spire/charts/spire-server/templates/_helpers.tpl 
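Review bot: Replacing the `serviceAccount.create` branch with `default (printf "%s-agent" .Release.Name) .Values.serviceAccount.name` changes behaviour for installs that set `serviceAccount.create: false` without a `serviceAccount.name`: their pods previously ran as `default` and now reference `<release>-agent`, which nothing creates. It also drops `spire-agent.fullname`, so `nameOverride`/`fullnameOverride` no longer influence the service-account name; presumably this is deliberate so the name matches the server's default PSAT allow list entry `<namespace>:<release>-agent`, but that coupling should be written down, e.g. `{{/* Must match spire-server's default serviceAccountAllowList entry (<ns>:<release>-agent); override both together. */}}`. Whether the ServiceAccount manifest still honours `serviceAccount.create` is outside the hunk.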
@@ -29,6 +29,42 @@ Allow the release namespace to be overridden for multi-namespace deployments in {{- define "spire-server.namespace" -}} {{- if .Values.namespaceOverride -}} {{- .Values.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.server.name }} + {{- else }} + {{- printf "spire-server" }} + {{- end }} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{- define "spire-server.agent-namespace" -}} + {{- if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "system" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.system.name }} + {{- else }} + {{- printf "spire-system" }} + {{- end }} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{- define "spire-server.bundle-namespace" -}} + {{- if .Values.notifier.k8sbundle.namespace }} + {{- .Values.notifier.k8sbundle.namespace }} + {{- else if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "system" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.system.name }} + {{- else }} + {{- printf "spire-system" }} + {{- end }} {{- else -}} {{- .Release.Namespace -}} {{- end -}} 
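Review bot: `spire-server.agent-namespace` returns the server chart's own `.Values.namespaceOverride` when it is set, but the agent resolves its namespace from the agent chart's `namespaceOverride` (see `spire-agent.namespace` in this commit), so a deployment that overrides only the server namespace, or overrides both to different values, gets a PSAT allow list entry naming a namespace with no agent in it; attestation then fails closed rather than admitting the wrong account, but the error surfaces as an agent-side attestation failure far from the cause. Either drop the `.Values.namespaceOverride` branch from `spire-server.agent-namespace` (and `spire-server.bundle-namespace`), since only the recommended system namespace or `.Release.Namespace` describe where the agent actually runs, or document that `namespaceOverride` must be mirrored in `nodeAttestor.k8sPsat.serviceAccountAllowList`. The three helpers also repeat the same recommendation lookup; a shared `spire-lib` template would remove the copies.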
@@ -101,7 +137,7 @@ Create the name of the service account to use {{- if ne (len .Values.nodeAttestor.k8sPsat.serviceAccountAllowList) 0 }} {{- .Values.nodeAttestor.k8sPsat.serviceAccountAllowList | toJson }} {{- else }} -[{{ printf "%s:%s-agent" .Release.Namespace .Release.Name | quote }}] +[{{ printf "%s:%s-agent" (include "spire-server.agent-namespace" .) .Release.Name | quote }}] {{- end }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/bundle-configmap.yaml b/charts/spire/charts/spire-server/templates/bundle-configmap.yaml index 95b7dd230..4217322b5 100644 --- a/charts/spire/charts/spire-server/templates/bundle-configmap.yaml +++ b/charts/spire/charts/spire-server/templates/bundle-configmap.yaml @@ -1,9 +1,9 @@ -{{- $namespace := include "spire-server.namespace" . }} +{{- $namespace := include "spire-server.bundle-namespace" . }} apiVersion: v1 kind: ConfigMap metadata: name: {{ include "spire-lib.bundle-configmap" . }} - namespace: {{ .Values.notifier.k8sbundle.namespace | default $namespace }} + namespace: {{ $namespace }} {{- with .Values.configMap.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index 9b172efae..d631806ee 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -131,7 +131,7 @@ plugins: Notifier: k8sbundle: plugin_data: - namespace: {{ .Values.notifier.k8sbundle.namespace | default (include "spire-server.namespace" .) | quote }} + namespace: {{ include "spire-server.bundle-namespace" . | quote }} config_map: {{ include "spire-lib.bundle-configmap" . | quote }} {{- with .Values.upstreamAuthority.disk }} diff --git a/charts/spire/charts/spire-server/templates/roles.yaml b/charts/spire/charts/spire-server/templates/roles.yaml index 6c667e723..c09bedecd 100644 
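Review bot: The default `serviceAccountAllowList` is the authorization boundary for k8s_psat node attestation, and it is now assembled from `(include "spire-server.agent-namespace" .)` plus a hard-coded `%s-agent` suffix, both of which must agree with what the agent chart renders; if either side is overridden independently the list silently names an account that does not exist. Since `strictMode` already validates other production-critical values, consider having it require an explicit `nodeAttestor.k8sPsat.serviceAccountAllowList` when the agent namespace or service-account name is customised, or at least add `{{/* Keep in sync with spire-agent.serviceAccountName and spire-agent.namespace */}}` above the `printf`. The enclosing helper's `define` starts outside the hunk.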
--- a/charts/spire/charts/spire-server/templates/roles.yaml +++ b/charts/spire/charts/spire-server/templates/roles.yaml @@ -1,10 +1,11 @@ {{- $namespace := include "spire-server.namespace" . }} +{{- $bundleNamespace := include "spire-server.bundle-namespace" . }} # Role to be able to push certificate bundles to a configmap kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "spire-lib.bundle-configmap" . }} - namespace: {{ .Values.notifier.k8sbundle.namespace | default $namespace }} + namespace: {{ $bundleNamespace }} rules: - apiGroups: [""] resources: [configmaps] @@ -52,7 +53,7 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "spire-lib.bundle-configmap" . }} - namespace: {{ .Values.notifier.k8sbundle.namespace | default $namespace }} + namespace: {{ $bundleNamespace }} subjects: - kind: ServiceAccount name: {{ include "spire-server.serviceAccountName" . }} diff --git a/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl b/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl index 535df2b9b..c810f0f0a 100644 --- a/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl +++ b/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl @@ -29,6 +29,12 @@ Allow the release namespace to be overridden for multi-namespace deployments in {{- define "tornjak-frontend.namespace" -}} {{- if .Values.namespaceOverride -}} {{- .Values.namespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.server.name }} + {{- else }} + {{- printf "spire-server" }} + {{- end }} {{- else -}} {{- .Release.Namespace -}} {{- end -}} diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 81b2371d3..c52ebe20f 100644 --- a/charts/spire/values.yaml 
+++ b/charts/spire/values.yaml @@ -22,12 +22,14 @@ global: upstreamServerAddress: "" ## @param global.spire.recommendations.enabled Use recommended settings for production deployments. Default is off. + ## @param global.spire.recommendations.namespaceLayout Set to true to use recommended values for installing across namespaces ## @param global.spire.recommendations.priorityClassName Set to true to use recommended values for Pod Priority Class Names ## @param global.spire.recommendations.strictMode Check values, such as trustDomain, are overridden with a suitable value for production. ## @param global.spire.recommendations.securityContexts Set to true to use recommended values for Pod and Container Security Contexts ## @param global.spire.recommendations.prometheus Enable prometheus exporters for monitoring recommendations: enabled: false + namespaceLayout: true priorityClassName: true strictMode: true securityContexts: true diff --git a/examples/production/values.yaml b/examples/production/values.yaml index aed747135..de8c821f9 100644 --- a/examples/production/values.yaml +++ b/examples/production/values.yaml @@ -4,28 +4,10 @@ global: enabled: true spire-server: - nodeAttestor: - k8sPsat: - serviceAccountAllowList: ["spire-system:spire-agent"] - notifier: - k8sbundle: - namespace: spire-system - -spiffe-csi-driver: - namespaceOverride: spire-system - -upstream-spiffe-csi-driver: - namespaceOverride: spire-system spire-agent: - namespaceOverride: spire-system - serviceAccount: - name: spire-agent - server: - namespaceOverride: spire-server upstream-spire-agent: - namespaceOverride: spire-system spiffe-oidc-discovery-provider: enabled: true From ad905d9c3e2be2ba3f4ef4e6089620632f85709d Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Tue, 19 Dec 2023 16:12:46 -0800 Subject: [PATCH 29/64] Fix the nested test (#158) Signed-off-by: Kevin Fox --- examples/production/values.yaml | 6 ------ 1 file changed, 6 deletions(-) 
diff --git a/examples/production/values.yaml b/examples/production/values.yaml index de8c821f9..5da73c96c 100644 --- a/examples/production/values.yaml +++ b/examples/production/values.yaml @@ -3,12 +3,6 @@ global: recommendations: enabled: true -spire-server: - -spire-agent: - -upstream-spire-agent: - spiffe-oidc-discovery-provider: enabled: true insecureScheme: From cb7e7e82c0b2e02fcc3ac88dabc18e032ad46a98 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Tue, 19 Dec 2023 19:00:41 -0800 Subject: [PATCH 30/64] Remove 1.29.0 until deps catch up. (#159) Related issue: https://github.com/rancher/kubectl/pull/94 Signed-off-by: Kevin Fox --- .github/workflows/helm-chart-ci-ignore.yaml | 2 -- .github/workflows/helm-chart-ci.yaml | 3 --- 2 files changed, 5 deletions(-) diff --git a/.github/workflows/helm-chart-ci-ignore.yaml b/.github/workflows/helm-chart-ci-ignore.yaml index 7ffa79ebe..b2aad512b 100644 --- a/.github/workflows/helm-chart-ci-ignore.yaml +++ b/.github/workflows/helm-chart-ci-ignore.yaml @@ -30,7 +30,6 @@ jobs: strategy: matrix: k8s: - - v1.29.0 - v1.28.0 - v1.27.3 - v1.26.6 @@ -66,7 +65,6 @@ jobs: strategy: matrix: k8s: - - v1.29.0 - v1.28.0 - v1.27.3 - v1.26.6 diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index aba2a733e..7e8a5c899 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml @@ -130,7 +130,6 @@ jobs: # Kubernetes, but can go back farther as long as we don't need heroics # to pull it off (i.e. kubectl version juggling). k8s: - - v1.29.0 - v1.28.0 - v1.27.3 - v1.26.6 @@ -210,7 +209,6 @@ jobs: fail-fast: false matrix: k8s: - - v1.29.0 - v1.28.0 - v1.27.3 - v1.26.6 @@ -257,7 +255,6 @@ jobs: fail-fast: false matrix: k8s: - - v1.29.0 - v1.28.0 - v1.27.3 - v1.26.6 From 80f9d3823c3d7274f84741127cb80992996c4a34 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Wed, 20 Dec 2023 09:05:23 -0800 Subject: [PATCH 31/64] Revert to older ingress-nginx to fix tests (#161) 
Signed-off-by: Kevin Fox --- .github/tests/charts.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 3a8437bc6..30c4a73fc 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -12,7 +12,7 @@ { "name": "ingress-nginx", "repo": "https://kubernetes.github.io/ingress-nginx", - "version": "4.8.4" + "version": "4.8.3" }, { "name": "mysql", From 0555c87eef89609ab931d9a8d3bb944cd0852443 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 09:50:41 -0800 Subject: [PATCH 32/64] Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /tests (#162) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.17.0. - [Commits](https://github.com/golang/crypto/compare/v0.14.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: kfox1111 --- tests/go.mod | 8 ++++---- tests/go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index 1f639f9d3..5eb113258 100644 --- a/tests/go.mod +++ b/tests/go.mod 
@@ -45,12 +45,12 @@ require ( github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect - golang.org/x/crypto v0.14.0 // indirect + golang.org/x/crypto v0.17.0 // indirect golang.org/x/net v0.17.0 // indirect golang.org/x/oauth2 v0.8.0 // indirect - golang.org/x/sys v0.14.0 // indirect - golang.org/x/term v0.13.0 // indirect - golang.org/x/text v0.13.0 // indirect + golang.org/x/sys v0.15.0 // indirect + golang.org/x/term v0.15.0 // indirect + golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.14.0 // indirect google.golang.org/appengine v1.6.7 // indirect diff --git a/tests/go.sum b/tests/go.sum index d4db994c2..8982f9726 100644 --- a/tests/go.sum +++ b/tests/go.sum @@ -127,8 +127,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= -golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= +golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 
@@ -158,20 +158,20 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= -golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= -golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= +golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= -golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod 
h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= From c39dd44526b8fcca6810ec0ce54adfa6c4f89cfa Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Wed, 20 Dec 2023 16:15:56 -0800 Subject: [PATCH 33/64] Add recommendation for namespacePSS (#131) Co-authored-by: Marco Franssen --- charts/spire/README.md | 2 ++ .../templates/spire-server-namespace.yaml | 26 +++++++++++++++---- .../templates/spire-system-namespace.yaml | 23 ++++++++++++---- charts/spire/values.yaml | 4 +++ examples/openshift/openshift-values.yaml | 14 ---------- 5 files changed, 45 insertions(+), 24 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 301f7c306..076d383a0 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -160,11 +160,13 @@ Now you can interact with the Spire agent socket from your own application. The | `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` | | `global.spire.recommendations.enabled` | Use recommended settings for production deployments. Default is off. | `false` | | `global.spire.recommendations.namespaceLayout` | Set to true to use recommended values for installing across namespaces | `true` | +| `global.spire.recommendations.namespacePSS` | When chart namespace creation is enabled, label them with preffered Pod Security Standard labels | `true` | | `global.spire.recommendations.priorityClassName` | Set to true to use recommended values for Pod Priority Class Names | `true` | | `global.spire.recommendations.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `true` | | `global.spire.recommendations.securityContexts` | Set to true to use recommended values for Pod and Container Security Contexts | `true` | | `global.spire.recommendations.prometheus` | Enable prometheus exporters for monitoring | `true` | | `global.spire.image.registry` | Override all Spire image registries at once | `""` | +| `global.spire.namespaces.create` | Set to true to Create all namespaces. If this or either of the namespace specific create flags is set, the namespace will be created. | `false` | | `global.spire.namespaces.system.name` | Name of the Spire system Namespace. | `spire-system` | | `global.spire.namespaces.system.create` | Create a Namespace for Spire system resources. | `false` | | `global.spire.namespaces.system.annotations` | Annotations to apply to the Spire system Namespace. | `{}` | diff --git a/charts/spire/templates/spire-server-namespace.yaml b/charts/spire/templates/spire-server-namespace.yaml index 4eae22d6a..a0ac41b91 100644 --- a/charts/spire/templates/spire-server-namespace.yaml 
+++ b/charts/spire/templates/spire-server-namespace.yaml @@ -1,14 +1,30 @@ -{{- if .Values.global.spire.namespaces.server.create }} +{{- define "spire.namespace.default_server_labels" }} +"pod-security.kubernetes.io/warn": restricted +"pod-security.kubernetes.io/audit": restricted +"pod-security.kubernetes.io/enforce": restricted +{{- end }} +{{- if or .Values.global.spire.namespaces.create .Values.global.spire.namespaces.server.create }} +{{- $labels := dict }} +{{- if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespacePSS" true .Values.global) }} +{{- $labels = mergeOverwrite $labels (include "spire.namespace.default_server_labels" . | fromYaml) }} +{{- if (dig "openshift" false .Values.global) }} +{{- $_ := set $labels "security.openshift.io/scc.podSecurityLabelSync" "false" }} +{{- if (index .Values "spiffe-oidc-discovery-provider").enabled }} +{{- $_ := set $labels "pod-security.kubernetes.io/enforce" "privileged" }} +{{- end }} +{{- end }} +{{- end }} +{{- $labels = mergeOverwrite $labels .Values.global.spire.namespaces.server.labels }} apiVersion: v1 kind: Namespace metadata: name: {{ .Values.global.spire.namespaces.server.name }} - {{- if .Values.global.spire.namespaces.server.labels }} + {{- with $labels }} labels: - {{- .Values.global.spire.namespaces.server.labels | toYaml | nindent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} - {{- if .Values.global.spire.namespaces.server.annotations }} + {{- with .Values.global.spire.namespaces.server.annotations }} annotations: - {{- .Values.global.spire.namespaces.server.annotations | toYaml | nindent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} {{- end }} diff --git a/charts/spire/templates/spire-system-namespace.yaml b/charts/spire/templates/spire-system-namespace.yaml index 689038e88..3ddf3c150 100644 --- a/charts/spire/templates/spire-system-namespace.yaml +++ b/charts/spire/templates/spire-system-namespace.yaml 
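Review bot: When `global.openshift` is true and the spiffe-oidc-discovery-provider subchart is enabled, the new template lowers the server namespace's `pod-security.kubernetes.io/enforce` label to `privileged` while leaving `warn` and `audit` at `restricted`, and nothing in the template says why; the resulting mixed label set will look like a mistake to anyone auditing namespace posture. Add a comment above that `set` call, e.g. `{{/* <reason the OIDC discovery provider cannot run under enforce=restricted on OpenShift>; warn/audit stay restricted so violations are still reported */}}`, and mention the OpenShift exception in the `namespacePSS` parameter description. The later `mergeOverwrite $labels .Values.global.spire.namespaces.server.labels` gives user-supplied labels the last word, which is presumably the intended escape hatch and is worth stating in that description as well.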
@@ -1,14 +1,27 @@ -{{- if .Values.global.spire.namespaces.system.create }} +{{- define "spire.namespace.default_system_labels" }} +"pod-security.kubernetes.io/warn": privileged +"pod-security.kubernetes.io/audit": privileged +"pod-security.kubernetes.io/enforce": privileged +{{- end }} +{{- if or .Values.global.spire.namespaces.create .Values.global.spire.namespaces.system.create }} +{{- $labels := dict }} +{{- if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespacePSS" true .Values.global) }} +{{- $labels = mergeOverwrite $labels (include "spire.namespace.default_system_labels" . | fromYaml) }} +{{- if (dig "openshift" false .Values.global) }} +{{- $_ := set $labels "security.openshift.io/scc.podSecurityLabelSync" "false" }} +{{- end }} +{{- end }} +{{- $labels = mergeOverwrite $labels .Values.global.spire.namespaces.server.labels }} apiVersion: v1 kind: Namespace metadata: name: {{ .Values.global.spire.namespaces.system.name }} - {{- if .Values.global.spire.namespaces.system.labels }} + {{- with $labels }} labels: - {{- .Values.global.spire.namespaces.system.labels | toYaml | nindent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} - {{- if .Values.global.spire.namespaces.system.annotations }} + {{- with .Values.global.spire.namespaces.system.annotations }} annotations: - {{- .Values.global.spire.namespaces.system.annotations | toYaml | nindent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} {{- end }} diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index c52ebe20f..6d2cfef27 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml 
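Review bot: The system namespace template merges the wrong values map: `{{- $labels = mergeOverwrite $labels .Values.global.spire.namespaces.server.labels }}` should read `{{- $labels = mergeOverwrite $labels .Values.global.spire.namespaces.system.labels }}`. As written, labels a user sets under `global.spire.namespaces.system.labels` (which the removed lines honoured) are silently dropped and the server namespace's labels are applied to the system namespace instead; because these maps carry the Pod Security Standard labels, a user-chosen `enforce` level for the system namespace would never take effect. The `annotations` block a few lines below correctly uses `system.annotations`, so this looks like a copy-paste slip from the server template.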
@@ -23,6 +23,7 @@ global: ## @param global.spire.recommendations.enabled Use recommended settings for production deployments. Default is off. ## @param global.spire.recommendations.namespaceLayout Set to true to use recommended values for installing across namespaces + ## @param global.spire.recommendations.namespacePSS When chart namespace creation is enabled, label them with preffered Pod Security Standard labels ## @param global.spire.recommendations.priorityClassName Set to true to use recommended values for Pod Priority Class Names ## @param global.spire.recommendations.strictMode Check values, such as trustDomain, are overridden with a suitable value for production. ## @param global.spire.recommendations.securityContexts Set to true to use recommended values for Pod and Container Security Contexts @@ -30,6 +31,7 @@ global: recommendations: enabled: false namespaceLayout: true + namespacePSS: true priorityClassName: true strictMode: true securityContexts: true @@ -40,6 +42,8 @@ global: registry: "" namespaces: + ## @param global.spire.namespaces.create Set to true to Create all namespaces. If this or either of the namespace specific create flags is set, the namespace will be created. + create: false system: ## @param global.spire.namespaces.system.name Name of the Spire system Namespace. name: "spire-system" diff --git a/examples/openshift/openshift-values.yaml b/examples/openshift/openshift-values.yaml index d0d01d354..87ea5a320 100644 --- a/examples/openshift/openshift-values.yaml +++ b/examples/openshift/openshift-values.yaml 
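Review bot: The new `@param` comment in the first hunk has a typo, `preffered` for `preferred`, and since the README table is generated from these comments it is already reproduced in the docs; suggested text: `## @param global.spire.recommendations.namespacePSS When chart namespace creation is enabled, label them with preferred Pod Security Standard labels`. The description would also be more useful if it named what is applied (the `pod-security.kubernetes.io/enforce`, `warn` and `audit` labels) and noted that the per-namespace `labels` maps take precedence over the recommended values.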
@@ -1,16 +1,2 @@ global: openshift: true - spire: - namespaces: - system: - labels: - security.openshift.io/scc.podSecurityLabelSync: "false" - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - pod-security.kubernetes.io/audit: privileged - server: - labels: - security.openshift.io/scc.podSecurityLabelSync: "false" - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - pod-security.kubernetes.io/audit: privileged From e6300087b726d8c4ffe0471b568704769a6e7d74 Mon Sep 17 00:00:00 2001 From: Drew Wells Date: Wed, 20 Dec 2023 21:14:54 -0600 Subject: [PATCH 34/64] Update jwt test to work with newer slim images (#139) * install newer version of slim debug - switch to step tool for jwt verification against jwk public keys Signed-off-by: Drew Wells * use step-cli image Signed-off-by: Drew Wells * Fix image tag and add upgrade logic Signed-off-by: Kevin Fox * use registry for consistency Signed-off-by: Kevin Fox * Fix merge conflicts Signed-off-by: Kevin Fox --------- Signed-off-by: Drew Wells Signed-off-by: kfox1111 Signed-off-by: Kevin Fox Co-authored-by: kfox1111 --- .github/tests/images.json | 4 +++ .../spiffe-oidc-discovery-provider/README.md | 7 ++++- .../templates/tests/test-keys.yaml | 30 ++++++++++++++----- .../values.yaml | 16 +++++++++- 4 files changed, 48 insertions(+), 9 deletions(-) diff --git a/.github/tests/images.json b/.github/tests/images.json index 7ecacdb74..271dca192 100644 --- a/.github/tests/images.json +++ b/.github/tests/images.json @@ -34,6 +34,10 @@ "query": "telemetry.prometheus.nginxExporter.image", "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$", "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"] + }, { + "query": "tests.step.image", + "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$", + "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"] }, { "query": "tests.bash.image", 
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 3320014ce..c3ff4013a 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md @@ -110,7 +110,12 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.toolkit.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:99cafee4f14fe07a3298fcb7b90d4f0c396cba150b65d937856788b42ad83f79` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:b7b4cb6a241990f1caba892e061b6b4fa014d778e9608a94b97580a40ab361bb` | +| `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | +| `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.step.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.25.1` | | `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | | `tests.busybox.image.repository` | The repository within the registry | `busybox` | | `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml index 531b1ef6d..f7f21ebfd 100644 
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml @@ -25,6 +25,19 @@ spec: volumeMounts: - name: data-volume mountPath: /data + - name: install-step + image: {{ template "spire-lib.image" (dict "image" .Values.tests.step.image "global" .Values.global) }} + workingDir: /data + command: + - sh + - -c + - | + cp /usr/local/bin/step /data/step + securityContext: + {{- include "spire-lib.securitycontext" . | nindent 8 }} + volumeMounts: + - name: data-volume + mountPath: /data - name: gettoken image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version "image" .Values.tests.agent.image) }} command: 
@@ -50,19 +63,22 @@ spec: image: {{ template "spire-lib.image" (dict "image" .Values.tests.toolkit.image "global" .Values.global) }} command: - bash + workingDir: /data env: - name: TMPDIR value: /data args: - - -c + - -cx - | URL=http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }} - curl -k -s -f "${URL}"/keys - JWT=$(cat /data/token.svid | jq -r '.[].svids[0].svid' | xargs) - cat <<'EOF' >> /data/jwt-decode.sh - {{- (.Files.Get "files/test/jwt-decode.sh") | nindent 10 }} - EOF - bash /data/jwt-decode.sh "${URL}"/keys "${JWT}" + + cat /data/token.svid + JWT=$(cat /data/token.svid | jq -r '.[] | select(.svids) | .svids[0].svid' | xargs) + KID=$(echo $JWT | base64 -d 2>/dev/null | jq -r '.kid') + # Retrieve public key from JWK set, match kid from JWT to locate the correct one + curl -k -s --fail-with-body "${URL}"/keys | jq '.keys[] | select(.kid == "'${KID}'")' > public.pem + # Verify JWT with public pem + echo $JWT | /data/step crypto jwt verify --key=public.pem --alg=RS256 --subtle securityContext: {{- include "spire-lib.securitycontext" . | nindent 8 }} volumeMounts: diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index d324753ea..ad0c142ca 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
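Review bot: The `kid` lookup splices a shell variable into the jq program with `select(.kid == "'${KID}'")`; pass it as a jq argument instead, `curl -k -s --fail-with-body "${URL}"/keys | jq --arg kid "$KID" '.keys[] | select(.kid == $kid)' > public.pem`, so an empty or unexpected value cannot alter the filter. Extracting `KID` by piping the whole three-part JWT through `base64 -d` appears to work only because the decoder emits the header bytes before rejecting the `.` separator (hence the `2>/dev/null`); `KID=$(echo "$JWT" | cut -d. -f1 | tr '_-' '/+' | base64 -d 2>/dev/null | jq -r '.kid')` makes the intent explicit and handles base64url characters. Note also that `-cx` together with `cat /data/token.svid` writes the JWT-SVID into the test pod's log, which is acceptable for a short-lived test token but deserves a comment saying so. The container definition this hunk edits starts before the hunk.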
@@ -303,7 +303,21 @@ tests: repository: chainguard/slim-toolkit-debug pullPolicy: IfNotPresent version: "" - tag: latest@sha256:99cafee4f14fe07a3298fcb7b90d4f0c396cba150b65d937856788b42ad83f79 + tag: latest@sha256:b7b4cb6a241990f1caba892e061b6b4fa014d778e9608a94b97580a40ab361bb + + step: + ## @param tests.step.image.registry The OCI registry to pull the image from + ## @param tests.step.image.repository The repository within the registry + ## @param tests.step.image.pullPolicy The image pull policy + ## @param tests.step.image.version This value is deprecated in favor of tag. (Will be removed in a future release) + ## @param tests.step.image.tag Overrides the image tag whose default is the chart appVersion + ## + image: + registry: "docker.io" + repository: smallstep/step-cli + pullPolicy: IfNotPresent + version: "" + tag: 0.25.1 busybox: ## @param tests.busybox.image.registry The OCI registry to pull the image from From e5c5527fd71f7b514f9300cc787dae210e664ebc Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 25 Dec 2023 14:32:18 -0800 Subject: [PATCH 35/64] Bump test chart dependencies (#165) Signed-off-by: GitHub Co-authored-by: marcofranssen --- .github/tests/charts.json | 4 ++-- charts/spire/charts/spiffe-oidc-discovery-provider/README.md | 2 +- .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 30c4a73fc..9e0ee8603 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -12,7 +12,7 @@ { "name": "ingress-nginx", "repo": "https://kubernetes.github.io/ingress-nginx", - "version": "4.8.3" + "version": "4.9.0" }, { "name": "mysql", @@ -22,6 +22,6 @@ { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "13.2.24" + "version": "13.2.25" } ] 
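Review bot: `tests.step.image.tag: 0.25.1` pins the step-cli test image by mutable tag only, while the neighbouring `tests.toolkit.image.tag` in the same hunk is pinned by digest (`latest@sha256:…`); the binary copied out of this image is what performs the JWT verification in the test, so it deserves the same digest pin, e.g. `tag: 0.25.1@sha256:<digest of smallstep/step-cli:0.25.1>`. Quoting the tag (`tag: "0.25.1"`) would also match the quoted `version: ""` and `registry: "docker.io"` in the same block.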
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index c3ff4013a..0c7dc4482 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md @@ -110,7 +110,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.toolkit.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:b7b4cb6a241990f1caba892e061b6b4fa014d778e9608a94b97580a40ab361bb` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:201305e2ad567a4387a92663f58068073c0833cdc2d84ed9f69be385aa4ece98` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index ad0c142ca..4bbdae8fa 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -303,7 +303,7 @@ tests: repository: chainguard/slim-toolkit-debug pullPolicy: IfNotPresent version: "" - tag: latest@sha256:b7b4cb6a241990f1caba892e061b6b4fa014d778e9608a94b97580a40ab361bb + tag: latest@sha256:201305e2ad567a4387a92663f58068073c0833cdc2d84ed9f69be385aa4ece98 step: ## @param tests.step.image.registry The OCI registry to pull the image from 
From 2454b8cd2a61996a13d42e91620bfe59df1840de Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Wed, 27 Dec 2023 17:10:49 -0800 Subject: [PATCH 36/64] Fix links still pointing at older git repo (#167) Signed-off-by: Kevin Fox --- charts/spire-crds/Chart.yaml | 4 ++-- charts/spire-crds/README.md | 4 ++-- charts/spire/Chart.yaml | 4 ++-- charts/spire/README.md | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/spire-crds/Chart.yaml b/charts/spire-crds/Chart.yaml index 8df8b6f9d..d59472f3c 100644 --- a/charts/spire-crds/Chart.yaml +++ b/charts/spire-crds/Chart.yaml @@ -6,9 +6,9 @@ type: application version: 0.2.0 appVersion: "0.0.1" keywords: ["spire-crds"] -home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: - - https://github.com/spiffe/helm-charts/tree/main/charts/spire + - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png maintainers: - name: marcofranssen diff --git a/charts/spire-crds/README.md b/charts/spire-crds/README.md index 9f69df414..63134e185 100644 --- a/charts/spire-crds/README.md +++ b/charts/spire-crds/README.md @@ -4,7 +4,7 @@ A Helm chart to install the SPIRE CRDS. -**Homepage:** +**Homepage:** ## Maintainers @@ -17,7 +17,7 @@ A Helm chart to install the SPIRE CRDS. ## Source Code -* +* diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 98e78959e..ef530cd09 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml 
@@ -6,9 +6,9 @@ type: application version: 0.16.0 appVersion: "1.8.5" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] -home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: - - https://github.com/spiffe/helm-charts/tree/main/charts/spire + - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png maintainers: - name: marcofranssen diff --git a/charts/spire/README.md b/charts/spire/README.md index 076d383a0..92e09bce8 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -5,7 +5,7 @@ A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. -**Homepage:** +**Homepage:** ## Install notes @@ -130,7 +130,7 @@ Now you can interact with the Spire agent socket from your own application. The ## Source Code -* +* ## Requirements From 8f1aba8ad3cd3ca65c9d8c5bfaf756b89c235903 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 1 Jan 2024 06:05:30 -0800 Subject: [PATCH 37/64] Bump test chart dependencies (#171) Signed-off-by: GitHub Co-authored-by: marcofranssen --- .github/tests/charts.json | 6 +++--- charts/spire/charts/spiffe-csi-driver/README.md | 2 +- charts/spire/charts/spiffe-csi-driver/values.yaml | 2 +- .../spire/charts/spiffe-oidc-discovery-provider/README.md | 2 +- .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 9e0ee8603..277be2b9d 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json 
@@ -2,7 +2,7 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "55.5.0" + "version": "55.5.1" }, { "name": "cert-manager", @@ -17,11 +17,11 @@ { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "9.15.0" + "version": "9.16.1" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "13.2.25" + "version": "13.2.27" } ] diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md index 7365262db..f6297fb8c 100644 --- a/charts/spire/charts/spiffe-csi-driver/README.md +++ b/charts/spire/charts/spiffe-csi-driver/README.md @@ -56,7 +56,7 @@ A Helm chart to install the SPIFFE CSI driver. | `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` | | `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `nodeDriverRegistrar.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.2` | +| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.3` | | `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` | | `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | | `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` | diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml index d8bd3e021..84822f12c 100644 --- a/charts/spire/charts/spiffe-csi-driver/values.yaml +++ b/charts/spire/charts/spiffe-csi-driver/values.yaml 
@@ -110,7 +110,7 @@ nodeDriverRegistrar: repository: sig-storage/csi-node-driver-registrar pullPolicy: IfNotPresent version: "" - tag: v2.9.2 + tag: v2.9.3 ## @param nodeDriverRegistrar.resources Resource requests and limits for CSI driver pods resources: {} # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 0c7dc4482..2b020ad16 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md @@ -110,7 +110,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.toolkit.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:201305e2ad567a4387a92663f58068073c0833cdc2d84ed9f69be385aa4ece98` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:c33000bbf5fc823722d1a190ce96c58ee0baa3780e23d148c27773bbc7e884e1` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 4bbdae8fa..046daa8c1 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
@@ -303,7 +303,7 @@ tests: repository: chainguard/slim-toolkit-debug pullPolicy: IfNotPresent version: "" - tag: latest@sha256:201305e2ad567a4387a92663f58068073c0833cdc2d84ed9f69be385aa4ece98 + tag: latest@sha256:c33000bbf5fc823722d1a190ce96c58ee0baa3780e23d148c27773bbc7e884e1 step: ## @param tests.step.image.registry The OCI registry to pull the image from From 183e9aa534da5a6b1dfc1daaab3d348a26f2336a Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Wed, 3 Jan 2024 02:40:14 -0800 Subject: [PATCH 38/64] SPIFFE OIDC Discovery Provider Rework (#152) Co-authored-by: Faisal Memon --- .../spire-root-server-values.yaml | 21 +- .../spiffe-oidc-discovery-provider/README.md | 30 +- .../templates/_helpers.tpl | 8 + .../templates/certificate.yaml | 26 ++ .../templates/configmap.yaml | 29 +- .../templates/deployment.yaml | 25 +- .../templates/ingress.yaml | 27 +- .../templates/issuer.yaml | 22 + .../templates/podmonitor.yaml | 2 +- .../templates/service.yaml | 6 +- .../templates/tests/test-connection.yaml | 12 +- .../templates/tests/test-keys.yaml | 11 +- .../values.yaml | 73 +++- charts/spire/charts/spire-server/README.md | 382 +++++++++--------- .../controller-manager-cluster-ids.yaml | 53 ++- .../spire-server/templates/statefulset.yaml | 3 + charts/spire/charts/spire-server/values.yaml | 17 + .../ci/namespace-override-values-skip.yaml | 5 +- .../no-spire-controller-manager-values.yaml | 2 + charts/spire/ci/oidc-values.yaml | 5 +- charts/spire/ci/prometheus-values.yaml | 5 +- examples/nested/values.yaml | 7 +- examples/production/values.yaml | 5 +- 23 files changed, 512 insertions(+), 264 deletions(-) create mode 100644 charts/spire/charts/spiffe-oidc-discovery-provider/templates/certificate.yaml create mode 100644 charts/spire/charts/spiffe-oidc-discovery-provider/templates/issuer.yaml diff --git a/.github/tests/dependencies/spire-root-server-values.yaml b/.github/tests/dependencies/spire-root-server-values.yaml index 124c8dd4a..e7bda6298 100644 
--- a/.github/tests/dependencies/spire-root-server-values.yaml +++ b/.github/tests/dependencies/spire-root-server-values.yaml @@ -8,13 +8,23 @@ spire-server: identities: clusterSPIFFEIDs: default: + type: raw + spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }} namespaceSelector: - kubernetes.io/metadata.name: spire-server + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: In + values: [spire-server] podSelector: - app.kubernetes.io/component: server - app.kubernetes.io/instance: spire - app.kubernetes.io/name: server + matchLabels: + release: spire + release-namespace: spire-server + component: server downstream: true + oidc-discovery-provider: + enabled: false + test-keys: + enabled: false nodeAttestor: k8sPsat: serviceAccountAllowList: @@ -24,6 +34,9 @@ spire-server: k8sbundle: namespace: spire-system +spiffe-oidc-discovery-provider: + enabled: false + spire-agent: enabled: false diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 2b020ad16..8b2435783 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -28,6 +28,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | Name | Description | Value | | ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | | `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` | +| `csiDriverName` | The csi driver to use | `csi.spiffe.io` | | `replicaCount` | Replica count | `1` | | `namespaceOverride` | Namespace override | `""` | | `annotations` | Annotations for the deployment | `{}` | @@ -38,7 +39,8 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | | `resources` | Resource requests and limits | `{}` | | `service.type` | Service type | `ClusterIP` | -| `service.port` | Service port | `80` | +| `service.ports.http` | Insecure port for the service | `80` | +| `service.ports.https` | Secure port for the service | `443` | | `service.annotations` | Annotations for service resource | `{}` | | `configMap.annotations` | Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap | `{}` | | `podSecurityContext` | Pod security context for OIDC discovery provider pods | `{}` | 
@@ -48,20 +50,26 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | | `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | | `podAnnotations` | Pod annotations for Spire OIDC discovery provider | `{}` | -| `insecureScheme.enabled` | Flag to enable insecure schema | `false` | -| `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from | `docker.io` | -| `insecureScheme.nginx.image.repository` | The repository within the registry | `nginxinc/nginx-unprivileged` | -| `insecureScheme.nginx.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `insecureScheme.nginx.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.25.3-alpine` | +| `tls.spire.enabled` | Use spire to secure the oidc-discovery-provider | `true` | +| `tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` | +| `tls.externalSecret.secretName` | Specify which Secret to use | `""` | +| `tls.certManager.enabled` | Use certificateManager to create the certificate | `false` | +| `tls.certManager.issuer.create` | Create an issuer to use to issue the certificate | `true` | +| `tls.certManager.issuer.acme.email` | Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service | `""` | +| `tls.certManager.issuer.acme.server` | Server to use to get certificate. Defaults to LetsEncrypt | `https://acme-v02.api.letsencrypt.org/directory` | +| `tls.certManager.issuer.acme.solvers` | Configure the issuer solvers. Defaults to http01 via ingress. | `{}` | +| `tls.certManager.certificate.dnsNames` | Override the dnsNames on the certificate request. 
Defaults to the same settings as Ingress | `[]` | +| `tls.certManager.certificate.issuerRef.group` | If you are using an external plugin, specify the group for it here | `""` | +| `tls.certManager.certificate.issuerRef.kind` | Kind of the issuer reference. Override if you want to use a ClusterIssuer | `Issuer` | +| `tls.certManager.certificate.issuerRef.name` | Name of the issuer to use. If unset, it will use the name of the built in issuer | `""` | +| `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from. Only used when TLS is disabled. | `docker.io` | +| `insecureScheme.nginx.image.repository` | The repository within the registry. Only used when TLS is disabled. | `nginxinc/nginx-unprivileged` | +| `insecureScheme.nginx.image.pullPolicy` | The image pull policy. Only used when TLS is disabled. | `IfNotPresent` | +| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.25.3-alpine` | | `insecureScheme.nginx.resources` | Resource requests and limits | `{}` | | `jwtIssuer` | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset | `""` | | `config.logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | | `config.additionalDomains` | Add additional domains that can be used for oidc discovery | `[]` | -| `config.acme.tosAccepted` | Flag for Terms of Service acceptance | `false` | -| `config.acme.cacheDir` | Path for cache directory | `/run/spire` | -| `config.acme.directoryUrl` | URL for acme directory | `https://acme-v02.api.letsencrypt.org/directory` | -| `config.acme.emailAddress` | Email address for registration | `letsencrypt@example.org` | | `imagePullSecrets` | Image pull secret names | `[]` | | `nameOverride` | Name override | `""` | | `fullnameOverride` | Full name override | `""` | 
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl
index 3ac006ee2..7780aa725 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl
@@ -91,3 +91,11 @@ Create the name of the service account to use
 {{- define "spiffe-oidc-discovery-provider.workload-api-socket-path" -}}
 {{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
 {{- end }}
+
+{{- define "spiffe-oidc-discovery-provider.tls-enabled" -}}
+{{- if and .Values.enabled (or .Values.tls.spire.enabled .Values.tls.externalSecret.enabled .Values.tls.certManager.enabled) }}
+{{- true }}
+{{- else }}
+{{- false }}
+{{- end }}
+{{- end }}
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/certificate.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/certificate.yaml
new file mode 100644
index 000000000..3dce910ae
--- /dev/null
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/certificate.yaml
@@ -0,0 +1,26 @@ +{{- define "spiffe-oidc-discovery-provider.cert-manager-default-cert" }} +{{- $fullName := include "spiffe-oidc-discovery-provider.fullname" . }} +dnsNames: + {{- if ne (len .Values.tls.certManager.certificate.dnsNames) 0 }} + {{- toYaml .Values.tls.certManager.certificate.dnsNames | nindent 4 }} + {{- else }} + - {{ include "spire-lib.ingress-calculated-name" (dict "ingress" .Values.ingress "Values" .Values) }} + {{- end }} +issuerRef: + {{- with .Values.tls.certManager.certificate.issuerRef.group }} + group: {{ . }} + {{- end }} + kind: {{ default "Issuer" .Values.tls.certManager.certificate.issuerRef.kind }} + name: {{ default $fullName .Values.tls.certManager.certificate.issuerRef.name }} +secretName: {{ $fullName }}-cert +{{- end }} +{{- if .Values.tls.certManager.enabled }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "spiffe-oidc-discovery-provider.fullname" . }} + namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }} +spec: + {{ merge (include "spiffe-oidc-discovery-provider.cert-manager-default-cert" . | fromYaml) .Values.tls.certManager.certificate | toYaml | nindent 2 }} +{{- end }} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml index ed554059b..66930ef94 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml 
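Review bot: `merge (include "...cert-manager-default-cert" . | fromYaml) .Values.tls.certManager.certificate` gives precedence to its first argument, so any key the default template also emits (`secretName`, and the `issuerRef`/`dnsNames` values already folded into the default) cannot be overridden from `tls.certManager.certificate`, whereas issuer.yaml in the same change uses `mergeOverwrite` for the analogous user override. If the intent is that only fields absent from the default (e.g. `duration`, `privateKey`, `usages`) are user-settable, say so above the `spec:` line, e.g. `# defaults win for keys both define; other Certificate fields from tls.certManager.certificate pass through`; otherwise switch to `mergeOverwrite` so the two templates behave alike.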
@@ -1,3 +1,17 @@ +{{- $tlsCount := 0 }} +{{- if and .Values.enabled .Values.tls.spire.enabled }} +{{- fail "Built in SPIRE support is not yet supported." }} +{{- $tlsCount = add $tlsCount 1 }} +{{- end }} +{{- if and .Values.enabled .Values.tls.externalSecret.enabled }} +{{- $tlsCount = add $tlsCount 1 }} +{{- end }} +{{- if and .Values.enabled .Values.tls.certManager.enabled }} +{{- $tlsCount = add $tlsCount 1 }} +{{- end }} +{{- if gt $tlsCount 1 }} +{{- fail "You can only have one TLS configuration enabled" }} +{{- end }} {{- include "spire-lib.check-strict-mode" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}} {{- include "spire-lib.check-strict-mode" (list . "jwtIssuer must be set" (eq (include "spire-lib.jwt-issuer" .) "https://oidc-discovery.example.org"))}} {{- $oidcSocket := "/run/spire/oidc-sockets/spire-oidc-server.sock" }} @@ -14,15 +28,14 @@ domains: {{- $jwtIssuer := (default $uri.path $uri.host) }} {{- uniq (concat (list $jwtIssuer) .Values.config.additionalDomains) | toYaml | nindent 2 }} -{{- if .Values.insecureScheme.enabled }} -allow_insecure_scheme: {{ .Values.insecureScheme.enabled }} +{{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }} +allow_insecure_scheme: true listen_socket_path: {{ $oidcSocket | quote }} {{- else }} -acme: - directory_url: {{ .Values.config.acme.directoryUrl | quote }} - cache_dir: {{ .Values.config.acme.cacheDir | quote }} - tos_accepted: {{ .Values.config.acme.tosAccepted }} - email: {{ .Values.config.acme.emailAddress | quote }} +serving_cert_file: + cert_file_path: /certs/tls.crt + key_file_path: /certs/tls.key + addr: ':8443' {{- end }} workload_api: 
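Review bot: The `{{- $tlsCount = add $tlsCount 1 }}` after `fail "Built in SPIRE support is not yet supported."` can never execute, and the message gives the operator no way forward even though `tls.spire.enabled` is what values.yaml ships as `true`. Drop the dead increment and make the failure actionable, e.g. `{{- fail "tls.spire.enabled is not yet supported: set tls.spire.enabled=false and enable tls.externalSecret or tls.certManager (leave all three disabled only for plaintext serving)" }}`. The strict-mode checks that follow are unchanged context.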
@@ -47,7 +60,7 @@ metadata: data: oidc-discovery-provider.conf: | {{- include "spiffe-oidc-discovery-provider.yaml-config" (dict "oidcSocket" $oidcSocket "root" .) | fromYaml | toPrettyJson | nindent 4 }} - {{- if .Values.insecureScheme.enabled }} + {{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }} default.conf: | upstream oidc { server unix:{{ $oidcSocket }}; diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml index 62ef2a452..eaa0e7902 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml @@ -1,3 +1,4 @@ +{{- $tlsEnabled := eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "true" }} {{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }} apiVersion: apps/v1 kind: Deployment @@ -26,6 +27,9 @@ spec: {{- end }} labels: {{- include "spiffe-oidc-discovery-provider.selectorLabels" . | nindent 8 }} + release: {{ .Release.Name }} + release-namespace: {{ .Release.Namespace }} + component: oidc-discovery-provider spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: @@ -46,8 +50,8 @@ spec: ports: - containerPort: 8008 name: healthz - {{- if not .Values.insecureScheme.enabled }} - - containerPort: 443 + {{- if $tlsEnabled }} + - containerPort: 8443 name: https {{- end }} volumeMounts: @@ -61,6 +65,9 @@ spec: mountPath: /run/spire/oidc/config/oidc-discovery-provider.conf subPath: oidc-discovery-provider.conf readOnly: true + - name: certdir + mountPath: /certs + readOnly: true readinessProbe: httpGet: path: /ready 
@@ -73,7 +80,7 @@ spec: {{- toYaml .Values.livenessProbe | nindent 12 }} resources: {{- toYaml .Values.resources | nindent 12 }} - {{- if .Values.insecureScheme.enabled }} + {{- if not $tlsEnabled }} - name: nginx securityContext: {{- include "spire-lib.securitycontext" . | nindent 12 }} @@ -113,7 +120,7 @@ spec: volumes: - name: spiffe-workload-api csi: - driver: "csi.spiffe.io" + driver: "{{ .Values.csiDriverName }}" readOnly: true - name: spire-oidc-sockets emptyDir: {} @@ -122,6 +129,16 @@ spec: name: {{ include "spiffe-oidc-discovery-provider.fullname" . }} - name: nginx-tmp emptyDir: {} + - name: certdir + {{- if .Values.tls.externalSecret.enabled }} + secret: + secretName: {{ .Values.tls.externalSecret.secretName }} + {{- else if .Values.tls.certManager.enabled }} + secret: + secretName: {{ include "spiffe-oidc-discovery-provider.fullname" . }}-cert + {{- else }} + emptyDir: {} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml index 6f5913efc..53c3813a9 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml 
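Review bot: `secretName: {{ .Values.tls.externalSecret.secretName }}` renders an empty value when an operator enables `tls.externalSecret` but leaves the name at its `""` default, yielding a Secret volume with no name that only fails at apply time rather than at template time. Make it a hard render error: `secretName: {{ required "tls.externalSecret.secretName must be set when tls.externalSecret.enabled is true" .Values.tls.externalSecret.secretName }}`. The `volumes:` list continues outside the hunk.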
@@ -1,13 +1,36 @@ {{- if .Values.ingress.enabled -}} +{{- $tlsEnabled := eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "true" }} +{{- $port := .Values.service.ports.https }} +{{- if not $tlsEnabled }} +{{- $port = .Values.service.ports.http }} +{{- end }} {{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.ingress) }} {{- $fullName := include "spiffe-oidc-discovery-provider.fullname" . }} +{{- $path := "/" }} +{{- $pathType := "Prefix" }} {{- $tlsSection := true }} {{- $annotations := deepCopy .Values.ingress.annotations }} {{- if eq $ingressControllerType "ingress-nginx" }} {{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }} {{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }} +{{- if $tlsEnabled }} +{{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }} +{{- if not (and .Values.ingress.enabled .Values.ingress.tlsSecret) }} +{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }} +{{- end }} +{{- end }} {{- else if eq $ingressControllerType "openshift" }} -{{- $_ := set $annotations "route.openshift.io/termination" "edge" }} +{{- if not $tlsEnabled }} +{{- $_ := set $annotations "route.openshift.io/termination" "edge" }} +{{- else }} +{{- if and .Values.ingress.enabled .Values.ingress.tlsSecret }} +{{- $_ := set $annotations "route.openshift.io/termination" "reencrypt" }} +{{- else }} +{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }} +{{- end }} +{{- end }} +{{- $path = "" }} +{{- $pathType = "ImplementationSpecific" }} {{- $tlsSection = false }} {{- end }} apiVersion: networking.k8s.io/v1 
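Review bot: `nginx.ingress.kubernetes.io/ssl-passthrough` is only honoured when ingress-nginx runs with `--enable-ssl-passthrough`; otherwise the annotation is ignored, the controller terminates TLS with its own default certificate and re-proxies to the pod over HTTPS, so clients end up seeing a different certificate from the one cert-manager or the external Secret provisioned. The OpenShift `reencrypt` branch likewise supplies no destination CA, which only works when the pod's serving certificate chains to a CA the router already trusts (an ACME certificate does, a privately signed externalSecret generally does not). Add a comment above the passthrough line, e.g. `# requires ingress-nginx --enable-ssl-passthrough; otherwise TLS terminates at the ingress with its default cert`, and one above the reencrypt line pointing at `route.openshift.io/destination-ca-certificate-secret` for privately signed serving certs. Minor: the template is already inside `{{- if .Values.ingress.enabled -}}`, so `(and .Values.ingress.enabled .Values.ingress.tlsSecret)` can be just `.Values.ingress.tlsSecret` in both branches.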
@@ -22,5 +45,5 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.ingress "svcName" $fullName "port" .Values.service.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" .Values) | nindent 2 }} + {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.ingress "svcName" $fullName "port" $port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }} {{- end }} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/issuer.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/issuer.yaml new file mode 100644 index 000000000..e12755c00 --- /dev/null +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/issuer.yaml @@ -0,0 +1,22 @@ +{{- define "spiffe-oidc-discovery-provider.cert-manager-default-issuer" }} +{{- if not .Values.tls.certManager.issuer.acme.email }} +{{- fail "You must specify an email address via certManager.issuer.acme.email" }} +{{- end }} +email: {{ .Values.tls.certManager.issuer.acme.email | quote}} +server: {{ .Values.tls.certManager.issuer.acme.server | quote}} +privateKeySecretRef: + name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}-issuer +solvers: +- http01: + ingress: {} +{{- end }} +{{- if and .Values.tls.certManager.enabled .Values.tls.certManager.issuer.create }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ include "spiffe-oidc-discovery-provider.fullname" . }} + namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }} +spec: + acme: + {{ mergeOverwrite (include "spiffe-oidc-discovery-provider.cert-manager-default-issuer" . | fromYaml) .Values.tls.certManager.issuer.acme | toYaml | nindent 4 }} +{{- end }} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/podmonitor.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/podmonitor.yaml index dec060f91..b0457dcbc 100644 
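Review bot: The failure message `You must specify an email address via certManager.issuer.acme.email` names the wrong path; the value lives at `tls.certManager.issuer.acme.email`, so an operator following the message will set a key the chart never reads. Separately, the default solver `http01: ingress: {}` carries no ingress class, so on a cluster without a default IngressClass (or with several controllers) the challenge Ingress cert-manager creates may be served by nothing and the order stalls silently; values.yaml only hints at `ingressClassName: nginx` in a comment. Either derive the solver's class from the chart's own ingress settings or document the precondition above `solvers:`, e.g. `# http01 via a class-less Ingress needs a cluster default IngressClass; override tls.certManager.issuer.acme.solvers otherwise`.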
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/podmonitor.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/podmonitor.yaml @@ -1,4 +1,4 @@ -{{- if .Values.insecureScheme.enabled }} +{{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }} {{- if (dig "telemetry" "prometheus" "podMonitor" "enabled" .Values.telemetry.prometheus.podMonitor.enabled .Values.global) }} {{- $namespace := include "spiffe-oidc-discovery-provider.podMonitor.namespace" . }} {{- $podNamespace := ( include "spiffe-oidc-discovery-provider.namespace" . ) }} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/service.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/service.yaml index e39821634..fb8de108f 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/service.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/service.yaml @@ -10,14 +10,14 @@ metadata: spec: type: {{ .Values.service.type }} ports: - {{- if .Values.insecureScheme.enabled }} + {{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }} - name: http - port: {{ .Values.service.port }} + port: {{ .Values.service.ports.http }} targetPort: http protocol: TCP {{- else }} - name: https - port: 443 + port: {{ .Values.service.ports.https }} targetPort: https protocol: TCP {{- end }} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml index 93ce0d375..99c7c2743 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml 
@@ -1,5 +1,11 @@ {{- $values := merge .Values }} {{- $host := include "spire-lib.ingress-calculated-name" (dict "Values" .Values "ingress" .Values.ingress) }} +{{- $protocol := "https" }} +{{- $port := .Values.service.ports.https }} +{{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }} +{{- $protocol = "http" }} +{{- $port = .Values.service.ports.http }} +{{- end }} {{- if gt (len .Values.ingress.hosts) 0 }} {{- $host = (index .Values.ingress.hosts 0).host }} {{- end }} 
@@ -19,19 +25,19 @@ spec: - name: curl-service-name image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] - args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}:{{ .Values.service.port }}/.well-known/openid-configuration'] + args: ['-s', '-f', '-k', '{{ $protocol }}://{{ include "spiffe-oidc-discovery-provider.fullname" . }}:{{ $port }}/.well-known/openid-configuration'] securityContext: {{- include "spire-lib.securitycontext" . | nindent 8 }} - name: curl-service-name-namespace image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] - args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}:{{ .Values.service.port }}/.well-known/openid-configuration'] + args: ['-s', '-f', '-k', '{{ $protocol }}://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}:{{ $port }}/.well-known/openid-configuration'] securityContext: {{- include "spire-lib.securitycontext" . | nindent 8 }} - name: curl-service-name-namespace-svc-cluster-local image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] - args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}/.well-known/openid-configuration'] + args: ['-s', '-f', '-k', '{{ $protocol }}://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ $port }}/.well-known/openid-configuration'] securityContext: {{- include "spire-lib.securitycontext" . | nindent 8 }} {{- if .Values.ingress.enabled }} 
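Review bot: The `-k` added to all three curl invocations disables certificate verification with no explanation, which a reader will reasonably take for a hidden trust problem. It is presumably needed because the serving certificate is issued for the ingress hostname (certificate.yaml defaults `dnsNames` to the calculated ingress name) rather than the in-cluster Service DNS name the test dials, so add a comment above each args line, e.g. `# -k: serving cert is for the ingress host, not <svc>.<ns>.svc, so verification cannot succeed here`. If the test is meant to prove the chain, `--resolve <ingress-host>:<port>:<svc-ip> --cacert <ca>` would do so without disabling verification. In the plaintext branch `-k` is a harmless no-op.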
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml index f7f21ebfd..8157e498d 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-keys.yaml @@ -1,3 +1,9 @@ +{{- $protocol := "https" }} +{{- $port := .Values.service.ports.https }} +{{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }} +{{- $protocol = "http" }} +{{- $port = .Values.service.ports.http }} +{{- end }} apiVersion: v1 kind: Pod metadata: @@ -5,6 +11,9 @@ metadata: namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }} labels: {{- include "spiffe-oidc-discovery-provider.labels" . | nindent 4 }} + release: {{ .Release.Name }} + release-namespace: {{ .Release.Namespace }} + component: test-keys annotations: "helm.sh/hook": test spec: @@ -70,7 +79,7 @@ spec: args: - -cx - | - URL=http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }} + URL={{ $protocol }}://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ $port }} cat /data/token.svid JWT=$(cat /data/token.svid | jq -r '.[] | select(.svids) | .svids[0].svid' | xargs) diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 046daa8c1..f0d5eb98b 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
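Review bot: `URL=` now switches to `https://<svc>.<ns>.svc...:<port>` whenever TLS is enabled, but the curl calls that consume `$URL` sit further down the script, outside this hunk; unless they pass `-k` or a matching `--cacert`, they will fail verification for the same reason test-connection.yaml had to add `-k` (the serving cert is issued for the ingress host, not the Service name) — please confirm. If `-k` is the chosen answer, a one-line comment next to `URL=` such as `# https here is served with a cert for the ingress host; callers below skip verification` keeps the two tests consistent and the reason visible.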
@@ -8,6 +8,8 @@ global: {} ## ## @param agentSocketName The name of the spire-agent unix socket agentSocketName: spire-agent.sock +## @param csiDriverName The csi driver to use +csiDriverName: csi.spiffe.io ## @param replicaCount Replica count replicaCount: 1 @@ -45,12 +47,15 @@ resources: {} # memory: 64Mi ## @param service.type Service type -## @param service.port Service port +## @param service.ports.http Insecure port for the service +## @param service.ports.https Secure port for the service ## @param service.annotations Annotations for service resource ## service: type: ClusterIP - port: 80 + ports: + http: 80 + https: 443 annotations: {} # external-dns.alpha.kubernetes.io/hostname: oidc-discovery.example.org 
@@ -88,16 +93,53 @@ livenessProbe: ## @param podAnnotations [object] Pod annotations for Spire OIDC discovery provider podAnnotations: {} -insecureScheme: - ## @param insecureScheme.enabled Flag to enable insecure schema - enabled: false +# Select from one of the options below to be the source of certificates for OIDC Discovery Provider. +# If none are enabled, connections won't be TLS encrypted. +tls: + spire: + ## @param tls.spire.enabled Use spire to secure the oidc-discovery-provider + enabled: true + externalSecret: + ## @param tls.externalSecret.enabled Provide your own certificate/key via tls style Kubernetes Secret + enabled: false + ## @param tls.externalSecret.secretName Specify which Secret to use + secretName: "" + + certManager: + ## @param tls.certManager.enabled Use certificateManager to create the certificate + enabled: false + issuer: + ## @param tls.certManager.issuer.create Create an issuer to use to issue the certificate + create: true + acme: + ## @param tls.certManager.issuer.acme.email Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service + email: "" + ## @param tls.certManager.issuer.acme.server Server to use to get certificate. Defaults to LetsEncrypt + server: https://acme-v02.api.letsencrypt.org/directory + # Testing server: https://acme-staging-v02.api.letsencrypt.org/directory + ## @param tls.certManager.issuer.acme.solvers [object] Configure the issuer solvers. Defaults to http01 via ingress. + solvers: {} + # - http01: + # ingress: + # ingressClassName: nginx + certificate: + ## @param tls.certManager.certificate.dnsNames Override the dnsNames on the certificate request. Defaults to the same settings as Ingress + dnsNames: [] + ## @param tls.certManager.certificate.issuerRef.group If you are using an external plugin, specify the group for it here + ## @param tls.certManager.certificate.issuerRef.kind Kind of the issuer reference. 
Override if you want to use a ClusterIssuer + ## @param tls.certManager.certificate.issuerRef.name Name of the issuer to use. If unset, it will use the name of the built in issuer + issuerRef: + group: "" + kind: Issuer + name: "" + +insecureScheme: nginx: - ## @param insecureScheme.nginx.image.registry The OCI registry to pull the image from - ## @param insecureScheme.nginx.image.repository The repository within the registry - ## @param insecureScheme.nginx.image.pullPolicy The image pull policy - ## @param insecureScheme.nginx.image.version This value is deprecated in favor of tag. (Will be removed in a future release) - ## @param insecureScheme.nginx.image.tag Overrides the image tag whose default is the chart appVersion + ## @param insecureScheme.nginx.image.registry The OCI registry to pull the image from. Only used when TLS is disabled. + ## @param insecureScheme.nginx.image.repository The repository within the registry. Only used when TLS is disabled. + ## @param insecureScheme.nginx.image.pullPolicy The image pull policy. Only used when TLS is disabled. + ## @param insecureScheme.nginx.image.tag Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. ## Example: ## chainguard image does not support the templates feature ## https://github.com/chainguard-images/nginx/issues/43 @@ -110,7 +152,6 @@ insecureScheme: registry: docker.io repository: nginxinc/nginx-unprivileged pullPolicy: IfNotPresent - version: "" tag: 1.25.3-alpine ## @param insecureScheme.nginx.resources Resource requests and limits resources: {} 
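Review bot: The new header comment says "If none are enabled, connections won't be TLS encrypted", yet the shipped default `tls.spire.enabled: true` is rejected by configmap.yaml (`fail "Built in SPIRE support is not yet supported."`), so an install with this subchart enabled cannot render until the operator explicitly disables it, and the value's own comment does not say so. Reword the `## @param tls.spire.enabled` line to `Use spire to secure the oidc-discovery-provider (not yet implemented; rendering fails while true — disable it and choose externalSecret or certManager)`. `tls.externalSecret.secretName` should likewise state that it is required when `tls.externalSecret.enabled` is true and that the Secret must carry `tls.crt`/`tls.key` (a `kubernetes.io/tls` Secret), since the deployment mounts it at `/certs` and the config reads those two file names. The hunk begins on the previous line.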
@@ -135,16 +176,6 @@ config: additionalDomains: [] # - localhost - acme: - ## @param config.acme.tosAccepted Flag for Terms of Service acceptance - tosAccepted: false - ## @param config.acme.cacheDir Path for cache directory - cacheDir: /run/spire - ## @param config.acme.directoryUrl URL for acme directory - directoryUrl: https://acme-v02.api.letsencrypt.org/directory - ## @param config.acme.emailAddress Email address for registration - emailAddress: letsencrypt@example.org - ## @param imagePullSecrets [array] Image pull secret names imagePullSecrets: [] diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index a8c089148..558d16b32 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -79,194 +79,200 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr ### Chart parameters -| Name | Description | Value | -| --------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | -| `replicaCount` | SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. | `1` | -| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `image.repository` | The repository within the registry | `spiffe/spire-server` | -| `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `imagePullSecrets` | Pull secrets for images | `[]` | -| `nameOverride` | Name override | `""` | -| `namespaceOverride` | Namespace override | `""` | -| `fullnameOverride` | Fullname override | `""` | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. 
| `""` | -| `podAnnotations` | Annotations to add to pods | `{}` | -| `podSecurityContext` | Pod security context | `{}` | -| `securityContext` | Security context | `{}` | -| `priorityClassName` | Priority class assigned to statefulset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | -| `service.type` | Type of the Spire server service created | `ClusterIP` | -| `service.port` | Port for the created service | `8081` | -| `service.annotations` | Annotations to add to the service object | `{}` | -| `configMap.annotations` | Annotations to add to the SPIRE Server ConfigMap | `{}` | -| `resources` | Resource requests and limits | `{}` | -| `autoscaling.enabled` | Flag to enable autoscaling | `false` | -| `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | -| `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `100` | -| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` | -| `nodeSelector` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | `{}` | -| `tolerations` | List of tolerations | `[]` | -| `affinity` | List of node affinities | `{}` | -| `topologySpreadConstraints` | Topology spread constraints for resilience | `[]` | -| `livenessProbe.failureThreshold` | Failure threshold count for livenessProbe | `2` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | -| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `60` | -| `livenessProbe.timeoutSeconds` | Timeout in seconds for livenessProbe | `3` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | -| `persistence.type` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `pvc` | -| `persistence.size` | What type of volume to use for persistence. 
Valid options pvc (recommended), hostPath, emptyDir (testing only) | `1Gi` | -| `persistence.accessMode` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `ReadWriteOnce` | -| `persistence.storageClass` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `nil` | -| `persistence.hostPath` | Which path to use on the host when type = hostPath | `""` | -| `dataStore.sql.databaseType` | Other supported databases are "postgres" and "mysql" | `sqlite3` | -| `dataStore.sql.databaseName` | Only used by "postgres" or "mysql" | `spire` | -| `dataStore.sql.host` | Only used by "postgres" or "mysql" | `""` | -| `dataStore.sql.port` | If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. | `0` | -| `dataStore.sql.username` | Only used by "postgres" or "mysql" | `spire` | -| `dataStore.sql.password` | Only used by "postgres" or "mysql" | `""` | -| `dataStore.sql.options` | Only used by "postgres" or "mysql" | `[]` | -| `dataStore.sql.plugin_data` | Settings from https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md go in this section | `{}` | -| `dataStore.sql.externalSecret.enabled` | Enable external secret for datastore creds | `false` | -| `dataStore.sql.externalSecret.name` | The name of the secret object | `""` | -| `dataStore.sql.externalSecret.key` | The key of the secret object whose value is the dataStore.sql password | `""` | -| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | -| `jwtIssuer` | The JWT issuer domain. Defaults to oidc-discovery.$trustDomain if unset | `""` | -| `clusterName` | Set the name of the Kubernetes cluster. 
(`kubeadm init --service-dns-domain`) | `example-cluster` | -| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` | -| `bundleConfigMap` | Set the trust domain to be used for the SPIFFE identifiers | `spire-bundle` | -| `clusterDomain` | This is the value of your clusters `kubeadm init --service-dns-domain` flag | `cluster.local` | -| `federation.enabled` | Flag to enable federation | `false` | -| `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` | -| `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` | -| `federation.ingress.enabled` | Flag to enable ingress for federation | `false` | -| `federation.ingress.className` | Ingress class name for federation | `""` | -| `federation.ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | -| `federation.ingress.annotations` | Annotations for the ingress object | `{}` | -| `federation.ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server-federation` | -| `federation.ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | -| `federation.ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | -| `federation.ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. 
| `[]` | -| `ca_subject.country` | Country for Spire server CA | `ARPA` | -| `ca_subject.organization` | Organization for Spire server CA | `Example` | -| `ca_subject.common_name` | Common Name for Spire server CA | `example.org` | -| `keyManager.disk.enabled` | Flag to enable keyManager on disk | `true` | -| `keyManager.memory.enabled` | Flag to enable keyManager in memory | `false` | -| `keyManager.awsKMS.enabled` | Flag to enable keyManager in memory | `false` | -| `keyManager.awsKMS.region` | Specify the region for AWS KMS | `""` | -| `keyManager.awsKMS.keyPolicy` | Policy to use when creating keys. If no policy is specified, a default policy will be used. | | -| `keyManager.awsKMS.keyPolicy.policy` | Key policy in JSON format. | `""` | -| `keyManager.awsKMS.keyPolicy.existingConfigMap` | Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. | `""` | -| `keyManager.awsKMS.accessKeyID` | Access key ID for the AWS account. It's recommended to use an IAM role instead. See [here](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) to learn how to annotate your SPIRE Server Service Account to assume an IAM role. | `""` | -| `keyManager.awsKMS.secretAccessKey` | Secret access key for the AWS account. | `""` | -| `upstreamAuthority.disk.enabled` | Flag to enable upstream authority plugin on disk | `false` | -| `upstreamAuthority.disk.secret.create` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. | `true` | -| `upstreamAuthority.disk.secret.name` | If secret creation is disabled, the secret with this name will be used. | `spiffe-upstream-ca` | -| `upstreamAuthority.disk.secret.data` | If secret creation is enabled, will create a secret with following certificate info | | -| `upstreamAuthority.disk.secret.data.certificate` | Certificate to store within disk upstreamAuthority. 
| `""` | -| `upstreamAuthority.disk.secret.data.key` | Key corresponding to the upstreamAuthority. | `""` | -| `upstreamAuthority.disk.secret.data.bundle` | Trust bundle for upstreamAuthority. | `""` | -| `upstreamAuthority.awsPCA.enabled` | Flag to enable upstream authority plugin with AWS PCA | `false` | -| `upstreamAuthority.awsPCA.region` | AWS Region to use | `""` | -| `upstreamAuthority.awsPCA.certificateAuthorityARN` | ARN of the "upstream" CA certificate | `""` | -| `upstreamAuthority.awsPCA.assumeRoleARN` | (Optional) ARN of an IAM role to assume | `""` | -| `upstreamAuthority.awsPCA.caSigningTemplateARN` | (Optional) ARN of the signing template to use for the server's CA. Defaults to a signing template for end-entity certificates only. See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values. | `""` | -| `upstreamAuthority.awsPCA.signingAlgorithm` | (Optional) Signing algorithm to use for the server's CA. Defaults to the CA's default. See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values. | `""` | -| `upstreamAuthority.awsPCA.endpoint` | (Optional) Endpoint as hostname or fully-qualified URI that overrides the default endpoint. See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information. | `""` | -| `upstreamAuthority.awsPCA.supplementalBundlePath` | (Optional) Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle. 
| `""` | -| `upstreamAuthority.certManager.enabled` | Flag to enable upstream authority plugin with cert manager | `false` | -| `upstreamAuthority.certManager.rbac.create` | Flag to create RBAC roles | `true` | -| `upstreamAuthority.certManager.issuer_name` | Defaults to the release name, override if CA is provided outside of the chart | `""` | -| `upstreamAuthority.certManager.issuer_kind` | Defaults to "Issuer", override if CA is provided outside of the chart | `Issuer` | -| `upstreamAuthority.certManager.issuer_group` | Defaults to "cert-manager.io", override if CA is provided outside of the chart | `cert-manager.io` | -| `upstreamAuthority.certManager.namespace` | Specify to use a namespace other then the one the chart is installed into | `""` | -| `upstreamAuthority.certManager.kube_config_file` | Path to kube_config_file on node to setup cert manager | `""` | -| `upstreamAuthority.certManager.ca.create` | Creates a Cert-Manager CA | `false` | -| `upstreamAuthority.certManager.ca.duration` | Duration of the CA. 
Defaults to 10 years | `87600h` | -| `upstreamAuthority.certManager.ca.privateKey.algorithm` | Algorithm to generate private key for CA | `ECDSA` | -| `upstreamAuthority.certManager.ca.privateKey.size` | Size of generated private key for CA | `256` | -| `upstreamAuthority.certManager.ca.privateKey.rotationPolicy` | Rotation policy for generated private key | `""` | -| `upstreamAuthority.certManager.ca.renewBefore` | How long to wait before renewing the CA | `""` | -| `upstreamAuthority.spire.enabled` | Flag to use another Spire install as upstream CA | `false` | -| `upstreamAuthority.spire.upstreamDriver` | Driver for Spire as upstream CA | `""` | -| `upstreamAuthority.spire.server` | Server details for the Spire instance use as upstream CA | | -| `upstreamAuthority.spire.server.address` | Address for upstream Spire server | `""` | -| `upstreamAuthority.spire.server.port` | Port for upstream Spire server | `8081` | -| `upstreamAuthority.vault.enabled` | Enable Hashicorp Vault as upstream CA | `false` | -| `upstreamAuthority.vault.vaultAddr` | The URL of the Vault server. (e.g., https://vault.example.com:8443/) | `""` | -| `upstreamAuthority.vault.namespace` | Name of the Vault namespace. This is only available in the Vault Enterprise. 
| `""` | -| `upstreamAuthority.vault.pkiMountPoint` | Name of the mount point where PKI secret engine is mounted | `pki` | -| `upstreamAuthority.vault.insecureSkipVerify` | If true, caCert options are ignored and Spire accepts any server certificates claiming to be Vault | `false` | -| `upstreamAuthority.vault.caCert.type` | Type of resource representing the Vault server certificate, options are 'Secret' or 'Configmap', the item must be named `ca.crt` | `Secret` | -| `upstreamAuthority.vault.caCert.name` | Name of the Kubernetes resource containing the Vault server certificate | `vault-ca` | -| `upstreamAuthority.vault.k8sAuth.enabled` | Enable k8s authentication to Hashicorp Vault | `false` | -| `upstreamAuthority.vault.k8sAuth.k8sAuthMountPoint` | Name of the mount point where the Kubernetes auth method is mounted | `kubernetes` | -| `upstreamAuthority.vault.k8sAuth.k8sAuthRoleName` | Required - Name of the Vault role. The plugin authenticates against the named role | `""` | -| `upstreamAuthority.vault.k8sAuth.token.audience` | Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server. See ['Service Account Documentation'](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for more info. | `vault` | -| `upstreamAuthority.vault.k8sAuth.token.expiry` | Expiry time in seconds for the token | `7200` | -| `notifier.k8sbundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` | -| `controllerManager.enabled` | Flag to enable controller manager | `false` | -| `controllerManager.className` | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. 
| `""` | -| `controllerManager.watchClassless` | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. | `false` | -| `controllerManager.installAndUpgradeHook.enabled` | Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | -| `controllerManager.deleteHook.enabled` | Enable Helm hook to autofix common delete issues (should be disabled when using `helm template`) | `true` | -| `controllerManager.image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `controllerManager.image.repository` | The repository within the registry | `spiffe/spire-controller-manager` | -| `controllerManager.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `controllerManager.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.4.0` | -| `controllerManager.resources` | Resource requests and limits for controller manager | `{}` | -| `controllerManager.securityContext` | Security context | `{}` | -| `controllerManager.service.type` | Service type for controller manager | `ClusterIP` | -| `controllerManager.service.port` | Service port for controller manager | `443` | -| `controllerManager.service.annotations` | Annotations for service resource | `{}` | -| `controllerManager.configMap.annotations` | Annotations to add to the Controller Manager ConfigMap | `{}` | -| `controllerManager.ignoreNamespaces` | These namespaces are ignored by controller manager | `[]` | -| `controllerManager.identities.clusterSPIFFEIDs.default.enabled` | Enable this identity for controller manager | `true` | -| `controllerManager.identities.clusterSPIFFEIDs.default.spiffeIDTemplate` | Spiffe ID template for identities | `spiffe://{{ 
.TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}` | -| `controllerManager.identities.clusterSPIFFEIDs.default.podSelector` | Selector for pods to issue identity | `{}` | -| `controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector` | Selector for namespacs to issue identity | `{}` | -| `controllerManager.identities.clusterSPIFFEIDs.default.dnsNameTemplates` | DNS name template for issued identities | `[]` | -| `controllerManager.identities.clusterSPIFFEIDs.default.federatesWith` | Other Spire server URLs for identity federation | `[]` | -| `controllerManager.identities.clusterSPIFFEIDs.default.workloadSelectorTemplates` | Templates to produce selectors that apply to a given workload before it will receive an ID | `[]` | -| `controllerManager.identities.clusterSPIFFEIDs.default.ttl` | Indicates an upper-bound time-to-live for X509 SVIDs. If unset, the cluster default will be chosen. | `""` | -| `controllerManager.identities.clusterSPIFFEIDs.default.jwtTTL` | Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen. | `""` | -| `controllerManager.identities.clusterSPIFFEIDs.default.admin` | Indicates any pod matched by this identity will be an admin. Use this with extreme care. | `false` | -| `controllerManager.identities.clusterSPIFFEIDs.default.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `false` | -| `controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames` | Auto populate DNS names from services attached to pods | `false` | -| `controllerManager.identities.clusterStaticEntries` | Specify ClusterStaticEntry objects. | `{}` | -| `controllerManager.identities.clusterFederatedTrustDomains` | Specify ClusterFederatedTrustDomain objects. 
| `{}` | -| `controllerManager.validatingWebhookConfiguration.failurePolicy` | Action when identity is not issued | `Fail` | -| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | -| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | -| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tools.kubectl.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | -| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | -| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | -| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | -| `ingress.enabled` | Flag to enable ingress | `false` | -| `ingress.className` | Ingress class name | `""` | -| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | -| `ingress.annotations` | Annotations for the ingress object | `{}` | -| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server` | -| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | -| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. 
| `[]` | -| `ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` | -| `extraVolumes` | Extra volumes to be mounted | `[]` | -| `extraVolumeMounts` | Extra volume mounts | `[]` | -| `extraContainers` | Additional containers to create | `[]` | -| `initContainers` | Additional init containers to create | `[]` | -| `caKeyType` | The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. EC cryptography is not supported) | `rsa-2048` | -| `caTTL` | TTL for CA | `24h` | -| `defaultX509SvidTTL` | TTL for X509 Svids | `4h` | -| `defaultJwtSvidTTL` | TTL for JWT Svids | `1h` | -| `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s nodeattestor | `true` | -| `nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` | +| Name | Description | Value | +| -------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | +| `replicaCount` | SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. | `1` | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/spire-server` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `imagePullSecrets` | Pull secrets for images | `[]` | +| `nameOverride` | Name override | `""` | +| `namespaceOverride` | Namespace override | `""` | +| `fullnameOverride` | Fullname override | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` | +| `podAnnotations` | Annotations to add to pods | `{}` | +| `podSecurityContext` | Pod security context | `{}` | +| `securityContext` | Security context | `{}` | +| `priorityClassName` | Priority class assigned to statefulset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | +| `service.type` | Type of the Spire server service created | `ClusterIP` | +| `service.port` | Port for the created service | `8081` | +| `service.annotations` | Annotations to add to the service object | `{}` | +| `configMap.annotations` | Annotations to add to the SPIRE Server ConfigMap | `{}` | +| `resources` | Resource requests and limits | `{}` | +| `autoscaling.enabled` | Flag to enable autoscaling | `false` | +| `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | +| `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `100` | +| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` | +| `nodeSelector` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | `{}` | +| `tolerations` | List of tolerations | `[]` | +| `affinity` | List of node affinities | `{}` | +| `topologySpreadConstraints` | Topology spread constraints for resilience | `[]` | +| `livenessProbe.failureThreshold` | Failure threshold count for livenessProbe | 
`2` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `60` | +| `livenessProbe.timeoutSeconds` | Timeout in seconds for livenessProbe | `3` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `persistence.type` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `pvc` | +| `persistence.size` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `1Gi` | +| `persistence.accessMode` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `ReadWriteOnce` | +| `persistence.storageClass` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `nil` | +| `persistence.hostPath` | Which path to use on the host when type = hostPath | `""` | +| `dataStore.sql.databaseType` | Other supported databases are "postgres" and "mysql" | `sqlite3` | +| `dataStore.sql.databaseName` | Only used by "postgres" or "mysql" | `spire` | +| `dataStore.sql.host` | Only used by "postgres" or "mysql" | `""` | +| `dataStore.sql.port` | If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. 
| `0` | +| `dataStore.sql.username` | Only used by "postgres" or "mysql" | `spire` | +| `dataStore.sql.password` | Only used by "postgres" or "mysql" | `""` | +| `dataStore.sql.options` | Only used by "postgres" or "mysql" | `[]` | +| `dataStore.sql.plugin_data` | Settings from https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md go in this section | `{}` | +| `dataStore.sql.externalSecret.enabled` | Enable external secret for datastore creds | `false` | +| `dataStore.sql.externalSecret.name` | The name of the secret object | `""` | +| `dataStore.sql.externalSecret.key` | The key of the secret object whose value is the dataStore.sql password | `""` | +| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | +| `jwtIssuer` | The JWT issuer domain. Defaults to oidc-discovery.$trustDomain if unset | `""` | +| `clusterName` | Set the name of the Kubernetes cluster. (`kubeadm init --service-dns-domain`) | `example-cluster` | +| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` | +| `bundleConfigMap` | Set the trust domain to be used for the SPIFFE identifiers | `spire-bundle` | +| `clusterDomain` | This is the value of your clusters `kubeadm init --service-dns-domain` flag | `cluster.local` | +| `federation.enabled` | Flag to enable federation | `false` | +| `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` | +| `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` | +| `federation.ingress.enabled` | Flag to enable ingress for federation | `false` | +| `federation.ingress.className` | Ingress class name for federation | `""` | +| `federation.ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. 
| `""` | +| `federation.ingress.annotations` | Annotations for the ingress object | `{}` | +| `federation.ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server-federation` | +| `federation.ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | +| `federation.ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | +| `federation.ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` | +| `ca_subject.country` | Country for Spire server CA | `ARPA` | +| `ca_subject.organization` | Organization for Spire server CA | `Example` | +| `ca_subject.common_name` | Common Name for Spire server CA | `example.org` | +| `keyManager.disk.enabled` | Flag to enable keyManager on disk | `true` | +| `keyManager.memory.enabled` | Flag to enable keyManager in memory | `false` | +| `keyManager.awsKMS.enabled` | Flag to enable keyManager in memory | `false` | +| `keyManager.awsKMS.region` | Specify the region for AWS KMS | `""` | +| `keyManager.awsKMS.keyPolicy` | Policy to use when creating keys. If no policy is specified, a default policy will be used. | | +| `keyManager.awsKMS.keyPolicy.policy` | Key policy in JSON format. | `""` | +| `keyManager.awsKMS.keyPolicy.existingConfigMap` | Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. | `""` | +| `keyManager.awsKMS.accessKeyID` | Access key ID for the AWS account. It's recommended to use an IAM role instead. See [here](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) to learn how to annotate your SPIRE Server Service Account to assume an IAM role. 
| `""` | +| `keyManager.awsKMS.secretAccessKey` | Secret access key for the AWS account. | `""` | +| `upstreamAuthority.disk.enabled` | Flag to enable upstream authority plugin on disk | `false` | +| `upstreamAuthority.disk.secret.create` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. | `true` | +| `upstreamAuthority.disk.secret.name` | If secret creation is disabled, the secret with this name will be used. | `spiffe-upstream-ca` | +| `upstreamAuthority.disk.secret.data` | If secret creation is enabled, will create a secret with following certificate info | | +| `upstreamAuthority.disk.secret.data.certificate` | Certificate to store within disk upstreamAuthority. | `""` | +| `upstreamAuthority.disk.secret.data.key` | Key corresponding to the upstreamAuthority. | `""` | +| `upstreamAuthority.disk.secret.data.bundle` | Trust bundle for upstreamAuthority. | `""` | +| `upstreamAuthority.awsPCA.enabled` | Flag to enable upstream authority plugin with AWS PCA | `false` | +| `upstreamAuthority.awsPCA.region` | AWS Region to use | `""` | +| `upstreamAuthority.awsPCA.certificateAuthorityARN` | ARN of the "upstream" CA certificate | `""` | +| `upstreamAuthority.awsPCA.assumeRoleARN` | (Optional) ARN of an IAM role to assume | `""` | +| `upstreamAuthority.awsPCA.caSigningTemplateARN` | (Optional) ARN of the signing template to use for the server's CA. Defaults to a signing template for end-entity certificates only. See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values. | `""` | +| `upstreamAuthority.awsPCA.signingAlgorithm` | (Optional) Signing algorithm to use for the server's CA. Defaults to the CA's default. See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values. 
| `""` | +| `upstreamAuthority.awsPCA.endpoint` | (Optional) Endpoint as hostname or fully-qualified URI that overrides the default endpoint. See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information. | `""` | +| `upstreamAuthority.awsPCA.supplementalBundlePath` | (Optional) Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle. | `""` | +| `upstreamAuthority.certManager.enabled` | Flag to enable upstream authority plugin with cert manager | `false` | +| `upstreamAuthority.certManager.rbac.create` | Flag to create RBAC roles | `true` | +| `upstreamAuthority.certManager.issuer_name` | Defaults to the release name, override if CA is provided outside of the chart | `""` | +| `upstreamAuthority.certManager.issuer_kind` | Defaults to "Issuer", override if CA is provided outside of the chart | `Issuer` | +| `upstreamAuthority.certManager.issuer_group` | Defaults to "cert-manager.io", override if CA is provided outside of the chart | `cert-manager.io` | +| `upstreamAuthority.certManager.namespace` | Specify to use a namespace other then the one the chart is installed into | `""` | +| `upstreamAuthority.certManager.kube_config_file` | Path to kube_config_file on node to setup cert manager | `""` | +| `upstreamAuthority.certManager.ca.create` | Creates a Cert-Manager CA | `false` | +| `upstreamAuthority.certManager.ca.duration` | Duration of the CA. 
Defaults to 10 years | `87600h` | +| `upstreamAuthority.certManager.ca.privateKey.algorithm` | Algorithm to generate private key for CA | `ECDSA` | +| `upstreamAuthority.certManager.ca.privateKey.size` | Size of generated private key for CA | `256` | +| `upstreamAuthority.certManager.ca.privateKey.rotationPolicy` | Rotation policy for generated private key | `""` | +| `upstreamAuthority.certManager.ca.renewBefore` | How long to wait before renewing the CA | `""` | +| `upstreamAuthority.spire.enabled` | Flag to use another Spire install as upstream CA | `false` | +| `upstreamAuthority.spire.upstreamDriver` | Driver for Spire as upstream CA | `""` | +| `upstreamAuthority.spire.server` | Server details for the Spire instance use as upstream CA | | +| `upstreamAuthority.spire.server.address` | Address for upstream Spire server | `""` | +| `upstreamAuthority.spire.server.port` | Port for upstream Spire server | `8081` | +| `upstreamAuthority.vault.enabled` | Enable Hashicorp Vault as upstream CA | `false` | +| `upstreamAuthority.vault.vaultAddr` | The URL of the Vault server. (e.g., https://vault.example.com:8443/) | `""` | +| `upstreamAuthority.vault.namespace` | Name of the Vault namespace. This is only available in the Vault Enterprise. 
| `""` | +| `upstreamAuthority.vault.pkiMountPoint` | Name of the mount point where PKI secret engine is mounted | `pki` | +| `upstreamAuthority.vault.insecureSkipVerify` | If true, caCert options are ignored and Spire accepts any server certificates claiming to be Vault | `false` | +| `upstreamAuthority.vault.caCert.type` | Type of resource representing the Vault server certificate, options are 'Secret' or 'Configmap', the item must be named `ca.crt` | `Secret` | +| `upstreamAuthority.vault.caCert.name` | Name of the Kubernetes resource containing the Vault server certificate | `vault-ca` | +| `upstreamAuthority.vault.k8sAuth.enabled` | Enable k8s authentication to Hashicorp Vault | `false` | +| `upstreamAuthority.vault.k8sAuth.k8sAuthMountPoint` | Name of the mount point where the Kubernetes auth method is mounted | `kubernetes` | +| `upstreamAuthority.vault.k8sAuth.k8sAuthRoleName` | Required - Name of the Vault role. The plugin authenticates against the named role | `""` | +| `upstreamAuthority.vault.k8sAuth.token.audience` | Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server. See ['Service Account Documentation'](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for more info. | `vault` | +| `upstreamAuthority.vault.k8sAuth.token.expiry` | Expiry time in seconds for the token | `7200` | +| `notifier.k8sbundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` | +| `controllerManager.enabled` | Flag to enable controller manager | `false` | +| `controllerManager.className` | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. 
| `""` | +| `controllerManager.watchClassless` | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. | `false` | +| `controllerManager.installAndUpgradeHook.enabled` | Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | +| `controllerManager.deleteHook.enabled` | Enable Helm hook to autofix common delete issues (should be disabled when using `helm template`) | `true` | +| `controllerManager.image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `controllerManager.image.repository` | The repository within the registry | `spiffe/spire-controller-manager` | +| `controllerManager.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `controllerManager.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.4.0` | +| `controllerManager.resources` | Resource requests and limits for controller manager | `{}` | +| `controllerManager.securityContext` | Security context | `{}` | +| `controllerManager.service.type` | Service type for controller manager | `ClusterIP` | +| `controllerManager.service.port` | Service port for controller manager | `443` | +| `controllerManager.service.annotations` | Annotations for service resource | `{}` | +| `controllerManager.configMap.annotations` | Annotations to add to the Controller Manager ConfigMap | `{}` | +| `controllerManager.ignoreNamespaces` | These namespaces are ignored by controller manager | `[]` | +| `controllerManager.identities.clusterSPIFFEIDs.default.enabled` | Enable this identity for controller manager | `true` | +| `controllerManager.identities.clusterSPIFFEIDs.default.spiffeIDTemplate` | Spiffe ID template for identities | `spiffe://{{ 
.TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}` | +| `controllerManager.identities.clusterSPIFFEIDs.default.podSelector` | Selector for pods to issue identity | `{}` | +| `controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector` | Selector for namespacs to issue identity | `{}` | +| `controllerManager.identities.clusterSPIFFEIDs.default.dnsNameTemplates` | DNS name template for issued identities | `[]` | +| `controllerManager.identities.clusterSPIFFEIDs.default.federatesWith` | Other Spire server URLs for identity federation | `[]` | +| `controllerManager.identities.clusterSPIFFEIDs.default.workloadSelectorTemplates` | Templates to produce selectors that apply to a given workload before it will receive an ID | `[]` | +| `controllerManager.identities.clusterSPIFFEIDs.default.ttl` | Indicates an upper-bound time-to-live for X509 SVIDs. If unset, the cluster default will be chosen. | `""` | +| `controllerManager.identities.clusterSPIFFEIDs.default.jwtTTL` | Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen. | `""` | +| `controllerManager.identities.clusterSPIFFEIDs.default.admin` | Indicates any pod matched by this identity will be an admin. Use this with extreme care. | `false` | +| `controllerManager.identities.clusterSPIFFEIDs.default.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `false` | +| `controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames` | Auto populate DNS names from services attached to pods | `false` | +| `controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled` | Enable this identity for controller manager | `true` | +| `controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.type` | The type of rule this is. 
| `oidc-discovery-provider` | +| `controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.autoPopulateDNSNames` | Auto populate DNS names to the discovery provider | `true` | +| `controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.dnsNameTemplates` | DNS name template for issued identities | `[]` | +| `controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled` | Enable this identity for controller manager | `true` | +| `controllerManager.identities.clusterSPIFFEIDs.test-keys.type` | The type of rule this is. | `test-keys` | +| `controllerManager.identities.clusterStaticEntries` | Specify ClusterStaticEntry objects. | `{}` | +| `controllerManager.identities.clusterFederatedTrustDomains` | Specify ClusterFederatedTrustDomain objects. | `{}` | +| `controllerManager.validatingWebhookConfiguration.failurePolicy` | Action when identity is not issued | `Fail` | +| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | +| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tools.kubectl.image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | +| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | +| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | +| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | +| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | +| `ingress.enabled` | Flag to enable ingress | `false` | +| `ingress.className` | Ingress class name | `""` | +| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | +| `ingress.annotations` | Annotations for the ingress object | `{}` | +| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server` | +| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | +| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | +| `ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. 
| `[]` |
+| `extraVolumes` | Extra volumes to be mounted | `[]` |
+| `extraVolumeMounts` | Extra volume mounts | `[]` |
+| `extraContainers` | Additional containers to create | `[]` |
+| `initContainers` | Additional init containers to create | `[]` |
+| `caKeyType` | The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. EC cryptography is not supported) | `rsa-2048` |
+| `caTTL` | TTL for CA | `24h` |
+| `defaultX509SvidTTL` | TTL for X509 Svids | `4h` |
+| `defaultJwtSvidTTL` | TTL for JWT Svids | `1h` |
+| `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s nodeattestor | `true` |
+| `nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` |
 ### Tornjak
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
index 8670f7332..c22e9c0e9 100644
--- a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
@@ -1,17 +1,50 @@
+{{- define "spire-controller-manager-identity-nsselector" }}
+key: "kubernetes.io/metadata.name"
+{{- if eq .type "base" }}
+operator: NotIn
+{{- else }}
+operator: In
+{{- end }}
+values:
+ {{ .namespaces | toYaml | nindent 2 }}
+{{- end }}
+{{- define "spire-controller-manager-identity-podselector" }}
+{{- if eq .type "oidc-discovery-provider" }}
+matchLabels:
+ release: {{ .Release.Name }}
+ release-namespace: {{ .Release.Namespace }}
+ component: oidc-discovery-provider
+{{- else if eq .type "test-keys" }}
+matchLabels:
+ release: {{ .Release.Name }}
+ release-namespace: {{ .Release.Namespace }}
+ component: test-keys
+{{- else }}
+{}
+{{- end }}
+{{- end }}
 {{- $root := . }}
+{{ $namespaces := list .Release.Namespace .Values.namespaceOverride (dig "spire" "namespaces" "server" "name" "" .Values.global) (dig "spire" "namespaces" "system" "name" "" .Values.global) | compact | uniq }}
 {{- range $key, $value := .Values.controllerManager.identities.clusterSPIFFEIDs }}
 {{- range $skey, $svalue := $value }}
-{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames")) }}
+{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "type" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames")) }}
 {{- fail (printf "Unsupported property specified: %s" $skey) }}
 {{- end }}
 {{- end }}
-{{- range $rprop := list "spiffeIDTemplate" }}
-{{- if not (hasKey $value $rprop) }}
-{{- fail (printf "Required property %s was not specified" $rprop) }}
-{{- end }}
-{{- end }}
 {{- if eq ($root.Values.controllerManager.enabled | toString) "true" }}
 {{- if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
+{{- $type := dig "type" "base" $value }}
+{{- if not (has $type (list "base" "raw" "oidc-discovery-provider" "test-keys")) }}
+{{- fail (printf "Type given: %s, must be one of [base, raw, oidc-discovery-provider, test-keys]" $type) }}
+{{- end }}
+{{- $namespaceSelector := deepCopy (dig "namespaceSelector" (dict) $value) }}
+{{- if ne $type "raw" }}
+{{- $namespaceSelector := merge $namespaceSelector (dict "matchExpressions" (list)) }}
+{{- $namespaceSelectorToAdd := include "spire-controller-manager-identity-nsselector" (dict "type" $type "namespaces" $namespaces) | fromYaml }}
+{{- $_ := set $namespaceSelector "matchExpressions" (append $namespaceSelector.matchExpressions $namespaceSelectorToAdd) }}
+{{- end }}
+{{- $podSelector := deepCopy (dig "podSelector" (dict) $value) }}
+{{- $podSelector := merge $podSelector (include "spire-controller-manager-identity-podselector" (dict "type" $type "Release" $root.Release) | fromYaml ) }}
 ---
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ClusterSPIFFEID
@@ -27,16 +60,20 @@ metadata:
 {{- end }}
 spec:
 className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
+ {{- if and (hasKey $value "spiffeIDTemplate") (ne (len $value.spiffeIDTemplate) 0) }}
 spiffeIDTemplate: {{ $value.spiffeIDTemplate | quote }}
+ {{- else }}
+ spiffeIDTemplate: {{ $root.Values.controllerManager.identities.clusterSPIFFEIDs.default.spiffeIDTemplate | quote }}
+ {{- end }}
 {{- with $value.federatesWith }}
 federatesWith:
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- with $value.podSelector }}
+ {{- with $podSelector }}
 podSelector:
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- with $value.namespaceSelector }}
+ {{- with $namespaceSelector }}
 namespaceSelector:
 {{- toYaml . | nindent 4 }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml
index 713201a04..460447749 100644
--- a/charts/spire/charts/spire-server/templates/statefulset.yaml
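Review bot: `{{- $namespaceSelector := merge $namespaceSelector (dict "matchExpressions" (list)) }}` inside `{{- if ne $type "raw" }}` declares a new, if-scoped variable that shadows the outer one, and the outer `$namespaceSelector` consumed later only reflects the change because `merge` and `set` mutate the map in place; `{{- $_ := merge $namespaceSelector (dict "matchExpressions" (list)) }}` states what is actually relied on. The `raw` type skips the namespace expression altogether, so a `raw` identity whose `namespaceSelector` is left empty renders no selector at all and will presumably match pods in every namespace, including the SPIRE namespaces that the `base` type excludes — worth a comment above that `if`, e.g. `{{/* raw: no SPIRE-namespace exclusion is added; the identity must supply its own namespaceSelector */}}`. The `{{ $namespaces := ... }}` line opens with `{{` rather than `{{-` like its neighbours and so emits a blank line ahead of the first document.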
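Review bot: `{{- if and (hasKey $value "spiffeIDTemplate") (ne (len $value.spiffeIDTemplate) 0) }}` depends on `and` short-circuiting, which Go's text/template only does since Go 1.18; on a Helm built with an older Go the `len` of the missing key is evaluated anyway and would presumably error at render time. `spiffeIDTemplate: {{ $value.spiffeIDTemplate | default $root.Values.controllerManager.identities.clusterSPIFFEIDs.default.spiffeIDTemplate | quote }}` covers both the missing and the empty case in one line and drops the if/else. The enclosing `range` and `if` blocks open in the previous hunk and close outside this one.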
+++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -39,6 +39,9 @@ spec: labels: {{- include "spire-server.selectorLabels" . | nindent 8 }} app.kubernetes.io/component: server + component: server + release: {{ .Release.Name }} + release-namespace: {{ .Release.Namespace }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 69e4ccb77..efe2cc11b 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -480,6 +480,23 @@ controllerManager: ## @param controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames Auto populate DNS names from services attached to pods autoPopulateDNSNames: false + oidc-discovery-provider: + ## @param controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled Enable this identity for controller manager + enabled: true + ## @param controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.type The type of rule this is. + type: oidc-discovery-provider + ## @param controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.autoPopulateDNSNames Auto populate DNS names to the discovery provider + autoPopulateDNSNames: true + ## @param controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.dnsNameTemplates [array] DNS name template for issued identities + dnsNameTemplates: + - oidc-discovery.{{ .TrustDomain }} + + test-keys: + ## @param controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable this identity for controller manager + enabled: true + ## @param controllerManager.identities.clusterSPIFFEIDs.test-keys.type The type of rule this is. + type: test-keys + # You can specify additional ClusterSPIFFEIDs following this example: # foo: # labels: 
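Review bot: The `## @param controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.type The type of rule this is.` comment, and its `test-keys` twin, leave the accepted values unstated even though the rendering template fails on anything outside a fixed set; `## @param controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.type Rule type, one of base, raw, oidc-discovery-provider, test-keys` would let readers choose without reading the template. `test-keys` also ships with `enabled: true`; if that identity exists only for chart tests, a default of `false` would keep a test-only identity out of ordinary installs, and either way a comment saying what it is for would help.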
diff --git a/charts/spire/ci/namespace-override-values-skip.yaml b/charts/spire/ci/namespace-override-values-skip.yaml
index fdff671c0..b91f0c325 100644
--- a/charts/spire/ci/namespace-override-values-skip.yaml
+++ b/charts/spire/ci/namespace-override-values-skip.yaml
@@ -1,8 +1,9 @@
 spiffe-oidc-discovery-provider:
 enabled: true
 namespaceOverride: spire-server
- insecureScheme:
- enabled: true
+ tls:
+ spire:
+ enabled: false
 spire-server:
 namespaceOverride: spire-server
diff --git a/charts/spire/ci/no-spire-controller-manager-values.yaml b/charts/spire/ci/no-spire-controller-manager-values.yaml
index 772eaf3a5..1e885e74c 100644
--- a/charts/spire/ci/no-spire-controller-manager-values.yaml
+++ b/charts/spire/ci/no-spire-controller-manager-values.yaml
@@ -1,3 +1,5 @@
 spire-server:
 controllerManager:
 enabled: false
+spiffe-oidc-discovery-provider:
+ enabled: false
diff --git a/charts/spire/ci/oidc-values.yaml b/charts/spire/ci/oidc-values.yaml
index 8164ef2b1..2b519deb4 100644
--- a/charts/spire/ci/oidc-values.yaml
+++ b/charts/spire/ci/oidc-values.yaml
@@ -21,8 +21,9 @@ spire-agent:
 spiffe-oidc-discovery-provider:
 enabled: true
- insecureScheme:
- enabled: true
+ tls:
+ spire:
+ enabled: false
 config:
 additionalDomains:
diff --git a/charts/spire/ci/prometheus-values.yaml b/charts/spire/ci/prometheus-values.yaml
index a0886e435..a38435b43 100644
--- a/charts/spire/ci/prometheus-values.yaml
+++ b/charts/spire/ci/prometheus-values.yaml
@@ -9,5 +9,6 @@ global:
 spiffe-oidc-discovery-provider:
 enabled: true
- insecureScheme:
- enabled: true
+ tls:
+ spire:
+ enabled: false
diff --git a/examples/nested/values.yaml b/examples/nested/values.yaml
index 0a26f7334..2e1094571 100644
--- a/examples/nested/values.yaml
+++ b/examples/nested/values.yaml
@@ -14,11 +14,14 @@ spire-server:
 clusterSPIFFEIDs:
 default:
 spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
+ oidc-discovery-provider:
+ autoPopulateDNSNames: false
 spiffe-oidc-discovery-provider:
 enabled: true
- insecureScheme:
- enabled: true
+ tls:
+ spire:
+ enabled: false
 upstream:
 enabled: true
diff --git a/examples/production/values.yaml b/examples/production/values.yaml
index 5da73c96c..4aeb061c4 100644
--- a/examples/production/values.yaml
+++ b/examples/production/values.yaml
@@ -5,5 +5,6 @@ global:
 spiffe-oidc-discovery-provider:
 enabled: true
- insecureScheme:
- enabled: true
+ tls:
+ spire:
+ enabled: false
From e7a61a9ec5d31a1e52eacc1f33ca4289a87dadda Mon Sep 17 00:00:00 2001 From: marcofranssen Date: Mon, 8 Jan 2024 08:01:19 +0000 Subject: [PATCH 39/64] Bump test chart dependencies Signed-off-by: GitHub --- .github/tests/charts.json | 2 +- charts/spire/charts/spiffe-oidc-discovery-provider/README.md | 4 ++-- .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 4 ++-- charts/spire/charts/spire-agent/README.md | 4 ++-- charts/spire/charts/spire-agent/values.yaml | 4 ++-- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 2 +- charts/spire/charts/tornjak-frontend/README.md | 2 +- charts/spire/charts/tornjak-frontend/values.yaml | 2 +- 9 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/.github/tests/charts.json b/.github/tests/charts.json
index 277be2b9d..c8befd8e9 100644
--- a/.github/tests/charts.json
+++ b/.github/tests/charts.json
@@ -2,7 +2,7 @@
 {
 "name": "kube-prometheus-stack",
 "repo": "https://prometheus-community.github.io/helm-charts",
- "version": "55.5.1"
+ "version": "55.6.0"
 },
 {
 "name": "cert-manager",
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
index 8b2435783..5b4babec6 100644
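Review bot: In `examples/production/values.yaml`, `tls.spire.enabled: false` replaces the former `insecureScheme` block without any note on where TLS for the OIDC discovery provider is terminated instead, so an operator copying the production example may end up serving the discovery document over plain HTTP without realising it. If the ingress is meant to terminate TLS, a comment above `tls:` such as `# SPIRE-issued TLS is disabled on the provider; TLS is terminated at the ingress (see ingress.tls)` would make the example self-explaining; `examples/nested/values.yaml` in this commit has the same gap. I cannot see the subchart's `tls.spire` semantics from this diff, so the wording should follow the spiffe-oidc-discovery-provider values documentation.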
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md @@ -113,12 +113,12 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0b3904b9ac440671549e2391d4148e129e581fb16d9d98ae2cbf2b135dda82c8` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.toolkit.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:c33000bbf5fc823722d1a190ce96c58ee0baa3780e23d148c27773bbc7e884e1` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:9cb7fff3f1b11f2b8f699abb33e287b3edec0dd1efc81d085550f7c88731ec12` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | 
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index f0d5eb98b..ee5f85950 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -320,7 +320,7 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:0b3904b9ac440671549e2391d4148e129e581fb16d9d98ae2cbf2b135dda82c8 + tag: latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -334,7 +334,7 @@ tests: repository: chainguard/slim-toolkit-debug pullPolicy: IfNotPresent version: "" - tag: latest@sha256:c33000bbf5fc823722d1a190ce96c58ee0baa3780e23d148c27773bbc7e884e1 + tag: latest@sha256:9cb7fff3f1b11f2b8f699abb33e287b3edec0dd1efc81d085550f7c88731ec12 step: ## @param tests.step.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 4a4bd7292..20038b387 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -64,13 +64,13 @@ A Helm chart to install the SPIRE agent. | `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` | | `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `waitForIt.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:69b2e2d1534cbceddc0d172bf414cd41b9ad341535bc2fc4cd73c96b1a345900` | +| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:fdd8d70cdb1e0383f77b6f7820552f0b330a526d967ed996b01ee30cc026f4fb` | | `waitForIt.resources` | Resource requests and limits | `{}` | | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | | `fsGroupFix.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0b3904b9ac440671549e2391d4148e129e581fb16d9d98ae2cbf2b135dda82c8` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | | `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index f9d391b28..6690daff2 100644 --- a/charts/spire/charts/spire-agent/values.yaml 
+++ b/charts/spire/charts/spire-agent/values.yaml @@ -134,7 +134,7 @@ waitForIt: repository: chainguard/wait-for-it pullPolicy: IfNotPresent version: "" - tag: latest@sha256:69b2e2d1534cbceddc0d172bf414cd41b9ad341535bc2fc4cd73c96b1a345900 + tag: latest@sha256:fdd8d70cdb1e0383f77b6f7820552f0b330a526d967ed996b01ee30cc026f4fb ## @param waitForIt.resources [object] Resource requests and limits resources: {} @@ -153,7 +153,7 @@ fsGroupFix: repository: chainguard/bash pullPolicy: Always version: "" - tag: latest@sha256:0b3904b9ac440671549e2391d4148e129e581fb16d9d98ae2cbf2b135dda82c8 + tag: latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 558d16b32..2cd2dc1ca 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -324,4 +324,4 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0b3904b9ac440671549e2391d4148e129e581fb16d9d98ae2cbf2b135dda82c8` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index efe2cc11b..8a2b827eb 100644 --- a/charts/spire/charts/spire-server/values.yaml 
+++ b/charts/spire/charts/spire-server/values.yaml @@ -776,4 +776,4 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:0b3904b9ac440671549e2391d4148e129e581fb16d9d98ae2cbf2b135dda82c8 + tag: latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index adada80c6..1fdaef9b8 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -100,4 +100,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0b3904b9ac440671549e2391d4148e129e581fb16d9d98ae2cbf2b135dda82c8` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 0ca2b2cb5..d1bbf5b07 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -158,4 +158,4 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:0b3904b9ac440671549e2391d4148e129e581fb16d9d98ae2cbf2b135dda82c8 + tag: latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea From ae4ef6e992c9a1c57e22e4d83c448ea06e969262 Mon Sep 17 00:00:00 2001 
From: Jerome Meyer Date: Thu, 11 Jan 2024 05:19:41 -0500 Subject: [PATCH 40/64] Update HorizontalPodAutoscaler API to autoscaling/v2 (#153) --- .../templates/hpa.yaml | 18 ++++++++++------- .../charts/spire-server/templates/hpa.yaml | 20 +++++++++++-------- charts/spire/templates/_spire-lib.tpl | 14 +++++++++++++ 3 files changed, 37 insertions(+), 15 deletions(-)
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/hpa.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/hpa.yaml
index fcacb3f22..0a6dfa310 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/hpa.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/hpa.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta1
+apiVersion: {{ include "spire-lib.autoscalingVersion" . }}
 kind: HorizontalPodAutoscaler
 metadata:
 name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}
@@ -14,16 +14,20 @@ spec:
 minReplicas: {{ .Values.autoscaling.minReplicas }}
 maxReplicas: {{ .Values.autoscaling.maxReplicas }}
 metrics:
- {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
 - type: Resource
 resource:
- name: cpu
- targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
 {{- end }}
- {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
 - type: Resource
 resource:
- name: memory
- targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
 {{- end }}
 {{- end }}
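Review bot: The `metrics:` hunk moves the memory block above the cpu block while only the `target:` shape needed to change for autoscaling/v2, so the whole block reads as rewritten instead of as the mechanical migration it is; keeping cpu first would reduce the hunk to the `target:`/`averageUtilization:` lines. `charts/spire/charts/spire-server/templates/hpa.yaml` in this commit has the same reorder. If the order is intentional, a sentence in the commit message would save the next reader the comparison.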
diff --git a/charts/spire/charts/spire-server/templates/hpa.yaml b/charts/spire/charts/spire-server/templates/hpa.yaml
index 921abf632..4c1c41c83 100644
--- a/charts/spire/charts/spire-server/templates/hpa.yaml
+++ b/charts/spire/charts/spire-server/templates/hpa.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta1
+apiVersion: {{ include "spire-lib.autoscalingVersion" . }}
 kind: HorizontalPodAutoscaler
 metadata:
 name: {{ include "spire-server.fullname" . }}
@@ -9,7 +9,7 @@ metadata:
 spec:
 scaleTargetRef:
 apiVersion: apps/v1
- kind: Deployment
+ kind: StatefulSet
 name: {{ include "spire-server.fullname" . }}
 minReplicas: {{ .Values.autoscaling.minReplicas }}
 {{- if and (eq .Values.dataStore.sql.databaseType "sqlite3") .Values.autoscaling.enabled (gt (int .Values.autoscaling.maxReplicas) 1) }}
@@ -17,16 +17,20 @@ spec:
 {{- end }}
 maxReplicas: {{ .Values.autoscaling.maxReplicas }}
 metrics:
- {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
 - type: Resource
 resource:
- name: cpu
- targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
 {{- end }}
- {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
 - type: Resource
 resource:
- name: memory
- targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
 {{- end }}
 {{- end }}
diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl
index 71c2ad966..614e05e9a 100644
--- a/charts/spire/templates/_spire-lib.tpl
+++ b/charts/spire/templates/_spire-lib.tpl
@@ -318,3 +318,17 @@ priorityClassName: {{ .Values.priorityClassName }}
 priorityClassName: system-cluster-critical
 {{- end }}
 {{- end }}
+
+{{/*
+Use autoscaling/v2 (Kubernetes 1.23 and newer) or autoscaling/v2beta2 (Kubernetes 1.12-1.25) based on cluster capabilities.
+Anything lower has an incompatible API.
+*/}}
+{{- define "spire-lib.autoscalingVersion" -}}
+{{- if (.Capabilities.APIVersions.Has "autoscaling/v2") }}
+{{- print "autoscaling/v2" }}
+{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2") }}
+{{- print "autoscaling/v2beta2" }}
+{{- else }}
+{{- fail "Unsupported autoscaling API version" }}
+{{- end }}
+{{- end }}
From 912c61e05c4cb9c4671f8aae0c372336c49591aa Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Thu, 11 Jan 2024 02:29:56 -0800 Subject: [PATCH 41/64] Remove deprecated version values (#179) --- charts/spire/charts/spiffe-csi-driver/README.md | 2 -- .../spire/charts/spiffe-csi-driver/values.yaml | 4 ---- .../spiffe-oidc-discovery-provider/README.md | 8 -------- .../spiffe-oidc-discovery-provider/values.yaml | 16 ---------------- charts/spire/charts/spire-agent/README.md | 3 --- charts/spire/charts/spire-agent/values.yaml | 6 ------ charts/spire/charts/spire-server/README.md | 5 ----- charts/spire/charts/spire-server/values.yaml | 10 ---------- charts/spire/charts/tornjak-frontend/README.md | 2 -- charts/spire/charts/tornjak-frontend/values.yaml | 4 ---- charts/spire/templates/_spire-lib.tpl | 4 ++-- 11 files changed, 2 insertions(+), 62 deletions(-)
diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md
index f6297fb8c..cfcb62849 100644
--- a/charts/spire/charts/spiffe-csi-driver/README.md
+++ b/charts/spire/charts/spiffe-csi-driver/README.md
@@ -31,7 +31,6 @@ A Helm chart to install the SPIFFE CSI driver. | `image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `image.repository` | The repository within the registry | `spiffe/spiffe-csi-driver` | | `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | | `resources` | Resource requests and limits for spiffe-csi-driver | `{}` | | `healthChecks.port` | The healthcheck port for spiffe-csi-driver | `9809` | @@ -55,7 +54,6 @@ A Helm chart to install the SPIFFE CSI driver. | `nodeDriverRegistrar.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` | | `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` | | `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `nodeDriverRegistrar.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.3` | | `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` | | `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml index 84822f12c..8eebf6f80 100644 --- a/charts/spire/charts/spiffe-csi-driver/values.yaml +++ b/charts/spire/charts/spiffe-csi-driver/values.yaml 
@@ -12,14 +12,12 @@ pluginName: csi.spiffe.io ## @param image.registry The OCI registry to pull the image from ## @param image.repository The repository within the registry ## @param image.pullPolicy The image pull policy -## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: ghcr.io repository: spiffe/spiffe-csi-driver pullPolicy: IfNotPresent - version: "" tag: "" ## @param resources [object] Resource requests and limits for spiffe-csi-driver @@ -102,14 +100,12 @@ nodeDriverRegistrar: ## @param nodeDriverRegistrar.image.registry The OCI registry to pull the image from ## @param nodeDriverRegistrar.image.repository The repository within the registry ## @param nodeDriverRegistrar.image.pullPolicy The image pull policy - ## @param nodeDriverRegistrar.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param nodeDriverRegistrar.image.tag Overrides the image tag ## image: registry: registry.k8s.io repository: sig-storage/csi-node-driver-registrar pullPolicy: IfNotPresent - version: "" tag: v2.9.3 ## @param nodeDriverRegistrar.resources Resource requests and limits for CSI driver pods resources: {} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 5b4babec6..7ba8d5c4e 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -35,7 +35,6 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `image.repository` | The repository within the registry | `spiffe/oidc-discovery-provider` | | `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | | `resources` | Resource requests and limits | `{}` | | `service.type` | Service type | `ClusterIP` | @@ -95,7 +94,6 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `telemetry.prometheus.nginxExporter.image.registry` | The OCI registry to pull the image from | `docker.io` | | `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry | `nginx/nginx-prometheus-exporter` | | `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `telemetry.prometheus.nginxExporter.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.0.0` | | `telemetry.prometheus.nginxExporter.resources` | Resource requests and limits | `{}` | | `ingress.enabled` | Flag to enable ingress | `false` | 
@@ -112,30 +110,24 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:9cb7fff3f1b11f2b8f699abb33e287b3edec0dd1efc81d085550f7c88731ec12` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.step.image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | | `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.25.1` | | `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | | `tests.busybox.image.repository` | The repository within the registry | `busybox` | | `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.busybox.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `tests.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.36.1-uclibc` | | `tests.agent.image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `tests.agent.image.repository` | The repository within the registry | `spiffe/spire-agent` | | `tests.agent.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.agent.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `tests.agent.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | | `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | | `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tools.kubectl.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index ee5f85950..80fcc5d44 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
@@ -24,13 +24,11 @@ image: ## @param image.registry The OCI registry to pull the image from ## @param image.repository The repository within the registry ## @param image.pullPolicy The image pull policy - ## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param image.tag Overrides the image tag whose default is the chart appVersion ## registry: ghcr.io repository: spiffe/oidc-discovery-provider pullPolicy: IfNotPresent - version: "" tag: "" ## @param resources [object] Resource requests and limits @@ -244,14 +242,12 @@ telemetry: ## @param telemetry.prometheus.nginxExporter.image.registry The OCI registry to pull the image from ## @param telemetry.prometheus.nginxExporter.image.repository The repository within the registry ## @param telemetry.prometheus.nginxExporter.image.pullPolicy The image pull policy - ## @param telemetry.prometheus.nginxExporter.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param telemetry.prometheus.nginxExporter.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: docker.io repository: nginx/nginx-prometheus-exporter pullPolicy: IfNotPresent - version: "" tag: "1.0.0" ## @param telemetry.prometheus.nginxExporter.resources [object] Resource requests and limits 
@@ -312,70 +308,60 @@ tests: ## @param tests.bash.image.registry The OCI registry to pull the image from ## @param tests.bash.image.repository The repository within the registry ## @param tests.bash.image.pullPolicy The image pull policy - ## @param tests.bash.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param tests.bash.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - version: "" tag: latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from ## @param tests.toolkit.image.repository The repository within the registry ## @param tests.toolkit.image.pullPolicy The image pull policy - ## @param tests.toolkit.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param tests.toolkit.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: cgr.dev repository: chainguard/slim-toolkit-debug pullPolicy: IfNotPresent - version: "" tag: latest@sha256:9cb7fff3f1b11f2b8f699abb33e287b3edec0dd1efc81d085550f7c88731ec12 step: ## @param tests.step.image.registry The OCI registry to pull the image from ## @param tests.step.image.repository The repository within the registry ## @param tests.step.image.pullPolicy The image pull policy - ## @param tests.step.image.version This value is deprecated in favor of tag. 
(Will be removed in a future release) ## @param tests.step.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: "docker.io" repository: smallstep/step-cli pullPolicy: IfNotPresent - version: "" tag: 0.25.1 busybox: ## @param tests.busybox.image.registry The OCI registry to pull the image from ## @param tests.busybox.image.repository The repository within the registry ## @param tests.busybox.image.pullPolicy The image pull policy - ## @param tests.busybox.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param tests.busybox.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: "" repository: busybox pullPolicy: IfNotPresent - version: "" tag: 1.36.1-uclibc agent: ## @param tests.agent.image.registry The OCI registry to pull the image from ## @param tests.agent.image.repository The repository within the registry ## @param tests.agent.image.pullPolicy The image pull policy - ## @param tests.agent.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param tests.agent.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: ghcr.io repository: spiffe/spire-agent pullPolicy: IfNotPresent - version: "" tag: "" tools: @@ -383,12 +369,10 @@ tools: ## @param tools.kubectl.image.registry The OCI registry to pull the image from ## @param tools.kubectl.image.repository The repository within the registry ## @param tools.kubectl.image.pullPolicy The image pull policy - ## @param tools.kubectl.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: docker.io repository: rancher/kubectl pullPolicy: IfNotPresent - version: "" tag: "" 
diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 20038b387..a178397b5 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -30,7 +30,6 @@ A Helm chart to install the SPIRE agent. | `image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `image.repository` | The repository within the registry | `spiffe/spire-agent` | | `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | | `imagePullSecrets` | Pull secrets for images | `[]` | | `nameOverride` | Name override | `""` | 
@@ -63,13 +62,11 @@ A Helm chart to install the SPIRE agent. | `waitForIt.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` | | `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `waitForIt.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:fdd8d70cdb1e0383f77b6f7820552f0b330a526d967ed996b01ee30cc026f4fb` | | `waitForIt.resources` | Resource requests and limits | `{}` | | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | -| `fsGroupFix.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 6690daff2..c3115acda 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml 
@@ -9,14 +9,12 @@ global: {} ## @param image.registry The OCI registry to pull the image from ## @param image.repository The repository within the registry ## @param image.pullPolicy The image pull policy -## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: ghcr.io repository: spiffe/spire-agent pullPolicy: IfNotPresent - version: "" tag: "" ## @param imagePullSecrets [array] Pull secrets for images @@ -126,14 +124,12 @@ waitForIt: ## @param waitForIt.image.registry The OCI registry to pull the image from ## @param waitForIt.image.repository The repository within the registry ## @param waitForIt.image.pullPolicy The image pull policy - ## @param waitForIt.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param waitForIt.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: cgr.dev repository: chainguard/wait-for-it pullPolicy: IfNotPresent - version: "" tag: latest@sha256:fdd8d70cdb1e0383f77b6f7820552f0b330a526d967ed996b01ee30cc026f4fb ## @param waitForIt.resources [object] Resource requests and limits 
@@ -145,14 +141,12 @@ fsGroupFix: ## @param fsGroupFix.image.registry The OCI registry to pull the image from ## @param fsGroupFix.image.repository The repository within the registry ## @param fsGroupFix.image.pullPolicy The image pull policy - ## @param fsGroupFix.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param fsGroupFix.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - version: "" tag: latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 2cd2dc1ca..a9d6ff0f2 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -85,7 +85,6 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `image.repository` | The repository within the registry | `spiffe/spire-server` | | `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | | `imagePullSecrets` | Pull secrets for images | `[]` | | `nameOverride` | Name override | `""` | 
@@ -216,7 +215,6 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `controllerManager.image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `controllerManager.image.repository` | The repository within the registry | `spiffe/spire-controller-manager` | | `controllerManager.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `controllerManager.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.4.0` | | `controllerManager.resources` | Resource requests and limits for controller manager | `{}` | | `controllerManager.securityContext` | Security context | `{}` | @@ -249,7 +247,6 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | | `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tools.kubectl.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | | `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | | `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | 
@@ -282,7 +279,6 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tornjak.image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `tornjak.image.repository` | The repository within the registry | `spiffe/tornjak-backend` | | `tornjak.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tornjak.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `tornjak.image.tag` | Overrides the image tag to be whatever you need it to be. It will always be the flag you set without modifications | `""` | | `tornjak.image.defaultTag` | Sets the default image to use when image.tag is not set. It will automatically be updated with a ubi- prefix if on OpenShift. | `v1.4.2` | | `tornjak.service.type` | Type of service resource | `ClusterIP` | @@ -323,5 +319,4 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 8a2b827eb..3f5b4e530 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml 
@@ -12,14 +12,12 @@ replicaCount: 1 ## @param image.registry The OCI registry to pull the image from ## @param image.repository The repository within the registry ## @param image.pullPolicy The image pull policy -## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: ghcr.io repository: spiffe/spire-server pullPolicy: IfNotPresent - version: "" tag: "" ## @param imagePullSecrets [array] Pull secrets for images @@ -393,14 +391,12 @@ controllerManager: ## @param controllerManager.image.registry The OCI registry to pull the image from ## @param controllerManager.image.repository The repository within the registry ## @param controllerManager.image.pullPolicy The image pull policy - ## @param controllerManager.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param controllerManager.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: ghcr.io repository: spiffe/spire-controller-manager pullPolicy: IfNotPresent - version: "" tag: "0.4.0" ## @param controllerManager.resources [object] Resource requests and limits for controller manager @@ -534,14 +530,12 @@ tools: ## @param tools.kubectl.image.registry The OCI registry to pull the image from ## @param tools.kubectl.image.repository The repository within the registry ## @param tools.kubectl.image.pullPolicy The image pull policy - ## @param tools.kubectl.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: docker.io repository: rancher/kubectl pullPolicy: IfNotPresent - version: "" tag: "" telemetry: 
@@ -624,7 +618,6 @@ tornjak: ## @param tornjak.image.registry The OCI registry to pull the image from ## @param tornjak.image.repository The repository within the registry ## @param tornjak.image.pullPolicy The image pull policy - ## @param tornjak.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param tornjak.image.tag Overrides the image tag to be whatever you need it to be. It will always be the flag you set without modifications ## @param tornjak.image.defaultTag Sets the default image to use when image.tag is not set. It will automatically be updated with a ubi- prefix if on OpenShift. ## @@ -632,7 +625,6 @@ tornjak: registry: ghcr.io repository: spiffe/tornjak-backend pullPolicy: IfNotPresent - version: "" tag: "" defaultTag: "v1.4.2" @@ -768,12 +760,10 @@ tests: ## @param tests.bash.image.registry The OCI registry to pull the image from ## @param tests.bash.image.repository The repository within the registry ## @param tests.bash.image.pullPolicy The image pull policy - ## @param tests.bash.image.version This value is deprecated in favor of tag. (Will be removed in a future release) ## @param tests.bash.image.tag Overrides the image tag whose default is the chart appVersion ## image: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - version: "" tag: latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 1fdaef9b8..b8c947a85 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md 
@@ -60,7 +60,6 @@ port forwarding. See the chart NOTES output for more details. | `image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `image.repository` | The repository within the registry | `spiffe/tornjak-frontend` | | `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | | `imagePullSecrets` | Pull secrets for images | `[]` | | `nameOverride` | Name override | `""` | @@ -99,5 +98,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | | `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index d1bbf5b07..bdac7e5ac 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml 
@@ -9,14 +9,12 @@ global: {}
 ## @param image.registry The OCI registry to pull the image from
 ## @param image.repository The repository within the registry
 ## @param image.pullPolicy The image pull policy
-## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release)
 ## @param image.tag Overrides the image tag whose default is the chart appVersion
 ##
 image:
 registry: ghcr.io
 repository: spiffe/tornjak-frontend
 pullPolicy: IfNotPresent
- version: ""
 tag: ""
 ## @param imagePullSecrets [array] Pull secrets for images
@@ -150,12 +148,10 @@ tests:
 ## @param tests.bash.image.registry The OCI registry to pull the image from
 ## @param tests.bash.image.repository The repository within the registry
 ## @param tests.bash.image.pullPolicy The image pull policy
- ## @param tests.bash.image.version This value is deprecated in favor of tag. (Will be removed in a future release)
 ## @param tests.bash.image.tag Overrides the image tag whose default is the chart appVersion
 ##
 image:
 registry: cgr.dev
 repository: chainguard/bash
 pullPolicy: IfNotPresent
- version: ""
 tag: latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea
diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl
index 614e05e9a..99a2e079c 100644
--- a/charts/spire/templates/_spire-lib.tpl
+++ b/charts/spire/templates/_spire-lib.tpl
@@ -51,7 +51,7 @@
 {{- define "spire-lib.image" -}}
 {{- $registry := include "spire-lib.registry" . }}
 {{- $repo := .image.repository }}
-{{- $tag := (default .image.tag .image.version) | toString }}
+{{- $tag := .image.tag | toString }}
 {{- if eq (substr 0 7 $tag) "sha256:" }}
 {{- printf "%s/%s@%s" $registry $repo $tag }}
 {{- else if .appVersion }}
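Review bot: Dropping the `.image.version` fallback in the `$tag` assignment makes any release that still sets `image.version` silently change image: that key used to take precedence over `image.tag`, and once it is ignored an empty `image.tag` falls through to the chart appVersion (or, in the `spire-lib.kubectl-image` hunk at @@ -169, to a tag derived from the Kubernetes version), so a version or digest an operator pinned is no longer what gets pulled, and Helm does not warn about unknown values unless a schema rejects the key. A template-time guard ahead of the assignment, `{{- if .image.version }}{{ fail "image.version has been removed; set image.tag instead" }}{{- end }}`, would turn the silent drift into an install error that names the stale value. The same applies to the kubectl-image hunk. Both `define` blocks open inside their hunks and continue past them.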
@@ -169,7 +169,7 @@ rules:
 {{- define "spire-lib.kubectl-image" }}
 {{- $root := deepCopy . }}
-{{- $tag := (default $root.image.tag $root.image.version) | toString }}
+{{- $tag := $root.image.tag | toString }}
 {{- if eq (len $tag) 0 }}
 {{- $_ := set $root.image "tag" (regexReplaceAll "^(v?\\d+\\.\\d+\\.\\d+).*" $root.KubeVersion "${1}") }}
 {{- end }}
From befa0747637c880b86a42d4336425c7d004b69bc Mon Sep 17 00:00:00 2001
From: kfox1111
Date: Thu, 11 Jan 2024 02:31:02 -0800
Subject: [PATCH 42/64] Fix notes bug (#178)
---
 charts/spire/templates/NOTES.txt | 10 ++++++----
 tests/unit/spire_test.go | 11 +++++++++++
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/charts/spire/templates/NOTES.txt b/charts/spire/templates/NOTES.txt
index 6da26815c..0b8a7296f 100644
--- a/charts/spire/templates/NOTES.txt
+++ b/charts/spire/templates/NOTES.txt
@@ -21,13 +21,15 @@ Warning: You're using an unsupported plugin. Functionality of this release and f
 Warning: You're using an experimental config. Functionality of this release and future upgrades aren't guaranteed to work smoothly.
 {{- end }}
-{{- $className := include "spire-server.controller-manager-class-name" (dict "Values" (index .Values "spire-server") "Release" .Release) }}
-{{- if (index .Values "spire-server").controllerManager.enabled }}
-{{- if (index .Values "spire-server").controllerManager.watchClassless }}
+{{- if (index .Values "spire-server").enabled }}
+{{- $className := include "spire-server.controller-manager-class-name" (dict "Values" (index .Values "spire-server") "Release" .Release) }}
+{{- if (index .Values "spire-server").controllerManager.enabled }}
+{{- if (index .Values "spire-server").controllerManager.watchClassless }}
 Spire CR's will be handled if no className is specified or if className is set to "{{ $className }}"
-{{- else }}
+{{- else }}
 Spire CR's will be handled only if className is set to "{{ $className }}"
+{{- end }}
 {{- end }}
 {{- end }}
diff --git a/tests/unit/spire_test.go b/tests/unit/spire_test.go
index 891771b8e..0c849ca0a 100644
--- a/tests/unit/spire_test.go
+++ b/tests/unit/spire_test.go
@@ -133,4 +133,15 @@ spire-agent:
 Expect(notes).Should(ContainSubstring("join_token"))
 })
 })
+ Describe("spire-server.disabled", func() {
+ It("spire server off", func() {
+ objs, err := ValueStringRender(chart, `
+spire-server:
+ enabled: false
+`)
+ Expect(err).Should(Succeed())
+ notes := objs["spire/templates/NOTES.txt"]
+ Expect(notes).Should(ContainSubstring("Installed"))
+ })
+ })
 })
From b61d4f5ae1fa072d1ca09bb73a48fe08896c9c71 Mon Sep 17 00:00:00 2001
From: kfox1111
Date: Thu, 11 Jan 2024 02:39:12 -0800
Subject: [PATCH 43/64] Add spire-agent to spire-agent pod path (#180)
---
 charts/spire/charts/spire-agent/templates/daemonset.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml
index 0ee60cd86..9c6a16c17 100644
--- a/charts/spire/charts/spire-agent/templates/daemonset.yaml
+++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml
@@ -71,8 +71,9 @@ spec:
 image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 args: ["-config", "/run/spire/config/agent.conf"]
- {{- if or (gt (len .Values.extraEnvVars) 0) $cbh }}
 env:
+ - name: PATH
+ value: "/opt/spire/bin:/bin"
 {{- if $cbh }}
 - name: MY_NODE_NAME
 valueFrom:
@@ -82,7 +83,6 @@ spec:
 {{- with .Values.extraEnvVars }}
 {{- toYaml . | nindent 12 }}
 {{- end }}
- {{- end }}
 ports:
 - containerPort: {{ .Values.healthChecks.port }}
 name: healthz
From f3a85bdb989cfe81aacbcb92090759d864459a9b Mon Sep 17 00:00:00 2001
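Review bot: The new test asserts only that rendering succeeds and that the notes contain "Installed"; it never checks that the controller-manager className lines are absent when spire-server is disabled, which is the path this commit changes, so a regression that rendered them with an empty `$className` would still pass. A negative assertion on the text that must be gone, `Expect(notes).ShouldNot(ContainSubstring("className"))`, pins that behaviour next to the existing positive check. The enclosing Describe block starts outside the hunk.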
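Review bot: The new `PATH` entry is rendered unconditionally ahead of `extraEnvVars`, so a user who also sets `PATH` there produces a container spec with two `PATH` entries and the chart leaves it to the kubelet to pick one; that deserves a template comment above the entry, `{{/* PATH is pinned so the agent binary (presumably under /opt/spire/bin) resolves in exec sessions; a PATH from extraEnvVars is appended after it */}}`, plus a line on `extraEnvVars` in the chart README. The value `/opt/spire/bin:/bin` also drops `/usr/bin` and `/usr/local/bin` from lookup, which is likely fine for the agent image but should be the documented intent rather than an implicit one. The container definition continues outside the hunk, and the second hunk at @@ -82 only removes the matching `{{- end }}`.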
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 12 Jan 2024 00:55:06 -0800
Subject: [PATCH 44/64] Bump github.com/onsi/ginkgo/v2 from 2.13.2 to 2.14.0 in /tests (#183)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.13.2 to 2.14.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.13.2...v2.14.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
 dependency-type: direct:production
 update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 tests/go.mod | 6 +++---
 tests/go.sum | 13 ++++++-------
 2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/tests/go.mod b/tests/go.mod
index 5eb113258..1d60dcb65 100644
--- a/tests/go.mod
+++ b/tests/go.mod
@@ -3,7 +3,7 @@ module github.com/spiffe/helm-charts/tests
 go 1.20
 require (
- github.com/onsi/ginkgo/v2 v2.13.2
+ github.com/onsi/ginkgo/v2 v2.14.0
 github.com/onsi/gomega v1.30.0
 helm.sh/helm/v3 v3.13.3
 )
@@ -46,13 +46,13 @@ require (
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 golang.org/x/crypto v0.17.0 // indirect
- golang.org/x/net v0.17.0 // indirect
+ golang.org/x/net v0.19.0 // indirect
 golang.org/x/oauth2 v0.8.0 // indirect
 golang.org/x/sys v0.15.0 // indirect
 golang.org/x/term v0.15.0 // indirect
 golang.org/x/text v0.14.0 // indirect
 golang.org/x/time v0.3.0 // indirect
- golang.org/x/tools v0.14.0 // indirect
+ golang.org/x/tools v0.16.1 // indirect
 google.golang.org/appengine v1.6.7 // indirect
 google.golang.org/protobuf v1.31.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
diff --git a/tests/go.sum b/tests/go.sum
index 8982f9726..1077b631d 100644
--- a/tests/go.sum
+++ b/tests/go.sum
@@ -85,8 +85,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/onsi/ginkgo/v2 v2.13.2 h1:Bi2gGVkfn6gQcjNjZJVO8Gf0FHzMPf2phUei9tejVMs=
-github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM=
+github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY=
+github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw=
 github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
 github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -132,7 +132,6 @@ golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -141,8 +140,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8=
 golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -179,8 +178,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc=
-golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
+golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
+golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
From 6d19a76f012ac9f44c245285ea3786f034e3e647 Mon Sep 17 00:00:00 2001
From: Mariusz Sabath
Date: Fri, 12 Jan 2024 16:20:10 -0500
Subject: [PATCH 45/64] Fix agent daemonset format (#184)
Signed-off-by: Mariusz Sabath
---
 charts/spire/charts/spire-agent/templates/daemonset.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml
index 9c6a16c17..0ac2ad8dd 100644
--- a/charts/spire/charts/spire-agent/templates/daemonset.yaml
+++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml
@@ -72,8 +72,8 @@ spec:
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 args: ["-config", "/run/spire/config/agent.conf"]
 env:
- - name: PATH
- value: "/opt/spire/bin:/bin"
+ - name: PATH
+ value: "/opt/spire/bin:/bin"
 {{- if $cbh }}
 - name: MY_NODE_NAME
 valueFrom:
From 81e9523e03ed2f9123c823807fc75de7b6de5e3c Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 15 Jan 2024 06:11:02 -0800
Subject: [PATCH 46/64] Bump test chart dependencies (#186)
Signed-off-by: GitHub
Co-authored-by: marcofranssen
---
 .github/tests/charts.json | 6 +++---
 .../spire/charts/spiffe-oidc-discovery-provider/README.md | 6 +++---
 .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 6 +++---
 charts/spire/charts/spire-agent/README.md | 4 ++--
 charts/spire/charts/spire-agent/values.yaml | 4 ++--
 charts/spire/charts/spire-server/README.md | 2 +-
 charts/spire/charts/spire-server/values.yaml | 2 +-
 charts/spire/charts/tornjak-frontend/README.md | 2 +-
 charts/spire/charts/tornjak-frontend/values.yaml | 2 +-
 9 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/.github/tests/charts.json b/.github/tests/charts.json
index c8befd8e9..8117a0eb9 100644
--- a/.github/tests/charts.json
+++ b/.github/tests/charts.json
@@ -2,7 +2,7 @@
 {
 "name": "kube-prometheus-stack",
 "repo": "https://prometheus-community.github.io/helm-charts",
- "version": "55.6.0"
+ "version": "55.8.1"
 },
 {
 "name": "cert-manager",
@@ -17,11 +17,11 @@
 {
 "name": "mysql",
 "repo": "https://charts.bitnami.com/bitnami",
- "version": "9.16.1"
+ "version": "9.16.2"
 },
 {
 "name": "postgresql",
 "repo": "https://charts.bitnami.com/bitnami",
- "version": "13.2.27"
+ "version": "13.2.29"
 }
 ]
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
index 7ba8d5c4e..1d0ccd72e 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
@@ -94,7 +94,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `telemetry.prometheus.nginxExporter.image.registry` | The OCI registry to pull the image from | `docker.io` | | `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry | `nginx/nginx-prometheus-exporter` | | `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.0.0` | +| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.1.0` | | `telemetry.prometheus.nginxExporter.resources` | Resource requests and limits | `{}` | | `ingress.enabled` | Flag to enable ingress | `false` | | `ingress.className` | Ingress class name | `""` | 
@@ -110,11 +110,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:9cb7fff3f1b11f2b8f699abb33e287b3edec0dd1efc81d085550f7c88731ec12` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:6caf789aa5d2fd1539689ecbee638b6ebf7cdddb4c737a6e09b898943463bbec` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 80fcc5d44..0dcf2293f 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
@@ -248,7 +248,7 @@ telemetry: registry: docker.io repository: nginx/nginx-prometheus-exporter pullPolicy: IfNotPresent - tag: "1.0.0" + tag: "1.1.0" ## @param telemetry.prometheus.nginxExporter.resources [object] Resource requests and limits resources: {} @@ -314,7 +314,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea + tag: latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -326,7 +326,7 @@ tests: registry: cgr.dev repository: chainguard/slim-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:9cb7fff3f1b11f2b8f699abb33e287b3edec0dd1efc81d085550f7c88731ec12 + tag: latest@sha256:6caf789aa5d2fd1539689ecbee638b6ebf7cdddb4c737a6e09b898943463bbec step: ## @param tests.step.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index a178397b5..d9d664861 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -62,12 +62,12 @@ A Helm chart to install the SPIRE agent. | `waitForIt.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` | | `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:fdd8d70cdb1e0383f77b6f7820552f0b330a526d967ed996b01ee30cc026f4fb` | +| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:9500241a8a6a5912ded07445991b9d3a0834beef810b10c302af593aee1b33dc` | | `waitForIt.resources` | Resource requests and limits | `{}` | | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | | `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index c3115acda..7cbbf33a4 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml 
@@ -130,7 +130,7 @@ waitForIt: registry: cgr.dev repository: chainguard/wait-for-it pullPolicy: IfNotPresent - tag: latest@sha256:fdd8d70cdb1e0383f77b6f7820552f0b330a526d967ed996b01ee30cc026f4fb + tag: latest@sha256:9500241a8a6a5912ded07445991b9d3a0834beef810b10c302af593aee1b33dc ## @param waitForIt.resources [object] Resource requests and limits resources: {} @@ -147,7 +147,7 @@ fsGroupFix: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea + tag: latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index a9d6ff0f2..28ecc5942 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -319,4 +319,4 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 3f5b4e530..a19d517af 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml 
@@ -766,4 +766,4 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea + tag: latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index b8c947a85..6431c8594 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -98,4 +98,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index bdac7e5ac..07d544784 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -154,4 +154,4 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea + tag: latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d From c7ab1319cc1569b5b93352c198a289d107a2e384 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Tue, 16 Jan 2024 14:52:39 -0800 Subject: [PATCH 47/64] Add join_token server nodeattestor support (#187) 
Signed-off-by: Kevin Fox --- charts/spire/charts/spire-server/README.md | 1 + .../spire/charts/spire-server/templates/configmap.yaml | 10 +++++++++- charts/spire/charts/spire-server/values.yaml | 3 +++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 28ecc5942..a61bd4330 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -270,6 +270,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `defaultJwtSvidTTL` | TTL for JWT Svids | `1h` | | `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s nodeattestor | `true` | | `nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` | +| `nodeAttestor.joinToken.enabled` | Enable the join_token nodeattestor | `false` | ### Tornjak diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index d631806ee..a0aca757a 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -74,9 +74,10 @@ plugins: plugin_data: {{ include "spire-server.datastore-config" . | nindent 10 }} + {{- if or .Values.nodeAttestor.k8sPsat.enabled .Values.nodeAttestor.joinToken.enabled }} + NodeAttestor: {{- with .Values.nodeAttestor.k8sPsat }} {{- if eq (.enabled | toString) "true" }} - NodeAttestor: k8s_psat: plugin_data: clusters: @@ -84,6 +85,13 @@ plugins: service_account_allow_list: {{ include "spire-server.serviceAccountAllowedList" $root | trim }} {{- end }} {{- end }} + {{- with .Values.nodeAttestor.joinToken }} + {{- if eq (.enabled | toString) "true" }} + join_token: + plugin_data: {} + {{- end }} + {{- end }} + {{- end }} {{- with .Values.keyManager.disk }} {{- if eq (.enabled | toString) "true" }} 
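Review bot: The new outer guard in configmap.yaml, `{{- if or .Values.nodeAttestor.k8sPsat.enabled .Values.nodeAttestor.joinToken.enabled }}`, tests raw truthiness while both inner checks use `eq (.enabled | toString) "true"`, so a value supplied as the string `"false"` (e.g. via `--set-string`) passes the guard but neither inner check and renders an empty `NodeAttestor:` mapping. Use the same comparison in the guard: `{{- if or (eq (.Values.nodeAttestor.k8sPsat.enabled | toString) "true") (eq (.Values.nodeAttestor.joinToken.enabled | toString) "true") }}`. Enabling `join_token` also adds a bearer-secret attestation path alongside k8s_psat and nothing here scopes or warns about it; the README row and the `@param` comment should say it is meant for bootstrapping nodes that cannot use PSAT and that a join token is a single-use secret that should be issued with a short TTL and handled like a credential. Consider also having `global.spire.strictMode` flag it when enabled. The plugins mapping this hunk edits continues outside the hunk.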
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index a19d517af..8ec0c5e55 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -610,6 +610,9 @@ nodeAttestor: enabled: true ## @param nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor serviceAccountAllowList: [] + joinToken: + ## @param nodeAttestor.joinToken.enabled Enable the join_token nodeattestor + enabled: false ## @section Tornjak tornjak: From 3ccdb5e4c1efa97515a2de0ccaa6030552bf286d Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Wed, 17 Jan 2024 00:17:15 -0800 Subject: [PATCH 48/64] Add tls section to federation bundle endpoint and fix up annotations (#173) * Add cert-manager support to the federation bundle endpoint and fix up bundle endpoint ingress annotations Signed-off-by: Kevin Fox * Add external secret too Signed-off-by: Kevin Fox * Add forgotten files Signed-off-by: Kevin Fox * Apply suggestions from code review Signed-off-by: kfox1111 --------- Signed-off-by: Kevin Fox Signed-off-by: kfox1111 --- charts/spire/charts/spire-server/README.md | 12 ++++++ .../spire-server/templates/configmap.yaml | 13 +++++++ .../templates/federation-certificate.yaml | 27 +++++++++++++ .../templates/federation-ingress.yaml | 24 ++++++++++-- .../templates/federation-issuer.yaml | 22 +++++++++++ charts/spire/charts/spire-server/values.yaml | 39 +++++++++++++++++++ 6 files changed, 134 insertions(+), 3 deletions(-) create mode 100644 charts/spire/charts/spire-server/templates/federation-certificate.yaml create mode 100644 charts/spire/charts/spire-server/templates/federation-issuer.yaml diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index a61bd4330..4d0252854 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -141,6 +141,18 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `federation.enabled` | Flag to enable federation | `false` | | `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` | | `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` | +| `federation.tls.spire.enabled` | Use spire to secure the federation bundle endpoint | `true` | +| `federation.tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` | +| `federation.tls.externalSecret.secretName` | Specify which Secret to use | `""` | +| `federation.tls.certManager.enabled` | Use certificateManager to create the certificate | `false` | +| `federation.tls.certManager.issuer.create` | Create an issuer to use to issue the certificate | `true` | +| `federation.tls.certManager.issuer.acme.email` | Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service | `""` | +| `federation.tls.certManager.issuer.acme.server` | Server to use to get certificate. Defaults to LetsEncrypt | `https://acme-v02.api.letsencrypt.org/directory` | +| `federation.tls.certManager.issuer.acme.solvers` | Configure the issuer solvers. Defaults to http01 via ingress. | `{}` | +| `federation.tls.certManager.certificate.dnsNames` | Override the dnsNames on the certificate request. Defaults to the same settings as Ingress | `[]` | +| `federation.tls.certManager.certificate.issuerRef.group` | If you are using an external plugin, specify the group for it here | `""` | +| `federation.tls.certManager.certificate.issuerRef.kind` | Kind of the issuer reference. Override if you want to use a ClusterIssuer | `Issuer` | +| `federation.tls.certManager.certificate.issuerRef.name` | Name of the issuer to use. 
If unset, it will use the name of the built in issuer | `""` | | `federation.ingress.enabled` | Flag to enable ingress for federation | `false` | | `federation.ingress.className` | Ingress class name for federation | `""` | | `federation.ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index a0aca757a..eea9d3a91 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -22,6 +22,19 @@ {{- end }} {{- end }} {{- end }} +{{- $tlsFederationCount := 0 }} +{{- if .Values.federation.tls.spire.enabled }} +{{- $tlsFederationCount = add $tlsFederationCount 1 }} +{{- end }} +{{- if .Values.federation.tls.externalSecret.enabled }} +{{- $tlsFederationCount = add $tlsFederationCount 1 }} +{{- end }} +{{- if .Values.federation.tls.certManager.enabled }} +{{- $tlsFederationCount = add $tlsFederationCount 1 }} +{{- end }} +{{- if ne $tlsFederationCount 1 }} +{{- fail "You must enable one and only one federation TLS configuration" }} +{{- end }} {{- define "spire-server.yaml-config" -}} {{- $upstreamAuthorityUsed := 0 }} {{- $keyManagerUsed := 0 }} diff --git a/charts/spire/charts/spire-server/templates/federation-certificate.yaml b/charts/spire/charts/spire-server/templates/federation-certificate.yaml new file mode 100644 index 000000000..013d3026f --- /dev/null +++ b/charts/spire/charts/spire-server/templates/federation-certificate.yaml 
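Review bot: The one-and-only-one check added to configmap.yaml validates the `federation.tls.*` switches but does not document the operational consequence of choosing `externalSecret` or `certManager`: TLS for the bundle endpoint is then terminated at the ingress with a web-PKI certificate, and nothing in this hunk changes the server's own bundle-endpoint profile, so federated peers presumably have to point at the endpoint with an `https_web` bundle endpoint profile instead of `https_spiffe`. That belongs next to the check and in the values comments, e.g. `{{/* externalSecret/certManager terminate TLS at the ingress; peers must then use the https_web bundle endpoint profile and the ingress hostname. */}}`. The check also ignores `federation.enabled`, which is fine for the defaults but worth a one-line comment so nobody "fixes" it later. `spire-server.yaml-config`, whose define starts at the end of this hunk, continues outside it.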
@@ -0,0 +1,27 @@
+{{- define "spire-server.federation-cert-manager-default-cert" }}
+{{- $fullName := include "spire-server.fullname" . }}
+{{- $issuerFullName := printf "%s-federation" $fullName }}
+dnsNames:
+ {{- if ne (len .Values.federation.tls.certManager.certificate.dnsNames) 0 }}
+ {{- toYaml .Values.federation.tls.certManager.certificate.dnsNames | nindent 4 }}
+ {{- else }}
+ - {{ include "spire-lib.ingress-calculated-name" (dict "ingress" .Values.federation.ingress "Values" .Values) }}
+ {{- end }}
+issuerRef:
+ {{- with .Values.federation.tls.certManager.certificate.issuerRef.group }}
+ group: {{ . }}
+ {{- end }}
+ kind: {{ default "Issuer" .Values.federation.tls.certManager.certificate.issuerRef.kind }}
+ name: {{ default $issuerFullName .Values.federation.tls.certManager.certificate.issuerRef.name }}
+secretName: {{ $issuerFullName }}-cert
+{{- end }}
+{{- if .Values.federation.tls.certManager.enabled }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "spire-server.fullname" . }}
+ namespace: {{ include "spire-server.namespace" . }}
+spec:
+ {{ merge (include "spire-server.federation-cert-manager-default-cert" . | fromYaml) .Values.federation.tls.certManager.certificate | toYaml | nindent 2 }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/federation-ingress.yaml b/charts/spire/charts/spire-server/templates/federation-ingress.yaml
index 009deaaf1..c61bb88f3 100644
--- a/charts/spire/charts/spire-server/templates/federation-ingress.yaml
+++ b/charts/spire/charts/spire-server/templates/federation-ingress.yaml
@@ -1,16 +1,34 @@
 {{- if .Values.federation.enabled }}
 {{- if .Values.federation.ingress.enabled -}}
-{{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.federation.ingress) }}
 {{- $svcName := include "spire-server.fullname" . }}
+{{/* Until https://github.com/spiffe/spire/issues/2202 is resolved, use ingress to implement cert-manager and externalSecret support. */}}
+{{- $federationIngress := deepCopy .Values.federation.ingress }}
+{{- if .Values.federation.tls.certManager.enabled }}
+{{- $secret := printf "%s-federation-cert" $svcName }}
+{{- $_ := set $federationIngress "tlsSecret" $secret }}
+{{- end }}
+{{- if .Values.federation.tls.externalSecret.enabled }}
+{{- $_ := set $federationIngress "tlsSecret" .Values.federation.tls.externalSecret.secretName }}
+{{- end }}
+{{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.federation.ingress) }}
 {{- $tlsSection := true }}
 {{- $annotations := deepCopy .Values.federation.ingress.annotations }}
 {{- if eq $ingressControllerType "ingress-nginx" }}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
+{{- if not .Values.federation.ingress.tlsSecret }}
+{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
+{{- end }}
 {{- else if eq $ingressControllerType "openshift" }}
-{{- $_ := set $annotations "route.openshift.io/termination" "edge" }}
+{{- if $federationIngress.tlsSecret }}
+{{- $_ := set $annotations "route.openshift.io/termination" "reencrypt" }}
+{{- else }}
+{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
+{{- $path = "" }}
+{{- $pathType = "ImplementationSpecific" }}
 {{- $tlsSection = false }}
+{{- end }}
 {{- end }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -24,6 +42,6 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
- {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.federation.ingress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
+ {{ include "spire-lib.ingress-spec" (dict "ingress" $federationIngress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
 {{- end }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/templates/federation-issuer.yaml b/charts/spire/charts/spire-server/templates/federation-issuer.yaml
new file mode 100644
index 000000000..2a159f537
--- /dev/null
+++ b/charts/spire/charts/spire-server/templates/federation-issuer.yaml
@@ -0,0 +1,22 @@
+{{- define "spire-server.federation-cert-manager-default-issuer" }}
+{{- if not .Values.federation.tls.certManager.issuer.acme.email }}
+{{- fail "You must specify an email address via certManager.issuer.acme.email" }}
+{{- end }}
+email: {{ .Values.federation.tls.certManager.issuer.acme.email | quote}}
+server: {{ .Values.federation.tls.certManager.issuer.acme.server | quote}}
+privateKeySecretRef:
+ name: {{ include "spire-server.fullname" . }}-federation-issuer
+solvers:
+- http01:
+ ingress: {}
+{{- end }}
+{{- if and .Values.federation.tls.certManager.enabled .Values.federation.tls.certManager.issuer.create }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "spire-server.fullname" . }}-federation
+ namespace: {{ include "spire-server.namespace" . }}
+spec:
+ acme:
+ {{ mergeOverwrite (include "spire-server.federation-cert-manager-default-issuer" . | fromYaml) .Values.federation.tls.certManager.issuer.acme | toYaml | nindent 4 }}
+{{- end }}
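Review bot: In the first federation-ingress.yaml hunk the ingress-nginx branch tests `{{- if not .Values.federation.ingress.tlsSecret }}` against the original values, but certManager and externalSecret only set `tlsSecret` on the `$federationIngress` copy, so `ssl-passthrough` is still switched on in those modes and the ingress-terminated certificate is never presented; the OpenShift branch reads `$federationIngress.tlsSecret`, and this line should match it: `{{- if not $federationIngress.tlsSecret }}`. The `$path = ""` and `$pathType = "ImplementationSpecific"` assignments in the OpenShift passthrough branch are not declared anywhere earlier (the hunk begins at line 1 of the file) and the `spire-lib.ingress-spec` call in the second hunk still passes the literal `"/"` and `"Prefix"`, so they appear to be dead at best and a Go-template parse error ("undefined variable") at worst; either declare them with `:=` before the branch and pass `$path`/`$pathType` into the include, or drop them. In the reencrypt case, `backend-protocol: HTTPS` by itself does not make ingress-nginx verify spire-server's certificate on the ingress-to-pod hop; that may be acceptable in-cluster but deserves a one-line comment next to the annotation.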
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 8ec0c5e55..e9e5a1c2e 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml 
@@ -195,6 +195,45 @@ federation: ## @param federation.bundleEndpoint.address Address for trust bundle federation address: "0.0.0.0" + tls: + spire: + ## @param federation.tls.spire.enabled Use spire to secure the federation bundle endpoint + enabled: true + + externalSecret: + ## @param federation.tls.externalSecret.enabled Provide your own certificate/key via tls style Kubernetes Secret + enabled: false + ## @param federation.tls.externalSecret.secretName Specify which Secret to use + secretName: "" + + certManager: + ## @param federation.tls.certManager.enabled Use certificateManager to create the certificate + enabled: false + issuer: + ## @param federation.tls.certManager.issuer.create Create an issuer to use to issue the certificate + create: true + acme: + ## @param federation.tls.certManager.issuer.acme.email Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service + email: "" + ## @param federation.tls.certManager.issuer.acme.server Server to use to get certificate. Defaults to LetsEncrypt + server: https://acme-v02.api.letsencrypt.org/directory + # Testing server: https://acme-staging-v02.api.letsencrypt.org/directory + ## @param federation.tls.certManager.issuer.acme.solvers [object] Configure the issuer solvers. Defaults to http01 via ingress. + solvers: {} + # - http01: + # ingress: + # ingressClassName: nginx + certificate: + ## @param federation.tls.certManager.certificate.dnsNames Override the dnsNames on the certificate request. Defaults to the same settings as Ingress + dnsNames: [] + ## @param federation.tls.certManager.certificate.issuerRef.group If you are using an external plugin, specify the group for it here + ## @param federation.tls.certManager.certificate.issuerRef.kind Kind of the issuer reference. Override if you want to use a ClusterIssuer + ## @param federation.tls.certManager.certificate.issuerRef.name Name of the issuer to use. 
If unset, it will use the name of the built in issuer + issuerRef: + group: "" + kind: Issuer + name: "" + ingress: ## @param federation.ingress.enabled Flag to enable ingress for federation enabled: false From f8327657cdc673a3bcd9d08c325ebbe60a9e5d6d Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Wed, 17 Jan 2024 15:09:32 -0800 Subject: [PATCH 49/64] Add a test and example for federation support (#169) * SPIFFE OIDC Discovery Provider Rework Fixes: https://github.com/spiffe/helm-charts-hardened/issues/151 Signed-off-by: Kevin Fox * Enhance clusterspiffeid's so the discovery provider is independently configurable Signed-off-by: Kevin Fox * Fix tests Signed-off-by: Kevin Fox * More fix tests Signed-off-by: Kevin Fox * More fix tests Signed-off-by: Kevin Fox * Undo Signed-off-by: Kevin Fox * Fix logging Signed-off-by: Kevin Fox * Try to get output Signed-off-by: Kevin Fox * Try and get error code Signed-off-by: Kevin Fox * Fix more logging. Switch port used. Signed-off-by: Kevin Fox * Fix logging Signed-off-by: Kevin Fox * Fix port Signed-off-by: Kevin Fox * Fix up logs for nested test and fix values Signed-off-by: Kevin Fox * Make consistent Signed-off-by: Kevin Fox * Fix nested test Signed-off-by: Kevin Fox * Fix insecure mode and test. Signed-off-by: Kevin Fox * Fix test. Signed-off-by: Kevin Fox * Fix var scoping issue Signed-off-by: Kevin Fox * Set the right flags for ingress Signed-off-by: Kevin Fox * Update dns template Signed-off-by: Kevin Fox * Use more standard port Signed-off-by: Kevin Fox * Fix test logging Signed-off-by: Kevin Fox * Allow reencrypt. Signed-off-by: Kevin Fox * Remove testing changes Signed-off-by: Kevin Fox * Fix formatting Signed-off-by: Kevin Fox * Add LetsEncrypt/ACME/cert-manager support. Remove broken ACME support. Signed-off-by: Kevin Fox * Use spiffe-helper as a sidecar. Significant space savings and read only cert dir Signed-off-by: Kevin Fox * Fix the nested test Signed-off-by: Kevin Fox * Fix merge issue 
Signed-off-by: Kevin Fox * Remove 1.29.0 until deps catch up. Related issue: https://github.com/rancher/kubectl/pull/94 Signed-off-by: Kevin Fox * Add more error checking Signed-off-by: Kevin Fox * Remove testing code Signed-off-by: Kevin Fox * Simplify the ids. Fix docs Signed-off-by: Kevin Fox * Fix logic Signed-off-by: Kevin Fox * Fix var Signed-off-by: Kevin Fox * Make cert-manager bits more readable Signed-off-by: Kevin Fox * Fix template Signed-off-by: Kevin Fox * Fix openshift ingress Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Update docs Signed-off-by: Kevin Fox * Add resource spec Signed-off-by: Kevin Fox * Remove parts that cant merge yet Signed-off-by: Kevin Fox * Fix tests Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Fix test Signed-off-by: Kevin Fox * Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 * Fix docs Signed-off-by: Kevin Fox * Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 * Incorperate feedback Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Fix test Signed-off-by: Kevin Fox * Fix test Signed-off-by: Kevin Fox * Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 * Fix docs Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Add missing configurable for the discovery providers csi driver Signed-off-by: Kevin Fox * Add a test and example for federation support Signed-off-by: Kevin Fox * Fix test Signed-off-by: Kevin Fox * Fix test Signed-off-by: Kevin Fox * Fix test Signed-off-by: Kevin Fox * Fix ingress annotations for federation bundle endpoint Signed-off-by: Kevin Fox * Add cert-manager support to the federation bundle endpoint and fix up bundle endpoint ingress annotations Signed-off-by: Kevin Fox * Add external secret too 
Signed-off-by: Kevin Fox * Add forgotten files Signed-off-by: Kevin Fox * Apply suggestions from code review Signed-off-by: kfox1111 --------- Signed-off-by: Kevin Fox Signed-off-by: kfox1111 Co-authored-by: Faisal Memon --- .github/workflows/helm-chart-ci.yaml | 9 +++- examples/federation/a-values.yaml | 51 +++++++++++++++++++ examples/federation/b-values.yaml | 58 +++++++++++++++++++++ examples/federation/client-pod.yaml | 44 ++++++++++++++++ examples/federation/run-tests.sh | 75 ++++++++++++++++++++++++++++ examples/federation/server-pod.yaml | 50 +++++++++++++++++++ examples/federation/server-svc.yaml | 11 ++++ 7 files changed, 296 insertions(+), 2 deletions(-) create mode 100644 examples/federation/a-values.yaml create mode 100644 examples/federation/b-values.yaml create mode 100644 examples/federation/client-pod.yaml create mode 100755 examples/federation/run-tests.sh create mode 100644 examples/federation/server-pod.yaml create mode 100644 examples/federation/server-svc.yaml diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index 7e8a5c899..a0d865936 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml @@ -240,8 +240,13 @@ jobs: - name: Install and test example run: | - kubectl create namespace spire-server - helm install -n spire-server spire-crds charts/spire-crds + if [ "${{ matrix.example }}" = "examples/federation" ]; then + kubectl create namespace spire-mgmt + helm install -n spire-mgmt spire-crds charts/spire-crds + else + kubectl create namespace spire-server + helm install -n spire-server spire-crds charts/spire-crds + fi ${{ matrix.example }}/run-tests.sh upgrade-test: diff --git a/examples/federation/a-values.yaml b/examples/federation/a-values.yaml new file mode 100644 index 000000000..6ca171f10 --- /dev/null +++ b/examples/federation/a-values.yaml 
@@ -0,0 +1,51 @@ +global: + openshift: false + spire: + recommendations: + enabled: true + namespaces: + create: true + ingressControllerType: ingress-nginx + clusterName: a + trustDomain: a-org.local + bundleConfigMap: spire-bundle-a + +spire-server: + ca_subject: + country: US + organization: A + common_name: a.local + federation: + enabled: true + ingress: + enabled: true + controllerManager: + identities: + clusterSPIFFEIDs: + default: + federatesWith: + - b-org.local + clusterFederatedTrustDomains: + b: + bundleEndpointProfile: + endpointSPIFFEID: spiffe://b-org.local/spire/server + type: https_spiffe + bundleEndpointURL: https://spire-server-federation.b-org.local + trustDomain: b-org.local + +spiffe-oidc-discovery-provider: + enabled: true + tls: + spire: + enabled: false + csiDriverName: a.csi.spiffe.io + ingress: + enabled: true + +spire-agent: + socketPath: /run/spire/agent-sockets-a/spire-agent.sock + +spiffe-csi-driver: + pluginName: a.csi.spiffe.io + agentSocketPath: /run/spire/agent-sockets-a/spire-agent.sock + diff --git a/examples/federation/b-values.yaml b/examples/federation/b-values.yaml new file mode 100644 index 000000000..b76ec6b0d --- /dev/null +++ b/examples/federation/b-values.yaml 
@@ -0,0 +1,58 @@ +global: + openshift: false + spire: + recommendations: + enabled: true + namespaces: + create: false + ingressControllerType: ingress-nginx + clusterName: b + trustDomain: b-org.local + bundleConfigMap: spire-bundle-b + +spire-server: + ca_subject: + country: US + organization: B + common_name: b.local + federation: + enabled: true + ingress: + enabled: true + controllerManager: + identities: + clusterSPIFFEIDs: + default: + federatesWith: + - a-org.local + clusterFederatedTrustDomains: + a: + bundleEndpointProfile: + endpointSPIFFEID: spiffe://a-org.local/spire/server + type: https_spiffe + bundleEndpointURL: https://spire-server-federation.a-org.local + trustDomain: a-org.local + +spiffe-oidc-discovery-provider: + enabled: true + tls: + spire: + enabled: false + csiDriverName: b.csi.spiffe.io + ingress: + enabled: true + +spire-agent: + healthChecks: + port: 9983 + telemetry: + prometheus: + port: 9990 + socketPath: /run/spire/agent-sockets-b/spire-agent.sock + +spiffe-csi-driver: + healthChecks: + port: 9811 + pluginName: b.csi.spiffe.io + agentSocketPath: /run/spire/agent-sockets-b/spire-agent.sock + diff --git a/examples/federation/client-pod.yaml b/examples/federation/client-pod.yaml new file mode 100644 index 000000000..dc003f80b --- /dev/null +++ b/examples/federation/client-pod.yaml 
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: client
+spec:
+ terminationGracePeriodSeconds: 1
+ containers:
+ - name: busybox
+ image: busybox
+ command:
+ - /bin/sh
+ - -c
+ - 'while true; do wget -q -O - localhost:8080 && touch /tmp/healthy; sleep 1; done'
+ readinessProbe:
+ exec:
+ command:
+ - cat
+ - /tmp/healthy
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ - name: ghostunnel
+ image: ghostunnel/ghostunnel:v1.7.2
+ command:
+ - ghostunnel
+ - client
+ - --use-workload-api-addr
+ - unix:/spire-workload-api/spire-agent.sock
+ - --listen
+ - localhost:8080
+ - --target
+ - server:8443
+ - --verify-uri
+ - spiffe://b-org.local/ns/default/sa/default
+ volumeMounts:
+ - name: agent
+ mountPath: /spire-workload-api
+ readOnly: true
+ ports:
+ - containerPort: 8443
+ volumes:
+ - name: agent
+ csi:
+ driver: a.csi.spiffe.io
+ readOnly: true
diff --git a/examples/federation/run-tests.sh b/examples/federation/run-tests.sh
new file mode 100755
index 000000000..f320e4c3c
--- /dev/null
+++ b/examples/federation/run-tests.sh
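Review bot: `image: busybox` on the first container is unpinned (it resolves to whatever `latest` is today) while the ghostunnel sidecar next to it is pinned to `v1.7.2`; pin it the way the chart's own test values do, e.g. `image: busybox:1.36.1-uclibc`, so the example is reproducible and not a floating supply-chain input. The `ports: - containerPort: 8443` entry on the ghostunnel *client* looks copied from the server pod — this container listens on `localhost:8080` and exposes nothing to the cluster — so it should be dropped to avoid suggesting the client accepts inbound TLS. Note also that run-tests.sh applies the restricted Pod Security label only to `spire-mgmt`, and this pod has no namespace and no `securityContext`, so it runs under whatever the default namespace allows; worth a comment if that is intentional for the test.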
@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+
+set -xe
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+TESTDIR="${SCRIPTPATH}/../../.github/tests"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../../.github/scripts/parse-versions.sh"
+# shellcheck source=/dev/null
+source "${TESTDIR}/common.sh"
+
+CLEANUP=1
+
+for i in "$@"; do
+ case $i in
+ -c)
+ CLEANUP=0
+ shift # past argument=value
+ ;;
+ esac
+done
+
+teardown() {
+ print_helm_releases
+ print_spire_workload_status spire-server spire-system
+
+ if [[ "$1" -ne 0 ]]; then
+ get_namespace_details spire-server spire-system
+ fi
+
+ if [ "${CLEANUP}" -eq 1 ]; then
+ helm uninstall --namespace spire-mgmt spire-b 2>/dev/null || true
+ helm uninstall --namespace spire-mgmt spire-a 2>/dev/null || true
+ kubectl delete ns spire-mgmt 2>/dev/null || true
+ fi
+}
+
+trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT
+
+helm upgrade --install ingress-nginx ingress-nginx --version "$VERSION_INGRESS_NGINX" --repo "$HELM_REPO_INGRESS_NGINX" \
+ --namespace ingress-nginx \
+ --create-namespace \
+ --set controller.extraArgs.enable-ssl-passthrough=,controller.admissionWebhooks.enabled=false,controller.service.type=ClusterIP \
+ --set controller.ingressClassResource.default=true \
+ --wait
+
+IP=$(kubectl get svc -n ingress-nginx ingress-nginx-controller -o yaml | yq e .spec.clusterIPs[0] -)
+kubectl get configmap -n kube-system coredns -o yaml | grep hosts || kubectl get configmap -n kube-system coredns -o yaml | sed "/ready/a\ hosts {\n fallthrough\n }" | kubectl apply -f -
+kubectl get configmap -n kube-system coredns -o yaml | grep a-org || kubectl get configmap -n kube-system coredns -o yaml | sed "/hosts/a\ $IP spire-server-federation.a-org.local\n $IP spire-server-federation.b-org.local\n" | kubectl apply -f -
+
+kubectl rollout restart -n kube-system deployment/coredns
+kubectl rollout status -w --timeout=1m deploy/coredns -n kube-system
+
+kubectl create namespace spire-mgmt --dry-run=client -o yaml | kubectl apply -f -
+kubectl label namespace spire-mgmt pod-security.kubernetes.io/enforce=restricted || true
+
+helm upgrade --install --namespace spire-mgmt --values "${SCRIPTPATH}/a-values.yaml" \
+ --wait spire-a charts/spire
+
+helm upgrade --install --namespace spire-mgmt --values "${SCRIPTPATH}/b-values.yaml" \
+ --wait spire-b charts/spire
+
+kubectl exec -it -n spire-server spire-a-server-0 -c spire-server -- spire-server bundle show -format spiffe | kubectl exec -i -n spire-server spire-b-server-0 -c spire-server -- spire-server bundle set -format spiffe -id spiffe://a-org.local
+kubectl exec -it -n spire-server spire-b-server-0 -c spire-server -- spire-server bundle show -format spiffe | kubectl exec -i -n spire-server spire-a-server-0 -c spire-server -- spire-server bundle set -format spiffe -id spiffe://b-org.local
+
+kubectl exec -it -n spire-server spire-b-server-0 -c spire-server -- spire-server bundle list
+kubectl exec -it -n spire-server spire-a-server-0 -c spire-server -- spire-server bundle list
+
+kubectl apply -f "${SCRIPTPATH}/server-svc.yaml"
+kubectl apply -f "${SCRIPTPATH}/server-pod.yaml"
+kubectl apply -f "${SCRIPTPATH}/client-pod.yaml"
+
+kubectl wait --for=condition=Ready pod/client --timeout 5m
diff --git a/examples/federation/server-pod.yaml b/examples/federation/server-pod.yaml
new file mode 100644
index 000000000..db992f46d
--- /dev/null
+++ b/examples/federation/server-pod.yaml
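Review bot: The two `bundle show ... | ... bundle set` pipelines that bootstrap trust between the domains run under `set -xe` without `pipefail`, so only the `bundle set` exit status counts and a failing `bundle show` (server not yet serving, wrong pod name) is masked unless `bundle set` happens to reject the empty input; the producer side also uses `kubectl exec -it`, and a TTY on the stdout of a pipe is never what you want for data that is parsed. Change the header to `set -xeo pipefail` and drop `-t` from the producers, e.g. `kubectl exec -i -n spire-server spire-a-server-0 -c spire-server -- spire-server bundle show -format spiffe | ...`. Separately, `teardown` uninstalls the two releases and deletes `spire-mgmt` but leaves the ingress-nginx release and the edited kube-system CoreDNS ConfigMap (the injected `hosts` block with the two federation names) in place, which matters on anything but a throwaway cluster — at minimum a comment on `teardown()` saying so, ideally a revert of the CoreDNS edit when `CLEANUP` is set.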
@@ -0,0 +1,50 @@ +apiVersion: v1 +kind: Pod +metadata: + name: server + labels: + app.kubernetes.io/name: server +spec: + containers: + - name: nginx + image: nginx + command: + - /bin/sh + - -c + - | + cat > /etc/nginx/conf.d/default.conf < /usr/share/nginx/html/index.html + exec nginx -g "daemon off;" + - name: ghostunnel + image: ghostunnel/ghostunnel:v1.7.2 + command: + - ghostunnel + - server + - --use-workload-api-addr + - unix:/spire-workload-api/spire-agent.sock + - --listen + - 0.0.0.0:8443 + - --target + - localhost:8080 + - --allow-uri + - spiffe://a-org.local/ns/default/sa/default + volumeMounts: + - name: agent + mountPath: /spire-workload-api + readOnly: true + ports: + - containerPort: 8443 + volumes: + - name: agent + csi: + driver: b.csi.spiffe.io + readOnly: true diff --git a/examples/federation/server-svc.yaml b/examples/federation/server-svc.yaml new file mode 100644 index 000000000..caef658ac --- /dev/null +++ b/examples/federation/server-svc.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: server +spec: + selector: + app.kubernetes.io/name: server + ports: + - protocol: TCP + port: 8443 + targetPort: 8443 From 2c56c4a5b1b62c6f92d48d4b4e635ec6a4842fb0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Jan 2024 03:15:51 -0800 Subject: [PATCH 50/64] Bump github.com/onsi/ginkgo/v2 from 2.14.0 to 2.15.0 in /tests (#191) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.14.0 to 2.15.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.14.0...v2.15.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... 
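Review bot: `image: nginx` is unpinned, and the container's startup script rewrites `/etc/nginx/conf.d/default.conf` and `/usr/share/nginx/html/index.html`, which on the stock nginx image implies running as root in the default namespace where run-tests.sh enforces no Pod Security level; pin a tag and consider the `nginxinc/nginx-unprivileged` image the chart already uses for its own insecure scheme, with a `securityContext` that matches the restricted profile. The heredoc body of that script is not visible in this rendering (`cat > /etc/nginx/conf.d/default.conf < /usr/share/nginx/html/index.html` is all that survives), so the listener configuration cannot be checked here — verify the file contains a server block listening on the `localhost:8080` target that ghostunnel forwards to. The `--allow-uri spiffe://a-org.local/ns/default/sa/default` restriction is the right shape; a one-line comment saying the server only admits the client pod's SPIFFE ID from the federated domain would make the example's intent obvious.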
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/go.mod | 2 +- tests/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index 1d60dcb65..9f09aa9e8 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -3,7 +3,7 @@ module github.com/spiffe/helm-charts/tests go 1.20 require ( - github.com/onsi/ginkgo/v2 v2.14.0 + github.com/onsi/ginkgo/v2 v2.15.0 github.com/onsi/gomega v1.30.0 helm.sh/helm/v3 v3.13.3 ) diff --git a/tests/go.sum b/tests/go.sum index 1077b631d..374fbc4e4 100644 --- a/tests/go.sum +++ b/tests/go.sum @@ -85,8 +85,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY= -github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw= +github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY= +github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM= github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= From a59220dd86dc54f1584f0065c9668ed998737b7e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Jan 2024 03:31:32 -0800 Subject: [PATCH 51/64] Bump helm.sh/helm/v3 from 3.13.3 to 3.14.0 in /tests (#190) Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.13.3 to 3.14.0. - [Release notes](https://github.com/helm/helm/releases) - [Commits](https://github.com/helm/helm/compare/v3.13.3...v3.14.0) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/go.mod | 22 +++++++++++----------- tests/go.sum | 47 ++++++++++++++++++++++++----------------------- 2 files changed, 35 insertions(+), 34 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index 9f09aa9e8..1ef4fb6e1 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -5,7 +5,7 @@ go 1.20 require ( github.com/onsi/ginkgo/v2 v2.15.0 github.com/onsi/gomega v1.30.0 - helm.sh/helm/v3 v3.13.3 + helm.sh/helm/v3 v3.14.0 ) require ( @@ -15,7 +15,7 @@ require ( github.com/Masterminds/sprig/v3 v3.2.3 // indirect github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/davecgh/go-spew v1.1.1 // indirect - github.com/emicklei/go-restful/v3 v3.10.1 // indirect + github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/go-logr/logr v1.3.0 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect @@ -47,7 +47,7 @@ require ( github.com/xeipuuv/gojsonschema v1.2.0 // indirect golang.org/x/crypto v0.17.0 // indirect golang.org/x/net v0.19.0 // indirect - golang.org/x/oauth2 v0.8.0 // indirect + golang.org/x/oauth2 v0.10.0 // indirect golang.org/x/sys v0.15.0 // indirect golang.org/x/term v0.15.0 // indirect golang.org/x/text v0.14.0 // indirect 
@@ -58,14 +58,14 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.28.4 // indirect - k8s.io/apiextensions-apiserver v0.28.4 // indirect - k8s.io/apimachinery v0.28.4 // indirect - k8s.io/client-go v0.28.4 // indirect - k8s.io/klog/v2 v2.100.1 // indirect - k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect - k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect + k8s.io/api v0.29.0 // indirect + k8s.io/apiextensions-apiserver v0.29.0 // indirect + k8s.io/apimachinery v0.29.0 // indirect + k8s.io/client-go v0.29.0 // indirect + k8s.io/klog/v2 v2.110.1 // indirect + k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect + k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.3.0 // indirect ) diff --git a/tests/go.sum b/tests/go.sum index 374fbc4e4..6a77680ad 100644 --- a/tests/go.sum +++ b/tests/go.sum 
@@ -16,10 +16,10 @@ github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxG github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ= -github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE= -github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= @@ -41,6 +41,7 @@ github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
@@ -142,8 +143,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= -golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= -golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= +golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -204,25 +205,25 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -helm.sh/helm/v3 v3.13.3 h1:0zPEdGqHcubehJHP9emCtzRmu8oYsJFRrlVF3TFj8xY= -helm.sh/helm/v3 v3.13.3/go.mod h1:3OKO33yI3p4YEXtTITN2+4oScsHeQe71KuzhlZ+aPfg= -k8s.io/api v0.28.4 h1:8ZBrLjwosLl/NYgv1P7EQLqoO8MGQApnbgH8tu3BMzY= -k8s.io/api v0.28.4/go.mod h1:axWTGrY88s/5YE+JSt4uUi6NMM+gur1en2REMR7IRj0= -k8s.io/apiextensions-apiserver v0.28.4 h1:AZpKY/7wQ8n+ZYDtNHbAJBb+N4AXXJvyZx6ww6yAJvU= -k8s.io/apiextensions-apiserver v0.28.4/go.mod h1:pgQIZ1U8eJSMQcENew/0ShUTlePcSGFq6dxSxf2mwPM= -k8s.io/apimachinery v0.28.4 h1:zOSJe1mc+GxuMnFzD4Z/U1wst50X28ZNsn5bhgIIao8= -k8s.io/apimachinery v0.28.4/go.mod h1:wI37ncBvfAoswfq626yPTe6Bz1c22L7uaJ8dho83mgg= -k8s.io/client-go v0.28.4 h1:Np5ocjlZcTrkyRJ3+T3PkXDpe4UpatQxj85+xjaD2wY= -k8s.io/client-go v0.28.4/go.mod h1:0VDZFpgoZfelyP5Wqu0/r/TRYcLYuJ2U1KEeoaPa1N4= -k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= -k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= -k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +helm.sh/helm/v3 v3.14.0 h1:TaZIH6uOchn7L27ptwnnuHJiFrT/BsD4dFdp/HLT2nM= +helm.sh/helm/v3 v3.14.0/go.mod h1:2itvvDv2WSZXTllknfQo6j7u3VVgMAvm8POCDgYH424= +k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A= +k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA= 
+k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0= +k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc= +k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o= +k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis= +k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8= +k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38= +k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= +k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= From 9a483c174ae3537022955d472322b9e2374b1683 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Jan 2024 04:07:00 -0800 Subject: [PATCH 52/64] Bump github.com/onsi/gomega from 1.30.0 to 1.31.0 in /tests (#192) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.30.0 to 1.31.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.30.0...v1.31.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/go.mod | 2 +- tests/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index 1ef4fb6e1..c1b5cabd1 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -4,7 +4,7 @@ go 1.20 require ( github.com/onsi/ginkgo/v2 v2.15.0 - github.com/onsi/gomega v1.30.0 + github.com/onsi/gomega v1.31.0 helm.sh/helm/v3 v3.14.0 ) diff --git a/tests/go.sum b/tests/go.sum index 6a77680ad..9459de19d 100644 --- a/tests/go.sum +++ b/tests/go.sum 
@@ -88,8 +88,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY= github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM= -github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= -github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/onsi/gomega v1.31.0 h1:54UJxxj6cPInHS3a35wm6BK/F9nHYueZ1NVujHDrnXE= +github.com/onsi/gomega v1.31.0/go.mod h1:DW9aCi7U6Yi40wNVAvT6kzFnEVEI5n3DloYBiKiT6zk= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= From af155c2edcabe6321360c071db1efd445dfe31ec Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Thu, 18 Jan 2024 16:08:22 -0800 Subject: [PATCH 53/64] Add support for running spiffe secured discovery provider (default) (#163) * SPIFFE OIDC Discovery Provider Rework Fixes: https://github.com/spiffe/helm-charts-hardened/issues/151 Signed-off-by: Kevin Fox * Enhance clusterspiffeid's so the discovery provider is independently configurable Signed-off-by: Kevin Fox * Fix tests Signed-off-by: Kevin Fox * More fix tests Signed-off-by: Kevin Fox * More fix tests Signed-off-by: Kevin Fox * Undo Signed-off-by: Kevin Fox * Fix logging Signed-off-by: Kevin Fox * Try to get output Signed-off-by: Kevin Fox * Try and get error code Signed-off-by: Kevin Fox * Fix more logging. Switch port used. Signed-off-by: Kevin Fox * Fix logging Signed-off-by: Kevin Fox * Fix port Signed-off-by: Kevin Fox * Fix up logs for nested test and fix values Signed-off-by: Kevin Fox * Make consistent Signed-off-by: Kevin Fox * Fix nested test 
Signed-off-by: Kevin Fox * Fix insecure mode and test. Signed-off-by: Kevin Fox * Fix test. Signed-off-by: Kevin Fox * Fix var scoping issue Signed-off-by: Kevin Fox * Set the right flags for ingress Signed-off-by: Kevin Fox * Update dns template Signed-off-by: Kevin Fox * Use more standard port Signed-off-by: Kevin Fox * Fix test logging Signed-off-by: Kevin Fox * Allow reencrypt. Signed-off-by: Kevin Fox * Remove testing changes Signed-off-by: Kevin Fox * Fix formatting Signed-off-by: Kevin Fox * Add LetsEncrypt/ACME/cert-manager support. Remove broken ACME support. Signed-off-by: Kevin Fox * Use spiffe-helper as a sidecar. Significant space savings and read only cert dir Signed-off-by: Kevin Fox * Fix the nested test Signed-off-by: Kevin Fox * Fix merge issue Signed-off-by: Kevin Fox * Remove 1.29.0 until deps catch up. Related issue: https://github.com/rancher/kubectl/pull/94 Signed-off-by: Kevin Fox * Add more error checking Signed-off-by: Kevin Fox * Remove testing code Signed-off-by: Kevin Fox * Simplify the ids. Fix docs Signed-off-by: Kevin Fox * Fix logic Signed-off-by: Kevin Fox * Fix var Signed-off-by: Kevin Fox * Make cert-manager bits more readable Signed-off-by: Kevin Fox * Fix template Signed-off-by: Kevin Fox * Fix openshift ingress Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Update docs Signed-off-by: Kevin Fox * Add resource spec Signed-off-by: Kevin Fox * Remove parts that cant merge yet Signed-off-by: Kevin Fox * Add support for running spiffe secured discovery provider (default) Signed-off-by: Kevin Fox * Fix tests Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Fix test Signed-off-by: Kevin Fox * Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 * Fix docs Signed-off-by: Kevin Fox * Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 * Incorperate feedback 
Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Fix test Signed-off-by: Kevin Fox * Fix test Signed-off-by: Kevin Fox * Fix merge conflict Signed-off-by: Kevin Fox * Fix merge conflict Signed-off-by: Kevin Fox * Remove defaults Signed-off-by: Kevin Fox * Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 * Fix docs Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Add missing configurable for the discovery providers csi driver Signed-off-by: Kevin Fox * Update for changes in spiffe-helper Signed-off-by: Kevin Fox * Point at upstream Signed-off-by: Kevin Fox --------- Signed-off-by: Kevin Fox Signed-off-by: kfox1111 Co-authored-by: Faisal Memon --- charts/spire/README.md | 6 +- .../spiffe-oidc-discovery-provider/README.md | 217 +++++++++--------- .../templates/configmap.yaml | 7 +- .../templates/deployment.yaml | 46 ++++ .../values.yaml | 14 ++ charts/spire/values.yaml | 2 +- examples/nested/values.yaml | 6 - examples/production/values.yaml | 6 - 8 files changed, 181 insertions(+), 123 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 92e09bce8..d5f3b3abf 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -229,9 +229,9 @@ Now you can interact with the Spire agent socket from your own application. The ### SPIFFE oidc discovery provider parameters -| Name | Description | Value | -| ---------------------------------------- | ------------------------------------------------------------- | ------- | -| `spiffe-oidc-discovery-provider.enabled` | Flag to enable spiffe-oidc-discovery-provider for the cluster | `false` | +| Name | Description | Value | +| ---------------------------------------- | ------------------------------------------------------------- | ------ | +| `spiffe-oidc-discovery-provider.enabled` | Flag to enable spiffe-oidc-discovery-provider for the cluster | `true` | ### Tornjak frontend parameters 
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 1d0ccd72e..bf84e9551 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -25,109 +25,114 @@ A Helm chart to install the SPIFFE OIDC discovery provider. ### Chart parameters -| Name | Description | Value | -| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | -| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` | -| `csiDriverName` | The csi driver to use | `csi.spiffe.io` | -| `replicaCount` | Replica count | `1` | -| `namespaceOverride` | Namespace override | `""` | -| `annotations` | Annotations for the deployment | `{}` | -| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `image.repository` | The repository within the registry | `spiffe/oidc-discovery-provider` | -| `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `resources` | Resource requests and limits | `{}` | -| `service.type` | Service type | `ClusterIP` | -| `service.ports.http` | Insecure port for the service | `80` | -| `service.ports.https` | Secure port for the service | `443` | -| `service.annotations` | Annotations for service resource | `{}` | -| `configMap.annotations` | Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap | `{}` | -| `podSecurityContext` | Pod security context for OIDC discovery provider pods | `{}` | -| `securityContext` | Security context for OIDC discovery provider deployment | `{}` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | -| 
`livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | -| `podAnnotations` | Pod annotations for Spire OIDC discovery provider | `{}` | -| `tls.spire.enabled` | Use spire to secure the oidc-discovery-provider | `true` | -| `tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` | -| `tls.externalSecret.secretName` | Specify which Secret to use | `""` | -| `tls.certManager.enabled` | Use certificateManager to create the certificate | `false` | -| `tls.certManager.issuer.create` | Create an issuer to use to issue the certificate | `true` | -| `tls.certManager.issuer.acme.email` | Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service | `""` | -| `tls.certManager.issuer.acme.server` | Server to use to get certificate. Defaults to LetsEncrypt | `https://acme-v02.api.letsencrypt.org/directory` | -| `tls.certManager.issuer.acme.solvers` | Configure the issuer solvers. Defaults to http01 via ingress. | `{}` | -| `tls.certManager.certificate.dnsNames` | Override the dnsNames on the certificate request. Defaults to the same settings as Ingress | `[]` | -| `tls.certManager.certificate.issuerRef.group` | If you are using an external plugin, specify the group for it here | `""` | -| `tls.certManager.certificate.issuerRef.kind` | Kind of the issuer reference. Override if you want to use a ClusterIssuer | `Issuer` | -| `tls.certManager.certificate.issuerRef.name` | Name of the issuer to use. If unset, it will use the name of the built in issuer | `""` | -| `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from. Only used when TLS is disabled. | `docker.io` | -| `insecureScheme.nginx.image.repository` | The repository within the registry. Only used when TLS is disabled. | `nginxinc/nginx-unprivileged` | -| `insecureScheme.nginx.image.pullPolicy` | The image pull policy. Only used when TLS is disabled. 
| `IfNotPresent` |
-| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.25.3-alpine` |
-| `insecureScheme.nginx.resources` | Resource requests and limits | `{}` |
-| `jwtIssuer` | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset | `""` |
-| `config.logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` |
-| `config.additionalDomains` | Add additional domains that can be used for oidc discovery | `[]` |
-| `imagePullSecrets` | Image pull secret names | `[]` |
-| `nameOverride` | Name override | `""` |
-| `fullnameOverride` | Full name override | `""` |
-| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
-| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
-| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` |
-| `deleteHook.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` |
-| `autoscaling.enabled` | Flag to enable autoscaling | `false` |
-| `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` |
-| `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `5` |
-| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` |
-| `autoscaling.targetMemoryUtilizationPercentage` | Target Memory utlization that triggers autoscaling | `80` |
-| `nodeSelector` | Node selector | `{}` |
-| `tolerations` | iist of tolerations | `[]` |
-| `affinity` | Node affinity | `{}` |
-| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` |
-| `clusterDomain` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `cluster.local` |
-| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` |
-| 
`telemetry.prometheus.port` | Port for prometheus metrics | `9988` |
-| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` |
-| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the helm release | `""` |
-| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` |
-| `telemetry.prometheus.nginxExporter.image.registry` | The OCI registry to pull the image from | `docker.io` |
-| `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry | `nginx/nginx-prometheus-exporter` |
-| `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.1.0` |
-| `telemetry.prometheus.nginxExporter.resources` | Resource requests and limits | `{}` |
-| `ingress.enabled` | Flag to enable ingress | `false` |
-| `ingress.className` | Ingress class name | `""` |
-| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
-| `ingress.annotations` | Annotations for ingress object | `{}` |
-| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `oidc-discovery` |
-| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` |
-| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` |
-| `ingress.tls` | Secrets containining TLS certs to enable https on ingress. 
If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` |
-| `tests.hostAliases` | List of host aliases for testing | `[]` |
-| `tests.tls.enabled` | Flag for enabling tls for tests | `false` |
-| `tests.tls.customCA` | Custom CA value for tests | `""` |
-| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
-| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
-| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d` |
-| `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
-| `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` |
-| `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:6caf789aa5d2fd1539689ecbee638b6ebf7cdddb4c737a6e09b898943463bbec` |
-| `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` |
-| `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` |
-| `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.25.1` |
-| `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` |
-| `tests.busybox.image.repository` | The repository within the registry | `busybox` |
-| `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `tests.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.36.1-uclibc` |
-| `tests.agent.image.registry` | The OCI registry to pull the image from | `ghcr.io` |
-| 
`tests.agent.image.repository` | The repository within the registry | `spiffe/spire-agent` | -| `tests.agent.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.agent.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | -| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | -| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- | +| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` | +| `csiDriverName` | The csi driver to use | `csi.spiffe.io` | +| `replicaCount` | Replica count | `1` | +| `namespaceOverride` | Namespace override | `""` | +| `annotations` | Annotations for the deployment | `{}` | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/oidc-discovery-provider` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `spiffeHelper.image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `spiffeHelper.image.repository` | The repository within the registry | `spiffe/spiffe-helper` | +| `spiffeHelper.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `spiffeHelper.image.tag` | Overrides the image tag whose 
default is the chart appVersion | `nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6` |
+| `spiffeHelper.resources` | Resource requests and limits | `{}` |
+| `resources` | Resource requests and limits | `{}` |
+| `service.type` | Service type | `ClusterIP` |
+| `service.ports.http` | Insecure port for the service | `80` |
+| `service.ports.https` | Secure port for the service | `443` |
+| `service.annotations` | Annotations for service resource | `{}` |
+| `configMap.annotations` | Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap | `{}` |
+| `podSecurityContext` | Pod security context for OIDC discovery provider pods | `{}` |
+| `securityContext` | Security context for OIDC discovery provider deployment | `{}` |
+| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
+| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
+| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` |
+| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` |
+| `podAnnotations` | Pod annotations for Spire OIDC discovery provider | `{}` |
+| `tls.spire.enabled` | Use spire to secure the oidc-discovery-provider | `true` |
+| `tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` |
+| `tls.externalSecret.secretName` | Specify which Secret to use | `""` |
+| `tls.certManager.enabled` | Use certificateManager to create the certificate | `false` |
+| `tls.certManager.issuer.create` | Create an issuer to use to issue the certificate | `true` |
+| `tls.certManager.issuer.acme.email` | Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service | `""` |
+| `tls.certManager.issuer.acme.server` | Server to use to get certificate. 
Defaults to LetsEncrypt | `https://acme-v02.api.letsencrypt.org/directory` |
+| `tls.certManager.issuer.acme.solvers` | Configure the issuer solvers. Defaults to http01 via ingress. | `{}` |
+| `tls.certManager.certificate.dnsNames` | Override the dnsNames on the certificate request. Defaults to the same settings as Ingress | `[]` |
+| `tls.certManager.certificate.issuerRef.group` | If you are using an external plugin, specify the group for it here | `""` |
+| `tls.certManager.certificate.issuerRef.kind` | Kind of the issuer reference. Override if you want to use a ClusterIssuer | `Issuer` |
+| `tls.certManager.certificate.issuerRef.name` | Name of the issuer to use. If unset, it will use the name of the built in issuer | `""` |
+| `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from. Only used when TLS is disabled. | `docker.io` |
+| `insecureScheme.nginx.image.repository` | The repository within the registry. Only used when TLS is disabled. | `nginxinc/nginx-unprivileged` |
+| `insecureScheme.nginx.image.pullPolicy` | The image pull policy. Only used when TLS is disabled. | `IfNotPresent` |
+| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.25.3-alpine` |
+| `insecureScheme.nginx.resources` | Resource requests and limits | `{}` |
+| `jwtIssuer` | Path to JWT issuer. 
Defaults to oidc-discovery.$trustDomain if unset | `""` |
+| `config.logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` |
+| `config.additionalDomains` | Add additional domains that can be used for oidc discovery | `[]` |
+| `imagePullSecrets` | Image pull secret names | `[]` |
+| `nameOverride` | Name override | `""` |
+| `fullnameOverride` | Full name override | `""` |
+| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
+| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
+| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` |
+| `deleteHook.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` |
+| `autoscaling.enabled` | Flag to enable autoscaling | `false` |
+| `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` |
+| `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `5` |
+| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` |
+| `autoscaling.targetMemoryUtilizationPercentage` | Target Memory utlization that triggers autoscaling | `80` |
+| `nodeSelector` | Node selector | `{}` |
+| `tolerations` | iist of tolerations | `[]` |
+| `affinity` | Node affinity | `{}` |
+| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` |
+| `clusterDomain` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `cluster.local` |
+| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` |
+| `telemetry.prometheus.port` | Port for prometheus metrics | `9988` |
+| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` |
+| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same 
namespace as the helm release | `""` |
+| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` |
+| `telemetry.prometheus.nginxExporter.image.registry` | The OCI registry to pull the image from | `docker.io` |
+| `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry | `nginx/nginx-prometheus-exporter` |
+| `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy | `IfNotPresent` |
+| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.1.0` |
+| `telemetry.prometheus.nginxExporter.resources` | Resource requests and limits | `{}` |
+| `ingress.enabled` | Flag to enable ingress | `false` |
+| `ingress.className` | Ingress class name | `""` |
+| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
+| `ingress.annotations` | Annotations for ingress object | `{}` |
+| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `oidc-discovery` |
+| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` |
+| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` |
+| `ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. 
| `[]` |
+| `tests.hostAliases` | List of host aliases for testing | `[]` |
+| `tests.tls.enabled` | Flag for enabling tls for tests | `false` |
+| `tests.tls.customCA` | Custom CA value for tests | `""` |
+| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
+| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
+| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
+| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d` |
+| `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
+| `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` |
+| `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` |
+| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:6caf789aa5d2fd1539689ecbee638b6ebf7cdddb4c737a6e09b898943463bbec` |
+| `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` |
+| `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` |
+| `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` |
+| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.25.1` |
+| `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` |
+| `tests.busybox.image.repository` | The repository within the registry | `busybox` |
+| `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` |
+| `tests.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.36.1-uclibc` |
+| `tests.agent.image.registry` | The OCI registry to pull the image from | `ghcr.io` |
+| `tests.agent.image.repository` | The repository within the registry | 
`spiffe/spire-agent` | +| `tests.agent.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.agent.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | +| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml index 66930ef94..cb3ca39ad 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml @@ -1,6 +1,5 @@ {{- $tlsCount := 0 }} {{- if and .Values.enabled .Values.tls.spire.enabled }} -{{- fail "Built in SPIRE support is not yet supported." }} {{- $tlsCount = add $tlsCount 1 }} {{- end }} {{- if and .Values.enabled .Values.tls.externalSecret.enabled }} @@ -82,3 +81,9 @@ data: } } {{- end }} + spiffe-helper.conf: | + agent_address = {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | quote }} + cert_dir = "/certs" + svid_file_name = "tls.crt" + svid_key_file_name = "tls.key" + svid_bundle_file_name = "ca.pem" diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml index eaa0e7902..407e39b3d 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml 
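Review bot: The new `spiffe-helper.conf` block writes the X509-SVID private key to `/certs/tls.key` but configures no `renew_signal` or `cmd`, so a rotated SVID only takes effect if the discovery provider re-reads the files on its own; how the provider consumes `/certs` is outside this hunk, so confirm it polls its serving cert and, if it does not, add a `renew_signal` here or the chart will serve an expired SVID after the first rotation. Because a private key is being written to a shared volume, a short comment above the block would help future maintainers: `# spiffe-helper rotates the serving SVID into the certdir volume; tls.key is a private key, so that volume must stay memory-backed and never a hostPath`. Removing the `fail` in the first hunk makes `tls.spire.enabled` a live code path, so the `$tlsCount` accounting that follows is presumably now the only thing preventing two TLS sources from being enabled at once; worth a quick check that the count is still asserted below (outside this hunk).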
@@ -38,6 +38,30 @@ spec: serviceAccountName: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }} securityContext: {{- include "spire-lib.podsecuritycontext" . | nindent 8 }} + initContainers: + {{- if .Values.tls.spire.enabled }} + - name: init + securityContext: + {{- include "spire-lib.securitycontext" . | nindent 12 }} + resources: + {{- toYaml .Values.spiffeHelper.resources | nindent 12 }} + image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }} + args: + - -config + - /etc/spiffe-helper.conf + - -exitWhenReady + volumeMounts: + - name: spiffe-workload-api + mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }} + readOnly: true + - name: spire-oidc-config + mountPath: /etc/spiffe-helper.conf + subPath: spiffe-helper.conf + readOnly: true + - name: certdir + mountPath: /certs + {{- end }} containers: - name: {{ .Chart.Name }} securityContext: @@ -80,6 +104,28 @@ spec: {{- toYaml .Values.livenessProbe | nindent 12 }} resources: {{- toYaml .Values.resources | nindent 12 }} + {{- if .Values.tls.spire.enabled }} + - name: spiffe-helper + resources: + {{- toYaml .Values.spiffeHelper.resources | nindent 12 }} + securityContext: + {{- include "spire-lib.securitycontext" . | nindent 12 }} + image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }} + args: + - -config + - /etc/spiffe-helper.conf + volumeMounts: + - name: spiffe-workload-api + mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }} + readOnly: true + - name: spire-oidc-config + mountPath: /etc/spiffe-helper.conf + subPath: spiffe-helper.conf + readOnly: true + - name: certdir + mountPath: /certs + {{- end }} {{- if not $tlsEnabled }} - name: nginx securityContext: 
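Review bot: The `certdir` volume that both the `init` container and the `spiffe-helper` sidecar mount read-write at `/certs` receives the SVID private key, but the volume definition and the main container's mount are outside this hunk; verify that it is an `emptyDir` with `medium: Memory` so `tls.key` never reaches node disk, and that the discovery-provider container mounts it `readOnly: true`. The config is mounted with `subPath`, which means later edits to the ConfigMap are not propagated into running pods, so unless the deployment carries a config-checksum annotation a manual rollout is needed after changing `spiffe-helper.conf`. Both containers reuse `spire-lib.securitycontext` and mount the Workload API socket `readOnly`, which is the right shape. A one-line comment above `initContainers:` such as `# init runs spiffe-helper once (-exitWhenReady) so tls.crt/tls.key exist before the provider starts; the sidecar then keeps them rotated` would make the two-stage design clear.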
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 0dcf2293f..96e881b0f 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -31,6 +31,20 @@ image: pullPolicy: IfNotPresent tag: "" +spiffeHelper: + image: + ## @param spiffeHelper.image.registry The OCI registry to pull the image from + ## @param spiffeHelper.image.repository The repository within the registry + ## @param spiffeHelper.image.pullPolicy The image pull policy + ## @param spiffeHelper.image.tag Overrides the image tag whose default is the chart appVersion + ## + registry: ghcr.io + repository: spiffe/spiffe-helper + pullPolicy: IfNotPresent + tag: nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6 + ## @param spiffeHelper.resources [object] Resource requests and limits + resources: {} + ## @param resources [object] Resource requests and limits resources: {} # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 6d2cfef27..125588427 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -162,7 +162,7 @@ upstream-spiffe-csi-driver: ## spiffe-oidc-discovery-provider: ## @param spiffe-oidc-discovery-provider.enabled Flag to enable spiffe-oidc-discovery-provider for the cluster - enabled: false + enabled: true ## @section Tornjak frontend parameters ## Parameter values for Tornjak frontend diff --git a/examples/nested/values.yaml b/examples/nested/values.yaml index 2e1094571..b2722b079 100644 --- a/examples/nested/values.yaml +++ b/examples/nested/values.yaml @@ -17,11 +17,5 @@ spire-server: oidc-discovery-provider: autoPopulateDNSNames: false -spiffe-oidc-discovery-provider: - enabled: true - tls: - spire: - enabled: false - upstream: enabled: true 
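Review bot: The `@param spiffeHelper.image.tag` description says the default is the chart appVersion, but the value is a digest-pinned `nightly` build and nothing here falls back to `appVersion` for this image, so the generated README table is misleading; suggest `## @param spiffeHelper.image.tag Image tag; defaults to a digest-pinned nightly build of spiffe-helper (not the chart appVersion)`. Pinning by digest is the right supply-chain control, but shipping a nightly as the default of a hardened chart deserves an inline reason and a follow-up marker, e.g. `# nightly is pinned by digest; move to a released tag once one is available`, since nothing in the diff says why a release cannot be used. Flipping `spiffe-oidc-discovery-provider.enabled` to `true` in charts/spire/values.yaml, together with the examples dropping their `tls.spire.enabled: false` overrides, means every default install now runs the provider on the SPIRE-TLS path; that behaviour change should be called out in the release notes.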
diff --git a/examples/production/values.yaml b/examples/production/values.yaml index 4aeb061c4..c5ce8bd45 100644 --- a/examples/production/values.yaml +++ b/examples/production/values.yaml @@ -2,9 +2,3 @@ global: spire: recommendations: enabled: true - -spiffe-oidc-discovery-provider: - enabled: true - tls: - spire: - enabled: false From 6fec1e598aa404ba2501b7374101b15df6d0ac2d Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Thu, 18 Jan 2024 21:07:53 -0800 Subject: [PATCH 54/64] Update SPIRE to 1.8.7 (#194) Signed-off-by: Kevin Fox --- charts/spire/Chart.yaml | 2 +- charts/spire/README.md | 2 +- .../spiffe-oidc-discovery-provider/Chart.yaml | 2 +- charts/spire/charts/spire-agent/Chart.yaml | 2 +- charts/spire/charts/spire-agent/README.md | 149 +++++++++--------- .../spire-agent/templates/configmap.yaml | 3 + charts/spire/charts/spire-agent/values.yaml | 2 + charts/spire/charts/spire-server/Chart.yaml | 2 +- 8 files changed, 85 insertions(+), 79 deletions(-) diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index ef530cd09..e333e1959 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -4,7 +4,7 @@ description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application version: 0.16.0 -appVersion: "1.8.5" +appVersion: "1.8.7" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire/README.md b/charts/spire/README.md index d5f3b3abf..4dbfbd014 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -1,6 +1,6 @@ # spire -![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.5](https://img.shields.io/badge/AppVersion-1.8.5-informational?style=flat-square) +![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.7](https://img.shields.io/badge/AppVersion-1.8.7-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml index 5109dfab1..3f29481c0 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml @@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider description: A Helm chart to install the SPIFFE OIDC discovery provider. type: application version: 0.1.0 -appVersion: "1.8.5" +appVersion: "1.8.7" keywords: ["spiffe", "oidc"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml index 24c25e30b..1fc821abe 100644 --- a/charts/spire/charts/spire-agent/Chart.yaml +++ b/charts/spire/charts/spire-agent/Chart.yaml 
@@ -3,7 +3,7 @@ name: spire-agent description: A Helm chart to install the SPIRE agent. type: application version: 0.1.0 -appVersion: "1.8.5" +appVersion: "1.8.7" keywords: ["spiffe", "spire-agent"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index d9d664861..f51ea1635 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -25,77 +25,78 @@ A Helm chart to install the SPIRE agent. ### Chart parameters -| Name | Description | Value | -| ------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | -| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `image.repository` | The repository within the registry | `spiffe/spire-agent` | -| `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `imagePullSecrets` | Pull secrets for images | `[]` | -| `nameOverride` | Name override | `""` | -| `namespaceOverride` | Namespace override | `""` | -| `fullnameOverride` | Fullname override | `""` | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use. 
| `""` |
-| `configMap.annotations` | Annotations to add to the SPIRE Agent ConfigMap | `{}` |
-| `podAnnotations` | Annotations to add to pods | `{}` |
-| `podSecurityContext` | Pod security context | `{}` |
-| `securityContext` | Security context | `{}` |
-| `resources` | Resource requests and limits | `{}` |
-| `nodeSelector` | Node selector | `{}` |
-| `tolerations` | List of tolerations | `[]` |
-| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` |
-| `clusterName` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `example-cluster` |
-| `trustDomain` | The trust domain to be used for the SPIFFE identifiers | `example.org` |
-| `trustBundleURL` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap | `""` |
-| `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `pem` |
-| `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` |
-| `server.address` | Address for Spire server | `""` |
-| `server.port` | Port number for Spire server | `8081` |
-| `server.namespaceOverride` | Override the namespace for Spire server | `""` |
-| `healthChecks.port` | override the host port used for health checking | `9982` |
-| `livenessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` |
-| `livenessProbe.periodSeconds` | Period seconds for probe | `60` |
-| `readinessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` |
-| `readinessProbe.periodSeconds` | Period seconds for probe | `60` |
-| `waitForIt.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
-| `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` |
-| `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | 
`latest@sha256:9500241a8a6a5912ded07445991b9d3a0834beef810b10c302af593aee1b33dc` |
-| `waitForIt.resources` | Resource requests and limits | `{}` |
-| `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
-| `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` |
-| `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` |
-| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d` |
-| `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
-| `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` |
-| `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` |
-| `workloadAttestors.k8s.skipKubeletVerification` | If true, kubelet certificate verification is skipped | `true` |
-| `workloadAttestors.k8s.disableContainerSelectors` | Set to true if using holdApplicationUntilProxyStarts in Istio | `false` |
-| `sds.enabled` | Enables Envoy SDS configuration | `false` |
-| `sds.defaultSvidName` | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS | `default` |
-| `sds.defaultBundleName` | The Validation Context resource name to use for the default X.509 bundle with Envoy SDS | `ROOTCA` |
-| `sds.defaultAllBundlesName` | The Validation Context resource name to use for all bundles (including federated) with Envoy SDS | `ALL` |
-| `sds.disableSpiffeCertValidation` | Disable Envoy SDS custom validation | `false` |
-| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` |
-| `telemetry.prometheus.port` | Port for prometheus metrics | `9988` |
-| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` |
-| `telemetry.prometheus.podMonitor.namespace` | Override where to 
install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | -| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | -| `kubeletConnectByHostname` | If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise. | `""` | -| `socketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | -| `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | -| `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | -| `extraVolumes` | Extra volumes to be mounted on Spire Agent pods | `[]` | -| `extraVolumeMounts` | Extra volume mounts for Spire Agent pods | `[]` | -| `extraContainers` | Additional containers to create with Spire Agent pods | `[]` | -| `initContainers` | Additional init containers to create with Spire Agent pods | `[]` | -| `hostAliases` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ | `[]` | -| `customPlugins.keyManager` | Custom plugins of type KeyManager are configured here | `{}` | -| `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` | -| `customPlugins.svidStore` | Custom plugins of type SVIDStore are configured here | `{}` | -| `customPlugins.workloadAttestor` | Custom plugins of type WorkloadAttestor are configured here | `{}` | -| `experimental.enabled` | Allow configuration of experimental features | `false` | -| `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` | -| `experimental.featureFlags` | List of developer feature flags | `[]` | +| Name | Description | Value | +| ------------------------------------------------- | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/spire-agent` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `imagePullSecrets` | Pull secrets for images | `[]` | +| `nameOverride` | Name override | `""` | +| `namespaceOverride` | Namespace override | `""` | +| `fullnameOverride` | Fullname override | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. | `""` | +| `configMap.annotations` | Annotations to add to the SPIRE Agent ConfigMap | `{}` | +| `podAnnotations` | Annotations to add to pods | `{}` | +| `podSecurityContext` | Pod security context | `{}` | +| `securityContext` | Security context | `{}` | +| `resources` | Resource requests and limits | `{}` | +| `nodeSelector` | Node selector | `{}` | +| `tolerations` | List of tolerations | `[]` | +| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | +| `clusterName` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `example-cluster` | +| `trustDomain` | The trust domain to be used for the SPIFFE identifiers | `example.org` | +| `trustBundleURL` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap | `""` | +| `trustBundleFormat` | If using trustBundleURL, what format is the url. 
Choices are "pem" and "spiffe" | `pem` |
+| `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` |
+| `availabilityTarget` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. | `""` |
+| `server.address` | Address for Spire server | `""` |
+| `server.port` | Port number for Spire server | `8081` |
+| `server.namespaceOverride` | Override the namespace for Spire server | `""` |
+| `healthChecks.port` | override the host port used for health checking | `9982` |
+| `livenessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` |
+| `livenessProbe.periodSeconds` | Period seconds for probe | `60` |
+| `readinessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` |
+| `readinessProbe.periodSeconds` | Period seconds for probe | `60` |
+| `waitForIt.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
+| `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` |
+| `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` |
+| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:9500241a8a6a5912ded07445991b9d3a0834beef810b10c302af593aee1b33dc` |
+| `waitForIt.resources` | Resource requests and limits | `{}` |
+| `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
+| `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` |
+| `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` |
+| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d` |
+| `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
+| 
`workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` |
+| `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` |
+| `workloadAttestors.k8s.skipKubeletVerification` | If true, kubelet certificate verification is skipped | `true` |
+| `workloadAttestors.k8s.disableContainerSelectors` | Set to true if using holdApplicationUntilProxyStarts in Istio | `false` |
+| `sds.enabled` | Enables Envoy SDS configuration | `false` |
+| `sds.defaultSvidName` | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS | `default` |
+| `sds.defaultBundleName` | The Validation Context resource name to use for the default X.509 bundle with Envoy SDS | `ROOTCA` |
+| `sds.defaultAllBundlesName` | The Validation Context resource name to use for all bundles (including federated) with Envoy SDS | `ALL` |
+| `sds.disableSpiffeCertValidation` | Disable Envoy SDS custom validation | `false` |
+| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` |
+| `telemetry.prometheus.port` | Port for prometheus metrics | `9988` |
+| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` |
+| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` |
+| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` |
+| `kubeletConnectByHostname` | If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise. | `""` |
+| `socketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` |
+| `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. 
| `""` | +| `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | +| `extraVolumes` | Extra volumes to be mounted on Spire Agent pods | `[]` | +| `extraVolumeMounts` | Extra volume mounts for Spire Agent pods | `[]` | +| `extraContainers` | Additional containers to create with Spire Agent pods | `[]` | +| `initContainers` | Additional init containers to create with Spire Agent pods | `[]` | +| `hostAliases` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ | `[]` | +| `customPlugins.keyManager` | Custom plugins of type KeyManager are configured here | `{}` | +| `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` | +| `customPlugins.svidStore` | Custom plugins of type SVIDStore are configured here | `{}` | +| `customPlugins.workloadAttestor` | Custom plugins of type WorkloadAttestor are configured here | `{}` | +| `experimental.enabled` | Allow configuration of experimental features | `false` | +| `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` | +| `experimental.featureFlags` | List of developer feature flags | `[]` | diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index f0e1d87e5..347ffcaf9 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -32,6 +32,9 @@ agent: trust_bundle_path: "/run/spire/bundle/bundle.crt" {{- end }} trust_domain: {{ include "spire-lib.trust-domain" . | quote }} + {{- with .Values.availabilityTarget }} + availability_target: {{ . | quote }} + {{- end }} {{- if .Values.sds.enabled }} sds: default_svid_name: {{ .Values.sds.defaultSvidName | quote }} diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 7cbbf33a4..4d1850c0a 100644 
--- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -89,6 +89,8 @@ trustBundleURL: "" trustBundleFormat: pem ## @param bundleConfigMap Configmap name for Spire bundle bundleConfigMap: spire-bundle +## @param availabilityTarget The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. +availabilityTarget: "" ## @skip upstream upstream: false diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml index 7d13241a4..21181447c 100644 --- a/charts/spire/charts/spire-server/Chart.yaml +++ b/charts/spire/charts/spire-server/Chart.yaml @@ -3,7 +3,7 @@ name: spire-server description: A Helm chart to install the SPIRE server. type: application version: 0.1.0 -appVersion: "1.8.5" +appVersion: "1.8.7" keywords: ["spiffe", "spire-server", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: From b9ac3c4aec287ac9ea911e1e8be3ec0d487a2c9b Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Fri, 19 Jan 2024 17:10:41 -0800 Subject: [PATCH 55/64] Update to spire-controller-manager 0.4.1 (#193) Signed-off-by: Kevin Fox --- charts/spire/charts/spire-server/README.md | 4 +++- .../controller-manager-configmap.yaml | 4 ++++ .../spire-server/templates/statefulset.yaml | 3 +++ charts/spire/charts/spire-server/values.yaml | 20 ++++++++++++++++++- 4 files changed, 29 insertions(+), 2 deletions(-) diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 4d0252854..2f7f0f43f 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -222,12 +222,13 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `controllerManager.enabled` | Flag to enable controller manager | `false` | | `controllerManager.className` | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. | `""` | | `controllerManager.watchClassless` | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. | `false` | +| `controllerManager.expandEnv` | Set to true to enable environment variable substitution of config file options | `false` | | `controllerManager.installAndUpgradeHook.enabled` | Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | | `controllerManager.deleteHook.enabled` | Enable Helm hook to autofix common delete issues (should be disabled when using `helm template`) | `true` | | `controllerManager.image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `controllerManager.image.repository` | The repository within the registry | `spiffe/spire-controller-manager` | | `controllerManager.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.4.0` | +| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.4.1` | | `controllerManager.resources` | Resource requests and limits for controller manager | `{}` | | `controllerManager.securityContext` | Security context | `{}` | | `controllerManager.service.type` | Service type for controller manager | `ClusterIP` | 
@@ -256,6 +257,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `controllerManager.identities.clusterStaticEntries` | Specify ClusterStaticEntry objects. | `{}` |
 | `controllerManager.identities.clusterFederatedTrustDomains` | Specify ClusterFederatedTrustDomain objects. | `{}` |
 | `controllerManager.validatingWebhookConfiguration.failurePolicy` | Action when identity is not issued | `Fail` |
+| `controllerManager.cacheNamespaces` | If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces. | `{}` |
 | `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` |
 | `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` |
 | `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` |
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
index 60f728ab0..80c530f9d 100644
--- a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
@@ -25,6 +25,10 @@ data:
 leaderElect: true
 resourceName: {{ .Release.Name | sha256sum | trunc 8 }}.spiffe.io
 resourceNamespace: {{ include "spire-server.namespace" . }}
+ {{- with .Values.controllerManager.cacheNamespaces }}
+ cacheNamespaces:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
 validatingWebhookConfigurationName: {{ .Release.Namespace }}-{{ include "spire-controller-manager.fullname" . }}-webhook
 clusterName: {{ include "spire-lib.cluster-name" . }}
 trustDomain: {{ include "spire-lib.trust-domain" . }}
diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml
index 460447749..92c9a7b1c 100644
--- a/charts/spire/charts/spire-server/templates/statefulset.yaml
+++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -195,6 +195,9 @@ spec: imagePullPolicy: {{ .Values.controllerManager.image.pullPolicy }} args: - --config=controller-manager-config.yaml + {{- if .Values.controllerManager.expandEnv }} + - --expand-env + {{- end }} ports: - name: https containerPort: 9443 diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index e9e5a1c2e..04595bb5a 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -420,6 +420,9 @@ controllerManager: ## @param controllerManager.watchClassless specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. watchClassless: false + ## @param controllerManager.expandEnv Set to true to enable environment variable substitution of config file options + expandEnv: false + installAndUpgradeHook: ## @param controllerManager.installAndUpgradeHook.enabled Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) enabled: true @@ -436,7 +439,7 @@ controllerManager: registry: ghcr.io repository: spiffe/spire-controller-manager pullPolicy: IfNotPresent - tag: "0.4.0" + tag: "0.4.1" ## @param controllerManager.resources [object] Resource requests and limits for controller manager resources: {} 
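Review bot: The new `--expand-env` argument changes how the whole rendered controller-manager config is interpreted, but neither this hunk nor the `expandEnv: false` values hunk on the same line documents the consequence: once enabled, every `$VAR`/`${VAR}` in the config, including ones that originate from user values such as selectors or names, is replaced from the container's environment. If the manager implements this with Go's os.ExpandEnv, unset variables expand to the empty string and there is no escape for a literal `$`; I can't confirm that from here, but it is worth checking and stating. Suggest extending the values comment to `## @param controllerManager.expandEnv Set to true to enable environment variable substitution of config file options. When enabled, any $VAR in the rendered config is expanded from the controller-manager container environment` so operators know which environment a security-relevant config is being filled from. The `args:` list and its container block start outside the hunk.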
@@ -564,6 +567,21 @@ controllerManager: ## @param controllerManager.validatingWebhookConfiguration.failurePolicy Action when identity is not issued failurePolicy: Fail + ## @param controllerManager.cacheNamespaces If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces. + cacheNamespaces: {} + # default: + # nsWithLabel: + # labelSelectors: + # lName: l1 + # nsWithField: + # fieldSelectors: + # fName: f1 + # nsWithBoth: + # labelSelectors: + # lName: l1 + # fieldSelectors: + # fName: f1 + tools: kubectl: ## @param tools.kubectl.image.registry The OCI registry to pull the image from From 808795379c6c6dd21594288bcfc24cce0a24e8e3 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Sat, 20 Jan 2024 10:54:00 -0800 Subject: [PATCH 56/64] Remove CRD that isn't really a CRD (#197) Signed-off-by: Kevin Fox --- charts/spire-crds/Chart.yaml | 2 +- ...re.spiffe.io_controllermanagerconfigs.yaml | 60 ------------------- 2 files changed, 1 insertion(+), 61 deletions(-) delete mode 100644 charts/spire-crds/templates/spire.spiffe.io_controllermanagerconfigs.yaml diff --git a/charts/spire-crds/Chart.yaml b/charts/spire-crds/Chart.yaml index d59472f3c..8ac17dcf6 100644 --- a/charts/spire-crds/Chart.yaml +++ b/charts/spire-crds/Chart.yaml @@ -3,7 +3,7 @@ name: spire-crds description: > A Helm chart for deploying the Spire CRDS type: application -version: 0.2.0 +version: 0.3.0 appVersion: "0.0.1" keywords: ["spire-crds"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire diff --git a/charts/spire-crds/templates/spire.spiffe.io_controllermanagerconfigs.yaml b/charts/spire-crds/templates/spire.spiffe.io_controllermanagerconfigs.yaml deleted file mode 100644 index 137616a6b..000000000 --- a/charts/spire-crds/templates/spire.spiffe.io_controllermanagerconfigs.yaml +++ /dev/null 
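Review bot: The commented example under `cacheNamespaces:` does not say what the map keys are; from the names (`default`, `nsWithLabel`, `nsWithBoth`) they look like namespace names, each with optional `labelSelectors`/`fieldSelectors`, and an entry without selectors presumably watches the whole namespace — please confirm against spire-controller-manager 0.4.1 and spell it out, e.g. `# Map of namespace name -> optional label/field selectors; a namespace listed with no selectors is watched in full.` above `# default:`. The operational consequence also deserves a line here and in the README row at the earlier hunk: if the cache is restricted, workloads in namespaces absent from the map are never seen by the manager and so get no entries from the ClusterSPIFFEIDs, which would show up as unexplained SVID gaps. Restricting the cache is the right least-privilege direction, but it narrows what the manager observes, not what its RBAC permits; if the chart's ClusterRole still grants cluster-wide list/watch, a note that the two are independent would avoid a false sense of containment. The enclosing `controllerManager:` mapping starts outside the hunk.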
@@ -1,60 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - {{- .Values.annotations | toYaml | nindent 4 }} - creationTimestamp: null - name: controllermanagerconfigs.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ControllerManagerConfig - listKind: ControllerManagerConfigList - plural: controllermanagerconfigs - singular: controllermanagerconfig - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ControllerManagerConfig is the Schema for the controllermanagerconfigs - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ControllerManagerConfigSpec defines the desired state of - ControllerManagerConfig - properties: - foo: - description: Foo is an example field of ControllerManagerConfig. Edit - controllermanagerconfig_types.go to remove/update - type: string - type: object - status: - description: ControllerManagerConfigStatus defines the observed state - of ControllerManagerConfig - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] 
From 367292682b814c8d3965e584c14dd3ae0c29b227 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 21 Jan 2024 20:07:51 -0800 Subject: [PATCH 57/64] Bump github.com/onsi/gomega from 1.31.0 to 1.31.1 in /tests (#199) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.31.0 to 1.31.1. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.31.0...v1.31.1) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/go.mod | 2 +- tests/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index c1b5cabd1..883753d8d 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -4,7 +4,7 @@ go 1.20 require ( github.com/onsi/ginkgo/v2 v2.15.0 - github.com/onsi/gomega v1.31.0 + github.com/onsi/gomega v1.31.1 helm.sh/helm/v3 v3.14.0 ) diff --git a/tests/go.sum b/tests/go.sum index 9459de19d..e697dae38 100644 --- a/tests/go.sum +++ b/tests/go.sum 
@@ -88,8 +88,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY= github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM= -github.com/onsi/gomega v1.31.0 h1:54UJxxj6cPInHS3a35wm6BK/F9nHYueZ1NVujHDrnXE= -github.com/onsi/gomega v1.31.0/go.mod h1:DW9aCi7U6Yi40wNVAvT6kzFnEVEI5n3DloYBiKiT6zk= +github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo= +github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= From 4668151ff7e026d8002c88f5009cdc778b8de24f Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Mon, 22 Jan 2024 02:09:10 -0800 Subject: [PATCH 58/64] Add missing extraVolumeMounts to the controllerManager (#196) --- charts/spire/charts/spire-server/templates/statefulset.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index 92c9a7b1c..9e6a8cfbe 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -229,6 +229,9 @@ spec: - name: spire-controller-manager-tmp mountPath: /tmp readOnly: false + {{- if gt (len .Values.extraVolumeMounts) 0 }} + {{- toYaml .Values.extraVolumeMounts | nindent 12 }} + {{- end }} {{- end }} {{- if eq (.Values.tornjak.enabled | toString) "true" }} From e59a29b2d44a101babd1e2ede127855e0d30ef5a Mon Sep 17 00:00:00 2001 
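Review bot: Splicing the shared top-level `extraVolumeMounts` value into the spire-controller-manager container means every mount a user adds for the server — upstream CA key material, database credentials, plugin sockets — is now also visible inside the controller-manager container, assuming the same value feeds the spire-server container as its name suggests. A separate `controllerManager.extraVolumeMounts` would keep the two containers' filesystem access independent; if sharing the value is intentional, a comment on the `extraVolumeMounts` values key saying that the mounts apply to both containers would at least make the exposure explicit to operators. Stylistically, `{{- with .Values.extraVolumeMounts }}` / `{{- toYaml . | nindent 12 }}` / `{{- end }}` expresses the same guard without `gt (len …) 0`. The containing `volumeMounts` list and container spec begin outside the hunk.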
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 22 Jan 2024 10:16:50 +0000 Subject: [PATCH 59/64] Bump test chart dependencies (#200) Co-authored-by: marcofranssen --- .github/tests/charts.json | 6 +++--- .../spire/charts/spiffe-oidc-discovery-provider/README.md | 4 ++-- .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 4 ++-- charts/spire/charts/spire-agent/README.md | 2 +- charts/spire/charts/spire-agent/values.yaml | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 8117a0eb9..0497334cd 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,7 +2,7 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "55.8.1" + "version": "56.0.1" }, { "name": "cert-manager", @@ -17,11 +17,11 @@ { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "9.16.2" + "version": "9.18.0" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "13.2.29" + "version": "13.3.1" } ] diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index bf84e9551..91a89bc5f 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -119,11 +119,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:6caf789aa5d2fd1539689ecbee638b6ebf7cdddb4c737a6e09b898943463bbec` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:55cbdb5d87d89ab2c02efcb3bbc06f88bc70828e09294fb8a39be0cbc5c0a3b6` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.25.1` | +| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.25.2` | | `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | | `tests.busybox.image.repository` | The repository within the registry | `busybox` | | `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 96e881b0f..27fa7bd73 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
@@ -340,7 +340,7 @@ tests: registry: cgr.dev repository: chainguard/slim-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:6caf789aa5d2fd1539689ecbee638b6ebf7cdddb4c737a6e09b898943463bbec + tag: latest@sha256:55cbdb5d87d89ab2c02efcb3bbc06f88bc70828e09294fb8a39be0cbc5c0a3b6 step: ## @param tests.step.image.registry The OCI registry to pull the image from @@ -352,7 +352,7 @@ tests: registry: "docker.io" repository: smallstep/step-cli pullPolicy: IfNotPresent - tag: 0.25.1 + tag: 0.25.2 busybox: ## @param tests.busybox.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index f51ea1635..d8835056a 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -63,7 +63,7 @@ A Helm chart to install the SPIRE agent. | `waitForIt.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` | | `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:9500241a8a6a5912ded07445991b9d3a0834beef810b10c302af593aee1b33dc` | +| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:84be7f9205d88f368097c3712a867c5d35d1d024633de4b5675b3f17f63f27cf` | | `waitForIt.resources` | Resource requests and limits | `{}` | | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 4d1850c0a..a8b4dc820 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml 
@@ -132,7 +132,7 @@ waitForIt: registry: cgr.dev repository: chainguard/wait-for-it pullPolicy: IfNotPresent - tag: latest@sha256:9500241a8a6a5912ded07445991b9d3a0834beef810b10c302af593aee1b33dc + tag: latest@sha256:84be7f9205d88f368097c3712a867c5d35d1d024633de4b5675b3f17f63f27cf ## @param waitForIt.resources [object] Resource requests and limits resources: {} From d724d1e690b5d83026c88e5f966cceeaf990cf0c Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Tue, 23 Jan 2024 08:05:49 -0800 Subject: [PATCH 60/64] Update the documentation (#172) * SPIFFE OIDC Discovery Provider Rework Fixes: https://github.com/spiffe/helm-charts-hardened/issues/151 Signed-off-by: Kevin Fox * Enhance clusterspiffeid's so the discovery provider is independently configurable Signed-off-by: Kevin Fox * Fix tests Signed-off-by: Kevin Fox * More fix tests Signed-off-by: Kevin Fox * More fix tests Signed-off-by: Kevin Fox * Undo Signed-off-by: Kevin Fox * Fix logging Signed-off-by: Kevin Fox * Try to get output Signed-off-by: Kevin Fox * Try and get error code Signed-off-by: Kevin Fox * Fix more logging. Switch port used. Signed-off-by: Kevin Fox * Fix logging Signed-off-by: Kevin Fox * Fix port Signed-off-by: Kevin Fox * Fix up logs for nested test and fix values Signed-off-by: Kevin Fox * Make consistent Signed-off-by: Kevin Fox * Fix nested test Signed-off-by: Kevin Fox * Fix insecure mode and test. Signed-off-by: Kevin Fox * Fix test. Signed-off-by: Kevin Fox * Fix var scoping issue Signed-off-by: Kevin Fox * Set the right flags for ingress Signed-off-by: Kevin Fox * Update dns template Signed-off-by: Kevin Fox * Use more standard port Signed-off-by: Kevin Fox * Fix test logging Signed-off-by: Kevin Fox * Allow reencrypt. Signed-off-by: Kevin Fox * Remove testing changes Signed-off-by: Kevin Fox * Fix formatting Signed-off-by: Kevin Fox * Add LetsEncrypt/ACME/cert-manager support. Remove broken ACME support. 
Signed-off-by: Kevin Fox * Use spiffe-helper as a sidecar. Significant space savings and read only cert dir Signed-off-by: Kevin Fox * Fix the nested test Signed-off-by: Kevin Fox * Fix merge issue Signed-off-by: Kevin Fox * Remove 1.29.0 until deps catch up. Related issue: https://github.com/rancher/kubectl/pull/94 Signed-off-by: Kevin Fox * Add more error checking Signed-off-by: Kevin Fox * Remove testing code Signed-off-by: Kevin Fox * Simplify the ids. Fix docs Signed-off-by: Kevin Fox * Fix logic Signed-off-by: Kevin Fox * Fix var Signed-off-by: Kevin Fox * Make cert-manager bits more readable Signed-off-by: Kevin Fox * Fix template Signed-off-by: Kevin Fox * Fix openshift ingress Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Update docs Signed-off-by: Kevin Fox * Add resource spec Signed-off-by: Kevin Fox * Remove parts that cant merge yet Signed-off-by: Kevin Fox * Add support for running spiffe secured discovery provider (default) Signed-off-by: Kevin Fox * Fix tests Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Fix test Signed-off-by: Kevin Fox * Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 * Fix docs Signed-off-by: Kevin Fox * Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 * Incorperate feedback Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Fix test Signed-off-by: Kevin Fox * Fix test Signed-off-by: Kevin Fox * Fix merge conflict Signed-off-by: Kevin Fox * Fix merge conflict Signed-off-by: Kevin Fox * Remove defaults Signed-off-by: Kevin Fox * Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 * Fix docs Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Add missing configurable for the discovery providers csi driver Signed-off-by: Kevin Fox * Update the documentation 
Signed-off-by: Kevin Fox * Apply suggestions from code review Signed-off-by: kfox1111 * Apply suggestions from code review Signed-off-by: kfox1111 * Apply suggestions from code review Signed-off-by: kfox1111 * Apply suggestions from code review Signed-off-by: kfox1111 * Add missing file Signed-off-by: Kevin Fox * Update for changes in spiffe-helper Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox * Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 * Incorperate feedback Signed-off-by: Kevin Fox * Incorperate feedback Signed-off-by: Kevin Fox --------- Signed-off-by: Kevin Fox Signed-off-by: kfox1111 Co-authored-by: Faisal Memon --- README.md | 2 +- charts/spire/README.md | 61 +++++++++++++++--- examples/nested/values.yaml | 2 - examples/openshift/README.md | 80 ------------------------ examples/openshift/openshift-values.yaml | 2 - examples/openshift/values-ibm-cloud.yaml | 5 ++ 6 files changed, 57 insertions(+), 95 deletions(-) delete mode 100644 examples/openshift/README.md delete mode 100644 examples/openshift/openshift-values.yaml create mode 100644 examples/openshift/values-ibm-cloud.yaml diff --git a/README.md b/README.md index 8e4903a7f..3b9b2917d 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ A suite of [Helm Charts](https://helm.sh/docs) for standardized installations of ## How to install or upgrade You most likely want to do an integrated setup based on the spire chart. -See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire#install-notes). +See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire#install-instructions). ## Contributing diff --git a/charts/spire/README.md b/charts/spire/README.md index 4dbfbd014..9d2d63516 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -7,33 +7,74 @@ A Helm chart for deploying the complete Spire stack including: spire-server, spi **Homepage:** -## Install notes +## Install Instructions -To do a quick non production install suitable for quick testing in something like minikube: +### Non Production +To do a quick install suitable for testing in something like minikube: ```shell -helm install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace -helm install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ +helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace +helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ ``` -To customize, start with a base values file and edit as needed: +### Production + +Preparing a production deployment requires a few steps. + +1. Save the following to your-values.yaml, ideally in your git repo. +```yaml +global: + openshift: false # If running on openshift, set to true + spire: + recommendations: + enabled: true + namespaces: + create: true + ingressControllerType: "" # If not openshift, and want to expose services, set to a supported option [ingress-nginx] + # Update these + clusterName: example-cluster + trustDomain: example.org +spire-server: + ca_subject: + # Update these + country: ARPA + organization: Example + common_name: example.org +``` +2. If you need a non default storageClass, append the following to the spire-server section and update: +``` + persistence: + storageClass: your-storage-class +``` + +3. 
If your Kubernetes cluster is OpenShift based, use the output of the following command to update the trustDomain setting: ```shell -curl -o your-values.yaml https://raw.githubusercontent.com/spiffe/helm-charts-hardened/main/examples/production/example-your-values.yaml +oc get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//' ``` -Then: +4. Find any additional values you might want to set based on the documentation below or using the [examples](https://github.com/spiffe/helm-charts-hardened/tree/main/examples) + +In particular, consider using an external database. + +5. Deploy ```shell -helm install -n spire-server spire --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml +helm upgrade --install -n spire-mgmt spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace +helm upgrade --install -n spire-mgmt spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml ``` -For production installs, please see [the production example](https://github.com/spiffe/helm-charts-hardened/tree/spire-0.16.0/examples/production). - ## Upgrade notes We only support upgrading one major version at a time. Version skipping isn't supported. +### 0.17.X + +- The SPIFFE OIDC Discovery Provider now has many new TLS options and defaults to using SPIRE to issue its certificate. +- The `spiffe-oidc-discovery-provider.insecureScheme.enabled` flag was removed. If you previously set that flag, remove the setting from your values.yaml and see if the new default of using a SPIRE issued certificate is suitable for your deployment. If it isn't, please consider one of the other options under `spiffe-oidc-discovery-provider.tls`. If all other options are still unsuitable, you can still enable the previous mode by disabling TLS. (`spiffe-oidc-discovery-provider.spire.enabled=false`) + +- The SPIFFE OIDC Discovery Provider is now enabled by default. 
If you previously chose to have it off, you can disable it explicitly with `spiffe-oidc-discovery-provider.enabled=false`. + ### 0.16.X The settings under "spire-server.controllerManager.identities" have all been moved under "spire-server.controllerManager.identities.clusterSPIFFEIDs.default". If you have changed any from the defaults, please update them to the new location during upgrade. diff --git a/examples/nested/values.yaml b/examples/nested/values.yaml index b2722b079..f06b140c6 100644 --- a/examples/nested/values.yaml +++ b/examples/nested/values.yaml @@ -3,13 +3,11 @@ global: upstreamSpireAddress: spire-server.spire-root-server spire-server: - enabled: true upstreamAuthority: spire: enabled: true upstreamDriver: upstream.csi.spiffe.io controllerManager: - enabled: true identities: clusterSPIFFEIDs: default: diff --git a/examples/openshift/README.md b/examples/openshift/README.md deleted file mode 100644 index 1e5181586..000000000 --- a/examples/openshift/README.md +++ /dev/null 
@@ -1,80 +0,0 @@ -# Recommended setup for installing Spire on Openshift - -> [!Note] -> This functionality is under development. It works but has no automated testing and will have security tightened in the future. - -This deployment works only with Openshift version 4.13 or higher. Get the Openshift platform here: [try.openshift.com](try.openshift.com) - -To be consistent with the rest of the Spire helm-charts, -we deploy Spire across 2 namespaces. - -```shell -kubectl create namespace "spire-system" -kubectl create namespace "spire-server" - -#Note, the first install requires privilege due to helm ordering issue. After install it can be safely tightened back up. -kubectl label namespace "spire-server" pod-security.kubernetes.io/enforce=privileged - -kubectl label namespace "spire-system" security.openshift.io/scc.podSecurityLabelSync=false -kubectl label namespace "spire-system" pod-security.kubernetes.io/enforce=privileged -kubectl label namespace "spire-system" pod-security.kubernetes.io/warn=privileged --overwrite -kubectl label namespace "spire-system" pod-security.kubernetes.io/audit=privileged --overwrite - -helm upgrade --install --namespace spire-server spire-crds charts/spire-crds -``` - -Obtain you ingress subdomain: - -```shell -appdomain=$(oc get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//') -echo "$appdomain" -``` - -Update the `example-your-values.yaml` file with your subdomain. 
- -> [!Note] -> The location of the apps subdomain may be different in certain environments_ - -## Standard Deployment - -```shell -helm upgrade --install --namespace spire-server spire charts/spire \ ---values examples/production/values.yaml \ ---values examples/openshift/openshift-values.yaml \ ---values examples/production/example-your-values.yaml \ ---render-subchart-notes -``` - -## IBM Cloud Deployment - -Openshift on IBM Cloud requires additional configuration: - -```shell -helm upgrade --install --namespace spire-server spire charts/spire \ ---values examples/production/values.yaml \ ---values examples/openshift/openshift-values.yaml \ ---set spiffe-csi-driver.kubeletPath=/var/data/kubelet \ ---set spiffe-csi-driver.restrictedScc.enabled=true \ ---values examples/production/example-your-values.yaml \ ---render-subchart-notes -``` - -## Feature Customization - -Additional features such as tornjak can be enabled by including their example values files before --values examples/production/example-your-values.yaml - -For example: - -```shell ---values examples/openshift/openshift-values.yaml \ ---values examples/tornjak/values.yaml \ ---values examples/production/example-your-values.yaml \ -``` - -## Finish install - -Once installed, the namespace security can be tightened back up. - -```shell -kubectl label namespace "spire-server" pod-security.kubernetes.io/enforce=restricted --overwrite -``` diff --git a/examples/openshift/openshift-values.yaml b/examples/openshift/openshift-values.yaml deleted file mode 100644 index 87ea5a320..000000000 --- a/examples/openshift/openshift-values.yaml +++ /dev/null @@ -1,2 +0,0 @@ -global: - openshift: true diff --git a/examples/openshift/values-ibm-cloud.yaml b/examples/openshift/values-ibm-cloud.yaml new file mode 100644 index 000000000..b83ce678a --- /dev/null +++ b/examples/openshift/values-ibm-cloud.yaml @@ -0,0 +1,5 @@ +spiffe-csi-driver: + kubeletPath: /var/data/kubelet + restrictedScc: + enabled: true + 
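Review bot: Nothing in the new values-ibm-cloud.yaml says why kubeletPath is /var/data/kubelet or when restrictedScc.enabled is needed, and the only text that did — the "IBM Cloud Deployment" section of examples/openshift/README.md, deleted earlier in this patch — goes away with it. A header comment would keep that context with the file, e.g. `# Additional values for OpenShift on IBM Cloud, layered on top of your main values file: IBM Cloud uses a non-default kubelet root and needs restrictedScc for the spiffe-csi-driver.` The file also ends with a stray blank line that a YAML linter will flag.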
From 4c307c1be14de20f583a00e4577e09490beec5ed Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Tue, 23 Jan 2024 13:18:49 -0800 Subject: [PATCH 61/64] Add missing bundlePublisher section and extraEnv so settings can be set (#201) Signed-off-by: Kevin Fox Co-authored-by: Faisal Memon --- charts/spire/charts/spire-server/README.md | 3 +++ .../spire/charts/spire-server/templates/configmap.yaml | 2 +- .../spire/charts/spire-server/templates/statefulset.yaml | 7 +++++++ charts/spire/charts/spire-server/values.yaml | 9 +++++++++ 4 files changed, 20 insertions(+), 1 deletion(-) diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 2f7f0f43f..c43712cf4 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -223,6 +223,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `controllerManager.className` | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. | `""` | | `controllerManager.watchClassless` | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. | `false` | | `controllerManager.expandEnv` | Set to true to enable environment variable substitution of config file options | `false` | +| `controllerManager.extraEnv` | Extra environment variables to add to the controller manager | `[]` | | `controllerManager.installAndUpgradeHook.enabled` | Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | | `controllerManager.deleteHook.enabled` | Enable Helm hook to autofix common delete issues (should be disabled when using `helm template`) | `true` | | `controllerManager.image.registry` | The OCI registry to pull the image from | `ghcr.io` | @@ -274,6 +275,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | | `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | | `ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` | +| `extraEnv` | Extra environment variables to add to the spire server | `[]` | | `extraVolumes` | Extra volumes to be mounted | `[]` | | `extraVolumeMounts` | Extra volume mounts | `[]` | | `extraContainers` | Additional containers to create | `[]` | 
@@ -321,6 +323,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tornjak.config.clientCA.name` | Name of the resource secret or configMap with user CA for TLS | `tornjak-client-ca` | | `tornjak.resources` | Resource requests and limits | `{}` | | `tornjak.securityContext` | Security Context to use | `{}` | +| `customPlugins.bundlePublisher` | Custom plugins of type BundlePublisher are configured here | `{}` | | `customPlugins.keyManager` | Custom plugins of type KeyManager are configured here | `{}` | | `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` | | `customPlugins.upstreamAuthority` | Custom plugins of type upstreamAuthority are configured here | `{}` | diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index eea9d3a91..37e369ba2 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -5,7 +5,7 @@ {{- include "spire-lib.check-strict-mode" (list . "ca_subject.organization must be set" (eq .Values.ca_subject.organization "Example"))}} {{- include "spire-lib.check-strict-mode" (list . "ca_subject.common_name must be set" (eq .Values.ca_subject.common_name "example.org"))}} {{- range $type, $tvals := .Values.customPlugins }} -{{- if not (has $type (list "keyManager" "nodeAttestor" "upstreamAuthority" "notifier")) }} +{{- if not (has $type (list "bundlePublisher" "keyManager" "nodeAttestor" "upstreamAuthority" "notifier")) }} {{- fail (printf "Unknown plugin type specified: %s" $type) }} {{- end }} {{- range $name, $nval := $tvals }} diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index 9e6a8cfbe..c628f92a7 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml 
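Review bot: The allowlist on the changed `has $type (list ...)` line is now one of three hand-maintained copies of the plugin-type key set — the customPlugins and unsupportedBuiltInPlugins maps in values.yaml gain bundlePublisher in this same patch — and nothing ties them together, so the next plugin type can easily land in two of the three. A one-line comment above the outer `range` would make the coupling explicit: `{{- /* Keep this list in sync with the customPlugins and unsupportedBuiltInPlugins keys in values.yaml */ }}`. The inner `range $name, $nval := $tvals` body is outside the hunk, so I cannot see whether an external plugin is required to carry a plugin_checksum; if it is not, the check-strict-mode calls just above this hunk are the natural place to require one, since a BundlePublisher plugin handles the trust bundle itself.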
+++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -86,6 +86,9 @@ spec: env: - name: PATH value: "/opt/spire/bin:/bin" + {{- with .Values.extraEnv }} + {{- . | toYaml | nindent 10 }} + {{- end }} {{- if ne .Values.dataStore.sql.databaseType "sqlite3" }} {{- if .Values.dataStore.sql.externalSecret.enabled }} - name: DBPW @@ -198,6 +201,10 @@ spec: {{- if .Values.controllerManager.expandEnv }} - --expand-env {{- end }} + {{- if gt (len .Values.controllerManager.extraEnv) 0 }} + env: + {{- .Values.controllerManager.extraEnv | toYaml | nindent 12 }} + {{- end }} ports: - name: https containerPort: 9443 diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 04595bb5a..f56226b0f 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -423,6 +423,9 @@ controllerManager: ## @param controllerManager.expandEnv Set to true to enable environment variable substitution of config file options expandEnv: false + ## @param controllerManager.extraEnv [array] Extra environment variables to add to the controller manager + extraEnv: [] + installAndUpgradeHook: ## @param controllerManager.installAndUpgradeHook.enabled Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) enabled: true @@ -640,6 +643,9 @@ ingress: # hosts: # - spire-server.example.org +## @param extraEnv [array] Extra environment variables to add to the spire server +extraEnv: [] + ## @param extraVolumes [array] Extra volumes to be mounted extraVolumes: [] 
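Review bot: The new `with .Values.extraEnv` block is spliced between the chart's own PATH entry and the conditional DBPW entry, with no check that a user entry does not reuse one of those names. Kubernetes accepts duplicate names in a container's env list rather than rejecting them, so a user-supplied PATH or DBPW would silently win or lose against the chart-managed one depending on position (which entry the kubelet honours should be confirmed, but either way the outcome is not visible from values.yaml). A small guard that fails the render on a collision removes the ambiguity; the controller-manager hunk below, which only emits `env:` when the list is non-empty, has no chart-managed names to collide with and can stay as is. The container definition that holds this env list starts above the hunk.
```yaml
          - name: PATH
            value: "/opt/spire/bin:/bin"
          {{- range .Values.extraEnv }}
          {{- if has .name (list "PATH" "DBPW") }}
          {{- fail (printf "extraEnv must not redefine the chart-managed variable %s" .name) }}
          {{- end }}
          {{- end }}
          {{- with .Values.extraEnv }}
          {{- . | toYaml | nindent 10 }}
          {{- end }}
          # … unchanged: dataStore DBPW env entry …
```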
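Review bot: The `@param extraEnv` description (and the matching controllerManager.extraEnv one in the hunk above) does not warn that a literal `value:` ends up in plaintext in the values file, the Helm release Secret and the rendered manifest, which matters for a component that already goes to the trouble of sourcing DBPW from a Secret. Suggest `## @param extraEnv [array] Extra environment variables to add to the spire server (use valueFrom/secretKeyRef rather than a literal value for anything sensitive)`, with the same clause on the controllerManager entry. The README tables in this patch appear to be generated from these annotations, so fixing the wording here should carry over.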
@@ -785,16 +791,19 @@ tornjak: # can prioritize proper support. ## @skip unsupportedBuiltInPlugins unsupportedBuiltInPlugins: + bundlePublisher: {} keyManager: {} nodeAttestor: {} upstreamAuthority: {} notifier: {} +## @param customPlugins.bundlePublisher Custom plugins of type BundlePublisher are configured here ## @param customPlugins.keyManager Custom plugins of type KeyManager are configured here ## @param customPlugins.nodeAttestor Custom plugins of type NodeAttestor are configured here ## @param customPlugins.upstreamAuthority Custom plugins of type upstreamAuthority are configured here ## @param customPlugins.notifier Custom plugins of type notifier are configured here customPlugins: + bundlePublisher: {} keyManager: {} nodeAttestor: {} upstreamAuthority: {} From 4a6c705e6a9d7009328a623059dd7fb9b62ab72b Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Wed, 24 Jan 2024 00:20:18 -0800 Subject: [PATCH 62/64] Update the CRs to enable multiple instance nesting without naming conflicts (#189) --- charts/spire/charts/spire-server/README.md | 1 + charts/spire/charts/spire-server/templates/_helpers.tpl | 2 +- .../spire-server/templates/controller-manager-cluster-ids.yaml | 2 +- .../spire-server/templates/controller-manager-configmap.yaml | 2 +- .../charts/spire-server/templates/controller-manager-ftd.yaml | 2 +- .../templates/controller-manager-static-entries.yaml | 2 +- charts/spire/charts/spire-server/values.yaml | 3 +++ 7 files changed, 9 insertions(+), 5 deletions(-) diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index c43712cf4..1f8f7e9ec 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -88,6 +88,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | | `imagePullSecrets` | Pull secrets for images | `[]` | | `nameOverride` | Name override | `""` | +| `crNameOverride` | Name override for any custom resources | `""` | | `namespaceOverride` | Namespace override | `""` | | `fullnameOverride` | Fullname override | `""` | | `serviceAccount.create` | Specifies whether a service account should be created | `true` | diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl index 75050af9a..d2ecb3967 100644 --- a/charts/spire/charts/spire-server/templates/_helpers.tpl +++ b/charts/spire/charts/spire-server/templates/_helpers.tpl @@ -261,6 +261,6 @@ The code below determines what connection type should be used. {{- if .Values.controllerManager.className }} {{- .Values.controllerManager.className }} {{- else }} -{{- .Release.Namespace }}-{{ .Release.Name }} +{{- .Release.Namespace }}-{{ default .Release.Name .Values.crNameOverride }} {{- end -}} {{- end -}} diff --git a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml index c22e9c0e9..cbd5400c5 100644 --- a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml +++ b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml @@ -49,7 +49,7 @@ matchLabels: apiVersion: spire.spiffe.io/v1alpha1 kind: ClusterSPIFFEID metadata: - name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }} + name: {{ $root.Release.Namespace }}-{{ default $root.Release.Name $root.Values.crNameOverride }}-{{ $key }} {{- with $value.annotations }} annotations: {{- toYaml . | nindent 4 }} 
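Review bot: Deriving the default className from crNameOverride means that setting or changing crNameOverride on an installed release silently changes which custom resources the controller manager reconciles: CRs that users created by hand with the old `<namespace>-<release>` class name are no longer matched, and controllerManager.watchClassless (described in the README hunk earlier in this series as covering only CRs with no class name at all) does not rescue them. That deserves a sentence in the 0.17.X upgrade notes and in the crNameOverride value description, along the lines of `Changing this on an existing release also changes the default controllerManager.className; update any CRs created outside the chart to match.` The `define` that contains this branch starts above the hunk.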
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml index 80c530f9d..f11982f0d 100644 --- a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml +++ b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml @@ -23,7 +23,7 @@ data: healthProbeBindAddress: 0.0.0.0:8083 leaderElection: leaderElect: true - resourceName: {{ .Release.Name | sha256sum | trunc 8 }}.spiffe.io + resourceName: {{ printf "%s-%s" .Release.Namespace (default .Release.Name .Values.crNameOverride) | sha256sum | trunc 8 }}.spiffe.io resourceNamespace: {{ include "spire-server.namespace" . }} {{- with .Values.controllerManager.cacheNamespaces }} cacheNamespaces: diff --git a/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml b/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml index 1c2b659a0..d41c0b7b4 100644 --- a/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml +++ b/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml @@ -16,7 +16,7 @@ apiVersion: spire.spiffe.io/v1alpha1 kind: ClusterFederatedTrustDomain metadata: - name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }} + name: {{ $root.Release.Namespace }}-{{ default $root.Release.Name $root.Values.crNameOverride }}-{{ $key }} {{- with $value.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/spire/charts/spire-server/templates/controller-manager-static-entries.yaml b/charts/spire/charts/spire-server/templates/controller-manager-static-entries.yaml index 47629c4a4..df76208c7 100644 --- a/charts/spire/charts/spire-server/templates/controller-manager-static-entries.yaml +++ b/charts/spire/charts/spire-server/templates/controller-manager-static-entries.yaml 
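Review bot: Every existing install gets a new leader-election resourceName on upgrade, because the hash input on the changed line switches from the release name alone to `<namespace>-<name>`, yet the version-bump commit at the end of this series adds nothing to the upgrade notes about it. With a StatefulSet the outgoing controller-manager pod is normally terminated before its replacement starts, so a window with two pods holding two different Leases should be short or absent, but that is worth confirming rather than assuming; the old Lease object is presumably left behind as well, since it is created by the controller manager rather than by the chart. A note such as `The controller-manager leader-election lease name changes on upgrade to 0.17; the previous Lease object in the server namespace can be deleted.` in the 0.17.X section would cover both.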
@@ -16,7 +16,7 @@ apiVersion: spire.spiffe.io/v1alpha1 kind: ClusterStaticEntry metadata: - name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }} + name: {{ $root.Release.Namespace }}-{{ default $root.Release.Name $root.Values.crNameOverride }}-{{ $key }} {{- with $value.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index f56226b0f..e89b097eb 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -26,6 +26,9 @@ imagePullSecrets: [] ## @param nameOverride Name override nameOverride: "" +## @param crNameOverride Name override for any custom resources +crNameOverride: "" + ## @param namespaceOverride Namespace override namespaceOverride: "" From 50d30fd6ef287216287b14dcea13f800d9214fb4 Mon Sep 17 00:00:00 2001 From: cccsss01 <56396984+cccsss01@users.noreply.github.com> Date: Tue, 23 Jan 2024 22:40:45 -0600 Subject: [PATCH 63/64] Update statefulset with default container annotation. Adding default container annotation to the stateful set Signed-off-by: cccsss01 <56396984+cccsss01@users.noreply.github.com> --- charts/spire/charts/spire-server/templates/statefulset.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index c628f92a7..45fe21df1 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -29,6 +29,7 @@ spec: template: metadata: annotations: + kubectl.kubernetes.io/default-container: spire-server checksum/config: {{ $configSum }} checksum/config2: {{ $configSum2 }} checksum/config3: {{ $configSum3 }} From 2df2e1661fe41a02c03e91b6a45e3b19524c1c39 Mon Sep 17 00:00:00 2001 
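Review bot: The description `Name override for any custom resources` undersells what crNameOverride does in this patch: it also seeds the default controllerManager.className (_helpers.tpl) and the leader-election lease name (controller-manager-configmap.yaml), and because it is embedded in the metadata.name of the generated ClusterSPIFFEID, ClusterFederatedTrustDomain and ClusterStaticEntry objects it must be a valid DNS-1123 name fragment, which the templates do not validate. Suggest `## @param crNameOverride Name override for the generated custom resources (also used for the default controllerManager.className and the leader-election lease; must be a valid DNS-1123 name fragment; changing it on an existing release renames those objects)`.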
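Review bot: The annotation value `spire-server` is hard-coded, and the hunk does not show the `name:` field of the container it has to match; if no container carries that name, kubectl would presumably fall back to its usual first-container default without complaint. If the container name is a literal `spire-server` elsewhere in this template that is fine, but if it is templated (a helper or nameOverride) the annotation should use the same expression so the two cannot drift. A one-line comment either way would help: `# must match the name of the spire-server container below`.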
From: Kevin Fox Date: Tue, 23 Jan 2024 14:45:50 -0800 Subject: [PATCH 64/64] Bump spire Helm Chart version from 0.16.0 to 0.17.0 * 4c307c1 Add missing bundlePublisher section and extraEnv so settings can be set (#201) * d724d1e Update the documentation (#172) * e59a29b Bump test chart dependencies (#200) * 4668151 Add missing extraVolumeMounts to the controllerManager (#196) * b9ac3c4 Update to spire-controller-manager 0.4.1 (#193) * 6fec1e5 Update SPIRE to 1.8.7 (#194) * af155c2 Add support for running spiffe secured discovery provider (default) (#163) * 3ccdb5e Add tls section to federation bundle endpoint and fix up annotations (#173) * c7ab131 Add join_token server nodeattestor support (#187) * 81e9523 Bump test chart dependencies (#186) * 6d19a76 Fix agent daemonset format (#184) * b61d4f5 Add spire-agent to spire-agent pod path (#180) * befa074 Fix notes bug (#178) * 912c61e Remove deprecated version values (#179) * ae4ef6e Update HorizontalPodAutoscaler API to autoscaling/v2 (#153) * e7a61a9 Bump test chart dependencies * 183e9aa SPIFFE OIDC Discovery Provider Rework (#152) * 8f1aba8 Bump test chart dependencies (#171) * 2454b8c Fix links still pointing at older git repo (#167) * e5c5527 Bump test chart dependencies (#165) * e630008 Update jwt test to work with newer slim images (#139) * c39dd44 Add recommendation for namespacePSS (#131) * 49beb64 Add recommendation for namespaceLayout (#127) * 33cacd2 Add recommendation for prometheus exporter (#144) * 6997d6a Add recommendation for securityContext and podSecurityContext (#125) * 50c4ac3 Add recommendation for strictMode (#143) * 4fb9d18 Bump test chart dependencies (#155) * 811123a Update the Tornjak image version (#150) * 1524537 Update default for additionalDomains not to include localhost (#146) * e35838c Add recommendation for priorityClass (#124) * 9f72a8f Use good and automatic defaults for tornjak frontend workingDir (#129) * 7726351 Tornjak UBI support (#123) * 89c07e2 Revert openssl 3.2 change 
(#142) * a3d3702 Bump test chart dependencies * 80c7653 Bump test chart dependencies (#134) * 13f6028 SELinux support (#122) * 3e8335c Add a flag to enable recommendations (#121) * 692d463 Remove unneeded lookup function from upgrade hook (#104) * 8422b8d Added ability to create namespaces (#103) Signed-off-by: Kevin Fox --- charts/spire/Chart.yaml | 2 +- charts/spire/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index e333e1959..8de538319 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -3,7 +3,7 @@ name: spire description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.16.0 +version: 0.17.0 appVersion: "1.8.7" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire diff --git a/charts/spire/README.md b/charts/spire/README.md index 9d2d63516..6b0b79554 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -1,6 +1,6 @@ # spire -![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.7](https://img.shields.io/badge/AppVersion-1.8.7-informational?style=flat-square) +![Version: 0.17.0](https://img.shields.io/badge/Version-0.17.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.7](https://img.shields.io/badge/AppVersion-1.8.7-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.