Merge branch 'main' into release

spiffe · Nov 9, 2023 · 2108f80 · 2108f80
2 parents e458ca3 + 06d8cd2
commit 2108f80
Show file tree

Hide file tree

Showing 88 changed files with 1,379 additions and 871 deletions.
diff --git a/.github/tests/charts.json b/.github/tests/charts.json
@@ -2,26 +2,26 @@
   {
     "name": "kube-prometheus-stack",
     "repo": "https://prometheus-community.github.io/helm-charts",
-    "version": "51.8.0"
+    "version": "52.1.0"
   },
   {
     "name": "cert-manager",
     "repo": "https://charts.jetstack.io",
-    "version": "v1.13.1"
+    "version": "v1.13.2"
   },
   {
     "name": "ingress-nginx",
     "repo": "https://kubernetes.github.io/ingress-nginx",
-    "version": "4.8.2"
+    "version": "4.8.3"
   },
   {
     "name": "mysql",
     "repo": "https://charts.bitnami.com/bitnami",
-    "version": "9.12.5"
+    "version": "9.14.1"
   },
   {
     "name": "postgresql",
     "repo": "https://charts.bitnami.com/bitnami",
-    "version": "13.1.5"
+    "version": "13.2.1"
   }
 ]
diff --git a/.github/tests/common.sh b/.github/tests/common.sh
@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 
+GITHUB_STEP_SUMMARY="${GITHUB_STEP_SUMMARY:-/tmp/summary}"
+
 get_namespace_details () {
 cat <<EOF >>"$GITHUB_STEP_SUMMARY"
 ### Namespace $1

diff --git a/.github/tests/dependencies/spire-root-server-values.yaml b/.github/tests/dependencies/spire-root-server-values.yaml
@@ -2,11 +2,17 @@ global:
   spire:
     clusterName: production
     trustDomain: production.other
-    jwtIssuer: oidc-discovery.production.other
 
 spire-server:
   controllerManager:
-    enabled: false
+    identities:
+      namespaceSelector:
+        kubernetes.io/metadata.name: spire-server
+      podSelector:
+        app.kubernetes.io/component: server
+        app.kubernetes.io/instance: spire
+        app.kubernetes.io/name: server
+      downstream: true
   nodeAttestor:
     k8sPsat:
       serviceAccountAllowList:

diff --git a/.github/workflows/check-versions.yaml b/.github/workflows/check-versions.yaml
@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/[email protected].0
+        uses: actions/[email protected].1
 
       - name: Set up Helm
         uses: azure/[email protected]

diff --git a/.github/workflows/helm-chart-ci-ignore.yaml b/.github/workflows/helm-chart-ci-ignore.yaml
@@ -43,7 +43,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/[email protected].0
+        uses: actions/[email protected].1
 
       - id: set-matrix
         name: Collect all examples

diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml
@@ -32,7 +32,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/[email protected].0
+        uses: actions/[email protected].1
 
       - name: Verify Docs updated
         run: ./helm-docs.sh
@@ -94,7 +94,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/[email protected].0
+        uses: actions/[email protected].1
         with:
           fetch-depth: 0
 
@@ -109,7 +109,7 @@ jobs:
           python-version: ${{ env.PYTHON_VERSION }}
 
       - name: Setup chart-testing
-        uses: helm/chart-testing-action@v2.4.0
+        uses: helm/chart-testing-action@v2.6.1
         with:
           version: ${{ env.CHART_TESTING_VERSION }}
 
@@ -136,7 +136,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/[email protected].0
+        uses: actions/[email protected].1
         with:
           fetch-depth: 0
 
@@ -151,7 +151,7 @@ jobs:
           python-version: ${{ env.PYTHON_VERSION }}
 
       - name: Setup chart-testing
-        uses: helm/chart-testing-action@v2.4.0
+        uses: helm/chart-testing-action@v2.6.1
         with:
           version: ${{ env.CHART_TESTING_VERSION }}
 
@@ -185,7 +185,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/[email protected].0
+        uses: actions/[email protected].1
 
       - id: set-matrix
         name: Collect all examples
@@ -217,7 +217,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/[email protected].0
+        uses: actions/[email protected].1
 
       - name: Set up Helm
         uses: azure/[email protected]
@@ -261,7 +261,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/[email protected].0
+        uses: actions/[email protected].1
 
       - name: Set up Helm
         uses: azure/[email protected]

diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
@@ -19,7 +19,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/[email protected].0
+        uses: actions/[email protected].1
         with:
           fetch-depth: 0
 
