From 1247b68f4d77791517ad7c7e898361dc670d057b Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Thu, 25 May 2023 08:53:44 -0400 Subject: [PATCH 1/7] Parametrize probes (#310) This PR addresses #307 by parametrizing Probes and moving them to values.yaml --------- Signed-off-by: Mariusz Sabath --- charts/spire/README.md | 25 +++++++++++++++++-- .../spire/charts/spiffe-csi-driver/README.md | 2 ++ .../templates/daemonset.yaml | 3 +-- .../charts/spiffe-csi-driver/values.yaml | 6 +++++ .../spiffe-oidc-discovery-provider/README.md | 4 +++ .../templates/deployment.yaml | 6 ++--- .../values.yaml | 12 +++++++++ charts/spire/charts/spire-agent/README.md | 4 +++ .../spire-agent/templates/daemonset.yaml | 6 ++--- charts/spire/charts/spire-agent/values.yaml | 12 +++++++++ charts/spire/charts/spire-server/README.md | 11 ++++++++ .../spire-server/templates/statefulset.yaml | 14 +++-------- charts/spire/charts/spire-server/values.yaml | 25 +++++++++++++++++++ .../spire/charts/tornjak-frontend/README.md | 4 +-- .../spire/charts/tornjak-frontend/values.yaml | 4 +-- 15 files changed, 111 insertions(+), 27 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 079d710db..726fb490f 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -131,6 +131,8 @@ Now you can interact with the Spire agent socket from your own application. The | spiffe-csi-driver.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spiffe-csi-driver.imagePullSecrets | list | `[]` | | | spiffe-csi-driver.kubeletPath | string | `"/var/lib/kubelet"` | | +| spiffe-csi-driver.livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe | +| spiffe-csi-driver.livenessProbe.timeoutSeconds | int | `5` | Timeout value in seconds for livenessProbe | | spiffe-csi-driver.nameOverride | string | `""` | | | spiffe-csi-driver.namespaceOverride | string | `""` | | | spiffe-csi-driver.nodeDriverRegistrar.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | 
@@ -187,11 +189,15 @@ Now you can interact with the Spire agent socket from your own application. The | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.tag | string | `"1.24.0-alpine"` | Overrides the image tag | | spiffe-oidc-discovery-provider.insecureScheme.nginx.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spiffe-oidc-discovery-provider.insecureScheme.nginx.resources | object | `{}` | | +| spiffe-oidc-discovery-provider.livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe | +| spiffe-oidc-discovery-provider.livenessProbe.periodSeconds | int | `5` | Period seconds for livenessProbe | | spiffe-oidc-discovery-provider.nameOverride | string | `""` | | | spiffe-oidc-discovery-provider.namespaceOverride | string | `""` | | | spiffe-oidc-discovery-provider.nodeSelector | object | `{}` | | | spiffe-oidc-discovery-provider.podAnnotations | object | `{}` | | | spiffe-oidc-discovery-provider.podSecurityContext | object | `{}` | | +| spiffe-oidc-discovery-provider.readinessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for readinessProbe | +| spiffe-oidc-discovery-provider.readinessProbe.periodSeconds | int | `5` | Period seconds for readinessProbe | | spiffe-oidc-discovery-provider.replicaCount | int | `1` | | | spiffe-oidc-discovery-provider.resources | object | `{}` | | | spiffe-oidc-discovery-provider.securityContext | object | `{}` | | 
@@ -229,6 +235,8 @@ Now you can interact with the Spire agent socket from your own application. The | spire-agent.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | spire-agent.imagePullSecrets | list | `[]` | | | spire-agent.initContainers | list | `[]` | | +| spire-agent.livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe | +| spire-agent.livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe | | spire-agent.logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" | | spire-agent.nameOverride | string | `""` | | | spire-agent.namespaceOverride | string | `""` | | @@ -236,6 +244,8 @@ Now you can interact with the Spire agent socket from your own application. The | spire-agent.podAnnotations | object | `{}` | | | spire-agent.podSecurityContext | object | `{}` | | | spire-agent.priorityClassName | string | `""` | Priority class assigned to daemonset pods | +| spire-agent.readinessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for readinessProbe | +| spire-agent.readinessProbe.periodSeconds | int | `60` | Period seconds for readinessProbe | | spire-agent.resources | object | `{}` | | | spire-agent.securityContext | object | `{}` | | | spire-agent.server.address | string | `""` | | 
@@ -340,6 +350,10 @@ Now you can interact with the Spire agent socket from your own application. The | spire-server.ingress.tls | list | `[]` | | | spire-server.initContainers | list | `[]` | | | spire-server.jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain | +| spire-server.livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe | +| spire-server.livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe | +| spire-server.livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe | +| spire-server.livenessProbe.timeoutSeconds | int | `3` | Timeout in seconds for livenessProbe | | spire-server.logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" | | spire-server.nameOverride | string | `""` | | | spire-server.namespaceOverride | string | `""` | | @@ -352,6 +366,8 @@ Now you can interact with the Spire agent socket from your own application. The | spire-server.persistence.storageClass | string | `nil` | | | spire-server.podAnnotations | object | `{}` | | | spire-server.podSecurityContext | object | `{}` | | +| spire-server.readinessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for readinessProbe | +| spire-server.readinessProbe.periodSeconds | int | `5` | Period seconds for readinessProbe | | spire-server.replicaCount | int | `1` | SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. | | spire-server.resources | object | `{}` | | | spire-server.securityContext | object | `{}` | | 
@@ -378,6 +394,11 @@ Now you can interact with the Spire agent socket from your own application. The | spire-server.tornjak.service.annotations | object | `{}` | | | spire-server.tornjak.service.port | int | `10000` | | | spire-server.tornjak.service.type | string | `"ClusterIP"` | | +| spire-server.tornjak.startupProbe.failureThreshold | int | `3` | | +| spire-server.tornjak.startupProbe.initialDelaySeconds | int | `5` | Initial delay seconds for | +| spire-server.tornjak.startupProbe.periodSeconds | int | `10` | | +| spire-server.tornjak.startupProbe.successThreshold | int | `1` | | +| spire-server.tornjak.startupProbe.timeoutSeconds | int | `5` | | | spire-server.trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers | | spire-server.upstreamAuthority.certManager.enabled | bool | `false` | | | spire-server.upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` | | 
@@ -416,10 +437,10 @@ Now you can interact with the Spire agent socket from your own application. The | tornjak-frontend.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | tornjak-frontend.spireHealthCheck.enabled | bool | `true` | Enables the SPIRE Healthchecker indicator | | tornjak-frontend.startupProbe.enabled | bool | `true` | Enable startupProbe on Tornjak frontend container | -| tornjak-frontend.startupProbe.failureThreshold | int | `6` | Failure threshold for startupProbe | +| tornjak-frontend.startupProbe.failureThreshold | int | `6` | Failure threshold count for startupProbe | | tornjak-frontend.startupProbe.initialDelaySeconds | int | `5` | Initial delay seconds for startupProbe | | tornjak-frontend.startupProbe.periodSeconds | int | `10` | Period seconds for startupProbe | -| tornjak-frontend.startupProbe.successThreshold | int | `1` | Success threshold for startupProbe | +| tornjak-frontend.startupProbe.successThreshold | int | `1` | Success threshold count for startupProbe | | tornjak-frontend.startupProbe.timeoutSeconds | int | `5` | Timeout seconds for startupProbe | | tornjak-frontend.tolerations | list | `[]` | | | tornjak-frontend.topologySpreadConstraints | list | `[]` | | diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md index 20e39c757..1d08183b2 100644 --- a/charts/spire/charts/spiffe-csi-driver/README.md +++ b/charts/spire/charts/spiffe-csi-driver/README.md 
@@ -23,6 +23,8 @@ A Helm chart to install the SPIFFE CSI driver. | image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | imagePullSecrets | list | `[]` | | | kubeletPath | string | `"/var/lib/kubelet"` | | +| livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe | +| livenessProbe.timeoutSeconds | int | `5` | Timeout value in seconds for livenessProbe | | nameOverride | string | `""` | | | namespaceOverride | string | `""` | | | nodeDriverRegistrar.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | diff --git a/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml b/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml index c926a0ebb..61204d89c 100644 --- a/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml +++ b/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml @@ -93,8 +93,7 @@ spec: httpGet: path: /healthz port: healthz - initialDelaySeconds: 5 - timeoutSeconds: 5 + {{- toYaml .Values.livenessProbe | nindent 12 }} resources: {{- toYaml .Values.nodeDriverRegistrar.resources | nindent 12 }} volumes: diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml index c39be0215..563f264b9 100644 --- a/charts/spire/charts/spiffe-csi-driver/values.yaml +++ b/charts/spire/charts/spiffe-csi-driver/values.yaml @@ -27,6 +27,12 @@ resources: {} healthChecks: port: 9809 +livenessProbe: + # -- Initial delay seconds for livenessProbe + initialDelaySeconds: 5 + # -- Timeout value in seconds for livenessProbe + timeoutSeconds: 5 + imagePullSecrets: [] nameOverride: "" namespaceOverride: "" diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 6f15a514d..2079babab 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
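Review bot: In the spiffe-csi-driver `templates/daemonset.yaml` hunk, `{{- toYaml .Values.livenessProbe | nindent 12 }}` renders whatever the values file holds, with no guard, directly after the hard-coded `httpGet` handler. If an override sets the key to `{}` or null, `toYaml` emits `{}` or `null` on its own line inside the probe mapping, which should not parse, and a map that carries its own handler (`exec`, `tcpSocket`, a second `httpGet`) would be rendered next to the fixed one. Wrapping the line as `{{- with .Values.livenessProbe }}{{- toYaml . | nindent 12 }}{{- end }}` covers the empty case, and a `# --` comment in values.yaml should say that only timing and threshold fields belong there. The same pattern appears in the spiffe-oidc-discovery-provider `deployment.yaml`, spire-agent `daemonset.yaml` and spire-server `statefulset.yaml` hunks of this patch. The container spec starts and ends outside the hunk, so the `nindent 12` depth cannot be checked from here.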
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md @@ -51,11 +51,15 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | insecureScheme.nginx.image.tag | string | `"1.24.0-alpine"` | Overrides the image tag | | insecureScheme.nginx.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | insecureScheme.nginx.resources | object | `{}` | | +| livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe | +| livenessProbe.periodSeconds | int | `5` | Period seconds for livenessProbe | | nameOverride | string | `""` | | | namespaceOverride | string | `""` | | | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | | | podSecurityContext | object | `{}` | | +| readinessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for readinessProbe | +| readinessProbe.periodSeconds | int | `5` | Period seconds for readinessProbe | | replicaCount | int | `1` | | | resources | object | `{}` | | | securityContext | object | `{}` | | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml index d1804669c..bf40dd955 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml @@ -61,14 +61,12 @@ spec: httpGet: path: /ready port: healthz - initialDelaySeconds: 5 - periodSeconds: 5 + {{- toYaml .Values.readinessProbe | nindent 12 }} livenessProbe: httpGet: path: /live port: healthz - initialDelaySeconds: 5 - periodSeconds: 5 + {{- toYaml .Values.livenessProbe | nindent 12 }} resources: {{- toYaml .Values.resources | nindent 12 }} {{- if .Values.insecureScheme.enabled }} 
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index b1e27b844..42d959f0f 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -54,6 +54,18 @@ securityContext: {} # runAsNonRoot: true # runAsUser: 1000 +readinessProbe: + # -- Initial delay seconds for readinessProbe + initialDelaySeconds: 5 + # -- Period seconds for readinessProbe + periodSeconds: 5 + +livenessProbe: + # -- Initial delay seconds for livenessProbe + initialDelaySeconds: 5 + # -- Period seconds for livenessProbe + periodSeconds: 5 + podAnnotations: {} insecureScheme: diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index ec6a0acd3..25be0e9e7 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -29,6 +29,8 @@ A Helm chart to install the SPIRE agent. | image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | | imagePullSecrets | list | `[]` | | | initContainers | list | `[]` | | +| livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe | +| livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe | | logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" | | nameOverride | string | `""` | | | namespaceOverride | string | `""` | | 
@@ -36,6 +38,8 @@ A Helm chart to install the SPIRE agent. | podAnnotations | object | `{}` | | | podSecurityContext | object | `{}` | | | priorityClassName | string | `""` | Priority class assigned to daemonset pods | +| readinessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for readinessProbe | +| readinessProbe.periodSeconds | int | `60` | Period seconds for readinessProbe | | resources | object | `{}` | | | securityContext | object | `{}` | | | server.address | string | `""` | | diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index eafbad157..00af61361 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml @@ -79,14 +79,12 @@ spec: httpGet: path: /live port: healthz - initialDelaySeconds: 15 - periodSeconds: 60 + {{- toYaml .Values.livenessProbe | nindent 12 }} readinessProbe: httpGet: path: /ready port: healthz - initialDelaySeconds: 15 - periodSeconds: 60 + {{- toYaml .Values.readinessProbe | nindent 12 }} resources: {{- toYaml .Values.resources | nindent 12 }} {{- if gt (len .Values.extraContainers) 0 }} diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index afd44533c..c237dc4a2 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -80,6 +80,18 @@ healthChecks: # -- override the host port used for health checking port: 9980 +livenessProbe: + # -- Initial delay seconds for livenessProbe + initialDelaySeconds: 15 + # -- Period seconds for livenessProbe + periodSeconds: 60 + +readinessProbe: + # -- Initial delay seconds for readinessProbe + initialDelaySeconds: 15 + # -- Period seconds for readinessProbe + periodSeconds: 60 + waitForIt: image: # -- The OCI registry to pull the image from 
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index ef7fa06e0..9fba830fb 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -96,6 +96,10 @@ A Helm chart to install the SPIRE server. | ingress.tls | list | `[]` | | | initContainers | list | `[]` | | | jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain | +| livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe | +| livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe | +| livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe | +| livenessProbe.timeoutSeconds | int | `3` | Timeout in seconds for livenessProbe | | logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" | | nameOverride | string | `""` | | | namespaceOverride | string | `""` | | @@ -108,6 +112,8 @@ A Helm chart to install the SPIRE server. | persistence.storageClass | string | `nil` | | | podAnnotations | object | `{}` | | | podSecurityContext | object | `{}` | | +| readinessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for readinessProbe | +| readinessProbe.periodSeconds | int | `5` | Period seconds for readinessProbe | | replicaCount | int | `1` | SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. | | resources | object | `{}` | | | securityContext | object | `{}` | | 
@@ -134,6 +140,11 @@ A Helm chart to install the SPIRE server. | tornjak.service.annotations | object | `{}` | | | tornjak.service.port | int | `10000` | | | tornjak.service.type | string | `"ClusterIP"` | | +| tornjak.startupProbe.failureThreshold | int | `3` | | +| tornjak.startupProbe.initialDelaySeconds | int | `5` | Initial delay seconds for | +| tornjak.startupProbe.periodSeconds | int | `10` | | +| tornjak.startupProbe.successThreshold | int | `1` | | +| tornjak.startupProbe.timeoutSeconds | int | `5` | | | trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers | | upstreamAuthority.certManager.enabled | bool | `false` | | | upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` | | diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml index e76def00a..bb3cc7899 100644 --- a/charts/spire/charts/spire-server/templates/statefulset.yaml +++ b/charts/spire/charts/spire-server/templates/statefulset.yaml @@ -87,16 +87,12 @@ spec: httpGet: path: /live port: healthz - failureThreshold: 2 - initialDelaySeconds: 15 - periodSeconds: 60 - timeoutSeconds: 3 + {{- toYaml .Values.livenessProbe | nindent 12 }} readinessProbe: httpGet: path: /ready port: healthz - initialDelaySeconds: 5 - periodSeconds: 5 + {{- toYaml .Values.readinessProbe | nindent 12 }} resources: {{- toYaml .Values.resources | nindent 12 }} volumeMounts: @@ -168,11 +164,7 @@ spec: httpGet: scheme: HTTP port: 10000 - failureThreshold: 3 - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 + {{- toYaml .Values.tornjak.startupProbe | nindent 12 }} args: - --spire-config - /run/spire/config/server.conf diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 48e95ef16..ebe31a598 100644 --- a/charts/spire/charts/spire-server/values.yaml 
+++ b/charts/spire/charts/spire-server/values.yaml @@ -81,6 +81,22 @@ affinity: {} topologySpreadConstraints: [] +livenessProbe: + # -- Failure threshold count for livenessProbe + failureThreshold: 2 + # -- Initial delay seconds for livenessProbe + initialDelaySeconds: 15 + # -- Period seconds for livenessProbe + periodSeconds: 60 + # -- Timeout in seconds for livenessProbe + timeoutSeconds: 3 + +readinessProbe: + # -- Initial delay seconds for readinessProbe + initialDelaySeconds: 5 + # -- Period seconds for readinessProbe + periodSeconds: 5 + persistence: size: 1Gi accessMode: ReadWriteOnce @@ -326,6 +342,15 @@ tornjak: type: ClusterIP port: 10000 annotations: {} + + startupProbe: + failureThreshold: 3 + # -- Initial delay seconds for + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + config: # -- persistent DB for storing Tornjak specific information dataStore: diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 2bbeeae1e..bb2af0ab6 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md 
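Review bot: The `tornjak.startupProbe` block added in the second spire-server `values.yaml` hunk has one truncated doc comment, `# -- Initial delay seconds for`, and no `# --` comment on its other four keys. That is why the `tornjak.startupProbe.*` rows in the README hunks of this patch are empty or cut off. I would complete it as `# -- Initial delay seconds for Tornjak startupProbe` and add one-line comments for `failureThreshold`, `periodSeconds`, `successThreshold` and `timeoutSeconds`, in the wording the `livenessProbe` block in the first hunk of this file uses.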
@@ -72,10 +72,10 @@ port forwarding. See the chart NOTES output for more details. | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | spireHealthCheck.enabled | bool | `true` | Enables the SPIRE Healthchecker indicator | | startupProbe.enabled | bool | `true` | Enable startupProbe on Tornjak frontend container | -| startupProbe.failureThreshold | int | `6` | Failure threshold for startupProbe | +| startupProbe.failureThreshold | int | `6` | Failure threshold count for startupProbe | | startupProbe.initialDelaySeconds | int | `5` | Initial delay seconds for startupProbe | | startupProbe.periodSeconds | int | `10` | Period seconds for startupProbe | -| startupProbe.successThreshold | int | `1` | Success threshold for startupProbe | +| startupProbe.successThreshold | int | `1` | Success threshold count for startupProbe | | startupProbe.timeoutSeconds | int | `5` | Timeout seconds for startupProbe | | tolerations | list | `[]` | | | topologySpreadConstraints | list | `[]` | | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 60eddbd6f..ac574899b 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -84,7 +84,7 @@ startupProbe: periodSeconds: 10 # -- Timeout seconds for startupProbe timeoutSeconds: 5 - # -- Failure threshold for startupProbe + # -- Failure threshold count for startupProbe failureThreshold: 6 - # -- Success threshold for startupProbe + # -- Success threshold count for startupProbe successThreshold: 1 From 3cb55dfb4eb88b6e3048f3355fe204e3ebadfe70 Mon Sep 17 00:00:00 2001 From: Faisal Memon Date: Thu, 25 May 2023 14:15:46 -0700 Subject: [PATCH 2/7] Allow for having no registry specified (#312) --- charts/spire/templates/_spire-lib.tpl | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl index eac22981e..7fca6ef07 100644 --- a/charts/spire/templates/_spire-lib.tpl +++ b/charts/spire/templates/_spire-lib.tpl @@ -32,9 +32,9 @@ {{- define "spire-lib.registry" }} {{- if ne (len (dig "spire" "image" "registry" "" .global)) 0 }} -{{- .global.spire.image.registry }} -{{- else }} -{{- .image.registry }} +{{- print .global.spire.image.registry "/"}} +{{- else if ne (len (.image.registry)) 0 }} +{{- print .image.registry "/"}} {{- end }} {{- end }} @@ -45,11 +45,11 @@ {{- if eq (substr 0 7 $tag) "sha256:" }} {{- printf "%s/%s@%s" $registry $repo $tag }} {{- else if .appVersion }} -{{- printf "%s/%s:%s" $registry $repo (default .appVersion $tag) }} +{{- printf "%s%s:%s" $registry $repo (default .appVersion $tag) }} {{- else if $tag }} -{{- printf "%s/%s:%s" $registry $repo $tag }} +{{- printf "%s%s:%s" $registry $repo $tag }} {{- else }} -{{- printf "%s/%s" $registry $repo }} +{{- printf "%s%s" $registry $repo }} {{- end }} {{- end }} From 05629460ef2432a3a0c811e834d827d05471ca2f Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Fri, 26 May 2023 17:13:45 +0200 Subject: [PATCH 3/7] Removed pull_request edited event from ci workflow (#318) Edited event is only useful if you want a workflow to act on a PR description or title or labels and such, we are not doing that in this workflow. Removing the edited type from the event doesn't unnecessarily run the workflow again when title, description and such are changed. Signed-off-by: Marco Franssen --- .github/workflows/helm-chart-ci.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index a41d2e747..7c61c837c 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml 
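Review bot: The digest branch in the second hunk, `{{- printf "%s/%s@%s" $registry $repo $tag }}`, keeps its `/` although `spire-lib.registry` now returns the registry with a trailing `/`, or nothing at all. Assuming `$registry` is filled from that helper (its assignment is above the hunk), a `sha256:` tag would render as `registry//repo@sha256:…`, or as `/repo@sha256:…` when no registry is set, so digest-pinned image references probably stop resolving. The line should read `{{- printf "%s%s@%s" $registry $repo $tag }}`, like the three tag branches. Separately, an empty registry yields an unqualified image name that the container runtime resolves through its default or search registries, which deserves a `# --` note on the `registry` values so operators know which source they end up pulling from.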
@@ -3,7 +3,7 @@ name: Helm Chart CI on: workflow_dispatch: pull_request: - types: [synchronize, opened, reopened, edited] + types: [synchronize, opened, reopened] paths: - 'charts/**' - '.github/workflows/helm-chart-ci.yaml' @@ -61,7 +61,7 @@ jobs: if [ $res -eq 0 ]; then { echo "## Hardcoded images" - echo + echo echo ":x: These templates were found to be using statically defined images and not overridable ones. Please fix." echo cat /tmp/findings From ed172e41ae1f1259597f608b7c1e0f8f3ab69c0a Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Sat, 27 May 2023 06:41:53 +0200 Subject: [PATCH 4/7] Bump k8s versions to latest patches (#317) @faisal-memon we will need to update the required checks in branch protection to use the new version --------- Signed-off-by: Marco Franssen Signed-off-by: Faisal Memon Co-authored-by: Faisal Memon --- .github/workflows/helm-chart-ci-ignore.yaml | 6 +++--- .github/workflows/helm-chart-ci.yaml | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/helm-chart-ci-ignore.yaml b/.github/workflows/helm-chart-ci-ignore.yaml index b5e1ef7a5..8a63936bb 100644 --- a/.github/workflows/helm-chart-ci-ignore.yaml +++ b/.github/workflows/helm-chart-ci-ignore.yaml @@ -50,9 +50,9 @@ jobs: strategy: matrix: k8s: - - v1.27.0 - - v1.26.3 - - v1.25.8 + - v1.27.2 + - v1.26.4 + - v1.25.9 values: - ${{ fromJson(needs.build-matrix.outputs.tests) }} diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index 7c61c837c..4682bcde9 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml @@ -136,10 +136,10 @@ jobs: # Kubernetes, but can go back farther as long as we don't need heroics # to pull it off (i.e. kubectl version juggling). k8s: - - v1.27.0 - - v1.26.3 - - v1.25.8 - - v1.24.12 + - v1.27.2 + - v1.26.4 + - v1.25.9 + - v1.24.13 - v1.23.17 - v1.22.17 values: From d83d6a8efee327a2fecf65cf2678e0562a90507a Mon Sep 17 00:00:00 2001 
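Review bot: Dropping `edited` from `types:` in the first hunk also stops this workflow from running when a pull request's base branch is changed, because GitHub reports a base-branch change as an `edited` activity. If the chart CI jobs are required checks, it is worth confirming that a retargeted PR still gets a run against its new base before merge. At minimum I would record the trade-off next to the trigger, e.g. `# 'edited' omitted: title/body edits need no CI; re-run manually after changing the base branch`.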
From: Mariusz Sabath Date: Sat, 27 May 2023 00:50:41 -0400 Subject: [PATCH 5/7] Emergency patch for Tornjak Frontend (#319) Tornjak Frontend serves incorrect dashboard due to restricted namespace. Fixing the cache file location leads to this error: ```Error: EACCES: permission denied, open './build/env.js'``` Solution, to redirect the env.js output to writeable space e.g. /tmp Signed-off-by: Mariusz Sabath Co-authored-by: Faisal Memon --- .../charts/tornjak-frontend/templates/deployment.yaml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index 180f90be5..e4449b2c7 100644 --- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml @@ -28,6 +28,13 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} + command: + - /bin/sh + - -c + - | + ln -s /tmp/env.js build/env.js + npx react-inject-env set -n /tmp/env.js + serve -s build -p $PORT_FE ports: - name: http containerPort: 3000 @@ -52,7 +59,7 @@ spec: {{- end }} volumeMounts: - name: cache - mountPath: /usr/src/app/ + mountPath: /usr/src/app/node_modules/.cache {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} From dddefd88c07495382132d3270d9b39efa84f11f4 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Tue, 30 May 2023 08:48:04 +0200 Subject: [PATCH 6/7] Bump spire Helm Chart version from 0.8.0 to 0.8.1 * d83d6a8e Emergency patch for Tornjak Frontend (#319) * ed172e41 Bump k8s versions to latest patches (#317) * 05629460 Removed pull_request edited event from ci workflow (#318) * 3cb55dfb Allow for having no registry specified (#312) * 1247b68f Parametrize probes (#310) 
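Review bot: The inline script added under `command:` has no `set -e`, so a failing `ln -s /tmp/env.js build/env.js` (for example when `build/env.js` already exists, or `build/` is not writable, as the EACCES in the commit message suggests) or a failing `npx react-inject-env` is ignored and `serve` starts anyway with whatever `env.js` the image shipped. I would open the script with `set -e`, use `ln -sf /tmp/env.js build/env.js`, and finish with `exec serve -s build -p "$PORT_FE"` so the server receives termination signals directly and the port variable is quoted. `npx` may try to download the package at start-up if it is not already in the image, which is not visible from here, so it is worth confirming the image contains `react-inject-env`. The script also relies on `/tmp` being writable, so a read-only root filesystem set through `securityContext` would need an emptyDir mounted there.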
Signed-off-by: Marco Franssen --- charts/spire/Chart.yaml | 2 +- charts/spire/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index ff67d9d38..bc7b13dfa 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -3,7 +3,7 @@ name: spire description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.8.0 +version: 0.8.1 appVersion: "1.6.4" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire diff --git a/charts/spire/README.md b/charts/spire/README.md index 726fb490f..0c9bb1345 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -2,7 +2,7 @@ -![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) +![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. From 71d110e730f914ca94e61d05503c5b5ef2a33564 Mon Sep 17 00:00:00 2001 
From: Marco Franssen Date: Tue, 30 May 2023 18:12:22 +0200 Subject: [PATCH 7/7] Bump python + helm in CI workflow (#325) Signed-off-by: Marco Franssen Signed-off-by: Marco Franssen --- .github/workflows/helm-chart-ci.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index 4682bcde9..6099ba45b 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml @@ -19,8 +19,8 @@ concurrency: cancel-in-progress: true env: - HELM_VERSION: v3.11.1 - PYTHON_VERSION: 3.11.2 + HELM_VERSION: v3.12.0 + PYTHON_VERSION: 3.11.3 CHART_TESTING_VERSION: v3.8.0 jobs: