Merge branch 'main' into spire-step-ssh

.github/tests/charts.json

@@ -2,7 +2,7 @@
   {
     "name": "kube-prometheus-stack",
     "repo": "https://prometheus-community.github.io/helm-charts",
-    "version": "65.3.1"
+    "version": "65.5.0"
   },
   {
     "name": "cert-manager",
@@ -22,6 +22,6 @@
   {
     "name": "postgresql",
     "repo": "https://charts.bitnami.com/bitnami",
-    "version": "16.0.3"
+    "version": "16.0.6"
   }
 ]

.github/workflows/helm-chart-ci-ignore.yaml

@@ -30,9 +30,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
 
     steps:
       - run: 'echo "Skipping tests"'
@@ -74,9 +74,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
         example:
           - ${{ fromJson(needs.build-matrix.outputs.examples) }}
 
@@ -92,9 +92,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
         example:
           - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}
 
@@ -110,9 +110,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
 
     steps:
       - run: 'echo "Skipping upgrade-test"'

.github/workflows/helm-chart-ci.yaml

@@ -21,9 +21,9 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  HELM_VERSION: v3.12.0
+  HELM_VERSION: v3.16.2
   PYTHON_VERSION: 3.11.3
-  KIND_VERSION: v0.19.0
+  KIND_VERSION: v0.24.0
   CHART_TESTING_VERSION: v3.8.0
 
 jobs:
@@ -130,9 +130,9 @@ jobs:
         # Kubernetes, but can go back farther as long as we don't need heroics
         # to pull it off (i.e. kubectl version juggling).
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
 
     steps:
       - name: Checkout
@@ -218,9 +218,9 @@ jobs:
       fail-fast: false
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
         example:
           - ${{ fromJson(needs.build-matrix.outputs.examples) }}
 
@@ -243,7 +243,7 @@ jobs:
         # Only build a kind cluster if there are chart changes to test.
         with:
           version: ${{ env.KIND_VERSION }}
-          node_image: kindest/node:v1.26.4
+          node_image: kindest/node:${{ matrix.k8s }}
           config: .github/kind/conf/kind-config.yaml
           verbosity: 1
 
@@ -256,6 +256,7 @@ jobs:
             kubectl create namespace spire-server
             helm install -n spire-server spire-crds charts/spire-crds
           fi
+          export K8S="${{ matrix.k8s }}"
           ${{ matrix.example }}/run-tests.sh
 
   integration-test:
@@ -269,9 +270,9 @@ jobs:
       fail-fast: false
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
         integrationtest:
           - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}
 
@@ -294,7 +295,7 @@ jobs:
         # Only build a kind cluster if there are chart changes to test.
         with:
           version: ${{ env.KIND_VERSION }}
-          node_image: kindest/node:v1.26.4
+          node_image: kindest/node:${{ matrix.k8s }}
           config: .github/kind/conf/kind-config.yaml
           verbosity: 1
 
@@ -314,9 +315,9 @@ jobs:
       fail-fast: false
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
 
     steps:
       - name: Checkout
@@ -337,7 +338,7 @@ jobs:
         # Only build a kind cluster if there are chart changes to test.
         with:
           version: ${{ env.KIND_VERSION }}
-          node_image: kindest/node:v1.26.4
+          node_image: kindest/node:${{ matrix.k8s }}
           config: .github/kind/conf/kind-config.yaml
           verbosity: 1
 

charts/spire-nested/Chart.yaml

@@ -4,7 +4,7 @@ description: >
   A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
 version: 0.23.0
-appVersion: "1.10.3"
+appVersion: "1.11.0"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:

charts/spire-nested/README.md

@@ -1,6 +1,6 @@
 # spire
 
-![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.3](https://img.shields.io/badge/AppVersion-1.10.3-informational?style=flat-square)
+![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.0](https://img.shields.io/badge/AppVersion-1.11.0-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.

charts/spire/Chart.yaml

@@ -4,7 +4,7 @@ description: >
   A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
 version: 0.23.0
-appVersion: "1.10.3"
+appVersion: "1.11.0"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:

charts/spire/README.md

@@ -1,6 +1,6 @@
 # spire
 
-![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.3](https://img.shields.io/badge/AppVersion-1.10.3-informational?style=flat-square)
+![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.0](https://img.shields.io/badge/AppVersion-1.11.0-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@@ -92,6 +92,8 @@ We only support upgrading one major/minor version at a time. Version skipping is
 
 - You must upgrade [spire-crds](https://artifacthub.io/packages/helm/spiffe/spire-crds) to 0.5.0+ before performing this upgrade.
 
+- SPIRE changed the default in 1.11.0 from `spire-agent.workloadAttestors.k8s.useNewContainerLocator=false` to `spire-agent.workloadAttestors.k8s.useNewContainerLocator=true`
+
 - In order to make it easier to target specific SPIFFE IDs to workloads, a fallback feature was added to ClusterSPIFFEIDs so that a default ID will only apply when no others do. To change back to the previous behavior, use `spire-server.controllerManager.identities.clusterSPIFFEIDs.default.fallback=false`. The new default is unlikely to need changes.
 
 - We now set a hint of the ClusterSPIFFEID name on each entry created by default. This can be undone by setting the `hint=""` property on the ClusterSPIFFEID. The new default is unlikely to need changes.