diff --git a/.editorconfig b/.editorconfig
index 3955c5d6b..bbf1aba8b 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -8,3 +8,8 @@ indent_size = 2
 tab_width = 2
 trim_trailing_whitespace = true
 insert_final_newline = true
+
+[Makefile]
+indent_style = tab
+indent_size = 4
+tab_width = 4
diff --git a/.github/tests/charts.json b/.github/tests/charts.json
index e1ab03e5f..09ee23720 100644
--- a/.github/tests/charts.json
+++ b/.github/tests/charts.json
@@ -2,17 +2,17 @@
 {
 "name": "kube-prometheus-stack",
 "repo": "https://prometheus-community.github.io/helm-charts",
- "version": "45.29.0"
+ "version": "46.6.0"
 },
 {
 "name": "cert-manager",
 "repo": "https://charts.jetstack.io",
- "version": "v1.12.0"
+ "version": "v1.12.1"
 },
 {
 "name": "ingress-nginx",
 "repo": "https://kubernetes.github.io/ingress-nginx",
- "version": "4.6.1"
+ "version": "4.7.0"
 },
 {
 "name": "mysql",
@@ -22,6 +22,6 @@
 {
 "name": "postgresql",
 "repo": "https://charts.bitnami.com/bitnami",
- "version": "12.5.3"
+ "version": "12.5.6"
 }
 ]
diff --git a/.github/tests/upstream-authority-cert-manager/cert-manager-ca.yaml b/.github/tests/upstream-authority-cert-manager/cert-manager-ca.yaml
deleted file mode 100644
index dbbe20158..000000000
--- a/.github/tests/upstream-authority-cert-manager/cert-manager-ca.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: selfsigned-issuer
-spec:
- selfSigned: {}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: demo-selfsigned-ca
-spec:
- isCA: true
- commonName: demo-selfsigned-ca
- secretName: root-secret
- privateKey:
- algorithm: ECDSA
- size: 256
- issuerRef:
- name: selfsigned-issuer
- kind: Issuer
- group: cert-manager.io
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: demo-ca
-spec:
- ca:
- secretName: root-secret
diff --git a/.github/tests/upstream-authority-cert-manager/pre-install.sh b/.github/tests/upstream-authority-cert-manager/pre-install.sh index 9508f5d48..69f25fdeb 100755 --- a/.github/tests/upstream-authority-cert-manager/pre-install.sh +++ b/.github/tests/upstream-authority-cert-manager/pre-install.sh @@ -5,5 +5,3 @@ SCRIPTPATH="$(dirname "${SCRIPT}")" scenario="${scenario:-$(basename "${SCRIPTPATH}")}" helm install cert-manager cert-manager --namespace cert-manager --create-namespace --version "$VERSION_CERT_MANAGER" --set installCRDs=true --repo "$HELM_REPO_CERT_MANAGER" --wait -SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) -kubectl apply -f "${SCRIPT_DIR}/cert-manager-ca.yaml" -n "$scenario" diff --git a/.github/tests/upstream-authority-cert-manager/values.yaml b/.github/tests/upstream-authority-cert-manager/values.yaml index 08fbec755..ddb0a5a17 100644 --- a/.github/tests/upstream-authority-cert-manager/values.yaml +++ b/.github/tests/upstream-authority-cert-manager/values.yaml @@ -2,4 +2,5 @@ spire-server: upstreamAuthority: certManager: enabled: true - issuer_name: "demo-ca" + ca: + create: true diff --git a/.github/workflows/check-versions.yaml b/.github/workflows/check-versions.yaml index 4f3fbf24d..913808ce4 100644 --- a/.github/workflows/check-versions.yaml +++ b/.github/workflows/check-versions.yaml @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.5.0 + uses: actions/checkout@v3.5.3 - name: Set up Helm uses: azure/setup-helm@v3.5 @@ -34,7 +34,7 @@ jobs: - name: Create Pull Request id: cpr - uses: peter-evans/create-pull-request@v5.0.1 + uses: peter-evans/create-pull-request@v5.0.2 with: token: ${{ secrets.GITHUB_TOKEN }} title: Bump test chart dependencies diff --git a/.github/workflows/helm-chart-ci-ignore.yaml b/.github/workflows/helm-chart-ci-ignore.yaml index 8a63936bb..2e50a0f1c 100644 --- a/.github/workflows/helm-chart-ci-ignore.yaml +++ b/.github/workflows/helm-chart-ci-ignore.yaml 
@@ -30,7 +30,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.5.2 + uses: actions/checkout@v3.5.3 - id: set-matrix name: Collect all tests diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index 6099ba45b..3210c9929 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml @@ -29,7 +29,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.5.2 + uses: actions/checkout@v3.5.3 - name: Verify Docs updated run: ./helm-docs.sh @@ -56,7 +56,7 @@ jobs: set -o pipefail # Look for image: definitions that are not templated. If we find none, exit is not 0 and we invert the error code to get the # test to pass. Ignore tests for now... - grep "image:" charts/spire/charts/*/templates/*.* | grep -v 'image: {{ template "' > /tmp/findings + grep -r "image:" charts/spire | grep "templates/" | grep -v 'image: {{ template "' > /tmp/findings res=$? if [ $res -eq 0 ]; then { @@ -74,7 +74,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.5.2 + uses: actions/checkout@v3.5.3 with: fetch-depth: 0 @@ -94,9 +94,7 @@ jobs: version: ${{ env.CHART_TESTING_VERSION }} - name: Run chart-testing (lint) - run: | - ct lint --debug ${{ github.base_ref != 'release' && '--check-version-increment=false' || '' }} \ - --target-branch ${{ github.base_ref }} + run: TARGET_BRANCH=${{ github.base_ref }} make lint${{ github.base_ref == 'release' && '-release' || '' }} outputs: changed: ${{ steps.list-changed.outputs.changed }} @@ -109,7 +107,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.5.2 + uses: actions/checkout@v3.5.3 - id: set-matrix name: Collect all tests @@ -139,15 +137,12 @@ jobs: - v1.27.2 - v1.26.4 - v1.25.9 - - v1.24.13 - - v1.23.17 - - v1.22.17 values: - ${{ fromJson(needs.build-matrix.outputs.tests) }} steps: - name: Checkout - uses: actions/checkout@v3.5.2 + uses: actions/checkout@v3.5.3 with: fetch-depth: 0 
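Review bot: The matrix hunk (`@@ -139,15 +137,12`) removes `v1.24.13`, `v1.23.17` and `v1.22.17` from the tested Kubernetes versions, yet README.md in this same change still advertises Kubernetes `1.22+` as supported; either keep one pre-1.25 entry in the matrix or change the README row to `1.25+` so the support statement matches what CI actually exercises. In the lint hunk (`@@ -94,9 +94,7`) the step now delegates to `make lint` / `make lint-release`, which silently drops the `--debug` flag the previous `ct lint` invocation carried; if that output was relied on for diagnosing lint failures, pass it through the Makefile target. Both job definitions continue outside the hunks.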
@@ -170,7 +165,7 @@ jobs: uses: helm/kind-action@v1.7.0 # Only build a kind cluster if there are chart changes to test. with: - version: v0.18.0 + version: v0.19.0 node_image: kindest/node:${{ matrix.k8s }} config: .github/kind/conf/kind-config.yaml verbosity: 1 diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index 035ae8b3d..bcaa57d65 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.5.2 + uses: actions/checkout@v3.5.3 with: fetch-depth: 0 diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml index 1bed14c35..71a5ec23f 100644 --- a/.github/workflows/shellcheck.yaml +++ b/.github/workflows/shellcheck.yaml @@ -21,7 +21,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.5.2 + uses: actions/checkout@v3.5.3 - name: Run Shellcheck uses: ludeeus/action-shellcheck@2.0.0 diff --git a/.gitignore b/.gitignore index f1b09facc..1ad54ad80 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ bin/ .idea/ *.swp +charts/**/*.tgz +.DS_Store diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0d86cc98e..11f1c1c95 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -34,6 +34,18 @@ git checkout «your-branch» git rebase main ``` +## Testing + +Our CI pipeline takes care of the majority of the testing of this Chart. Other ways for you to test are by running `make test` locally using: + +> **Warning**: Ensure to run the test on a dedicated k8s cluster that does not have Spire installed yet. + +```shell +make test +``` + +Another approach to testing the chart is by installing one of the examples in your own cluster to verify your contributed changes work before issueing your PR. + ## Generating documentation Any changes to Chart.yaml or values.yaml require an update of the README.md. This update can easily be generated using [helm-docs][]. 
diff --git a/Makefile b/Makefile new file mode 100644 index 000000000..6b550d561 --- /dev/null +++ b/Makefile @@ -0,0 +1,37 @@ +TARGET_BRANCH ?= main + +.PHONY: help +help: ## Display this help. + @$(MAKE) help + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) + +##@ Linting: + +.PHONY: lint +lint: ## Lint the charts using chart-testing + @echo Linting charts… + @ct lint --config ct.yaml --target-branch $(TARGET_BRANCH) --check-version-increment=false + +lint-release: ## Lint the charts using chart-testing for release + @echo Linting charts… + @ct lint --config ct.yaml --target-branch $(TARGET_BRANCH) + +##@ Testing: + +.PHONY: clean-lingering-resources +clean-lingering-resources: + @echo Cleanup potential leftovers… + @-kubectl delete csidrivers.storage.k8s.io csi.spiffe.io \ + &>/dev/null || true + @-kubectl delete ns \ + $$(kubectl get ns -o json | jq -r '.items[] | .metadata.name' | grep spire) \ + &>/dev/null || true + @-kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io \ + $$(kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io -o json | jq -r '.items[] | .metadata.name' | grep spire) \ + &>/dev/null || true + +.PHONY: test +test: ## Run tests using Helm chart-testing (ensure to run on dedicated test cluster) + @echo Running tests… + @ct install --debug \ + --charts charts/spire diff --git a/README.md b/README.md index e14c7a5c4..6ccbade74 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ Unless otherwise noted in an application chart README, the following dependencie | Dependency | Supported Versions | |:-----------|:-------------------| -| SPIRE | `1.5.3`+, `1.6.x` | +| SPIRE | `1.6.x`, `1.7.x` | | Helm | `3.x` | | Kubernetes | `1.22+` | diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index bc7b13dfa..44a5a8c8c 100644 
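Review bot: The `help` target's first recipe line `@$(MAKE) help` re-invokes the very same target, so `make help` recurses until the process limit is hit; drop that line and keep only the awk command. The recipes in `clean-lingering-resources` use `&>/dev/null`, which is bash syntax — make runs recipes with `/bin/sh`, and in a POSIX sh such as dash `&>` is parsed as `&` (run in background) followed by `>/dev/null`, so each `kubectl delete` is backgrounded and the target returns before cleanup has finished; add `SHELL := /bin/bash` at the top of the Makefile or write `>/dev/null 2>&1`. `lint-release` is also missing a `.PHONY:` declaration, unlike its siblings. Note as well that the `grep spire` filters delete every namespace and ValidatingWebhookConfiguration whose name merely contains `spire`, so a `## ...` help comment on this target stating it is for dedicated test clusters only, as `test` already does, would be appropriate.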
--- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -3,8 +3,8 @@ name: spire description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.8.1 -appVersion: "1.6.4" +version: 0.9.0 +appVersion: "1.7.0" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: diff --git a/charts/spire/README.md b/charts/spire/README.md index 0c9bb1345..1dc8d5365 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -2,7 +2,7 @@ -![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) +![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.0](https://img.shields.io/badge/AppVersion-1.7.0-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. 
@@ -219,6 +219,11 @@ Now you can interact with the Spire agent socket from your own application. The | spiffe-oidc-discovery-provider.telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spiffe-oidc-discovery-provider | | spiffe-oidc-discovery-provider.telemetry.prometheus.port | int | `9988` | | | spiffe-oidc-discovery-provider.tolerations | list | `[]` | | +| spiffe-oidc-discovery-provider.tools.kubectl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | +| spiffe-oidc-discovery-provider.tools.kubectl.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | +| spiffe-oidc-discovery-provider.tools.kubectl.image.repository | string | `"rancher/kubectl"` | The repository within the registry | +| spiffe-oidc-discovery-provider.tools.kubectl.image.tag | string | `""` | Overrides the image tag | +| spiffe-oidc-discovery-provider.tools.kubectl.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spiffe-oidc-discovery-provider.trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers | | spire-agent.bundleConfigMap | string | `"spire-bundle"` | | | spire-agent.clusterName | string | `"example-cluster"` | | 
@@ -226,6 +231,12 @@ Now you can interact with the Spire agent socket from your own application. The | spire-agent.extraContainers | list | `[]` | | | spire-agent.extraVolumeMounts | list | `[]` | | | spire-agent.extraVolumes | list | `[]` | | +| spire-agent.fsGroupFix.image.pullPolicy | string | `"Always"` | The image pull policy | +| spire-agent.fsGroupFix.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from | +| spire-agent.fsGroupFix.image.repository | string | `"chainguard/bash"` | The repository within the registry | +| spire-agent.fsGroupFix.image.tag | string | `"5.2.15"` | Overrides the image tag | +| spire-agent.fsGroupFix.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | +| spire-agent.fsGroupFix.resources | object | `{}` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | | spire-agent.fullnameOverride | string | `""` | | | spire-agent.healthChecks.port | int | `9980` | override the host port used for health checking | | spire-agent.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | 
@@ -306,11 +317,6 @@ Now you can interact with the Spire agent socket from your own application. The | spire-server.controllerManager.service.port | int | `443` | | | spire-server.controllerManager.service.type | string | `"ClusterIP"` | | | spire-server.controllerManager.validatingWebhookConfiguration.failurePolicy | string | `"Fail"` | | -| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | -| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.repository | string | `"rancher/kubectl"` | The repository within the registry | -| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.tag | string | `""` | Overrides the image tag | -| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spire-server.dataStore.sql.databaseName | string | `"spire"` | Only used by "postgres" or "mysql" | | spire-server.dataStore.sql.databaseType | string | `"sqlite3"` | Other supported databases are "postgres" and "mysql" | | spire-server.dataStore.sql.host | string | `""` | Only used by "postgres" or "mysql" | 
@@ -382,13 +388,18 @@ Now you can interact with the Spire agent socket from your own application. The | spire-server.telemetry.prometheus.podMonitor.labels | object | `{}` | | | spire-server.telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spire-server | | spire-server.tolerations | list | `[]` | | +| spire-server.tools.kubectl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | +| spire-server.tools.kubectl.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | +| spire-server.tools.kubectl.image.repository | string | `"rancher/kubectl"` | The repository within the registry | +| spire-server.tools.kubectl.image.tag | string | `""` | Overrides the image tag | +| spire-server.tools.kubectl.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spire-server.topologySpreadConstraints | list | `[]` | | | spire-server.tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information | | spire-server.tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) (Not for production) | | spire-server.tornjak.image.pullPolicy | string | `"IfNotPresent"` | The Tornjak image pull policy | | spire-server.tornjak.image.registry | string | `"ghcr.io"` | The OCI registry to pull the Tornjak image from | | spire-server.tornjak.image.repository | string | `"spiffe/tornjak-backend"` | The repository within the registry | -| spire-server.tornjak.image.tag | string | `"v1.2.1"` | Overrides the image tag | +| spire-server.tornjak.image.tag | string | `"v1.2.2"` | Overrides the image tag | | spire-server.tornjak.image.version | string | `""` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | | spire-server.tornjak.resources | object | `{}` | | | spire-server.tornjak.service.annotations | object | `{}` | | @@ -400,10 +411,16 @@ Now you can interact with the Spire agent socket from your own application. The | spire-server.tornjak.startupProbe.successThreshold | int | `1` | | | spire-server.tornjak.startupProbe.timeoutSeconds | int | `5` | | | spire-server.trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers | +| spire-server.upstreamAuthority.certManager.ca.create | bool | `false` | Creates a Cert-Manager CA | +| spire-server.upstreamAuthority.certManager.ca.duration | string | `"87600h"` | Duration of the CA. Defaults to 10 years. | +| spire-server.upstreamAuthority.certManager.ca.privateKey.algorithm | string | `"ECDSA"` | | +| spire-server.upstreamAuthority.certManager.ca.privateKey.rotationPolicy | string | `""` | | +| spire-server.upstreamAuthority.certManager.ca.privateKey.size | int | `256` | | +| spire-server.upstreamAuthority.certManager.ca.renewBefore | string | `""` | How long to wait before renewing the CA | | spire-server.upstreamAuthority.certManager.enabled | bool | `false` | | | spire-server.upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` | | | spire-server.upstreamAuthority.certManager.issuer_kind | string | `"Issuer"` | | -| spire-server.upstreamAuthority.certManager.issuer_name | string | `"spire-ca"` | | +| spire-server.upstreamAuthority.certManager.issuer_name | string | `""` | Defaults to the release name, override if CA is provided outside of the chart | | spire-server.upstreamAuthority.certManager.kube_config_file | string | `""` | | | spire-server.upstreamAuthority.certManager.namespace | string | `""` | Specify to use a namespace other then the one the chart is installed into | | spire-server.upstreamAuthority.certManager.rbac.create | bool | `true` | | 
diff --git a/charts/spire/charts/spiffe-csi-driver/Chart.yaml b/charts/spire/charts/spiffe-csi-driver/Chart.yaml index 9aaefb15a..a7d5ab008 100644 --- a/charts/spire/charts/spiffe-csi-driver/Chart.yaml +++ b/charts/spire/charts/spiffe-csi-driver/Chart.yaml @@ -4,3 +4,18 @@ description: A Helm chart to install the SPIFFE CSI driver. type: application version: 0.1.0 appVersion: "0.2.3" +keywords: ["spiffe", "csi-driver"] +home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +sources: + - https://github.com/spiffe/helm-charts/tree/main/charts/spire +icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png +maintainers: + - name: marcofranssen + email: marco.franssen@gmail.com + url: https://marcofranssen.nl + - name: kfox1111 + email: Kevin.Fox@pnnl.gov + - name: faisal-memon + email: fymemon@yahoo.com + - name: edwbuck + email: edwbuck@gmail.com diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md index 1d08183b2..954456acb 100644 --- a/charts/spire/charts/spiffe-csi-driver/README.md +++ b/charts/spire/charts/spiffe-csi-driver/README.md @@ -6,9 +6,24 @@ A Helm chart to install the SPIFFE CSI driver. +**Homepage:** + > **Note**: The recommended version is `0.2.3` to support arm64 nodes. If running with any > prior version to `0.2.3` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| marcofranssen | | | +| kfox1111 | | | +| faisal-memon | | | +| edwbuck | | | + +## Source Code + +* + ## Values | Key | Type | Default | Description | diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml index 563f264b9..64ea54c11 100644 --- a/charts/spire/charts/spiffe-csi-driver/values.yaml +++ b/charts/spire/charts/spiffe-csi-driver/values.yaml 
@@ -1,3 +1,6 @@ +# @ignored +global: {} + # -- Set the csi driver name deployed to Kubernetes. pluginName: csi.spiffe.io diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml index 3c1e0491b..5bd5c3ec2 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml @@ -3,4 +3,19 @@ name: spiffe-oidc-discovery-provider description: A Helm chart to install the SPIFFE OIDC discovery provider. type: application version: 0.1.0 -appVersion: "1.6.4" +appVersion: "1.7.0" +keywords: ["spiffe", "oidc"] +home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +sources: + - https://github.com/spiffe/helm-charts/tree/main/charts/spire +icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png +maintainers: + - name: marcofranssen + email: marco.franssen@gmail.com + url: https://marcofranssen.nl + - name: kfox1111 + email: Kevin.Fox@pnnl.gov + - name: faisal-memon + email: fymemon@yahoo.com + - name: edwbuck + email: edwbuck@gmail.com diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 2079babab..dd1e23d6a 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -2,14 +2,29 @@ -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.0](https://img.shields.io/badge/AppVersion-1.7.0-informational?style=flat-square) A Helm chart to install the SPIFFE OIDC discovery provider. +**Homepage:** + > **Note**: Minimum Spire version is `1.5.3`. > The recommended version is `1.6.0` to support arm64 nodes. If running with any > prior version to `1.6.0` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| marcofranssen | | | +| kfox1111 | | | +| faisal-memon | | | +| edwbuck | | | + +## Source Code + +* + ## Values | Key | Type | Default | Description | 
@@ -81,6 +96,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spiffe-oidc-discovery-provider | | telemetry.prometheus.port | int | `9988` | | | tolerations | list | `[]` | | +| tools.kubectl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | +| tools.kubectl.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | +| tools.kubectl.image.repository | string | `"rancher/kubectl"` | The repository within the registry | +| tools.kubectl.image.tag | string | `""` | Overrides the image tag | +| tools.kubectl.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers | ---------------------------------------------- diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl index 72b90773c..70d6de2f7 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl @@ -85,4 +85,3 @@ Create the name of the service account to use {{- define "spiffe-oidc-discovery-provider.workload-api-socket-path" -}} {{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }} {{- end }} - diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml new file mode 100644 index 000000000..6b2af6960 --- /dev/null +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml 
@@ -0,0 +1,71 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}-pre-delete + namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }} + labels: + {{- include "spiffe-oidc-discovery-provider.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}-pre-delete + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +rules: + - apiGroups: ["apps"] + resources: ["deployments"] + resourceNames: [{{ include "spiffe-oidc-discovery-provider.fullname" . | quote }}] + verbs: ["get", "delete"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}-pre-delete + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +subjects: + - kind: ServiceAccount + name: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}-pre-delete + namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }} +roleRef: + kind: Role + name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}-pre-delete + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}-pre-delete + namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }} + labels: + {{- include "spiffe-oidc-discovery-provider.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed +spec: + template: + metadata: + name: {{ include "spiffe-oidc-discovery-provider.fullname" . 
}}-pre-delete + spec: + restartPolicy: Never + serviceAccountName: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}-pre-delete + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: pre-delete-job + securityContext: + {{- toYaml .Values.securityContext | nindent 10 }} + image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} + args: + - delete + - -n + - {{ include "spiffe-oidc-discovery-provider.namespace" . }} + - deployment + - {{ include "spiffe-oidc-discovery-provider.fullname" . }} + - --wait diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml index 3f11d1195..3c028d8b4 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml 
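Review bot: The `Role` and `RoleBinding` carry no `namespace:` in their metadata, while the `ServiceAccount` and `Job` are placed in `{{ include "spiffe-oidc-discovery-provider.namespace" . }}`; if that helper ever resolves to something other than the release namespace, the Role lands in the release namespace but the Job's ServiceAccount lives elsewhere, and the hook's `kubectl delete deployment` is denied. Add `namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }}` to both metadata blocks, and for consistency give them the same `labels:` include the other two objects have. The Job sets no `backoffLimit`, so a failing delete is retried with the batch default before the hook reports failure, and `hook-failed` in the delete policy then removes the Job together with its pod logs — worth a comment on the annotation if that trade-off is intended. The RBAC itself is appropriately narrow (`get`/`delete` on the single named deployment via `resourceNames`).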
@@ -12,26 +12,26 @@ spec: {{- toYaml .Values.podSecurityContext | nindent 4 }} containers: - name: curl-service-name - image: cgr.dev/chainguard/bash:latest + image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}:{{ .Values.service.port }}/.well-known/openid-configuration'] securityContext: {{- toYaml .Values.securityContext | nindent 8 }} - name: curl-service-name-namespace - image: cgr.dev/chainguard/bash:latest + image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}:{{ .Values.service.port }}/.well-known/openid-configuration'] securityContext: {{- toYaml .Values.securityContext | nindent 8 }} - name: curl-service-name-namespace-svc-cluster-local - image: cgr.dev/chainguard/bash:latest + image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}/.well-known/openid-configuration'] securityContext: {{- toYaml .Values.securityContext | nindent 8 }} {{- if .Values.ingress.enabled }} - name: curl-ingress - image: cgr.dev/chainguard/bash:latest + image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-s', '-f', 'http://{{ index .Values.config.domains 0 }}/.well-known/openid-configuration'] securityContext: 
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 42d959f0f..5b9fa08f8 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -2,6 +2,9 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# @ignored +global: {} + # -- The name of the spire-agent unix socket agentSocketName: spire-agent.sock @@ -197,3 +200,32 @@ ingress: # - secretName: chart-example-tls # hosts: # - oidc-discovery.example.org + +# @ignored +tests: + bash: + image: + # -- The OCI registry to pull the tests image from + registry: cgr.dev + # -- The repository within the registry + repository: chainguard/bash + # -- The tests image pull policy + pullPolicy: IfNotPresent + # -- This value is deprecated in favor of tag. (Will be removed in a future release) + version: "" + # -- Overrides the image tag + tag: 5.2.15 + +tools: + kubectl: + image: + # -- The OCI registry to pull the image from + registry: docker.io + # -- The repository within the registry + repository: rancher/kubectl + # -- The image pull policy + pullPolicy: IfNotPresent + # -- This value is deprecated in favor of tag. (Will be removed in a future release) + version: "" + # -- Overrides the image tag + tag: "" diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml index 5a566bccb..5b585f36e 100644 --- a/charts/spire/charts/spire-agent/Chart.yaml +++ b/charts/spire/charts/spire-agent/Chart.yaml 
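Review bot: `tag: 5.2.15` in the new `tests.bash.image` block is the only unquoted tag in this file — the sibling `version: ""` and `tools.kubectl.image.tag: ""` are quoted, and a future tag such as `5.2` would be read as the float 5.2; write it as `tag: "5.2.15"`. The `# @ignored` marker on `tests` also keeps this pinned image out of the generated README, so anyone overriding it has to read values.yaml; if that is deliberate, a short comment saying the block is used only by `helm test` would help the next maintainer.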
@@ -3,4 +3,19 @@ name: spire-agent description: A Helm chart to install the SPIRE agent. type: application version: 0.1.0 -appVersion: "1.6.4" +appVersion: "1.7.0" +keywords: ["spiffe", "spire-agent"] +home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +sources: + - https://github.com/spiffe/helm-charts/tree/main/charts/spire +icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png +maintainers: + - name: marcofranssen + email: marco.franssen@gmail.com + url: https://marcofranssen.nl + - name: kfox1111 + email: Kevin.Fox@pnnl.gov + - name: faisal-memon + email: fymemon@yahoo.com + - name: edwbuck + email: edwbuck@gmail.com diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 25be0e9e7..63da2b584 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -2,14 +2,29 @@ -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.0](https://img.shields.io/badge/AppVersion-1.7.0-informational?style=flat-square) A Helm chart to install the SPIRE agent. +**Homepage:** + > **Note**: Minimum Spire version is `1.5.3`. > The recommended version is `1.6.0` to support arm64 nodes. If running with any > prior version to `1.6.0` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| marcofranssen | | | +| kfox1111 | | | +| faisal-memon | | | +| edwbuck | | | + +## Source Code + +* + ## Values | Key | Type | Default | Description | 
@@ -20,6 +35,12 @@ A Helm chart to install the SPIRE agent. | extraContainers | list | `[]` | | | extraVolumeMounts | list | `[]` | | | extraVolumes | list | `[]` | | +| fsGroupFix.image.pullPolicy | string | `"Always"` | The image pull policy | +| fsGroupFix.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from | +| fsGroupFix.image.repository | string | `"chainguard/bash"` | The repository within the registry | +| fsGroupFix.image.tag | string | `"5.2.15"` | Overrides the image tag | +| fsGroupFix.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | +| fsGroupFix.resources | object | `{}` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | | fullnameOverride | string | `""` | | | healthChecks.port | int | `9980` | override the host port used for health checking | | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index 00af61361..075d74374 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml 
@@ -43,6 +43,22 @@ spec: args: ["-t", "30", "-h", "{{ include "spire-agent.server-address" . | trim }}", "-p", {{ .Values.server.port | quote }}] resources: {{- toYaml .Values.waitForIt.resources | nindent 12 }} + {{- if gt (int (dig "fsGroup" 0 .Values.podSecurityContext)) 0 }} + - name: fsgroupfix + image: {{ template "spire-lib.image" (dict "image" .Values.fsGroupFix.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.fsGroupFix.image.pullPolicy }} + command: ["bash", "-c"] + args: + - "chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ include "spire-agent.socket-path" . | dir }}" + resources: + {{- toYaml .Values.fsGroupFix.resources | nindent 12 }} + volumeMounts: + - name: spire-agent-socket-dir + mountPath: {{ include "spire-agent.socket-path" . | dir }} + securityContext: + runAsUser: 0 + runAsGroup: 0 + {{- end }} {{- if gt (len .Values.initContainers) 0 }} {{- toYaml .Values.initContainers | nindent 8 }} {{- end }} diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index c237dc4a2..0d6f913db 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -2,6 +2,9 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# @ignored +global: {} + image: # -- The OCI registry to pull the image from registry: ghcr.io 
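Review bot: The `fsgroupfix` init container runs as uid 0 with a `securityContext` that sets only `runAsUser`/`runAsGroup`, so it keeps the default capability set and leaves `allowPrivilegeEscalation` unset; the pod-level hardening does not reach it, and it would fail the restricted Pod Security Standard that the production example in this commit otherwise aims for. The `chown` argument also interpolates `.Values.podSecurityContext.runAsUser` unguarded while the `if` checks only `fsGroup`, so a values file with `fsGroup` but no `runAsUser` renders `chown -R <no value>:1000 …` and the init container exits non-zero. Tighten the container's `securityContext` and read the uid with `dig` so a missing value defaults to `0`, as below; whether `CHOWN`, `FOWNER` and `DAC_OVERRIDE` are the exact minimum for the recursive chown should be confirmed in the CI scenario. The enclosing `initContainers:` list starts before the hunk.
```yaml
        {{- if gt (int (dig "fsGroup" 0 .Values.podSecurityContext)) 0 }}
        - name: fsgroupfix
          # … unchanged: image, imagePullPolicy, command …
          args:
            - "chown -R {{ dig "runAsUser" 0 .Values.podSecurityContext }}:{{ .Values.podSecurityContext.fsGroup }} {{ include "spire-agent.socket-path" . | dir }}"
          # … unchanged: resources, volumeMounts …
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
            capabilities:
              drop: [ALL]
              add: [CHOWN, FOWNER, DAC_OVERRIDE]  # TODO confirm minimum set in CI
        {{- end }}
```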
@@ -106,6 +109,23 @@ waitForIt: tag: latest-20230517 resources: {} +# When running as non root, needed to ensure the socket path has the correct permissions. +# Set runAsUser to a non-zero value in podSecurityContext to run as non-root user. +fsGroupFix: + image: + # -- The OCI registry to pull the image from + registry: cgr.dev + # -- The repository within the registry + repository: chainguard/bash + # -- The image pull policy + pullPolicy: Always + # -- This value is deprecated in favor of tag. (Will be removed in a future release) + version: "" + # -- Overrides the image tag + tag: 5.2.15 + # -- Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + # workloadAttestors determine a workload's properties and then generate a set of selectors associated with it. workloadAttestors: # unix is a workload attestor which generates unix-based selectors like 'uid' and 'gid'. diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml index 3614da407..39460ad8a 100644 --- a/charts/spire/charts/spire-server/Chart.yaml +++ b/charts/spire/charts/spire-server/Chart.yaml @@ -3,4 +3,19 @@ name: spire-server description: A Helm chart to install the SPIRE server. type: application version: 0.1.0 -appVersion: "1.6.4" +appVersion: "1.7.0" +keywords: ["spiffe", "spire-server", "spire-controller-manager"] +home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +sources: + - https://github.com/spiffe/helm-charts/tree/main/charts/spire +icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png +maintainers: + - name: marcofranssen + email: marco.franssen@gmail.com + url: https://marcofranssen.nl + - name: kfox1111 + email: Kevin.Fox@pnnl.gov + - name: faisal-memon + email: fymemon@yahoo.com + - name: edwbuck + email: edwbuck@gmail.com 
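Review bot: `pullPolicy: Always` for `fsGroupFix.image` differs from the `IfNotPresent` this commit uses for the same `cgr.dev/chainguard/bash` image in every `tests.bash.image` block, and on a DaemonSet it means each agent pod restart depends on the registry being reachable before the root-running init container can start; unless re-resolving the tag on every start is intended, `pullPolicy: IfNotPresent` is the safer default. The two explanatory lines above `fsGroupFix:` are plain comments rather than `# --` helm-docs comments, so the generated README row for `fsGroupFix` has no description; `# -- Fixes socket directory ownership when running as non-root (the init container itself runs as root)` would carry the same information into the docs.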
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 9fba830fb..36bcbe409 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -2,10 +2,12 @@ -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.0](https://img.shields.io/badge/AppVersion-1.7.0-informational?style=flat-square) A Helm chart to install the SPIRE server. +**Homepage:** + > **Note**: Minimum Spire version is `1.5.3`. > The recommended version is `1.6.0` to support arm64 nodes. If running with any > prior version to `1.6.0` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. @@ -13,6 +15,19 @@ A Helm chart to install the SPIRE server. > The recommended spire-controller-manager version is `0.2.2` to support arm64 nodes. If running with any > prior version to `0.2.2` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| marcofranssen | | | +| kfox1111 | | | +| faisal-memon | | | +| edwbuck | | | + +## Source Code + +* + ## Values | Key | Type | Default | Description | 
@@ -52,11 +67,6 @@ A Helm chart to install the SPIRE server. | controllerManager.service.port | int | `443` | | | controllerManager.service.type | string | `"ClusterIP"` | | | controllerManager.validatingWebhookConfiguration.failurePolicy | string | `"Fail"` | | -| controllerManager.validatingWebhookConfiguration.upgradeHook.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| controllerManager.validatingWebhookConfiguration.upgradeHook.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | -| controllerManager.validatingWebhookConfiguration.upgradeHook.image.repository | string | `"rancher/kubectl"` | The repository within the registry | -| controllerManager.validatingWebhookConfiguration.upgradeHook.image.tag | string | `""` | Overrides the image tag | -| controllerManager.validatingWebhookConfiguration.upgradeHook.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | dataStore.sql.databaseName | string | `"spire"` | Only used by "postgres" or "mysql" | | dataStore.sql.databaseType | string | `"sqlite3"` | Other supported databases are "postgres" and "mysql" | | dataStore.sql.host | string | `""` | Only used by "postgres" or "mysql" | 
@@ -128,13 +138,18 @@ A Helm chart to install the SPIRE server. | telemetry.prometheus.podMonitor.labels | object | `{}` | | | telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spire-server | | tolerations | list | `[]` | | +| tools.kubectl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | +| tools.kubectl.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | +| tools.kubectl.image.repository | string | `"rancher/kubectl"` | The repository within the registry | +| tools.kubectl.image.tag | string | `""` | Overrides the image tag | +| tools.kubectl.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | topologySpreadConstraints | list | `[]` | | | tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information | | tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) (Not for production) | | tornjak.image.pullPolicy | string | `"IfNotPresent"` | The Tornjak image pull policy | | tornjak.image.registry | string | `"ghcr.io"` | The OCI registry to pull the Tornjak image from | | tornjak.image.repository | string | `"spiffe/tornjak-backend"` | The repository within the registry | -| tornjak.image.tag | string | `"v1.2.1"` | Overrides the image tag | +| tornjak.image.tag | string | `"v1.2.2"` | Overrides the image tag | | tornjak.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | tornjak.resources | object | `{}` | | | tornjak.service.annotations | object | `{}` | | 
@@ -146,10 +161,16 @@ A Helm chart to install the SPIRE server. | tornjak.startupProbe.successThreshold | int | `1` | | | tornjak.startupProbe.timeoutSeconds | int | `5` | | | trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers | +| upstreamAuthority.certManager.ca.create | bool | `false` | Creates a Cert-Manager CA | +| upstreamAuthority.certManager.ca.duration | string | `"87600h"` | Duration of the CA. Defaults to 10 years. | +| upstreamAuthority.certManager.ca.privateKey.algorithm | string | `"ECDSA"` | | +| upstreamAuthority.certManager.ca.privateKey.rotationPolicy | string | `""` | | +| upstreamAuthority.certManager.ca.privateKey.size | int | `256` | | +| upstreamAuthority.certManager.ca.renewBefore | string | `""` | How long to wait before renewing the CA | | upstreamAuthority.certManager.enabled | bool | `false` | | | upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` | | | upstreamAuthority.certManager.issuer_kind | string | `"Issuer"` | | -| upstreamAuthority.certManager.issuer_name | string | `"spire-ca"` | | +| upstreamAuthority.certManager.issuer_name | string | `""` | Defaults to the release name, override if CA is provided outside of the chart | | upstreamAuthority.certManager.kube_config_file | string | `""` | | | upstreamAuthority.certManager.namespace | string | `""` | Specify to use a namespace other then the one the chart is installed into | | upstreamAuthority.certManager.rbac.create | bool | `true` | | diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl index af1e65277..7df362661 100644 --- a/charts/spire/charts/spire-server/templates/_helpers.tpl +++ b/charts/spire/charts/spire-server/templates/_helpers.tpl 
@@ -105,15 +105,6 @@ Create the name of the service account to use {{- end }} {{- end }} -{{- define "spire-server.kubectl-image" }} -{{- $root := deepCopy . }} -{{- $tag := (default $root.image.tag $root.image.version) | toString }} -{{- if eq (len $tag) 0 }} -{{- $_ := set $root.image "tag" (regexReplaceAll "^(v?\\d+\\.\\d+\\.\\d+).*" $root.KubeVersion "${1}") }} -{{- end }} -{{- include "spire-lib.image" $root }} -{{- end }} - {{- define "spire-server.config-mysql-query" }} {{- $lst := list }} {{- range . }} diff --git a/charts/spire/charts/spire-server/templates/bundle-configmap.yaml b/charts/spire/charts/spire-server/templates/bundle-configmap.yaml index ea4224eab..95b7dd230 100644 --- a/charts/spire/charts/spire-server/templates/bundle-configmap.yaml +++ b/charts/spire/charts/spire-server/templates/bundle-configmap.yaml @@ -4,3 +4,7 @@ kind: ConfigMap metadata: name: {{ include "spire-lib.bundle-configmap" . }} namespace: {{ .Values.notifier.k8sbundle.namespace | default $namespace }} + {{- with .Values.configMap.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index ad228241f..cf53d4855 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -78,7 +78,7 @@ plugins: UpstreamAuthority: - cert-manager: plugin_data: - issuer_name: {{ .issuer_name | quote }} + issuer_name: {{ default .issuer_name (include "spire-server.fullname" $root) }} issuer_kind: {{ .issuer_kind | quote }} issuer_group: {{ .issuer_group | quote }} namespace: {{ default $root.Release.Namespace .namespace | quote }} diff --git a/charts/spire/charts/spire-server/templates/federation-ingress.yaml b/charts/spire/charts/spire-server/templates/federation-ingress.yaml index 013be910b..e7d0fea57 100644 
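Review bot: In the configmap.yaml hunk, `default .issuer_name (include "spire-server.fullname" $root)` has its arguments reversed: Sprig's `default` returns its second argument whenever that is non-empty, and the fullname always is, so a user-supplied `issuer_name` is silently ignored even though the new values comment promises it overrides the default. It should read `issuer_name: {{ .issuer_name | default (include "spire-server.fullname" $root) | quote }}`, which also restores the `| quote` the old line had and that the neighbouring `issuer_kind` and `issuer_group` still use. The `.github/tests/upstream-authority-cert-manager` scenario switched from `issuer_name: "demo-ca"` to `ca.create: true` in the same commit, so CI no longer exercises the override path and will not catch this.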
--- a/charts/spire/charts/spire-server/templates/federation-ingress.yaml +++ b/charts/spire/charts/spire-server/templates/federation-ingress.yaml @@ -8,7 +8,7 @@ metadata: namespace: {{ include "spire-server.namespace" . }} labels: {{ include "spire-server.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} + {{- with .Values.federation.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/issuer.yaml b/charts/spire/charts/spire-server/templates/issuer.yaml new file mode 100644 index 000000000..4ce6c2522 --- /dev/null +++ b/charts/spire/charts/spire-server/templates/issuer.yaml 
@@ -0,0 +1,55 @@
+{{- with .Values.upstreamAuthority.certManager }}
+{{ if and .enabled .ca.create }}
+{{/*
+Configuring CA Issuer: https://cert-manager.io/docs/configuration/ca/
+*/}}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "spire-server.fullname" $ }}-selfsigned
+ namespace: {{ include "spire-server.namespace" $ }}
+ labels:
+ {{- include "spire-server.labels" $ | nindent 4}}
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "spire-server.fullname" $ }}
+ namespace: {{ include "spire-server.namespace" $ }}
+spec:
+ isCA: true
+ commonName: {{ $.Values.ca_subject.common_name }}
+ secretName: {{ include "spire-server.fullname" $ }}-ca-keys
+ duration: {{ $.Values.upstreamAuthority.certManager.ca.duration }}
+ subject:
+ countries:
+ - {{ $.Values.ca_subject.country }}
+ organizations:
+ - {{ $.Values.ca_subject.organization }}
+ privateKey:
+ algorithm: {{ $.Values.upstreamAuthority.certManager.ca.privateKey.algorithm }}
+ size: {{ $.Values.upstreamAuthority.certManager.ca.privateKey.size }}
+ {{- with $.Values.upstreamAuthority.certManager.ca.privateKey.rotationPolicy }}
+ rotationPolicy: {{ . }}
+ {{- end }}
+ {{- with $.Values.upstreamAuthority.certManager.ca.renewBefore }}
+ renewBefore: {{ . }}
+ {{- end }}
+ issuerRef:
+ name: {{ include "spire-server.fullname" $ }}-selfsigned
+ kind: Issuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "spire-server.fullname" $ }}
+ namespace: {{ include "spire-server.namespace" $ }}
+spec:
+ ca:
+ secretName: {{ include "spire-server.fullname" $ }}-ca-keys
+---
+{{- end }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/post-install-hook.yaml b/charts/spire/charts/spire-server/templates/post-install-hook.yaml
index 39607e225..14e5b9977 100644
--- a/charts/spire/charts/spire-server/templates/post-install-hook.yaml
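Review bot: Only the self-signed Issuer in the new issuer.yaml carries `spire-server.labels`; the Certificate and the CA Issuer further down have no `labels:` block, so label selectors used to find or clean up chart-owned cert-manager objects (and the CA key Secret they produce) will miss two of the three resources. Add `labels:` / `{{- include "spire-server.labels" $ | nindent 4 }}` under both remaining `metadata:` blocks. Note also that this file is guarded by `.ca.create`, while the statefulset hunk in this commit tests `.createCA`, so the two templates currently disagree on which value enables the generated CA.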
+++ b/charts/spire/charts/spire-server/templates/post-install-hook.yaml @@ -63,7 +63,7 @@ spec: - name: post-install-job securityContext: {{- toYaml .Values.securityContext | nindent 10 }} - image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} + image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - patch - validatingwebhookconfiguration diff --git a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml index d518116b2..628ee8de2 100644 --- a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml +++ b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml @@ -56,14 +56,14 @@ spec: name: {{ include "spire-server.fullname" . }}-post-upgrade spec: restartPolicy: Never - serviceAccountName: {{ include "spire-server.serviceAccountName" . }}-post-upgrade + serviceAccountName: {{ include "spire-server.serviceAccountName" . }}-post-upgrade securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: post-upgrade-job securityContext: {{- toYaml .Values.securityContext | nindent 10 }} - image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} + image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - patch - validatingwebhookconfiguration 
diff --git a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml index 47f8ab1c2..f96250e2b 100644 --- a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml +++ b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml @@ -63,7 +63,7 @@ spec: - name: post-install-job securityContext: {{- toYaml .Values.securityContext | nindent 10 }} - image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} + image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} args: - patch - validatingwebhookconfiguration diff --git a/charts/spire/charts/spire-server/templates/roles.yaml b/charts/spire/charts/spire-server/templates/roles.yaml index f1bf0fafd..6c667e723 100644 --- a/charts/spire/charts/spire-server/templates/roles.yaml +++ b/charts/spire/charts/spire-server/templates/roles.yaml @@ -3,7 +3,7 @@ kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ include "spire-server.fullname" . }}-bundle + name: {{ include "spire-lib.bundle-configmap" . }} namespace: {{ .Values.notifier.k8sbundle.namespace | default $namespace }} rules: - apiGroups: [""] @@ -24,6 +24,7 @@ rules: - apiGroups: ["cert-manager.io"] resources: - certificaterequests + - issuers verbs: - list - get @@ -50,7 +51,7 @@ roleRef: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ include "spire-server.fullname" . }}-bundle + name: {{ include "spire-lib.bundle-configmap" . }} namespace: {{ .Values.notifier.k8sbundle.namespace | default $namespace }} subjects: - kind: ServiceAccount 
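Review bot: In the roles.yaml hunk that adds `issuers`, the resource joins the existing `cert-manager.io` rule and therefore inherits every verb of that rule, but the verb list is visible only up to `get`; if it continues with write verbs beyond the hunk, the bound service account gains them on Issuers although the only new consumer in this commit (the statefulset's `kubectl wait`) needs `get`. A separate rule, `- apiGroups: ["cert-manager.io"]` / `resources: [issuers]` / `verbs: [get, list]`, keeps the grant minimal and easy to audit. Whether this rule sits in the bundle Role whose namespace follows `notifier.k8sbundle.namespace` cannot be told from the hunk; if it does, the grant may land in a different namespace from the one issuer.yaml creates the Issuer in, which is where the wait runs.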
@@ -58,7 +59,7 @@ subjects: namespace: {{ $namespace }} roleRef: kind: Role - name: {{ include "spire-server.fullname" . }}-bundle + name: {{ include "spire-lib.bundle-configmap" . }} apiGroup: rbac.authorization.k8s.io {{- if and .Values.nodeAttestor.k8sPsat.enabled }} diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index bb3cc7899..1540dd0d1 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -42,8 +42,23 @@ spec: shareProcessNamespace: true securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} - {{- if gt (len .Values.initContainers) 0 }} initContainers: + {{- if and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.createCA }} + - name: wait + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} + args: + - wait + - --namespace + - {{ .Release.Namespace }} + - --timeout=3m + - --for=condition=ready + - issuer + - {{ include "spire-server.fullname" $ }} + imagePullPolicy: {{ .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image.pullPolicy }} + {{- end }} + {{- if gt (len .Values.initContainers) 0 }} {{- toYaml .Values.initContainers | nindent 8 }} {{- end }} containers: @@ -163,6 +178,7 @@ spec: startupProbe: httpGet: scheme: HTTP + path: /api/tornjak/serverinfo port: 10000 {{- toYaml .Values.tornjak.startupProbe | nindent 12 }} args: diff --git a/charts/spire/charts/spire-server/templates/tests/test-connection.yaml b/charts/spire/charts/spire-server/templates/tests/test-connection.yaml index 7674197eb..9e1740612 100644 
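Review bot: The new `wait` init container in statefulset.yaml can never render as written: it is guarded by `.Values.upstreamAuthority.certManager.createCA`, a key this commit does not define (values.yaml and issuer.yaml use `ca.create`), and if the guard were corrected the block would fail to render because it calls `spire-server.kubectl-image`, which this commit deletes from `_helpers.tpl`, and reads `controllerManager.validatingWebhookConfiguration.upgradeHook.image`, which this commit removes from values. It also waits in `.Release.Namespace` while issuer.yaml creates the Issuer in `spire-server.namespace`, so with `namespaceOverride` set (as the production example does) the wait would time out. The hooks in this commit already use `spire-lib.kubectl-image` with `tools.kubectl.image`; the init container should follow them, as below. The enclosing `initContainers:` list continues past the hunk.
```yaml
      initContainers:
      {{- if and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.ca.create }}
        - name: wait
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
          args:
            - wait
            - --namespace
            - {{ include "spire-server.namespace" . }}
            # … unchanged: --timeout, --for, issuer, name …
          imagePullPolicy: {{ .Values.tools.kubectl.image.pullPolicy }}
      {{- end }}
```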
--- a/charts/spire/charts/spire-server/templates/tests/test-connection.yaml +++ b/charts/spire/charts/spire-server/templates/tests/test-connection.yaml @@ -12,7 +12,7 @@ spec: {{- toYaml .Values.podSecurityContext | nindent 4 }} containers: - name: curl - image: cgr.dev/chainguard/bash:latest + image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['bash'] args: - -c @@ -31,7 +31,7 @@ spec: {{- toYaml .Values.securityContext | nindent 8 }} {{- if eq (.Values.federation.enabled | toString) "true" }} - name: curl-federation-bundle-endpoint - image: cgr.dev/chainguard/bash:latest + image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] args: ['-k', '-s', '-f', 'https://{{ include "spire-server.fullname" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.federation.bundleEndpoint.port }}'] securityContext: diff --git a/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml index 5b386925f..9c9e6cdc9 100644 --- a/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml +++ b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml 
@@ -13,9 +13,15 @@ spec: {{- toYaml .Values.podSecurityContext | nindent 4 }} containers: - name: curl-tornjak-backend - image: cgr.dev/chainguard/bash:latest + image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] - args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.backend" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.port }}'] + args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.backend" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.port }}/api/tornjak/serverinfo'] + securityContext: + {{- toYaml .Values.securityContext | nindent 8 }} + - name: curl-tornjak-backend-and-spire + image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} + command: ['curl'] + args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.backend" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.port }}/api/healthcheck'] securityContext: {{- toYaml .Values.securityContext | nindent 8 }} restartPolicy: Never diff --git a/charts/spire/charts/spire-server/templates/upstream-ca-secret.yaml b/charts/spire/charts/spire-server/templates/upstream-ca-secret.yaml index 2adc10945..b855065fa 100644 --- a/charts/spire/charts/spire-server/templates/upstream-ca-secret.yaml +++ b/charts/spire/charts/spire-server/templates/upstream-ca-secret.yaml @@ -5,7 +5,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "spire-server.upstream-ca-secret" $root }} - namespace: {{ include "spire-server.namespace" . }} + namespace: {{ include "spire-server.namespace" $root }} labels: {{- include "spire-server.labels" $root | nindent 4 }} data: 
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index ebe31a598..17095b012 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -2,6 +2,9 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# @ignored +global: {} + # -- SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. replicaCount: 1 @@ -185,12 +188,25 @@ upstreamAuthority: enabled: false rbac: create: true - issuer_name: "spire-ca" + # -- Defaults to the release name, override if CA is provided outside of the chart + issuer_name: "" issuer_kind: "Issuer" issuer_group: "cert-manager.io" # -- Specify to use a namespace other then the one the chart is installed into namespace: "" kube_config_file: "" + + ca: + # -- Creates a Cert-Manager CA + create: false + # -- Duration of the CA. Defaults to 10 years. + duration: 87600h + privateKey: + algorithm: ECDSA + size: 256 + rotationPolicy: "" + # -- How long to wait before renewing the CA + renewBefore: "" spire: enabled: false server: 
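Review bot: The new comment on `issuer_name` says it "Defaults to the release name", but the configmap.yaml hunk defaults it to `include "spire-server.fullname"`, which, if it follows the usual Helm fullname helper, is the release name joined with the chart name; the documented default will then not match the Issuer name that issuer.yaml actually creates. Reword to `# -- Defaults to the chart fullname (the name issuer.yaml gives the generated Issuer); override if the CA is provided outside of the chart`. The new `privateKey.algorithm`, `privateKey.size` and `privateKey.rotationPolicy` keys carry no `# --` comments, which is why their README rows in this commit are blank; a one-liner each, such as `# -- Key algorithm of the generated CA, passed through to cert-manager's privateKey.algorithm`, would fill them.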
@@ -266,18 +282,20 @@ controllerManager: validatingWebhookConfiguration: failurePolicy: Fail - upgradeHook: - image: - # -- The OCI registry to pull the image from - registry: docker.io - # -- The repository within the registry - repository: rancher/kubectl - # -- The image pull policy - pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. (Will be removed in a future release) - version: "" - # -- Overrides the image tag - tag: "" + +tools: + kubectl: + image: + # -- The OCI registry to pull the image from + registry: docker.io + # -- The repository within the registry + repository: rancher/kubectl + # -- The image pull policy + pullPolicy: IfNotPresent + # -- This value is deprecated in favor of tag. (Will be removed in a future release) + version: "" + # -- Overrides the image tag + tag: "" telemetry: prometheus: @@ -337,7 +355,7 @@ tornjak: # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" # -- Overrides the image tag - tag: "v1.2.1" + tag: "v1.2.2" service: type: ClusterIP port: 10000 @@ -367,3 +385,18 @@ tornjak: # requests: # cpu: 100m # memory: 128Mi + +# @ignored +tests: + bash: + image: + # -- The OCI registry to pull the image from + registry: cgr.dev + # -- The repository within the registry + repository: chainguard/bash + # -- The image pull policy + pullPolicy: IfNotPresent + # -- This value is deprecated in favor of tag. (Will be removed in a future release) + version: "" + # -- Overrides the image tag + tag: 5.2.15 diff --git a/charts/spire/charts/tornjak-frontend/Chart.yaml b/charts/spire/charts/tornjak-frontend/Chart.yaml index 532f259dd..64c44f125 100644 --- a/charts/spire/charts/tornjak-frontend/Chart.yaml +++ b/charts/spire/charts/tornjak-frontend/Chart.yaml 
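Review bot: `controllerManager.validatingWebhookConfiguration.upgradeHook.image` is removed and re-homed as `tools.kubectl.image` with no compatibility path, so a user who pinned the kubectl image under the old key has that override silently dropped on upgrade and the hooks fall back to the `KubeVersion`-derived tag from the registry. A guard in a template that always renders, e.g. `{{- if hasKey .Values.controllerManager.validatingWebhookConfiguration "upgradeHook" }}{{ fail "controllerManager.validatingWebhookConfiguration.upgradeHook.image moved to tools.kubectl.image" }}{{- end }}`, turns the silent drop into a clear install-time error. The move should also be called out in the release notes, since the README hunk only removes the old rows.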
@@ -3,7 +3,7 @@ name: tornjak-frontend description: A Helm chart to deploy Tornjak frontend type: application version: 0.1.0 -appVersion: "v1.2.1" +appVersion: "v1.2.2" home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: - https://github.com/spiffe/tornjak diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index bb2af0ab6..b380e3411 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -2,7 +2,7 @@ -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.2.1](https://img.shields.io/badge/AppVersion-v1.2.1-informational?style=flat-square) +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.2.2](https://img.shields.io/badge/AppVersion-v1.2.2-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart to deploy Tornjak frontend diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index e4449b2c7..c7ba33712 100644 --- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml @@ -28,13 +28,6 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} - command: - - /bin/sh - - -c - - | - ln -s /tmp/env.js build/env.js - npx react-inject-env set -n /tmp/env.js - serve -s build -p $PORT_FE ports: - name: http containerPort: 3000 
@@ -50,6 +43,7 @@ spec: startupProbe: httpGet: scheme: HTTP + path: /tornjak/serverinfo port: {{ .Values.service.port }} failureThreshold: {{ .Values.startupProbe.failureThreshold }} initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} @@ -60,6 +54,8 @@ spec: volumeMounts: - name: cache mountPath: /usr/src/app/node_modules/.cache + - name: env + mountPath: /usr/src/app/build/tmp {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -79,3 +75,5 @@ spec: volumes: - name: cache emptyDir: {} + - name: env + emptyDir: {} diff --git a/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml index 4afec4514..7f5bdc4c5 100644 --- a/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml @@ -12,9 +12,9 @@ spec: {{- toYaml .Values.podSecurityContext | nindent 4 }} containers: - name: curl-tornjak-frontend - image: cgr.dev/chainguard/bash:latest + image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} command: ['curl'] - args: ['-k', '-s', '-f', 'http://{{ include "tornjak-frontend.fullname" . }}.{{ include "tornjak-frontend.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}'] + args: ['-k', '-s', '-f', 'http://{{ include "tornjak-frontend.fullname" . }}.{{ include "tornjak-frontend.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}/tornjak/serverinfo'] securityContext: {{- toYaml .Values.securityContext | nindent 8 }} restartPolicy: Never diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index ac574899b..7edc63387 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml 
@@ -2,6 +2,9 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# @ignored +global: {} + image: registry: ghcr.io repository: spiffe/tornjak-frontend @@ -88,3 +91,18 @@ startupProbe: failureThreshold: 6 # -- Success threshold count for startupProbe successThreshold: 1 + +# @ignored +tests: + bash: + image: + # -- The OCI registry to pull the image from + registry: cgr.dev + # -- The repository within the registry + repository: chainguard/bash + # -- The image pull policy + pullPolicy: IfNotPresent + # -- This value is deprecated in favor of tag. (Will be removed in a future release) + version: "" + # -- Overrides the image tag + tag: 5.2.15 diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl index 7fca6ef07..108412539 100644 --- a/charts/spire/templates/_spire-lib.tpl +++ b/charts/spire/templates/_spire-lib.tpl @@ -90,3 +90,12 @@ rules: {{- end }} {{- end }} {{- end }} + +{{- define "spire-lib.kubectl-image" }} +{{- $root := deepCopy . }} +{{- $tag := (default $root.image.tag $root.image.version) | toString }} +{{- if eq (len $tag) 0 }} +{{- $_ := set $root.image "tag" (regexReplaceAll "^(v?\\d+\\.\\d+\\.\\d+).*" $root.KubeVersion "${1}") }} +{{- end }} +{{- include "spire-lib.image" $root }} +{{- end }} diff --git a/ct.yaml b/ct.yaml new file mode 100644 index 000000000..affa496e1 --- /dev/null +++ b/ct.yaml @@ -0,0 +1,11 @@ +remote: origin +target-branch: main +chart-dirs: + - charts +chart-repos: + - spiffe=https://spiffe.github.io/helm-charts/ + - bitnami=https://charts.bitnami.com/bitnami + - ingress-nginx=https://kubernetes.github.io/ingress-nginx +exclude-deprecated: true +debug: true +helm-extra-args: "--timeout 15m" diff --git a/examples/production/values.yaml b/examples/production/values.yaml index 683666a6d..4ddb95b6f 100644 --- a/examples/production/values.yaml +++ b/examples/production/values.yaml 
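Review bot: `tag: 5.2.15` is unquoted; three dotted components parse as a string, but a two-component tag such as `5.10` would become the float 5.1 and render wrong, so quote it as `tag: "5.2.15"` to match the quoted `version: ""` beside it. Pinning a tag is an improvement over `latest`, but a tag on a public registry remains mutable; if the image helper accepts a digest, a `sha256:` pin would close that gap. Since the block is marked `@ignored`, the `# --` doc annotations inside it are likely never rendered.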
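Review bot: `spire-lib.kubectl-image` has no header comment, and two of its behaviours are not obvious: `default $root.image.tag $root.image.version` makes the deprecated `version` win over `tag` when both are set, and the regex strips everything after the patch number so a `KubeVersion` like `v1.27.3-eks-a1b2` becomes `v1.27.3`, while a value that does not match is passed through unchanged and used as the tag as-is. Deriving the image tag from the cluster's reported version also means the kubectl image is chosen at install time rather than pinned in values, which anyone auditing the supply chain will want stated. Suggest a `{{/* … */}}` header naming the expected input keys (`image`, `global`, and `KubeVersion` as a string) and spelling out those two rules.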
@@ -54,6 +54,18 @@ spire-agent: server: namespaceOverride: spire-server priorityClassName: system-node-critical + podSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + seccompProfile: + type: RuntimeDefault logLevel: info diff --git a/project/conventions.md b/project/conventions.md new file mode 100644 index 000000000..6fe195b0c --- /dev/null +++ b/project/conventions.md 
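Review bot: The non-root `podSecurityContext`/`securityContext` is a sound hardening default for the agent, but `fsGroup: 1000` only re-owns volume types that support it (emptyDir, secrets, PVs), not hostPath; if the agent chart mounts a hostPath for the workload API socket (outside this hunk), that host directory must already be writable by UID 1000 or the agent will fail to bind. A comment above `podSecurityContext` would stop this example being copied blindly, e.g. `# requires the agent socket hostPath to be writable by uid 1000; fsGroup does not apply to hostPath`. Whether these keys sit under `spire-agent` or `spire-agent.server` is not recoverable from the flattened hunk, so verify the nesting against the chart's values.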
@@ -0,0 +1,124 @@ + +# Development Conventions + +This document intends to capture the current coding conventions for +the SPIRE Helm Chart project, permitting multiple developers to align +to a similar style and standard when offering their contributions. + +It is impossible to describe every scenario a developer might encounter, +likewise it is equally impossible to describe the best choice to make +under all future circumstances. For this reason, many conventions also +have a small explanation of the rationale behind the guidance, allowing +future development efforts to weigh and balance the conflicting forces +in ambiguous situations not clearly covered. + +This document is intended to be a living document. If you have an issue +with a convention, we hope that you will create an issue describing the +problem, and a pull request suggesting the update. By addressing the +convention, we hope to avoid arguments about conventions in the pull +request review process, which slow the process and are often subject to +the popular whims of the moment. + +## Conventions used in this document + +While this is not a software specification, the key words "MUST", +"MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", +"RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be +interpreted as closely to the convention as it would be to a +specification described in RFC 2119. + +Use of the word in its non-all caps form SHOULD NOT be interpreted in +the strict definitions user RFC 2119, but SHOULD be interpreted in +context with a meaning aligned to RFC 2119. + +## Helm Chart conventions + +Helm values are organized in a tree structure, with each entry having +a key, the path within the structure, and a value, the contents held +at that path. Some of the contents include objects and arrays, which +are structures that permit multiple values under a particular path. 
+ +This design choice mimics the representation of a file system, and we +may use file system analogies to describe the conventions and choices +in the project. + +### Preference for absolute paths in templates + +Outside of looping constructs that require relative paths, templates +should use absolute paths (paths starting with the `.` character) for +their value references. + +### Helm Key path elements + +Elements refer to items in the configuration. Some of those items are +external to the project, while others are components the project choose +to implement the Helm Chart packaging solution. + +### Preferred characters for helm path elements + +Elements within a helm chart path SHOULD limit the use of special +characters, even when such characters are supported by Helm. ASCII +letters, upper and lower case, ASCII numerals, and the ASCII underscore +character are always permitted. + +Other characters, such as `@`, `~`, `&`, `+` are often used as +shorthand to represent, respectively `at`, `similar / not`, +`minus / without`, `and / reference`, `plus / with`. Helm key elements +MUST NOT contain such symbols, as it burdens the reader to deduce the +intent of the writer. + +`-` SHOULD NOT be used when there are good alternatives. Its reasonable +to use when spire itself uses it for config such as plugin names or +required by helm for child charts. + +### Camel Case for created elements + +Elements that refer to components that the project has created should +exclusively use camel case, with a the first word being lower case. To +illustrate, a "card sort order" path element would read "cardSortOrder". + +### Exact Case for non-created elements + +Elements that reflect components that have well known names should make +every effort to use the well known name exactly, even if the rules for +captialization don't follow other naming conventions. Exceptions to +this SHOULD include replacing problematic characters with underscores, +to improve template functionality. 
To illustrate, the operating system +NeXTSTEP would read as "NeXTSTEP" and "NeXT Computers" SHOULD be written +as "NeXT_Computers" but may also be written as "NeXTComputers" if clarity +is maintained. + +### Acronyms and Minimalists + +Occasionally the use of an Acronym or Minimalist is used as part of an +element name. An acronym is the use of the first letter of a phrase +or multi-word proper name that is pronounceable, while an initialisim is +the use of the first letter of a phrase or multi-word proper name +pronounced by naming the letters. `NASA` is an example of an acronym, +while `NFL` is an example of an Initialisim. + +To keep the recognition of the Acronym or Initialisim, an all capital +representation of the Acronym or Initialisim MUST be maintained. To +reduce the confusion this can create in camel case elements, we recommend +that such Acronyms and Initialisim be placed at the end of the element +or the element is restructured to avoid confusion. For example, +`mailingListNASA` or `mailingList.NASA` is preferred over +`NASAMailingList`. + +Acronyms and Initialisim occasionally use periods in their presentation. +When they do, the periods MUST be removed without replacement by +another character. To illustrate `U.N.` for the United Nations should +be written as `UN`. + +### Abbreviations + +Abbreviations shorten words by using some of the letters of the original +word. In all cases, element names that contain parts which are +abbreviations should be represented in the case determined by the part's +position. For example, a Junior administrator, should be written as +`jrAdmin`. + +Abbreviations occasionally use periods in their presentation. When they +do, the periods MUST be removed without replacement by another character. +To illustrate, use `acctSchedule` for Acct. Schedule.