Merge branch 'main' into release
faisal-memon committed Mar 4, 2024
2 parents bea5972 + cf2e213 commit 4469529
Showing 39 changed files with 971 additions and 115 deletions.
10 changes: 5 additions & 5 deletions .github/tests/charts.json
Expand Up @@ -2,26 +2,26 @@
{
"name": "kube-prometheus-stack",
"repo": "https://prometheus-community.github.io/helm-charts",
"version": "56.6.2"
"version": "56.20.0"
},
{
"name": "cert-manager",
"repo": "https://charts.jetstack.io",
"version": "v1.14.1"
"version": "v1.14.3"
},
{
"name": "ingress-nginx",
"repo": "https://kubernetes.github.io/ingress-nginx",
"version": "4.9.1"
"version": "4.10.0"
},
{
"name": "mysql",
"repo": "https://charts.bitnami.com/bitnami",
"version": "9.19.1"
"version": "9.22.0"
},
{
"name": "postgresql",
"repo": "https://charts.bitnami.com/bitnami",
"version": "14.0.1"
"version": "14.2.3"
}
]
2 changes: 1 addition & 1 deletion .github/workflows/check-versions.yaml
Expand Up @@ -61,7 +61,7 @@ jobs:
- name: Create Pull Request
id: cpr
uses: peter-evans/create-pull-request@v6.0.0
uses: peter-evans/create-pull-request@v6.0.1
with:
token: ${{ secrets.GITHUB_TOKEN }}
title: Bump test chart dependencies
31 changes: 29 additions & 2 deletions .github/workflows/helm-chart-ci-ignore.yaml
Expand Up @@ -45,16 +45,25 @@ jobs:
- name: Checkout
uses: actions/checkout@v4.1.1

- id: set-matrix
- id: set-matrix-example
name: Collect all examples
run: |
examples="$(find examples -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
examples_json="$(echo "$examples" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
echo "${examples_json}"
echo "examples=$examples_json" >>"$GITHUB_OUTPUT"
- id: set-matrix-integration
name: Collect all integration tests
run: |
integrationtests="$(find tests/integration -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
integrationtests_json="$(echo "$integrationtests" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
echo "${integrationtests_json}"
echo "integrationtests=$integrationtests_json" >>"$GITHUB_OUTPUT"
outputs:
examples: ${{ steps.set-matrix.outputs.examples }}
examples: ${{ steps.set-matrix-example.outputs.examples }}
integrationtests: ${{ steps.set-matrix-integration.outputs.integrationtests }}

example-test:
runs-on: ubuntu-22.04
Expand All @@ -74,6 +83,24 @@ jobs:
steps:
- run: 'echo "Skipping example-test"'

integration-test:
runs-on: ubuntu-22.04

needs:
- build-matrix

strategy:
matrix:
k8s:
- v1.28.0
- v1.27.3
- v1.26.6
example:
- ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}

steps:
- run: 'echo "Skipping integration-test"'

upgrade-test:
runs-on: ubuntu-22.04

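Review bot: The integration-test stub's matrix dimension is named `example` although it is fed from `needs.build-matrix.outputs.integrationtests`, while the real job in helm-chart-ci.yaml calls the same dimension `integrationtest`; renaming it to `integrationtest:` keeps the placeholder aligned with the job it stands in for. Skip workflows like this one exist so the same job names report as checks when the real CI does not run, so the real job's matrix shape (including its `fail-fast: false`) should be mirrored here whenever it changes. The new `set-matrix-integration` step duplicates the `find`/`jq` pipeline of the real workflow verbatim; if the directory layout under tests/integration changes, both copies need the same edit, which is worth a short comment on the step.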
65 changes: 60 additions & 5 deletions .github/workflows/helm-chart-ci.yaml
Expand Up @@ -156,7 +156,7 @@ jobs:
version: ${{ env.CHART_TESTING_VERSION }}

- name: Create kind ${{ matrix.k8s }} cluster
uses: helm/kind-action@v1.8.0
uses: helm/kind-action@v1.9.0
# Only build a kind cluster if there are chart changes to test.
with:
version: ${{ env.KIND_VERSION }}
Expand Down Expand Up @@ -187,16 +187,25 @@ jobs:
- name: Checkout
uses: actions/checkout@v4.1.1

- id: set-matrix
- id: set-matrix-example
name: Collect all examples
run: |
examples="$(find examples -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
examples_json="$(echo "$examples" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
echo "${examples_json}"
echo "examples=$examples_json" >>"$GITHUB_OUTPUT"
- id: set-matrix-integration
name: Collect all integration tests
run: |
integrationtests="$(find tests/integration -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
integrationtests_json="$(echo "$integrationtests" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
echo "${integrationtests_json}"
echo "integrationtests=$integrationtests_json" >>"$GITHUB_OUTPUT"
outputs:
examples: ${{ steps.set-matrix.outputs.examples }}
examples: ${{ steps.set-matrix-example.outputs.examples }}
integrationtests: ${{ steps.set-matrix-integration.outputs.integrationtests }}

example-test:
runs-on: ubuntu-22.04
Expand Down Expand Up @@ -230,7 +239,7 @@ jobs:
python-version: ${{ env.PYTHON_VERSION }}

- name: Create kind cluster
uses: helm/kind-action@v1.8.0
uses: helm/kind-action@v1.9.0
# Only build a kind cluster if there are chart changes to test.
with:
version: ${{ env.KIND_VERSION }}
Expand All @@ -249,6 +258,52 @@ jobs:
fi
${{ matrix.example }}/run-tests.sh
integration-test:
runs-on: ubuntu-22.04

needs:
- lint-chart
- build-matrix

strategy:
fail-fast: false
matrix:
k8s:
- v1.28.0
- v1.27.3
- v1.26.6
integrationtest:
- ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}

steps:
- name: Checkout
uses: actions/checkout@v4.1.1

- name: Set up Helm
uses: azure/setup-helm@v3.5
with:
version: ${{ env.HELM_VERSION }}

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}

- name: Create kind cluster
uses: helm/kind-action@v1.9.0
# Only build a kind cluster if there are chart changes to test.
with:
version: ${{ env.KIND_VERSION }}
node_image: kindest/node:v1.26.4
config: .github/kind/conf/kind-config.yaml
verbosity: 1

- name: Install and test integration
run: |
kubectl create namespace spire-server
helm install -n spire-server spire-crds charts/spire-crds
${{ matrix.integrationtest }}/run-tests.sh
upgrade-test:
runs-on: ubuntu-22.04

Expand Down Expand Up @@ -279,7 +334,7 @@ jobs:
python-version: ${{ env.PYTHON_VERSION }}

- name: Create kind cluster
uses: helm/kind-action@v1.8.0
uses: helm/kind-action@v1.9.0
# Only build a kind cluster if there are chart changes to test.
with:
version: ${{ env.KIND_VERSION }}
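Review bot: In the new integration-test job the matrix declares three `k8s` versions but nothing in the job reads `matrix.k8s`; the kind step hard-codes `node_image: kindest/node:v1.26.4`, so all three matrix entries exercise the same node image and the other two only add CI time. The earlier step titled `Create kind ${{ matrix.k8s }} cluster` suggests the intended form is `node_image: kindest/node:${{ matrix.k8s }}` (that step's `with:` block is outside the hunk, so confirm it does the same). The copied comment `# Only build a kind cluster if there are chart changes to test.` sits next to a step with no `if:` in this job, so it should be dropped or the condition added. The `Install and test integration` step expands `${{ matrix.integrationtest }}` directly into the shell script; the value is the repository's own `find tests/integration` output, but passing it through `env:` and quoting it (`"$TEST_DIR"/run-tests.sh`) is the conventional way to keep expression values out of the script body, and the same applies to the existing `${{ matrix.example }}/run-tests.sh` line in example-test.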
4 changes: 2 additions & 2 deletions charts/spire/Chart.yaml
Expand Up @@ -3,8 +3,8 @@ name: spire
description: >
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
type: application
version: 0.17.2
appVersion: "1.8.7"
version: 0.18.0
appVersion: "1.9.0"
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources:
21 changes: 14 additions & 7 deletions charts/spire/README.md
@@ -1,6 +1,6 @@
# spire

![Version: 0.17.2](https://img.shields.io/badge/Version-0.17.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.7](https://img.shields.io/badge/AppVersion-1.8.7-informational?style=flat-square)
![Version: 0.18.0](https://img.shields.io/badge/Version-0.18.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.0](https://img.shields.io/badge/AppVersion-1.9.0-informational?style=flat-square)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)

A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
Expand Down Expand Up @@ -34,12 +34,10 @@ global:
# Update these
clusterName: example-cluster
trustDomain: example.org
spire-server:
ca_subject:
# Update these
country: ARPA
organization: Example
common_name: example.org
caSubject:
country: ARPA
organization: Example
commonName: example.org
```
2. If you need a non default storageClass, append the following to the spire-server section and update:
Expand Down Expand Up @@ -77,6 +75,11 @@ kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeid

We only support upgrading one major version at a time. Version skipping isn't supported.

### 0.18.x

- SPIRE no longer emits x509UniqueIdentifiers in x509-SVIDS by default. The old behavior can be reenabled with spire-server.credentialComposer.uniqueID.enabled=true. See https://github.com/spiffe/spire/pull/4862 for details.
- SPIRE agents will now automatically reattest when they can. The old behavior can be reenabled with spire-agent.disableReattestToRenew=true. See https://github.com/spiffe/spire/pull/4791 for details.

### 0.17.X

- If you set spire-server.replicaCount > 1, update it to 1 before upgrading and after upgrade you can set it back to its previous value.
Expand Down Expand Up @@ -209,6 +212,9 @@ Now you can interact with the Spire agent socket from your own application. The
| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset | `""` |
| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` |
| `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` |
| `global.spire.caSubject.country` | Country for Spire server CA | `""` |
| `global.spire.caSubject.organization` | Organization for Spire server CA | `""` |
| `global.spire.caSubject.commonName` | Common Name for Spire server CA | `""` |
| `global.spire.recommendations.enabled` | Use recommended settings for production deployments. Default is off. | `false` |
| `global.spire.recommendations.namespaceLayout` | Set to true to use recommended values for installing across namespaces | `true` |
| `global.spire.recommendations.namespacePSS` | When chart namespace creation is enabled, label them with preffered Pod Security Standard labels | `true` |
Expand All @@ -228,6 +234,7 @@ Now you can interact with the Spire agent socket from your own application. The
| `global.spire.namespaces.server.labels` | Labels to apply to the Spire server Namespace. | `{}` |
| `global.spire.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `false` |
| `global.spire.ingressControllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
| `global.spire.tools.kubectl.tag` | Set to force the tag to use for all kubectl instances | `""` |
| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` |
| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` |
