Merge branch 'main' into validatingpolicy

spiffe · Oct 26, 2024 · 3ed1e59 · 3ed1e59
2 parents 6508c89 + a7368ee
commit 3ed1e59
Show file tree

Hide file tree

Showing 9 changed files with 12 additions and 10 deletions.
diff --git a/charts/spire-nested/Chart.yaml b/charts/spire-nested/Chart.yaml
@@ -4,7 +4,7 @@ description: >
   A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
 version: 0.23.0
-appVersion: "1.10.3"
+appVersion: "1.11.0"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:

diff --git a/charts/spire-nested/README.md b/charts/spire-nested/README.md
@@ -1,6 +1,6 @@
 # spire
 
-![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.3](https://img.shields.io/badge/AppVersion-1.10.3-informational?style=flat-square)
+![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.0](https://img.shields.io/badge/AppVersion-1.11.0-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.

diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml
@@ -4,7 +4,7 @@ description: >
   A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
 version: 0.23.0
-appVersion: "1.10.3"
+appVersion: "1.11.0"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:

diff --git a/charts/spire/README.md b/charts/spire/README.md
@@ -1,6 +1,6 @@
 # spire
 
-![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.3](https://img.shields.io/badge/AppVersion-1.10.3-informational?style=flat-square)
+![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.0](https://img.shields.io/badge/AppVersion-1.11.0-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@@ -92,6 +92,8 @@ We only support upgrading one major/minor version at a time. Version skipping is
 
 - You must upgrade [spire-crds](https://artifacthub.io/packages/helm/spiffe/spire-crds) to 0.5.0+ before performing this upgrade.
 
+- SPIRE changed the default in 1.11.0 from `spire-agent.workloadAttestors.k8s.useNewContainerLocator=false` to `spire-agent.workloadAttestors.k8s.useNewContainerLocator=true`
+
 - In order to make it easier to target specific SPIFFE IDs to workloads, a fallback feature was added to ClusterSPIFFEIDs so that a default ID will only apply when no others do. To change back to the previous behavior, use `spire-server.controllerManager.identities.clusterSPIFFEIDs.default.fallback=false`. The new default is unlikely to need changes.
 
 - We now set a hint of the ClusterSPIFFEID name on each entry created by default. This can be undone by setting the `hint=""` property on the ClusterSPIFFEID. The new default is unlikely to need changes.

diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml
@@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider
 description: A Helm chart to install the SPIFFE OIDC discovery provider.
 type: application
 version: 0.1.0
-appVersion: "1.10.3"
+appVersion: "1.11.0"
 keywords: ["spiffe", "oidc"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:

diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml
@@ -3,7 +3,7 @@ name: spire-agent
 description: A Helm chart to install the SPIRE agent.
 type: application
 version: 0.1.0
-appVersion: "1.10.3"
+appVersion: "1.11.0"
 keywords: ["spiffe", "spire-agent"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:

diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md
@@ -96,7 +96,7 @@ A Helm chart to install the SPIRE agent.
 | `workloadAttestors.k8s.verification.hostCert.basePath` | Path where kubelet places its certificates                                                                                                                                                        | `/var/lib/kubelet/pki`                                                           |
 | `workloadAttestors.k8s.verification.hostCert.fileName` | File name where kubelet places its certificates. If blank, it will be auto detected.                                                                                                              | `""`                                                                             |
 | `workloadAttestors.k8s.disableContainerSelectors`      | Set to true if using holdApplicationUntilProxyStarts in Istio                                                                                                                                     | `false`                                                                          |
-| `workloadAttestors.k8s.useNewContainerLocator`         | If true, enables the new container locator algorithm that has support for cgroups v2. Defaults to false                                                                                           | `false`                                                                          |
+| `workloadAttestors.k8s.useNewContainerLocator`         | If true, enables the new container locator algorithm that has support for cgroups v2. Defaults to true                                                                                            | `true`                                                                           |
 | `workloadAttestors.k8s.verboseContainerLocatorLogs`    | If true, enables verbose logging of mountinfo and cgroup information used to locate containers. Defaults to false                                                                                 | `false`                                                                          |
 | `sds.enabled`                                          | Enables Envoy SDS configuration                                                                                                                                                                   | `false`                                                                          |
 | `sds.defaultSVIDName`                                  | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS                                                                                                                 | `default`                                                                        |

diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml
@@ -227,8 +227,8 @@ workloadAttestors:
         fileName: ""
     ## @param workloadAttestors.k8s.disableContainerSelectors Set to true if using holdApplicationUntilProxyStarts in Istio
     disableContainerSelectors: false
-    ## @param workloadAttestors.k8s.useNewContainerLocator If true, enables the new container locator algorithm that has support for cgroups v2. Defaults to false
-    useNewContainerLocator: false
+    ## @param workloadAttestors.k8s.useNewContainerLocator If true, enables the new container locator algorithm that has support for cgroups v2. Defaults to true
+    useNewContainerLocator: true
     ## @param workloadAttestors.k8s.verboseContainerLocatorLogs If true, enables verbose logging of mountinfo and cgroup information used to locate containers. Defaults to false
     verboseContainerLocatorLogs: false
 

diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml
@@ -3,7 +3,7 @@ name: spire-server
 description: A Helm chart to install the SPIRE server.
 type: application
 version: 0.1.0
-appVersion: "1.10.3"
+appVersion: "1.11.0"
 keywords: ["spiffe", "spire-server", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources: