Merge branch 'main' into release

.github/workflows/helm-chart-ci-ignore.yaml

@@ -50,9 +50,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.27.0
-          - v1.26.3
-          - v1.25.8
+          - v1.27.2
+          - v1.26.4
+          - v1.25.9
         values:
           - ${{ fromJson(needs.build-matrix.outputs.tests) }}
 

.github/workflows/helm-chart-ci.yaml

@@ -3,7 +3,7 @@ name: Helm Chart CI
 on:
   workflow_dispatch:
   pull_request:
-    types: [synchronize, opened, reopened, edited]
+    types: [synchronize, opened, reopened]
     paths:
       - 'charts/**'
       - '.github/workflows/helm-chart-ci.yaml'
@@ -19,8 +19,8 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  HELM_VERSION: v3.11.1
-  PYTHON_VERSION: 3.11.2
+  HELM_VERSION: v3.12.0
+  PYTHON_VERSION: 3.11.3
   CHART_TESTING_VERSION: v3.8.0
 
 jobs:
@@ -61,7 +61,7 @@ jobs:
           if [ $res -eq 0 ]; then
             {
               echo "## Hardcoded images"
-              echo 
+              echo
               echo ":x: These templates were found to be using statically defined images and not overridable ones. Please fix."
               echo
               cat /tmp/findings
@@ -136,10 +136,10 @@ jobs:
         # Kubernetes, but can go back farther as long as we don't need heroics
         # to pull it off (i.e. kubectl version juggling).
         k8s:
-          - v1.27.0
-          - v1.26.3
-          - v1.25.8
-          - v1.24.12
+          - v1.27.2
+          - v1.26.4
+          - v1.25.9
+          - v1.24.13
           - v1.23.17
           - v1.22.17
         values:

charts/spire/Chart.yaml

@@ -3,7 +3,7 @@ name: spire
 description: >
   A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.8.0
+version: 0.8.1
 appVersion: "1.6.4"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts/tree/main/charts/spire