@@ -29,7 +29,7 @@ jobs:
           git config user.email "[email protected]"
 
       - name: Setup cosign
-        uses: sigstore/cosign-installer@v3.1.2
+        uses: sigstore/cosign-installer@v3.2.0
         with:
           cosign-release: v2.2.0
 
@@ -39,7 +39,7 @@ jobs:
           version: v3.10.3
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.5.0
+        uses: helm/chart-releaser-action@v1.6.0
         env:
           CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
 

diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml
@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/[email protected].0
+        uses: actions/[email protected].1
 
       - name: Run Shellcheck
         uses: ludeeus/[email protected]

diff --git a/CODE-OF-CONDUCT.md b/CODE-OF-CONDUCT.md
@@ -1,8 +1,8 @@
-### Contributor Code of Conduct
+# Contributor Code of Conduct
 
 We follow the [CNCF Contributor Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md). Additionally, we commit to the following guidelines as detailed on the [Linkerd Code of Conduct](https://github.com/linkerd/linkerd/wiki/Linkerd-code-of-conduct):
 
-### Community Guidelines
+## Community Guidelines
 
 - Our goal is to foster an inclusive and diverse community of technology enthusiasts.
 
@@ -14,6 +14,6 @@ We follow the [CNCF Contributor Code of Conduct](https://github.com/cncf/foundat
 
 - We do our best to avoid [subtle-isms](https://www.recurse.com/manual#sub-sec-social-rules): small actions that make others feel uncomfortable. If you witness a subtle-ism, you may respectfully point it out to the person publicly or privately, or you may ask a moderator to say something. Accidentally saying something biased is common, expected, and readily forgiven. It is not in and of itself a bannable offense.
 
-### Moderation
+## Moderation
 
 - If you feel any of SPIFFE's communication channels require moderation, please e-mail the [SPIFFE Steering Committee (SSC)](mailto:[email protected]).
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -38,7 +38,8 @@ git rebase main
 
 Our CI pipeline takes care of the majority of the testing of this Chart. Other ways for you to test are by running `make test` locally using:
 
-> **Warning**: Ensure to run the test on a dedicated k8s cluster that does not have Spire installed yet.
+> [!Warning]
+> Ensure to run the test on a dedicated k8s cluster that does not have Spire installed yet.
 
 ```shell
 make test
@@ -48,7 +49,7 @@ Another approach to testing the chart is by installing one of the examples in yo
 
 ## Generating documentation
 
-Any changes to Chart.yaml or values.yaml require an update of the README.md. This update can easily be generated using [readme-generator](https://github.com/bitnami-labs/readme-generator-for-helm).
+Any changes to Chart.yaml or values.yaml require an update of the README.md. This update can easily be generated using [readme-generator][].
 
 ```shell
 ./helm-docs.sh

diff --git a/FAQ.md b/FAQ.md
@@ -36,25 +36,29 @@ helm repo add spiffe https://spiffe.github.io/helm-charts-hardened
 If you uninstall the SPIRE chart before all users of the CSI driver are removed, Pods will get stuck in a terminating state waiting for the driver, that no longer is installed, to unmount the volumes for the Pod. In order to fix this, reinstall the chart and remove all affected workloads that are not part of the SPIRE helm chart itself, before attempting to remove SPIRE again.
 
 You can discover Pods that use the driver with the following command:
-```
+
+```shell
 kubectl get pods --all-namespaces -o go-template='{{range .items}}{{$nn := printf "%s %s" .metadata.namespace .metadata.name}}{{range .spec.volumes}}{{if .csi.driver}}{{if eq .csi.driver "csi.spiffe.io"}}{{printf "%s\n" $nn}}{{end}}{{end}}{{end}}{{end}}'
 ```
 
 ## Uninstall is stuck. How do I fix it?
 
 If you uninstall the SPIFFE CSI driver manually before removing the chart, Pods can still be using the driver and are unable to unmount the CSI volume.
 
-To resolve, reinstall the chart before trying to remove it again. 
+To resolve, reinstall the chart before trying to remove it again.
 
 ## The PSAT plugin is not working
 
 The chart requires `Projected Service Account Tokens` which has to be enabled on your Kubernetes API server. In most cases this is already done for you.
 
-> **Note**: This is enabled by default with newer versions as shown by the existence of:
+> [!Note]
+> This is enabled by default with newer versions as shown by the existence of:
 >
+> ```yaml
 >        - --service-account-issuer
 >        - --service-account-key-file
 >        - --service-account-signing-key-file
+> ```
 
 See [Service Account Token Volume Projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) in the Kubernetes docs for more details.
 
@@ -64,7 +68,9 @@ command to SSH into the Docker Desktop K8s VM.
 ```bash
 docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
 ```
+
 Then add the following to `/etc/kubernetes/manifests/kube-apiserver.yaml`
+
 ```yaml
 spec:
   containers:

diff --git a/README.md b/README.md
@@ -1,4 +1,7 @@
-> **Note**: All the helm charts in this repo are beta. We encourage you to try them out and contribute. The API may change as we move towards a production ready release.
+> [!Note]
+> Things to consider:
+> 1. We do not support running out of the git main branch. This is where development happens. Please use released versions via the published repo or git tags.
+> 2. All the helm charts in this repo are beta. We encourage you to try them out and contribute. The API may change as we move towards a production ready release.
 
 # SPIFFE Helm Charts
 
@@ -8,24 +11,10 @@
 
 A suite of [Helm Charts](https://helm.sh/docs) for standardized installations of SPIRE components in Kubernetes environments.
 
-## Add Helm repository
+## How to install or upgrade
 
-```bash
-helm repo add spiffe https://spiffe.github.io/helm-charts/
-helm repo update
-```
-
-## Dependencies and Version Compatibility
-
-Unless otherwise noted in an application chart README, the following dependencies will follow these prescribed version compatibility rules.
-
-| Dependency | Supported Versions |
-|:-----------|:-------------------|
-| SPIRE      | `1.8.2`            |
-| Helm       | `3.x`              |
-| Kubernetes | `1.22+`            |
-
-> **Note**: For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden. *The first version we tested this chart with is `1.22`.*
+You most likely want to do an integrated setup based on the spire chart.
+See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire).
 
 ## Contributing
 

diff --git a/charts/spire-crds/README.md b/charts/spire-crds/README.md
@@ -7,6 +7,7 @@ A Helm chart to install the SPIRE CRDS.
 **Homepage:** <https://github.com/spiffe/helm-charts/tree/main/charts/spire>
 
 ## Maintainers
+
 | Name | Email | Url |
 | ---- | ------ | --- |
 | marcofranssen | <[email protected]> | <https://marcofranssen.nl> |
@@ -16,8 +17,8 @@ A Helm chart to install the SPIRE CRDS.
 
 ## Source Code
 
-* <https://github.com/spiffe/helm-charts/tree/main/charts/spire>
+* <https://github.com/spiffe/helm-charts/tree/main/charts/spire-crds>
 
-<!-- The Parameters section is generated using helm-docs.sh -->
+<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
 
 ## Parameters
diff --git a/charts/spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml b/charts/spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml
@@ -65,6 +65,9 @@ spec:
                 description: BundleEndpointURL is the URL of the bundle endpoint.
                   It must be an HTTPS URL and cannot contain userinfo (i.e. username/password).
                 type: string
+              className:
+                description: Set the class of controller to handle this object.
+                type: string
               trustDomain:
                 description: TrustDomain is the name of the trust domain to federate
                   with (e.g. example.org)
@@ -89,3 +92,9 @@ spec:
     storage: true
     subresources:
       status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml b/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml
@@ -41,6 +41,10 @@ spec:
                   access the SPIRE administrative APIs. Extra care should be taken
                   to only apply this SPIFFE ID to admin workloads.
                 type: boolean
+              autoPopulateDNSNames:
+                description: AutoPopulateDNSNames indicates whether or not to auto
+                  populate service DNS names.
+                type: boolean
               dnsNameTemplates:
                 description: DNSNameTemplate represents templates for extra DNS names
                   that are applicable to SVIDs minted for this ClusterSPIFFEID. The
@@ -53,6 +57,9 @@ spec:
                 description: Downstream indicates that the entry describes a downstream
                   SPIRE server.
                 type: boolean
+              className:
+                description: Set the class of controller to handle this object.
+                type: string
               federatesWith:
                 description: FederatesWith is a list of trust domain names that workloads
                   that obtain this SPIFFE ID will federate with.
@@ -224,3 +231,9 @@ spec:
     storage: true
     subresources:
       status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/charts/spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml b/charts/spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml
@@ -39,6 +39,9 @@ spec:
             properties:
               admin:
                 type: boolean
+              className:
+                description: Set the class of controller to handle this object.
+                type: string
               dnsNames:
                 items:
                   type: string
@@ -90,3 +93,9 @@ spec:
     storage: true
     subresources:
       status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []