From 8d9b73496da6df821896a4931cf1c997ca0e1215 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Sun, 14 May 2023 17:39:08 -0700 Subject: [PATCH 01/55] Switch the spire tests to always run (#250) This patch sets the spire chart tests to always run. This enables changes in tests to be tested and sets a base for split out charts. --------- Signed-off-by: Kevin Fox --- .github/workflows/helm-chart-ci.yaml | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index 4ac7bb0d0..2fab7f015 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml @@ -92,14 +92,6 @@ jobs: with: version: ${{ env.CHART_TESTING_VERSION }} - - name: Run chart-testing (list-changed) - id: list-changed - run: | - changed=$(ct list-changed --target-branch ${{ github.base_ref }}) - if [[ -n "$changed" ]]; then - echo "changed=true" >> $GITHUB_OUTPUT - fi - - name: Run chart-testing (lint) run: | ct lint --debug ${{ github.base_ref != 'release' && '--check-version-increment=false' || '' }} \ @@ -114,8 +106,6 @@ jobs: needs: [lint-chart] - if: needs.lint-chart.outputs.changed == 'true' - steps: - name: Checkout uses: actions/checkout@v3.5.2 @@ -137,8 +127,6 @@ jobs: - lint-chart - build-matrix - if: needs.lint-chart.outputs.changed == 'true' - strategy: fail-fast: false matrix: @@ -209,6 +197,7 @@ jobs: "${TEST_DIR}/install.sh" else ct install --debug \ + --charts "charts/spire" \ --namespace "${scenario}" \ --target-branch ${{ github.base_ref }} \ --exclude-deprecated \ From 05addae90691c5fceecdead1418298945ae94096 Mon Sep 17 00:00:00 2001 From: Faisal Memon Date: Mon, 15 May 2023 16:16:03 -0700 Subject: [PATCH 02/55] Add json to test path (#280) Adds *.json to the workflow trigger so that changes to json files, such as updating versions, will trigger a pipeline run. 
Signed-off-by: Faisal Memon --- .github/workflows/helm-chart-ci.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index 2fab7f015..e6027dd11 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml @@ -10,6 +10,7 @@ on: - '.github/kind/conf/kind-config.yaml' - '.github/tests/**/*.yaml' - '.github/tests/**/*.sh' + - '.github/tests/**/*.json' - 'examples/**/*.yaml' - 'helm-docs.sh' From 7c71738d5727ada4f46a5889a3d96721aece722e Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 15 May 2023 16:24:00 -0700 Subject: [PATCH 03/55] Bump test chart dependencies (#279) Bump the Helm charts used in test scenarios to latest available versions. Signed-off-by: GitHub Co-authored-by: marcofranssen Co-authored-by: Faisal Memon --- .github/tests/charts.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index eb72d77eb..2309183ae 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,12 +2,12 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "45.26.0" + "version": "45.27.2" }, { "name": "cert-manager", "repo": "https://charts.jetstack.io", - "version": "v1.11.1" + "version": "v1.11.2" }, { "name": "ingress-nginx", @@ -17,11 +17,11 @@ { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "9.7.2" + "version": "9.9.1" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "12.2.2" + "version": "12.5.1" } ] From 72596aea8d21d59040ebe05e8460cf4f3aeccf40 Mon Sep 17 00:00:00 2001 
From: Faisal Memon Date: Tue, 16 May 2023 10:21:44 -0700 Subject: [PATCH 04/55] Skip tests for docs folders (#281) Our mandatory checks will fail if there are docs only changes. The helm-chart-ci.yaml skips these files, so the workflows never run, and the mandatory checks are stuck waiting for results. This adds a parallel workflow that runs fake tests for docs changes. So that docs only changes can pass the required status checks. It uses `paths-ignore` instead of `paths`. This is documented [here](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/troubleshooting-required-status-checks#handling-skipped-but-required-checks). --------- Signed-off-by: Faisal Memon Co-authored-by: Marco Franssen --- .github/workflows/helm-chart-ci-ignore.yaml | 61 +++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/helm-chart-ci-ignore.yaml diff --git a/.github/workflows/helm-chart-ci-ignore.yaml b/.github/workflows/helm-chart-ci-ignore.yaml new file mode 100644 index 000000000..d54a1fff8 --- /dev/null +++ b/.github/workflows/helm-chart-ci-ignore.yaml 
@@ -0,0 +1,61 @@ +name: Helm Chart CI + +on: + workflow_dispatch: + pull_request: + types: [synchronize, opened, reopened] + paths-ignore: + - 'charts/**' + - '.github/workflows/helm-chart-ci.yaml' + - '.github/kind/conf/kind-config.yaml' + - '.github/tests/**/*.yaml' + - '.github/tests/**/*.sh' + - '.github/tests/**/*.json' + - 'examples/**/*.yaml' + - 'helm-docs.sh' + +jobs: + lint-chart: + runs-on: ubuntu-22.04 + steps: + - run: 'echo "Skipping linter"' + + checks: + runs-on: ubuntu-22.04 + steps: + - run: 'echo "Skipping checks"' + + build-matrix: + name: Build matrix + runs-on: ubuntu-22.04 + + steps: + - name: Checkout + uses: actions/checkout@v3.5.2 + + - id: set-matrix + name: Collect all tests + run: | + tests="$(echo -e "default\n$(find .github/tests -maxdepth 1 -type d | grep -Ev 'tests$' | xargs -I % basename % | sort | uniq)")" + tests_json="$(echo "$tests" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')" + echo "tests=$tests_json" >> $GITHUB_OUTPUT + + outputs: + tests: ${{ steps.set-matrix.outputs.tests }} + + test: + runs-on: ubuntu-22.04 + needs: + - build-matrix + + strategy: + matrix: + k8s: + - v1.27.0 + - v1.26.3 + - v1.25.8 + values: + - ${{ fromJson(needs.build-matrix.outputs.tests) }} + + steps: + - run: 'echo "Skipping tests"' From 2669d8b5e2d4f1c8a92d14c8dc8a581f95b674c4 Mon Sep 17 00:00:00 2001 From: Edwin Buck Date: Tue, 16 May 2023 12:22:54 -0500 Subject: [PATCH 05/55] Add maintainer's handbook. (#265) The maintainer's handbook is a guide to remind the maintainers of the values and approaches that most maintainers already hold. Specifics of code quality will come later, but putting them into this document would make it too long, and thus unread. Closes #263 --------- 
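Review bot: The `paths-ignore` list in this new workflow has to mirror the `paths` filter of helm-chart-ci.yaml exactly, because a file matched by neither filter gets no "Helm Chart CI" status at all while a file matched by both produces two same-named, possibly conflicting statuses; a comment above the list, `# Keep in sync with the 'paths' filter in helm-chart-ci.yaml`, makes that coupling visible to the next editor. `uses: actions/checkout@v3.5.2` pins a mutable tag; the supply-chain convention for third-party actions is the full commit SHA with the tag kept as a trailing comment, `uses: actions/checkout@<commit-sha>  # v3.5.2`. In the `set-matrix` step the redirect target should be quoted, `>> "$GITHUB_OUTPUT"`, as the rest of that pipeline already quotes its expansions.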
Signed-off-by: Edwin Buck Co-authored-by: Marco Franssen Co-authored-by: Mariusz Sabath Co-authored-by: Faisal Memon --- project/maintainers.md | 237 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 237 insertions(+) create mode 100644 project/maintainers.md diff --git a/project/maintainers.md b/project/maintainers.md new file mode 100644 index 000000000..b8b33d029 --- /dev/null +++ b/project/maintainers.md 
@@ -0,0 +1,237 @@ + + +# Maintainers handbook + +This document is a guide for maintainers across the spire/helm-chart effort to +provide a consistent user interface for those going through the review process. + +## The Pull Request + +Pull requests are submitted through GitHub. They are contributions to change +the project. There is no difference between code and non-code submissions, in +procedure or policy. + +All maintainers should consider that pull requests are gifts. The project +survives due to the effort of frequent contributors and their generosity. As +such, to encourage future submissions, the default approach to handling a merge +request should be gratitude, even if the request cannot be merged. + +## Roles + +There are two primary roles within the scope of a pull request. + +- Committer - one who offers code to be merged. +- Maintainer - one who merges the code. + +To ensure that all code receives a proper review, these roles are mutually +exclusive for each pull request. Within the scope of a pull request, a +Committer cannot be a Maintainer, nor can a Maintainer be a Committer. + +For abandoned pull requests still requiring work, or efforts transferred between +people, a Maintainer may become a Committer, invalidating any of their prior +review work. + +### Committers + +Committers are people contributing changes to the repository. The first +committer is typically the one that opens the pull request. Additional people +can become committers in the same merge request if they change the pull request +directly. + +Suggestions to a committer by a maintainer, such as commentary that with a +change the merge request might be accepted, does not make a maintainer a +committer, as the committer will choose include the change at their discretion. + +### Maintainers + +Maintainers hold a dual role in the project. They are ambassadors of the +effort as well as the gatekeepers permitting changes to the repository. 
As +ambassadors, maintainers must present a fair and impartial demeanor when +dealing with contributors. + +Failure to be fair or impartial reflects poorly on the released product, as +guilt by association taints the product. The process of reviewing a merge +request often includes conflict. Contributors can become defensive about work +they've done while maintainers can become adamant in the changes they request. + +To prevent a breakdown in the review process, the project encourages all +reviewers to adhere to a standard set of review best practices. Reviewers +should familiarize themselves with these practices and suggest updates to keep +the practices relevant over time. + +## Review Standards + +These standards serve to prevent problems from cropping up during a review. The +intent is that consistent application of these standards permits a consistent +review process, leading to repeatable, suprise free, outcomes during a review. + +The intent of maintaining standards is to enhance productivity and improve team +morale. In the event the standards have a negative impact on productivity or +morale, the standard itself should be questioned. To clarify the kinds of +productivity to be improved, the intent is to reduce the time between initial +submission of a merge request and its resolution. + +### Challenges to the Review Process + +Whenever possible, a maintainer should not argue a point about the review +standards with a contributor. Instead they should provide this document to the +contributor, indicating that changes to the review process are to be initiated +with a standard-altering Issue. + +In the exceedingly rare situation that a reviewer opts to ignore a review +standard during a merge request, the reviewer must indicate they are purposefully +ignoring the standard and the reason why. There are valid reasons to ignore +standards, but whenever possible a maintainer should uphold the standard or +change it. 
+ +### Review Outcomes + +From the Maintainers point of view, all merge requests require one of four +actions: + +- The maintainer accepts the pull request. +- The maintainer rejects the pull request. +- The maintainer requests the pull request be altered. +- The maintainer rewrites some or all of the pull request, becoming a + committer. + +Suggestions to the committer that a merge request be altered do not constitute +becoming an committer, even if the maintainer provides the lines of code +being suggested. + +### Review Tempo + +Maintainers should set aside and appropriate amount of time when reviewing. The +initial suggestion is one hour. Most reviews will complete well under this time, +but a few will take longer. Longer reviews should include review breaks, so the +reviewer remains fresh and attentive. Attempting a three hour long review often +yields worse results than two or three shorter efforts with breaks. + +The concept of going slow to complete items quickly is not a new one. With a +little extra time, comments can be thoughtful instead of reactive. + +### Review Goals + +Each review should have a defined set of goals established prior to the main +work of the review. The review process often challenges the committer, in the +hopes of improving the merge request. Keeping the review scoped to goals avoids +scenarios where the reviewer's requests seem capricious or autocratic. + +The current list of review goals include: + +- Keeping the code base readable +- Keeping the code base search-able +- Keeping the code base understandable +- Keeping the code base maintainable +- Keeping the code base testable +- Keeping the code base functional + +Note that quality, stability, and robustness are purposefully not included in +this list: + +- Quality is the combination of readable and testable. +- Stability is the combination of understandable, functional, and testable. +- Robustness is the combination of maintainable, functional, and testable. 
+ +Code standards are being developed to clarify specific tests to support these +goals. + +### Developer Testing prior to Review + +Each submission should assume that the committer ran the unit tests and +small-scale (not requiring an environment) integration tests prior to submission. +The merge request CI pipeline also runs these tests automatically. Failure to +pass them leads to an automatic call for merge request modification. + +Attempts to pass this requirement by disabling tests or modifying them such that +they are effectively disabled are strongly discouraged. They violate the review +goals by reducing maintainability (no new failures will be detected) and +possibly functionality (for scenarios outside of the current mindset). + +At their leisure, maintainers may suggest code changes make the test suite pass. +Doing so is never required, nor part of the minimum duties of a maintainer. + +### Reviewer Count + +Two passing reviews are required for code to be merged. + +Whenever possible, the number of reviewers should be limited, as each additional +reviewer presents an extra set of communication channels between the review and +themselves. + +- One reviewer has one channel between the committer and the reviewer +- Increasing to two, adds one channel to the the committer, and one to the + reviewers. +- Increasing to three, adds one channel to the committer, and two to the + reviewers. +- Increasing to four, adds one channel to the committer, and three to the + reviewers. + +The amount of possible communication grows such that +`commChannels(reviewers) = reviewers + reviewers(reviewers-1)/2` leads to an +`O(n^2)` number of channels. Thus, keeping reviewer count low is critical to +velocity. + +### Reviewer Consensus + +Reviewers should coordinate among themselves when differences of opinion arise +in a review. 
The first reviewer is likely to make a statement before being +aware of the difference of opinion; but, once a difference of opinion is known, +the reviewers should coordinate privately to find a unified presentation of the +desired features to communicate back to the committer. + +The committer has no role in the evaluation of options to determine the proper +path forward, including them only diminishes the efficiency of the process and +increases the stress they endure while they observe the discussion. Once a path +is agreed upon: + +- If the request to the committer was reversed, the reviewer making that stance + should present the new path. +- If the request to the committer was refined, the second reviewer should + present the refined path. + +If no path forward can be agreed upon, the proposed path that is closest to the +committer submission is the accepted path. This guideline exists to promote +cooperation among reviewers. Ideas of merit which don't become part of the +merge request should be submitted as new issues and reviewed independently. + +### Review Automation + +Reviewers have a commitment to continuous improvement of the review process. +Whenever a reviewer sees an opportunity to reduce the manpower involved in the +review process by automating a portion of the process, the reviewer should +create an issue and submit it as an improvement to the CI process. + +Improvements are subject to the same review process and the same review goals +as other committer offerings. Readability, search-ability, understanding, +maintenance, testing, and functionality are goals of the review process just as +they are of the product code. + +Lack of speed in the review process is viewed as a failure to make the process +maintainable, understandable, and functional. + +### Review Communication + +Reviewers are encouraged to have meaningful dialogues with contributors and +reviewers during a merge request. 
For these dialogues to be effective, the +purpose of each communication should be considered. Mixing purposes in +communication creates problems in understanding intent, retarding progress. +Scope your communications to move efforts forward. + +Avoid mixing the following communication scopes: + +- Status update +- Decision making +- Problem solving +- Team building +- Information sharing +- Brainstorming + +Combining these scopes reduce the effectiveness of the communication. Ideally +they should be done in different settings. Mixing a brainstorming session with +a decision making session disrupts the evaluation of pros and cons with new +options. Attempting to problem solve a technical issue during a status update +draws focus away from identifying the challenges of delivering the project, +replacing them with the challenges of solving a single problem in the project. + From 6d221263fbf2cd1d995e8d463f7897d1d97438b9 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Thu, 30 Mar 2023 14:08:59 +0200 Subject: [PATCH 06/55] Add Tornjak This reverts commit 3210dfe49dfabc96437d1fe60a1b9a5eedb2312b. Signed-off-by: Marco Franssen --- charts/spire/charts/spire-server/README.md | 10 +++- .../charts/spire-server/templates/NOTES.txt | 18 ++++++ .../spire-server/templates/_helpers.tpl | 32 +++++++++++ .../spire-server/templates/service.yaml | 33 +++++++++++ .../spire-server/templates/statefulset.yaml | 55 +++++++++++++++++++ .../tests/test-tornjak-connection.yaml | 27 +++++++++ .../templates/tornjak-config.yaml | 23 ++++++++ charts/spire/charts/spire-server/values.yaml | 23 ++++++++ 8 files changed, 220 insertions(+), 1 deletion(-) create mode 100644 charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml create mode 100644 charts/spire/charts/spire-server/templates/tornjak-config.yaml diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index efc2ba583..8428259b2 100644 
--- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -106,7 +106,15 @@ A Helm chart to install the SPIRE server. | telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spire-server | | tolerations | list | `[]` | | | topologySpreadConstraints | list | `[]` | | -| trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers | +| tornjak.config.backend.dataStore.driver | string | `"sqlite3"` | | +| tornjak.config.backend.dataStore.file | string | `"/run/spire/data/tornjak.sqlite3"` | | +| tornjak.config.frontend.apiServerURL | string | `"http://localhost:10000"` | | +| tornjak.enabled | bool | `false` | | +| tornjak.image.pullPolicy | string | `"IfNotPresent"` | | +| tornjak.image.registry | string | `"ghcr.io"` | | +| tornjak.image.repository | string | `"spiffe/tornjak"` | | +| tornjak.image.version | string | `"latest"` | | +| trustDomain | string | `"example.org"` | | | upstreamAuthority.certManager.enabled | bool | `false` | | | upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` | | | upstreamAuthority.certManager.issuer_kind | string | `"Issuer"` | | diff --git a/charts/spire/charts/spire-server/templates/NOTES.txt b/charts/spire/charts/spire-server/templates/NOTES.txt index b0137988f..7223e0f4b 100644 --- a/charts/spire/charts/spire-server/templates/NOTES.txt +++ b/charts/spire/charts/spire-server/templates/NOTES.txt 
@@ -4,3 +4,21 @@ Installed {{ .Chart.Name }}… kubectl exec -n {{ .Release.Namespace }} {{ include "spire-server.fullname" . }}-0 -c spire-server -- \ spire-server entry show + +{{- if eq (.Values.tornjak.enabled | toString) "true" }} + +### WARNING ### +This Tornjak is configured without authentication and it is intended for +testing only. Please do not use this version in production. + +Tornjak APIs (Backend): + kubectl -n {{ include "spire-server.namespace" . }} port-forward {{ include "spire-server.fullname" . }}-0 10000:10000 + +Tornjak UI (Frontend): + kubectl -n {{ include "spire-server.namespace" . }} port-forward {{ include "spire-server.fullname" . }}-0 3000:3000 + +Tornjak API access: {{ include "tornjak.apiURL" . }} +Tornjak UI access: {{ include "tornjak.frontendURL" . }} + +Installed {{ include "spire-tornjak.fullname" . }}… +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl index 3fcff92e5..d4ee16e52 100644 --- a/charts/spire/charts/spire-server/templates/_helpers.tpl +++ b/charts/spire/charts/spire-server/templates/_helpers.tpl 
@@ -153,3 +153,35 @@ Create the name of the service account to use {{- end }} {{- $config | toYaml }} {{- end }} + +{{/* +Tornjak specific section +*/}} + +{{- define "spire-tornjak.fullname" -}} +{{ include "spire-server.fullname" . | trimSuffix "-server" }}-tornjak +{{- end }} +{{- define "spire-tornjak.config" -}} +{{ include "spire-tornjak.fullname" . }}-config +{{- end }} +{{- define "spire-tornjak.frontend" -}} +{{ include "spire-tornjak.fullname" . }}-fe +{{- end }} +{{- define "spire-tornjak.backend" -}} +{{ include "spire-tornjak.fullname" . }}-be +{{- end }} + +{{/* +Create URL for accessing Tornjak Backend +*/}} +{{- define "tornjak.apiURL" -}} +{{- default .Values.tornjak.config.frontend.apiServerURL }} +{{- end }} + +{{/* +Create URL for accessing Tornjak Frontend +*/}} +{{- define "tornjak.frontendURL" -}} +{{- $feurl := print "http://localhost:3000" }} +{{- $feurl }} +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/service.yaml b/charts/spire/charts/spire-server/templates/service.yaml index 1e57a0707..a9fb827cb 100644 --- a/charts/spire/charts/spire-server/templates/service.yaml +++ b/charts/spire/charts/spire-server/templates/service.yaml 
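Review bot: `tornjak.apiURL` calls `default` with a single argument, so it returns `.Values.tornjak.config.frontend.apiServerURL` unchanged while reading as if a fallback existed; `{{- .Values.tornjak.config.frontend.apiServerURL }}` states the intent directly. `tornjak.frontendURL` likewise routes a constant through `print` and a local before emitting it; `{{- "http://localhost:3000" }}` is equivalent and shorter. A header comment on `spire-tornjak.fullname` noting that the server fullname's `-server` suffix is trimmed before `-tornjak` is appended would save the next reader a lookup.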
@@ -26,3 +26,36 @@ spec: {{- end }} selector: {{- include "spire-server.selectorLabels" . | nindent 4 }} + +{{- if eq (.Values.tornjak.enabled | toString) "true" }} +--- +apiVersion: v1 +kind: Service +metadata: + namespace: {{ include "spire-server.namespace" . }} + name: {{ include "spire-tornjak.frontend" . }} +spec: + type: {{ .Values.service.type }} # ClusterIP + selector: + {{- include "spire-server.selectorLabels" . | nindent 4 }} + ports: + - name: {{ include "spire-tornjak.frontend" . }} + port: 3000 + targetPort: 3000 + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + namespace: {{ include "spire-server.namespace" . }} + name: {{ include "spire-tornjak.backend" . }} +spec: + type: {{ .Values.service.type }} # ClusterIP + selector: + {{- include "spire-server.selectorLabels" . | nindent 4 }} + ports: + - name: {{ include "spire-tornjak.backend" . }} + port: 10000 + targetPort: 10000 + protocol: TCP +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index f9e6262e8..bea7d9edf 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -1,6 +1,7 @@ {{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }} {{- $configSum2 := (include (print $.Template.BasePath "/secret.yaml") . | sha256sum) }} {{- $configSum3 := (include (print $.Template.BasePath "/controller-manager-configmap.yaml") . | sha256sum) }} +{{- $configSumTornjak := (include (print $.Template.BasePath "/tornjak-config.yaml") . | sha256sum) }} {{- $fullname := include "spire-server.fullname" . }} apiVersion: apps/v1 kind: StatefulSet 
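Review bot: Both new Tornjak Services take `type: {{ .Values.service.type }}` from the spire-server Service, so switching the server to `NodePort` or `LoadBalancer` also publishes the Tornjak frontend (3000) and backend (10000), which the NOTES in this same commit describe as running without authentication; the trailing `# ClusterIP` comment reads as a fixed value when it is not. A dedicated `tornjak.service.type` defaulting to `ClusterIP` would decouple the two exposures, and the later patch in this series (Split Tornjak Frontend) appears to introduce such a key for the backend. Until then the comment should be dropped or reworded to `# follows the spire-server service type`.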
@@ -26,6 +27,7 @@ spec: checksum/config: {{ $configSum }} checksum/config2: {{ $configSum2 }} checksum/config3: {{ $configSum3 }} + checksum/configTornjak: {{ $configSumTornjak }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -155,6 +157,51 @@ spec: mountPath: /tmp readOnly: false {{- end }} + + {{- if eq (.Values.tornjak.enabled | toString) "true" }} + - name: tornjak + securityContext: + {{- toYaml .Values.controllerManager.securityContext | nindent 12 }} + image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tornjak.image) }} + imagePullPolicy: {{ .Values.tornjak.image.pullPolicy }} + startupProbe: + httpGet: + scheme: HTTP + port: 3000 + failureThreshold: 6 + initialDelaySeconds: 60 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + env: + {{- if .Values.tornjak.config.frontend }} + - name: REACT_APP_API_SERVER_URI + value: {{ include "tornjak.apiURL" . | required "Either .Values.tornjak.config.backend.ingress or .Values.tornjak.config.frontend.apiServerURL is required." }} + {{- end }} + args: + - -c + - /run/spire/config/server.conf + - -t + - /run/spire/tornjak-config/server.conf + ports: + - containerPort: 3000 + protocol: TCP + volumeMounts: + - name: {{ include "spire-tornjak.config" . }} + mountPath: /run/spire/tornjak-config + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: true + - name: spire-config + mountPath: /run/spire/config + readOnly: true + {{- if eq (.Values.dataStorage.enabled | toString) "true" }} + - name: spire-data + mountPath: /run/spire/data + readOnly: false + {{- end }} + {{- end }} + {{- if gt (len .Values.extraContainers) 0 }} {{- toYaml .Values.extraContainers | nindent 8 }} {{- end }} 
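Review bot: The new `tornjak` container borrows `.Values.controllerManager.securityContext`, so tightening or loosening the controller-manager's context silently changes a container that mounts the spire-server private socket; a dedicated value such as `.Values.tornjak.securityContext` (to be added to values.yaml) keeps the two independent. The `ports` list declares only `containerPort: 3000` while the Services added in this commit also target 10000 on the same pod; adding `- containerPort: 10000` keeps the spec consistent with what is exposed. The `required` message names `.Values.tornjak.config.backend.ingress`, which this commit's values.yaml does not define, so the error would steer users to a non-existent key; reword it to mention only `apiServerURL`. The `spire-data` mount is `readOnly: false` and shared with the server container, which the sqlite datastore needs but deserves a why-comment. The container block ends inside the hunk; the enclosing `containers:` list begins outside it.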
@@ -192,6 +239,14 @@ spec: configMap: name: {{ include "spire-controller-manager.fullname" . }} {{- end }} + {{- if eq (.Values.tornjak.enabled | toString) "true" }} + {{- if .Values.tornjak.config }} + - name: {{ include "spire-tornjak.config" . }} + configMap: + defaultMode: 420 + name: {{ include "spire-tornjak.config" . }} + {{- end }} + {{- end }} {{- if gt (len .Values.extraVolumes) 0 }} {{- toYaml .Values.extraVolumes | nindent 8 }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml new file mode 100644 index 000000000..9dd5ca70d --- /dev/null +++ b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml @@ -0,0 +1,27 @@ +{{- if eq (.Values.tornjak.enabled | toString) "true" }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "spire-tornjak.fullname" . }}-test-connection" + namespace: {{ include "spire-server.namespace" . }} + labels: + annotations: + "helm.sh/hook": test +spec: + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 4 }} + containers: + - name: wget-tornjak-backend + image: busybox + command: ['wget'] + args: ['--no-check-certificate', '-O', '/dev/null', 'http://{{ include "spire-tornjak.backend" . }}:10000/api/tornjak/serverinfo'] + securityContext: + {{- toYaml .Values.securityContext | nindent 8 }} + - name: wget-tornjak-frontend + image: busybox + command: ['wget'] + args: ['--no-check-certificate', '-O', '/dev/null', 'http://{{ include "spire-tornjak.frontend" . }}:3000'] + securityContext: + {{- toYaml .Values.securityContext | nindent 8 }} + restartPolicy: Never +{{- end }} \ No newline at end of file diff --git a/charts/spire/charts/spire-server/templates/tornjak-config.yaml b/charts/spire/charts/spire-server/templates/tornjak-config.yaml new file mode 100644 index 000000000..f1bd3cee5 --- /dev/null 
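Review bot: Both test containers use `image: busybox` with no tag, so the hook pulls whatever `latest` resolves to at test time; pin it to a tag or digest, e.g. `image: busybox:<tag>`. `--no-check-certificate` has no effect on the plain-http URLs being fetched and suggests TLS is involved when it is not; drop it. `labels:` with no value parses as null rather than an empty map and should be `labels: {}` or removed, and the file is missing its trailing newline (`\ No newline at end of file`).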
+++ b/charts/spire/charts/spire-server/templates/tornjak-config.yaml @@ -0,0 +1,23 @@ +{{- if eq (.Values.tornjak.enabled | toString) "true" }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "spire-tornjak.config" . }} + namespace: {{ include "spire-server.namespace" . }} +data: + server.conf: | + server { + metadata = "insert metadata" + } + + plugins { + {{- if .Values.tornjak.config.backend.dataStore }} + DataStore "sql" { + plugin_data { + drivername = "{{ .Values.tornjak.config.backend.dataStore.driver }}" + filename = "{{ .Values.tornjak.config.backend.dataStore.file }}" + } + } + {{- end }} + } + {{- end }} diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 2d31c5ce8..4a3267fc8 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -255,3 +255,26 @@ nodeAttestor: k8sPsat: enabled: true serviceAccountAllowList: [] + +# tornjak - Tornjak specific configuration +tornjak: + enabled: false + # image - Tornjak image (frontend + backend) if not separated above + image: # ghcr.io/spiffe/tornjak + registry: ghcr.io + repository: spiffe/tornjak + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + # TODO we should use a specific Tornjak version instead of 'latest' + version: "latest" + config: + # Front-end specific configuration: + frontend: + # apiServerURL - URL of the Tornjak back-end + apiServerURL: "http://localhost:10000" # 👈 Use it for minikube or kind + # Back-end specific configuration + backend: + # dataStore - persistent DB for storing Tornjak specific information + dataStore: + driver: "sqlite3" + file: "/run/spire/data/tornjak.sqlite3" From da186c5f5349cb6a4a1087b098d8be5bc281a61e Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Thu, 13 Apr 2023 14:57:15 -0400 Subject: [PATCH 07/55] Split Tornjak Frontend into separate subchart (#179) Signed-off-by: Mariusz Sabath 
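Review bot: `drivername` and `filename` are written into the HCL as `"{{ .Values... }}"`, so a value containing a double quote or backslash breaks the rendered config; `drivername = {{ .Values.tornjak.config.backend.dataStore.driver | quote }}` and the same for `file` produce correctly escaped literals. `metadata = "insert metadata"` ships a placeholder string in every rendered ConfigMap; either make it configurable or drop it, with a comment on why the field is present if it must stay. The closing `{{- end }}` sits indented inside the `server.conf: |` block scalar; the left-trim keeps the output clean, but placing it at column 0 like the opening `{{- if` makes the template structure obvious.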
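Review bot: `version: "latest"` makes the Tornjak image tag mutable, so two installs of the same chart version can run different code and the pod's `checksum/configTornjak` annotation gives no hint of that drift; the TODO above it already acknowledges this, and the next patch in the series pins `v1.0.2`, so the default should be a specific tag (or digest) from the start. The trailing `# 👈 Use it for minikube or kind` note would be clearer as a comment above the key, e.g. `# apiServerURL - URL of the Tornjak back-end; localhost works for port-forwarded minikube/kind setups`. The inline `image: # ghcr.io/spiffe/tornjak` comment could likewise move above the key for consistency with the other comments in this block.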
Signed-off-by: Marco Franssen Co-authored-by: Marco Franssen --- charts/spire/Chart.yaml | 4 + charts/spire/README.md | 2 + charts/spire/charts/spire-server/README.md | 15 ++- .../charts/spire-server/templates/NOTES.txt | 9 +- .../spire-server/templates/_helpers.tpl | 3 - .../spire-server/templates/service.yaml | 27 ++--- .../spire-server/templates/statefulset.yaml | 54 ++++----- .../tests/test-tornjak-connection.yaml | 17 +-- .../templates/tornjak-config.yaml | 6 +- charts/spire/charts/spire-server/values.yaml | 32 +++-- .../spire/charts/tornjak-frontend/Chart.yaml | 10 ++ .../spire/charts/tornjak-frontend/README.md | 64 ++++++++++ .../charts/tornjak-frontend/README.md.gotmpl | 47 ++++++++ .../tornjak-frontend/templates/NOTES.txt | 25 ++++ .../tornjak-frontend/templates/_helpers.tpl | 109 ++++++++++++++++++ .../templates/deployment.yaml | 46 ++++++++ .../tornjak-frontend/templates/service.yaml | 19 +++ .../templates/serviceaccount.yaml | 13 +++ .../tests/test-tornjak-connection.yaml | 21 ++++ .../spire/charts/tornjak-frontend/values.yaml | 47 ++++++++ charts/spire/values.yaml | 3 + 21 files changed, 478 insertions(+), 95 deletions(-) create mode 100644 charts/spire/charts/tornjak-frontend/Chart.yaml create mode 100644 charts/spire/charts/tornjak-frontend/README.md create mode 100644 charts/spire/charts/tornjak-frontend/README.md.gotmpl create mode 100644 charts/spire/charts/tornjak-frontend/templates/NOTES.txt create mode 100644 charts/spire/charts/tornjak-frontend/templates/_helpers.tpl create mode 100644 charts/spire/charts/tornjak-frontend/templates/deployment.yaml create mode 100644 charts/spire/charts/tornjak-frontend/templates/service.yaml create mode 100644 charts/spire/charts/tornjak-frontend/templates/serviceaccount.yaml create mode 100644 charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml create mode 100644 charts/spire/charts/tornjak-frontend/values.yaml 
diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 62af05f56..12af3d9c7 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -38,6 +38,10 @@ dependencies: condition: spiffe-oidc-discovery-provider.enabled repository: file://./charts/spiffe-oidc-discovery-provider version: 0.1.0 + - name: tornjak-frontend + condition: tornjak-frontend.enabled + repository: file://./charts/tornjak-frontend + version: 0.1.0 annotations: artifacthub.io/category: security artifacthub.io/license: Apache-2.0 diff --git a/charts/spire/README.md b/charts/spire/README.md index e77bf5c1b..7054fe553 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -104,6 +104,7 @@ Kubernetes: `>=1.21.0-0` | file://./charts/spiffe-oidc-discovery-provider | spiffe-oidc-discovery-provider | 0.1.0 | | file://./charts/spire-agent | spire-agent | 0.1.0 | | file://./charts/spire-server | spire-server | 0.1.0 | +| file://./charts/tornjak-frontend | tornjak-frontend | 0.1.0 | ## Values @@ -355,5 +356,6 @@ Kubernetes: `>=1.21.0-0` | spire-server.upstreamAuthority.disk.secret.create | bool | `true` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. | | spire-server.upstreamAuthority.disk.secret.data | object | `{"bundle":"","certificate":"","key":""}` | If secret creation is enabled, will create a secret with following certificate info | | spire-server.upstreamAuthority.disk.secret.name | string | `"spiffe-upstream-ca"` | If secret creation is disabled, the secret with this name will be used. | +| tornjak-frontend.enabled | bool | `false` | | ---------------------------------------------- diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 8428259b2..0eef5fb92 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -106,14 +106,13 @@ A Helm chart to install the SPIRE server. | telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spire-server | | tolerations | list | `[]` | | | topologySpreadConstraints | list | `[]` | | -| tornjak.config.backend.dataStore.driver | string | `"sqlite3"` | | -| tornjak.config.backend.dataStore.file | string | `"/run/spire/data/tornjak.sqlite3"` | | -| tornjak.config.frontend.apiServerURL | string | `"http://localhost:10000"` | | -| tornjak.enabled | bool | `false` | | -| tornjak.image.pullPolicy | string | `"IfNotPresent"` | | -| tornjak.image.registry | string | `"ghcr.io"` | | -| tornjak.image.repository | string | `"spiffe/tornjak"` | | -| tornjak.image.version | string | `"latest"` | | +| tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information | +| tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) | +| tornjak.image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"spiffe/tornjak-be","version":"v1.0.2"}` | Tornjak API image | +| tornjak.image.version | string | `"v1.0.2"` | Overrides the image tag whose default is the chart appVersion. | +| tornjak.service.annotations | object | `{}` | | +| tornjak.service.port | int | `10000` | | +| tornjak.service.type | string | `"ClusterIP"` | | | trustDomain | string | `"example.org"` | | | upstreamAuthority.certManager.enabled | bool | `false` | | | upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` | | diff --git a/charts/spire/charts/spire-server/templates/NOTES.txt b/charts/spire/charts/spire-server/templates/NOTES.txt index 7223e0f4b..580244e44 100644 --- a/charts/spire/charts/spire-server/templates/NOTES.txt +++ b/charts/spire/charts/spire-server/templates/NOTES.txt 
@@ -8,17 +8,14 @@ Installed {{ .Chart.Name }}… {{- if eq (.Values.tornjak.enabled | toString) "true" }} ### WARNING ### + This Tornjak is configured without authentication and it is intended for testing only. Please do not use this version in production. Tornjak APIs (Backend): - kubectl -n {{ include "spire-server.namespace" . }} port-forward {{ include "spire-server.fullname" . }}-0 10000:10000 - -Tornjak UI (Frontend): - kubectl -n {{ include "spire-server.namespace" . }} port-forward {{ include "spire-server.fullname" . }}-0 3000:3000 + kubectl -n {{ include "spire-server.namespace" . }} port-forward {{ include "spire-server.fullname" . }}-0 {{ .Values.tornjak.service.port }}:10000 -Tornjak API access: {{ include "tornjak.apiURL" . }} -Tornjak UI access: {{ include "tornjak.frontendURL" . }} +Open browser to: http://localhost:{{ .Values.tornjak.service.port }} Installed {{ include "spire-tornjak.fullname" . }}… {{- end }} diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl index d4ee16e52..864b9f767 100644 --- a/charts/spire/charts/spire-server/templates/_helpers.tpl +++ b/charts/spire/charts/spire-server/templates/_helpers.tpl @@ -164,9 +164,6 @@ Tornjak specific section {{- define "spire-tornjak.config" -}} {{ include "spire-tornjak.fullname" . }}-config {{- end }} -{{- define "spire-tornjak.frontend" -}} -{{ include "spire-tornjak.fullname" . }}-fe -{{- end }} {{- define "spire-tornjak.backend" -}} {{ include "spire-tornjak.fullname" . }}-be {{- end }} diff --git a/charts/spire/charts/spire-server/templates/service.yaml b/charts/spire/charts/spire-server/templates/service.yaml index a9fb827cb..bfa354abd 100644 --- a/charts/spire/charts/spire-server/templates/service.yaml +++ b/charts/spire/charts/spire-server/templates/service.yaml 
@@ -31,31 +31,22 @@ spec: --- apiVersion: v1 kind: Service -metadata: - namespace: {{ include "spire-server.namespace" . }} - name: {{ include "spire-tornjak.frontend" . }} -spec: - type: {{ .Values.service.type }} # ClusterIP - selector: - {{- include "spire-server.selectorLabels" . | nindent 4 }} - ports: - - name: {{ include "spire-tornjak.frontend" . }} - port: 3000 - targetPort: 3000 - protocol: TCP ---- -apiVersion: v1 -kind: Service metadata: namespace: {{ include "spire-server.namespace" . }} name: {{ include "spire-tornjak.backend" . }} + {{- with .Values.tornjak.service.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "spire-server.labels" . | nindent 4 }} spec: - type: {{ .Values.service.type }} # ClusterIP + type: {{ .Values.tornjak.service.type }} selector: {{- include "spire-server.selectorLabels" . | nindent 4 }} ports: - name: {{ include "spire-tornjak.backend" . }} - port: 10000 - targetPort: 10000 + port: {{ .Values.tornjak.service.port }} + targetPort: tornjak protocol: TCP {{- end }} diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index bea7d9edf..6e93b91fb 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml 
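Review bot: The new `annotations:` block under `metadata` in the Tornjak backend Service indents its content with `nindent 8` while the sibling `labels:` two lines below uses `nindent 4`; it renders valid YAML, but the two blocks end up at different depths for no reason, so `{{- toYaml . | nindent 4 }}` would match. The same `nindent 8` under a 2-space `annotations:` appears in the new tornjak-frontend `service.yaml` in this commit, while its `serviceaccount.yaml` already uses `nindent 4`. `targetPort: tornjak` correctly pairs with the `tornjak` container port named in statefulset.yaml.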
@@ -167,39 +167,35 @@ spec: startupProbe: httpGet: scheme: HTTP - port: 3000 - failureThreshold: 6 - initialDelaySeconds: 60 - periodSeconds: 30 + port: 10000 + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 10 successThreshold: 1 - timeoutSeconds: 10 - env: - {{- if .Values.tornjak.config.frontend }} - - name: REACT_APP_API_SERVER_URI - value: {{ include "tornjak.apiURL" . | required "Either .Values.tornjak.config.backend.ingress or .Values.tornjak.config.frontend.apiServerURL is required." }} - {{- end }} + timeoutSeconds: 5 args: - - -c - - /run/spire/config/server.conf - - -t - - /run/spire/tornjak-config/server.conf + - -c + - /run/spire/config/server.conf + - -t + - /run/spire/tornjak-config/server.conf ports: - - containerPort: 3000 - protocol: TCP + - name: tornjak + containerPort: 10000 + protocol: TCP volumeMounts: - - name: {{ include "spire-tornjak.config" . }} - mountPath: /run/spire/tornjak-config - - name: spire-server-socket - mountPath: /tmp/spire-server/private - readOnly: true - - name: spire-config - mountPath: /run/spire/config - readOnly: true - {{- if eq (.Values.dataStorage.enabled | toString) "true" }} - - name: spire-data - mountPath: /run/spire/data - readOnly: false - {{- end }} + - name: {{ include "spire-tornjak.config" . }} + mountPath: /run/spire/tornjak-config + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: true + - name: spire-config + mountPath: /run/spire/config + readOnly: true + {{- if eq (.Values.dataStorage.enabled | toString) "true" }} + - name: spire-data + mountPath: /run/spire/data + readOnly: false + {{- end }} {{- end }} {{- if gt (len .Values.extraContainers) 0 }} diff --git a/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml index 9dd5ca70d..a80410984 100644 --- a/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml 
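Review bot: The `startupProbe` on the tornjak container hard-codes `port: 10000` while the container port directly below is now named `tornjak` and the Service already targets it by name; `port: tornjak` keeps the number in one place. The probe is also tightened to `initialDelaySeconds: 5`, `failureThreshold: 3`, `periodSeconds: 10`, which gives the backend roughly 35s to answer an HTTP GET on `/` before the kubelet restarts it — presumably enough for tornjak-be, but worth confirming against the 60s/6×30s budget it replaces, since nothing in the hunk shows what `/` returns. The enclosing container list starts before this hunk.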
+++ b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml @@ -4,7 +4,8 @@ kind: Pod metadata: name: "{{ include "spire-tornjak.fullname" . }}-test-connection" namespace: {{ include "spire-server.namespace" . }} - labels: + labels: + {{- include "spire-server.labels" . | nindent 4 }} annotations: "helm.sh/hook": test spec: @@ -12,16 +13,10 @@ spec: {{- toYaml .Values.podSecurityContext | nindent 4 }} containers: - name: wget-tornjak-backend - image: busybox - command: ['wget'] - args: ['--no-check-certificate', '-O', '/dev/null', 'http://{{ include "spire-tornjak.backend" . }}:10000/api/tornjak/serverinfo'] - securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} - - name: wget-tornjak-frontend - image: busybox - command: ['wget'] - args: ['--no-check-certificate', '-O', '/dev/null', 'http://{{ include "spire-tornjak.frontend" . }}:3000'] + image: cgr.dev/chainguard/bash:latest + command: ['curl'] + args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.backend" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.port }}'] securityContext: {{- toYaml .Values.securityContext | nindent 8 }} restartPolicy: Never -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/spire/charts/spire-server/templates/tornjak-config.yaml b/charts/spire/charts/spire-server/templates/tornjak-config.yaml index f1bd3cee5..54103569e 100644 --- a/charts/spire/charts/spire-server/templates/tornjak-config.yaml +++ b/charts/spire/charts/spire-server/templates/tornjak-config.yaml 
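Review bot: The test container now pulls `cgr.dev/chainguard/bash:latest`, an unpinned mutable tag, so the test's behaviour — including whether `curl` is present in that image at all — can change underneath CI without any change to this chart; pin a tag or digest, e.g. `image: cgr.dev/chainguard/bash:<PINNED-TAG>`. The `-k` flag disables certificate verification, but the URL is plain `http://`, so it does nothing here and reads as if TLS were involved; `args: ['-s', '-f', 'http://…']` is clearer. The new tornjak-frontend test pod added later in this commit uses the same image and flags and has the same two issues.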
@@ -11,11 +11,11 @@ data: } plugins { - {{- if .Values.tornjak.config.backend.dataStore }} + {{- if .Values.tornjak.config.dataStore }} DataStore "sql" { plugin_data { - drivername = "{{ .Values.tornjak.config.backend.dataStore.driver }}" - filename = "{{ .Values.tornjak.config.backend.dataStore.file }}" + drivername = "{{ .Values.tornjak.config.dataStore.driver }}" + filename = "{{ .Values.tornjak.config.dataStore.file }}" } } {{- end }} diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 4a3267fc8..2ff322bc4 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -12,7 +12,7 @@ image: repository: spiffe/spire-server # -- The image pull policy pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. + # -- Overrides the image tag whose default is the chart appVersion. version: "" imagePullSecrets: [] 
@@ -258,23 +258,21 @@ nodeAttestor: # tornjak - Tornjak specific configuration tornjak: + # -- Deploys Tornjak API (backend) enabled: false - # image - Tornjak image (frontend + backend) if not separated above - image: # ghcr.io/spiffe/tornjak + # -- Tornjak API image + image: registry: ghcr.io - repository: spiffe/tornjak + repository: spiffe/tornjak-be pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - # TODO we should use a specific Tornjak version instead of 'latest' - version: "latest" + # -- Overrides the image tag whose default is the chart appVersion. + version: "v1.0.2" + service: + type: ClusterIP + port: 10000 + annotations: {} config: - # Front-end specific configuration: - frontend: - # apiServerURL - URL of the Tornjak back-end - apiServerURL: "http://localhost:10000" # 👈 Use it for minikube or kind - # Back-end specific configuration - backend: - # dataStore - persistent DB for storing Tornjak specific information - dataStore: - driver: "sqlite3" - file: "/run/spire/data/tornjak.sqlite3" + # -- persistent DB for storing Tornjak specific information + dataStore: + driver: "sqlite3" + file: "/run/spire/data/tornjak.sqlite3" diff --git a/charts/spire/charts/tornjak-frontend/Chart.yaml b/charts/spire/charts/tornjak-frontend/Chart.yaml new file mode 100644 index 000000000..790d5c8b1 --- /dev/null +++ b/charts/spire/charts/tornjak-frontend/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +name: tornjak-frontend +description: A Helm chart to deploy Tornjak frontend +type: application +version: 0.1.0 +appVersion: "v1.0.2" +maintainers: + - name: mrsabath + email: mrsabath@gmail.com + url: https://mrsabath.github.io diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md new file mode 100644 index 000000000..126d2dea8 --- /dev/null +++ b/charts/spire/charts/tornjak-frontend/README.md 
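Review bot: The new comment on `tornjak.image.version` says the tag defaults to the chart appVersion, but this is the spire-server chart, whose appVersion presumably tracks SPIRE rather than Tornjak, and the image helper call in statefulset.yaml passes `$.Chart.AppVersion` as the fallback; a user who clears the value as the comment invites would get `spiffe/tornjak-be:<SPIRE version>`. Reword to something like `# -- Tornjak API image tag. Set explicitly: this chart's appVersion tracks SPIRE, not Tornjak.`. Since the NOTES in this commit warn that the API runs without authentication, the new `service.type` key also deserves a one-line comment that anything other than `ClusterIP` exposes that API beyond the cluster. Pinning `"v1.0.2"` instead of `latest` is otherwise the right move.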
@@ -0,0 +1,64 @@ +# tornjak-frontend + + + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.2](https://img.shields.io/badge/AppVersion-v1.0.2-informational?style=flat-square) +[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) + +A Helm chart to deploy Tornjak frontend + +## Version support + +> **Note**: This Chart is still in development and still subject to change the API (`values.yaml`). +> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although +> we do aim for as much stability as possible. + +| Dependency | Supported Versions | +|:-----------|:-------------------| +| SPIRE | `1.5.3+`, `1.6.x` | +| Tornjak | `1.0.x` | +| Helm | `3.x` | + +## Prerequisites + +This chart requires access to Tornjak Backend (`tornjakFrontend.apiServerURL`). +This URL needs to be reachable from your webbrowser and can therefore not be a cluster internal URL. + +Obtain the URL for Tornjak APIs. If deployed in the same cluster, locally, +Tornjak APIs are typically available at `http://localhost:10000`. +Review Tornjak documentation for more details. + +## Usage + +Since this is just a demo version, to access Tornjak APIs you can use +port forwarding. See the chart NOTES output for more details. + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| mrsabath | | | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| apiServerURL | string | `"http://localhost:10000/"` | URL of the Tornjak APIs (backend) Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. 
| +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.registry | string | `"ghcr.io"` | | +| image.repository | string | `"spiffe/tornjak-fe"` | | +| image.version | string | `""` | Overrides the image tag whose default is the chart appVersion. | +| imagePullSecrets | list | `[]` | | +| labels | object | `{}` | | +| nameOverride | string | `""` | | +| namespaceOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| securityContext | object | `{}` | | +| service.annotations | object | `{}` | | +| service.port | int | `3000` | | +| service.type | string | `"ClusterIP"` | | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | +---------------------------------------------- diff --git a/charts/spire/charts/tornjak-frontend/README.md.gotmpl b/charts/spire/charts/tornjak-frontend/README.md.gotmpl new file mode 100644 index 000000000..eaf51ce4b --- /dev/null +++ b/charts/spire/charts/tornjak-frontend/README.md.gotmpl 
@@ -0,0 +1,47 @@ +{{ template "chart.header" . }} + + + +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.badgesSection" . }} +[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) + +{{ template "chart.description" . }} + +{{ template "chart.homepageLine" . }} + +## Version support + +> **Note**: This Chart is still in development and still subject to change the API (`values.yaml`). +> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although +> we do aim for as much stability as possible. + +| Dependency | Supported Versions | +|:-----------|:-------------------| +| SPIRE | `1.5.3+`, `1.6.x` | +| Tornjak | `1.0.x` | +| Helm | `3.x` | + +## Prerequisites + +This chart requires access to Tornjak Backend (`tornjakFrontend.apiServerURL`). +This URL needs to be reachable from your webbrowser and can therefore not be a cluster internal URL. + +Obtain the URL for Tornjak APIs. If deployed in the same cluster, locally, +Tornjak APIs are typically available at `http://localhost:10000`. +Review Tornjak documentation for more details. + +## Usage + +Since this is just a demo version, to access Tornjak APIs you can use +port forwarding. See the chart NOTES output for more details. + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} +---------------------------------------------- diff --git a/charts/spire/charts/tornjak-frontend/templates/NOTES.txt b/charts/spire/charts/tornjak-frontend/templates/NOTES.txt new file mode 100644 index 000000000..50d8fe49d --- /dev/null +++ b/charts/spire/charts/tornjak-frontend/templates/NOTES.txt 
@@ -0,0 +1,25 @@ +Installed {{ .Chart.Name }}… + +Name: {{ include "tornjak-frontend.name" . }} +Fullname: {{ include "tornjak-frontend.fullname" . }} +Your release is named: {{ .Release.Name }} +Namespace: {{ include "tornjak-frontend.namespace" . }} + +Tornjak UI (Frontend) + image: {{ template "tornjak-frontend.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image) }} + pull policy: {{ .Values.image.pullPolicy }} +Configured with Tornjak API (Backend): {{ include "tornjak-frontend.apiURL" . }} + +### WARNING ### +This Tornjak is configured without authentication and it is intended for +testing only. Please do not use this version in production. + +You can use port forwarding to access UI: + kubectl -n {{ include "tornjak-frontend.namespace" . }} port-forward service/{{ include "tornjak-frontend.fullname" . }} {{ .Values.service.port }}:3000 + +Open browser to: http://localhost:{{ .Values.service.port }} + +To learn more about the release, try: + + $ helm status {{ .Release.Name }} + $ helm get all {{ .Release.Name }} diff --git a/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl b/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl new file mode 100644 index 000000000..77f7c1239 --- /dev/null +++ b/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl 
@@ -0,0 +1,109 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "tornjak-frontend.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "tornjak-frontend.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "tornjak-frontend.namespace" -}} + {{- if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "tornjak-frontend.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{- define "tornjak-frontend.cluster-domain" -}} +{{- if ne (len (dig "k8s" "clusterDomain" "" .Values.global)) 0 }} +{{- .Values.global.k8s.clusterDomain }} +{{- else }} +{{- .Values.clusterDomain }} +{{- end }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "tornjak-frontend.labels" -}} +helm.sh/chart: {{ include "tornjak-frontend.chart" . }} +{{ include "tornjak-frontend.selectorLabels" . 
}} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "tornjak-frontend.selectorLabels" -}} +app.kubernetes.io/name: {{ include "tornjak-frontend.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "tornjak-frontend.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "tornjak-frontend.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Create an image name +*/}} +{{- define "tornjak-frontend.image" -}} +{{- if eq (substr 0 7 .image.version) "sha256:" -}} +{{- printf "%s/%s@%s" .image.registry .image.repository .image.version -}} +{{- else if .appVersion -}} +{{- printf "%s/%s:%s" .image.registry .image.repository (default .appVersion .image.version) -}} +{{- else if + .Values.tornjakFrontend.image.version -}} +{{- printf "%s/%s:%s" .Values.tornjakFrontend.image.registry .Values.tornjakFrontend.image.repository .Values.tornjakFrontend.image.version -}} +{{- else -}} +{{- printf "%s/%s" .Values.tornjakFrontend.image.registry .Values.tornjakFrontend.image.repository -}} +{{- end -}} +{{- end }} + +{{/* +Create URL for accessing Tornjak APIs +*/}} +{{- define "tornjak-frontend.apiURL" -}} +{{- if .Values.apiServerURL -}} +{{- .Values.apiServerURL -}} +{{- else }} +{{- $feurl := print "http://localhost:" .Values.service.port }} +{{- $feurl }} +{{- end }} +{{- end }} diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml new file mode 100644 index 000000000..e383594ef --- /dev/null +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml 
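Review bot: The fallback in `tornjak-frontend.apiURL` builds `http://localhost:` + `.Values.service.port`, which is the frontend's own Service port (3000 by default), not the backend API port, so an empty `apiServerURL` points the UI at itself; given the README documents the API at `http://localhost:10000`, either fail fast with `{{- required "apiServerURL is required" .Values.apiServerURL -}}` or derive the fallback from a dedicated backend-port value. Separately, `tornjak-frontend.cluster-domain` falls through to `.Values.clusterDomain`, which this commit's new tornjak-frontend values.yaml does not define, so with `global.k8s.clusterDomain` unset the test pod URL renders as `…svc.:3000`; add `clusterDomain: cluster.local` to that values.yaml. The later branches of `tornjak-frontend.image` reference `.Values.tornjakFrontend`, which is not in the dict its callers pass; they are unreachable while `appVersion` is always supplied, but they will fail loudly the moment that changes.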
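@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "tornjak-frontend.fullname" . }}
+ namespace: {{ include "tornjak-frontend.namespace" . }}
+ labels:
+ {{- include "tornjak-frontend.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "tornjak-frontend.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "tornjak-frontend.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "tornjak-frontend.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ include "tornjak-frontend.fullname" . }}
+ image: {{ template "tornjak-frontend.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image) }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ ports:
+ - name: http
+ containerPort: 3000
+ protocol: TCP
+ env:
+ - name: REACT_APP_API_SERVER_URI
+ value: {{ include "tornjak-frontend.apiURL" . }}
+ startupProbe:
+ httpGet:
+ scheme: HTTP
+ port: {{ .Values.service.port }}
+ failureThreshold: 6
+ initialDelaySeconds: 60
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 10
diff --git a/charts/spire/charts/tornjak-frontend/templates/service.yaml b/charts/spire/charts/tornjak-frontend/templates/service.yaml new file mode 100644
index 000000000..5a49fca3f
--- /dev/null
+++ b/charts/spire/charts/tornjak-frontend/templates/service.yaml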
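Review bot: The `startupProbe` uses `port: {{ .Values.service.port }}`, which is the Service port, while the container listens on the fixed `containerPort: 3000` named `http`; the defaults coincide, but anyone setting `service.port: 80` gets a probe that never succeeds and a Deployment that never becomes ready. Use `port: http` so the probe follows the container port, as the Service's `targetPort: http` already does. `replicas: 1` is hard-coded and no `resources` are set; if that is intentional for a demo chart, a values comment saying so would save the question.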
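@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: {{ include "tornjak-frontend.namespace" . }}
+ name: {{ include "tornjak-frontend.fullname" . }}
+ {{- with .Values.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "tornjak-frontend.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ selector:
+ {{- include "tornjak-frontend.selectorLabels" . | nindent 4 }}
+ ports:
+ - name: {{ include "tornjak-frontend.fullname" . }}
+ port: {{ .Values.service.port }}
+ targetPort: http
diff --git a/charts/spire/charts/tornjak-frontend/templates/serviceaccount.yaml b/charts/spire/charts/tornjak-frontend/templates/serviceaccount.yaml new file mode 100644
index 000000000..15640ac0d
--- /dev/null
+++ b/charts/spire/charts/tornjak-frontend/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "tornjak-frontend.serviceAccountName" . }}
+ namespace: {{ include "tornjak-frontend.namespace" . }}
+ labels:
+ {{- include "tornjak-frontend.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml new file mode 100644
index 000000000..af4aea49a
--- /dev/null
+++ b/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml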
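Review bot: The ServiceAccount is created with the default token automount, and nothing in this chart's templates gives the frontend a reason to talk to the Kubernetes API — it serves a browser UI that reaches Tornjak through `apiServerURL`. Adding `automountServiceAccountToken: false` to this ServiceAccount (or to the pod spec in deployment.yaml) keeps a projected API token out of a container the NOTES describe as running without authentication. If the frontend does need the token, a comment here saying why would be useful.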
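@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "tornjak-frontend.fullname" . }}-test-connection"
+ namespace: {{ include "tornjak-frontend.namespace" . }}
+ labels:
+ {{- include "tornjak-frontend.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 4 }}
+ containers:
+ - name: curl-tornjak-frontend
+ image: cgr.dev/chainguard/bash:latest
+ command: ['curl']
+ args: ['-k', '-s', '-f', 'http://{{ include "tornjak-frontend.fullname" . }}.{{ include "tornjak-frontend.namespace" . }}.svc.{{ include "tornjak-frontend.cluster-domain" . }}:{{ .Values.service.port }}']
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 8 }}
+ restartPolicy: Never
+
diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml new file mode 100644
index 000000000..a27ef485c
--- /dev/null
+++ b/charts/spire/charts/tornjak-frontend/values.yaml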
@@ -0,0 +1,47 @@ +# Default values for Tornjak UI (Frontend). +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +image: + registry: ghcr.io + repository: spiffe/tornjak-fe + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion. + version: "" + +imagePullSecrets: [] +nameOverride: "" +namespaceOverride: "" +fullnameOverride: "" + +serviceAccount: + # -- Specifies whether a service account should be created + create: true + # -- Annotations to add to the service account + annotations: {} + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +labels: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 3000 + annotations: {} + +# -- URL of the Tornjak APIs (backend) +# Since Tornjak Frontend runs in the browser, this URL must be accessible from +# the machine running a browser. +apiServerURL: "http://localhost:10000/" # 👈 Use it for minikube or kind diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 76ca44537..3f0a7a434 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -41,3 +41,6 @@ spiffe-csi-driver: spiffe-oidc-discovery-provider: enabled: false + +tornjak-frontend: + enabled: false From bdba97b62902ac1592a5a863ce93f7ef560e5d5e Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 18 Apr 2023 22:19:09 -0400 Subject: [PATCH 08/55] Add empty directory to Tornjak to support npm cache (#224) Resolves issue #223 Signed-off-by: Mariusz Sabath --- .../spire/charts/tornjak-frontend/templates/deployment.yaml | 6 ++++++ 1 file changed, 6 insertions(+) 
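Review bot: `labels: {}` is declared in the new values.yaml but none of the templates in this commit read `.Values.labels` — `tornjak-frontend.labels` only emits the chart and selector labels — so anything a user puts there is silently ignored; either wire it into the labels helper or drop the key. `podSecurityContext: {}` and `securityContext: {}` leave the pod unhardened by default, which is understandable for a demo chart, but a comment such as `# -- Empty by default; production deployments are expected to set runAsNonRoot, drop ALL capabilities, etc.` would set expectations for users who do not read the examples.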
diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index e383594ef..eb2fe4dcf 100644 --- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml @@ -44,3 +44,9 @@ spec: periodSeconds: 30 successThreshold: 1 timeoutSeconds: 10 + volumeMounts: + - name: cache + mountPath: /usr/src/app/node_modules/.cache + volumes: + - name: cache + emptyDir: {} From 5e827ee45e0a29ec0d8181190ee92f31d044ff99 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Fri, 21 Apr 2023 11:45:39 -0400 Subject: [PATCH 09/55] Add Tornjak Tests (#220) Signed-off-by: Mariusz Sabath Signed-off-by: Marco Franssen Signed-off-by: kfox1111 Co-authored-by: Marco Franssen Co-authored-by: kfox1111 --- .github/tests/tornjak/install.sh | 13 +++++ .github/tests/tornjak/post-install.sh | 54 +++++++++++++++++++ .github/tests/tornjak/pre-install.sh | 6 +++ .../spire/charts/tornjak-frontend/Chart.yaml | 4 ++ .../spire/charts/tornjak-frontend/README.md | 6 +++ examples/production/values.yaml | 15 ++++++ examples/tornjak/README.md | 19 +++++++ examples/tornjak/values.yaml | 10 ++++ 8 files changed, 127 insertions(+) create mode 100755 .github/tests/tornjak/install.sh create mode 100755 .github/tests/tornjak/post-install.sh create mode 100755 .github/tests/tornjak/pre-install.sh create mode 100644 examples/tornjak/README.md create mode 100644 examples/tornjak/values.yaml diff --git a/.github/tests/tornjak/install.sh b/.github/tests/tornjak/install.sh new file mode 100755 index 000000000..bfb0139b0 --- /dev/null +++ b/.github/tests/tornjak/install.sh 
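Review bot: The new `cache` volume is `emptyDir: {}` with no `sizeLimit`, so the npm cache can grow until it exhausts the node's ephemeral storage instead of the pod being evicted at a known bound; `emptyDir: { sizeLimit: <LIMIT> }` caps it. The mount also implies the container's only write location is `/usr/src/app/node_modules/.cache`; if that holds, this is what makes a read-only root filesystem feasible for the frontend, and a short comment on the volume saying so would help whoever next looks at the security context.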
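@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT=$(readlink -f "$0")
+SCRIPTPATH=$(dirname "$SCRIPT")
+
+helm install \
+ --namespace spire-server \
+ --values "${SCRIPTPATH}/../../../examples/production/values.yaml" \
+ --values "${SCRIPTPATH}/../../../examples/tornjak/values.yaml" \
+ spire charts/spire --wait
+helm test spire -n spire-server
diff --git a/.github/tests/tornjak/post-install.sh b/.github/tests/tornjak/post-install.sh new file mode 100755
index 000000000..50b34af07
--- /dev/null
+++ b/.github/tests/tornjak/post-install.sh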
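Review bot: `install.sh` runs with `set -x` only, so a failed `helm install` does not stop the script and `helm test` still runs against a half-installed release, with the job status decided by whichever command runs last; `set -euxo pipefail` makes the install failure the reported error. The same applies to `pre-install.sh` in this commit, where a failed `kubectl create namespace` is silently followed by the label commands. Note also that `charts/spire` is resolved relative to the current directory while the values files go through `SCRIPTPATH`, so the script only works from the repository root — `"${SCRIPTPATH}/../../../charts/spire"` would make it location-independent.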
@@ -0,0 +1,54 @@ +#!/usr/bin/env bash + +set -x + +SCRIPT=$(readlink -f "$0") +SCRIPTPATH=$(dirname "$SCRIPT") + +k_wait=(kubectl wait --for condition=available --timeout 30s --namespace) +k_rollout_status=(kubectl rollout status --watch --timeout 30s --namespace) + +function get_namespace_details { +cat <>"$GITHUB_STEP_SUMMARY" +### Namespace $1 + +#### Events + +\`\`\`shell +$(kubectl --request-timeout=30s get events --output wide --namespace "$1") +\`\`\` + +#### Pods + +\`\`\`shell +$(kubectl --request-timeout=30s describe pods --namespace "$1") +\`\`\` + +#### Logs + +\`\`\`shell +$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --all-containers=true --ignore-errors=true; done) +\`\`\` + +EOF +} + +cat <>"$GITHUB_STEP_SUMMARY" +### spire + +| workload | Status | +| ------------------------------------ | ------ | +| spire-server | "$("${k_rollout_status[@]}" spire-server statefulset spire-server)" | +| spire-controller-manager | "$("${k_rollout_status[@]}" spire-server statefulset spire-controller-manager)" | +| spire-spiffe-oidc-discovery-provider | "$("${k_wait[@]}" spire-server deployments.apps spire-spiffe-oidc-discovery-provider)" | +| spire-spiffe-csi-driver | "$("${k_rollout_status[@]}" spire-system daemonset spire-spiffe-csi-driver)" | +| spire-agent | "$("${k_rollout_status[@]}" spire-system daemonset spire-agent)" | +| tornjak-frontend | "$("${k_wait[@]}" spire-server deployments.apps spire-tornjak-frontend)" | +EOF + +kubectl -n spire-server get service spire-tornjak-frontend + +if [ $1 -ne 0 ]; then + get_namespace_details spire-server + get_namespace_details spire-system +fi diff --git a/.github/tests/tornjak/pre-install.sh b/.github/tests/tornjak/pre-install.sh new file mode 100755 index 000000000..b33d1edbc --- /dev/null +++ b/.github/tests/tornjak/pre-install.sh 
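Review bot: `if [ $1 -ne 0 ]` near the end dereferences the first positional argument unquoted and without a default, so running the script with no argument produces a `unary operator expected` error instead of a decision about collecting diagnostics; `if [ "${1:-0}" -ne 0 ]; then` handles both cases. The `cat` lines appear in this rendering as `cat <>"$GITHUB_STEP_SUMMARY"`, which is not valid shell, so I am assuming the heredoc delimiter (`cat <<EOF >>"$GITHUB_STEP_SUMMARY"`) was lost in extraction rather than absent from the file. `get_namespace_details` writes every event, pod description and container log in the namespace into the step summary, which is the right call for failure triage but means anything the containers log becomes part of the public job output.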
@@ -0,0 +1,6 @@ +#!/usr/bin/env bash + +kubectl create namespace spire-system +kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged +kubectl create namespace spire-server +kubectl label namespace spire-server pod-security.kubernetes.io/enforce=restricted diff --git a/charts/spire/charts/tornjak-frontend/Chart.yaml b/charts/spire/charts/tornjak-frontend/Chart.yaml index 790d5c8b1..9b77c939b 100644 --- a/charts/spire/charts/tornjak-frontend/Chart.yaml +++ b/charts/spire/charts/tornjak-frontend/Chart.yaml @@ -4,6 +4,10 @@ description: A Helm chart to deploy Tornjak frontend type: application version: 0.1.0 appVersion: "v1.0.2" +home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +sources: + - https://github.com/spiffe/tornjak +icon: https://raw.githubusercontent.com/spiffe/tornjak/main/logos/logo%2Btornjak.2132x1291.png maintainers: - name: mrsabath email: mrsabath@gmail.com diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 126d2dea8..c5255c110 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -7,6 +7,8 @@ A Helm chart to deploy Tornjak frontend +**Homepage:** + ## Version support > **Note**: This Chart is still in development and still subject to change the API (`values.yaml`). @@ -39,6 +41,10 @@ port forwarding. See the chart NOTES output for more details. | ---- | ------ | --- | | mrsabath | | | +## Source Code + +* + ## Values | Key | Type | Default | Description | diff --git a/examples/production/values.yaml b/examples/production/values.yaml index d81d285ce..fcbb883b5 100644 --- a/examples/production/values.yaml +++ b/examples/production/values.yaml 
@@ -77,3 +77,18 @@ spiffe-oidc-discovery-provider:
 drop: [ALL]
 seccompProfile:
 type: RuntimeDefault
+
+tornjak-frontend:
+ podSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ fsGroupChangePolicy: OnRootMismatch
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ readOnlyRootFilesystem: false
+ capabilities:
+ drop: [ALL]
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/examples/tornjak/README.md b/examples/tornjak/README.md
new file mode 100644
index 000000000..0863b0573
--- /dev/null
+++ b/examples/tornjak/README.md
@@ -0,0 +1,19 @@
+# Recommended setup to deploy Tornjak
+
+To install Spire with the least privileges possible we deploy spire across 2 namespaces.
+
+\`\`\`shell
+kubectl create namespace "spire-system"
+kubectl label namespace "spire-system" pod-security.kubernetes.io/enforce=privileged
+kubectl create namespace "spire-server"
+kubectl label namespace "spire-server" pod-security.kubernetes.io/enforce=restricted
+
+# deploy SPIRE with Tornjak enabled
+helm upgrade --install --namespace spire-server --values ../production/values.yaml \
+ --values ./values.yaml spire charts/spire
+
+# test the Tornjak deployment
+helm test spire -n spire-server
+\`\`\`
+
+See [values.yaml](./values.yaml) for more details on the chart configurations to achieve this setup.
diff --git a/examples/tornjak/values.yaml b/examples/tornjak/values.yaml
new file mode 100644
index 000000000..c4ff6f24a
--- /dev/null
+++ b/examples/tornjak/values.yaml
@@ -0,0 +1,10 @@
+spire-server:
+ tornjak:
+ enabled: true
+
+tornjak-frontend:
+ enabled: true
+ service:
+ type: ClusterIP
+ port: 3000
+ apiServerURL: "http://localhost:10000/"
From 1675997748f0c2d45bae3568f33dc9c9192e6f80 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Fri, 21 Apr 2023 11:14:39 -0700 Subject: [PATCH 10/55] Tornjak global image fix (#228) This pr updates the Tornjak branch to work with the merged global registry configuration support. Signed-off-by: Mariusz Sabath
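Review bot: the new `tornjak-frontend.securityContext` block in the *production* example explicitly sets `readOnlyRootFilesystem: false` while otherwise mirroring the hardened profile used for `spiffe-oidc-discovery-provider` just above (all capabilities dropped, RuntimeDefault seccomp), and nothing in the file records why the frontend needs a writable root. The frontend deployment in this series already mounts a `cache` volume at `/usr/src/app/node_modules/.cache`, which suggests the writable path is known; if that volume covers the writes, `readOnlyRootFilesystem: true` should be the production default, otherwise leave a comment next to the key, e.g. `# Tornjak frontend writes outside the cache mount at startup; root fs must stay writable (confirm against image)`.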
Signed-off-by: kfox1111 --- .../spire-server/templates/statefulset.yaml | 2 +- .../charts/tornjak-frontend/templates/NOTES.txt | 2 +- .../tornjak-frontend/templates/_helpers.tpl | 16 ---------------- .../tornjak-frontend/templates/deployment.yaml | 2 +- 4 files changed, 3 insertions(+), 19 deletions(-) diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index 6e93b91fb..3a1322bc6 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -162,7 +162,7 @@ spec: - name: tornjak securityContext: {{- toYaml .Values.controllerManager.securityContext | nindent 12 }} - image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tornjak.image) }} + image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tornjak.image "global" .Values.global) }} imagePullPolicy: {{ .Values.tornjak.image.pullPolicy }} startupProbe: httpGet: diff --git a/charts/spire/charts/tornjak-frontend/templates/NOTES.txt b/charts/spire/charts/tornjak-frontend/templates/NOTES.txt index 50d8fe49d..ea06ed1ad 100644 --- a/charts/spire/charts/tornjak-frontend/templates/NOTES.txt +++ b/charts/spire/charts/tornjak-frontend/templates/NOTES.txt @@ -6,7 +6,7 @@ Your release is named: {{ .Release.Name }} Namespace: {{ include "tornjak-frontend.namespace" . }} Tornjak UI (Frontend) - image: {{ template "tornjak-frontend.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image) }} + image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }} pull policy: {{ .Values.image.pullPolicy }} Configured with Tornjak API (Backend): {{ include "tornjak-frontend.apiURL" . }} 
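Review bot: the `tornjak` container in the spire-server statefulset takes its `securityContext` from `.Values.controllerManager.securityContext` (the context line directly above the changed `image:` line), so Tornjak cannot be tightened or loosened independently, and anyone relaxing the controller manager's settings silently relaxes the Tornjak backend as well. A dedicated `tornjak.securityContext` value, defaulting to the same hardened settings, would be consistent with `tornjak.image` and `tornjak.service` already being split out; until then a comment such as `# reuses controllerManager.securityContext; no tornjak-specific override yet` on that line makes the coupling visible. The container spec continues outside the hunk.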
diff --git a/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl b/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl index 77f7c1239..1ad456776 100644 --- a/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl +++ b/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl @@ -80,22 +80,6 @@ Create the name of the service account to use {{- end }} {{- end }} -{{/* -Create an image name -*/}} -{{- define "tornjak-frontend.image" -}} -{{- if eq (substr 0 7 .image.version) "sha256:" -}} -{{- printf "%s/%s@%s" .image.registry .image.repository .image.version -}} -{{- else if .appVersion -}} -{{- printf "%s/%s:%s" .image.registry .image.repository (default .appVersion .image.version) -}} -{{- else if - .Values.tornjakFrontend.image.version -}} -{{- printf "%s/%s:%s" .Values.tornjakFrontend.image.registry .Values.tornjakFrontend.image.repository .Values.tornjakFrontend.image.version -}} -{{- else -}} -{{- printf "%s/%s" .Values.tornjakFrontend.image.registry .Values.tornjakFrontend.image.repository -}} -{{- end -}} -{{- end }} - {{/* Create URL for accessing Tornjak APIs */}} diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index eb2fe4dcf..116b9a1d0 100644 --- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml @@ -24,7 +24,7 @@ spec: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: {{ include "tornjak-frontend.fullname" . }} - image: {{ template "tornjak-frontend.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image) }} + image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }} imagePullPolicy: {{ .Values.image.pullPolicy }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} From 91bdea2a1db8c8ec6239b9cbc1d13d1a23c95ab7 Mon Sep 17 00:00:00 2001 
From: Mariusz Sabath Date: Mon, 24 Apr 2023 14:17:47 -0400 Subject: [PATCH 11/55] Provide minimal resources to prevent accidental crashes due to resource exhaustion Signed-off-by: Mariusz Sabath --- charts/spire/charts/tornjak-frontend/values.yaml | 9 +++++++++ examples/tornjak/values.yaml | 7 +++++++ 2 files changed, 16 insertions(+) diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index a27ef485c..0d1d645c9 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -41,6 +41,15 @@ service: port: 3000 annotations: {} +# -- Provide minimal resources to prevent accidental crashes due to resource exhaustion +# resources: +# requests: +# cpu: 50m +# memory: 128Mi +# limits: +# cpu: 100m +# memory: 512Mi + # -- URL of the Tornjak APIs (backend) # Since Tornjak Frontend runs in the browser, this URL must be accessible from # the machine running a browser. diff --git a/examples/tornjak/values.yaml b/examples/tornjak/values.yaml index c4ff6f24a..a4072655c 100644 --- a/examples/tornjak/values.yaml +++ b/examples/tornjak/values.yaml @@ -8,3 +8,10 @@ tornjak-frontend: type: ClusterIP port: 3000 apiServerURL: "http://localhost:10000/" + resources: + requests: + cpu: 50m + memory: 128Mi + limits: + cpu: 100m + memory: 512Mi From bd86518abce71ab5b688c3b67bdf30eae7548e66 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Mon, 1 May 2023 16:32:58 -0400 Subject: [PATCH 12/55] Fixing shellcheck Signed-off-by: Mariusz Sabath --- .github/tests/tornjak/post-install.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/tests/tornjak/post-install.sh b/.github/tests/tornjak/post-install.sh index 50b34af07..d2b9a8d5c 100755 --- a/.github/tests/tornjak/post-install.sh +++ b/.github/tests/tornjak/post-install.sh 
@@ -5,6 +5,10 @@ set -x
 SCRIPT=$(readlink -f "$0")
 SCRIPTPATH=$(dirname "$SCRIPT")
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../common.sh"
+
 k_wait=(kubectl wait --for condition=available --timeout 30s --namespace)
 k_rollout_status=(kubectl rollout status --watch --timeout 30s --namespace)
@@ -48,7 +52,7 @@ EOF
 kubectl -n spire-server get service spire-tornjak-frontend
-if [ $1 -ne 0 ]; then
+if [ "$1" -ne 0 ]; then
 get_namespace_details spire-server
 get_namespace_details spire-system
 fi
From f5efa0cefd46462f6bd9798d80267ce97b929d3a Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Thu, 4 May 2023 10:29:25 -0400 Subject: [PATCH 13/55] Remove dead macros Signed-off-by: Mariusz Sabath --- .../charts/spire-server/templates/_helpers.tpl | 15 --------------- 1 file changed, 15 deletions(-)
diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl
index 864b9f767..2851e4b3c 100644
--- a/charts/spire/charts/spire-server/templates/_helpers.tpl
+++ b/charts/spire/charts/spire-server/templates/_helpers.tpl
@@ -167,18 +167,3 @@ Tornjak specific section
 {{- define "spire-tornjak.backend" -}}
 {{ include "spire-tornjak.fullname" . }}-be
 {{- end }}
-
-{{/*
-Create URL for accessing Tornjak Backend
-*/}}
-{{- define "tornjak.apiURL" -}}
-{{- default .Values.tornjak.config.frontend.apiServerURL }}
-{{- end }}
-
-{{/*
-Create URL for accessing Tornjak Frontend
-*/}}
-{{- define "tornjak.frontendURL" -}}
-{{- $feurl := print "http://localhost:3000" }}
-{{- $feurl }}
-{{- end }}
From 80d34f0485f7c238cfe8dffd4e4390b04ecbfa76 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Thu, 11 May 2023 22:58:23 -0400 Subject: [PATCH 14/55] Use common post-install scripts for testing Signed-off-by: Mariusz Sabath --- .github/tests/tornjak/post-install.sh | 53 +++++---------------------- 1 file changed, 9 insertions(+), 44 deletions(-)
diff --git a/.github/tests/tornjak/post-install.sh b/.github/tests/tornjak/post-install.sh index d2b9a8d5c..69ca32e2a 100755 --- a/.github/tests/tornjak/post-install.sh +++ b/.github/tests/tornjak/post-install.sh 
@@ -2,57 +2,22 @@ set -x
-SCRIPT=$(readlink -f "$0")
-SCRIPTPATH=$(dirname "$SCRIPT")
-
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
 # shellcheck source=/dev/null
 source "${SCRIPTPATH}/../common.sh"
-k_wait=(kubectl wait --for condition=available --timeout 30s --namespace)
-k_rollout_status=(kubectl rollout status --watch --timeout 30s --namespace)
-
-function get_namespace_details {
-cat <>"$GITHUB_STEP_SUMMARY"
-### Namespace $1
-
-#### Events
-
-\`\`\`shell
-$(kubectl --request-timeout=30s get events --output wide --namespace "$1")
-\`\`\`
-
-#### Pods
-
-\`\`\`shell
-$(kubectl --request-timeout=30s describe pods --namespace "$1")
-\`\`\`
-
-#### Logs
-
-\`\`\`shell
-$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --all-containers=true --ignore-errors=true; done)
-\`\`\`
-
-EOF
-}
-
-cat <>"$GITHUB_STEP_SUMMARY"
-### spire
-
-| workload | Status |
-| ------------------------------------ | ------ |
-| spire-server | "$("${k_rollout_status[@]}" spire-server statefulset spire-server)" |
-| spire-controller-manager | "$("${k_rollout_status[@]}" spire-server statefulset spire-controller-manager)" |
-| spire-spiffe-oidc-discovery-provider | "$("${k_wait[@]}" spire-server deployments.apps spire-spiffe-oidc-discovery-provider)" |
-| spire-spiffe-csi-driver | "$("${k_rollout_status[@]}" spire-system daemonset spire-spiffe-csi-driver)" |
-| spire-agent | "$("${k_rollout_status[@]}" spire-system daemonset spire-agent)" |
-| tornjak-frontend | "$("${k_wait[@]}" spire-server deployments.apps spire-tornjak-frontend)" |
-EOF
+print_helm_releases
+print_spire_workload_status spire-server spire-system
+kubectl rollout status --watch --timeout 30s --namespace spire-server deployments.apps spire-tornjak-frontend
+kubectl -n spire-server get deploy spire-tornjak-frontend
 kubectl -n spire-server get service spire-tornjak-frontend
-if [ "$1" -ne 0 ]; then
+
+if [[ "$1" -ne 0 ]]; then
 get_namespace_details spire-server
 get_namespace_details spire-system
 fi
From 6ddf6ab9fa99085100dc665a973f89b88c8ce472 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Fri, 12 May 2023 13:37:59 +0200 Subject: [PATCH 15/55] Improve tornjak docs (#276) - Align tornjak backend naming with same convention as frontend - Align Tornjak backend and frontend notes style - Add disclaimer for Tornjak usage to example --------- Signed-off-by: Marco Franssen --- .../charts/spire-server/templates/NOTES.txt | 12 ++++++---- .../spire-server/templates/_helpers.tpl | 4 +++- .../spire-server/templates/service.yaml | 24 ------------------- .../templates/tornjak-service.yaml | 22 +++++++++++++++++ .../tornjak-frontend/templates/NOTES.txt | 12 ++++++---- examples/tornjak/README.md | 22 +++++++++++++-- 6 files changed, 60 insertions(+), 36 deletions(-) create mode 100644 charts/spire/charts/spire-server/templates/tornjak-service.yaml
diff --git a/charts/spire/charts/spire-server/templates/NOTES.txt b/charts/spire/charts/spire-server/templates/NOTES.txt
index 580244e44..1c008830e 100644
--- a/charts/spire/charts/spire-server/templates/NOTES.txt
+++ b/charts/spire/charts/spire-server/templates/NOTES.txt
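Review bot: the new `kubectl rollout status --watch --timeout 30s … spire-tornjak-frontend` line has no effect on the script's exit status: nothing enables `set -e`, the following commands run regardless, and the script ends with the `if` block, so a frontend that never rolls out still lets post-install.sh exit 0 when the install itself succeeded (unless `common.sh`, which is not visible here, turns on errexit). Record the result and return it, e.g. `kubectl rollout status … spire-tornjak-frontend || rc=$?` followed by a final `exit "${rc:-0}"` after the `fi`, or add `set -euo pipefail` right after `set -x`. `scenario` is assigned but not referenced by any of the new lines; if only `common.sh` reads it, a short comment saying so (`# consumed by common.sh`) would save the next reader a search.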
@@ -7,15 +7,17 @@ Installed {{ .Chart.Name }}… {{- if eq (.Values.tornjak.enabled | toString) "true" }} +Installed {{ include "spire-tornjak.fullname" . }}… + ### WARNING ### -This Tornjak is configured without authentication and it is intended for -testing only. Please do not use this version in production. +Tornjak runs without authentication and is therefore NOT suitable to run in production environments. +Only use in test environments! -Tornjak APIs (Backend): - kubectl -n {{ include "spire-server.namespace" . }} port-forward {{ include "spire-server.fullname" . }}-0 {{ .Values.tornjak.service.port }}:10000 +Access Tornjak: + + kubectl -n {{ include "spire-server.namespace" . }} port-forward service/{{ include "spire-tornjak.backend" . }} {{ .Values.tornjak.service.port }}:10000 Open browser to: http://localhost:{{ .Values.tornjak.service.port }} -Installed {{ include "spire-tornjak.fullname" . }}… {{- end }} diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl index 2851e4b3c..7df362661 100644 --- a/charts/spire/charts/spire-server/templates/_helpers.tpl +++ b/charts/spire/charts/spire-server/templates/_helpers.tpl @@ -161,9 +161,11 @@ Tornjak specific section {{- define "spire-tornjak.fullname" -}} {{ include "spire-server.fullname" . | trimSuffix "-server" }}-tornjak {{- end }} + {{- define "spire-tornjak.config" -}} {{ include "spire-tornjak.fullname" . }}-config {{- end }} + {{- define "spire-tornjak.backend" -}} -{{ include "spire-tornjak.fullname" . }}-be +{{ include "spire-tornjak.fullname" . }}-backend {{- end }} diff --git a/charts/spire/charts/spire-server/templates/service.yaml b/charts/spire/charts/spire-server/templates/service.yaml index bfa354abd..1e57a0707 100644 --- a/charts/spire/charts/spire-server/templates/service.yaml +++ b/charts/spire/charts/spire-server/templates/service.yaml 
@@ -26,27 +26,3 @@ spec:
 {{- end }}
 selector:
 {{- include "spire-server.selectorLabels" . | nindent 4 }}
-
-{{- if eq (.Values.tornjak.enabled | toString) "true" }}
----
-apiVersion: v1
-kind: Service
-metadata:
- namespace: {{ include "spire-server.namespace" . }}
- name: {{ include "spire-tornjak.backend" . }}
- {{- with .Values.tornjak.service.annotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- labels:
- {{- include "spire-server.labels" . | nindent 4 }}
-spec:
- type: {{ .Values.tornjak.service.type }}
- selector:
- {{- include "spire-server.selectorLabels" . | nindent 4 }}
- ports:
- - name: {{ include "spire-tornjak.backend" . }}
- port: {{ .Values.tornjak.service.port }}
- targetPort: tornjak
- protocol: TCP
-{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/tornjak-service.yaml b/charts/spire/charts/spire-server/templates/tornjak-service.yaml
new file mode 100644
index 000000000..a4a95bdf4
--- /dev/null
+++ b/charts/spire/charts/spire-server/templates/tornjak-service.yaml
@@ -0,0 +1,22 @@
+{{- if eq (.Values.tornjak.enabled | toString) "true" }}
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: {{ include "spire-server.namespace" . }}
+ name: {{ include "spire-tornjak.backend" . }}
+ {{- with .Values.tornjak.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "spire-server.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.tornjak.service.type }}
+ selector:
+ {{- include "spire-server.selectorLabels" . | nindent 4 }}
+ ports:
+ - name: {{ include "spire-tornjak.backend" . }}
+ port: {{ .Values.tornjak.service.port }}
+ targetPort: tornjak
+ protocol: TCP
+{{- end }}
diff --git a/charts/spire/charts/tornjak-frontend/templates/NOTES.txt b/charts/spire/charts/tornjak-frontend/templates/NOTES.txt
index ea06ed1ad..8e08f810d 100644
--- a/charts/spire/charts/tornjak-frontend/templates/NOTES.txt
+++ b/charts/spire/charts/tornjak-frontend/templates/NOTES.txt
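Review bot: `type: {{ .Values.tornjak.service.type }}` in the new tornjak-service.yaml lets a values override publish the Tornjak backend as NodePort or LoadBalancer, and the NOTES in this same commit state that Tornjak runs without authentication, so such an override puts whatever the Tornjak API can do against the SPIRE server on the network with no access control. A value-level caveat would help, e.g. `# -- Keep ClusterIP: the Tornjak API has no authentication; NodePort/LoadBalancer exposes it unauthenticated` beside `tornjak.service.type` in values.yaml, or a template `fail` until authentication exists. Also, the `annotations:` block keeps `{{- toYaml . | nindent 8 }}` here while the frontend service's identical block is corrected to `nindent 4` later in this series; YAML tolerates the deeper indent, but aligning to `nindent 4` keeps the two Service templates consistent.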
@@ -8,15 +8,19 @@ Namespace: {{ include "tornjak-frontend.namespace" . }} Tornjak UI (Frontend) image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }} pull policy: {{ .Values.image.pullPolicy }} -Configured with Tornjak API (Backend): {{ include "tornjak-frontend.apiURL" . }} + Tornjak API (Backend): {{ include "tornjak-frontend.apiURL" . }} ### WARNING ### -This Tornjak is configured without authentication and it is intended for -testing only. Please do not use this version in production. -You can use port forwarding to access UI: +Tornjak runs without authentication and is therefore NOT suitable to run in production environments. +Only use in test environments! + +Access Tornjak: + kubectl -n {{ include "tornjak-frontend.namespace" . }} port-forward service/{{ include "tornjak-frontend.fullname" . }} {{ .Values.service.port }}:3000 +Ensure you have port-forwarding for tornjak-backend as well. + Open browser to: http://localhost:{{ .Values.service.port }} To learn more about the release, try: diff --git a/examples/tornjak/README.md b/examples/tornjak/README.md index 0863b0573..4108c3b7e 100644 --- a/examples/tornjak/README.md +++ b/examples/tornjak/README.md @@ -1,5 +1,7 @@ # Recommended setup to deploy Tornjak +> **Warning**: The current version of Tornjak in this chart is deployed without authentication. Therefore it is not suitable to run this version in production. + To install Spire with the least privileges possible we deploy spire across 2 namespaces. ```shell 
@@ -9,11 +11,27 @@ kubectl create namespace "spire-server" kubectl label namespace "spire-server" pod-security.kubernetes.io/enforce=restricted # deploy SPIRE with Tornjak enabled -helm upgrade --install --namespace spire-server --values ../production/values.yaml \ - --values ./values.yaml spire charts/spire +helm upgrade --install --namespace spire-server \ + --values ../production/values.yaml \ + --values ./values.yaml \ + --render-subchart-notes \ + spire charts/spire # test the Tornjak deployment helm test spire -n spire-server ``` +## Access tornjak + +To access Tornjak you will have to use port-forwarding for the time being *(until we add authentication and ingress)*. + +Run following commands from your shell, if you ran with different values your namespace might differ. Consult the install notes printed when running above `helm upgrade` command in that case. + +```shell +kubectl -n spire-server port-forward service/spire-tornjak-backend 10000:10000 +kubectl -n spire-server port-forward service/spire-tornjak-frontend 3000:3000 +``` + +You can now access Tornjak at [localhost:3000](http://localhost:3000). + See [values.yaml](./values.yaml) for more details on the chart configurations to achieve this setup. From b64c352b157601d5f7d0f2f769c41371bacfcf6f Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Fri, 12 May 2023 08:31:45 -0400 Subject: [PATCH 16/55] Update charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml Co-authored-by: Marco Franssen Signed-off-by: Mariusz Sabath --- .../spire-server/templates/tests/test-tornjak-connection.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml index a80410984..5b386925f 100644 --- a/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml 
+++ b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml
@@ -12,7 +12,7 @@ spec:
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 4 }}
 containers:
- - name: wget-tornjak-backend
+ - name: curl-tornjak-backend
 image: cgr.dev/chainguard/bash:latest
 command: ['curl']
 args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.backend" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.port }}']
From 7521cafcc6bfb3c8895401f344dab1af9f9987b2 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Fri, 12 May 2023 08:31:58 -0400 Subject: [PATCH 17/55] Update charts/spire/charts/spire-server/templates/tornjak-config.yaml Co-authored-by: Marco Franssen Signed-off-by: Mariusz Sabath --- charts/spire/charts/spire-server/templates/tornjak-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/spire/charts/spire-server/templates/tornjak-config.yaml b/charts/spire/charts/spire-server/templates/tornjak-config.yaml
index 54103569e..a112051a7 100644
--- a/charts/spire/charts/spire-server/templates/tornjak-config.yaml
+++ b/charts/spire/charts/spire-server/templates/tornjak-config.yaml
@@ -20,4 +20,4 @@ data:
 }
 {{- end }}
 }
- {{- end }}
+{{- end }}
From 657c460e67119315875e3b48868a03789aa8964b Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Fri, 12 May 2023 08:32:10 -0400 Subject: [PATCH 18/55] Update charts/spire/charts/tornjak-frontend/templates/service.yaml Co-authored-by: Marco Franssen Signed-off-by: Mariusz Sabath --- charts/spire/charts/tornjak-frontend/templates/service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/spire/charts/tornjak-frontend/templates/service.yaml b/charts/spire/charts/tornjak-frontend/templates/service.yaml
index 5a49fca3f..6208d9a87 100644
--- a/charts/spire/charts/tornjak-frontend/templates/service.yaml
+++ b/charts/spire/charts/tornjak-frontend/templates/service.yaml
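Review bot: the Helm test pod still runs `image: cgr.dev/chainguard/bash:latest` (context line right under the renamed container), a floating tag, so the test's behaviour can change underneath the chart and is not reproducible; pin a version or digest, e.g. `image: cgr.dev/chainguard/bash@sha256:<digest>`. The `-k` in `args` disables certificate verification; it is a no-op for the `http://` URL used today but will silently accept any certificate once the backend gains TLS, so dropping it now costs nothing. The rename to `curl-tornjak-backend` also presumes the bash image ships `curl`, which is worth confirming against the image contents rather than assuming from the name.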
@@ -5,7 +5,7 @@ metadata: name: {{ include "tornjak-frontend.fullname" . }} {{- with .Values.service.annotations }} annotations: - {{- toYaml . | nindent 8 }} + {{- toYaml . | nindent 4 }} {{- end }} labels: {{- include "tornjak-frontend.labels" . | nindent 4 }} From 382e0d4a4711138161fdfc9f34b0256b108bcb55 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Fri, 12 May 2023 13:10:25 -0400 Subject: [PATCH 19/55] Upgrade Tornjak image to version v1.2.0 (#259) Signed-off-by: Mariusz Sabath Co-authored-by: Marco Franssen --- .github/tests/tornjak/post-install.sh | 2 +- charts/spire/charts/spire-server/README.md | 4 ++-- charts/spire/charts/spire-server/values.yaml | 4 ++-- charts/spire/charts/tornjak-frontend/Chart.yaml | 2 +- charts/spire/charts/tornjak-frontend/README.md | 5 +++-- .../spire/charts/tornjak-frontend/templates/NOTES.txt | 1 + .../charts/tornjak-frontend/templates/deployment.yaml | 10 +++++++--- charts/spire/charts/tornjak-frontend/values.yaml | 8 +++++++- 8 files changed, 24 insertions(+), 12 deletions(-) diff --git a/.github/tests/tornjak/post-install.sh b/.github/tests/tornjak/post-install.sh index 69ca32e2a..c5040ec2a 100755 --- a/.github/tests/tornjak/post-install.sh +++ b/.github/tests/tornjak/post-install.sh @@ -12,7 +12,7 @@ source "${SCRIPTPATH}/../common.sh" print_helm_releases print_spire_workload_status spire-server spire-system -kubectl rollout status --watch --timeout 30s --namespace spire-server deployments.apps spire-tornjak-frontend +kubectl rollout status --watch --timeout 180s --namespace spire-server deployments.apps spire-tornjak-frontend kubectl -n spire-server get deploy spire-tornjak-frontend kubectl -n spire-server get service spire-tornjak-frontend diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 0eef5fb92..7c051c3f1 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -108,8 +108,8 @@ A Helm chart to install the SPIRE server. | topologySpreadConstraints | list | `[]` | | | tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information | | tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) | -| tornjak.image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"spiffe/tornjak-be","version":"v1.0.2"}` | Tornjak API image | -| tornjak.image.version | string | `"v1.0.2"` | Overrides the image tag whose default is the chart appVersion. | +| tornjak.image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"spiffe/tornjak-backend","version":"v1.2.0"}` | Tornjak API image | +| tornjak.image.version | string | `"v1.2.0"` | Overrides the image tag whose default is the chart appVersion. | | tornjak.service.annotations | object | `{}` | | | tornjak.service.port | int | `10000` | | | tornjak.service.type | string | `"ClusterIP"` | | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 2ff322bc4..904dcc1f7 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -263,10 +263,10 @@ tornjak: # -- Tornjak API image image: registry: ghcr.io - repository: spiffe/tornjak-be + repository: spiffe/tornjak-backend pullPolicy: IfNotPresent # -- Overrides the image tag whose default is the chart appVersion. - version: "v1.0.2" + version: "v1.2.0" service: type: ClusterIP port: 10000 diff --git a/charts/spire/charts/tornjak-frontend/Chart.yaml b/charts/spire/charts/tornjak-frontend/Chart.yaml index 9b77c939b..15167cfc1 100644 --- a/charts/spire/charts/tornjak-frontend/Chart.yaml +++ b/charts/spire/charts/tornjak-frontend/Chart.yaml 
@@ -3,7 +3,7 @@ name: tornjak-frontend description: A Helm chart to deploy Tornjak frontend type: application version: 0.1.0 -appVersion: "v1.0.2" +appVersion: "v1.2.0" home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: - https://github.com/spiffe/tornjak diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index c5255c110..fba5649cf 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -2,7 +2,7 @@ -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.2](https://img.shields.io/badge/AppVersion-v1.0.2-informational?style=flat-square) +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.2.0](https://img.shields.io/badge/AppVersion-v1.2.0-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart to deploy Tornjak frontend @@ -53,7 +53,7 @@ port forwarding. See the chart NOTES output for more details. | fullnameOverride | string | `""` | | | image.pullPolicy | string | `"IfNotPresent"` | | | image.registry | string | `"ghcr.io"` | | -| image.repository | string | `"spiffe/tornjak-fe"` | | +| image.repository | string | `"spiffe/tornjak-frontend"` | | | image.version | string | `""` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | | | labels | object | `{}` | | 
@@ -67,4 +67,5 @@ port forwarding. See the chart NOTES output for more details. | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | +| spireHealthCheck.enabled | bool | `true` | Enables the SPIRE Healthchecker indicator | ---------------------------------------------- diff --git a/charts/spire/charts/tornjak-frontend/templates/NOTES.txt b/charts/spire/charts/tornjak-frontend/templates/NOTES.txt index 8e08f810d..85a568e41 100644 --- a/charts/spire/charts/tornjak-frontend/templates/NOTES.txt +++ b/charts/spire/charts/tornjak-frontend/templates/NOTES.txt @@ -9,6 +9,7 @@ Tornjak UI (Frontend) image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }} pull policy: {{ .Values.image.pullPolicy }} Tornjak API (Backend): {{ include "tornjak-frontend.apiURL" . }} + SPIRE health check enabled: "{{ .Values.spireHealthCheck.enabled }}" ### WARNING ### diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index 116b9a1d0..141b77113 100644 --- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml 
@@ -35,15 +35,19 @@ spec:
 env:
 - name: REACT_APP_API_SERVER_URI
 value: {{ include "tornjak-frontend.apiURL" . }}
+ {{- if eq (.Values.spireHealthCheck.enabled | toString) "true" }}
+ - name: REACT_APP_SPIRE_HEALTH_CHECK_ENABLE
+ value: "{{ .Values.spireHealthCheck.enabled }}"
+ {{- end }}
 startupProbe:
 httpGet:
 scheme: HTTP
 port: {{ .Values.service.port }}
 failureThreshold: 6
- initialDelaySeconds: 60
- periodSeconds: 30
+ initialDelaySeconds: 120
+ periodSeconds: 45
 successThreshold: 1
- timeoutSeconds: 10
+ timeoutSeconds: 20
 volumeMounts:
 - name: cache
 mountPath: /usr/src/app/node_modules/.cache
diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml
index 0d1d645c9..896769f9e 100644
--- a/charts/spire/charts/tornjak-frontend/values.yaml
+++ b/charts/spire/charts/tornjak-frontend/values.yaml
@@ -4,7 +4,7 @@ image:
 registry: ghcr.io
- repository: spiffe/tornjak-fe
+ repository: spiffe/tornjak-frontend
 pullPolicy: IfNotPresent
 # -- Overrides the image tag whose default is the chart appVersion.
 version: ""
@@ -54,3 +54,9 @@ service:
 # Since Tornjak Frontend runs in the browser, this URL must be accessible from
 # the machine running a browser.
 apiServerURL: "http://localhost:10000/" # 👈 Use it for minikube or kind
+
+# SPIRE Healthchecker indicator
+spireHealthCheck:
+ # -- Enables the SPIRE Healthchecker indicator
+ enabled: true
+
From a11cfc99ac23854120f3815127e92e11a3561de3 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Fri, 12 May 2023 19:52:38 +0200 Subject: [PATCH 20/55] Allow to define the resources for tornjak backend Signed-off-by: Marco Franssen --- charts/spire/charts/spire-server/README.md | 1 + .../charts/spire-server/templates/statefulset.yaml | 2 ++ charts/spire/charts/spire-server/values.yaml | 11 +++++++++++ 3 files changed, 14 insertions(+)
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index 7c051c3f1..60f31588a 100644
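Review bot: the startupProbe's `port: {{ .Values.service.port }}` probes the container on the Service's port, yet the chart's NOTES forward `{{ .Values.service.port }}:3000`, i.e. the container listens on 3000 regardless of `service.port`; a user who changes `service.port` therefore gets a probe that can never succeed and a pod killed after the now roughly 390 s startup budget (120 s initial delay plus 6 × 45 s). Probe the container's own port instead, e.g. a literal `port: 3000`, or `port: http` if the container declares a named `containerPort`. The unquoted `value: {{ include "tornjak-frontend.apiURL" . }}` is also a bare templated scalar; `value: {{ include "tornjak-frontend.apiURL" . | quote }}` protects the env var from YAML re-typing if the URL ever carries a special character. The container spec continues outside the hunk.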
--- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -110,6 +110,7 @@ A Helm chart to install the SPIRE server. | tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) | | tornjak.image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"spiffe/tornjak-backend","version":"v1.2.0"}` | Tornjak API image | | tornjak.image.version | string | `"v1.2.0"` | Overrides the image tag whose default is the chart appVersion. | +| tornjak.resources | object | `{}` | | | tornjak.service.annotations | object | `{}` | | | tornjak.service.port | int | `10000` | | | tornjak.service.type | string | `"ClusterIP"` | | diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index 3a1322bc6..dc67dab96 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -182,6 +182,8 @@ spec: - name: tornjak containerPort: 10000 protocol: TCP + resources: + {{- toYaml .Values.tornjak.resources | nindent 12 }} volumeMounts: - name: {{ include "spire-tornjak.config" . }} mountPath: /run/spire/tornjak-config diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 904dcc1f7..96fc42553 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml 
@@ -276,3 +276,14 @@ tornjak: dataStore: driver: "sqlite3" file: "/run/spire/data/tornjak.sqlite3" + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi From ed472aa98bd6de9f2a3148690183aca7658737d8 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Fri, 12 May 2023 18:46:59 -0400 Subject: [PATCH 21/55] Update documentation Signed-off-by: Mariusz Sabath --- charts/spire/README.md | 31 ++++++++++++++++++++-- charts/spire/charts/spire-server/README.md | 4 +-- 2 files changed, 31 insertions(+), 4 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 7054fe553..582fdfe5f 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -122,6 +122,7 @@ Kubernetes: `>=1.21.0-0` | spire-server.controllerManager.enabled | bool | `true` | | | spire-server.enabled | bool | `true` | | | spire-server.nameOverride | string | `"server"` | | +| tornjak-frontend.enabled | bool | `false` | | | spiffe-csi-driver.agentSocketPath | string | `"/run/spire/agent-sockets/spire-agent.sock"` | The unix socket path to the spire-agent | | spiffe-csi-driver.fullnameOverride | string | `""` | | | spiffe-csi-driver.healthChecks.port | int | `9809` | | 
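Review bot: `resources: {}` is added without a helm-docs `# --` description, which is why the generated README row for `tornjak.resources` in the hunk at L60 has an empty description cell. Suggest placing `# -- Resource requests and limits for the Tornjak backend container` directly above `resources: {}`; helm-docs reads the comment immediately preceding the key, so the commented-out example block below it is not picked up as documentation.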
@@ -313,7 +314,7 @@ Kubernetes: `>=1.21.0-0` | spire-server.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | spire-server.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | | spire-server.image.repository | string | `"spiffe/spire-server"` | The repository within the registry | -| spire-server.image.version | string | `""` | | +| spire-server.image.version | string | `""` | Overrides the image tag whose default is the chart appVersion. | | spire-server.imagePullSecrets | list | `[]` | | | spire-server.initContainers | list | `[]` | | | spire-server.jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain | 
@@ -344,6 +345,14 @@ Kubernetes: `>=1.21.0-0` | spire-server.telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spire-server | | spire-server.tolerations | list | `[]` | | | spire-server.topologySpreadConstraints | list | `[]` | | +| spire-server.tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information | +| spire-server.tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) | +| spire-server.tornjak.image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"spiffe/tornjak-backend","version":"v1.2.0"}` | Tornjak API image | +| spire-server.tornjak.image.version | string | `"v1.2.0"` | Overrides the image tag whose default is the chart appVersion. | +| spire-server.tornjak.resources | object | `{}` | | +| spire-server.tornjak.service.annotations | object | `{}` | | +| spire-server.tornjak.service.port | int | `10000` | | +| spire-server.tornjak.service.type | string | `"ClusterIP"` | | | spire-server.trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers | | spire-server.upstreamAuthority.certManager.enabled | bool | `false` | | | spire-server.upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` | | 
@@ -356,6 +365,24 @@ Kubernetes: `>=1.21.0-0` | spire-server.upstreamAuthority.disk.secret.create | bool | `true` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. | | spire-server.upstreamAuthority.disk.secret.data | object | `{"bundle":"","certificate":"","key":""}` | If secret creation is enabled, will create a secret with following certificate info | | spire-server.upstreamAuthority.disk.secret.name | string | `"spiffe-upstream-ca"` | If secret creation is disabled, the secret with this name will be used. | -| tornjak-frontend.enabled | bool | `false` | | +| tornjak-frontend.apiServerURL | string | `"http://localhost:10000/"` | URL of the Tornjak APIs (backend) Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. | +| tornjak-frontend.fullnameOverride | string | `""` | | +| tornjak-frontend.image.pullPolicy | string | `"IfNotPresent"` | | +| tornjak-frontend.image.registry | string | `"ghcr.io"` | | +| tornjak-frontend.image.repository | string | `"spiffe/tornjak-frontend"` | | +| tornjak-frontend.image.version | string | `""` | Overrides the image tag whose default is the chart appVersion. 
| +| tornjak-frontend.imagePullSecrets | list | `[]` | | +| tornjak-frontend.labels | object | `{}` | | +| tornjak-frontend.nameOverride | string | `""` | | +| tornjak-frontend.namespaceOverride | string | `""` | | +| tornjak-frontend.podSecurityContext | object | `{}` | | +| tornjak-frontend.securityContext | object | `{}` | | +| tornjak-frontend.service.annotations | object | `{}` | | +| tornjak-frontend.service.port | int | `3000` | | +| tornjak-frontend.service.type | string | `"ClusterIP"` | | +| tornjak-frontend.serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| tornjak-frontend.serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| tornjak-frontend.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | +| tornjak-frontend.spireHealthCheck.enabled | bool | `true` | Enables the SPIRE Healthchecker indicator | ---------------------------------------------- diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 60f31588a..d6ac19025 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -75,7 +75,7 @@ A Helm chart to install the SPIRE server. | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | | image.repository | string | `"spiffe/spire-server"` | The repository within the registry | -| image.version | string | `""` | | +| image.version | string | `""` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | | | initContainers | list | `[]` | | | jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain | 
@@ -114,7 +114,7 @@ A Helm chart to install the SPIRE server. | tornjak.service.annotations | object | `{}` | | | tornjak.service.port | int | `10000` | | | tornjak.service.type | string | `"ClusterIP"` | | -| trustDomain | string | `"example.org"` | | +| trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers | | upstreamAuthority.certManager.enabled | bool | `false` | | | upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` | | | upstreamAuthority.certManager.issuer_kind | string | `"Issuer"` | | From ee43c5e36f84ffeacd2bef5281f628bb202621e3 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Tue, 16 May 2023 20:02:14 +0200 Subject: [PATCH 22/55] Add nodeSelector for tornjak Tornjak only supports amd64 builds at the moment To prevent deployment failures on clusters with arm64 nodes I have added a nodeSelector for tornjak frontend, and documentation for spire-server Signed-off-by: Marco Franssen --- charts/spire/README.md | 3 ++- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 1 + charts/spire/charts/tornjak-frontend/README.md | 1 + .../spire/charts/tornjak-frontend/templates/deployment.yaml | 4 ++++ charts/spire/charts/tornjak-frontend/values.yaml | 5 ++++- 6 files changed, 13 insertions(+), 3 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 582fdfe5f..fdd9865e7 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -323,7 +323,7 @@ Kubernetes: `>=1.21.0-0` | spire-server.namespaceOverride | string | `""` | | | spire-server.nodeAttestor.k8sPsat.enabled | bool | `true` | | | spire-server.nodeAttestor.k8sPsat.serviceAccountAllowList | list | `[]` | | -| spire-server.nodeSelector | object | `{}` | | +| spire-server.nodeSelector | object | `{}` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | | spire-server.notifier.k8sbundle.namespace | string | `""` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | | spire-server.persistence.accessMode | string | `"ReadWriteOnce"` | | | spire-server.persistence.size | string | `"1Gi"` | | @@ -375,6 +375,7 @@ Kubernetes: `>=1.21.0-0` | tornjak-frontend.labels | object | `{}` | | | tornjak-frontend.nameOverride | string | `""` | | | tornjak-frontend.namespaceOverride | string | `""` | | +| tornjak-frontend.nodeSelector | object | `{"kubernetes.io/arch":"amd64"}` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | | tornjak-frontend.podSecurityContext | object | `{}` | | | tornjak-frontend.securityContext | object | `{}` | | | tornjak-frontend.service.annotations | object | `{}` | | diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index d6ac19025..18c7d7447 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -84,7 +84,7 @@ A Helm chart to install the SPIRE server. | namespaceOverride | string | `""` | | | nodeAttestor.k8sPsat.enabled | bool | `true` | | | nodeAttestor.k8sPsat.serviceAccountAllowList | list | `[]` | | -| nodeSelector | object | `{}` | | +| nodeSelector | object | `{}` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | | notifier.k8sbundle.namespace | string | `""` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | | persistence.accessMode | string | `"ReadWriteOnce"` | | | persistence.size | string | `"1Gi"` | | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 96fc42553..309e4201c 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -70,6 +70,7 @@ autoscaling: targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 +# -- Select specific nodes to run on (currently only amd64 is supported by Tornjak) nodeSelector: {} tolerations: [] diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index fba5649cf..b8a254f0b 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -59,6 +59,7 @@ port forwarding. See the chart NOTES output for more details. | labels | object | `{}` | | | nameOverride | string | `""` | | | namespaceOverride | string | `""` | | +| nodeSelector | object | `{"kubernetes.io/arch":"amd64"}` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | | podSecurityContext | object | `{}` | | | securityContext | object | `{}` | | | service.annotations | object | `{}` | | diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index 141b77113..8566a31e5 100644 
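Review bot: The new `# -- Select specific nodes to run on (currently only amd64 is supported by Tornjak)` comment in spire-server/values.yaml documents a constraint that the unchanged default `nodeSelector: {}` does not enforce; the Tornjak backend runs as a container inside the spire-server StatefulSet (the `tornjak` container in the statefulset.yaml hunk at L60), so with `tornjak.enabled` on a mixed-architecture cluster the pod can still land on a non-amd64 node and that container would presumably fail to start. Either make the required action explicit in the comment, e.g. `# -- Select specific nodes to run on. When tornjak.enabled is true, restrict scheduling to amd64 nodes (kubernetes.io/arch: amd64), as Tornjak currently ships amd64 images only`, or default the selector to amd64 in the StatefulSet template when `.Values.tornjak.enabled` is true and no selector is set. The README hunks at L67 and L68 repeat this wording and are generated from this comment, so a change here propagates there.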
--- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml @@ -51,6 +51,10 @@ spec: volumeMounts: - name: cache mountPath: /usr/src/app/node_modules/.cache + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} volumes: - name: cache emptyDir: {} diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 896769f9e..e17d5321e 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -41,6 +41,10 @@ service: port: 3000 annotations: {} +# -- Select specific nodes to run on (currently only amd64 is supported by Tornjak) +nodeSelector: + kubernetes.io/arch: amd64 + # -- Provide minimal resources to prevent accidental crashes due to resource exhaustion # resources: # requests: @@ -59,4 +63,3 @@ apiServerURL: "http://localhost:10000/" # 👈 Use it for minikube or kind spireHealthCheck: # -- Enables the SPIRE Healthchecker indicator enabled: true - From aed6fdfe4e1052f9600a4cae55f9dae5cc0250aa Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Tue, 16 May 2023 11:28:53 -0700 Subject: [PATCH 23/55] Use the correct kubectl for the cluster (#248) --- charts/spire/README.md | 6 +-- charts/spire/charts/spire-server/README.md | 6 +-- .../spire-server/templates/_helpers.tpl | 8 ++++ .../templates/post-install-hook.yaml | 38 ++++++++++--------- .../templates/post-upgrade-hook.yaml | 38 ++++++++++--------- .../templates/pre-upgrade-hook.yaml | 38 ++++++++++--------- charts/spire/charts/spire-server/values.yaml | 6 +-- 7 files changed, 77 insertions(+), 63 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index fdd9865e7..9d63c918d 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -291,9 +291,9 @@ Kubernetes: `>=1.21.0-0` | spire-server.controllerManager.service.type | string | `"ClusterIP"` | | | spire-server.controllerManager.validatingWebhookConfiguration.failurePolicy | string | `"Fail"` | | | spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from | -| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.repository | string | `"chainguard/kubectl"` | The repository within the registry | -| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.version | string | `"latest"` | | +| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | +| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.repository | string | `"rancher/kubectl"` | The repository within the registry | +| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.version | string | `""` | | | spire-server.dataStore.sql.databaseName | string | `"spire"` | Only used by "postgres" or "mysql" | | spire-server.dataStore.sql.databaseType | string | `"sqlite3"` | Other supported databases are "postgres" and "mysql" | | spire-server.dataStore.sql.host | string | `""` | Only used by "postgres" or "mysql" | diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 18c7d7447..a09b19edb 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -52,9 +52,9 @@ A Helm chart to install the SPIRE server. | controllerManager.service.type | string | `"ClusterIP"` | | | controllerManager.validatingWebhookConfiguration.failurePolicy | string | `"Fail"` | | | controllerManager.validatingWebhookConfiguration.upgradeHook.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| controllerManager.validatingWebhookConfiguration.upgradeHook.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from | -| controllerManager.validatingWebhookConfiguration.upgradeHook.image.repository | string | `"chainguard/kubectl"` | The repository within the registry | -| controllerManager.validatingWebhookConfiguration.upgradeHook.image.version | string | `"latest"` | | +| controllerManager.validatingWebhookConfiguration.upgradeHook.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | +| controllerManager.validatingWebhookConfiguration.upgradeHook.image.repository | string | `"rancher/kubectl"` | The repository within the registry | +| controllerManager.validatingWebhookConfiguration.upgradeHook.image.version | string | `""` | | | dataStore.sql.databaseName | string | `"spire"` | Only used by "postgres" or "mysql" | | dataStore.sql.databaseType | string | `"sqlite3"` | Other supported databases are "postgres" and "mysql" | | dataStore.sql.host | string | `""` | Only used by "postgres" or "mysql" | diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl index 7df362661..2c7e45c97 100644 --- a/charts/spire/charts/spire-server/templates/_helpers.tpl +++ b/charts/spire/charts/spire-server/templates/_helpers.tpl 
@@ -105,6 +105,14 @@ Create the name of the service account to use {{- end }} {{- end }} +{{- define "spire-server.kubectl-image" }} +{{- $root := deepCopy . }} +{{- if eq (len $root.image.version) 0 }} +{{- $_ := set $root.image "version" $root.KubeVersion }} +{{- end }} +{{- include "spire-lib.image" $root }} +{{- end }} + {{- define "spire-server.config-mysql-query" }} {{- $lst := list }} {{- range . }} diff --git a/charts/spire/charts/spire-server/templates/post-install-hook.yaml b/charts/spire/charts/spire-server/templates/post-install-hook.yaml index 37fd2a8b3..39607e225 100644 --- a/charts/spire/charts/spire-server/templates/post-install-hook.yaml +++ b/charts/spire/charts/spire-server/templates/post-install-hook.yaml 
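Review bot: `spire-server.kubectl-image` uses `$root.KubeVersion` verbatim as the image tag when `image.version` is empty, and the three hook templates at L73, L74 and L75 populate it from `.Capabilities.KubeVersion.Version`; on many managed or distribution-specific clusters that string carries a suffix (constructed examples: `v1.26.3-eks-abc123`, `v1.27.1+k3s1`) that is unlikely to exist as a `rancher/kubectl` tag, and `+` is not a valid image-tag character at all, so the hook Job would fail at image pull. Normalizing to bare semver before using it as a tag avoids this: `{{- $v := semver $root.KubeVersion }}` followed by `{{- $_ := set $root.image "version" (printf "v%d.%d.%d" $v.Major $v.Minor $v.Patch) }}`. The hook image is also selected by mutable tag only, for a Job that is granted permission to patch ValidatingWebhookConfigurations; if `spire-lib.image` supports a digest, a values comment showing how to pin the hook image by digest would reduce supply-chain exposure. Switching the hooks from a `/bin/sh -c` string to `args:` is a welcome change, since the JSON patch no longer passes through a shell.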
@@ -63,23 +63,25 @@ spec: - name: post-install-job securityContext: {{- toYaml .Values.securityContext | nindent 10 }} - image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global) }} - command: - - /bin/sh - - -c - - |- - kubectl patch validatingwebhookconfiguration {{ include "spire-controller-manager.fullname" . }}-webhook --type='strategic' -p ' - { - "webhooks":[ - { - "name":"vclusterspiffeid.kb.io", - "failurePolicy":"{{ .Values.controllerManager.validatingWebhookConfiguration.failurePolicy }}" - }, - { - "name":"vclusterfederatedtrustdomain.kb.io", - "failurePolicy":"{{ .Values.controllerManager.validatingWebhookConfiguration.failurePolicy }}" - } - ] - }' + image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} + args: + - patch + - validatingwebhookconfiguration + - {{ include "spire-controller-manager.fullname" . }}-webhook + - --type=strategic + - -p + - | + { + "webhooks":[ + { + "name":"vclusterspiffeid.kb.io", + "failurePolicy":"{{ .Values.controllerManager.validatingWebhookConfiguration.failurePolicy }}" + }, + { + "name":"vclusterfederatedtrustdomain.kb.io", + "failurePolicy":"{{ .Values.controllerManager.validatingWebhookConfiguration.failurePolicy }}" + } + ] + } {{- end }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml index f73e9f237..d518116b2 100644 --- a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml +++ b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml 
@@ -63,23 +63,25 @@ spec: - name: post-upgrade-job securityContext: {{- toYaml .Values.securityContext | nindent 10 }} - image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global) }} - command: - - /bin/sh - - -c - - |- - kubectl patch validatingwebhookconfiguration {{ include "spire-controller-manager.fullname" . }}-webhook --type='strategic' -p ' - { - "webhooks":[ - { - "name":"vclusterspiffeid.kb.io", - "failurePolicy":"{{ .Values.controllerManager.validatingWebhookConfiguration.failurePolicy }}" - }, - { - "name":"vclusterfederatedtrustdomain.kb.io", - "failurePolicy":"{{ .Values.controllerManager.validatingWebhookConfiguration.failurePolicy }}" - } - ] - }' + image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} + args: + - patch + - validatingwebhookconfiguration + - {{ include "spire-controller-manager.fullname" . }}-webhook + - --type=strategic + - -p + - | + { + "webhooks":[ + { + "name":"vclusterspiffeid.kb.io", + "failurePolicy":"{{ .Values.controllerManager.validatingWebhookConfiguration.failurePolicy }}" + }, + { + "name":"vclusterfederatedtrustdomain.kb.io", + "failurePolicy":"{{ .Values.controllerManager.validatingWebhookConfiguration.failurePolicy }}" + } + ] + } {{- end }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml index d2445bcb0..47f8ab1c2 100644 --- a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml +++ b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml 
@@ -63,23 +63,25 @@ spec: - name: post-install-job securityContext: {{- toYaml .Values.securityContext | nindent 10 }} - image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global) }} - command: - - /bin/sh - - -c - - |- - kubectl patch validatingwebhookconfiguration {{ include "spire-controller-manager.fullname" . }}-webhook --type='strategic' -p ' - { - "webhooks":[ - { - "name":"vclusterspiffeid.kb.io", - "failurePolicy":"Ignore" - }, - { - "name":"vclusterfederatedtrustdomain.kb.io", - "failurePolicy":"Ignore" - } - ] - }' + image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} + args: + - patch + - validatingwebhookconfiguration + - {{ include "spire-controller-manager.fullname" . }}-webhook + - --type=strategic + - -p + - | + { + "webhooks":[ + { + "name":"vclusterspiffeid.kb.io", + "failurePolicy":"Ignore" + }, + { + "name":"vclusterfederatedtrustdomain.kb.io", + "failurePolicy":"Ignore" + } + ] + } {{- end }} {{- end }} diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 309e4201c..094fbc11c 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -224,12 +224,12 @@ controllerManager: upgradeHook: image: # -- The OCI registry to pull the image from - registry: cgr.dev + registry: docker.io # -- The repository within the registry - repository: chainguard/kubectl + repository: rancher/kubectl # -- The image pull policy pullPolicy: IfNotPresent - version: latest + version: "" telemetry: prometheus: From 3537161cdf2e5fbf5952fc84a0e7e3d30181cb5e Mon Sep 17 00:00:00 2001 
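Review bot: In the spire-server/values.yaml hunk, `version: ""` under `upgradeHook.image` now has a non-obvious meaning — an empty value makes `spire-server.kubectl-image` fall back to the cluster's Kubernetes version — but the key carries no helm-docs comment, so the README rows in L70 and L71 show an empty description cell. Suggest `# -- Overrides the kubectl image tag; when empty, the tag defaults to the cluster's Kubernetes version` directly above `version: ""`. Separately, the pre-upgrade hook's container in this hunk is still named `post-install-job` (a context line, so outside this change), which looks like a copy-paste leftover worth fixing in a follow-up.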
From: Marco Franssen Date: Tue, 16 May 2023 20:10:10 +0200 Subject: [PATCH 24/55] Allow to configure affinity for tornjak-frontend Signed-off-by: Marco Franssen --- charts/spire/README.md | 1 + charts/spire/charts/tornjak-frontend/README.md | 1 + .../spire/charts/tornjak-frontend/templates/deployment.yaml | 4 ++++ charts/spire/charts/tornjak-frontend/values.yaml | 2 ++ 4 files changed, 8 insertions(+) diff --git a/charts/spire/README.md b/charts/spire/README.md index 9d63c918d..de3605641 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -365,6 +365,7 @@ Kubernetes: `>=1.21.0-0` | spire-server.upstreamAuthority.disk.secret.create | bool | `true` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. | | spire-server.upstreamAuthority.disk.secret.data | object | `{"bundle":"","certificate":"","key":""}` | If secret creation is enabled, will create a secret with following certificate info | | spire-server.upstreamAuthority.disk.secret.name | string | `"spiffe-upstream-ca"` | If secret creation is disabled, the secret with this name will be used. | +| tornjak-frontend.affinity | object | `{}` | | | tornjak-frontend.apiServerURL | string | `"http://localhost:10000/"` | URL of the Tornjak APIs (backend) Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. | | tornjak-frontend.fullnameOverride | string | `""` | | | tornjak-frontend.image.pullPolicy | string | `"IfNotPresent"` | | diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index b8a254f0b..9bf6e65f1 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md 
@@ -49,6 +49,7 @@ port forwarding. See the chart NOTES output for more details. | Key | Type | Default | Description | |-----|------|---------|-------------| +| affinity | object | `{}` | | | apiServerURL | string | `"http://localhost:10000/"` | URL of the Tornjak APIs (backend) Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. | | fullnameOverride | string | `""` | | | image.pullPolicy | string | `"IfNotPresent"` | | diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index 8566a31e5..68aac56b3 100644 --- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml @@ -55,6 +55,10 @@ spec: nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} volumes: - name: cache emptyDir: {} diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index e17d5321e..9b7a48e90 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -45,6 +45,8 @@ service: nodeSelector: kubernetes.io/arch: amd64 +affinity: {} + # -- Provide minimal resources to prevent accidental crashes due to resource exhaustion # resources: # requests: From 5cc26d3142eb691bea6d5d4bb1736bf4045382da Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Tue, 16 May 2023 20:10:54 +0200 Subject: [PATCH 25/55] Allow to configure tolerations for tornjak-frontend Signed-off-by: Marco Franssen --- charts/spire/README.md | 1 + charts/spire/charts/tornjak-frontend/README.md | 1 + .../spire/charts/tornjak-frontend/templates/deployment.yaml | 4 ++++ charts/spire/charts/tornjak-frontend/values.yaml | 2 ++ 4 files changed, 8 insertions(+) 
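Review bot: `affinity: {}` in tornjak-frontend/values.yaml is added with no `# --` helm-docs description, which is why the README rows added in the same commit (L76 and L77) have an empty description cell; the same applies to `tolerations: []` at L79 and `topologySpreadConstraints: []` at L80. Suggest `# -- Affinity rules for the tornjak-frontend pods` above `affinity: {}`, and matching `# -- Tolerations for the tornjak-frontend pods` and `# -- Topology spread constraints for the tornjak-frontend pods` above the other two keys.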
diff --git a/charts/spire/README.md b/charts/spire/README.md index de3605641..f98eb92e1 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -386,5 +386,6 @@ Kubernetes: `>=1.21.0-0` | tornjak-frontend.serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | tornjak-frontend.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | tornjak-frontend.spireHealthCheck.enabled | bool | `true` | Enables the SPIRE Healthchecker indicator | +| tornjak-frontend.tolerations | list | `[]` | | ---------------------------------------------- diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 9bf6e65f1..baa3c7e70 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -70,4 +70,5 @@ port forwarding. See the chart NOTES output for more details. | serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | spireHealthCheck.enabled | bool | `true` | Enables the SPIRE Healthchecker indicator | +| tolerations | list | `[]` | | ---------------------------------------------- diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index 68aac56b3..b404a63ee 100644 --- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml @@ -59,6 +59,10 @@ spec: affinity: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} volumes: - name: cache emptyDir: {} 
diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 9b7a48e90..08faf8e6b 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -47,6 +47,8 @@ nodeSelector: affinity: {} +tolerations: [] + # -- Provide minimal resources to prevent accidental crashes due to resource exhaustion # resources: # requests: From 391f093ae92e730804f8528dcbc54d11c69f053a Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Tue, 16 May 2023 20:11:29 +0200 Subject: [PATCH 26/55] Allow to configure topologySpreadConstraints for tornjak-frontend Signed-off-by: Marco Franssen --- charts/spire/README.md | 1 + charts/spire/charts/tornjak-frontend/README.md | 1 + .../spire/charts/tornjak-frontend/templates/deployment.yaml | 4 ++++ charts/spire/charts/tornjak-frontend/values.yaml | 2 ++ 4 files changed, 8 insertions(+) diff --git a/charts/spire/README.md b/charts/spire/README.md index f98eb92e1..7b493f808 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -387,5 +387,6 @@ Kubernetes: `>=1.21.0-0` | tornjak-frontend.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | tornjak-frontend.spireHealthCheck.enabled | bool | `true` | Enables the SPIRE Healthchecker indicator | | tornjak-frontend.tolerations | list | `[]` | | +| tornjak-frontend.topologySpreadConstraints | list | `[]` | | ---------------------------------------------- diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index baa3c7e70..e706d1584 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md 
@@ -71,4 +71,5 @@ port forwarding. See the chart NOTES output for more details. | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | spireHealthCheck.enabled | bool | `true` | Enables the SPIRE Healthchecker indicator | | tolerations | list | `[]` | | +| topologySpreadConstraints | list | `[]` | | ---------------------------------------------- diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index b404a63ee..cef0fabfc 100644 --- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml @@ -63,6 +63,10 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} volumes: - name: cache emptyDir: {} diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 08faf8e6b..5abc2e858 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -49,6 +49,8 @@ affinity: {} tolerations: [] +topologySpreadConstraints: [] + # -- Provide minimal resources to prevent accidental crashes due to resource exhaustion # resources: # requests: From 3df67dbbc05e554a537ee12d90335865639a3a4d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 May 2023 01:04:16 -0700 Subject: [PATCH 27/55] Bump sigstore/cosign-installer from 3.0.3 to 3.0.4 (#286) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4.
Release notes

Sourced from sigstore/cosign-installer's releases.

v3.0.4

Commits
  • 03d0fec Fix unsafe evaluation of inputs.use-sudo (#124)
  • 46b5db7 use intermediate environment variables to avoid risks of script injection (#122)
  • 84448ba we should rely upon the digests not the tags, typos (#121)
  • See full diff in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sigstore/cosign-installer&package-manager=github_actions&previous-version=3.0.3&new-version=3.0.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/helm-release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index 357d9652f..cbfde9834 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -29,7 +29,7 @@ jobs: git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Setup cosign - uses: sigstore/cosign-installer@v3.0.3 + uses: sigstore/cosign-installer@v3.0.4 with: cosign-release: v2.0.2 From 807558bb9c7ea58788127e1c7b02917b79331e84 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 May 2023 10:39:35 +0200 Subject: [PATCH 28/55] Bump helm/kind-action from 1.5.0 to 1.6.0 (#285) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/helm-chart-ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index e6027dd11..465205793 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml @@ -168,7 +168,7 @@ jobs: version: ${{ env.CHART_TESTING_VERSION }} - name: Create kind ${{ matrix.k8s }} cluster - uses: helm/kind-action@v1.5.0 + uses: helm/kind-action@v1.6.0 # Only build a kind cluster if there are chart changes to test. with: version: v0.18.0 From a2da94374c0127ccda5b1f47b548fe01c000d856 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Wed, 17 May 2023 16:25:15 +0200 Subject: [PATCH 29/55] Remove manual dispatch from dummy workflow (#288) --- .github/workflows/helm-chart-ci-ignore.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/helm-chart-ci-ignore.yaml b/.github/workflows/helm-chart-ci-ignore.yaml index d54a1fff8..b5e1ef7a5 100644 
--- a/.github/workflows/helm-chart-ci-ignore.yaml +++ b/.github/workflows/helm-chart-ci-ignore.yaml @@ -1,7 +1,6 @@ name: Helm Chart CI on: - workflow_dispatch: pull_request: types: [synchronize, opened, reopened] paths-ignore: From 31ce704fa8121af866d1f44f9b64e8c14692d5c4 Mon Sep 17 00:00:00 2001 From: Faisal Memon Date: Wed, 17 May 2023 08:49:02 -0700 Subject: [PATCH 30/55] Cleanup maintainer handbook (#287) --- project/maintainers.md | 84 +++++++++++++++++++++--------------------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/project/maintainers.md b/project/maintainers.md index b8b33d029..9de70bccb 100644 --- a/project/maintainers.md +++ b/project/maintainers.md @@ -8,12 +8,12 @@ provide a consistent user interface for those going through the review process. ## The Pull Request -Pull requests are submitted through GitHub. They are contributions to change -the project. There is no difference between code and non-code submissions, in +Pull requests are submitted through GitHub. They are contributions to change +the project. There is no difference between code and non-code submissions, in procedure or policy. -All maintainers should consider that pull requests are gifts. The project -survives due to the effort of frequent contributors and their generosity. As +All maintainers should consider that pull requests are gifts. The project +survives due to the effort of frequent contributors and their generosity. As such, to encourage future submissions, the default approach to handling a merge request should be gratitude, even if the request cannot be merged. 
@@ -25,63 +25,63 @@ There are two primary roles within the scope of a pull request. - Maintainer - one who merges the code. To ensure that all code receives a proper review, these roles are mutually -exclusive for each pull request. Within the scope of a pull request, a +exclusive for each pull request. Within the scope of a pull request, a Committer cannot be a Maintainer, nor can a Maintainer be a Committer. For abandoned pull requests still requiring work, or efforts transferred between people, a Maintainer may become a Committer, invalidating any of their prior -review work. +review work. ### Committers -Committers are people contributing changes to the repository. The first -committer is typically the one that opens the pull request. Additional people +Committers are people contributing changes to the repository. The first +committer is typically the one that opens the pull request. Additional people can become committers in the same merge request if they change the pull request directly. Suggestions to a committer by a maintainer, such as commentary that with a change the merge request might be accepted, does not make a maintainer a -committer, as the committer will choose include the change at their discretion. +committer, as the committer will choose to include the change at their discretion. ### Maintainers -Maintainers hold a dual role in the project. They are ambassadors of the -effort as well as the gatekeepers permitting changes to the repository. As +Maintainers hold a dual role in the project. They are ambassadors of the +effort as well as the gatekeepers permitting changes to the repository. As ambassadors, maintainers must present a fair and impartial demeanor when dealing with contributors. Failure to be fair or impartial reflects poorly on the released product, as -guilt by association taints the product. The process of reviewing a merge -request often includes conflict. 
Contributors can become defensive about work +guilt by association taints the product. The process of reviewing a merge +request often includes conflict. Contributors can become defensive about work they've done while maintainers can become adamant in the changes they request. To prevent a breakdown in the review process, the project encourages all -reviewers to adhere to a standard set of review best practices. Reviewers +reviewers to adhere to a standard set of review best practices. Reviewers should familiarize themselves with these practices and suggest updates to keep the practices relevant over time. ## Review Standards -These standards serve to prevent problems from cropping up during a review. The +These standards serve to prevent problems from cropping up during a review. The intent is that consistent application of these standards permits a consistent review process, leading to repeatable, suprise free, outcomes during a review. The intent of maintaining standards is to enhance productivity and improve team -morale. In the event the standards have a negative impact on productivity or -morale, the standard itself should be questioned. To clarify the kinds of +morale. In the event the standards have a negative impact on productivity or +morale, the standard itself should be questioned. To clarify the kinds of productivity to be improved, the intent is to reduce the time between initial submission of a merge request and its resolution. ### Challenges to the Review Process Whenever possible, a maintainer should not argue a point about the review -standards with a contributor. Instead they should provide this document to the +standards with a contributor. Instead they should provide this document to the contributor, indicating that changes to the review process are to be initiated with a standard-altering Issue. 
In the exceedingly rare situation that a reviewer opts to ignore a review standard during a merge request, the reviewer must indicate they are purposefully -ignoring the standard and the reason why. There are valid reasons to ignore +ignoring the standard and the reason why. There are valid reasons to ignore standards, but whenever possible a maintainer should uphold the standard or change it. @@ -102,20 +102,20 @@ being suggested. ### Review Tempo -Maintainers should set aside and appropriate amount of time when reviewing. The -initial suggestion is one hour. Most reviews will complete well under this time, -but a few will take longer. Longer reviews should include review breaks, so the -reviewer remains fresh and attentive. Attempting a three hour long review often +Maintainers should set aside and appropriate amount of time when reviewing. The +initial suggestion is one hour. Most reviews will complete well under this time, +but a few will take longer. Longer reviews should include review breaks, so the +reviewer remains fresh and attentive. Attempting a three hour long review often yields worse results than two or three shorter efforts with breaks. -The concept of going slow to complete items quickly is not a new one. With a +The concept of going slow to complete items quickly is not a new one. With a little extra time, comments can be thoughtful instead of reactive. ### Review Goals Each review should have a defined set of goals established prior to the main -work of the review. The review process often challenges the committer, in the -hopes of improving the merge request. Keeping the review scoped to goals avoids +work of the review. The review process often challenges the committer, in the +hopes of improving the merge request. Keeping the review scoped to goals avoids scenarios where the reviewer's requests seem capricious or autocratic. The current list of review goals include: 
@@ -141,20 +141,20 @@ goals. Each submission should assume that the committer ran the unit tests and small-scale (not requiring an environment) integration tests prior to submission. -The merge request CI pipeline also runs these tests automatically. Failure to +The merge request CI pipeline also runs these tests automatically. Failure to pass them leads to an automatic call for merge request modification. Attempts to pass this requirement by disabling tests or modifying them such that -they are effectively disabled are strongly discouraged. They violate the review +they are effectively disabled are strongly discouraged. They violate the review goals by reducing maintainability (no new failures will be detected) and possibly functionality (for scenarios outside of the current mindset). -At their leisure, maintainers may suggest code changes make the test suite pass. +At their leisure, maintainers may suggest code changes to make the test suite pass. Doing so is never required, nor part of the minimum duties of a maintainer. ### Reviewer Count -Two passing reviews are required for code to be merged. +Two passing reviews are required for code to be merged. Whenever possible, the number of reviewers should be limited, as each additional reviewer presents an extra set of communication channels between the review and 
@@ -170,20 +170,20 @@ themselves. The amount of possible communication grows such that `commChannels(reviewers) = reviewers + reviewers(reviewers-1)/2` leads to an -`O(n^2)` number of channels. Thus, keeping reviewer count low is critical to +`O(n^2)` number of channels. Thus, keeping reviewer count low is critical to velocity. ### Reviewer Consensus Reviewers should coordinate among themselves when differences of opinion arise -in a review. The first reviewer is likely to make a statement before being +in a review. The first reviewer is likely to make a statement before being aware of the difference of opinion; but, once a difference of opinion is known, the reviewers should coordinate privately to find a unified presentation of the desired features to communicate back to the committer. The committer has no role in the evaluation of options to determine the proper path forward, including them only diminishes the efficiency of the process and -increases the stress they endure while they observe the discussion. Once a path +increases the stress they endure while they observe the discussion. Once a path is agreed upon: - If the request to the committer was reversed, the reviewer making that stance @@ -192,8 +192,8 @@ is agreed upon: present the refined path. If no path forward can be agreed upon, the proposed path that is closest to the -committer submission is the accepted path. This guideline exists to promote -cooperation among reviewers. Ideas of merit which don't become part of the +committer submission is the accepted path. This guideline exists to promote +cooperation among reviewers. Ideas of merit which don't become part of the merge request should be submitted as new issues and reviewed independently. ### Review Automation 
@@ -204,9 +204,9 @@ review process by automating a portion of the process, the reviewer should create an issue and submit it as an improvement to the CI process. Improvements are subject to the same review process and the same review goals -as other committer offerings. Readability, search-ability, understanding, +as other committer offerings. Readability, search-ability, understanding, maintenance, testing, and functionality are goals of the review process just as -they are of the product code. +they are of the product code. Lack of speed in the review process is viewed as a failure to make the process maintainable, understandable, and functional. @@ -214,8 +214,8 @@ maintainable, understandable, and functional. ### Review Communication Reviewers are encouraged to have meaningful dialogues with contributors and -reviewers during a merge request. For these dialogues to be effective, the -purpose of each communication should be considered. Mixing purposes in +reviewers during a merge request. For these dialogues to be effective, the +purpose of each communication should be considered. Mixing purposes in communication creates problems in understanding intent, retarding progress. Scope your communications to move efforts forward. 
@@ -228,10 +228,10 @@ Avoid mixing the following communication scopes: - Information sharing - Brainstorming -Combining these scopes reduce the effectiveness of the communication. Ideally -they should be done in different settings. Mixing a brainstorming session with +Combining these scopes reduce the effectiveness of the communication. Ideally +they should be done in different settings. Mixing a brainstorming session with a decision making session disrupts the evaluation of pros and cons with new -options. Attempting to problem solve a technical issue during a status update +options. Attempting to problem solve a technical issue during a status update draws focus away from identifying the challenges of delivering the project, replacing them with the challenges of solving a single problem in the project. From d1f3cdb909dc6ff0c1da9cb2753081303a0f41bb Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Thu, 27 Apr 2023 14:27:17 -0700 Subject: [PATCH 31/55] Switch image.version to image.tag The convention in most charts is to use image.tag. This patch updates the values to use it instead of the less standard image.version. Signed-off-by: Kevin Fox --- charts/spire/README.md | 20 +++++++++---------- .../spire/charts/spiffe-csi-driver/README.md | 4 ++-- .../charts/spiffe-csi-driver/values.yaml | 4 ++-- .../spiffe-oidc-discovery-provider/README.md | 6 +++--- .../values.yaml | 8 ++++---- charts/spire/charts/spire-agent/README.md | 4 ++-- charts/spire/charts/spire-agent/values.yaml | 4 ++-- charts/spire/charts/spire-server/README.md | 6 +++--- charts/spire/charts/spire-server/values.yaml | 6 +++--- charts/spire/templates/_spire-lib.tpl | 10 +++++----- 10 files changed, 36 insertions(+), 36 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 7b493f808..ec7b7eedf 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -129,7 +129,7 @@ Kubernetes: `>=1.21.0-0`
 | spiffe-csi-driver.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spiffe-csi-driver.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | spiffe-csi-driver.image.repository | string | `"spiffe/spiffe-csi-driver"` | The repository within the registry |
-| spiffe-csi-driver.image.version | string | `""` | Overrides the image tag whose default is the chart appVersion |
+| spiffe-csi-driver.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
 | spiffe-csi-driver.imagePullSecrets | list | `[]` | |
 | spiffe-csi-driver.kubeletPath | string | `"/var/lib/kubelet"` | |
 | spiffe-csi-driver.nameOverride | string | `""` | |
@@ -137,7 +137,7 @@ Kubernetes: `>=1.21.0-0`
 | spiffe-csi-driver.nodeDriverRegistrar.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spiffe-csi-driver.nodeDriverRegistrar.image.registry | string | `"registry.k8s.io"` | The OCI registry to pull the image from |
 | spiffe-csi-driver.nodeDriverRegistrar.image.repository | string | `"sig-storage/csi-node-driver-registrar"` | The repository within the registry |
-| spiffe-csi-driver.nodeDriverRegistrar.image.version | string | `"v2.6.2"` | |
+| spiffe-csi-driver.nodeDriverRegistrar.image.tag | string | `"v2.6.2"` | |
 | spiffe-csi-driver.nodeDriverRegistrar.resources | object | `{}` | |
 | spiffe-csi-driver.nodeSelector | object | `{}` | |
 | spiffe-csi-driver.pluginName | string | `"csi.spiffe.io"` | Set the csi driver name deployed to Kubernetes. |
@@ -170,7 +170,7 @@ Kubernetes: `>=1.21.0-0`
 | spiffe-oidc-discovery-provider.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spiffe-oidc-discovery-provider.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | spiffe-oidc-discovery-provider.image.repository | string | `"spiffe/oidc-discovery-provider"` | The repository within the registry |
-| spiffe-oidc-discovery-provider.image.version | string | `""` | Overrides the image tag whose default is the chart appVersion |
+| spiffe-oidc-discovery-provider.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
 | spiffe-oidc-discovery-provider.imagePullSecrets | list | `[]` | |
 | spiffe-oidc-discovery-provider.ingress.annotations | object | `{}` | |
 | spiffe-oidc-discovery-provider.ingress.className | string | `""` | |
@@ -183,7 +183,7 @@ Kubernetes: `>=1.21.0-0`
 | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
 | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.repository | string | `"nginxinc/nginx-unprivileged"` | The repository within the registry |
-| spiffe-oidc-discovery-provider.insecureScheme.nginx.image.version | string | `"1.23.2-alpine"` | |
+| spiffe-oidc-discovery-provider.insecureScheme.nginx.image.tag | string | `"1.23.2-alpine"` | |
 | spiffe-oidc-discovery-provider.insecureScheme.nginx.resources | object | `{}` | |
 | spiffe-oidc-discovery-provider.nameOverride | string | `""` | |
 | spiffe-oidc-discovery-provider.namespaceOverride | string | `""` | |
@@ -203,7 +203,7 @@ Kubernetes: `>=1.21.0-0`
 | spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
 | spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.image.repository | string | `"nginx/nginx-prometheus-exporter"` | The repository within the registry |
-| spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.image.version | string | `"0.11.0"` | |
+| spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.image.tag | string | `"0.11.0"` | |
 | spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.resources | object | `{}` | |
 | spiffe-oidc-discovery-provider.telemetry.prometheus.podMonitor.enabled | bool | `false` | |
 | spiffe-oidc-discovery-provider.telemetry.prometheus.podMonitor.labels | object | `{}` | |
@@ -222,7 +222,7 @@ Kubernetes: `>=1.21.0-0`
 | spire-agent.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spire-agent.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | spire-agent.image.repository | string | `"spiffe/spire-agent"` | The repository within the registry |
-| spire-agent.image.version | string | `""` | |
+| spire-agent.image.tag | string | `""` | |
 | spire-agent.imagePullSecrets | list | `[]` | |
 | spire-agent.initContainers | list | `[]` | |
 | spire-agent.logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" |
@@ -252,7 +252,7 @@ Kubernetes: `>=1.21.0-0`
 | spire-agent.waitForIt.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spire-agent.waitForIt.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from |
 | spire-agent.waitForIt.image.repository | string | `"chainguard/wait-for-it"` | The repository within the registry |
-| spire-agent.waitForIt.image.version | string | `"latest-20230113"` | |
+| spire-agent.waitForIt.image.tag | string | `"latest-20230113"` | |
 | spire-agent.waitForIt.resources | object | `{}` | |
 | spire-agent.workloadAttestors.k8s.skipKubeletVerification | bool | `true` | If true, kubelet certificate verification is skipped |
 | spire-agent.workloadAttestors.unix.enabled | bool | `false` | enables the Unix workload attestor |
@@ -283,7 +283,7 @@ Kubernetes: `>=1.21.0-0`
 | spire-server.controllerManager.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spire-server.controllerManager.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | spire-server.controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | The repository within the registry |
-| spire-server.controllerManager.image.version | string | `"0.2.2"` | |
+| spire-server.controllerManager.image.tag | string | `"0.2.2"` | |
 | spire-server.controllerManager.resources | object | `{}` | |
 | spire-server.controllerManager.securityContext | object | `{}` | |
 | spire-server.controllerManager.service.annotations | object | `{}` | |
@@ -293,7 +293,7 @@ Kubernetes: `>=1.21.0-0`
 | spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
 | spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.repository | string | `"rancher/kubectl"` | The repository within the registry |
-| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.version | string | `""` | |
+| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.tag | string | `"latest"` | |
 | spire-server.dataStore.sql.databaseName | string | `"spire"` | Only used by "postgres" or "mysql" |
 | spire-server.dataStore.sql.databaseType | string | `"sqlite3"` | Other supported databases are "postgres" and "mysql" |
 | spire-server.dataStore.sql.host | string | `""` | Only used by "postgres" or "mysql" |
@@ -314,7 +314,7 @@ Kubernetes: `>=1.21.0-0`
 | spire-server.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spire-server.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | spire-server.image.repository | string | `"spiffe/spire-server"` | The repository within the registry |
-| spire-server.image.version | string | `""` | Overrides the image tag whose default is the chart appVersion. |
+| spire-server.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | spire-server.imagePullSecrets | list | `[]` | |
 | spire-server.initContainers | list | `[]` | |
 | spire-server.jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain |
diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md
index 0eb23d9fb..9027bebd7 100644
--- a/charts/spire/charts/spiffe-csi-driver/README.md
+++ b/charts/spire/charts/spiffe-csi-driver/README.md
@@ -19,7 +19,7 @@ A Helm chart to install the SPIFFE CSI driver.
 | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | image.repository | string | `"spiffe/spiffe-csi-driver"` | The repository within the registry |
-| image.version | string | `""` | Overrides the image tag whose default is the chart appVersion |
+| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
 | imagePullSecrets | list | `[]` | |
 | kubeletPath | string | `"/var/lib/kubelet"` | |
 | nameOverride | string | `""` | |
@@ -27,7 +27,7 @@ A Helm chart to install the SPIFFE CSI driver.
 | nodeDriverRegistrar.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | nodeDriverRegistrar.image.registry | string | `"registry.k8s.io"` | The OCI registry to pull the image from |
 | nodeDriverRegistrar.image.repository | string | `"sig-storage/csi-node-driver-registrar"` | The repository within the registry |
-| nodeDriverRegistrar.image.version | string | `"v2.6.2"` | |
+| nodeDriverRegistrar.image.tag | string | `"v2.6.2"` | |
 | nodeDriverRegistrar.resources | object | `{}` | |
 | nodeSelector | object | `{}` | |
 | pluginName | string | `"csi.spiffe.io"` | Set the csi driver name deployed to Kubernetes. |
diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml
index 516931236..fbd97be79 100644
--- a/charts/spire/charts/spiffe-csi-driver/values.yaml
+++ b/charts/spire/charts/spiffe-csi-driver/values.yaml
@@ -9,7 +9,7 @@ image: # -- The image pull policy pullPolicy: IfNotPresent # -- Overrides the image tag whose default is the chart appVersion - version: "" + tag: "" resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -63,7 +63,7 @@ nodeDriverRegistrar: repository: sig-storage/csi-node-driver-registrar # -- The image pull policy pullPolicy: IfNotPresent - version: v2.6.2 + tag: v2.6.2 resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index ea7627d77..607a22972 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md @@ -34,7 +34,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | | image.repository | string | `"spiffe/oidc-discovery-provider"` | The repository within the registry | -| image.version | string | `""` | Overrides the image tag whose default is the chart appVersion | +| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | | imagePullSecrets | list | `[]` | | | ingress.annotations | object | `{}` | | | ingress.className | string | `""` | | 
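Review bot: The `version` → `tag` rename in this hunk is consistent with the README and template changes, but the same commit also changes a default that the commit message (described as a pure rename) does not mention: the charts/spire/README.md hunk records `spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.tag` moving from `""` to `"latest"`. `latest` is a mutable tag on the rancher/kubectl hook image, so what the upgrade hook runs can differ between two installs of the same chart version and cannot be reproduced from the chart alone; pinning a specific kubectl version (or a digest) and documenting it with a `# --` comment would keep this commit behaviour-neutral. The spire-server values.yaml hunk that carries that default is outside this view. Separately, the renamed keys quote tag values inconsistently (`tag: v2.6.2` here versus `tag: "0.11.0"` in spiffe-oidc-discovery-provider); quoting all of them, e.g. `tag: "v2.6.2"`, avoids a future tag such as `1.23` being read as a float.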
@@ -47,7 +47,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | insecureScheme.nginx.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | insecureScheme.nginx.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | | insecureScheme.nginx.image.repository | string | `"nginxinc/nginx-unprivileged"` | The repository within the registry | -| insecureScheme.nginx.image.version | string | `"1.23.2-alpine"` | | +| insecureScheme.nginx.image.tag | string | `"1.23.2-alpine"` | | | insecureScheme.nginx.resources | object | `{}` | | | nameOverride | string | `""` | | | namespaceOverride | string | `""` | | @@ -67,7 +67,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | telemetry.prometheus.nginxExporter.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | telemetry.prometheus.nginxExporter.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | | telemetry.prometheus.nginxExporter.image.repository | string | `"nginx/nginx-prometheus-exporter"` | The repository within the registry | -| telemetry.prometheus.nginxExporter.image.version | string | `"0.11.0"` | | +| telemetry.prometheus.nginxExporter.image.tag | string | `"0.11.0"` | | | telemetry.prometheus.nginxExporter.resources | object | `{}` | | | telemetry.prometheus.podMonitor.enabled | bool | `false` | | | telemetry.prometheus.podMonitor.labels | object | `{}` | | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index bf829bcd8..bd5d522e2 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
@@ -17,7 +17,7 @@ image: # -- The image pull policy pullPolicy: IfNotPresent # -- Overrides the image tag whose default is the chart appVersion - version: "" + tag: "" resources: {} # We usually recommend not to specify default resources and to leave this as a conscious @@ -65,13 +65,13 @@ insecureScheme: repository: nginxinc/nginx-unprivileged # -- The image pull policy pullPolicy: IfNotPresent - version: 1.23.2-alpine + tag: 1.23.2-alpine # chainguard image does not support the templates feature # https://github.com/chainguard-images/nginx/issues/43 # registry: cgr.dev # repository: chainguard/nginx # pullPolicy: IfNotPresent - # version: "1.23.2" + # tag: "1.23.2" resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -146,7 +146,7 @@ telemetry: repository: nginx/nginx-prometheus-exporter # -- The image pull policy pullPolicy: IfNotPresent - version: "0.11.0" + tag: "0.11.0" resources: {} # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index a0a5b4d61..46898bb5e 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -25,7 +25,7 @@ A Helm chart to install the SPIRE agent. | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | | image.repository | string | `"spiffe/spire-agent"` | The repository within the registry | -| image.version | string | `""` | | +| image.tag | string | `""` | | | imagePullSecrets | list | `[]` | | | initContainers | list | `[]` | | | logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" | 
@@ -55,7 +55,7 @@ A Helm chart to install the SPIRE agent. | waitForIt.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | waitForIt.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from | | waitForIt.image.repository | string | `"chainguard/wait-for-it"` | The repository within the registry | -| waitForIt.image.version | string | `"latest-20230113"` | | +| waitForIt.image.tag | string | `"latest-20230113"` | | | waitForIt.resources | object | `{}` | | | workloadAttestors.k8s.skipKubeletVerification | bool | `true` | If true, kubelet certificate verification is skipped | | workloadAttestors.unix.enabled | bool | `false` | enables the Unix workload attestor | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 2a1f9d199..2618d2bc5 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -10,7 +10,7 @@ image: # -- The image pull policy pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - version: "" + tag: "" imagePullSecrets: [] nameOverride: "" @@ -86,7 +86,7 @@ waitForIt: repository: chainguard/wait-for-it # -- The image pull policy pullPolicy: IfNotPresent - version: latest-20230113 + tag: latest-20230113 resources: {} # workloadAttestors determine a workload's properties and then generate a set of selectors associated with it. diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index a09b19edb..c3633216c 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -44,7 +44,7 @@ A Helm chart to install the SPIRE server.
 | controllerManager.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | controllerManager.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | The repository within the registry |
-| controllerManager.image.version | string | `"0.2.2"` | |
+| controllerManager.image.tag | string | `"0.2.2"` | |
 | controllerManager.resources | object | `{}` | |
 | controllerManager.securityContext | object | `{}` | |
 | controllerManager.service.annotations | object | `{}` | |
@@ -54,7 +54,7 @@ A Helm chart to install the SPIRE server.
 | controllerManager.validatingWebhookConfiguration.upgradeHook.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | controllerManager.validatingWebhookConfiguration.upgradeHook.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
 | controllerManager.validatingWebhookConfiguration.upgradeHook.image.repository | string | `"rancher/kubectl"` | The repository within the registry |
-| controllerManager.validatingWebhookConfiguration.upgradeHook.image.version | string | `""` | |
+| controllerManager.validatingWebhookConfiguration.upgradeHook.image.tag | string | `"latest"` | |
 | dataStore.sql.databaseName | string | `"spire"` | Only used by "postgres" or "mysql" |
 | dataStore.sql.databaseType | string | `"sqlite3"` | Other supported databases are "postgres" and "mysql" |
 | dataStore.sql.host | string | `""` | Only used by "postgres" or "mysql" |
@@ -75,7 +75,7 @@ A Helm chart to install the SPIRE server. | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | | image.repository | string | `"spiffe/spire-server"` | The repository within the registry | -| image.version | string | `""` | Overrides the image tag whose default is the chart appVersion. | +| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | | | initContainers | list | `[]` | | | jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 094fbc11c..c53c2fbaf 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -13,7 +13,7 @@ image: # -- The image pull policy pullPolicy: IfNotPresent # -- Overrides the image tag whose default is the chart appVersion. - version: "" + tag: "" imagePullSecrets: [] nameOverride: "" @@ -170,7 +170,7 @@ controllerManager: # -- The image pull policy pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - version: "0.2.2" + tag: "0.2.2" resources: {} # We usually recommend not to specify default resources and to leave this as a conscious @@ -229,7 +229,7 @@ controllerManager: repository: rancher/kubectl # -- The image pull policy pullPolicy: IfNotPresent - version: "" + tag: latest telemetry: prometheus: diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl index 4c0c49214..d32bffb27 100644 --- a/charts/spire/templates/_spire-lib.tpl +++ b/charts/spire/templates/_spire-lib.tpl 
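Review bot: The `@@ -229,7 +229,7` hunk of spire-server/values.yaml changes the upgradeHook default from `version: ""` to `tag: latest` for `rancher/kubectl`, which is a behaviour change rather than a rename: with `pullPolicy: IfNotPresent` the hook that patches the webhook configuration runs whatever `latest` each node last cached, so it is neither reproducible nor auditable against a known build. Pin the hook to a release tag or, if it is rendered through `spire-lib.image` (which resolves a `sha256:` prefix to an `@digest` reference), to a digest, e.g. `tag: "sha256:<DIGEST-PLACEHOLDER>"`, and state that in the comment above the key. The same `latest` default is carried into the README hunk `@@ -54,7 +54,7` and is re-documented without pinning in the later "Add documentation for all image.tag values" commit at its `@@ -229,6 +229,7` hunk.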
@@ -40,12 +40,12 @@ {{- define "spire-lib.image" -}} {{- $registry := include "spire-lib.registry" . }} -{{- if eq (substr 0 7 .image.version) "sha256:" -}} -{{- printf "%s/%s@%s" $registry .image.repository .image.version -}} +{{- if eq (substr 0 7 .image.tag) "sha256:" -}} +{{- printf "%s/%s@%s" $registry .image.repository .image.tag -}} {{- else if .appVersion -}} -{{- printf "%s/%s:%s" $registry .image.repository (default .appVersion .image.version) -}} -{{- else if .image.version -}} -{{- printf "%s/%s:%s" $registry .image.repository .image.version -}} +{{- printf "%s/%s:%s" $registry .image.repository (default .appVersion .image.tag) -}} +{{- else if .image.tag -}} +{{- printf "%s/%s:%s" $registry .image.repository .image.tag -}} {{- else -}} {{- printf "%s/%s" $registry .image.repository -}} {{- end -}} From 59e422b9e3323aa268e0052831cc3625ff62ff94 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Wed, 17 May 2023 10:46:12 +0200 Subject: [PATCH 32/55] Add documentation for all image.tag values Signed-off-by: Marco Franssen --- charts/spire/README.md | 14 +++++++------- charts/spire/charts/spiffe-csi-driver/README.md | 2 +- charts/spire/charts/spiffe-csi-driver/values.yaml | 1 + .../spiffe-oidc-discovery-provider/README.md | 4 ++-- .../spiffe-oidc-discovery-provider/values.yaml | 2 ++ charts/spire/charts/spire-agent/README.md | 4 ++-- charts/spire/charts/spire-agent/values.yaml | 5 +++-- charts/spire/charts/spire-server/README.md | 4 ++-- charts/spire/charts/spire-server/values.yaml | 3 ++- 9 files changed, 22 insertions(+), 17 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index ec7b7eedf..3637d7fa3 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
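Review bot: After this rename `spire-lib.image` reads only `.image.tag`, so a values file that still sets `image.version` is silently ignored — the helper falls through to `default .appVersion .image.tag` or to the bare `registry/repository` reference and the operator's pinned version is replaced without any render error. Until a deprecation path exists, a guard at the top of the define such as `{{- if .image.version }}{{ fail "image.version is deprecated, use image.tag" }}{{ end }}` makes the migration fail loudly instead of quietly unpinning images. The final `else` branch also deserves a comment, because an untagged reference is resolved by the container runtime as `latest`: `{{- /* no tag and no appVersion: the runtime resolves this as :latest */ -}}`. The `sha256:` branch is worth surfacing in the README rows this commit touches, since `tag: "sha256:<digest>"` is the only immutable pin the chart offers and none of the "Overrides the image tag" descriptions mention it.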
@@ -137,7 +137,7 @@ Kubernetes: `>=1.21.0-0`
 | spiffe-csi-driver.nodeDriverRegistrar.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spiffe-csi-driver.nodeDriverRegistrar.image.registry | string | `"registry.k8s.io"` | The OCI registry to pull the image from |
 | spiffe-csi-driver.nodeDriverRegistrar.image.repository | string | `"sig-storage/csi-node-driver-registrar"` | The repository within the registry |
-| spiffe-csi-driver.nodeDriverRegistrar.image.tag | string | `"v2.6.2"` | |
+| spiffe-csi-driver.nodeDriverRegistrar.image.tag | string | `"v2.6.2"` | Overrides the image tag |
 | spiffe-csi-driver.nodeDriverRegistrar.resources | object | `{}` | |
 | spiffe-csi-driver.nodeSelector | object | `{}` | |
 | spiffe-csi-driver.pluginName | string | `"csi.spiffe.io"` | Set the csi driver name deployed to Kubernetes. |
@@ -183,7 +183,7 @@ Kubernetes: `>=1.21.0-0`
 | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
 | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.repository | string | `"nginxinc/nginx-unprivileged"` | The repository within the registry |
-| spiffe-oidc-discovery-provider.insecureScheme.nginx.image.tag | string | `"1.23.2-alpine"` | |
+| spiffe-oidc-discovery-provider.insecureScheme.nginx.image.tag | string | `"1.23.2-alpine"` | Overrides the image tag |
 | spiffe-oidc-discovery-provider.insecureScheme.nginx.resources | object | `{}` | |
 | spiffe-oidc-discovery-provider.nameOverride | string | `""` | |
 | spiffe-oidc-discovery-provider.namespaceOverride | string | `""` | |
@@ -203,7 +203,7 @@ Kubernetes: `>=1.21.0-0`
 | spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
 | spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.image.repository | string | `"nginx/nginx-prometheus-exporter"` | The repository within the registry |
-| spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.image.tag | string | `"0.11.0"` | |
+| spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.image.tag | string | `"0.11.0"` | Overrides the image tag |
 | spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.resources | object | `{}` | |
 | spiffe-oidc-discovery-provider.telemetry.prometheus.podMonitor.enabled | bool | `false` | |
 | spiffe-oidc-discovery-provider.telemetry.prometheus.podMonitor.labels | object | `{}` | |
@@ -222,7 +222,7 @@ Kubernetes: `>=1.21.0-0`
 | spire-agent.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spire-agent.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | spire-agent.image.repository | string | `"spiffe/spire-agent"` | The repository within the registry |
-| spire-agent.image.tag | string | `""` | |
+| spire-agent.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | spire-agent.imagePullSecrets | list | `[]` | |
 | spire-agent.initContainers | list | `[]` | |
 | spire-agent.logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" |
@@ -252,7 +252,7 @@ Kubernetes: `>=1.21.0-0`
 | spire-agent.waitForIt.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spire-agent.waitForIt.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from |
 | spire-agent.waitForIt.image.repository | string | `"chainguard/wait-for-it"` | The repository within the registry |
-| spire-agent.waitForIt.image.tag | string | `"latest-20230113"` | |
+| spire-agent.waitForIt.image.tag | string | `"latest"` | Overrides the image tag |
 | spire-agent.waitForIt.resources | object | `{}` | |
 | spire-agent.workloadAttestors.k8s.skipKubeletVerification | bool | `true` | If true, kubelet certificate verification is skipped |
 | spire-agent.workloadAttestors.unix.enabled | bool | `false` | enables the Unix workload attestor |
@@ -283,7 +283,7 @@ Kubernetes: `>=1.21.0-0`
 | spire-server.controllerManager.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spire-server.controllerManager.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | spire-server.controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | The repository within the registry |
-| spire-server.controllerManager.image.tag | string | `"0.2.2"` | |
+| spire-server.controllerManager.image.tag | string | `"0.2.2"` | Overrides the image tag |
 | spire-server.controllerManager.resources | object | `{}` | |
 | spire-server.controllerManager.securityContext | object | `{}` | |
 | spire-server.controllerManager.service.annotations | object | `{}` | |
@@ -293,7 +293,7 @@ Kubernetes: `>=1.21.0-0`
 | spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
 | spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.repository | string | `"rancher/kubectl"` | The repository within the registry |
-| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.tag | string | `"latest"` | |
+| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.tag | string | `"latest"` | Overrides the image tag |
 | spire-server.dataStore.sql.databaseName | string | `"spire"` | Only used by "postgres" or "mysql" |
 | spire-server.dataStore.sql.databaseType | string | `"sqlite3"` | Other supported databases are "postgres" and "mysql" |
 | spire-server.dataStore.sql.host | string | `""` | Only used by "postgres" or "mysql" |
diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md
index 9027bebd7..a2dd166b6 100644
--- a/charts/spire/charts/spiffe-csi-driver/README.md
+++ b/charts/spire/charts/spiffe-csi-driver/README.md
@@ -27,7 +27,7 @@ A Helm chart to install the SPIFFE CSI driver. | nodeDriverRegistrar.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | nodeDriverRegistrar.image.registry | string | `"registry.k8s.io"` | The OCI registry to pull the image from | | nodeDriverRegistrar.image.repository | string | `"sig-storage/csi-node-driver-registrar"` | The repository within the registry | -| nodeDriverRegistrar.image.tag | string | `"v2.6.2"` | | +| nodeDriverRegistrar.image.tag | string | `"v2.6.2"` | Overrides the image tag | | nodeDriverRegistrar.resources | object | `{}` | | | nodeSelector | object | `{}` | | | pluginName | string | `"csi.spiffe.io"` | Set the csi driver name deployed to Kubernetes. | diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml index fbd97be79..e07ff131e 100644 --- a/charts/spire/charts/spiffe-csi-driver/values.yaml +++ b/charts/spire/charts/spiffe-csi-driver/values.yaml @@ -63,6 +63,7 @@ nodeDriverRegistrar: repository: sig-storage/csi-node-driver-registrar # -- The image pull policy pullPolicy: IfNotPresent + # -- Overrides the image tag tag: v2.6.2 resources: {} # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 607a22972..04dd1cc73 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -47,7 +47,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | insecureScheme.nginx.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | insecureScheme.nginx.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
 | insecureScheme.nginx.image.repository | string | `"nginxinc/nginx-unprivileged"` | The repository within the registry |
-| insecureScheme.nginx.image.tag | string | `"1.23.2-alpine"` | |
+| insecureScheme.nginx.image.tag | string | `"1.23.2-alpine"` | Overrides the image tag |
 | insecureScheme.nginx.resources | object | `{}` | |
 | nameOverride | string | `""` | |
 | namespaceOverride | string | `""` | |
@@ -67,7 +67,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | telemetry.prometheus.nginxExporter.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | telemetry.prometheus.nginxExporter.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
 | telemetry.prometheus.nginxExporter.image.repository | string | `"nginx/nginx-prometheus-exporter"` | The repository within the registry |
-| telemetry.prometheus.nginxExporter.image.tag | string | `"0.11.0"` | |
+| telemetry.prometheus.nginxExporter.image.tag | string | `"0.11.0"` | Overrides the image tag |
 | telemetry.prometheus.nginxExporter.resources | object | `{}` | |
 | telemetry.prometheus.podMonitor.enabled | bool | `false` | |
 | telemetry.prometheus.podMonitor.labels | object | `{}` | |
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
index bd5d522e2..9243ba7a6 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
@@ -65,6 +65,7 @@ insecureScheme: repository: nginxinc/nginx-unprivileged # -- The image pull policy pullPolicy: IfNotPresent + # -- Overrides the image tag tag: 1.23.2-alpine # chainguard image does not support the templates feature # https://github.com/chainguard-images/nginx/issues/43 @@ -146,6 +147,7 @@ telemetry: repository: nginx/nginx-prometheus-exporter # -- The image pull policy pullPolicy: IfNotPresent + # -- Overrides the image tag tag: "0.11.0" resources: {} diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 46898bb5e..36f22ce39 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -25,7 +25,7 @@ A Helm chart to install the SPIRE agent. | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | | image.repository | string | `"spiffe/spire-agent"` | The repository within the registry | -| image.tag | string | `""` | | +| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | | | initContainers | list | `[]` | | | logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" | 
@@ -55,7 +55,7 @@ A Helm chart to install the SPIRE agent. | waitForIt.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | waitForIt.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from | | waitForIt.image.repository | string | `"chainguard/wait-for-it"` | The repository within the registry | -| waitForIt.image.tag | string | `"latest-20230113"` | | +| waitForIt.image.tag | string | `"latest"` | Overrides the image tag | | waitForIt.resources | object | `{}` | | | workloadAttestors.k8s.skipKubeletVerification | bool | `true` | If true, kubelet certificate verification is skipped | | workloadAttestors.unix.enabled | bool | `false` | enables the Unix workload attestor | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 2618d2bc5..872737ff7 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -9,7 +9,7 @@ image: repository: spiffe/spire-agent # -- The image pull policy pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. + # -- Overrides the image tag whose default is the chart appVersion. tag: "" imagePullSecrets: [] @@ -86,7 +86,8 @@ waitForIt: repository: chainguard/wait-for-it # -- The image pull policy pullPolicy: IfNotPresent - tag: latest-20230113 + # -- Overrides the image tag + tag: latest resources: {} # workloadAttestors determine a workload's properties and then generate a set of selectors associated with it. diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index c3633216c..f0fa3a3f8 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
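Review bot: The `@@ -86,7 +86,8` hunk of spire-agent/values.yaml changes `waitForIt.image.tag` from the dated `latest-20230113` to the floating `latest` while adding its doc comment, which is a behaviour change hidden inside a documentation commit and not mentioned in the commit message. A floating tag on the `cgr.dev/chainguard/wait-for-it` init container with `pullPolicy: IfNotPresent` means nodes may run different binaries and the image cannot be audited against a known build. Keep the dated tag and let the comment be the only edit in this hunk, i.e. `# -- Overrides the image tag` followed by `tag: latest-20230113`. The README rows at `@@ -252,7` and `@@ -55,7` pick up the same `latest` value, and the next commit in the series re-pins it to `latest-20230517`, which suggests the unpinning here was unintended.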
@@ -44,7 +44,7 @@ A Helm chart to install the SPIRE server.
 | controllerManager.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | controllerManager.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | The repository within the registry |
-| controllerManager.image.tag | string | `"0.2.2"` | |
+| controllerManager.image.tag | string | `"0.2.2"` | Overrides the image tag |
 | controllerManager.resources | object | `{}` | |
 | controllerManager.securityContext | object | `{}` | |
 | controllerManager.service.annotations | object | `{}` | |
@@ -54,7 +54,7 @@ A Helm chart to install the SPIRE server.
 | controllerManager.validatingWebhookConfiguration.upgradeHook.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | controllerManager.validatingWebhookConfiguration.upgradeHook.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
 | controllerManager.validatingWebhookConfiguration.upgradeHook.image.repository | string | `"rancher/kubectl"` | The repository within the registry |
-| controllerManager.validatingWebhookConfiguration.upgradeHook.image.tag | string | `"latest"` | |
+| controllerManager.validatingWebhookConfiguration.upgradeHook.image.tag | string | `"latest"` | Overrides the image tag |
 | dataStore.sql.databaseName | string | `"spire"` | Only used by "postgres" or "mysql" |
 | dataStore.sql.databaseType | string | `"sqlite3"` | Other supported databases are "postgres" and "mysql" |
 | dataStore.sql.host | string | `""` | Only used by "postgres" or "mysql" |
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index c53c2fbaf..6b01d9007 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -169,7 +169,7 @@ controllerManager: repository: spiffe/spire-controller-manager # -- The image pull policy pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. + # -- Overrides the image tag tag: "0.2.2" resources: {} @@ -229,6 +229,7 @@ controllerManager: repository: rancher/kubectl # -- The image pull policy pullPolicy: IfNotPresent + # -- Overrides the image tag tag: latest telemetry: From d850486478a4e451e5695764523a06e38eaf6602 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Wed, 17 May 2023 10:54:00 +0200 Subject: [PATCH 33/55] Instead of removing version, first deprecate version Deprecating version allows users of the chart to have a migration path Signed-off-by: Marco Franssen --- charts/spire/README.md | 14 +++++++++++-- .../spire/charts/spiffe-csi-driver/README.md | 2 ++ .../charts/spiffe-csi-driver/values.yaml | 4 ++++ .../spiffe-oidc-discovery-provider/README.md | 3 +++ .../values.yaml | 6 ++++++ charts/spire/charts/spire-agent/README.md | 4 +++- charts/spire/charts/spire-agent/values.yaml | 6 +++++- charts/spire/charts/spire-server/README.md | 5 ++++- charts/spire/charts/spire-server/values.yaml | 8 +++++++- charts/spire/templates/_spire-lib.tpl | 20 ++++++++++--------- 10 files changed, 57 insertions(+), 15 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 3637d7fa3..7cb50a3ef 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -130,6 +130,7 @@ Kubernetes: `>=1.21.0-0` | spiffe-csi-driver.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | | spiffe-csi-driver.image.repository | string | `"spiffe/spiffe-csi-driver"` | The repository within the registry | | spiffe-csi-driver.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | +| spiffe-csi-driver.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spiffe-csi-driver.imagePullSecrets | list | `[]` | | | spiffe-csi-driver.kubeletPath | string | `"/var/lib/kubelet"` | | | spiffe-csi-driver.nameOverride | string | `""` | | @@ -138,6 +139,7 @@ Kubernetes: `>=1.21.0-0` | spiffe-csi-driver.nodeDriverRegistrar.image.registry | string | `"registry.k8s.io"` | The OCI registry to pull the image from | | spiffe-csi-driver.nodeDriverRegistrar.image.repository | string | `"sig-storage/csi-node-driver-registrar"` | The repository within the registry | | spiffe-csi-driver.nodeDriverRegistrar.image.tag | string | `"v2.6.2"` | Overrides the image tag | +| spiffe-csi-driver.nodeDriverRegistrar.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spiffe-csi-driver.nodeDriverRegistrar.resources | object | `{}` | | | spiffe-csi-driver.nodeSelector | object | `{}` | | | spiffe-csi-driver.pluginName | string | `"csi.spiffe.io"` | Set the csi driver name deployed to Kubernetes. | 
@@ -171,6 +173,7 @@ Kubernetes: `>=1.21.0-0` | spiffe-oidc-discovery-provider.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | | spiffe-oidc-discovery-provider.image.repository | string | `"spiffe/oidc-discovery-provider"` | The repository within the registry | | spiffe-oidc-discovery-provider.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | +| spiffe-oidc-discovery-provider.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spiffe-oidc-discovery-provider.imagePullSecrets | list | `[]` | | | spiffe-oidc-discovery-provider.ingress.annotations | object | `{}` | | | spiffe-oidc-discovery-provider.ingress.className | string | `""` | | @@ -184,6 +187,7 @@ Kubernetes: `>=1.21.0-0` | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.repository | string | `"nginxinc/nginx-unprivileged"` | The repository within the registry | | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.tag | string | `"1.23.2-alpine"` | Overrides the image tag | +| spiffe-oidc-discovery-provider.insecureScheme.nginx.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spiffe-oidc-discovery-provider.insecureScheme.nginx.resources | object | `{}` | | | spiffe-oidc-discovery-provider.nameOverride | string | `""` | | | spiffe-oidc-discovery-provider.namespaceOverride | string | `""` | | 
@@ -204,6 +208,7 @@ Kubernetes: `>=1.21.0-0` | spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | | spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.image.repository | string | `"nginx/nginx-prometheus-exporter"` | The repository within the registry | | spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.image.tag | string | `"0.11.0"` | Overrides the image tag | +| spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spiffe-oidc-discovery-provider.telemetry.prometheus.nginxExporter.resources | object | `{}` | | | spiffe-oidc-discovery-provider.telemetry.prometheus.podMonitor.enabled | bool | `false` | | | spiffe-oidc-discovery-provider.telemetry.prometheus.podMonitor.labels | object | `{}` | | @@ -223,6 +228,7 @@ Kubernetes: `>=1.21.0-0` | spire-agent.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | | spire-agent.image.repository | string | `"spiffe/spire-agent"` | The repository within the registry | | spire-agent.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | +| spire-agent.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spire-agent.imagePullSecrets | list | `[]` | | | spire-agent.initContainers | list | `[]` | | | spire-agent.logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" | 
@@ -252,7 +258,8 @@ Kubernetes: `>=1.21.0-0` | spire-agent.waitForIt.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | spire-agent.waitForIt.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from | | spire-agent.waitForIt.image.repository | string | `"chainguard/wait-for-it"` | The repository within the registry | -| spire-agent.waitForIt.image.tag | string | `"latest"` | Overrides the image tag | +| spire-agent.waitForIt.image.tag | string | `"latest-20230517"` | Overrides the image tag | +| spire-agent.waitForIt.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spire-agent.waitForIt.resources | object | `{}` | | | spire-agent.workloadAttestors.k8s.skipKubeletVerification | bool | `true` | If true, kubelet certificate verification is skipped | | spire-agent.workloadAttestors.unix.enabled | bool | `false` | enables the Unix workload attestor | @@ -284,6 +291,7 @@ Kubernetes: `>=1.21.0-0` | spire-server.controllerManager.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | | spire-server.controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | The repository within the registry | | spire-server.controllerManager.image.tag | string | `"0.2.2"` | Overrides the image tag | +| spire-server.controllerManager.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spire-server.controllerManager.resources | object | `{}` | | | spire-server.controllerManager.securityContext | object | `{}` | | | spire-server.controllerManager.service.annotations | object | `{}` | | 
@@ -293,7 +301,8 @@ Kubernetes: `>=1.21.0-0`
 | spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
 | spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.repository | string | `"rancher/kubectl"` | The repository within the registry |
-| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.tag | string | `"latest"` | Overrides the image tag |
+| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.tag | string | `""` | Overrides the image tag |
+| spire-server.controllerManager.validatingWebhookConfiguration.upgradeHook.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | spire-server.dataStore.sql.databaseName | string | `"spire"` | Only used by "postgres" or "mysql" |
 | spire-server.dataStore.sql.databaseType | string | `"sqlite3"` | Other supported databases are "postgres" and "mysql" |
 | spire-server.dataStore.sql.host | string | `""` | Only used by "postgres" or "mysql" |
@@ -315,6 +324,7 @@ Kubernetes: `>=1.21.0-0`
 | spire-server.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | spire-server.image.repository | string | `"spiffe/spire-server"` | The repository within the registry |
 | spire-server.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
+| spire-server.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | spire-server.imagePullSecrets | list | `[]` | |
 | spire-server.initContainers | list | `[]` | |
 | spire-server.jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain |
diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md
index a2dd166b6..b759f31ce 100644
--- a/charts/spire/charts/spiffe-csi-driver/README.md
+++ b/charts/spire/charts/spiffe-csi-driver/README.md
@@ -20,6 +20,7 @@ A Helm chart to install the SPIFFE CSI driver.
 | image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | image.repository | string | `"spiffe/spiffe-csi-driver"` | The repository within the registry |
 | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
+| image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | imagePullSecrets | list | `[]` | |
 | kubeletPath | string | `"/var/lib/kubelet"` | |
 | nameOverride | string | `""` | |
@@ -28,6 +29,7 @@ A Helm chart to install the SPIFFE CSI driver.
 | nodeDriverRegistrar.image.registry | string | `"registry.k8s.io"` | The OCI registry to pull the image from |
 | nodeDriverRegistrar.image.repository | string | `"sig-storage/csi-node-driver-registrar"` | The repository within the registry |
 | nodeDriverRegistrar.image.tag | string | `"v2.6.2"` | Overrides the image tag |
+| nodeDriverRegistrar.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | nodeDriverRegistrar.resources | object | `{}` | |
 | nodeSelector | object | `{}` | |
 | pluginName | string | `"csi.spiffe.io"` | Set the csi driver name deployed to Kubernetes. |
diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml
index e07ff131e..182545202 100644
--- a/charts/spire/charts/spiffe-csi-driver/values.yaml
+++ b/charts/spire/charts/spiffe-csi-driver/values.yaml
@@ -8,6 +8,8 @@ image:
 repository: spiffe/spiffe-csi-driver
 # -- The image pull policy
 pullPolicy: IfNotPresent
+ # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+ version: ""
 # -- Overrides the image tag whose default is the chart appVersion
 tag: ""
 resources: {}
@@ -63,6 +65,8 @@ nodeDriverRegistrar:
 repository: sig-storage/csi-node-driver-registrar
 # -- The image pull policy
 pullPolicy: IfNotPresent
+ # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+ version: ""
 # -- Overrides the image tag
 tag: v2.6.2
 resources: {}
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
index 04dd1cc73..48ee4dfcb 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
@@ -35,6 +35,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | image.repository | string | `"spiffe/oidc-discovery-provider"` | The repository within the registry |
 | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
+| image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | imagePullSecrets | list | `[]` | |
 | ingress.annotations | object | `{}` | |
 | ingress.className | string | `""` | |
@@ -48,6 +49,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | insecureScheme.nginx.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
 | insecureScheme.nginx.image.repository | string | `"nginxinc/nginx-unprivileged"` | The repository within the registry |
 | insecureScheme.nginx.image.tag | string | `"1.23.2-alpine"` | Overrides the image tag |
+| insecureScheme.nginx.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | insecureScheme.nginx.resources | object | `{}` | |
 | nameOverride | string | `""` | |
 | namespaceOverride | string | `""` | |
@@ -68,6 +70,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | telemetry.prometheus.nginxExporter.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
 | telemetry.prometheus.nginxExporter.image.repository | string | `"nginx/nginx-prometheus-exporter"` | The repository within the registry |
 | telemetry.prometheus.nginxExporter.image.tag | string | `"0.11.0"` | Overrides the image tag |
+| telemetry.prometheus.nginxExporter.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | telemetry.prometheus.nginxExporter.resources | object | `{}` | |
 | telemetry.prometheus.podMonitor.enabled | bool | `false` | |
 | telemetry.prometheus.podMonitor.labels | object | `{}` | |
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
index 9243ba7a6..f0b507126 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
@@ -16,6 +16,8 @@ image:
 repository: spiffe/oidc-discovery-provider
 # -- The image pull policy
 pullPolicy: IfNotPresent
+ # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+ version: ""
 # -- Overrides the image tag whose default is the chart appVersion
 tag: ""
@@ -65,6 +67,8 @@ insecureScheme:
 repository: nginxinc/nginx-unprivileged
 # -- The image pull policy
 pullPolicy: IfNotPresent
+ # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+ version: ""
 # -- Overrides the image tag
 tag: 1.23.2-alpine
 # chainguard image does not support the templates feature
@@ -147,6 +151,8 @@ telemetry:
 repository: nginx/nginx-prometheus-exporter
 # -- The image pull policy
 pullPolicy: IfNotPresent
+ # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+ version: ""
 # -- Overrides the image tag
 tag: "0.11.0"
diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md
index 36f22ce39..05b24af6c 100644
--- a/charts/spire/charts/spire-agent/README.md
+++ b/charts/spire/charts/spire-agent/README.md
@@ -26,6 +26,7 @@ A Helm chart to install the SPIRE agent.
 | image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | image.repository | string | `"spiffe/spire-agent"` | The repository within the registry |
 | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
+| image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | imagePullSecrets | list | `[]` | |
 | initContainers | list | `[]` | |
 | logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" |
@@ -55,7 +56,8 @@ A Helm chart to install the SPIRE agent.
 | waitForIt.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | waitForIt.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from |
 | waitForIt.image.repository | string | `"chainguard/wait-for-it"` | The repository within the registry |
-| waitForIt.image.tag | string | `"latest"` | Overrides the image tag |
+| waitForIt.image.tag | string | `"latest-20230517"` | Overrides the image tag |
+| waitForIt.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | waitForIt.resources | object | `{}` | |
 | workloadAttestors.k8s.skipKubeletVerification | bool | `true` | If true, kubelet certificate verification is skipped |
 | workloadAttestors.unix.enabled | bool | `false` | enables the Unix workload attestor |
diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml
index 872737ff7..afd44533c 100644
--- a/charts/spire/charts/spire-agent/values.yaml
+++ b/charts/spire/charts/spire-agent/values.yaml
@@ -9,6 +9,8 @@ image:
 repository: spiffe/spire-agent
 # -- The image pull policy
 pullPolicy: IfNotPresent
+ # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+ version: ""
 # -- Overrides the image tag whose default is the chart appVersion.
 tag: ""
@@ -86,8 +88,10 @@ waitForIt:
 repository: chainguard/wait-for-it
 # -- The image pull policy
 pullPolicy: IfNotPresent
+ # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+ version: ""
 # -- Overrides the image tag
- tag: latest
+ tag: latest-20230517
 resources: {}
 # workloadAttestors determine a workload's properties and then generate a set of selectors associated with it.
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index f0fa3a3f8..d0ab19fcd 100644
--- a/charts/spire/charts/spire-server/README.md
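Review bot: `tag: latest-20230517` for `waitForIt.image` is still a mutable tag, so the init image can change under an existing release, and with `pullPolicy: IfNotPresent` (context line above) different nodes can keep running different content. `spire-lib.image` in this same commit already renders `registry/repo@<digest>` when the tag starts with `sha256:`, so the default could pin a digest, e.g. `tag: "sha256:<DIGEST-OF-INTENDED-WAIT-FOR-IT-BUILD>"` (placeholder), with the date-stamped tag kept in the comment for readability. Failing that, the `# -- Overrides the image tag` comment should say that the default is not immutable. The `rancher/kubectl` upgradeHook default in spire-server/values.yaml in this same commit has the same shape, though it at least drops `latest`.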
+++ b/charts/spire/charts/spire-server/README.md
@@ -45,6 +45,7 @@ A Helm chart to install the SPIRE server.
 | controllerManager.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | The repository within the registry |
 | controllerManager.image.tag | string | `"0.2.2"` | Overrides the image tag |
+| controllerManager.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | controllerManager.resources | object | `{}` | |
 | controllerManager.securityContext | object | `{}` | |
 | controllerManager.service.annotations | object | `{}` | |
@@ -54,7 +55,8 @@ A Helm chart to install the SPIRE server.
 | controllerManager.validatingWebhookConfiguration.upgradeHook.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | controllerManager.validatingWebhookConfiguration.upgradeHook.image.registry | string | `"docker.io"` | The OCI registry to pull the image from |
 | controllerManager.validatingWebhookConfiguration.upgradeHook.image.repository | string | `"rancher/kubectl"` | The repository within the registry |
-| controllerManager.validatingWebhookConfiguration.upgradeHook.image.tag | string | `"latest"` | Overrides the image tag |
+| controllerManager.validatingWebhookConfiguration.upgradeHook.image.tag | string | `""` | Overrides the image tag |
+| controllerManager.validatingWebhookConfiguration.upgradeHook.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | dataStore.sql.databaseName | string | `"spire"` | Only used by "postgres" or "mysql" |
 | dataStore.sql.databaseType | string | `"sqlite3"` | Other supported databases are "postgres" and "mysql" |
 | dataStore.sql.host | string | `""` | Only used by "postgres" or "mysql" |
@@ -76,6 +78,7 @@ A Helm chart to install the SPIRE server.
 | image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
 | image.repository | string | `"spiffe/spire-server"` | The repository within the registry |
 | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
+| image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | imagePullSecrets | list | `[]` | |
 | initContainers | list | `[]` | |
 | jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain |
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index 6b01d9007..21558de32 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -12,6 +12,8 @@ image:
 repository: spiffe/spire-server
 # -- The image pull policy
 pullPolicy: IfNotPresent
+ # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+ version: ""
 # -- Overrides the image tag whose default is the chart appVersion.
 tag: ""
@@ -169,6 +171,8 @@ controllerManager:
 repository: spiffe/spire-controller-manager
 # -- The image pull policy
 pullPolicy: IfNotPresent
+ # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+ version: ""
 # -- Overrides the image tag
 tag: "0.2.2"
@@ -229,8 +233,10 @@ controllerManager:
 repository: rancher/kubectl
 # -- The image pull policy
 pullPolicy: IfNotPresent
+ # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+ version: ""
 # -- Overrides the image tag
- tag: latest
+ tag: ""
 telemetry:
 prometheus:
diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl
index d32bffb27..ca059d97b 100644
--- a/charts/spire/templates/_spire-lib.tpl
+++ b/charts/spire/templates/_spire-lib.tpl
@@ -40,13 +40,15 @@
 {{- define "spire-lib.image" -}}
 {{- $registry := include "spire-lib.registry" . }}
-{{- if eq (substr 0 7 .image.tag) "sha256:" -}}
-{{- printf "%s/%s@%s" $registry .image.repository .image.tag -}}
-{{- else if .appVersion -}}
-{{- printf "%s/%s:%s" $registry .image.repository (default .appVersion .image.tag) -}}
-{{- else if .image.tag -}}
-{{- printf "%s/%s:%s" $registry .image.repository .image.tag -}}
-{{- else -}}
-{{- printf "%s/%s" $registry .image.repository -}}
-{{- end -}}
+{{- $repo := .image.repository }}
+{{- $tag := (default .image.tag .image.version) | toString }}
+{{- if eq (substr 0 7 $tag) "sha256:" }}
+{{- printf "%s/%s@%s" $registry $repo $tag }}
+{{- else if .appVersion }}
+{{- printf "%s/%s:%s" $registry $repo (default .appVersion $tag) }}
+{{- else if $tag }}
+{{- printf "%s/%s:%s" $registry $repo $tag }}
+{{- else }}
+{{- printf "%s/%s" $registry $repo }}
+{{- end }}
 {{- end }}
From 300d1ccf2829123833cec96e620bcc38285cafae Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Wed, 17 May 2023 13:59:08 +0200
Subject: [PATCH 34/55] Apply deprecation of image.version to Tornjak
Signed-off-by: Marco Franssen
---
 charts/spire/README.md | 8 +++++---
 charts/spire/charts/spire-server/README.md | 5 +++--
 charts/spire/charts/spire-server/values.yaml | 6 ++++--
 charts/spire/charts/tornjak-frontend/README.md | 3 ++-
 charts/spire/charts/tornjak-frontend/values.yaml | 4 +++-
 5 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/charts/spire/README.md b/charts/spire/README.md
index 7cb50a3ef..5481d8c5b 100644
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
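Review bot: `default .image.tag .image.version` gives the deprecated `image.version` precedence over `image.tag` whenever both are non-empty, so an operator who moves to `image.tag` while still carrying an old `image.version` override keeps pulling the old image with nothing at render time pointing out the conflict. Keeping `version` as the winner is defensible for backward compatibility (the tornjak hunks in patch 34 below ship a non-empty `tag` default, so the opposite order would break existing `version` overrides), but the rule is invisible to users: the `# -- This value is deprecated in favor of tag.` comments added in the values.yaml hunks of this commit should state it, e.g. `# -- Deprecated in favor of tag; when non-empty it still takes precedence over tag. (Will be removed in a future release)`. The same `default .image.tag .image.version` expression is repeated in `spire-server.kubectl-image` (patch 35 below), so the precedence rule now lives in two places; a small helper that returns `$tag` and is included from both would keep them in sync. Applying `toString` to the combined value is good, since it also covers a bare numeric `tag` from values.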
@@ -357,8 +357,9 @@ Kubernetes: `>=1.21.0-0`
 | spire-server.topologySpreadConstraints | list | `[]` | |
 | spire-server.tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information |
 | spire-server.tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) |
-| spire-server.tornjak.image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"spiffe/tornjak-backend","version":"v1.2.0"}` | Tornjak API image |
-| spire-server.tornjak.image.version | string | `"v1.2.0"` | Overrides the image tag whose default is the chart appVersion. |
+| spire-server.tornjak.image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"spiffe/tornjak-backend","tag":"v1.2.0","version":""}` | Tornjak API image |
+| spire-server.tornjak.image.tag | string | `"v1.2.0"` | Overrides the image tag |
+| spire-server.tornjak.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | spire-server.tornjak.resources | object | `{}` | |
 | spire-server.tornjak.service.annotations | object | `{}` | |
 | spire-server.tornjak.service.port | int | `10000` | |
@@ -381,7 +382,8 @@ Kubernetes: `>=1.21.0-0`
 | tornjak-frontend.image.pullPolicy | string | `"IfNotPresent"` | |
 | tornjak-frontend.image.registry | string | `"ghcr.io"` | |
 | tornjak-frontend.image.repository | string | `"spiffe/tornjak-frontend"` | |
-| tornjak-frontend.image.version | string | `""` | Overrides the image tag whose default is the chart appVersion. |
+| tornjak-frontend.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
+| tornjak-frontend.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | tornjak-frontend.imagePullSecrets | list | `[]` | |
 | tornjak-frontend.labels | object | `{}` | |
 | tornjak-frontend.nameOverride | string | `""` | |
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index d0ab19fcd..15e6dbc80 100644
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
@@ -111,8 +111,9 @@ A Helm chart to install the SPIRE server.
 | topologySpreadConstraints | list | `[]` | |
 | tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information |
 | tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) |
-| tornjak.image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"spiffe/tornjak-backend","version":"v1.2.0"}` | Tornjak API image |
-| tornjak.image.version | string | `"v1.2.0"` | Overrides the image tag whose default is the chart appVersion. |
+| tornjak.image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"spiffe/tornjak-backend","tag":"v1.2.0","version":""}` | Tornjak API image |
+| tornjak.image.tag | string | `"v1.2.0"` | Overrides the image tag |
+| tornjak.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | tornjak.resources | object | `{}` | |
 | tornjak.service.annotations | object | `{}` | |
 | tornjak.service.port | int | `10000` | |
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index 21558de32..5121ad80e 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -273,8 +273,10 @@ tornjak:
 registry: ghcr.io
 repository: spiffe/tornjak-backend
 pullPolicy: IfNotPresent
- # -- Overrides the image tag whose default is the chart appVersion.
- version: "v1.2.0"
+ # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+ version: ""
+ # -- Overrides the image tag
+ tag: "v1.2.0"
 service:
 type: ClusterIP
 port: 10000
diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md
index e706d1584..e80b7b8ee 100644
--- a/charts/spire/charts/tornjak-frontend/README.md
+++ b/charts/spire/charts/tornjak-frontend/README.md
@@ -55,7 +55,8 @@ port forwarding. See the chart NOTES output for more details.
 | image.pullPolicy | string | `"IfNotPresent"` | |
 | image.registry | string | `"ghcr.io"` | |
 | image.repository | string | `"spiffe/tornjak-frontend"` | |
-| image.version | string | `""` | Overrides the image tag whose default is the chart appVersion. |
+| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
+| image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | imagePullSecrets | list | `[]` | |
 | labels | object | `{}` | |
 | nameOverride | string | `""` | |
diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml
index 5abc2e858..e079d4282 100644
--- a/charts/spire/charts/tornjak-frontend/values.yaml
+++ b/charts/spire/charts/tornjak-frontend/values.yaml
@@ -6,8 +6,10 @@ image:
 registry: ghcr.io
 repository: spiffe/tornjak-frontend
 pullPolicy: IfNotPresent
- # -- Overrides the image tag whose default is the chart appVersion.
+ # -- This value is deprecated in favor of tag. (Will be removed in a future release)
 version: ""
+ # -- Overrides the image tag whose default is the chart appVersion.
+ tag: ""
 imagePullSecrets: []
 nameOverride: ""
From 90c9eb50f95246701b1390ae9ad17aeadc5564bc Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Wed, 17 May 2023 20:19:26 +0200
Subject: [PATCH 35/55] Fix kubectl-image macro to handle version deprecation
Signed-off-by: Marco Franssen
---
 charts/spire/charts/spire-server/templates/_helpers.tpl | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl
index 2c7e45c97..c085b4f78 100644
--- a/charts/spire/charts/spire-server/templates/_helpers.tpl
+++ b/charts/spire/charts/spire-server/templates/_helpers.tpl
@@ -107,8 +107,9 @@ Create the name of the service account to use
 {{- define "spire-server.kubectl-image" }}
 {{- $root := deepCopy . }}
-{{- if eq (len $root.image.version) 0 }}
-{{- $_ := set $root.image "version" $root.KubeVersion }}
+{{- $tag := (default $root.image.tag $root.image.version) | toString }}
+{{- if eq (len $tag) 0 }}
+{{- $_ := set $root.image "tag" $root.KubeVersion }}
 {{- end }}
 {{- include "spire-lib.image" $root }}
 {{- end }}
From b30b412edbee7c1d74bc702dbaaf757fcc9ef3c5 Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Wed, 17 May 2023 21:42:17 +0200
Subject: [PATCH 36/55] Tornjak reuse spire-lib.cluster-domain macro (#292)
Resolves #291
Signed-off-by: Marco Franssen
---
 .../spire/charts/tornjak-frontend/templates/_helpers.tpl | 8 --------
 .../templates/tests/test-tornjak-connection.yaml | 2 +-
 2 files changed, 1 insertion(+), 9 deletions(-)
diff --git a/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl b/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl
index 1ad456776..0dadaebe9 100644
--- a/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl
+++ b/charts/spire/charts/tornjak-frontend/templates/_helpers.tpl
@@ -41,14 +41,6 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
-{{- define "tornjak-frontend.cluster-domain" -}}
-{{- if ne (len (dig "k8s" "clusterDomain" "" .Values.global)) 0 }}
-{{- .Values.global.k8s.clusterDomain }}
-{{- else }}
-{{- .Values.clusterDomain }}
-{{- end }}
-{{- end }}
 {{/* Common labels */}}
diff --git a/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml
index af4aea49a..4afec4514 100644
--- a/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml
+++ b/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml
@@ -14,7 +14,7 @@ spec:
 - name: curl-tornjak-frontend
 image: cgr.dev/chainguard/bash:latest
 command: ['curl']
- args: ['-k', '-s', '-f', 'http://{{ include "tornjak-frontend.fullname" . }}.{{ include "tornjak-frontend.namespace" . }}.svc.{{ include "tornjak-frontend.cluster-domain" . }}:{{ .Values.service.port }}']
+ args: ['-k', '-s', '-f', 'http://{{ include "tornjak-frontend.fullname" . }}.{{ include "tornjak-frontend.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}']
 securityContext:
 {{- toYaml .Values.securityContext | nindent 8 }}
 restartPolicy: Never
From f8db5a313b74458973de775e4e5f8e58e6be37fc Mon Sep 17 00:00:00 2001
From: kfox1111
Date: Wed, 17 May 2023 16:54:26 -0700
Subject: [PATCH 37/55] Fix Tornjak persistence issue (#294)
---
 charts/spire/charts/spire-server/templates/statefulset.yaml | 2 --
 examples/production/values.yaml | 3 ---
 2 files changed, 5 deletions(-)
diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml
index dc67dab96..ce45d9edc 100644
--- a/charts/spire/charts/spire-server/templates/statefulset.yaml
+++ b/charts/spire/charts/spire-server/templates/statefulset.yaml
@@ -193,11 +193,9 @@ spec:
 - name: spire-config
 mountPath: /run/spire/config
 readOnly: true
- {{- if eq (.Values.dataStorage.enabled | toString) "true" }}
 - name: spire-data
 mountPath: /run/spire/data
 readOnly: false
- {{- end }}
 {{- end }}
 {{- if gt (len .Values.extraContainers) 0 }}
diff --git a/examples/production/values.yaml b/examples/production/values.yaml
index fcbb883b5..683666a6d 100644
--- a/examples/production/values.yaml
+++ b/examples/production/values.yaml
@@ -24,9 +24,6 @@ spire-server:
 seccompProfile:
 type: RuntimeDefault
- dataStorage:
- enabled: true
- logLevel: info
 controllerManager:
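Review bot: The `spire-data` mount is now rendered regardless of `dataStorage.enabled`, so the enclosing container block (its start is outside the hunk) references a `spire-data` volume even when persistence is turned off; that is only valid if the volume or volumeClaimTemplate is declared unconditionally elsewhere in the StatefulSet, which this diff does not show, so please confirm before merging. A short comment above the mount would stop the next reader from re-adding the guard, e.g. `{{/* spire-data is always mounted: the Tornjak datastore defaults to /run/spire/data/tornjak.sqlite3 */}}` (that default path is the `tornjak.config.dataStore` value shown in the README hunks of patch 34). The examples/production/values.yaml hunk also drops `dataStorage.enabled: true`; if the chart default for that key is not `true`, the production example now runs the server datastore without persistence, which the commit message should state either way.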
From f1623a59bb5c63e84d7fcef733cf84506fa110f9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 18 May 2023 01:05:50 +0000
Subject: [PATCH 38/55] Bump sigstore/cosign-installer from 3.0.4 to 3.0.5
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v3.0.4...v3.0.5)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/helm-release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
index cbfde9834..035ae8b3d 100644
--- a/.github/workflows/helm-release.yaml
+++ b/.github/workflows/helm-release.yaml
@@ -29,7 +29,7 @@ jobs:
 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 - name: Setup cosign
- uses: sigstore/cosign-installer@v3.0.4
+ uses: sigstore/cosign-installer@v3.0.5
 with:
 cosign-release: v2.0.2
From 7bb7ece1231a855ce7afc872002217813a40a574 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 18 May 2023 01:05:53 +0000
Subject: [PATCH 39/55] Bump helm/kind-action from 1.6.0 to 1.7.0
Bumps [helm/kind-action](https://github.com/helm/kind-action) from 1.6.0 to 1.7.0.
- [Release notes](https://github.com/helm/kind-action/releases)
- [Commits](https://github.com/helm/kind-action/compare/v1.6.0...v1.7.0)
---
updated-dependencies:
- dependency-name: helm/kind-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/helm-chart-ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml
index 465205793..8bc24e310 100644
--- a/.github/workflows/helm-chart-ci.yaml
+++ b/.github/workflows/helm-chart-ci.yaml
@@ -168,7 +168,7 @@ jobs:
 version: ${{ env.CHART_TESTING_VERSION }}
 - name: Create kind ${{ matrix.k8s }} cluster
- uses: helm/kind-action@v1.6.0
+ uses: helm/kind-action@v1.7.0
 # Only build a kind cluster if there are chart changes to test.
 with:
 version: v0.18.0
From 1c6947078a3aa6bce734c82eb73ae6f76a66db56 Mon Sep 17 00:00:00 2001
From: Mariusz Sabath
Date: Thu, 18 May 2023 17:31:03 -0400
Subject: [PATCH 40/55] Updated Tornjak documenation with Not-for-production labels (#297)
---
 charts/spire/README.md | 14 +++++++-------
 charts/spire/charts/spire-server/README.md | 2 +-
 charts/spire/charts/spire-server/values.yaml | 2 +-
 charts/spire/charts/tornjak-frontend/README.md | 2 +-
 .../spire/charts/tornjak-frontend/README.md.gotmpl | 2 +-
 charts/spire/values.yaml | 6 ++++++
 6 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/charts/spire/README.md b/charts/spire/README.md
index 5481d8c5b..a66a60ad5 100644
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
@@ -115,14 +115,14 @@ Kubernetes: `>=1.21.0-0`
 | global.spire.clusterName | string | `"example-cluster"` | |
 | global.spire.image.registry | string | `""` | Override all Spire image registries at once |
 | global.spire.trustDomain | string | `"example.org"` | The trust domain to be used for the SPIFFE identifiers |
-| spiffe-csi-driver.enabled | bool | `true` | |
-| spiffe-oidc-discovery-provider.enabled | bool | `false` | |
-| spire-agent.enabled | bool | `true` | |
+| spiffe-csi-driver.enabled | bool | `true` | Enables deployment of CSI driver |
+| spiffe-oidc-discovery-provider.enabled | bool | `false` | Enables deployment of OIDC discovery provider |
+| spire-agent.enabled | bool | `true` | Enables deployment of SPIRE Agent(s) |
 | spire-agent.nameOverride | string | `"agent"` | |
-| spire-server.controllerManager.enabled | bool | `true` | |
-| spire-server.enabled | bool | `true` | |
+| spire-server.controllerManager.enabled | bool | `true` | Enables deployment of Controller Manager |
+| spire-server.enabled | bool | `true` | Enables deployment of SPIRE Server |
 | spire-server.nameOverride | string | `"server"` | |
-| tornjak-frontend.enabled | bool | `false` | |
+| tornjak-frontend.enabled | bool | `false` | Enables deployment of Tornjak frontend/UI (Not for production) |
 | spiffe-csi-driver.agentSocketPath | string | `"/run/spire/agent-sockets/spire-agent.sock"` | The unix socket path to the spire-agent |
 | spiffe-csi-driver.fullnameOverride | string | `""` | |
 | spiffe-csi-driver.healthChecks.port | int | `9809` | |
@@ -356,7 +356,7 @@ Kubernetes: `>=1.21.0-0` | spire-server.tolerations | list | `[]` | | | spire-server.topologySpreadConstraints | list | `[]` | | | spire-server.tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information | -| spire-server.tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) | +| spire-server.tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) (Not for production) | | spire-server.tornjak.image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"spiffe/tornjak-backend","tag":"v1.2.0","version":""}` | Tornjak API image | | spire-server.tornjak.image.tag | string | `"v1.2.0"` | Overrides the image tag | | spire-server.tornjak.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 15e6dbc80..3eb765f56 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -110,7 +110,7 @@ A Helm chart to install the SPIRE server. | tolerations | list | `[]` | | | topologySpreadConstraints | list | `[]` | | | tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information | -| tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) | +| tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) (Not for production) | | tornjak.image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"spiffe/tornjak-backend","tag":"v1.2.0","version":""}` | Tornjak API image | | tornjak.image.tag | string | `"v1.2.0"` | Overrides the image tag | | tornjak.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | 
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 5121ad80e..1585cce5d 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -266,7 +266,7 @@ nodeAttestor: # tornjak - Tornjak specific configuration tornjak: - # -- Deploys Tornjak API (backend) + # -- Deploys Tornjak API (backend) (Not for production) enabled: false # -- Tornjak API image image: diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index e80b7b8ee..023575b84 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -24,7 +24,7 @@ A Helm chart to deploy Tornjak frontend ## Prerequisites This chart requires access to Tornjak Backend (`tornjakFrontend.apiServerURL`). -This URL needs to be reachable from your webbrowser and can therefore not be a cluster internal URL. +This URL needs to be reachable from your web browser and can therefore not be a cluster internal URL. Obtain the URL for Tornjak APIs. If deployed in the same cluster, locally, Tornjak APIs are typically available at `http://localhost:10000`. diff --git a/charts/spire/charts/tornjak-frontend/README.md.gotmpl b/charts/spire/charts/tornjak-frontend/README.md.gotmpl index eaf51ce4b..152b7dc74 100644 --- a/charts/spire/charts/tornjak-frontend/README.md.gotmpl +++ b/charts/spire/charts/tornjak-frontend/README.md.gotmpl @@ -26,7 +26,7 @@ ## Prerequisites This chart requires access to Tornjak Backend (`tornjakFrontend.apiServerURL`). -This URL needs to be reachable from your webbrowser and can therefore not be a cluster internal URL. +This URL needs to be reachable from your web browser and can therefore not be a cluster internal URL. Obtain the URL for Tornjak APIs. If deployed in the same cluster, locally, Tornjak APIs are typically available at `http://localhost:10000`. 
diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 3f0a7a434..c6ba84978 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -26,21 +26,27 @@ global: # subcharts spire-server: + # -- Enables deployment of SPIRE Server enabled: true nameOverride: server controllerManager: + # -- Enables deployment of Controller Manager enabled: true spire-agent: + # -- Enables deployment of SPIRE Agent(s) enabled: true nameOverride: agent spiffe-csi-driver: + # -- Enables deployment of CSI driver enabled: true spiffe-oidc-discovery-provider: + # -- Enables deployment of OIDC discovery provider enabled: false tornjak-frontend: + # -- Enables deployment of Tornjak frontend/UI (Not for production) enabled: false From dd1ad495bd91336b6dbe31ef67079f8cef7f82a3 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Thu, 18 May 2023 14:55:39 -0700 Subject: [PATCH 41/55] Update images for cve's found by the cronjob (#290) Signed-off-by: Kevin Fox --- charts/spire/README.md | 4 ++-- charts/spire/charts/spiffe-csi-driver/README.md | 2 +- charts/spire/charts/spiffe-csi-driver/values.yaml | 2 +- charts/spire/charts/spiffe-oidc-discovery-provider/README.md | 2 +- .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index a66a60ad5..6250e264e 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -138,7 +138,7 @@ Kubernetes: `>=1.21.0-0` | spiffe-csi-driver.nodeDriverRegistrar.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | spiffe-csi-driver.nodeDriverRegistrar.image.registry | string | `"registry.k8s.io"` | The OCI registry to pull the image from | | spiffe-csi-driver.nodeDriverRegistrar.image.repository | string | `"sig-storage/csi-node-driver-registrar"` | The repository within the registry | -| spiffe-csi-driver.nodeDriverRegistrar.image.tag | string | `"v2.6.2"` | Overrides the image tag | +| spiffe-csi-driver.nodeDriverRegistrar.image.tag | string | `"v2.8.0"` | Overrides the image tag | | spiffe-csi-driver.nodeDriverRegistrar.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spiffe-csi-driver.nodeDriverRegistrar.resources | object | `{}` | | | spiffe-csi-driver.nodeSelector | object | `{}` | | @@ -186,7 +186,7 @@ Kubernetes: `>=1.21.0-0` | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.repository | string | `"nginxinc/nginx-unprivileged"` | The repository within the registry | -| spiffe-oidc-discovery-provider.insecureScheme.nginx.image.tag | string | `"1.23.2-alpine"` | Overrides the image tag | +| spiffe-oidc-discovery-provider.insecureScheme.nginx.image.tag | string | `"1.24.0-alpine"` | Overrides the image tag | | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spiffe-oidc-discovery-provider.insecureScheme.nginx.resources | object | `{}` | | | spiffe-oidc-discovery-provider.nameOverride | string | `""` | | 
diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md index b759f31ce..20e39c757 100644 --- a/charts/spire/charts/spiffe-csi-driver/README.md +++ b/charts/spire/charts/spiffe-csi-driver/README.md @@ -28,7 +28,7 @@ A Helm chart to install the SPIFFE CSI driver. | nodeDriverRegistrar.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | nodeDriverRegistrar.image.registry | string | `"registry.k8s.io"` | The OCI registry to pull the image from | | nodeDriverRegistrar.image.repository | string | `"sig-storage/csi-node-driver-registrar"` | The repository within the registry | -| nodeDriverRegistrar.image.tag | string | `"v2.6.2"` | Overrides the image tag | +| nodeDriverRegistrar.image.tag | string | `"v2.8.0"` | Overrides the image tag | | nodeDriverRegistrar.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | nodeDriverRegistrar.resources | object | `{}` | | | nodeSelector | object | `{}` | | diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml index 182545202..c39be0215 100644 --- a/charts/spire/charts/spiffe-csi-driver/values.yaml +++ b/charts/spire/charts/spiffe-csi-driver/values.yaml @@ -68,7 +68,7 @@ nodeDriverRegistrar: # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" # -- Overrides the image tag - tag: v2.6.2 + tag: v2.8.0 resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 48ee4dfcb..c62e4735b 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -48,7 +48,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | insecureScheme.nginx.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | insecureScheme.nginx.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | | insecureScheme.nginx.image.repository | string | `"nginxinc/nginx-unprivileged"` | The repository within the registry | -| insecureScheme.nginx.image.tag | string | `"1.23.2-alpine"` | Overrides the image tag | +| insecureScheme.nginx.image.tag | string | `"1.24.0-alpine"` | Overrides the image tag | | insecureScheme.nginx.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | insecureScheme.nginx.resources | object | `{}` | | | nameOverride | string | `""` | | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index f0b507126..b1e27b844 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -70,7 +70,7 @@ insecureScheme: # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" # -- Overrides the image tag - tag: 1.23.2-alpine + tag: 1.24.0-alpine # chainguard image does not support the templates feature # https://github.com/chainguard-images/nginx/issues/43 # registry: cgr.dev From 00c2c1a533825bcefe19b6be70c3350228b50a75 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Tue, 23 May 2023 03:14:40 -0700 Subject: [PATCH 42/55] Fix the generated pr so that it runs jobs too (#303) --- .github/workflows/check-versions.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/check-versions.yaml b/.github/workflows/check-versions.yaml index e129967c3..4f3fbf24d 100644 --- a/.github/workflows/check-versions.yaml +++ b/.github/workflows/check-versions.yaml 
@@ -36,6 +36,7 @@ jobs:
 id: cpr
 uses: peter-evans/create-pull-request@v5.0.1
 with:
+ token: ${{ secrets.GITHUB_TOKEN }}
 title: Bump test chart dependencies
 branch: bump-test-chart-deps
 commit-message: Bump test chart dependencies
From 4777a30012b5f3e5c4ef4b1a18ae15cbbc2fadf7 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 23 May 2023 10:19:40 +0000
Subject: [PATCH 43/55] Bump test chart dependencies (#301)
Co-authored-by: marcofranssen
---
 .github/tests/charts.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/tests/charts.json b/.github/tests/charts.json
index 2309183ae..e1ab03e5f 100644
--- a/.github/tests/charts.json
+++ b/.github/tests/charts.json
@@ -2,12 +2,12 @@
 {
 "name": "kube-prometheus-stack",
 "repo": "https://prometheus-community.github.io/helm-charts",
- "version": "45.27.2"
+ "version": "45.29.0"
 },
 {
 "name": "cert-manager",
 "repo": "https://charts.jetstack.io",
- "version": "v1.11.2"
+ "version": "v1.12.0"
 },
 {
 "name": "ingress-nginx",
@@ -17,11 +17,11 @@
 {
 "name": "mysql",
 "repo": "https://charts.bitnami.com/bitnami",
- "version": "9.9.1"
+ "version": "9.10.1"
 },
 {
 "name": "postgresql",
 "repo": "https://charts.bitnami.com/bitnami",
- "version": "12.5.1"
+ "version": "12.5.3"
 }
 ]
From 0ba03880a1b3bb09a10f4e193eeb2d19e9918cad Mon Sep 17 00:00:00 2001
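Review bot: The added `token: ${{ secrets.GITHUB_TOKEN }}` is, as far as I know, already what create-pull-request uses by default, and it does not achieve what the commit subject promises: pull requests opened with the workflow-provided GITHUB_TOKEN are deliberately excluded from triggering other workflows, so the generated bump PR will still run no jobs. Getting CI on that PR needs a different credential — a GitHub App installation token or a PAT stored as a repository secret with the minimum scopes for creating PRs — e.g. `token: ${{ secrets.<PLACEHOLDER_BOT_TOKEN> }}`, with a comment above the step saying why the default token is not used. The enclosing job definition starts outside the hunk.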
From: kfox1111 Date: Tue, 23 May 2023 06:58:58 -0700 Subject: [PATCH 44/55] Add support for spire-server ingress (#68) Co-authored-by: Faisal Memon Co-authored-by: Marco Franssen Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/tests/spire-oidc-insecure/values.yaml | 20 ++++++++++ charts/spire/README.md | 14 +++++++ .../templates/ingress.yaml | 30 +-------------- charts/spire/charts/spire-server/README.md | 14 +++++++ .../templates/federation-ingress.yaml | 18 +++++++++ .../spire-server/templates/ingress.yaml | 16 ++++++++ charts/spire/charts/spire-server/values.yaml | 38 +++++++++++++++++++ charts/spire/templates/_spire-lib.tpl | 38 +++++++++++++++++++ examples/production/README.md | 22 +++++++++++ ...federation-https-spiffe-ingress-nginx.yaml | 25 ++++++++++++ ...rt-federation-https-web-ingress-nginx.yaml | 25 ++++++++++++ ...ues-export-spire-server-ingress-nginx.yaml | 25 ++++++++++++ 12 files changed, 257 insertions(+), 28 deletions(-) create mode 100644 charts/spire/charts/spire-server/templates/federation-ingress.yaml create mode 100644 charts/spire/charts/spire-server/templates/ingress.yaml create mode 100644 examples/production/values-export-federation-https-spiffe-ingress-nginx.yaml create mode 100644 examples/production/values-export-federation-https-web-ingress-nginx.yaml create mode 100644 examples/production/values-export-spire-server-ingress-nginx.yaml diff --git a/.github/tests/spire-oidc-insecure/values.yaml b/.github/tests/spire-oidc-insecure/values.yaml index 4c1124e24..86f71596b 100644 --- a/.github/tests/spire-oidc-insecure/values.yaml +++ b/.github/tests/spire-oidc-insecure/values.yaml 
@@ -1,3 +1,23 @@ +spire-server: + ingress: + enabled: true + className: "nginx" + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + nginx.ingress.kubernetes.io/ssl-passthrough: "true" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + hosts: + - host: ingress-nginx-controller.spire-oidc-insecure + paths: + - path: / + pathType: Prefix + +spire-agent: + server: + address: ingress-nginx-controller.spire-oidc-insecure + port: 443 + spiffe-oidc-discovery-provider: enabled: true diff --git a/charts/spire/README.md b/charts/spire/README.md index 6250e264e..c4007728a 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -319,6 +319,13 @@ Kubernetes: `>=1.21.0-0` | spire-server.federation.bundleEndpoint.address | string | `"0.0.0.0"` | | | spire-server.federation.bundleEndpoint.port | int | `8443` | | | spire-server.federation.enabled | bool | `false` | | +| spire-server.federation.ingress.annotations | object | `{}` | | +| spire-server.federation.ingress.className | string | `""` | | +| spire-server.federation.ingress.enabled | bool | `false` | | +| spire-server.federation.ingress.hosts[0].host | string | `"spire-server-federation.example.org"` | | +| spire-server.federation.ingress.hosts[0].paths[0].path | string | `"/"` | | +| spire-server.federation.ingress.hosts[0].paths[0].pathType | string | `"Prefix"` | | +| spire-server.federation.ingress.tls | list | `[]` | | | spire-server.fullnameOverride | string | `""` | | | spire-server.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | spire-server.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | 
@@ -326,6 +333,13 @@ Kubernetes: `>=1.21.0-0` | spire-server.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | spire-server.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spire-server.imagePullSecrets | list | `[]` | | +| spire-server.ingress.annotations | object | `{}` | | +| spire-server.ingress.className | string | `""` | | +| spire-server.ingress.enabled | bool | `false` | | +| spire-server.ingress.hosts[0].host | string | `"spire-server.example.org"` | | +| spire-server.ingress.hosts[0].paths[0].path | string | `"/"` | | +| spire-server.ingress.hosts[0].paths[0].pathType | string | `"Prefix"` | | +| spire-server.ingress.tls | list | `[]` | | | spire-server.initContainers | list | `[]` | | | spire-server.jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain | | spire-server.logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml index ba3cf8cd6..f71db7dde 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml 
@@ -1,42 +1,16 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "spiffe-oidc-discovery-provider.fullname" . }} -{{- $port := .Values.service.port }} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: {{ $fullName }} namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }} labels: - {{- include "spiffe-oidc-discovery-provider.labels" . | nindent 4 }} + {{ include "spiffe-oidc-discovery-provider.labels" . | nindent 4 }} {{- with .Values.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: - ingressClassName: {{ .Values.ingress.className }} - {{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} - http: - paths: - {{- range .paths }} - - path: {{ .path }} - pathType: {{ .pathType }} - backend: - service: - name: {{ $fullName }} - port: - number: {{ $port }} - {{- end }} - {{- end }} + {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.ingress "svcName" $fullName "port" .Values.service.port "global" .Values.global) | nindent 2 }} {{- end }} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 3eb765f56..76f935c67 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
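Review bot: Dropping the left trim (`{{-` to `{{ `) before the two `include ... | nindent` calls changes how the manifest renders: if I read it right, the template's own indentation now stays on the line and `nindent` then adds its newline, so the output gains whitespace-only lines under `labels:` and `spec:`; still valid YAML, but noisier in diffs, and the removed `{{- include ... | nindent 4 }}` form was correct. I would keep `{{- include "spiffe-oidc-discovery-provider.labels" . | nindent 4 }}` and write the new call as `{{- include "spire-lib.ingress-spec" (dict "ingress" .Values.ingress "svcName" $fullName "port" .Values.service.port "global" .Values.global) | nindent 2 }}`. The same untrimmed pattern is repeated in the two new spire-server ingress templates later in this patch.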
@@ -73,6 +73,13 @@ A Helm chart to install the SPIRE server. | federation.bundleEndpoint.address | string | `"0.0.0.0"` | | | federation.bundleEndpoint.port | int | `8443` | | | federation.enabled | bool | `false` | | +| federation.ingress.annotations | object | `{}` | | +| federation.ingress.className | string | `""` | | +| federation.ingress.enabled | bool | `false` | | +| federation.ingress.hosts[0].host | string | `"spire-server-federation.example.org"` | | +| federation.ingress.hosts[0].paths[0].path | string | `"/"` | | +| federation.ingress.hosts[0].paths[0].pathType | string | `"Prefix"` | | +| federation.ingress.tls | list | `[]` | | | fullnameOverride | string | `""` | | | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | | image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | @@ -80,6 +87,13 @@ A Helm chart to install the SPIRE server. | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | imagePullSecrets | list | `[]` | | +| ingress.annotations | object | `{}` | | +| ingress.className | string | `""` | | +| ingress.enabled | bool | `false` | | +| ingress.hosts[0].host | string | `"spire-server.example.org"` | | +| ingress.hosts[0].paths[0].path | string | `"/"` | | +| ingress.hosts[0].paths[0].pathType | string | `"Prefix"` | | +| ingress.tls | list | `[]` | | | initContainers | list | `[]` | | | jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain | | logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" | diff --git a/charts/spire/charts/spire-server/templates/federation-ingress.yaml b/charts/spire/charts/spire-server/templates/federation-ingress.yaml new file mode 100644 index 000000000..013be910b --- /dev/null 
+++ b/charts/spire/charts/spire-server/templates/federation-ingress.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.federation.enabled }}
+{{- if .Values.federation.ingress.enabled -}}
+{{- $svcName := include "spire-server.fullname" . }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-federation" $svcName }}
+ namespace: {{ include "spire-server.namespace" . }}
+ labels:
+ {{ include "spire-server.labels" . | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.federation.ingress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "global" .Values.global) | nindent 2 }}
+{{- end }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/ingress.yaml b/charts/spire/charts/spire-server/templates/ingress.yaml
new file mode 100644
index 000000000..56da8c841
--- /dev/null
+++ b/charts/spire/charts/spire-server/templates/ingress.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "spire-server.fullname" . -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ namespace: {{ include "spire-server.namespace" . }}
+ labels:
+ {{ include "spire-server.labels" . | nindent 4}}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.ingress "svcName" $fullName "port" .Values.service.port "global" .Values.global) | nindent 2 }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index 1585cce5d..499facf1b 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
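Review bot: `federation-ingress.yaml` reads `.Values.ingress.annotations` for its annotations, but everything else in this template comes from `federation.ingress`, and the new `values-export-federation-*` examples set `spire-server.federation.ingress.annotations`; as written those annotations — including the `ssl-passthrough` one the https_spiffe profile relies on — are silently dropped and the server ingress's annotations are applied to the federation Ingress instead. The fix is the one line `{{- with .Values.federation.ingress.annotations }}`. In the same file and in `ingress.yaml` the `labels:` and `spec:` includes use `{{ ` rather than `{{- ` before `nindent`, which renders whitespace-only lines, and `ingress.yaml` writes `nindent 4}}` without the closing space — worth aligning with the rest of the chart's templates.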
@@ -127,6 +127,26 @@ federation: port: 8443 address: "0.0.0.0" + ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # If Profile Type == https_spiffe: + # nginx.ingress.kubernetes.io/ssl-passthrough: "true" + hosts: + - host: spire-server-federation.example.org + paths: + - path: / + pathType: Prefix + tls: [] + # - hosts: + # - spire-server-federation.example.org + # If Profile Type == https_web: + # secretName: spire-server-federation-tls + ca_subject: country: NL organization: Example @@ -247,6 +267,24 @@ telemetry: namespace: "" labels: {} +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # nginx.ingress.kubernetes.io/ssl-passthrough: "true" + hosts: + - host: spire-server.example.org + paths: + - path: / + pathType: Prefix + tls: [] + # - secretName: spire-server-tls + # hosts: + # - spire-server.example.org + extraVolumes: [] extraVolumeMounts: [] extraContainers: [] diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl index ca059d97b..eac22981e 100644 --- a/charts/spire/templates/_spire-lib.tpl +++ b/charts/spire/templates/_spire-lib.tpl 
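Review bot: The new `ingress` and `federation.ingress` blocks carry no `# --` helm-docs comments, which is why every row generated for them in this patch's README hunks has an empty description cell. The comments that are present (`# If Profile Type == https_spiffe:`, `# If Profile Type == https_web:`) read as cryptic placeholders; a short comment above `federation.ingress` naming the two SPIFFE federation endpoint profiles and which annotation and `tls` settings each needs would replace them. For the server `ingress` block it is worth stating that TLS has to be passed through to the server rather than terminated at the ingress — as far as I understand the agent–server protocol, the agent verifies the server against the trust bundle and then presents its own SVID for mutual TLS — e.g. `# -- Ingress for the server API. The ingress must pass TLS through to the server (see the ssl-passthrough annotation below); terminating TLS at the ingress breaks agent attestation.`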
@@ -52,3 +52,41 @@
 {{- printf "%s/%s" $registry $repo }}
 {{- end }}
 {{- end }}
+
+{{/* Takes in a dictionary with keys:
+ * ingress - the standardized ingress object
+ * svcName - The service to route to
+ * port - which port on the service to use
+*/}}
+{{ define "spire-lib.ingress-spec" }}
+{{- $svcName := .svcName }}
+{{- $port := .port }}
+{{- with .ingress.className }}
+ingressClassName: {{ . | quote }}
+{{- end }}
+{{- if .ingress.tls }}
+tls:
+ {{- range .ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName | quote }}
+ {{- end }}
+{{- end }}
+rules:
+ {{- range .ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ pathType: {{ .pathType }}
+ backend:
+ service:
+ name: {{ $svcName | quote }}
+ port:
+ number: {{ $port }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/examples/production/README.md b/examples/production/README.md
index 0514ca439..8b7b19693 100644
--- a/examples/production/README.md
+++ b/examples/production/README.md
@@ -12,3 +12,25 @@ helm upgrade --install --namespace spire-server spire charts/spire -f values.yam
 ```
 See [values.yaml](./values.yaml) for more details on the chart configurations to achieve this setup.
+
+If you want to expose your spire-server outside of Kubernetes and are using ingress-nginx, add following values file when running `helm template/install/upgrade`.
+
+```shell
+-f values-expose-spire-server-ingress-nginx.yaml
+```
+
+If you want to expose your federation endpoint outside of Kubernetes and are using ingress-nginx
+you have two options as described here:
+https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Federation.md#52-endpoint-profiles
+
+If you chose profile https_web, use:
+
+```shell
+-f values-expose-federation-https-web-ingress-nginx.yaml
+```
+
+If you chose profile https_spiffe, use:
+
+```shell
+-f values-expose-federation-https-spiffe-ingress-nginx.yaml
+```
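Review bot: `spire-lib.ingress-spec` quotes `.host`, `.secretName` and the service name but emits `.path` and `.pathType` as plain scalars, so a path value containing YAML-significant characters (a ` #`, a leading `*` or `{`) would be mis-parsed rather than rejected; `path: {{ .path | quote }}` and `pathType: {{ .pathType | quote }}` would be consistent with the rest of the helper. All three callers also pass a `global` key in the dict that the define neither reads nor lists in its header comment — either drop it from the callers or add `* global - currently unused, reserved for registry/image overrides` to the comment if it is intentional. Separately, the README hunk on this line tells users to pass `values-expose-*.yaml` files while the files this commit adds are named `values-export-*.yaml`, so the documented `-f` commands will not resolve.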
diff --git a/examples/production/values-export-federation-https-spiffe-ingress-nginx.yaml b/examples/production/values-export-federation-https-spiffe-ingress-nginx.yaml new file mode 100644 index 000000000..35aa85afc --- /dev/null +++ b/examples/production/values-export-federation-https-spiffe-ingress-nginx.yaml @@ -0,0 +1,25 @@ +spire-server: + federation: + enabled: true + ingress: + enabled: true + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + nginx.ingress.kubernetes.io/ssl-passthrough: "true" + + # Optional settings you may put in your own values. + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + + # className: nginx + + hosts: + - host: spire-server-federation.example.org + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - spire-server-federation.example.org diff --git a/examples/production/values-export-federation-https-web-ingress-nginx.yaml b/examples/production/values-export-federation-https-web-ingress-nginx.yaml new file mode 100644 index 000000000..e238c1310 --- /dev/null +++ b/examples/production/values-export-federation-https-web-ingress-nginx.yaml @@ -0,0 +1,25 @@ +spire-server: + federation: + enabled: true + ingress: + enabled: true + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + + # Optional settings you may put in your own values. + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + + # className: nginx + + hosts: + - host: spire-server-federation.example.org + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - spire-server-federation.example.org + secretName: spire-server-federation-tls 
diff --git a/examples/production/values-export-spire-server-ingress-nginx.yaml b/examples/production/values-export-spire-server-ingress-nginx.yaml new file mode 100644 index 000000000..dceac4235 --- /dev/null +++ b/examples/production/values-export-spire-server-ingress-nginx.yaml @@ -0,0 +1,25 @@ +spire-server: + ingress: + enabled: true + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + nginx.ingress.kubernetes.io/ssl-passthrough: "true" + + # Optional settings you may put in your own values. + # kubernetes.io/tls-acme: "true" + # kubernetes.io/ingress.class: nginx + + # className: nginx + + # You must override these in your own values file with the appropriate hostname + # and secret or it wont start. + hosts: + - host: spire-server.example.org + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - spire-server.example.org From 88efc77bee1125ce44f4064e206a5df4f4c8b8d4 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Tue, 23 May 2023 07:39:37 -0700 Subject: [PATCH 45/55] Allow to use spire-server as an upstream authority (#304) Co-authored-by: Marco Franssen --- charts/spire/README.md | 3 +++ charts/spire/charts/spire-server/README.md | 3 +++ .../spire-server/templates/configmap.yaml | 18 ++++++++++++++++++ charts/spire/charts/spire-server/values.yaml | 5 +++++ 4 files changed, 29 insertions(+) diff --git a/charts/spire/README.md b/charts/spire/README.md index c4007728a..ed954bf7c 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -390,6 +390,9 @@ Kubernetes: `>=1.21.0-0` | spire-server.upstreamAuthority.disk.secret.create | bool | `true` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. | | spire-server.upstreamAuthority.disk.secret.data | object | `{"bundle":"","certificate":"","key":""}` | If secret creation is enabled, will create a secret with following certificate info | | spire-server.upstreamAuthority.disk.secret.name | string | `"spiffe-upstream-ca"` | If secret creation is disabled, the secret with this name will be used. | +| spire-server.upstreamAuthority.spire.enabled | bool | `false` | | +| spire-server.upstreamAuthority.spire.server.address | string | `""` | | +| spire-server.upstreamAuthority.spire.server.port | int | `8081` | | | tornjak-frontend.affinity | object | `{}` | | | tornjak-frontend.apiServerURL | string | `"http://localhost:10000/"` | URL of the Tornjak APIs (backend) Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. | | tornjak-frontend.fullnameOverride | string | `""` | | diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 76f935c67..a1cce08d3 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -144,5 +144,8 @@ A Helm chart to install the SPIRE server. | upstreamAuthority.disk.secret.create | bool | `true` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. | | upstreamAuthority.disk.secret.data | object | `{"bundle":"","certificate":"","key":""}` | If secret creation is enabled, will create a secret with following certificate info | | upstreamAuthority.disk.secret.name | string | `"spiffe-upstream-ca"` | If secret creation is disabled, the secret with this name will be used. | +| upstreamAuthority.spire.enabled | bool | `false` | | +| upstreamAuthority.spire.server.address | string | `""` | | +| upstreamAuthority.spire.server.port | int | `8081` | | ---------------------------------------------- diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index 6b2ff7184..ad228241f 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -1,4 +1,5 @@ {{- define "spire-server.yaml-config" -}} +{{- $upstreamAuthorityUsed := 0 }} {{- $root := . }} server: bind_address: "0.0.0.0" @@ -59,6 +60,7 @@ plugins: {{- with .Values.upstreamAuthority.disk }} {{- if eq (.enabled | toString) "true" }} + {{- $upstreamAuthorityUsed = add1 $upstreamAuthorityUsed }} UpstreamAuthority: - disk: plugin_data: @@ -72,6 +74,7 @@ plugins: {{- with .Values.upstreamAuthority.certManager }} {{- if eq (.enabled | toString) "true" }} + {{- $upstreamAuthorityUsed = add1 $upstreamAuthorityUsed }} UpstreamAuthority: - cert-manager: plugin_data: 
@@ -85,6 +88,21 @@ plugins:
   {{- end }}
   {{- end }}
+  {{- with .Values.upstreamAuthority.spire }}
+  {{- if eq (.enabled | toString) "true" }}
+  {{- $upstreamAuthorityUsed = add1 $upstreamAuthorityUsed }}
+  UpstreamAuthority:
+    - spire:
+        plugin_data:
+          server_address: {{ .server.address | quote }}
+          server_port: {{ .server.port }}
+          workload_api_socket: "/run/spire/upstream_agent/spire-agent.sock"
+  {{- end }}
+  {{- end }}
+{{- if gt $upstreamAuthorityUsed 1 }}
+{{- fail "You can only enable a single Upstream Authority." }}
+{{- end }}
 health_checks:
   listener_enabled: true
   bind_address: "0.0.0.0"
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index 499facf1b..a029e6b7a 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -175,6 +175,11 @@ upstreamAuthority:
     # -- Specify to use a namespace other then the one the chart is installed into
     namespace: ""
     kube_config_file: ""
+  spire:
+    enabled: false
+    server:
+      address: ""
+      port: 8081
 notifier:
   k8sbundle:
From 4fb549e954cb718c4271d28df386f3053b8c0b87 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Tue, 23 May 2023 08:57:07 -0700 Subject: [PATCH 46/55] Remove 1.21.x testing Signed-off-by: Kevin Fox --- .github/workflows/helm-chart-ci.yaml | 1 - 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml
index 8bc24e310..a41d2e747 100644
--- a/.github/workflows/helm-chart-ci.yaml
+++ b/.github/workflows/helm-chart-ci.yaml
@@ -142,7 +142,6 @@ jobs:
           - v1.24.12
           - v1.23.17
           - v1.22.17
-          - v1.21.14
         values:
           - ${{ fromJson(needs.build-matrix.outputs.tests) }}
From 1922085ba7b389f3176b5f9da9ea77025f2243d3 Mon Sep 17 00:00:00 2001
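Review bot: The `server_address: {{ .server.address | quote }}` line writes the upstream trust anchor for this plugin, yet `upstreamAuthority.spire.server.address` defaults to `""`, so enabling the plugin without overriding it renders a config with an empty upstream address instead of being rejected at `helm template`/`helm install` time. The same `fail` pattern this hunk introduces for the multiple-authority check would catch it early, inside the `if` block: `{{- if eq (.server.address | toString) "" }}` / `{{- fail "upstreamAuthority.spire.server.address is required when upstreamAuthority.spire.enabled is true" }}` / `{{- end }}`. `workload_api_socket` is a fixed path under `/run/spire/upstream_agent/`, and nothing in this hunk shows the volume that is expected to provide that socket, so a one-line template comment naming where it comes from would help the next reader. The enclosing `spire-server.yaml-config` define starts outside the hunk.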
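Review bot: The new `spire:` block in values.yaml carries no `# --` helm-docs comments, which is why the generated README rows for `upstreamAuthority.spire.enabled`, `upstreamAuthority.spire.server.address` and `upstreamAuthority.spire.server.port` in this commit's two README hunks have empty description cells. The neighbouring keys follow that convention (`# -- Specify to use a namespace other then the one the chart is installed into`). Suggested comments: `# -- Use another SPIRE server as the upstream authority`, `# -- Address of the upstream SPIRE server (required when enabled)`, `# -- Port of the upstream SPIRE server`.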
From: Faisal Memon Date: Tue, 23 May 2023 08:59:21 -0700 Subject: [PATCH 47/55] Fix hooks for K3s (#305) Co-authored-by: kfox1111 --- charts/spire/charts/spire-server/templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl
index c085b4f78..af1e65277 100644
--- a/charts/spire/charts/spire-server/templates/_helpers.tpl
+++ b/charts/spire/charts/spire-server/templates/_helpers.tpl
@@ -109,7 +109,7 @@ Create the name of the service account to use
 {{- $root := deepCopy . }}
 {{- $tag := (default $root.image.tag $root.image.version) | toString }}
 {{- if eq (len $tag) 0 }}
-{{- $_ := set $root.image "tag" $root.KubeVersion }}
+{{- $_ := set $root.image "tag" (regexReplaceAll "^(v?\\d+\\.\\d+\\.\\d+).*" $root.KubeVersion "${1}") }}
 {{- end }}
 {{- include "spire-lib.image" $root }}
 {{- end }}
From a1ba235c992039d09e3041809819ad9e3cdcd59a Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Tue, 23 May 2023 09:44:06 -0700 Subject: [PATCH 48/55] Update docs Signed-off-by: Kevin Fox --- charts/spire/README.md | 4 ++-- charts/spire/README.md.gotmpl | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/spire/README.md b/charts/spire/README.md
index ed954bf7c..f3576aa35 100644
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
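Review bot: `regexReplaceAll "^(v?\\d+\\.\\d+\\.\\d+).*"` returns `$root.KubeVersion` unchanged when the string does not match, so a cluster version in an unexpected format still becomes the image tag with no diagnostic, and nothing on the line says why the suffix is being stripped. A template comment above the `set` would carry the intent: `{{- /* Keep only major.minor.patch of the cluster version: distribution-specific suffixes (the commit title points at K3s) are not published kubectl image tags */ -}}`. That the stripped suffix is K3s build metadata is inferred from the commit title, not visible in the hunk. The enclosing define starts outside the hunk.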
@@ -19,9 +19,9 @@ A Helm chart for deploying the complete Spire stack including: spire-server, spi |:-----------|:-------------------| | SPIRE | `1.5.3+`, `1.6.3+` | | Helm | `3.x` | -| Kubernetes | `1.21+` | +| Kubernetes | `1.22+` | -> **Note**: For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden. *The first version we tested this chart with is `1.21`.* +> **Note**: For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden. *The first version we tested this chart with is `1.22`.* ## Prerequisites diff --git a/charts/spire/README.md.gotmpl b/charts/spire/README.md.gotmpl index f2dd15d3f..5239da78e 100644 --- a/charts/spire/README.md.gotmpl +++ b/charts/spire/README.md.gotmpl 
@@ -21,9 +21,9 @@ |:-----------|:-------------------| | SPIRE | `1.5.3+`, `1.6.3+` | | Helm | `3.x` | -| Kubernetes | `1.21+` | +| Kubernetes | `1.22+` | -> **Note**: For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden. *The first version we tested this chart with is `1.21`.* +> **Note**: For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden. *The first version we tested this chart with is `1.22`.* ## Prerequisites From 38d51d59854fbbf6a7f581b6621775a4b81228d8 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Tue, 23 May 2023 09:55:38 -0700 Subject: [PATCH 49/55] Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 --- charts/spire/README.md.gotmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spire/README.md.gotmpl b/charts/spire/README.md.gotmpl index 5239da78e..39cbcaa72 100644 --- a/charts/spire/README.md.gotmpl +++ b/charts/spire/README.md.gotmpl 
@@ -23,7 +23,7 @@ | Helm | `3.x` | | Kubernetes | `1.22+` | -> **Note**: For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden. *The first version we tested this chart with is `1.22`.* +> **Note**: For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden. ## Prerequisites From 69f402ecc65c1bf323886cb87fbda56604c55403 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Tue, 23 May 2023 09:56:05 -0700 Subject: [PATCH 50/55] Update docs Signed-off-by: Kevin Fox --- charts/spire/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index f3576aa35..6c28acd5f 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -21,7 +21,7 @@ A Helm chart for deploying the complete Spire stack including: spire-server, spi | Helm | `3.x` | | Kubernetes | `1.22+` | -> **Note**: For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden. *The first version we tested this chart with is `1.22`.* +> **Note**: For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden. ## Prerequisites 
From e4447fd8eb141a9a261b70d06c69848240bbffd4 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 23 May 2023 13:32:20 -0400 Subject: [PATCH 51/55] Upgrade Tornjak to new image v1.2.1 (#299) This upgrade enables the production version of React in Tornjak Frontend with a smaller footprint and faster startup time. Using Tornjak v1.2.1 release https://github.com/spiffe/tornjak/releases/tag/v1.2.1 --------- Signed-off-by: Mariusz Sabath --- charts/spire/README.md | 12 ++++++++++-- charts/spire/charts/spire-server/README.md | 6 ++++-- .../spire-server/templates/statefulset.yaml | 4 ++-- .../spire-server/templates/tornjak-config.yaml | 7 ++++++- charts/spire/charts/spire-server/values.yaml | 6 ++++-- charts/spire/charts/tornjak-frontend/Chart.yaml | 2 +- charts/spire/charts/tornjak-frontend/README.md | 8 +++++++- .../tornjak-frontend/templates/deployment.yaml | 14 ++++++++------ .../spire/charts/tornjak-frontend/values.yaml | 17 +++++++++++++++++ 9 files changed, 59 insertions(+), 17 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index ed954bf7c..33144120a 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -371,8 +371,10 @@ Kubernetes: `>=1.21.0-0`
 | spire-server.topologySpreadConstraints | list | `[]` | |
 | spire-server.tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information |
 | spire-server.tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) (Not for production) |
-| spire-server.tornjak.image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"spiffe/tornjak-backend","tag":"v1.2.0","version":""}` | Tornjak API image |
-| spire-server.tornjak.image.tag | string | `"v1.2.0"` | Overrides the image tag |
+| spire-server.tornjak.image.pullPolicy | string | `"IfNotPresent"` | The Tornjak image pull policy |
+| spire-server.tornjak.image.registry | string | `"ghcr.io"` | The OCI registry to pull the Tornjak image from |
+| spire-server.tornjak.image.repository | string | `"spiffe/tornjak-backend"` | The repository within the registry |
+| spire-server.tornjak.image.tag | string | `"v1.2.1"` | Overrides the image tag |
 | spire-server.tornjak.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | spire-server.tornjak.resources | object | `{}` | |
 | spire-server.tornjak.service.annotations | object | `{}` | |
@@ -415,6 +417,12 @@ Kubernetes: `>=1.21.0-0`
 | tornjak-frontend.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | tornjak-frontend.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
 | tornjak-frontend.spireHealthCheck.enabled | bool | `true` | Enables the SPIRE Healthchecker indicator |
+| tornjak-frontend.startupProbe.enabled | bool | `true` | Enable startupProbe on Tornjak frontend container |
+| tornjak-frontend.startupProbe.failureThreshold | int | `6` | Failure threshold for startupProbe |
+| tornjak-frontend.startupProbe.initialDelaySeconds | int | `5` | Initial delay seconds for startupProbe |
+| tornjak-frontend.startupProbe.periodSeconds | int | `10` | Period seconds for startupProbe |
+| tornjak-frontend.startupProbe.successThreshold | int | `1` | Success threshold for startupProbe |
+| tornjak-frontend.startupProbe.timeoutSeconds | int | `5` | Timeout seconds for startupProbe |
 | tornjak-frontend.tolerations | list | `[]` | |
 | tornjak-frontend.topologySpreadConstraints | list | `[]` | |
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index a1cce08d3..12de0ad75 100644
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
@@ -125,8 +125,10 @@ A Helm chart to install the SPIRE server.
 | topologySpreadConstraints | list | `[]` | |
 | tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information |
 | tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) (Not for production) |
-| tornjak.image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"spiffe/tornjak-backend","tag":"v1.2.0","version":""}` | Tornjak API image |
-| tornjak.image.tag | string | `"v1.2.0"` | Overrides the image tag |
+| tornjak.image.pullPolicy | string | `"IfNotPresent"` | The Tornjak image pull policy |
+| tornjak.image.registry | string | `"ghcr.io"` | The OCI registry to pull the Tornjak image from |
+| tornjak.image.repository | string | `"spiffe/tornjak-backend"` | The repository within the registry |
+| tornjak.image.tag | string | `"v1.2.1"` | Overrides the image tag |
 | tornjak.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | tornjak.resources | object | `{}` | |
 | tornjak.service.annotations | object | `{}` | |
diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml
index ce45d9edc..e76def00a 100644
--- a/charts/spire/charts/spire-server/templates/statefulset.yaml
+++ b/charts/spire/charts/spire-server/templates/statefulset.yaml
@@ -174,9 +174,9 @@ spec:
             successThreshold: 1
             timeoutSeconds: 5
           args:
-            - -c
+            - --spire-config
             - /run/spire/config/server.conf
-            - -t
+            - --tornjak-config
             - /run/spire/tornjak-config/server.conf
           ports:
             - name: tornjak
diff --git a/charts/spire/charts/spire-server/templates/tornjak-config.yaml b/charts/spire/charts/spire-server/templates/tornjak-config.yaml
index a112051a7..16a8f61ae 100644
--- a/charts/spire/charts/spire-server/templates/tornjak-config.yaml
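Review bot: The switch from `- -c`/`- -t` to `- --spire-config`/`- --tornjak-config` ties the StatefulSet args to the Tornjak backend version the chart now pins, while `tornjak.image.tag` (and the deprecated `tornjak.image.version`) in this commit's values.yaml hunk still let an operator select a different image; the removed lines show the previous image used the short flags, so an older tag would presumably fail to start with the long ones. A comment next to the args would make the coupling explicit, e.g. `# long-form flags require the tornjak-backend version pinned in tornjak.image.tag; keep in sync`, or the same note on the `tag` value. The container spec these args belong to starts outside the hunk.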
+++ b/charts/spire/charts/spire-server/templates/tornjak-config.yaml
@@ -7,7 +7,12 @@ metadata:
 data:
   server.conf: |
     server {
-      metadata = "insert metadata"
+      spire_socket_path = "unix:///tmp/spire-server/private/api.sock" # socket to communicate with SPIRE server
+
+      http {
+        enabled = true # if true, opens HTTP server
+        port = "10000" # if HTTP enabled, opens HTTP listen port at container port 10000
+      }
     }
 
     plugins {
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index a029e6b7a..48e95ef16 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -311,15 +311,17 @@ nodeAttestor:
 tornjak:
   # -- Deploys Tornjak API (backend) (Not for production)
   enabled: false
-  # -- Tornjak API image
   image:
+    # -- The OCI registry to pull the Tornjak image from
     registry: ghcr.io
+    # -- The repository within the registry
     repository: spiffe/tornjak-backend
+    # -- The Tornjak image pull policy
     pullPolicy: IfNotPresent
     # -- This value is deprecated in favor of tag. (Will be removed in a future release)
     version: ""
     # -- Overrides the image tag
-    tag: "v1.2.0"
+    tag: "v1.2.1"
   service:
     type: ClusterIP
     port: 10000
diff --git a/charts/spire/charts/tornjak-frontend/Chart.yaml b/charts/spire/charts/tornjak-frontend/Chart.yaml
index 15167cfc1..532f259dd 100644
--- a/charts/spire/charts/tornjak-frontend/Chart.yaml
+++ b/charts/spire/charts/tornjak-frontend/Chart.yaml
@@ -3,7 +3,7 @@ name: tornjak-frontend
 description: A Helm chart to deploy Tornjak frontend
 type: application
 version: 0.1.0
-appVersion: "v1.2.0"
+appVersion: "v1.2.1"
 home: https://github.com/spiffe/helm-charts/tree/main/charts/spire
 sources:
   - https://github.com/spiffe/tornjak
diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md
index 023575b84..2bbeeae1e 100644
--- a/charts/spire/charts/tornjak-frontend/README.md
+++ b/charts/spire/charts/tornjak-frontend/README.md
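Review bot: `port = "10000"` hardcodes the backend's HTTP listen port in the ConfigMap while `tornjak.service.port: 10000` in this commit's values.yaml hunk is an operator-configurable value; if the two are meant to agree, render the listener from the value (`port = {{ .Values.tornjak.service.port | quote }}`) so a changed Service port does not silently point at a port nothing listens on. Whether the container port in the StatefulSet is derived from that same value is not visible here. `enabled = true` opens a plaintext HTTP API; the chart already labels Tornjak `(Not for production)` in values.yaml, and repeating that in the inline comment on this line (`# plaintext, unauthenticated; not for production`) would make it visible to anyone reading the rendered config rather than only the values file.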
@@ -2,7 +2,7 @@ -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.2.0](https://img.shields.io/badge/AppVersion-v1.2.0-informational?style=flat-square) +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.2.1](https://img.shields.io/badge/AppVersion-v1.2.1-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart to deploy Tornjak frontend @@ -71,6 +71,12 @@ port forwarding. See the chart NOTES output for more details. | serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | spireHealthCheck.enabled | bool | `true` | Enables the SPIRE Healthchecker indicator | +| startupProbe.enabled | bool | `true` | Enable startupProbe on Tornjak frontend container | +| startupProbe.failureThreshold | int | `6` | Failure threshold for startupProbe | +| startupProbe.initialDelaySeconds | int | `5` | Initial delay seconds for startupProbe | +| startupProbe.periodSeconds | int | `10` | Period seconds for startupProbe | +| startupProbe.successThreshold | int | `1` | Success threshold for startupProbe | +| startupProbe.timeoutSeconds | int | `5` | Timeout seconds for startupProbe | | tolerations | list | `[]` | | | topologySpreadConstraints | list | `[]` | | ---------------------------------------------- 
diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml
index cef0fabfc..180f90be5 100644
--- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml
+++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml
@@ -39,18 +39,20 @@ spec:
             - name: REACT_APP_SPIRE_HEALTH_CHECK_ENABLE
               value: "{{ .Values.spireHealthCheck.enabled }}"
           {{- end }}
+          {{- if .Values.startupProbe.enabled }}
           startupProbe:
             httpGet:
               scheme: HTTP
               port: {{ .Values.service.port }}
-            failureThreshold: 6
-            initialDelaySeconds: 120
-            periodSeconds: 45
-            successThreshold: 1
-            timeoutSeconds: 20
+            failureThreshold: {{ .Values.startupProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.startupProbe.periodSeconds }}
+            successThreshold: {{ .Values.startupProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
+          {{- end }}
           volumeMounts:
             - name: cache
-              mountPath: /usr/src/app/node_modules/.cache
+              mountPath: /usr/src/app/
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml
index e079d4282..60eddbd6f 100644
--- a/charts/spire/charts/tornjak-frontend/values.yaml
+++ b/charts/spire/charts/tornjak-frontend/values.yaml
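Review bot: `mountPath: /usr/src/app/` mounts the `cache` volume over the entire application directory rather than `node_modules/.cache`; if the frontend image ships its built assets under `/usr/src/app`, the mount hides them and the container only works if the entrypoint regenerates everything at start. The commit message about the production React build suggests the image layout changed, but nothing in the hunk shows it, so a comment stating why the broader mount is required would help (`# the image writes into /usr/src/app at startup; give it a writable volume`). Separately, the probe defaults move from `initialDelaySeconds: 120`/`periodSeconds: 45`/`timeoutSeconds: 20` to 5/10/5, which with `failureThreshold: 6` cuts the startup budget from roughly 390 s to roughly 65 s at the same time as the probe is made configurable; that tightening is a behaviour change worth stating in the `startupProbe` value descriptions so operators on slow nodes know to raise it.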
@@ -71,3 +71,20 @@ apiServerURL: "http://localhost:10000/" # 👈 Use it for minikube or kind
 spireHealthCheck:
   # -- Enables the SPIRE Healthchecker indicator
   enabled: true
+
+## Configure extra options for Tornjak frontend container's startup probe
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
+##
+startupProbe:
+  # -- Enable startupProbe on Tornjak frontend container
+  enabled: true
+  # -- Initial delay seconds for startupProbe
+  initialDelaySeconds: 5
+  # -- Period seconds for startupProbe
+  periodSeconds: 10
+  # -- Timeout seconds for startupProbe
+  timeoutSeconds: 5
+  # -- Failure threshold for startupProbe
+  failureThreshold: 6
+  # -- Success threshold for startupProbe
+  successThreshold: 1
From dc5d9cfeec7d3a3afb7e86570182926ed22afa60 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Tue, 23 May 2023 16:15:21 -0700 Subject: [PATCH 52/55] Fix root README.md Signed-off-by: Kevin Fox --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index d5e947b2f..e14c7a5c4 100644
--- a/README.md
+++ b/README.md
@@ -23,9 +23,9 @@ Unless otherwise noted in an application chart README, the following dependencie |:-----------|:-------------------| | SPIRE | `1.5.3`+, `1.6.x` | | Helm | `3.x` | -| Kubernetes | `1.21+` | +| Kubernetes | `1.22+` | -> **Note**: For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden. *The first version we tested this chart with is `1.21`.* +> **Note**: For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden. *The first version we tested this chart with is `1.22`.* ## Contributing From ed038feae1a270c5a15ed00607d524157eb266a7 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Tue, 23 May 2023 16:17:34 -0700 Subject: [PATCH 53/55] Upgrade to spire 1.6.4 (#308) Signed-off-by: Kevin Fox --- charts/spire/Chart.yaml | 2 +- charts/spire/README.md | 2 +- charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml | 2 +- charts/spire/charts/spiffe-oidc-discovery-provider/README.md | 2 +- charts/spire/charts/spire-agent/Chart.yaml | 2 +- charts/spire/charts/spire-agent/README.md | 2 +- charts/spire/charts/spire-server/Chart.yaml | 2 +- charts/spire/charts/spire-server/README.md | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 12af3d9c7..b5db24ad2 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml 
@@ -4,7 +4,7 @@ description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application version: 0.7.0 -appVersion: "1.6.3" +appVersion: "1.6.4" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: diff --git a/charts/spire/README.md b/charts/spire/README.md index 33144120a..474debfc0 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -2,7 +2,7 @@ -![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.3](https://img.shields.io/badge/AppVersion-1.6.3-informational?style=flat-square) +![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml index ac3134e31..3c1e0491b 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml 
@@ -3,4 +3,4 @@ name: spiffe-oidc-discovery-provider description: A Helm chart to install the SPIFFE OIDC discovery provider. type: application version: 0.1.0 -appVersion: "1.6.3" +appVersion: "1.6.4" diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index c62e4735b..6f15a514d 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md @@ -2,7 +2,7 @@ -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.3](https://img.shields.io/badge/AppVersion-1.6.3-informational?style=flat-square) +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) A Helm chart to install the SPIFFE OIDC discovery provider. diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml index 8655cd3d6..5a566bccb 100644 --- a/charts/spire/charts/spire-agent/Chart.yaml +++ b/charts/spire/charts/spire-agent/Chart.yaml @@ -3,4 +3,4 @@ name: spire-agent description: A Helm chart to install the SPIRE agent. type: application version: 0.1.0 -appVersion: "1.6.3" +appVersion: "1.6.4" diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 05b24af6c..ec6a0acd3 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -2,7 +2,7 @@ -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.3](https://img.shields.io/badge/AppVersion-1.6.3-informational?style=flat-square) +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) A Helm chart to install the SPIRE agent. diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml index cb30c507f..3614da407 100644 --- a/charts/spire/charts/spire-server/Chart.yaml +++ b/charts/spire/charts/spire-server/Chart.yaml @@ -3,4 +3,4 @@ name: spire-server description: A Helm chart to install the SPIRE server. type: application version: 0.1.0 -appVersion: "1.6.3" +appVersion: "1.6.4" diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 12de0ad75..ef7fa06e0 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -2,7 +2,7 @@ -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.3](https://img.shields.io/badge/AppVersion-1.6.3-informational?style=flat-square) +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) A Helm chart to install the SPIRE server. 
From 0df45e3cd8223fc2b7fd5542f807a7892479a40b Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Tue, 23 May 2023 16:26:23 -0700 Subject: [PATCH 54/55] Fix up docs Signed-off-by: Kevin Fox --- charts/spire/README.md | 2 -- charts/spire/README.md.gotmpl | 4 +++- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 6c28acd5f..ed8424373 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -96,8 +96,6 @@ Now you can interact with the Spire agent socket from your own application. The ## Requirements -Kubernetes: `>=1.21.0-0` - | Repository | Name | Version | |------------|------|---------| | file://./charts/spiffe-csi-driver | spiffe-csi-driver | 0.1.0 | diff --git a/charts/spire/README.md.gotmpl b/charts/spire/README.md.gotmpl index 39cbcaa72..3e8562311 100644 --- a/charts/spire/README.md.gotmpl +++ b/charts/spire/README.md.gotmpl @@ -87,7 +87,9 @@ Now you can interact with the Spire agent socket from your own application. The {{ template "chart.sourcesSection" . }} -{{ template "chart.requirementsSection" . }} +{{ template "chart.requirementsHeader" . }} + +{{ template "chart.requirementsTable" . }} {{ template "chart.valuesSection" . }} From efdeb2e1230366c910d549807fa950e57cf97860 Mon Sep 17 00:00:00 2001 
From: Marco Franssen Date: Thu, 25 May 2023 09:26:04 +0200 Subject: [PATCH 55/55] Bump spire Helm Chart version from 0.7.0 to 0.8.0 * c1c5b112 Merge pull request #306 from spiffe/remove-1.21 * 0df45e3c Fix up docs * ed038fea Upgrade to spire 1.6.4 (#308) * dc5d9cfe Fix root README.md * e4447fd8 Upgrade Tornjak to new image v1.2.1 (#299) * 69f402ec Update docs * 38d51d59 Apply suggestions from code review * a1ba235c Update docs * 1922085b Fix hooks for K3s (#305) * 4fb549e9 Remove 1.21.x testing * 88efc77b Allow to use spire-server as an upstream authority (#304) * 0ba03880 Add support for spire-server ingress (#68) * 4777a300 Bump test chart dependencies (#301) * 00c2c1a5 Fix the generated pr so that it runs jobs too (#303) * dd1ad495 Update images for cve's found by the cronjob (#290) * 1c694707 Updated Tornjak documenation with Not-for-production labels (#297) * 78096374 Merge pull request #296 from spiffe/dependabot/github_actions/helm/kind-action-1.7.0 * e61ed17b Merge pull request #295 from spiffe/dependabot/github_actions/sigstore/cosign-installer-3.0.5 * 9975e58f Merge pull request #245 from spiffe/tags * 7bb7ece1 Bump helm/kind-action from 1.6.0 to 1.7.0 * f1623a59 Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 * f8db5a31 Fix Tornjak persistence issue (#294) * b30b412e Tornjak reuse spire-lib.cluster-domain macro (#292) * 90c9eb50 Fix kubectl-image macro to handle version deprecation * 300d1ccf Apply deprecation of image.version to Tornjak * d8504864 Instead of removing version, first deprecate version * 59e422b9 Add documentation for all image.tag values * d1f3cdb9 Switch image.version to image.tag * 31ce704f Cleanup maintainer handbook (#287) * a2da9437 Remove manual dispatch from dummy workflow (#288) * 807558bb Bump helm/kind-action from 1.5.0 to 1.6.0 (#285) * 3df67dbb Bump sigstore/cosign-installer from 3.0.3 to 3.0.4 (#286) * 5505d41d Merge pull request #283 from spiffe/additional-k8s-native-feature-tornjak-frontend * 391f093a Allow to configure 
topologySpreadConstraints for tornjak-frontend * 5cc26d31 Allow to configure tolerations for tornjak-frontend * 3537161c Allow to configure affinity for tornjak-frontend * aed6fdfe Use the correct kubectl for the cluster (#248) * ee43c5e3 Add nodeSelector for tornjak * fc13cbd9 Merge pull request #234 from spiffe/tornjak * ed472aa9 Update documentation * a11cfc99 Allow to define the resources for tornjak backend * 382e0d4a Upgrade Tornjak image to version v1.2.0 (#259) * 657c460e Update charts/spire/charts/tornjak-frontend/templates/service.yaml * 7521cafc Update charts/spire/charts/spire-server/templates/tornjak-config.yaml * b64c352b Update charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml * 6ddf6ab9 Improve tornjak docs (#276) * 80d34f04 Use common post-install scripts for testing * f5efa0ce Remove dead macros * bd86518a Fixing shellcheck * 91bdea2a Provide minimal resources to prevent accidental crashes due to resource exhaustion * 16759977 Tornjak global image fix (#228) * 5e827ee4 Add Tornjak Tests (#220) * bdba97b6 Add empty directory to Tornjak to support npm cache (#224) * da186c5f Split Tornjak Frontend into separate subchart (#179) * 6d221263 Add Tornjak * 2669d8b5 Add maintainer's handbook. (#265) * 72596aea Skip tests for docs folders (#281) * 7c71738d Bump test chart dependencies (#279) * 05addae9 Add json to test path (#280) * 8d9b7349 Switch the spire tests to always run (#250) Signed-off-by: Marco Franssen --- charts/spire/Chart.yaml | 2 +- charts/spire/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index b5db24ad2..ff67d9d38 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml 
@@ -3,7 +3,7 @@ name: spire
 description: >
   A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.7.0
+version: 0.8.0
 appVersion: "1.6.4"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts/tree/main/charts/spire
diff --git a/charts/spire/README.md b/charts/spire/README.md
index 604c260e1..079d710db 100644
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
@@ -2,7 +2,7 @@
-![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square)
+![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.