charts/spire/README.md

@@ -2,7 +2,7 @@
 
 <!-- This README.md is generated. Please edit README.md.gotmpl -->
 
-![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square)
+![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@@ -131,6 +131,8 @@ Now you can interact with the Spire agent socket from your own application. The
 | spiffe-csi-driver.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | spiffe-csi-driver.imagePullSecrets | list | `[]` |  |
 | spiffe-csi-driver.kubeletPath | string | `"/var/lib/kubelet"` |  |
+| spiffe-csi-driver.livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe |
+| spiffe-csi-driver.livenessProbe.timeoutSeconds | int | `5` | Timeout value in seconds for livenessProbe |
 | spiffe-csi-driver.nameOverride | string | `""` |  |
 | spiffe-csi-driver.namespaceOverride | string | `""` |  |
 | spiffe-csi-driver.nodeDriverRegistrar.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
@@ -187,11 +189,15 @@ Now you can interact with the Spire agent socket from your own application. The
 | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.tag | string | `"1.24.0-alpine"` | Overrides the image tag |
 | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | spiffe-oidc-discovery-provider.insecureScheme.nginx.resources | object | `{}` |  |
+| spiffe-oidc-discovery-provider.livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe |
+| spiffe-oidc-discovery-provider.livenessProbe.periodSeconds | int | `5` | Period seconds for livenessProbe |
 | spiffe-oidc-discovery-provider.nameOverride | string | `""` |  |
 | spiffe-oidc-discovery-provider.namespaceOverride | string | `""` |  |
 | spiffe-oidc-discovery-provider.nodeSelector | object | `{}` |  |
 | spiffe-oidc-discovery-provider.podAnnotations | object | `{}` |  |
 | spiffe-oidc-discovery-provider.podSecurityContext | object | `{}` |  |
+| spiffe-oidc-discovery-provider.readinessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for readinessProbe |
+| spiffe-oidc-discovery-provider.readinessProbe.periodSeconds | int | `5` | Period seconds for readinessProbe |
 | spiffe-oidc-discovery-provider.replicaCount | int | `1` |  |
 | spiffe-oidc-discovery-provider.resources | object | `{}` |  |
 | spiffe-oidc-discovery-provider.securityContext | object | `{}` |  |
@@ -229,13 +235,17 @@ Now you can interact with the Spire agent socket from your own application. The
 | spire-agent.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | spire-agent.imagePullSecrets | list | `[]` |  |
 | spire-agent.initContainers | list | `[]` |  |
+| spire-agent.livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe |
+| spire-agent.livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe |
 | spire-agent.logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" |
 | spire-agent.nameOverride | string | `""` |  |
 | spire-agent.namespaceOverride | string | `""` |  |
 | spire-agent.nodeSelector | object | `{}` |  |
 | spire-agent.podAnnotations | object | `{}` |  |
 | spire-agent.podSecurityContext | object | `{}` |  |
 | spire-agent.priorityClassName | string | `""` | Priority class assigned to daemonset pods |
+| spire-agent.readinessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for readinessProbe |
+| spire-agent.readinessProbe.periodSeconds | int | `60` | Period seconds for readinessProbe |
 | spire-agent.resources | object | `{}` |  |
 | spire-agent.securityContext | object | `{}` |  |
 | spire-agent.server.address | string | `""` |  |
@@ -340,6 +350,10 @@ Now you can interact with the Spire agent socket from your own application. The
 | spire-server.ingress.tls | list | `[]` |  |
 | spire-server.initContainers | list | `[]` |  |
 | spire-server.jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain |
+| spire-server.livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe |
+| spire-server.livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe |
+| spire-server.livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe |
+| spire-server.livenessProbe.timeoutSeconds | int | `3` | Timeout in seconds for livenessProbe |
 | spire-server.logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" |
 | spire-server.nameOverride | string | `""` |  |
 | spire-server.namespaceOverride | string | `""` |  |
@@ -352,6 +366,8 @@ Now you can interact with the Spire agent socket from your own application. The
 | spire-server.persistence.storageClass | string | `nil` |  |
 | spire-server.podAnnotations | object | `{}` |  |
 | spire-server.podSecurityContext | object | `{}` |  |
+| spire-server.readinessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for readinessProbe |
+| spire-server.readinessProbe.periodSeconds | int | `5` | Period seconds for readinessProbe |
 | spire-server.replicaCount | int | `1` | SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. |
 | spire-server.resources | object | `{}` |  |
 | spire-server.securityContext | object | `{}` |  |
@@ -378,6 +394,11 @@ Now you can interact with the Spire agent socket from your own application. The
 | spire-server.tornjak.service.annotations | object | `{}` |  |
 | spire-server.tornjak.service.port | int | `10000` |  |
 | spire-server.tornjak.service.type | string | `"ClusterIP"` |  |
+| spire-server.tornjak.startupProbe.failureThreshold | int | `3` |  |
+| spire-server.tornjak.startupProbe.initialDelaySeconds | int | `5` | Initial delay seconds for |
+| spire-server.tornjak.startupProbe.periodSeconds | int | `10` |  |
+| spire-server.tornjak.startupProbe.successThreshold | int | `1` |  |
+| spire-server.tornjak.startupProbe.timeoutSeconds | int | `5` |  |
 | spire-server.trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers |
 | spire-server.upstreamAuthority.certManager.enabled | bool | `false` |  |
 | spire-server.upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` |  |
@@ -416,10 +437,10 @@ Now you can interact with the Spire agent socket from your own application. The
 | tornjak-frontend.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
 | tornjak-frontend.spireHealthCheck.enabled | bool | `true` | Enables the SPIRE Healthchecker indicator |
 | tornjak-frontend.startupProbe.enabled | bool | `true` | Enable startupProbe on Tornjak frontend container |
-| tornjak-frontend.startupProbe.failureThreshold | int | `6` | Failure threshold for startupProbe |
+| tornjak-frontend.startupProbe.failureThreshold | int | `6` | Failure threshold count for startupProbe |
 | tornjak-frontend.startupProbe.initialDelaySeconds | int | `5` | Initial delay seconds for startupProbe |
 | tornjak-frontend.startupProbe.periodSeconds | int | `10` | Period seconds for startupProbe |
-| tornjak-frontend.startupProbe.successThreshold | int | `1` | Success threshold for startupProbe |
+| tornjak-frontend.startupProbe.successThreshold | int | `1` | Success threshold count for startupProbe |
 | tornjak-frontend.startupProbe.timeoutSeconds | int | `5` | Timeout seconds for startupProbe |
 | tornjak-frontend.tolerations | list | `[]` |  |
 | tornjak-frontend.topologySpreadConstraints | list | `[]` |  |

charts/spire/charts/spiffe-csi-driver/README.md

@@ -23,6 +23,8 @@ A Helm chart to install the SPIFFE CSI driver.
 | image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | imagePullSecrets | list | `[]` |  |
 | kubeletPath | string | `"/var/lib/kubelet"` |  |
+| livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe |
+| livenessProbe.timeoutSeconds | int | `5` | Timeout value in seconds for livenessProbe |
 | nameOverride | string | `""` |  |
 | namespaceOverride | string | `""` |  |
 | nodeDriverRegistrar.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |

charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml

@@ -93,8 +93,7 @@ spec:
             httpGet:
               path: /healthz
               port: healthz
-            initialDelaySeconds: 5
-            timeoutSeconds: 5
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
           resources:
             {{- toYaml .Values.nodeDriverRegistrar.resources | nindent 12 }}
       volumes:

charts/spire/charts/spiffe-csi-driver/values.yaml

@@ -27,6 +27,12 @@ resources: {}
 healthChecks:
   port: 9809
 
+livenessProbe:
+  # -- Initial delay seconds for livenessProbe
+  initialDelaySeconds: 5
+  # -- Timeout value in seconds for livenessProbe
+  timeoutSeconds: 5
+
 imagePullSecrets: []
 nameOverride: ""
 namespaceOverride: ""

charts/spire/charts/spiffe-oidc-discovery-provider/README.md

@@ -51,11 +51,15 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | insecureScheme.nginx.image.tag | string | `"1.24.0-alpine"` | Overrides the image tag |
 | insecureScheme.nginx.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | insecureScheme.nginx.resources | object | `{}` |  |
+| livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe |
+| livenessProbe.periodSeconds | int | `5` | Period seconds for livenessProbe |
 | nameOverride | string | `""` |  |
 | namespaceOverride | string | `""` |  |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
+| readinessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for readinessProbe |
+| readinessProbe.periodSeconds | int | `5` | Period seconds for readinessProbe |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
 | securityContext | object | `{}` |  |

charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml

@@ -61,14 +61,12 @@ spec:
             httpGet:
               path: /ready
               port: healthz
-            initialDelaySeconds: 5
-            periodSeconds: 5
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
           livenessProbe:
             httpGet:
               path: /live
               port: healthz
-            initialDelaySeconds: 5
-            periodSeconds: 5
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
         {{- if .Values.insecureScheme.enabled }}

charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml

@@ -54,6 +54,18 @@ securityContext: {}
   # runAsNonRoot: true
   # runAsUser: 1000
 
+readinessProbe:
+  # -- Initial delay seconds for readinessProbe
+  initialDelaySeconds: 5
+  # -- Period seconds for readinessProbe
+  periodSeconds: 5
+
+livenessProbe:
+  # -- Initial delay seconds for livenessProbe
+  initialDelaySeconds: 5
+  # -- Period seconds for livenessProbe
+  periodSeconds: 5
+
 podAnnotations: {}
 
 insecureScheme:

charts/spire/charts/spire-agent/README.md

@@ -29,13 +29,17 @@ A Helm chart to install the SPIRE agent.
 | image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | imagePullSecrets | list | `[]` |  |
 | initContainers | list | `[]` |  |
+| livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe |
+| livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe |
 | logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" |
 | nameOverride | string | `""` |  |
 | namespaceOverride | string | `""` |  |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
 | priorityClassName | string | `""` | Priority class assigned to daemonset pods |
+| readinessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for readinessProbe |
+| readinessProbe.periodSeconds | int | `60` | Period seconds for readinessProbe |
 | resources | object | `{}` |  |
 | securityContext | object | `{}` |  |
 | server.address | string | `""` |  |

charts/spire/charts/spire-agent/templates/daemonset.yaml

@@ -79,14 +79,12 @@ spec:
             httpGet:
               path: /live
               port: healthz
-            initialDelaySeconds: 15
-            periodSeconds: 60
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
           readinessProbe:
             httpGet:
               path: /ready
               port: healthz
-            initialDelaySeconds: 15
-            periodSeconds: 60
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
         {{- if gt (len .Values.extraContainers) 0 }}

charts/spire/charts/spire-agent/values.yaml

@@ -80,6 +80,18 @@ healthChecks:
   # -- override the host port used for health checking
   port: 9980
 
+livenessProbe:
+  # -- Initial delay seconds for livenessProbe
+  initialDelaySeconds: 15
+  # -- Period seconds for livenessProbe
+  periodSeconds: 60
+
+readinessProbe:
+  # -- Initial delay seconds for readinessProbe
+  initialDelaySeconds: 15
+  # -- Period seconds for readinessProbe
+  periodSeconds: 60
+
 waitForIt:
   image:
     # -- The OCI registry to pull the image from

charts/spire/charts/spire-server/README.md

@@ -96,6 +96,10 @@ A Helm chart to install the SPIRE server.
 | ingress.tls | list | `[]` |  |
 | initContainers | list | `[]` |  |
 | jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain |
+| livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe |
+| livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe |
+| livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe |
+| livenessProbe.timeoutSeconds | int | `3` | Timeout in seconds for livenessProbe |
 | logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" |
 | nameOverride | string | `""` |  |
 | namespaceOverride | string | `""` |  |
@@ -108,6 +112,8 @@ A Helm chart to install the SPIRE server.
 | persistence.storageClass | string | `nil` |  |
 | podAnnotations | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
+| readinessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for readinessProbe |
+| readinessProbe.periodSeconds | int | `5` | Period seconds for readinessProbe |
 | replicaCount | int | `1` | SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. |
 | resources | object | `{}` |  |
 | securityContext | object | `{}` |  |
@@ -134,6 +140,11 @@ A Helm chart to install the SPIRE server.
 | tornjak.service.annotations | object | `{}` |  |
 | tornjak.service.port | int | `10000` |  |
 | tornjak.service.type | string | `"ClusterIP"` |  |
+| tornjak.startupProbe.failureThreshold | int | `3` |  |
+| tornjak.startupProbe.initialDelaySeconds | int | `5` | Initial delay seconds for |
+| tornjak.startupProbe.periodSeconds | int | `10` |  |
+| tornjak.startupProbe.successThreshold | int | `1` |  |
+| tornjak.startupProbe.timeoutSeconds | int | `5` |  |
 | trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers |
 | upstreamAuthority.certManager.enabled | bool | `false` |  |
 | upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` |  |

charts/spire/charts/spire-server/templates/statefulset.yaml

@@ -87,16 +87,12 @@ spec:
             httpGet:
               path: /live
               port: healthz
-            failureThreshold: 2
-            initialDelaySeconds: 15
-            periodSeconds: 60
-            timeoutSeconds: 3
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
           readinessProbe:
             httpGet:
               path: /ready
               port: healthz
-            initialDelaySeconds: 5
-            periodSeconds: 5
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           volumeMounts:
@@ -168,11 +164,7 @@ spec:
             httpGet:
               scheme: HTTP
               port: 10000
-            failureThreshold: 3
-            initialDelaySeconds: 5
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 5
+            {{- toYaml .Values.tornjak.startupProbe | nindent 12 }}
           args:
             - --spire-config
             - /run/spire/config/server.conf