From c1783f639ca546837b31bbfbbbe31555b7de5c3e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 Feb 2024 03:41:21 +0000 Subject: [PATCH 1/9] Bump peter-evans/create-pull-request from 5.0.2 to 6.0.0 Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 5.0.2 to 6.0.0. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/v5.0.2...v6.0.0) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/check-versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check-versions.yaml b/.github/workflows/check-versions.yaml index 26f6f3915..433f1ce24 100644 --- a/.github/workflows/check-versions.yaml +++ b/.github/workflows/check-versions.yaml @@ -61,7 +61,7 @@ jobs: - name: Create Pull Request id: cpr - uses: peter-evans/create-pull-request@v5.0.2 + uses: peter-evans/create-pull-request@v6.0.0 with: token: ${{ secrets.GITHUB_TOKEN }} title: Bump test chart dependencies From 35215aee33f5c4b905c430a84e500208b49e1083 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Thu, 1 Feb 2024 09:28:20 -0800 Subject: [PATCH 2/9] Add missing upgrade test bypass (#231) * Add missing upgrade test bypass Signed-off-by: Kevin Fox * Too many iterations. Update comment. Signed-off-by: Kevin Fox --------- Signed-off-by: Kevin Fox --- .github/workflows/helm-chart-ci-ignore.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.github/workflows/helm-chart-ci-ignore.yaml b/.github/workflows/helm-chart-ci-ignore.yaml index b2aad512b..2a098e3dd 100644 --- a/.github/workflows/helm-chart-ci-ignore.yaml +++ b/.github/workflows/helm-chart-ci-ignore.yaml 
@@ -73,3 +73,19 @@ jobs: steps: - run: 'echo "Skipping example-test"' + + upgrade-test: + runs-on: ubuntu-22.04 + + needs: + - build-matrix + + strategy: + matrix: + k8s: + - v1.28.0 + - v1.27.3 + - v1.26.6 + + steps: + - run: 'echo "Skipping upgrade-test"' From 40b5cc360151b367cbd1bd607bee66988b718d5e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 Feb 2024 09:46:58 -0800 Subject: [PATCH 3/9] Bump sigstore/cosign-installer from 3.3.0 to 3.4.0 (#228) * Bump sigstore/cosign-installer from 3.3.0 to 3.4.0 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.3.0 to 3.4.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/v3.3.0...v3.4.0) Signed-off-by: dependabot[bot] Signed-off-by: kfox1111 Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: kfox1111 Co-authored-by: Marco Franssen --- .github/workflows/helm-release.yaml | 4 ++-- .github/workflows/update-devcontainer-image.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index a5b24c3b7..b56c6bcb1 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -29,9 +29,9 @@ jobs: git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Setup cosign - uses: sigstore/cosign-installer@v3.3.0 + uses: sigstore/cosign-installer@v3.4.0 with: - cosign-release: v2.2.2 + cosign-release: v2.2.3 - name: Set up Helm uses: azure/setup-helm@v3.5 diff --git a/.github/workflows/update-devcontainer-image.yaml b/.github/workflows/update-devcontainer-image.yaml index 6bd3368f0..596f41dc8 100644 --- a/.github/workflows/update-devcontainer-image.yaml +++ b/.github/workflows/update-devcontainer-image.yaml 
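Review bot: The k8s matrix added to this skip job (v1.28.0, v1.27.3, v1.26.6) is a hand-maintained copy of whatever the real upgrade-test job uses, and that job is not visible in this hunk; if the two lists drift, the check names branch protection expects (`upgrade-test (v1.28.0)` and so on) stop lining up and a doc-only PR either blocks or satisfies a required check that never ran. A comment above the matrix naming the workflow it must mirror, e.g. `# Must match the upgrade-test matrix in the real CI workflow, otherwise required check names diverge`, would make the coupling explicit. Reading the version list from one shared file in both workflows would remove the duplication entirely, but that is beyond this change.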
@@ -25,9 +25,9 @@ jobs: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install cosign - uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 with: - cosign-release: v2.2.2 + cosign-release: v2.2.3 - name: Install regctl uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main - name: Log in to GHCR From 0e1259546b41dc3fcd8ad1b30fd75bfe5de38f7d Mon Sep 17 00:00:00 2001 From: cccsss01 <56396984+cccsss01@users.noreply.github.com> Date: Fri, 2 Feb 2024 17:23:44 -0600 Subject: [PATCH 4/9] Update README.md delete pvc for cleanup (#233) * Update README.md delete pvc for cleanup adding command to delete the pvc Signed-off-by: cccsss01 <56396984+cccsss01@users.noreply.github.com> * Update charts/spire/README.md Co-authored-by: kfox1111 Signed-off-by: cccsss01 <56396984+cccsss01@users.noreply.github.com> --------- Signed-off-by: cccsss01 <56396984+cccsss01@users.noreply.github.com> Co-authored-by: kfox1111 --- charts/spire/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/spire/README.md b/charts/spire/README.md index 897877172..990951223 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -69,6 +69,7 @@ helm upgrade --install -n spire-mgmt spire spire --repo https://spiffe.github.io ```shell helm -n spire-mgmt uninstall spire-crds helm -n spire-mgmt uninstall spire +kubectl -n spire-server delete pvc -l app.kubernetes.io/instance=spire kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeids.spire.spiffe.io clusterstaticentries.spire.spiffe.io ``` From 350ec89ff2e53bf8634d82b70ffcf544130b694b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 5 Feb 2024 06:07:03 -0800 Subject: [PATCH 5/9] Bump test chart dependencies (#235) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com> --- .github/tests/charts.json | 8 ++++---- .../spire/charts/spiffe-oidc-discovery-provider/README.md | 4 ++-- .../charts/spiffe-oidc-discovery-provider/values.yaml | 4 ++-- charts/spire/charts/spire-agent/README.md | 4 ++-- charts/spire/charts/spire-agent/values.yaml | 4 ++-- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 2 +- charts/spire/charts/tornjak-frontend/README.md | 2 +- charts/spire/charts/tornjak-frontend/values.yaml | 2 +- 9 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 707c677e4..36ca24d49 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,12 +2,12 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "56.2.1" + "version": "56.6.2" }, { "name": "cert-manager", "repo": "https://charts.jetstack.io", - "version": "v1.13.3" + "version": "v1.14.1" }, { "name": "ingress-nginx", @@ -17,11 +17,11 @@ { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "9.18.0" + "version": "9.19.1" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "13.4.3" + "version": "14.0.1" } ] diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 942d1ef37..a78314cec 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -115,11 +115,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f37793c4af2a98f6cc313ac8af635d713e92d19344b11d499f92d8c644dd3b9f` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:1b4e8389d2582d0b013fad55d7ad799a67bbdcbfbae0a053258ae24c8b03a19f` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:41c7d1fcb755339b883b0cf2998c52e77ba2e4fab9347665a54c6ef3e4d97838` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:9198d9e7e83ab4078df6f53dfa3e8e1e8f60d5718cc21fefa2ccb6604283e049` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index bb396014c..6df782965 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
@@ -328,7 +328,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:f37793c4af2a98f6cc313ac8af635d713e92d19344b11d499f92d8c644dd3b9f + tag: latest@sha256:1b4e8389d2582d0b013fad55d7ad799a67bbdcbfbae0a053258ae24c8b03a19f toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -340,7 +340,7 @@ tests: registry: cgr.dev repository: chainguard/slim-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:41c7d1fcb755339b883b0cf2998c52e77ba2e4fab9347665a54c6ef3e4d97838 + tag: latest@sha256:9198d9e7e83ab4078df6f53dfa3e8e1e8f60d5718cc21fefa2ccb6604283e049 step: ## @param tests.step.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index b7ccf43e2..2db9ee204 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -63,12 +63,12 @@ A Helm chart to install the SPIRE agent. | `waitForIt.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` | | `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:e5f04633c3885d2a3a6fce512da4e03fcb064411f62642e7d2793bfafed10d59` | +| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:64ba1b49313924643dec6a03e15a1c6cfc24046cff96b0b3c0003cabbad2f60d` | | `waitForIt.resources` | Resource requests and limits | `{}` | | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f37793c4af2a98f6cc313ac8af635d713e92d19344b11d499f92d8c644dd3b9f` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:1b4e8389d2582d0b013fad55d7ad799a67bbdcbfbae0a053258ae24c8b03a19f` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` | | `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s Node Attestor | `true` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 8bcb698b6..5c907ef4d 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml 
@@ -132,7 +132,7 @@ waitForIt: registry: cgr.dev repository: chainguard/wait-for-it pullPolicy: IfNotPresent - tag: latest@sha256:e5f04633c3885d2a3a6fce512da4e03fcb064411f62642e7d2793bfafed10d59 + tag: latest@sha256:64ba1b49313924643dec6a03e15a1c6cfc24046cff96b0b3c0003cabbad2f60d ## @param waitForIt.resources [object] Resource requests and limits resources: {} @@ -149,7 +149,7 @@ fsGroupFix: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:f37793c4af2a98f6cc313ac8af635d713e92d19344b11d499f92d8c644dd3b9f + tag: latest@sha256:1b4e8389d2582d0b013fad55d7ad799a67bbdcbfbae0a053258ae24c8b03a19f ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index f714dd01f..7cafb563a 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -340,4 +340,4 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f37793c4af2a98f6cc313ac8af635d713e92d19344b11d499f92d8c644dd3b9f` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:1b4e8389d2582d0b013fad55d7ad799a67bbdcbfbae0a053258ae24c8b03a19f` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index df858d5b4..d254eab0f 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml 
@@ -843,4 +843,4 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:f37793c4af2a98f6cc313ac8af635d713e92d19344b11d499f92d8c644dd3b9f + tag: latest@sha256:1b4e8389d2582d0b013fad55d7ad799a67bbdcbfbae0a053258ae24c8b03a19f diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index c45621878..b59cda827 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -98,4 +98,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f37793c4af2a98f6cc313ac8af635d713e92d19344b11d499f92d8c644dd3b9f` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:1b4e8389d2582d0b013fad55d7ad799a67bbdcbfbae0a053258ae24c8b03a19f` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 642ac2736..d4100fc85 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -154,4 +154,4 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:f37793c4af2a98f6cc313ac8af635d713e92d19344b11d499f92d8c644dd3b9f + tag: latest@sha256:1b4e8389d2582d0b013fad55d7ad799a67bbdcbfbae0a053258ae24c8b03a19f From fce95cb44379ffd1460ddc4a9c9589da05557c05 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Mon, 5 Feb 2024 11:17:19 -0800 Subject: [PATCH 6/9] Add example of mysql using spire (#164) * Add example of mysql using spire 
Signed-off-by: Kevin Fox * Finish up the implementation Signed-off-by: Kevin Fox * Update the image Signed-off-by: Kevin Fox * Apply suggestions from code review Signed-off-by: kfox1111 * Update. Restested. Signed-off-by: Kevin Fox --------- Signed-off-by: Kevin Fox Signed-off-by: kfox1111 --- examples/mysql-using-spire/README.md | 21 +++ examples/mysql-using-spire/mysql-values.yaml | 122 ++++++++++++++++++ .../mysqlclient-configmap.yaml | 15 +++ .../mysqlclient-statefulset.yaml | 78 +++++++++++ examples/mysql-using-spire/spire-values.yaml | 26 ++++ 5 files changed, 262 insertions(+) create mode 100644 examples/mysql-using-spire/README.md create mode 100644 examples/mysql-using-spire/mysql-values.yaml create mode 100644 examples/mysql-using-spire/mysqlclient-configmap.yaml create mode 100644 examples/mysql-using-spire/mysqlclient-statefulset.yaml create mode 100644 examples/mysql-using-spire/spire-values.yaml diff --git a/examples/mysql-using-spire/README.md b/examples/mysql-using-spire/README.md new file mode 100644 index 000000000..bfa51257e --- /dev/null +++ b/examples/mysql-using-spire/README.md 
@@ -0,0 +1,21 @@
+```
+helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace --version 0.3.0
+helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ --version 0.17.1 -f spire-values.yaml
+
+kubectl apply -f mysqlclient-configmap.yaml
+kubectl apply -f mysqlclient-statefulset.yaml
+
+kubectl wait pod mysqlclient-0 --for=condition=ready --timeout=60s
+
+# Run, and get the x500UniqueIdentifier value:
+kubectl exec -it mysqlclient-0 -c main -- bash -c 'openssl x509 -in /certs/tls.crt -noout -text | grep Subject:'
+
+# Edit mysql-values.yaml and update the x509UniqueIdentifer
+vim mysql-values.yaml
+
+helm upgrade --install -f mysql-values.yaml mysql mysql --version 9.15.0 --repo https://charts.bitnami.com/bitnami
+
+kubectl wait pod mysql-0 --for=condition=ready --timeout=60s
+
+kubectl exec -it mysqlclient-0 -- bash -c 'mysql -u mysqlclient --protocol tcp --ssl-key /certs/tls.key --ssl-cert /certs/tls.crt --ssl-ca /certs/ca.pem -h mysql.default.svc.cluster.local'
+```
diff --git a/examples/mysql-using-spire/mysql-values.yaml b/examples/mysql-using-spire/mysql-values.yaml
new file mode 100644
index 000000000..ccf00599a
--- /dev/null
+++ b/examples/mysql-using-spire/mysql-values.yaml
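Review bot: The final mysql command passes `--ssl-ca` but no `--ssl-mode`, so as far as I recall the client verifies at most the chain (VERIFY_CA) and never checks that the server certificate's DNS SAN matches the `-h mysql.default.svc.cluster.local` it connected to, which is exactly the property the dnsNameTemplates in spire-values.yaml exist to provide; adding `--ssl-mode=VERIFY_IDENTITY` to that command makes the example actually enforce server identity rather than just "some cert signed by the SPIRE CA". The comment `# Edit mysql-values.yaml and update the x509UniqueIdentifer` also misnames the attribute the previous step extracts; it should read `# Edit mysql-values.yaml and update the x500UniqueIdentifier` to match the grep above it and the REQUIRE SUBJECT string in mysql-values.yaml.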
@@ -0,0 +1,122 @@
+initdbScripts:
+ usertls.sql: |
+ CREATE USER 'mysqlclient'@'%' REQUIRE SUBJECT '/C=US/O=SPIRE/CN=mysqlclient.default.svc.cluster.local/x500UniqueIdentifier=a753b06724b81d4a2f14f615d40550ed';
+ GRANT ALL PRIVILEGES ON *.* TO 'mysqlclient'@'%' WITH GRANT OPTION;
+
+primary:
+ extraFlags: "--ssl-ca=/certs/ca.pem --ssl-cert=/certs/tls.crt --ssl-key=/certs/tls.key --require-secure-transport=ON"
+
+ initContainers: |
+ - name: setup-helper-volume-p1
+ image: busybox:1.36.1-uclibc
+ imagePullPolicy: IfNotPresent
+ command:
+ - sh
+ - -c
+ - 'cp -a /bin/busybox /helper'
+ securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 8 }}
+ volumeMounts:
+ - name: spiffe-helper
+ mountPath: /helper
+ - name: setup-helper-volume-p2
+ image: ghcr.io/spiffe/spiffe-helper:nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6
+ imagePullPolicy: IfNotPresent
+ command:
+ - /helper/busybox
+ - sh
+ - -c
+ - '/helper/busybox cp -a /spiffe-helper /helper && /helper/busybox rm -f /helper/busybox'
+ securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 8 }}
+ volumeMounts:
+ - name: spiffe-helper
+ mountPath: /helper
+ - name: init-tls
+ image: ghcr.io/spiffe/spiffe-helper:nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6
+ imagePullPolicy: Always
+ command:
+ - /spiffe-helper
+ - -config
+ - /etc/spiffe-helper.conf
+ - -exitWhenReady
+ securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 8 }}
+ volumeMounts:
+ - name: spiffe-workload-api
+ mountPath: /spiffe-workload-api
+ readOnly: true
+ - name: spiffe-helper-configmap
+ mountPath: /etc/spiffe-helper.conf
+ subPath: spiffe-helper.conf
+ readOnly: true
+ - name: certdir
+ mountPath: /certs
+
+ sidecars: |
+ - name: refresh-tls
+ image: {{ include "mysql.image" . 
}}
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ command:
+ - /helper/spiffe-helper
+ - -config
+ - /etc/spiffe-helper.conf
+ env:
+ - name: MYSQL_PWD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "mysql.secretName" . }}
+ key: mysql-root-password
+ securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 8 }}
+ volumeMounts:
+ - name: spiffe-workload-api
+ mountPath: /spiffe-workload-api
+ readOnly: true
+ - name: spiffe-helper-configmap
+ mountPath: /etc/spiffe-helper.conf
+ subPath: spiffe-helper.conf
+ readOnly: true
+ - name: certdir
+ mountPath: /certs
+ - name: spiffe-helper
+ mountPath: /helper
+ - name: mysql-sockdir
+ mountPath: /opt/bitnami/mysql/tmp
+
+ extraVolumeMounts:
+ - name: certdir
+ mountPath: /certs
+ - name: mysql-sockdir
+ mountPath: /opt/bitnami/mysql/tmp
+
+ extraVolumes: |
+ - name: certdir
+ emptyDir: {}
+ - name: spiffe-helper
+ emptyDir: {}
+ - name: mysql-sockdir
+ emptyDir: {}
+ - name: spiffe-helper-configmap
+ configMap:
+ name: {{ include "mysql.primary.fullname" . }}-spiffe-helper
+ - name: spiffe-workload-api
+ csi:
+ driver: "csi.spiffe.io"
+ readOnly: true
+
+extraDeploy:
+ - |
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: {{ include "mysql.primary.fullname" . }}-spiffe-helper
+ namespace: {{ include "common.names.namespace" . | quote }}
+ data:
+ spiffe-helper.conf: |
+ agent_address = "/spiffe-workload-api/spire-agent.sock"
+ cmd = "/opt/bitnami/mysql/bin/mysql"
+ cmd_args = "-uroot -e \"ALTER INSTANCE RELOAD TLS;\""
+ renew_signal = ""
+ cert_dir = "/certs"
+ renew_signal = ""
+ svid_file_name = "tls.crt"
+ svid_key_file_name = "tls.key"
+ svid_bundle_file_name = "ca.pem"
+ add_intermediates_to_bundle = true
diff --git a/examples/mysql-using-spire/mysqlclient-configmap.yaml b/examples/mysql-using-spire/mysqlclient-configmap.yaml
new file mode 100644
index 000000000..5e2e862c9
--- /dev/null
+++ b/examples/mysql-using-spire/mysqlclient-configmap.yaml
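Review bot: The initdb script gives the SVID-authenticated user `GRANT ALL PRIVILEGES ON *.* TO 'mysqlclient'@'%' WITH GRANT OPTION;`, which makes the example client a full administrator; for an example whose point is certificate-based identity, a grant scoped to one schema (for instance `GRANT SELECT ON example.* TO 'mysqlclient'@'%';` with that schema created in the same script) demonstrates the same thing without handing root-equivalent rights to anyone who obtains that SVID. In the `spiffe-helper.conf` block under extraDeploy, `renew_signal = ""` appears twice; the duplicate key should be dropped, since which copy wins is up to the HCL parser. The refresh-tls sidecar also receives the root password through `MYSQL_PWD` solely to run `ALTER INSTANCE RELOAD TLS`; a dedicated reload account holding only the privilege that statement needs (CONNECTION_ADMIN, if I remember the 8.0 privilege model correctly) would keep the root credential out of the sidecar. Finally, `image: busybox:1.36.1-uclibc` is the one image reference in this file not pinned by digest, unlike the spiffe-helper references beside it.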
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mysqlclient
+data:
+ spiffe-helper.conf: |
+ agent_address = "/spiffe-workload-api/spire-agent.sock"
+ cmd = ""
+ cmd_args = ""
+ cert_dir = "/certs"
+ renew_signal = ""
+ svid_file_name = "tls.crt"
+ svid_key_file_name = "tls.key"
+ svid_bundle_file_name = "ca.pem"
+ add_intermediates_to_bundle = true
diff --git a/examples/mysql-using-spire/mysqlclient-statefulset.yaml b/examples/mysql-using-spire/mysqlclient-statefulset.yaml
new file mode 100644
index 000000000..71d993108
--- /dev/null
+++ b/examples/mysql-using-spire/mysqlclient-statefulset.yaml
@@ -0,0 +1,78 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: mysqlclient
+spec:
+ replicas: 1
+ #serviceName: mysqlclient
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: mysqlclient
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: mysqlclient
+ spec:
+ terminationGracePeriodSeconds: 0
+ initContainers:
+ - name: init-tls
+ image: ghcr.io/spiffe/spiffe-helper:nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6
+ imagePullPolicy: Always
+ command:
+ - /spiffe-helper
+ - -config
+ - /etc/spiffe-helper.conf
+ - -exitWhenReady
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ volumeMounts:
+ - name: spiffe-workload-api
+ mountPath: /spiffe-workload-api
+ readOnly: true
+ - name: spiffe-helper-configmap
+ mountPath: /etc/spiffe-helper.conf
+ subPath: spiffe-helper.conf
+ readOnly: true
+ - name: certdir
+ mountPath: /certs
+ containers:
+ - name: main
+ image: docker.io/bitnami/mysql:8.0.35-debian-11-r0
+ command: [sleep, inf]
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ volumeMounts:
+ - name: certdir
+ mountPath: /certs
+ - name: refresh-tls
+ image: ghcr.io/spiffe/spiffe-helper:nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6
+ imagePullPolicy: Always
+ command:
+ - /spiffe-helper
+ - -config
+ - /etc/spiffe-helper.conf
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ volumeMounts:
+ - name: spiffe-workload-api
+ mountPath: /spiffe-workload-api
+ readOnly: true
+ - name: spiffe-helper-configmap
+ mountPath: /etc/spiffe-helper.conf
+ subPath: spiffe-helper.conf
+ readOnly: true
+ - name: certdir
+ mountPath: /certs
+ volumes:
+ - name: certdir
+ emptyDir: {}
+ - name: spiffe-helper-configmap
+ configMap:
+ name: mysqlclient
+ - name: spiffe-workload-api
+ csi:
+ driver: "csi.spiffe.io"
+ readOnly: true
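Review bot: The `certdir` emptyDir that init-tls and refresh-tls write `tls.key` into is backed by node disk by default, so the workload's private key sits on the host filesystem for the pod's lifetime; `emptyDir: {medium: Memory}` keeps it in tmpfs, which is the usual choice for SVID material. The containers also set only `runAsUser`/`runAsGroup`, with no `runAsNonRoot`, `allowPrivilegeEscalation: false`, dropped capabilities or seccomp profile, so this example would not admit under the restricted Pod Security Standard that a hardened-charts repository presumably targets. The user, group and seccomp settings can be lifted to one pod-level `securityContext` and the capability drop repeated per container; the sketch shows the pod-level part, one container and the volume change.

```yaml
    spec:
      terminationGracePeriodSeconds: 0
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        runAsGroup: 1001
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        - name: init-tls
          # … unchanged: image, imagePullPolicy, command, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]
      # … unchanged: containers main and refresh-tls, each with the same container securityContext …
      volumes:
        - name: certdir
          emptyDir:
            medium: Memory
        # … unchanged: spiffe-helper-configmap, spiffe-workload-api …
```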
diff --git a/examples/mysql-using-spire/spire-values.yaml b/examples/mysql-using-spire/spire-values.yaml
new file mode 100644
index 000000000..6929a9d2c
--- /dev/null
+++ b/examples/mysql-using-spire/spire-values.yaml
@@ -0,0 +1,26 @@
+spire-server:
+ controllerManager:
+ identities:
+ clusterSPIFFEIDs:
+ default:
+ enabled: false
+ mysql:
+ spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: default
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: mysql
+ dnsNameTemplates:
+ - mysql.default.svc.cluster.local
+ mysqlclient:
+ spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: default
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: mysqlclient
+ dnsNameTemplates:
+ - mysqlclient.default.svc.cluster.local
From 8adbb89890865d55bb3880562bb43890cfcd522f Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Mon, 5 Feb 2024 11:40:19 -0800 Subject: [PATCH 7/9] Add alternate name support for the socket (#181) * Add alternate name support for the socket Signed-off-by: Kevin Fox * Fix missing image reference Signed-off-by: Kevin Fox * Make user changing socket work smoothly. Signed-off-by: Kevin Fox * Apply suggestions from code review Signed-off-by: kfox1111 * Update charts/spire/charts/spire-agent/values.yaml Signed-off-by: kfox1111 --------- Signed-off-by: Kevin Fox Signed-off-by: kfox1111 Co-authored-by: Faisal Memon --- .github/tests/images.json | 5 +++ charts/spire/charts/spire-agent/README.md | 6 +++ .../charts/spire-agent/templates/_helpers.tpl | 8 ++++ .../spire-agent/templates/configmap.yaml | 2 +- .../spire-agent/templates/daemonset.yaml | 39 ++++++++++++++++--- charts/spire/charts/spire-agent/values.yaml | 21 ++++++++++ 6 files changed, 74 insertions(+), 7 deletions(-)
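Review bot: The `mysql` ClusterSPIFFEID issues an SVID carrying the DNS SAN `mysql.default.svc.cluster.local` to any pod in namespace `default` that carries the label `app.kubernetes.io/instance: mysql`, so anyone able to create a labelled pod there can obtain a certificate that a hostname-verifying client would accept for the database; whether that is acceptable depends on who can create pods in `default`, which the example does not discuss. The spiffeIDTemplate already varies by service account, but the DNS name does not, so at minimum a comment above `podSelector` should state the assumption, e.g. `# Any pod in 'default' with this label receives the mysql server identity; restrict who can create pods there`. The templates also hard-code the `cluster.local` domain, which needs adjusting on clusters with a different cluster domain.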
diff --git a/.github/tests/images.json b/.github/tests/images.json index 271dca192..12863b587 100644 --- a/.github/tests/images.json +++ b/.github/tests/images.json @@ -12,6 +12,11 @@ "filter": "LATESTSHA", "sort-flags": [] }, + { + "query": "socketAlternate.image", + "filter": "LATESTSHA", + "sort-flags": [] + }, { "query": "fsGroupFix.image", "filter": "LATESTSHA", diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 2db9ee204..22c11c47f 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -88,6 +88,12 @@ A Helm chart to install the SPIRE agent. | `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | | `kubeletConnectByHostname` | If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise. | `""` | | `socketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | +| `socketAlternate.names` | List of alternate names for the socket that workloads might expect to be able to access in the driver mount. | `["socket","spire-agent.sock","api.sock"]` | +| `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` | +| `socketAlternate.image.pullPolicy` | The image pull policy | `Always` | +| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea` | +| `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | | `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | | `extraVolumes` | Extra volumes to be mounted on Spire Agent pods | `[]` | diff --git a/charts/spire/charts/spire-agent/templates/_helpers.tpl b/charts/spire/charts/spire-agent/templates/_helpers.tpl index 89d5624d9..fd83a3fb4 100644 --- a/charts/spire/charts/spire-agent/templates/_helpers.tpl +++ b/charts/spire/charts/spire-agent/templates/_helpers.tpl 
@@ -125,3 +125,11 @@ Create the name of the service account to use {{- printf "false" }} {{- end }} {{- end }} + +{{- define "spire-agent.socket-alternate-names" -}} +{{- $sockName := .Values.socketPath | base }} +{{- $l := deepCopy .Values.socketAlternate.names }} +{{- $l = without $l $sockName }} +names: +{{ $l | toYaml }} +{{- end }} diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index 34a0d7e4d..1270be668 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -24,7 +24,7 @@ agent: log_level: {{ .Values.logLevel | quote }} server_address: {{ include "spire-agent.server-address" . | trim | quote }} server_port: {{ .Values.server.port | quote }} - socket_path: {{ include "spire-agent.socket-path" . | quote }} + socket_path: /tmp/spire-agent/public/{{ include "spire-agent.socket-path" . | base }} {{- if ne (len .Values.trustBundleURL) 0 }} trust_bundle_url: {{ .Values.trustBundleURL | quote }} trust_bundle_format: {{ .Values.trustBundleFormat | quote }} diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index 4d6c7c5bb..7dfe8d0b0 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml @@ -1,6 +1,8 @@ {{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }} {{- $podSecurityContext := fromYaml (include "spire-lib.podsecuritycontext" .) }} {{- $cbh := eq (include "spire-agent.connect-by-hostname" .) "true" }} +{{- $socketAlternateNames := index (include "spire-agent.socket-alternate-names" . | fromYaml) "names" }} +{{- $socketPath := include "spire-agent.socket-path" . }} apiVersion: apps/v1 kind: DaemonSet metadata: 
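Review bot: `spire-agent.socket-alternate-names` pipes `.Values.socketAlternate.names` through `deepCopy` before `without`, but `without` already returns a new list, so the copy is redundant. More importantly, if a user sets `socketAlternate.names: null` (or leaves the key empty) to turn the feature off, `without` is handed a nil value and, as far as I know of sprig's implementation, rendering fails instead of yielding an empty list; `{{- $l := .Values.socketAlternate.names | default (list) }}` avoids that. Since every entry ends up as a filename in a root-run shell over a hostPath directory (see the daemonset hunk), the helper is also the natural place to reject anything that is not a bare filename, with `{{- range $l }}{{- if ne . (. | base) }}{{ fail (printf "socketAlternate.names entry %q must be a bare filename" .) }}{{- end }}{{- end }}`.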
@@ -50,18 +52,43 @@ spec: {{- toYaml .Values.waitForIt.resources | nindent 12 }} securityContext: {{ toYaml .Values.securityContext | nindent 12 }} + {{- if gt (len $socketAlternateNames) 0 }} + - name: ensure-alternate-names + image: {{ template "spire-lib.image" (dict "image" .Values.socketAlternate.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.socketAlternate.image.pullPolicy }} + command: ["bash", "-xc"] + {{/* 1. Look for symlinks pointing at the wrong place and remove them. 2. Make symlinks that don't exist. 3. If new socket is pointing at an existing symlink, remove old symlink. */}} + args: + - | + cd {{ $socketPath | dir }} + {{- range $socketAlternateNames }} + L=`readlink {{ . }}` + [ "x$L" != "x{{ $socketPath | base}}" ] && rm -f {{ . }} + [ ! -L {{ . }} ] && ln -s {{ $socketPath | base }} {{ . }} + {{- end }} + [ -L {{ $socketPath | base }} ] && rm -f {{ $socketPath | base }} + exit 0 + resources: + {{- toYaml .Values.socketAlternate.resources | nindent 12 }} + volumeMounts: + - name: spire-agent-socket-dir + mountPath: {{ $socketPath | dir }} + securityContext: + runAsUser: 0 + runAsGroup: 0 + {{- end }} {{- if gt (int (dig "fsGroup" 0 $podSecurityContext)) 0 }} - name: fsgroupfix image: {{ template "spire-lib.image" (dict "image" .Values.fsGroupFix.image "global" .Values.global) }} imagePullPolicy: {{ .Values.fsGroupFix.image.pullPolicy }} command: ["bash", "-c"] args: - - "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ include "spire-agent.socket-path" . | dir }}" + - "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ $socketPath | dir }}" resources: {{- toYaml .Values.fsGroupFix.resources | nindent 12 }} volumeMounts: - name: spire-agent-socket-dir - mountPath: {{ include "spire-agent.socket-path" . | dir }} + mountPath: {{ $socketPath | dir }} securityContext: runAsUser: 0 runAsGroup: 0 
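Review bot: In the `ensure-alternate-names` init container each alternate name and the socket basename are spliced unquoted into a shell script that runs as root over the hostPath socket directory, and the script ends in `exit 0`, so a failed `rm -f` or `ln -s` (a name that is a directory, a name containing whitespace, a read-only mount) leaves the link missing while the pod starts normally and workloads only notice when the socket path they expect is absent. Quoting the interpolated values and letting the container fail on error surfaces the problem at startup; the trailing `[ -L base ] && rm -f base` then needs an `if` form so its ordinary false branch does not trip `set -e`. Removing a non-symlink found at an alternate name is kept, since that is what makes a changed socketPath work per the commit message, but it is worth a comment that a stale socket file at that name is deleted deliberately.

```yaml
          command: ["bash", "-xc"]
          args:
            - |
              set -eu
              cd {{ $socketPath | dir | quote }}
              {{- range $socketAlternateNames }}
              # A stale file or socket at an alternate name is replaced on purpose.
              if [ "$(readlink {{ . | quote }})" != {{ $socketPath | base | quote }} ]; then rm -f {{ . | quote }}; fi
              if [ ! -L {{ . | quote }} ]; then ln -s {{ $socketPath | base | quote }} {{ . | quote }}; fi
              {{- end }}
              if [ -L {{ $socketPath | base | quote }} ]; then rm -f {{ $socketPath | base | quote }}; fi
          # … unchanged: resources, volumeMounts, securityContext …
```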
@@ -73,7 +100,7 @@ spec:
 - name: {{ .Chart.Name }}
 image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
- args: ["-config", "/run/spire/config/agent.conf"]
+ args: ["-config", "/opt/spire/conf/agent/agent.conf"]
 securityContext:
 {{ toYaml .Values.securityContext | nindent 12 }}
 env:
@@ -97,7 +124,7 @@ spec:
 {{- end }}
 volumeMounts:
 - name: spire-config
- mountPath: /run/spire/config
+ mountPath: /opt/spire/conf/agent
 readOnly: true
 {{- if eq (len .Values.trustBundleURL) 0 }}
 - name: spire-bundle
@@ -105,7 +132,7 @@ spec:
 readOnly: true
 {{- end }}
 - name: spire-agent-socket-dir
- mountPath: {{ include "spire-agent.socket-path" . | dir }}
+ mountPath: /tmp/spire-agent/public
 readOnly: false
 - name: spire-token
 mountPath: /var/run/secrets/tokens
@@ -153,7 +180,7 @@ spec:
 audience: spire-server
 - name: spire-agent-socket-dir
 hostPath:
- path: {{ include "spire-agent.socket-path" . | dir }}
+ path: {{ $socketPath | dir }}
 type: DirectoryOrCreate
 {{- if gt (len .Values.extraVolumes) 0 }}
 {{- toYaml .Values.extraVolumes | nindent 8 }}
diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml
index 5c907ef4d..f072b5280 100644
--- a/charts/spire/charts/spire-agent/values.yaml
+++ b/charts/spire/charts/spire-agent/values.yaml
@@ -210,6 +210,27 @@ kubeletConnectByHostname: ""
 ## @param socketPath The unix socket path to the spire-agent
 socketPath: /run/spire/agent-sockets/spire-agent.sock
+socketAlternate:
+ ## @param socketAlternate.names List of alternate names for the socket that workloads might expect to be able to access in the driver mount.
+ names:
+ - socket
+ - spire-agent.sock
+ - api.sock
+
+ ## @param socketAlternate.image.registry The OCI registry to pull the image from
+ ## @param socketAlternate.image.repository The repository within the registry
+ ## @param socketAlternate.image.pullPolicy The image pull policy
+ ## @param socketAlternate.image.tag Overrides the image tag whose default is the chart appVersion
+ ##
+ image:
+ registry: cgr.dev
+ repository: chainguard/bash
+ pullPolicy: Always
+ tag: latest@sha256:07d2662ef699e9ceafab3f39624083193dfcb7b768ee86860dbdd5cb4473dcea
+
+ ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources: {}
+
 ## @param priorityClassName Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName.
 priorityClassName: ""
From 49e21c389bdb796ef9ffbc0080bf9e173683eddd Mon Sep 17 00:00:00 2001
From: kfox1111
Date: Mon, 5 Feb 2024 12:33:24 -0800
Subject: [PATCH 8/9] Add missing affinity settings (#232)
Signed-off-by: Kevin Fox
Co-authored-by: Faisal Memon
---
 charts/spire/charts/spiffe-csi-driver/README.md | 1 +
 .../spire/charts/spiffe-csi-driver/templates/daemonset.yaml | 4 ++++
 charts/spire/charts/spiffe-csi-driver/values.yaml | 3 +++
 charts/spire/charts/spire-agent/README.md | 1 +
 charts/spire/charts/spire-agent/templates/daemonset.yaml | 4 ++++
 charts/spire/charts/spire-agent/values.yaml | 3 +++
 6 files changed, 16 insertions(+)
diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md
index cfcb62849..92322dd62 100644
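Review bot: The `@param socketAlternate.names` description does not say how the entries are used or that one of them is silently dropped: as far as the accompanying template hunks show, the entry equal to the basename of `socketPath` is filtered out and the remaining names are created as symlinks to the real socket in the host socket directory by a root init container. Suggest `## @param socketAlternate.names List of alternate names (symlinks to the socket, created in the socket directory) that workloads might expect in the driver mount. An entry equal to the basename of socketPath is ignored.` so operators can see the effect on the host before enabling it. The `## @param socketAlternate.image.tag` text is copied from other images and says the default is the chart appVersion, but the default here is `latest@sha256:...`; the digest pin is the right choice for a root init container, so the comment should state that instead.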
--- a/charts/spire/charts/spiffe-csi-driver/README.md
+++ b/charts/spire/charts/spiffe-csi-driver/README.md
@@ -51,6 +51,7 @@ A Helm chart to install the SPIFFE CSI driver.
 | `securityContext.privileged` | Flag for specifying privileged mode | `true` |
 | `nodeSelector` | Node selector for CSI driver pods | `{}` |
 | `tolerations` | Tolerations for CSI driver pods | `[]` |
+| `affinity` | Node affinity | `{}` |
 | `nodeDriverRegistrar.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
 | `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` |
 | `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` |
diff --git a/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml b/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml
index f81804057..3044ac4f0 100644
--- a/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml
+++ b/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml
@@ -29,6 +29,10 @@ spec:
 nodeSelector:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- with .Values.tolerations }}
 tolerations:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml
index 8eebf6f80..4f1afaf7d 100644
--- a/charts/spire/charts/spiffe-csi-driver/values.yaml
+++ b/charts/spire/charts/spiffe-csi-driver/values.yaml
@@ -96,6 +96,9 @@ nodeSelector: {}
 ## @param tolerations [array] Tolerations for CSI driver pods
 tolerations: []
+## @param affinity [object] Node affinity
+affinity: {}
+
 nodeDriverRegistrar:
 ## @param nodeDriverRegistrar.image.registry The OCI registry to pull the image from
 ## @param nodeDriverRegistrar.image.repository The repository within the registry
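Review bot: `## @param affinity [object] Node affinity` in the spiffe-csi-driver values.yaml hunk (and the README row it generates) under-describes the value: the daemonset hunk drops it straight into the pod spec `affinity` field, which also carries `podAffinity` and `podAntiAffinity`, so "Node affinity" reads as if only `nodeAffinity` were honoured. Suggest `## @param affinity [object] Affinity rules (nodeAffinity, podAffinity, podAntiAffinity) for CSI driver pods`, and the same wording for the spire-agent values.yaml hunk `@@ -77,6 +77,9 @@` and its README hunk `@@ -45,6 +45,7 @@` that follow. The README tables appear to be generated from the `@param` comments, so only the two values.yaml comments need editing by hand.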
diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md
index 22c11c47f..c059bcfe0 100644
--- a/charts/spire/charts/spire-agent/README.md
+++ b/charts/spire/charts/spire-agent/README.md
@@ -45,6 +45,7 @@ A Helm chart to install the SPIRE agent.
 | `resources` | Resource requests and limits | `{}` |
 | `nodeSelector` | Node selector | `{}` |
 | `tolerations` | List of tolerations | `[]` |
+| `affinity` | Node affinity | `{}` |
 | `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` |
 | `clusterName` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `example-cluster` |
 | `trustDomain` | The trust domain to be used for the SPIFFE identifiers | `example.org` |
diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml
index 7dfe8d0b0..279f56c06 100644
--- a/charts/spire/charts/spire-agent/templates/daemonset.yaml
+++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml
@@ -158,6 +158,10 @@ spec:
 nodeSelector:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- with .Values.tolerations }}
 tolerations:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml
index f072b5280..b2be1533b 100644
--- a/charts/spire/charts/spire-agent/values.yaml
+++ b/charts/spire/charts/spire-agent/values.yaml
@@ -77,6 +77,9 @@ nodeSelector: {}
 ## @param tolerations [array] List of tolerations
 tolerations: []
+## @param affinity [object] Node affinity
+affinity: {}
+
 ## @param logLevel The log level, valid values are "debug", "info", "warn", and "error"
 logLevel: info
 ## @param clusterName The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`)
From 7ad1ae7355bfe41ce944cd276d519f1319947b6a Mon Sep 17 00:00:00 2001
From: Faisal Memon
Date: Mon, 5 Feb 2024 12:42:26 -0800
Subject: [PATCH 9/9] Bump spire Helm Chart version from 0.17.1 to 0.17.2
* 49e21c3 Add missing affinity settings (#232)
* 8adbb89 Add alternate name support for the socket (#181)
* 350ec89 Bump test chart dependencies (#235)
* 0e12595 Update README.md delete pvc for cleanup (#233)
Signed-off-by: Faisal Memon
---
 charts/spire/Chart.yaml | 2 +-
 charts/spire/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml
index 2eca37e46..f03638567 100644
--- a/charts/spire/Chart.yaml
+++ b/charts/spire/Chart.yaml
@@ -3,7 +3,7 @@ name: spire
 description: >
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.17.1
+version: 0.17.2
 appVersion: "1.8.7"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
diff --git a/charts/spire/README.md b/charts/spire/README.md
index 990951223..99861fd43 100644
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
@@ -1,6 +1,6 @@
 # spire
-![Version: 0.17.1](https://img.shields.io/badge/Version-0.17.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.7](https://img.shields.io/badge/AppVersion-1.8.7-informational?style=flat-square)
+![Version: 0.17.2](https://img.shields.io/badge/Version-0.17.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.7](https://img.shields.io/badge/AppVersion-1.8.7-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.