Merge branch 'main' into release

.github/tests/charts.json

@@ -2,7 +2,7 @@
  {
  "name": "kube-prometheus-stack",
  "repo": "https://prometheus-community.github.io/helm-charts",
- "version": "52.1.0"
+ "version": "54.2.2"
  },
  {
  "name": "cert-manager",
@@ -17,11 +17,11 @@
  {
  "name": "mysql",
  "repo": "https://charts.bitnami.com/bitnami",
- "version": "9.14.1"
+ "version": "9.14.4"
  },
  {
  "name": "postgresql",
  "repo": "https://charts.bitnami.com/bitnami",
- "version": "13.2.1"
+ "version": "13.2.18"
  }
 ]

.github/tests/dependencies/spire-root-server-values.yaml

@@ -6,13 +6,15 @@ global:
 spire-server:
  controllerManager:
  identities:
- namespaceSelector:
- kubernetes.io/metadata.name: spire-server
- podSelector:
- app.kubernetes.io/component: server
- app.kubernetes.io/instance: spire
- app.kubernetes.io/name: server
- downstream: true
+ clusterSPIFFEIDs:
+ default:
+ namespaceSelector:
+ kubernetes.io/metadata.name: spire-server
+ podSelector:
+ app.kubernetes.io/component: server
+ app.kubernetes.io/instance: spire
+ app.kubernetes.io/name: server
+ downstream: true
  nodeAttestor:
  k8sPsat:
  serviceAccountAllowList:

Makefile

@@ -63,3 +63,8 @@ test-example-%:
 
 .PHONY: test-examples
 test-examples: $(patsubst examples/%/values.yaml,test-example-%,$(wildcard examples/*/values.yaml)) ## Run `helm install` and `helm test` for all the examples containing `run-tests.sh`
+
+.PHONY: diagrams
+diagrams: ## Builds diagrams
+ @dot -Tpng examples/nested/singlehardened.dot > examples/nested/singlehardened.png
+ @dot -Tpng examples/nested/multicluster.dot > examples/nested/multicluster.png

README.md

@@ -1,4 +1,4 @@
-> [!Note]
+>  **Note**
 > Things to consider:
 > 1. We do not support running out of the git main branch. This is where development happens. Please use released versions via the published repo or git tags.
 > 2. All the helm charts in this repo are beta. We encourage you to try them out and contribute. The API may change as we move towards a production ready release.
@@ -14,7 +14,7 @@ A suite of [Helm Charts](https://helm.sh/docs) for standardized installations of
 ## How to install or upgrade
 
 You most likely want to do an integrated setup based on the spire chart.
-See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire).
+See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire#install-notes).
 
 ## Contributing
 

charts/spire/Chart.yaml

@@ -3,8 +3,8 @@ name: spire
 description: >
  A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.15.1
-appVersion: "1.8.4"
+version: 0.16.0
+appVersion: "1.8.5"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts/tree/main/charts/spire
 sources:

charts/spire/README.md

@@ -1,6 +1,6 @@
 # spire
 
-![Version: 0.15.1](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square)
+![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.5](https://img.shields.io/badge/AppVersion-1.8.5-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@@ -12,8 +12,8 @@ A Helm chart for deploying the complete Spire stack including: spire-server, spi
 To do a quick non production install suitable for quick testing in something like minikube:
 
 ```shell
-helm install -n spire-server spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
-helm install -n spire-server spire --repo https://spiffe.github.io/helm-charts-hardened/
+helm install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
+helm install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/
 ```
 
