diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 221f97ec6..575ee077e 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,7 +2,7 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "57.0.3" + "version": "57.1.1" }, { "name": "cert-manager", @@ -17,11 +17,11 @@ { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "9.23.0" + "version": "10.1.0" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "14.3.3" + "version": "15.1.4" } ] diff --git a/.github/tests/common.sh b/.github/tests/common.sh index 3211e3863..7d5323b2e 100755 --- a/.github/tests/common.sh +++ b/.github/tests/common.sh @@ -55,6 +55,7 @@ print_spire_workload_status () { | Namespace | Workload | Status | | --------- | ---------------------------------------------- | ------ | | ${ns1} | ${release_name}-server |
$(k_rollout_status "${ns1}" statefulset "${release_name}-server")
| +| ${ns1} | ${release_name}-server |
$(k_rollout_status "${ns1}" deployments.apps "${release_name}-server")
| | ${ns2} | ${release_name}-spiffe-csi-driver |
$(k_rollout_status "${ns2}" daemonset "${release_name}-spiffe-csi-driver")
| | ${ns2} | ${release_name}-agent |
$(k_rollout_status "${ns2}" daemonset "${release_name}-agent")
| | ${ns1} | ${release_name}-spiffe-oidc-discovery-provider |
$(k_rollout_status "${ns1}" deployments.apps "${release_name}-spiffe-oidc-discovery-provider")
| diff --git a/.github/tests/images.json b/.github/tests/images.json index 12863b587..3baf2e165 100644 --- a/.github/tests/images.json +++ b/.github/tests/images.json @@ -7,11 +7,6 @@ } ], "spire-agent/values.yaml": [ - { - "query": "waitForIt.image", - "filter": "LATESTSHA", - "sort-flags": [] - }, { "query": "socketAlternate.image", "filter": "LATESTSHA", diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index f1bb4371a..4411997ed 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -3,8 +3,8 @@ name: spire description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.19.0 -appVersion: "1.9.1" +version: 0.19.1 +appVersion: "1.9.2" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire/README.md b/charts/spire/README.md index 570d01ac6..911a34e49 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
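Review bot: The row added to `print_spire_workload_status` in common.sh reuses the exact Workload label `${release_name}-server` of the statefulset row above it, so the table now prints two indistinguishable server rows, and for any given install only one of the two resource kinds exists. Label them by kind so a reader can tell which status belongs to the deployed `kind`, e.g. `| ${ns1} | ${release_name}-server (statefulset) |` and `| ${ns1} | ${release_name}-server (deployment) |`; if `k_rollout_status` does not tolerate a missing resource (its definition is not in this hunk), branch on the installed kind instead of printing both. The function's heredoc continues past the end of the hunk.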
@@ -1,6 +1,6 @@ # spire -![Version: 0.19.0](https://img.shields.io/badge/Version-0.19.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.1](https://img.shields.io/badge/AppVersion-1.9.1-informational?style=flat-square) +![Version: 0.19.1](https://img.shields.io/badge/Version-0.19.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.2](https://img.shields.io/badge/AppVersion-1.9.2-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. 
@@ -244,11 +244,12 @@ Now you can interact with the Spire agent socket from your own application. The ### Spire server parameters -| Name | Description | Value | -| ---------------------------------------- | --------------------------------------------- | -------- | -| `spire-server.enabled` | Flag to enable Spire server | `true` | -| `spire-server.nameOverride` | Overrides the name of Spire server pods | `server` | -| `spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` | +| Name | Description | Value | +| ---------------------------------------- | ------------------------------------------------------------------------- | ------------- | +| `spire-server.enabled` | Flag to enable Spire server | `true` | +| `spire-server.nameOverride` | Overrides the name of Spire server pods | `server` | +| `spire-server.kind` | Run spire server as deployment/statefulset. This feature is experimental. | `statefulset` | +| `spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` | ### Spire agent parameters diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md index f527f9d34..5a3bd3aa9 100644 --- a/charts/spire/charts/spiffe-csi-driver/README.md +++ b/charts/spire/charts/spiffe-csi-driver/README.md 
@@ -57,7 +57,7 @@ A Helm chart to install the SPIFFE CSI driver. | `nodeDriverRegistrar.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` | | `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` | | `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.3` | +| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.4` | | `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` | | `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | | `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` | diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml index a1ebe659f..3381a96ec 100644 --- a/charts/spire/charts/spiffe-csi-driver/values.yaml +++ b/charts/spire/charts/spiffe-csi-driver/values.yaml @@ -116,7 +116,7 @@ nodeDriverRegistrar: registry: registry.k8s.io repository: sig-storage/csi-node-driver-registrar pullPolicy: IfNotPresent - tag: v2.9.3 + tag: v2.9.4 ## @param nodeDriverRegistrar.resources Resource requests and limits for CSI driver pods resources: {} # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index e5eb881b8..7bcc8f049 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -115,11 +115,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d69268f206bc7914c25f7377309a73406517678458ebccec0e6bfab7b9b7e9d2` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3b5e8046bc76624f645b97684845c3aef3c27d001db0f3f71d1ffbdf885edea7` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:faaccf708167925bbbf1dbfcbaf6ab733a170074bce7901542a0c38b87838842` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:803995505bc612174a9594a85493916a5234b6a8e0fa619763eceaf2d189cd75` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 728a83790..e5e814393 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
@@ -328,7 +328,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:d69268f206bc7914c25f7377309a73406517678458ebccec0e6bfab7b9b7e9d2 + tag: latest@sha256:3b5e8046bc76624f645b97684845c3aef3c27d001db0f3f71d1ffbdf885edea7 toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -340,7 +340,7 @@ tests: registry: cgr.dev repository: chainguard/slim-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:faaccf708167925bbbf1dbfcbaf6ab733a170074bce7901542a0c38b87838842 + tag: latest@sha256:803995505bc612174a9594a85493916a5234b6a8e0fa619763eceaf2d189cd75 step: ## @param tests.step.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml index 98cf207e9..c1b7811fa 100644 --- a/charts/spire/charts/spire-agent/Chart.yaml +++ b/charts/spire/charts/spire-agent/Chart.yaml @@ -3,7 +3,7 @@ name: spire-agent description: A Helm chart to install the SPIRE agent. type: application version: 0.1.0 -appVersion: "1.9.1" +appVersion: "1.9.2" keywords: ["spiffe", "spire-agent"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index f3af4fff0..1fff20169 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -66,15 +66,10 @@ A Helm chart to install the SPIRE agent. | `livenessProbe.periodSeconds` | Period seconds for probe | `60` | | `readinessProbe.initialDelaySeconds` | Initial delay seconds for probe | `10` | | `readinessProbe.periodSeconds` | Period seconds for probe | `30` | -| `waitForIt.image.registry` | The OCI registry to pull the image from | `cgr.dev` | -| `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` | -| `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:1f449e8972f7ffc876cafae20f58e2ff9015141b02cfc637a71ce9a5dddd73ba` | -| `waitForIt.resources` | Resource requests and limits | `{}` | | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d69268f206bc7914c25f7377309a73406517678458ebccec0e6bfab7b9b7e9d2` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3b5e8046bc76624f645b97684845c3aef3c27d001db0f3f71d1ffbdf885edea7` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` | | `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s Node Attestor | `true` | 
@@ -110,7 +105,7 @@ A Helm chart to install the SPIRE agent. | `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` | | `socketAlternate.image.pullPolicy` | The image pull policy | `Always` | -| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d69268f206bc7914c25f7377309a73406517678458ebccec0e6bfab7b9b7e9d2` | +| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3b5e8046bc76624f645b97684845c3aef3c27d001db0f3f71d1ffbdf885edea7` | | `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | | `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index 4de965b10..215bee637 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -37,6 +37,7 @@ agent: {{- end }} data_dir: "/run/spire" log_level: {{ .Values.logLevel | quote }} + retry_bootstrap: true server_address: {{ include "spire-agent.server-address" . | trim | quote }} server_port: {{ .Values.server.port | quote }} socket_path: /tmp/spire-agent/public/{{ include "spire-agent.socket-path" . | base }} diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index db8fe9dbb..3a785541f 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml 
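Review bot: `retry_bootstrap: true` in spire-agent configmap.yaml is the only setting in this block that is hard-coded rather than read from `.Values` (`log_level`, `server_address` and `server_port` next to it all are), and nothing documents why. It appears to stand in for the wait-for-it init container this commit removes from daemonset.yaml, which previously held the agent back until the server port answered, so a comment should say so: `# Replaces the removed wait-for-it init container: the agent keeps retrying attestation until the server is reachable instead of failing at start.` Because the key is unconditional, an operator pinning `image.tag` to an agent release that predates this option would get it in their config regardless; if the appVersion bump to 1.9.2 in this commit is what introduces support, state that minimum version in the comment as well.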
@@ -115,17 +115,6 @@ spec: mountPath: /tpm imagePullPolicy: {{ .Values.nodeAttestor.tpmDirect.plugin.image.pullPolicy }} {{- end }} - - name: init - # This is a small image with wait-for-it, choose whatever image - # you prefer that waits for a service to be up. This image is built - # from https://github.com/vishnubob/wait-for-it - image: {{ template "spire-lib.image" (dict "image" .Values.waitForIt.image "global" .Values.global) }} - imagePullPolicy: {{ .Values.waitForIt.image.pullPolicy }} - args: ["-t", "30", "-h", "{{ include "spire-agent.server-address" . | trim }}", "-p", {{ .Values.server.port | quote }}] - resources: - {{- toYaml .Values.waitForIt.resources | nindent 12 }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} {{- if gt (len $socketAlternateNames) 0 }} - name: ensure-alternate-names image: {{ template "spire-lib.image" (dict "image" .Values.socketAlternate.image "global" .Values.global) }} diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index ea10d1244..9253e7ac0 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml 
@@ -140,21 +140,6 @@ readinessProbe: initialDelaySeconds: 10 periodSeconds: 30 -waitForIt: - ## @param waitForIt.image.registry The OCI registry to pull the image from - ## @param waitForIt.image.repository The repository within the registry - ## @param waitForIt.image.pullPolicy The image pull policy - ## @param waitForIt.image.tag Overrides the image tag whose default is the chart appVersion - ## - image: - registry: cgr.dev - repository: chainguard/wait-for-it - pullPolicy: IfNotPresent - tag: latest@sha256:1f449e8972f7ffc876cafae20f58e2ff9015141b02cfc637a71ce9a5dddd73ba - - ## @param waitForIt.resources [object] Resource requests and limits - resources: {} - # When running as non root, needed to ensure the socket path has the correct permissions. # Set runAsUser to a non-zero value in podSecurityContext to run as non-root user. fsGroupFix: @@ -167,7 +152,7 @@ fsGroupFix: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:d69268f206bc7914c25f7377309a73406517678458ebccec0e6bfab7b9b7e9d2 + tag: latest@sha256:3b5e8046bc76624f645b97684845c3aef3c27d001db0f3f71d1ffbdf885edea7 ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} @@ -275,7 +260,7 @@ socketAlternate: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:d69268f206bc7914c25f7377309a73406517678458ebccec0e6bfab7b9b7e9d2 + tag: latest@sha256:3b5e8046bc76624f645b97684845c3aef3c27d001db0f3f71d1ffbdf885edea7 ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml index 8cdb0569f..ec9c217c5 100644 --- a/charts/spire/charts/spire-server/Chart.yaml +++ b/charts/spire/charts/spire-server/Chart.yaml 
@@ -3,7 +3,7 @@ name: spire-server description: A Helm chart to install the SPIRE server. type: application version: 0.1.0 -appVersion: "1.9.1" +appVersion: "1.9.2" keywords: ["spiffe", "spire-server", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 1c6d8fad8..9309b48af 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -86,6 +86,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `image.repository` | The repository within the registry | `spiffe/spire-server` | | `image.pullPolicy` | The image pull policy | `IfNotPresent` | | `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `kind` | Define SPIRE server deployment type. Can be statefulset/deployment. Defaults to statefulset if not set. This feature is experimental. | `statefulset` | | `imagePullSecrets` | Pull secrets for images | `[]` | | `nameOverride` | Name override | `""` | | `crNameOverride` | Name override for any custom resources | `""` | 
@@ -119,9 +120,9 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | | `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | | `persistence.type` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `pvc` | -| `persistence.size` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `1Gi` | -| `persistence.accessMode` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `ReadWriteOnce` | -| `persistence.storageClass` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `nil` | +| `persistence.size` | What size volume to use for persistence | `1Gi` | +| `persistence.accessMode` | What access mode to use for persistence. Valid options are ReadWriteOnce (recommended), ReadWriteOncePod, ReadWriteMany (not recommended) | `ReadWriteOnce` | +| `persistence.storageClass` | What storage class to use for persistence | `nil` | | `persistence.hostPath` | Which path to use on the host when type = hostPath | `""` | | `dataStore.sql.databaseType` | Other supported databases are "postgres" and "mysql" | `sqlite3` | | `dataStore.sql.databaseName` | Only used by "postgres" or "mysql" | `spire` | 
@@ -301,7 +302,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `defaultX509SvidTTL` | TTL for X509 Svids | `4h` | | `defaultJwtSvidTTL` | TTL for JWT Svids | `1h` | | `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s nodeattestor | `true` | -| `nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` | +| `nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor. If namespace isn't specified, release namespace will be used. | `[]` | | `nodeAttestor.k8sPsat.audience` | Audience for token validation. If set to [] (empty array), Kubernetes API server audience is used | `[]` | | `nodeAttestor.k8sPsat.allowedNodeLabelKeys` | Node label keys considered for selectors | `[]` | | `nodeAttestor.k8sPsat.allowedPodLabelKeys` | Pod label keys considered for selectors | `[]` | @@ -372,5 +373,5 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d69268f206bc7914c25f7377309a73406517678458ebccec0e6bfab7b9b7e9d2` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3b5e8046bc76624f645b97684845c3aef3c27d001db0f3f71d1ffbdf885edea7` | | `kubeConfigs` | Manage additional kubeconfig files to talk to external Kubernetes clusters | `{}` | diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl index cd81b6ad5..b3b606232 100644 --- a/charts/spire/charts/spire-server/templates/_helpers.tpl +++ b/charts/spire/charts/spire-server/templates/_helpers.tpl 
@@ -5,6 +5,17 @@ Expand the name of the chart. {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} +{{/* +Spire Server deployment/statefulset +*/}} +{{- define "spire-server.kind" -}} +{{- if not (has .Values.kind (list "statefulset" "deployment")) -}} + {{- fail "Unsupported deployment type" -}} +{{- else -}} + {{- .Values.kind -}} +{{- end -}} +{{- end }} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). @@ -134,10 +145,19 @@ Create the name of the service account to use {{- end }} {{- define "spire-server.serviceAccountAllowedList" }} +{{- $releaseNamespace := include "spire-server.agent-namespace" . }} {{- if ne (len .Values.nodeAttestor.k8sPsat.serviceAccountAllowList) 0 }} -{{- .Values.nodeAttestor.k8sPsat.serviceAccountAllowList | toJson }} +{{- $list := list }} +{{- range .Values.nodeAttestor.k8sPsat.serviceAccountAllowList }} +{{- if contains ":" . }} +{{- $list = append $list . }} +{{- else }} +{{- $list = append $list ( printf "%s:%s" $releaseNamespace . ) | }} +{{- end }} +{{- end }} +{{- $list | toJson }} {{- else }} -[{{ printf "%s:%s-agent" (include "spire-server.agent-namespace" .) .Release.Name | quote }}] +[{{ printf "%s:%s-agent" $releaseNamespace .Release.Name | quote }}] {{- end }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index 8ee8d5e24..35e32a682 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml 
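Review bot: The `fail "Unsupported deployment type"` in the new `spire-server.kind` helper neither echoes the rejected value nor lists the accepted ones, so a user who typed `Statefulset` or `deployments` gets no hint; `{{- fail (printf "kind must be one of [\"statefulset\", \"deployment\"], got %q" .Values.kind) -}}` would. The `if not ... else` can also collapse to a guard that fails, then `{{- end -}}`, then `{{- .Values.kind -}}`. The helper is only consumed by pre-delete-hook.yaml in this commit; hpa.yaml and server-resource.yaml compare `.Values.kind` inline with their own fallbacks, so the validation lives in more than one place. Note too that the values.yaml doc line added in this commit says the kind "Defaults to statefulset if not set", but `has` on a null or empty `.Values.kind` returns false and fails rather than defaulting; either wrap the value in `default "statefulset"` here or drop that phrase from the doc.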
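Review bot: `{{- $list = append $list ( printf "%s:%s" $releaseNamespace . ) | }}` in `spire-server.serviceAccountAllowedList` ends with a dangling `|`; text/template appears to accept a trailing pipe as a no-op, but it reads as an unfinished edit and should be `{{- $list = append $list (printf "%s:%s" $releaseNamespace .) }}`. The variable is also named `$releaseNamespace` while it is filled from `spire-server.agent-namespace`, and the README and values text added in this commit promise "release namespace". Since this list decides which Kubernetes service accounts may attest as SPIRE agents through the PSAT node attestor, the name and the `@param` text should say exactly which namespace is prepended (rename it `$agentNamespace` and write "the agent namespace"), unless the two are always identical in this chart, which the hunk does not show.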
@@ -97,7 +97,8 @@ plugins: {{- if or .Values.nodeAttestor.k8sPsat.enabled .Values.nodeAttestor.externalK8sPsat.enabled .Values.nodeAttestor.joinToken.enabled .Values.nodeAttestor.tpmDirect.enabled }} NodeAttestor: - {{- if or (eq (.Values.nodeAttestor.k8sPsat.enabled | toString) "true") (eq (.Values.nodeAttestor.externalK8sPsat.enabled | toString) "true") }} + {{- $clusters := default .Values.kubeConfigs .Values.nodeAttestor.externalK8sPsat.clusters }} + {{- if or (eq (.Values.nodeAttestor.k8sPsat.enabled | toString) "true") (and (eq (.Values.nodeAttestor.externalK8sPsat.enabled | toString) "true") (gt (len $clusters) 0)) }} k8s_psat: plugin_data: clusters: @@ -113,7 +114,6 @@ plugins: {{- end }} {{- end }} {{- if eq (.Values.nodeAttestor.externalK8sPsat.enabled | toString) "true" }} - {{- $clusters := default .Values.kubeConfigs .Values.nodeAttestor.externalK8sPsat.clusters }} {{- $clusterDefaults := .Values.nodeAttestor.externalK8sPsat.defaults }} {{- range $name, $_ := $clusters }} {{- $clusterSettings := dict }} @@ -205,7 +205,8 @@ plugins: {{- fail (printf "You have to enable exactly one Key Manager. There are %d enabled." $keyManagerUsed) }} {{- end }} - {{- if or .Values.notifier.k8sbundle.enabled .Values.notifier.externalK8sBundle.enabled }} + {{- $externalK8sBundleClusters := default .Values.kubeConfigs .Values.notifier.externalK8sBundle.clusters }} + {{- if or .Values.notifier.k8sbundle.enabled (and .Values.notifier.externalK8sBundle.enabled (ne (len $externalK8sBundleClusters) 0)) }} Notifier: k8sbundle: plugin_data: 
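Review bot: `$clusters` is now declared inside the `{{- if or .Values.nodeAttestor.k8sPsat.enabled ... }}` block at the top of the first spire-server configmap.yaml hunk, while its remaining consumer, `range $name, $_ := $clusters` in the `@@ -113` hunk, loses the local declaration this commit removes. Template variables are scoped to the control structure they are declared in, so this only renders if that `range` is still inside the same `if` block; neither block's closing `{{- end }}` is visible here, so confirm it with a `helm template` run that has `externalK8sPsat.enabled` set and `k8sPsat.enabled` unset. The two new guards also spell the same test differently, `gt (len $clusters) 0` here versus `ne (len $externalK8sBundleClusters) 0` in the Notifier hunk at `@@ -205` (and again at `@@ -213`); pick one form.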
@@ -213,12 +214,11 @@ plugins: namespace: {{ include "spire-server.bundle-namespace" . | quote }} config_map: {{ include "spire-lib.bundle-configmap" . | quote }} {{- end }} - {{- $clusters := default .Values.kubeConfigs .Values.notifier.externalK8sBundle.clusters }} - {{- if and (eq (.Values.notifier.externalK8sBundle.enabled | toString) "true") (ne (len $clusters) 0) }} + {{- if and (eq (.Values.notifier.externalK8sBundle.enabled | toString) "true") (ne (len $externalK8sBundleClusters) 0) }} clusters: - "": {{- $clusterDefaults := .Values.notifier.externalK8sBundle.defaults }} - {{- range $name, $_ := $clusters }} + {{- range $name, $_ := $externalK8sBundleClusters }} {{- $clusterSettings := dict }} {{- if hasKey $root.Values.notifier.externalK8sBundle.clusters $name }} {{- $clusterSettings = index $root.Values.notifier.externalK8sBundle.clusters $name }} diff --git a/charts/spire/charts/spire-server/templates/hpa.yaml b/charts/spire/charts/spire-server/templates/hpa.yaml index 4c1c41c83..65b195e52 100644 --- a/charts/spire/charts/spire-server/templates/hpa.yaml +++ b/charts/spire/charts/spire-server/templates/hpa.yaml @@ -9,7 +9,11 @@ metadata: spec: scaleTargetRef: apiVersion: apps/v1 + {{- if eq .Values.kind "statefulset" }} kind: StatefulSet + {{- else if eq .Values.kind "deployment" }} + kind: Deployment + {{- end }} name: {{ include "spire-server.fullname" . }} minReplicas: {{ .Values.autoscaling.minReplicas }} {{- if and (eq .Values.dataStore.sql.databaseType "sqlite3") .Values.autoscaling.enabled (gt (int .Values.autoscaling.maxReplicas) 1) }} diff --git a/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml b/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml index 86226a1a7..2a14be910 100644 --- a/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml +++ b/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml 
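Review bot: The `scaleTargetRef` in hpa.yaml emits no `kind:` at all when `.Values.kind` is neither `statefulset` nor `deployment`, because the new `if`/`else if` has no `else`; the resulting HPA is invalid, and only the `fail` in server-resource.yaml, rendered in the same run, keeps it from reaching the API server. The `spire-server.kind` helper added in _helpers.tpl already rejects unsupported values, so use it here and collapse the branch to one line: `kind: {{ if eq (include "spire-server.kind" .) "deployment" }}Deployment{{ else }}StatefulSet{{ end }}`. The `kind:` branch in server-resource.yaml has the same shape and could use the same expression.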
@@ -21,7 +21,7 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed rules: - apiGroups: ["apps"] - resources: ["statefulsets"] + resources: ["{{ include "spire-server.kind" . }}s"] resourceNames: [{{ include "spire-server.fullname" . | quote }}] verbs: ["get", "delete"] - apiGroups: [""] @@ -73,7 +73,7 @@ spec: - delete - -n - {{ include "spire-server.namespace" . }} - - statefulset + - {{ include "spire-server.kind" . }} - {{ include "spire-server.fullname" . }} - --wait - name: pre-delete-check diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/server-resource.yaml similarity index 95% rename from charts/spire/charts/spire-server/templates/statefulset.yaml rename to charts/spire/charts/spire-server/templates/server-resource.yaml index 2d3f48a7c..8a0634bbf 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/server-resource.yaml 
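Review bot: `resources: ["{{ include "spire-server.kind" . }}s"]` in the pre-delete hook's Role relies on the apps/v1 resource name being the helper output plus a literal `s`, which holds for the two values the helper allows but is invisible to whoever next extends the helper. A comment above the rule pins that contract: `# resource name is the lowercase kind + "s" (statefulsets/deployments); keep in sync with the spire-server.kind helper`. Keeping `resourceNames` scoped to the single server object, as the hunk does, is the right least-privilege shape for a delete grant and should be preserved if the kind list grows.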
@@ -3,11 +3,30 @@ {{- $configSum3 := (include (print $.Template.BasePath "/controller-manager-configmap.yaml") . | sha256sum) }} {{- $configSumTornjak := (include (print $.Template.BasePath "/tornjak-config.yaml") . | sha256sum) }} {{- $fullname := include "spire-server.fullname" . }} -{{- if not (has .Values.persistence.type (list "pvc" "hostPath" "emptyDir")) }} -{{- fail "persistence.type must be one of [\"pvc\", \"hostPath\", \"emptyDir\"]" }} + +{{- if eq .Values.kind "statefulset" }} +{{- if not (has .Values.persistence.type (list "pvc" "hostPath" "emptyDir")) }} +{{- fail "persistence.type must be one of [\"pvc\", \"hostPath\", \"emptyDir\"]" }} +{{- end }} +{{- else if eq .Values.kind "deployment" }} +{{- if (has .Values.persistence.type (list "pvc" "hostPath")) }} +{{- fail "When running as deployment, persistence can't be set. 'persistence.type' must be [\"emptyDir\"]" }} +{{- end }} +{{- if (eq .Values.dataStore.sql.databaseType "sqlite3") }} +{{- fail "When running as deployment, sqlite3 can't be used." }} +{{- end }} +{{- if (eq (.Values.keyManager.disk.enabled | toString) "true") }} +{{- fail "When running as deployment, disk keymanager can't be used. 'keyManager.disk.enabled' must be false." }} +{{- end }} +{{- else }} +{{- fail "Unsupported kind." }} {{- end }} apiVersion: apps/v1 +{{- if eq .Values.kind "statefulset" }} kind: StatefulSet +{{- else if eq .Values.kind "deployment" }} +kind: Deployment +{{- end }} metadata: name: {{ include "spire-server.fullname" . }} namespace: {{ include "spire-server.namespace" . }} @@ -21,7 +40,9 @@ spec: {{- end }} replicas: {{ .Values.replicaCount }} {{- end }} + {{- if eq .Values.kind "statefulset" }} serviceName: {{ include "spire-server.fullname" . }} + {{- end }} selector: matchLabels: {{- include "spire-server.selectorLabels" . | nindent 6 }} 
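Review bot: In deployment mode the new guard in server-resource.yaml only rejects `pvc` and `hostPath`, so a mistyped `persistence.type` such as `emptydir` or `none` passes silently, whereas statefulset mode fails on anything outside its allow-list; make the check positive with `{{- if ne .Values.persistence.type "emptyDir" }}`. The trailing `{{- else }}{{- fail "Unsupported kind." }}` repeats the validation the `spire-server.kind` helper already performs with a different message; assigning `{{- $kind := include "spire-server.kind" . }}` once at the top and branching on `$kind` keeps a single error text. The `@@ -491` hunk shows the close of what looks like the volume-claim block (`storageClassName` just above its `{{- end }}`), but its opening condition is outside this view; confirm it is gated on the statefulset kind, since a Deployment spec does not accept `volumeClaimTemplates`.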
@@ -491,4 +512,4 @@ spec: {{- if .Values.persistence.storageClass }} storageClassName: {{ .Values.persistence.storageClass }} {{- end }} - {{- end }} + {{- end }} \ No newline at end of file diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index e32e11ab8..82db88820 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -20,6 +20,9 @@ image: pullPolicy: IfNotPresent tag: "" +## @param kind Define SPIRE server deployment type. Can be statefulset/deployment. Defaults to statefulset if not set. This feature is experimental. +kind: statefulset + ## @param imagePullSecrets [array] Pull secrets for images imagePullSecrets: [] @@ -135,9 +138,9 @@ readinessProbe: periodSeconds: 5 ## @param persistence.type What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) -## @param persistence.size What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) -## @param persistence.accessMode What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) -## @param persistence.storageClass What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) +## @param persistence.size What size volume to use for persistence +## @param persistence.accessMode What access mode to use for persistence. Valid options are ReadWriteOnce (recommended), ReadWriteOncePod, ReadWriteMany (not recommended) +## @param persistence.storageClass What storage class to use for persistence ## @param persistence.hostPath Which path to use on the host when type = hostPath ## persistence: 
@@ -715,7 +718,7 @@ nodeAttestor:
 k8sPsat:
 ## @param nodeAttestor.k8sPsat.enabled Enable Psat k8s nodeattestor
 enabled: true
- ## @param nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor
+ ## @param nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor. If namespace isn't specified, release namespace will be used.
 serviceAccountAllowList: []
 ## @param nodeAttestor.k8sPsat.audience [array] Audience for token validation. If set to [] (empty array), Kubernetes API server audience is used
 audience: ["spire-server"]
@@ -927,7 +930,7 @@ tests:
 registry: cgr.dev
 repository: chainguard/bash
 pullPolicy: IfNotPresent
- tag: latest@sha256:d69268f206bc7914c25f7377309a73406517678458ebccec0e6bfab7b9b7e9d2
+ tag: latest@sha256:3b5e8046bc76624f645b97684845c3aef3c27d001db0f3f71d1ffbdf885edea7
 
 ## @param kubeConfigs [object] Manage additional kubeconfig files to talk to external Kubernetes clusters
 kubeConfigs: {}
diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md
index 493a69dec..765a36e27 100644
--- a/charts/spire/charts/tornjak-frontend/README.md
+++ b/charts/spire/charts/tornjak-frontend/README.md
@@ -98,4 +98,4 @@ port forwarding. See the chart NOTES output for more details.
 | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
 | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d69268f206bc7914c25f7377309a73406517678458ebccec0e6bfab7b9b7e9d2` |
+| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3b5e8046bc76624f645b97684845c3aef3c27d001db0f3f71d1ffbdf885edea7` |
diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml
index 67acd5d14..0cac271e5 100644
--- a/charts/spire/charts/tornjak-frontend/values.yaml
+++ b/charts/spire/charts/tornjak-frontend/values.yaml
@@ -154,4 +154,4 @@ tests:
 registry: cgr.dev
 repository: chainguard/bash
 pullPolicy: IfNotPresent
- tag: latest@sha256:d69268f206bc7914c25f7377309a73406517678458ebccec0e6bfab7b9b7e9d2
+ tag: latest@sha256:3b5e8046bc76624f645b97684845c3aef3c27d001db0f3f71d1ffbdf885edea7
diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml
index e5de0548d..81558a3b9 100644
--- a/charts/spire/values.yaml
+++ b/charts/spire/values.yaml
@@ -108,6 +108,8 @@ spire-server:
 enabled: true
 ## @param spire-server.nameOverride Overrides the name of Spire server pods
 nameOverride: server
+ ## @param spire-server.kind Run spire server as deployment/statefulset. This feature is experimental.
+ kind: statefulset
 controllerManager:
 ## @param spire-server.controllerManager.enabled Enable controller manager and provision CRD's
 enabled: true
diff --git a/examples/stateless-server/README.md b/examples/stateless-server/README.md
new file mode 100644
index 000000000..4475fae2d
--- /dev/null
+++ b/examples/stateless-server/README.md
@@ -0,0 +1,23 @@
+# Example stateless server
+
+To install Spire Server as a deployment(stateless), you need to use an external database. This runs spire-server as stateless microservice enabling HA.
+
+### WARNING
+The following configurations are not supported for running spire-server as deployment.
+1. spire-server.persistence.type
+2. spire-server.dataStore.sql.databaseType: "sqlite3"
+3. spire-server.keyManager.disk
+4. spire-server.tornjak
+
+If manually deploying for testing, you can create an incluster or use an external database and put the database password into an environment variable.
+
+Next, edit your-values.yaml with your settings as described in the [production install instructions](https://artifacthub.io/packages/helm/spiffe/spire#production). Check it into your git repo if using one.
+
+Then, deploy the chart pointing at your mysql instance like so:
+
+```shell
+helm upgrade --install --namespace spire-mgmt spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f examples/stateless-server/values.yaml --set "spire-server.dataStore.sql.password=${DBPW}" -f your-values.yaml
+```
+
+See the [production install instructions](https://artifacthub.io/packages/helm/spiffe/spire#production) for production recommendations.
+See [values.yaml](./values.yaml) for more details on the chart configurations to achieve this setup.
diff --git a/examples/stateless-server/run-tests.sh b/examples/stateless-server/run-tests.sh
new file mode 100755
index 000000000..6f3bd7a3a
--- /dev/null
+++ b/examples/stateless-server/run-tests.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+set -xe
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+TESTDIR="${SCRIPTPATH}/../../.github/tests"
+DEPS="${TESTDIR}/dependencies"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../../.github/scripts/parse-versions.sh"
+# shellcheck source=/dev/null
+source "${TESTDIR}/common.sh"
+
+CLEANUP=1
+
+for i in "$@"; do
+ case $i in
+ -c)
+ CLEANUP=0
+ shift # past argument=value
+ ;;
+ esac
+done
+
+teardown() {
+ print_helm_releases
+ print_spire_workload_status spire-server
+ print_spire_workload_status spire-system
+
+ if [[ "$1" -ne 0 ]]; then
+ get_namespace_details spire-server
+ get_namespace_details spire-system
+ fi
+
+ if [ "${CLEANUP}" -eq 1 ]; then
+ helm uninstall --namespace "spire-server" spire 2>/dev/null || true
+ helm uninstall --namespace mysql mysql 2>/dev/null || true
+ kubectl delete ns spire-server 2>/dev/null || true
+ kubectl delete ns spire-system 2>/dev/null || true
+ fi
+}
+
+trap 'EC=$? && trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT
+
+kubectl create namespace spire-system --dry-run=client -o yaml | kubectl apply -f -
+kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged || true
+kubectl create namespace spire-server --dry-run=client -o yaml | kubectl apply -f -
+kubectl label namespace spire-server pod-security.kubernetes.io/enforce=restricted || true
+
+helm upgrade --install mysql mysql --version "$VERSION_MYSQL" --repo "$HELM_REPO_MYSQL" \
+ --namespace spire-server \
+ --values "${DEPS}/mysql.yaml" \
+ --wait
+
+helm upgrade --install --namespace "spire-server" \
+ --values "${COMMON_TEST_YOUR_VALUES},${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../misc/values-node-pod-antiaffinity.yaml" \
+ --set 'spire-server.dataStore.sql.password=sp1ff3Test' --wait spire charts/spire
+helm test --namespace "spire-server" spire
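Review bot: teardown uninstalls the mysql release from namespace `mysql`, but the install above puts it in `spire-server` (`--namespace spire-server` on the mysql helm upgrade), so that uninstall is a silent no-op behind `|| true` and the database only disappears because the namespace is deleted afterwards; change it to `helm uninstall --namespace spire-server mysql 2>/dev/null || true`. The script also never asserts that the server actually came up as a Deployment, so a values mismatch (the sibling examples/stateless-server/values.yaml sets `deploymentType`, while the chart reads `kind`) passes unnoticed with a StatefulSet on emptyDir; a check after the install such as `kubectl -n spire-server get deployment spire-server` (assuming the fullname resolves to spire-server as the common.sh status table expects) would make the test actually cover the new mode.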
diff --git a/examples/stateless-server/values.yaml b/examples/stateless-server/values.yaml
new file mode 100644
index 000000000..f9f2753aa
--- /dev/null
+++ b/examples/stateless-server/values.yaml
@@ -0,0 +1,18 @@
+spire-server:
+ deploymentType: deployment
+ replicaCount: 2
+ persistence:
+ type: emptyDir
+ keyManager:
+ disk:
+ enabled: false
+ memory:
+ enabled: true
+ dataStore:
+ sql:
+ databaseType: mysql
+ databaseName: spire-server
+ host: mysql
+ port: 3306
+ username: spire
+ # password: CHANGE_ME
diff --git a/tests/go.mod b/tests/go.mod
index 9cb21c328..463447c99 100644
--- a/tests/go.mod
+++ b/tests/go.mod
@@ -5,7 +5,7 @@ go 1.21
 toolchain go1.21.5
 
 require (
- github.com/onsi/ginkgo/v2 v2.17.0
+ github.com/onsi/ginkgo/v2 v2.17.1
 github.com/onsi/gomega v1.32.0
 helm.sh/helm/v3 v3.14.3
 )
diff --git a/tests/go.sum b/tests/go.sum
index 245df192e..5f675dab7 100644
--- a/tests/go.sum
+++ b/tests/go.sum
@@ -90,8 +90,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/onsi/ginkgo/v2 v2.17.0 h1:kdnunFXpBjbzN56hcJHrXZ8M+LOkenKA7NnBzTNigTI=
-github.com/onsi/ginkgo/v2 v2.17.0/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
+github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8=
+github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
 github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk=
 github.com/onsi/gomega v1.32.0/go.mod h1:a4x4gW6Pz2yK1MAmvluYme5lvYTn61afQ2ETw/8n4Lg=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
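Review bot: `deploymentType: deployment` is not a key this chart reads; the spire-server values.yaml and the server template in this same commit introduce and test `kind` (`.Values.kind`), so unless a values schema rejects the unknown key this example silently renders a StatefulSet on `emptyDir` instead of the stateless Deployment it documents, and the accompanying run-tests.sh passes either way. Change the line to `  kind: deployment`. Leaving the password commented out as `# password: CHANGE_ME` is the right choice here, since both the README and run-tests.sh supply it via `--set` rather than committing it.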
diff --git a/tests/integration/production/run-tests.sh b/tests/integration/production/run-tests.sh
index 8cf3adb99..c5cd8bbe4 100755
--- a/tests/integration/production/run-tests.sh
+++ b/tests/integration/production/run-tests.sh
@@ -65,7 +65,7 @@ if [[ -n "$UPGRADE_ARGS" ]]; then
 pushd "${UPGRADE_VERSION}"
 git checkout "${UPGRADE_VERSION/v/spire-}"
 helm install --create-namespace -n spire-system spire-crds charts/spire-crds
- ./examples/production/run-tests.sh -c
+ ./tests/integration/production/run-tests.sh -c
 popd
 popd
 # Any other upgrade steps go here. (Upgrade crds, delete statefulsets without cascade, etc.)
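Review bot: The new path is executed inside the `pushd "${UPGRADE_VERSION}"` checkout of an older tag, so it only works if that tag already contains `tests/integration/production/run-tests.sh`; for tags that predate the move from `examples/production/` the upgrade leg presumably fails on a missing file under `set -e`. If older tags are still exercised, falling back to the old location keeps both layouts working. The enclosing `if [[ -n "$UPGRADE_ARGS" ]]` block starts and ends outside the hunk.

```shell
# … unchanged: pushd, git checkout, helm install spire-crds …
if [[ -x tests/integration/production/run-tests.sh ]]; then
  ./tests/integration/production/run-tests.sh -c
else
  ./examples/production/run-tests.sh -c
fi
# … unchanged: popd, popd …
```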