Merge branch 'main' into release

spiffe · Jan 24, 2024 · 5f46d7b · 5f46d7b
2 parents 69511f5 + 2df2e16
commit 5f46d7b
Show file tree

Hide file tree

Showing 99 changed files with 2,175 additions and 1,199 deletions.
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -0,0 +1,82 @@
+FROM ubuntu:22.04
+RUN \
+  apt-get update && \
+  apt-get install -y bash ca-certificates gnupg make curl vim sudo jq && \
+  curl -sL https://deb.nodesource.com/setup_18.x -o nodesource_setup.sh && \
+  mkdir -p /etc/apt/keyrings && \
+  curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
+  echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | sudo tee /etc/apt/sources.list.d/nodesource.list && \
+  apt-get update && \
+  apt-get install -y nodejs && \
+  apt-get clean && \
+  curl -o /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.35.2/yq_linux_amd64 && \
+  chmod +x /usr/local/bin/yq
+RUN \
+  curl -q -l -o /tmp/go.tgz "https://dl.google.com/go/go1.21.4.linux-amd64.tar.gz" && \
+  cd /usr/local && \
+  tar -xvf /tmp/go.tgz && \
+  rm -f /tmp/go.tgz && \
+  cd /
+RUN \
+  curl -L -o /usr/local/bin/minikube https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 && \
+  chmod +x /usr/local/bin/minikube && \
+  curl -L -o /usr/local/bin/kubectl "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
+  chmod +x /usr/local/bin/kubectl
+
+RUN \
+  curl -fsSL -o /tmp/get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && \
+  chmod +x /tmp/get_helm.sh && \
+  /tmp/get_helm.sh && \
+  rm /tmp/get_helm.sh
+
+RUN \
+  groupadd -g 10001 dev && \
+  useradd --uid 10001 -g 10001 -m dev && \
+  echo 'dev ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/dev && \
+  chmod 400 /etc/sudoers.d/dev
+
+ENV PATH /usr/local/go/bin:$PATH
+
+RUN \
+  npm install -g "@bitnami/readme-generator-for-helm@2.6.0"
+
+RUN \
+  go install github.com/onsi/ginkgo/v2/ginkgo@latest
+
+RUN \
+  apt-get install -y git zsh strace lsof graphviz && \
+  mv /root/go/bin/ginkgo /usr/local/bin
+
+RUN \
+  curl -L -o /tmp/ct.tar.gz https://github.com/helm/chart-testing/releases/download/v3.8.0/chart-testing_3.8.0_linux_amd64.tar.gz && \
+  cd /usr/local/bin && \
+  tar -xvf /tmp/ct.tar.gz ct && \
+  cd / && \
+  tar -xvf /tmp/ct.tar.gz etc && \
+  mkdir /etc/ct && \
+  mv /etc/chart_schema.yaml /etc/ct/ && \
+  mv /etc/lintconf.yaml /etc/ct/ && \
+  curl -o /tmp/gh.tar.gz https://github.com/cli/cli/releases/download/v2.40.0/gh_2.40.0_linux_amd64.tar.gz -L && \
+  cd && \
+  cd /tmp && \
+  tar -zxvf gh.tar.gz && \
+  mv gh_*_linux_amd64/bin/* /usr/local/bin && \
+  mkdir -p /usr/local/share/main/man1/ && \
+  mv gh_*_linux_amd64/share/man/man1/* /usr/local/share/main/man1/ && \
+  cd
+
+RUN \
+  cd /tmp && \
+  git clone https://github.com/devcontainers/features && \
+  cd features/src/docker-in-docker && \
+  export MOBY=true && \
+  export INSTALLDOCKERBUILDX=false && \
+  ./install.sh && \
+  cd ../../../ && \
+  rm -rf features
+
+RUN \
+  usermod -a -G docker dev
+
+USER dev
+
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -0,0 +1,30 @@
+{
+	"name": "spiffe-helm-charts-hardened",
+	"image": "ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest",
+	"features": {
+		"ghcr.io/devcontainers/features/docker-in-docker:2": {
+			"version": "latest",
+			"moby": true,
+			"installDockerBuildx": false
+		}
+	},
+	"customizations": {
+		"vscode": {
+			"extensions": [
+				"ms-kubernetes-tools.vscode-kubernetes-tools"
+			],
+			"settings": {
+				"terminal.integrated.defaultProfile.linux": "bash",
+				"terminal.integrated.profiles.linux": {
+					"zsh": { "path": "/bin/zsh" },
+					"bash": { "path": "/bin/bash" }
+				}
+			}
+		}
+	},
+	"postStartCommand": "minikube start && helm upgrade --install -n spire-server spire-crds charts/spire-crds --create-namespace && kubectl version",
+	"hostRequirements": {
+		"cpus": 1
+	},
+	"remoteUser": "dev"
+}
diff --git a/.github/tests/charts.json b/.github/tests/charts.json
@@ -2,26 +2,26 @@
   {
     "name": "kube-prometheus-stack",
     "repo": "https://prometheus-community.github.io/helm-charts",
-    "version": "54.2.2"
+    "version": "56.0.1"
   },
   {
     "name": "cert-manager",
     "repo": "https://charts.jetstack.io",
-    "version": "v1.13.2"
+    "version": "v1.13.3"
   },
   {
     "name": "ingress-nginx",
     "repo": "https://kubernetes.github.io/ingress-nginx",
-    "version": "4.8.3"
+    "version": "4.9.0"
   },
   {
     "name": "mysql",
     "repo": "https://charts.bitnami.com/bitnami",
-    "version": "9.14.4"
+    "version": "9.18.0"
   },
   {
     "name": "postgresql",
     "repo": "https://charts.bitnami.com/bitnami",
-    "version": "13.2.18"
+    "version": "13.3.1"
   }
 ]
diff --git a/.github/tests/common.sh b/.github/tests/common.sh
@@ -22,6 +22,7 @@ $(kubectl --request-timeout=30s describe pods --namespace "$1")
 
 \`\`\`shell
 $(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --all-containers=true --ignore-errors=true; done)
+$( ([[ -n "$2" ]] && kubectl get pods -o name -n "$2") | while read -r line; do echo logs for "${line}"; kubectl logs -n "$2" "${line}" --all-containers=true --ignore-errors=true; done)
 \`\`\`
 
 EOF
@@ -36,7 +37,7 @@ k_rollout_status () {
 }
 
 get_spire_release_name () {
-  helm ls -A | grep '^spire' | awk '{print $1}'
+  helm ls -A | grep '^spire' | grep -v spire-crds | awk '{print $1}'
 }
 
 print_spire_workload_status () {

diff --git a/.github/tests/dependencies/spire-root-server-values.yaml b/.github/tests/dependencies/spire-root-server-values.yaml
@@ -8,13 +8,23 @@ spire-server:
     identities:
       clusterSPIFFEIDs:
         default:
+          type: raw
+          spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
           namespaceSelector:
-            kubernetes.io/metadata.name: spire-server
+            matchExpressions:
+            - key: "kubernetes.io/metadata.name"
+              operator: In
+              values: [spire-server]
           podSelector:
-            app.kubernetes.io/component: server
-            app.kubernetes.io/instance: spire
-            app.kubernetes.io/name: server
+            matchLabels:
+              release: spire
+              release-namespace: spire-server
+              component: server
           downstream: true
+        oidc-discovery-provider:
+          enabled: false
+        test-keys:
+          enabled: false
   nodeAttestor:
     k8sPsat:
       serviceAccountAllowList:
@@ -24,6 +34,9 @@ spire-server:
     k8sbundle:
       namespace: spire-system
 
+spiffe-oidc-discovery-provider:
+  enabled: false
+
 spire-agent:
   enabled: false
 

diff --git a/.github/tests/images.json b/.github/tests/images.json
@@ -34,6 +34,10 @@
       "query": "telemetry.prometheus.nginxExporter.image",
       "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$",
       "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
+    }, {
+      "query": "tests.step.image",
+      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$",
+      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
     },
     {
       "query": "tests.bash.image",

diff --git a/.github/workflows/check-versions.yaml b/.github/workflows/check-versions.yaml
@@ -33,15 +33,15 @@ jobs:
           git diff
 
