Merge branch 'main' into release

.github/tests/charts.json

@@ -2,12 +2,12 @@
  {
  "name": "kube-prometheus-stack",
  "repo": "https://prometheus-community.github.io/helm-charts",
- "version": "56.2.1"
+ "version": "56.6.2"
  },
  {
  "name": "cert-manager",
  "repo": "https://charts.jetstack.io",
- "version": "v1.13.3"
+ "version": "v1.14.1"
  },
  {
  "name": "ingress-nginx",
@@ -17,11 +17,11 @@
  {
  "name": "mysql",
  "repo": "https://charts.bitnami.com/bitnami",
- "version": "9.18.0"
+ "version": "9.19.1"
  },
  {
  "name": "postgresql",
  "repo": "https://charts.bitnami.com/bitnami",
- "version": "13.4.3"
+ "version": "14.0.1"
  }
 ]

.github/tests/images.json

@@ -12,6 +12,11 @@
  "filter": "LATESTSHA",
  "sort-flags": []
  },
+ {
+ "query": "socketAlternate.image",
+ "filter": "LATESTSHA",
+ "sort-flags": []
+ },
  {
  "query": "fsGroupFix.image",
  "filter": "LATESTSHA",

.github/workflows/check-versions.yaml

@@ -61,7 +61,7 @@ jobs:
 
  - name: Create Pull Request
  id: cpr
- uses: peter-evans/create-pull-request@v5.0.2
+ uses: peter-evans/create-pull-request@v6.0.0
  with:
  token: ${{ secrets.GITHUB_TOKEN }}
  title: Bump test chart dependencies

.github/workflows/helm-chart-ci-ignore.yaml

@@ -73,3 +73,19 @@ jobs:
 
  steps:
  - run: 'echo "Skipping example-test"'
+
+ upgrade-test:
+ runs-on: ubuntu-22.04
+
+ needs:
+ - build-matrix
+
+ strategy:
+ matrix:
+ k8s:
+ - v1.28.0
+ - v1.27.3
+ - v1.26.6
+
+ steps:
+ - run: 'echo "Skipping upgrade-test"'

.github/workflows/helm-release.yaml

@@ -29,9 +29,9 @@ jobs:
  git config user.email "[email protected]"
 
  - name: Setup cosign
- uses: sigstore/cosign-installer@v3.3.0
+ uses: sigstore/cosign-installer@v3.4.0
  with:
- cosign-release: v2.2.2
+ cosign-release: v2.2.3
 
  - name: Set up Helm
  uses: azure/[email protected]

.github/workflows/update-devcontainer-image.yaml

@@ -25,9 +25,9 @@ jobs:
  - name: Checkout
  uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
  - name: Install cosign
- uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
+ uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
  with:
- cosign-release: v2.2.2
+ cosign-release: v2.2.3
  - name: Install regctl
  uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
  - name: Log in to GHCR

charts/spire/Chart.yaml

@@ -3,7 +3,7 @@ name: spire
 description: >
  A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.17.1
+version: 0.17.2
 appVersion: "1.8.7"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire

charts/spire/README.md

@@ -1,6 +1,6 @@
 # spire
 
-![Version: 0.17.1](https://img.shields.io/badge/Version-0.17.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.7](https://img.shields.io/badge/AppVersion-1.8.7-informational?style=flat-square)
+![Version: 0.17.2](https://img.shields.io/badge/Version-0.17.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.7](https://img.shields.io/badge/AppVersion-1.8.7-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@@ -69,6 +69,7 @@ helm upgrade --install -n spire-mgmt spire spire --repo https://spiffe.github.io
 ```shell
 helm -n spire-mgmt uninstall spire-crds
 helm -n spire-mgmt uninstall spire
+kubectl -n spire-server delete pvc -l app.kubernetes.io/instance=spire
 kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeids.spire.spiffe.io clusterstaticentries.spire.spiffe.io
 ```
 

charts/spire/charts/spiffe-csi-driver/README.md

@@ -51,6 +51,7 @@ A Helm chart to install the SPIFFE CSI driver.
 | `securityContext.privileged` | Flag for specifying privileged mode | `true` |
 | `nodeSelector` | Node selector for CSI driver pods | `{}` |
 | `tolerations` | Tolerations for CSI driver pods | `[]` |
+| `affinity` | Node affinity | `{}` |
 | `nodeDriverRegistrar.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
 | `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` |
 | `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` |

charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml

@@ -29,6 +29,10 @@ spec:
  nodeSelector:
  {{- toYaml . | nindent 8 }}
  {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
  {{- with .Values.tolerations }}
  tolerations:
  {{- toYaml . | nindent 8 }}

charts/spire/charts/spiffe-csi-driver/values.yaml

@@ -96,6 +96,9 @@ nodeSelector: {}
 ## @param tolerations [array] Tolerations for CSI driver pods
 tolerations: []
 
+## @param affinity [object] Node affinity
+affinity: {}
+
 nodeDriverRegistrar:
  ## @param nodeDriverRegistrar.image.registry The OCI registry to pull the image from
  ## @param nodeDriverRegistrar.image.repository The repository within the registry

charts/spire/charts/spiffe-oidc-discovery-provider/README.md

@@ -115,11 +115,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
 | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f37793c4af2a98f6cc313ac8af635d713e92d19344b11d499f92d8c644dd3b9f` |
+| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:1b4e8389d2582d0b013fad55d7ad799a67bbdcbfbae0a053258ae24c8b03a19f` |
 | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` |
 | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:41c7d1fcb755339b883b0cf2998c52e77ba2e4fab9347665a54c6ef3e4d97838` |
+| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:9198d9e7e83ab4078df6f53dfa3e8e1e8f60d5718cc21fefa2ccb6604283e049` |
 | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` |
 | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` |
 | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` |

charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml

@@ -328,7 +328,7 @@ tests:
  registry: cgr.dev
  repository: chainguard/bash
  pullPolicy: IfNotPresent
- tag: latest@sha256:f37793c4af2a98f6cc313ac8af635d713e92d19344b11d499f92d8c644dd3b9f
+ tag: latest@sha256:1b4e8389d2582d0b013fad55d7ad799a67bbdcbfbae0a053258ae24c8b03a19f
 
  toolkit:
  ## @param tests.toolkit.image.registry The OCI registry to pull the image from
@@ -340,7 +340,7 @@ tests:
  registry: cgr.dev
  repository: chainguard/slim-toolkit-debug
  pullPolicy: IfNotPresent
- tag: latest@sha256:41c7d1fcb755339b883b0cf2998c52e77ba2e4fab9347665a54c6ef3e4d97838
+ tag: latest@sha256:9198d9e7e83ab4078df6f53dfa3e8e1e8f60d5718cc21fefa2ccb6604283e049
 
  step:
  ## @param tests.step.image.registry The OCI registry to pull the image from