Merge branch 'main' into release
faisal-memon committed Jan 30, 2024
2 parents 5f46d7b + 16ecfe9 commit f2f56fa
Showing 23 changed files with 95 additions and 31 deletions.
6 changes: 3 additions & 3 deletions .github/tests/charts.json
@@ -2,7 +2,7 @@
{
"name": "kube-prometheus-stack",
"repo": "https://prometheus-community.github.io/helm-charts",
"version": "56.0.1"
"version": "56.2.1"
},
{
"name": "cert-manager",
@@ -12,7 +12,7 @@
{
"name": "ingress-nginx",
"repo": "https://kubernetes.github.io/ingress-nginx",
"version": "4.9.0"
"version": "4.9.1"
},
{
"name": "mysql",
@@ -22,6 +22,6 @@
{
"name": "postgresql",
"repo": "https://charts.bitnami.com/bitnami",
"version": "13.3.1"
"version": "13.4.3"
}
]
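Review bot: nothing blocking in the three test-chart bumps (kube-prometheus-stack 56.0.1 to 56.2.1, ingress-nginx 4.9.0 to 4.9.1, postgresql 13.3.1 to 13.4.3), but each entry pins by `version` only, so a CI run resolves the chart to whatever the upstream repository index serves for that version string at run time. If the test matrix is meant to be reproducible, record the chart digest from the repository index next to `version` so a re-published chart with the same version is noticed instead of silently picked up.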
2 changes: 1 addition & 1 deletion charts/spire/Chart.yaml
@@ -3,7 +3,7 @@ name: spire
description: >
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
type: application
version: 0.17.0
version: 0.17.1
appVersion: "1.8.7"
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
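Review bot: a patch bump (0.17.0 to 0.17.1, `appVersion: "1.8.7"` unchanged) fits the documentation and digest changes, but the same commit adds render-time `fail` guards to the spire-agent configmap requiring exactly one NodeAttestor and one KeyManager; a values file that previously rendered with none or several of those plugins will now abort at `helm upgrade`. That behaviour change deserves a line under the `### 0.17.X` upgrade notes in charts/spire/README.md rather than shipping silently in a patch release.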
13 changes: 11 additions & 2 deletions charts/spire/README.md
@@ -1,6 +1,6 @@
# spire

![Version: 0.17.0](https://img.shields.io/badge/Version-0.17.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.7](https://img.shields.io/badge/AppVersion-1.8.7-informational?style=flat-square)
![Version: 0.17.1](https://img.shields.io/badge/Version-0.17.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.7](https://img.shields.io/badge/AppVersion-1.8.7-informational?style=flat-square)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)

A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@@ -64,14 +64,23 @@ helm upgrade --install -n spire-mgmt spire-crds spire-crds --repo https://spiffe
helm upgrade --install -n spire-mgmt spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml
```

## Clean up

```shell
helm -n spire-mgmt uninstall spire-crds
helm -n spire-mgmt uninstall spire
kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeids.spire.spiffe.io clusterstaticentries.spire.spiffe.io
```

## Upgrade notes

We only support upgrading one major version at a time. Version skipping isn't supported.

### 0.17.X

- If you set spire-server.replicaCount > 1, update it to 1 before upgrading and after upgrade you can set it back to its previous value.
- The SPIFFE OIDC Discovery Provider now has many new TLS options and defaults to using SPIRE to issue its certificate.
- The `spiffe-oidc-discovery-provider.insecureScheme.enabled` flag was removed. If you previously set that flag, remove the setting from your values.yaml and see if the new default of using a SPIRE issued certificate is suitable for your deployment. If it isn't, please consider one of the other options under `spiffe-oidc-discovery-provider.tls`. If all other options are still unsuitable, you can still enable the previous mode by disabling TLS. (`spiffe-oidc-discovery-provider.spire.enabled=false`)
- The `spiffe-oidc-discovery-provider.insecureScheme.enabled` flag was removed. If you previously set that flag, remove the setting from your values.yaml and see if the new default of using a SPIRE issued certificate is suitable for your deployment. If it isn't, please consider one of the other options under `spiffe-oidc-discovery-provider.tls`. If all other options are still unsuitable, you can still enable the previous mode by disabling TLS. (`spiffe-oidc-discovery-provider.tls.spire.enabled=false`)

- The SPIFFE OIDC Discovery Provider is now enabled by default. If you previously chose to have it off, you can disable it explicitly with `spiffe-oidc-discovery-provider.enabled=false`.

4 changes: 2 additions & 2 deletions charts/spire/charts/spiffe-oidc-discovery-provider/README.md
@@ -115,11 +115,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d` |
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f37793c4af2a98f6cc313ac8af635d713e92d19344b11d499f92d8c644dd3b9f` |
| `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
| `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` |
| `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:55cbdb5d87d89ab2c02efcb3bbc06f88bc70828e09294fb8a39be0cbc5c0a3b6` |
| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:41c7d1fcb755339b883b0cf2998c52e77ba2e4fab9347665a54c6ef3e4d97838` |
| `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` |
| `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` |
| `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` |
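Review bot: the digest bumps for `chainguard/bash` and `chainguard/slim-toolkit-debug` are fine, since `latest@sha256:...` pins the image by digest and the `latest` tag is informational only, and the `tests.bash.image.tag` and `tests.toolkit.image.tag` values further down in this commit carry the same two digests, so table and manifests agree. The description column for these rows still says "Overrides the image tag whose default is the chart appVersion", which is not true for helper images whose default is a digest; since helm-docs copies that text from the `## @param` comments in values.yaml, fix the wording there so it regenerates correctly.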
@@ -328,7 +328,7 @@ tests:
registry: cgr.dev
repository: chainguard/bash
pullPolicy: IfNotPresent
tag: latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d
tag: latest@sha256:f37793c4af2a98f6cc313ac8af635d713e92d19344b11d499f92d8c644dd3b9f

toolkit:
## @param tests.toolkit.image.registry The OCI registry to pull the image from
@@ -340,7 +340,7 @@ tests:
registry: cgr.dev
repository: chainguard/slim-toolkit-debug
pullPolicy: IfNotPresent
tag: latest@sha256:55cbdb5d87d89ab2c02efcb3bbc06f88bc70828e09294fb8a39be0cbc5c0a3b6
tag: latest@sha256:41c7d1fcb755339b883b0cf2998c52e77ba2e4fab9347665a54c6ef3e4d97838

step:
## @param tests.step.image.registry The OCI registry to pull the image from
10 changes: 6 additions & 4 deletions charts/spire/charts/spire-agent/README.md
@@ -58,18 +58,20 @@ A Helm chart to install the SPIRE agent.
| `healthChecks.port` | override the host port used for health checking | `9982` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` |
| `livenessProbe.periodSeconds` | Period seconds for probe | `60` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` |
| `readinessProbe.periodSeconds` | Period seconds for probe | `60` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for probe | `10` |
| `readinessProbe.periodSeconds` | Period seconds for probe | `30` |
| `waitForIt.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
| `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` |
| `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:84be7f9205d88f368097c3712a867c5d35d1d024633de4b5675b3f17f63f27cf` |
| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:e5f04633c3885d2a3a6fce512da4e03fcb064411f62642e7d2793bfafed10d59` |
| `waitForIt.resources` | Resource requests and limits | `{}` |
| `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
| `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` |
| `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` |
| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:099e4b9adb13a94e6f25d6bb9bfe69fd5ba734a615e62bb0e1efba6650c6b23d` |
| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f37793c4af2a98f6cc313ac8af635d713e92d19344b11d499f92d8c644dd3b9f` |
| `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
| `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` |
| `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s Node Attestor | `true` |
| `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` |
| `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` |
| `workloadAttestors.k8s.skipKubeletVerification` | If true, kubelet certificate verification is skipped | `true` |
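Review bot: `readinessProbe.initialDelaySeconds` 15 to 10 and `periodSeconds` 60 to 30 show up here only as generated table defaults; confirm the matching values.yaml change is part of the commit (it is not in the portion of the diff rendered on this page), otherwise the next helm-docs run reverts these numbers. The shorter readiness interval is reasonable for a DaemonSet whose pods roll one node at a time. Not introduced by this hunk but visible in its context: `workloadAttestors.k8s.skipKubeletVerification` defaults to `true`, meaning the agent accepts the kubelet without certificate verification; worth an issue of its own for a chart that calls itself hardened.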
14 changes: 14 additions & 0 deletions charts/spire/charts/spire-agent/templates/configmap.yaml
@@ -56,15 +56,29 @@ agent:
{{- end }}
{{- end }}

{{- $nodeAttestorUsed := add (len .Values.customPlugins.nodeAttestor) (len .Values.unsupportedBuiltInPlugins.nodeAttestor) }}
{{- $keyManagerUsed := add (len .Values.customPlugins.keyManager) (len .Values.unsupportedBuiltInPlugins.keyManager) }}
plugins:
NodeAttestor:
{{- if .Values.nodeAttestor.k8sPsat.enabled }}
k8s_psat:
plugin_data:
cluster: {{ include "spire-lib.cluster-name" . | quote }}
{{- $nodeAttestorUsed = add1 $nodeAttestorUsed }}
{{- end }}
{{- if ne $nodeAttestorUsed 1 }}
{{- fail (printf "You have to enable exactly one Node Attestor. There are %d enabled." $nodeAttestorUsed) }}
{{- end }}

KeyManager:
{{- if .Values.keyManager.memory.enabled }}
memory:
plugin_data:
{{- $keyManagerUsed = add1 $keyManagerUsed }}
{{- end }}
{{- if ne $keyManagerUsed 1 }}
{{- fail (printf "You have to enable exactly one Key Manager. There are %d enabled." $keyManagerUsed) }}
{{- end }}

WorkloadAttestor:
{{- if .Values.workloadAttestors.k8s.enabled }}
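Review bot: the exactly-one guards are a good fail-fast (a misconfigured agent used to render cleanly and then crash-loop at start-up), but `len .Values.customPlugins.nodeAttestor` and `len .Values.unsupportedBuiltInPlugins.nodeAttestor` (and the two `keyManager` counterparts) make rendering fail with a template error rather than the intended message whenever either key is missing or set to `null`, so values.yaml must keep both maps defined with an empty `{}` default. Guarding the lookup makes the template robust to user values that null them out, e.g.
{{- $nodeAttestorUsed := add (len (default (dict) .Values.customPlugins.nodeAttestor)) (len (default (dict) .Values.unsupportedBuiltInPlugins.nodeAttestor)) }}
Also consider listing the enabled plugin names in the `fail` message; "There are 2 enabled." tells the operator less than which two conflicted.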
5 changes: 5 additions & 0 deletions charts/spire/charts/spire-agent/templates/daemonset.yaml
@@ -15,6 +15,7 @@ spec:
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: spire-agent
checksum/config: {{ $configSum }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
@@ -47,6 +48,8 @@ spec:
args: ["-t", "30", "-h", "{{ include "spire-agent.server-address" . | trim }}", "-p", {{ .Values.server.port | quote }}]
resources:
{{- toYaml .Values.waitForIt.resources | nindent 12 }}
securityContext:
{{ toYaml .Values.securityContext | nindent 12 }}
{{- if gt (int (dig "fsGroup" 0 $podSecurityContext)) 0 }}
- name: fsgroupfix
image: {{ template "spire-lib.image" (dict "image" .Values.fsGroupFix.image "global" .Values.global) }}
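Review bot: the new `securityContext` on the wait-for-it init container uses `{{ toYaml .Values.securityContext | nindent 12 }}` while the `resources` block two lines above uses `{{- toYaml ... | nindent 12 }}`; without the dash the rendered YAML gets a whitespace-only line between `securityContext:` and its body, which parses but is inconsistent with the rest of the file, so write `{{- toYaml .Values.securityContext | nindent 12 }}`. Also, the `fsgroupfix` init container directly below the new lines is now the only container in the pod without an explicit securityContext; if it must run as root to fix volume ownership, make that explicit with its own context instead of silently inheriting the pod default.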
@@ -71,6 +74,8 @@ spec:
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args: ["-config", "/run/spire/config/agent.conf"]
securityContext:
{{ toYaml .Values.securityContext | nindent 12 }}
env:
- name: PATH
value: "/opt/spire/bin:/bin"
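Review bot: applying the single `.Values.securityContext` to the spire-agent container here and, in the hunk above, to the wait-for-it init container couples their privilege: whatever an operator grants the agent (added capabilities, a root UID, `privileged`) is also granted to a helper whose only job is to open a TCP connection to `server.port`. Prefer a separate `waitForIt.securityContext` with a restrictive default (`runAsNonRoot: true`, `capabilities: {drop: [ALL]}`, `readOnlyRootFilesystem: true`) and keep `.Values.securityContext` for the agent alone. Note also that with an empty-map default this renders as `securityContext: {}`, which is valid but means the hardened defaults only exist if values.yaml actually sets them.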
0 comments on commit f2f56fa