       - name: Setup go
-        uses: actions/setup-go@v4.1.0
+        uses: actions/setup-go@v5.0.0
         with:
           go-version: '1.21'
           cache: false
 
       - name: Setup crane
         uses: imjasonh/setup-crane@v0.3
 
-      - uses: actions/setup-python@v4.6.1
+      - uses: actions/setup-python@v5
         with:
           python-version: '3.9'
 

diff --git a/.github/workflows/helm-chart-ci-ignore.yaml b/.github/workflows/helm-chart-ci-ignore.yaml
@@ -30,9 +30,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.27.2
-          - v1.26.4
-          - v1.25.9
+          - v1.28.0
+          - v1.27.3
+          - v1.26.6
 
     steps:
       - run: 'echo "Skipping tests"'
@@ -65,9 +65,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.27.2
-          - v1.26.4
-          - v1.25.9
+          - v1.28.0
+          - v1.27.3
+          - v1.26.6
         example:
           - ${{ fromJson(needs.build-matrix.outputs.examples) }}
 

diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml
@@ -73,7 +73,7 @@ jobs:
           fi
 
       - name: Setup Go
-        uses: actions/setup-go@v4.1.0
+        uses: actions/setup-go@v5.0.0
         with:
           go-version-file: tests/go.mod
           cache-dependency-path: tests/go.sum
@@ -104,7 +104,7 @@ jobs:
           version: ${{ env.HELM_VERSION }}
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
@@ -130,9 +130,9 @@ jobs:
         # Kubernetes, but can go back farther as long as we don't need heroics
         # to pull it off (i.e. kubectl version juggling).
         k8s:
-          - v1.27.2
-          - v1.26.4
-          - v1.25.9
+          - v1.28.0
+          - v1.27.3
+          - v1.26.6
 
     steps:
       - name: Checkout
@@ -146,7 +146,7 @@ jobs:
           version: ${{ env.HELM_VERSION }}
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
@@ -209,9 +209,9 @@ jobs:
       fail-fast: false
       matrix:
         k8s:
-          - v1.27.2
-          - v1.26.4
-          - v1.25.9
+          - v1.28.0
+          - v1.27.3
+          - v1.26.6
         example:
           - ${{ fromJson(needs.build-matrix.outputs.examples) }}
 
@@ -225,7 +225,7 @@ jobs:
           version: ${{ env.HELM_VERSION }}
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
@@ -240,8 +240,13 @@ jobs:
 
       - name: Install and test example
         run: |
-          kubectl create namespace spire-server
-          helm install -n spire-server spire-crds charts/spire-crds
+          if [ "${{ matrix.example }}" = "examples/federation" ]; then
+            kubectl create namespace spire-mgmt
+            helm install -n spire-mgmt spire-crds charts/spire-crds
+          else
+            kubectl create namespace spire-server
+            helm install -n spire-server spire-crds charts/spire-crds
+          fi
           ${{ matrix.example }}/run-tests.sh
 
   upgrade-test:
@@ -255,9 +260,9 @@ jobs:
       fail-fast: false
       matrix:
         k8s:
-          - v1.27.2
-          - v1.26.4
-          - v1.25.9
+          - v1.28.0
+          - v1.27.3
+          - v1.26.6
 
     steps:
       - name: Checkout
@@ -269,7 +274,7 @@ jobs:
           version: ${{ env.HELM_VERSION }}
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 

diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
@@ -29,9 +29,9 @@ jobs:
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
       - name: Setup cosign
-        uses: sigstore/cosign-installer@v3.2.0
+        uses: sigstore/cosign-installer@v3.3.0
         with:
-          cosign-release: v2.2.0
+          cosign-release: v2.2.2
 
       - name: Set up Helm
         uses: azure/setup-helm@v3.5