 To customize, start with a base values file and edit as needed:
@@ -28,10 +28,16 @@ Then:
 helm install -n spire-server spire --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml
 ```
 
-For production installs, please see [the production example](https://github.com/spiffe/helm-charts-hardened/tree/main/examples/production).
+For production installs, please see [the production example](https://github.com/spiffe/helm-charts-hardened/tree/spire-0.16.0/examples/production).
 
 ## Upgrade notes
 
+We only support upgrading one major version at a time. Version skipping isn't supported.
+
+### 0.16.X
+
+The settings under "spire-server.controllerManager.identities" have all been moved under "spire-server.controllerManager.identities.clusterSPIFFEIDs.default". If you have changed any from the defaults, please update them to the new location during upgrade.
+
 ### 0.15.X
 
 The spire-crds chart has been updated. Please ensure you have upgraded spire-crds before upgrading the spire chart.

charts/spire/charts/spiffe-csi-driver/Chart.yaml

@@ -5,9 +5,9 @@ type: application
 version: 0.1.0
 appVersion: "0.2.3"
 keywords: ["spiffe", "csi-driver"]
-home: https://github.com/spiffe/helm-charts/tree/main/charts/spire
+home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
- - https://github.com/spiffe/helm-charts/tree/main/charts/spire
+ - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
 maintainers:
  - name: marcofranssen

charts/spire/charts/spiffe-csi-driver/README.md

@@ -4,11 +4,7 @@
 
 A Helm chart to install the SPIFFE CSI driver.
 
-**Homepage:** <https://github.com/spiffe/helm-charts/tree/main/charts/spire>
-
-> [!Note]
-> The recommended version is `0.2.3` to support arm64 nodes. If running with any
-> prior version to `0.2.3` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`.
+**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
 
 ## Maintainers
 
@@ -21,7 +17,7 @@ A Helm chart to install the SPIFFE CSI driver.
 
 ## Source Code
 
-* <https://github.com/spiffe/helm-charts/tree/main/charts/spire>
+* <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
 
 <!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
 
@@ -60,7 +56,7 @@ A Helm chart to install the SPIFFE CSI driver.
 | `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` |
 | `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` |
 | `nodeDriverRegistrar.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
-| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.0` |
+| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.1` |
 | `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` |
 | `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` |
 | `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` |

charts/spire/charts/spiffe-csi-driver/templates/spiffe-csi-driver.yaml

@@ -1,8 +1,13 @@
+{{- $labels := dict }}
+{{- if (dig "openshift" false .Values.global) }}
+{{- $_ := set $labels "security.openshift.io/csi-ephemeral-volume-profile" "restricted" }}
+{{- end }}
+{{- $labels = mergeOverwrite $labels .Values.csiDriverLabels }}
 apiVersion: storage.k8s.io/v1
 kind: CSIDriver
 metadata:
  name: {{ .Values.pluginName | quote }}
- {{- with .Values.csiDriverLabels }}
+ {{- with $labels }}
  labels:
  {{- toYaml . | nindent 4 }}
  {{- end }}

charts/spire/charts/spiffe-csi-driver/values.yaml

@@ -110,7 +110,7 @@ nodeDriverRegistrar:
  repository: sig-storage/csi-node-driver-registrar
  pullPolicy: IfNotPresent
  version: ""
- tag: v2.9.0
+ tag: v2.9.1
  ## @param nodeDriverRegistrar.resources Resource requests and limits for CSI driver pods
  resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious

charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml

@@ -3,11 +3,11 @@ name: spiffe-oidc-discovery-provider
 description: A Helm chart to install the SPIFFE OIDC discovery provider.
 type: application
 version: 0.1.0
-appVersion: "1.8.4"
+appVersion: "1.8.5"
 keywords: ["spiffe", "oidc"]
-home: https://github.com/spiffe/helm-charts/tree/main/charts/spire
+home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
- - https://github.com/spiffe/helm-charts/tree/main/charts/spire
+ - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
 maintainers:
  - name: marcofranssen

charts/spire/charts/spiffe-oidc-discovery-provider/README.md

@@ -4,12 +4,7 @@
 
 A Helm chart to install the SPIFFE OIDC discovery provider.
 
-**Homepage:** <https://github.com/spiffe/helm-charts/tree/main/charts/spire>
-
-> [!Note]
-> Minimum Spire version is `1.5.3`.
-> The recommended version is `1.6.0` to support arm64 nodes. If running with any
-> prior version to `1.6.0` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`.
+**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
 
 ## Maintainers
 
@@ -22,7 +17,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 
 ## Source Code
 
-* <https://github.com/spiffe/helm-charts/tree/main/charts/spire>
+* <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
 
 <!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
 
@@ -58,7 +53,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | `insecureScheme.nginx.image.repository` | The repository within the registry | `nginxinc/nginx-unprivileged` |
 | `insecureScheme.nginx.image.pullPolicy` | The image pull policy | `IfNotPresent` |
 | `insecureScheme.nginx.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
-| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.25.2-alpine` |
+| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.25.3-alpine` |
 | `insecureScheme.nginx.resources` | Resource requests and limits | `{}` |
 | `jwtIssuer` | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset | `""` |
 | `config.logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` |
@@ -110,12 +105,12 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
 | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
 | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
-| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3d077aae77eb552abd85a015d087047a7a7353d974e5f7fc6a402180c1501214` |
+| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e` |
 | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` |
 | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` |
 | `tests.toolkit.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
-| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d1fc4d296994f28d7e0264c933a12ba75c9a80478ff1eb4b6f692bb91a073a4c` |
+| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:99cafee4f14fe07a3298fcb7b90d4f0c396cba150b65d937856788b42ad83f79` |
 | `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` |
 | `tests.busybox.image.repository` | The repository within the registry | `busybox` |
 | `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` |

charts/spire/charts/spiffe-oidc-discovery-provider/templates/scc-spire-oidc-discovery-provider.yaml

@@ -15,13 +15,13 @@ users:
  - system:serviceaccount:{{ include "spiffe-oidc-discovery-provider.namespace" . }}:{{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}-pre-delete
 volumes:
  - configMap
+ - csi
+ - downwardAPI
+ - emptyDir
+ - ephemeral
  - hostPath
  - projected
  - secret
- - ephemeral
- - downwardAPI
- - csi
- - emptyDir
 allowHostDirVolumePlugin: true
 allowHostIPC: true
 allowHostNetwork: true