From 0b14535e9c9b5e097b992d151ffaca7c3335a917 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 30 Oct 2024 07:57:13 -0700 Subject: [PATCH 01/12] Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 in /tests (#488) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.20.2 to 2.21.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.20.2...v2.21.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/go.mod | 16 ++++++++-------- tests/go.sum | 32 ++++++++++++++++---------------- 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index 9d9e027bc..48184d571 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -4,7 +4,7 @@ go 1.21 toolchain go1.22.5 require ( - github.com/onsi/ginkgo/v2 v2.20.2 + github.com/onsi/ginkgo/v2 v2.21.0 github.com/onsi/gomega v1.34.2 helm.sh/helm/v3 v3.16.2 ) @@ -30,7 +30,7 @@ require ( github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 // indirect + github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect github.com/google/uuid v1.6.0 // indirect github.com/huandu/xstrings v1.5.0 // indirect github.com/josharian/intern v1.0.0 // indirect 
@@ -48,14 +48,14 @@ require ( github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect - golang.org/x/crypto v0.27.0 // indirect - golang.org/x/net v0.28.0 // indirect + golang.org/x/crypto v0.28.0 // indirect + golang.org/x/net v0.30.0 // indirect golang.org/x/oauth2 v0.21.0 // indirect - golang.org/x/sys v0.25.0 // indirect - golang.org/x/term v0.24.0 // indirect - golang.org/x/text v0.18.0 // indirect + golang.org/x/sys v0.26.0 // indirect + golang.org/x/term v0.25.0 // indirect + golang.org/x/text v0.19.0 // indirect golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.24.0 // indirect + golang.org/x/tools v0.26.0 // indirect google.golang.org/protobuf v1.34.2 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/tests/go.sum b/tests/go.sum index 166f8dbb5..c25b83036 100644 --- a/tests/go.sum +++ b/tests/go.sum 
@@ -46,8 +46,8 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 h1:5iH8iuqE5apketRbSFBy+X1V0o+l+8NF1avt4HWl7cA= -github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo= +github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= 
@@ -78,8 +78,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4= -github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag= +github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM= +github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8= github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 
@@ -118,16 +118,16 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= -golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= +golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= +golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= -golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= +golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -136,22 +136,22 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= -golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= -golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= +golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= +golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= -golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod 
h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= -golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= +golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ= +golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From 5f5fd6a484557ea04fd314b527f983872a28251f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 30 Oct 2024 10:31:11 -0700 Subject: [PATCH 02/12] Bump github.com/onsi/gomega from 1.34.2 to 1.35.0 in /tests (#489) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.34.2 to 1.35.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.34.2...v1.35.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/go.mod | 4 ++-- tests/go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index 48184d571..cf024eaf4 100644 --- a/tests/go.mod +++ b/tests/go.mod 
@@ -5,7 +5,7 @@ toolchain go1.22.5 require ( github.com/onsi/ginkgo/v2 v2.21.0 - github.com/onsi/gomega v1.34.2 + github.com/onsi/gomega v1.35.0 helm.sh/helm/v3 v3.16.2 ) @@ -56,7 +56,7 @@ require ( golang.org/x/text v0.19.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.26.0 // indirect - google.golang.org/protobuf v1.34.2 // indirect + google.golang.org/protobuf v1.35.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/tests/go.sum b/tests/go.sum index c25b83036..b6f8c09a9 100644 --- a/tests/go.sum +++ b/tests/go.sum @@ -80,8 +80,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM= github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= -github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8= -github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= +github.com/onsi/gomega v1.35.0 h1:xuM1M/UvMp9BCdS4hojhS9/4jEuVqS9Er3bqupeaoPM= +github.com/onsi/gomega v1.35.0/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 
@@ -156,8 +156,8 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= -google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= +google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= +google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= From 4993b671b535f8486cbe75fd0ce215cfed84b3c2 Mon Sep 17 00:00:00 2001 From: Mattias Gees Date: Fri, 1 Nov 2024 12:26:15 +0000 Subject: [PATCH 03/12] Fix GCS Bundle endpoint format variable (#491) The GCS Bundle endpoint configuration was pointing to the S3 Format variable instead of the GCS one. Signed-off-by: Mattias Gees --- charts/spire/charts/spire-server/templates/configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index f365cec04..6f25dafbb 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml 
@@ -307,7 +307,7 @@ plugins: plugin_data: bucket_name: {{ .Values.bundlePublisher.gcpCloudStorage.bucketName | quote }} object_name: {{ .Values.bundlePublisher.gcpCloudStorage.objectName | quote }} - format: {{ .Values.bundlePublisher.awsS3.format | quote }} + format: {{ .Values.bundlePublisher.gcpCloudStorage.format | quote }} {{- end }} {{- end }} From 9b1b8b37a29b1d8e5bb481f377e9eb7dc5a057ba Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 3 Nov 2024 05:44:22 -0800 Subject: [PATCH 04/12] Bump github.com/onsi/gomega from 1.35.0 to 1.35.1 in /tests (#490) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.35.0 to 1.35.1. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.35.0...v1.35.1) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/go.mod | 2 +- tests/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index cf024eaf4..1617203a4 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -5,7 +5,7 @@ toolchain go1.22.5 require ( github.com/onsi/ginkgo/v2 v2.21.0 - github.com/onsi/gomega v1.35.0 + github.com/onsi/gomega v1.35.1 helm.sh/helm/v3 v3.16.2 ) diff --git a/tests/go.sum b/tests/go.sum index b6f8c09a9..a6f26aade 100644 --- a/tests/go.sum +++ b/tests/go.sum 
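Review bot: Nothing in the commit pins the corrected value, so the same copy-paste can recur unnoticed: a render test that enables the GCS bundle publisher with a `bundlePublisher.gcpCloudStorage.format` distinct from `bundlePublisher.awsS3.format` and asserts the `format:` line under `bucket_name`/`object_name` carries the GCS value would catch it. The template also assumes `.Values.bundlePublisher.gcpCloudStorage.format` is defined; if the chart's values.yaml declares no default for it (not visible here), `quote` renders an empty string and the server is silently configured with `format: ""`, whereas `format: {{ required "bundlePublisher.gcpCloudStorage.format is required" .Values.bundlePublisher.gcpCloudStorage.format | quote }}` fails the render instead. A sentence in the release notes that deployments setting different S3 and GCS formats were publishing the GCS bundle in the S3 format until this fix would let operators verify the published object. The `{{- if }}` blocks closed by the two `{{- end }}` lines start outside the hunk.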
@@ -80,8 +80,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM= github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= -github.com/onsi/gomega v1.35.0 h1:xuM1M/UvMp9BCdS4hojhS9/4jEuVqS9Er3bqupeaoPM= -github.com/onsi/gomega v1.35.0/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= +github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4= +github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= From d5777c3dd27cef4cff3b6ffb275b4555bd009ee8 Mon Sep 17 00:00:00 2001 From: "spire-helm-version-checker[bot]" <161522935+spire-helm-version-checker[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 05:39:24 -0800 Subject: [PATCH 05/12] Bump test chart dependencies (#493) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com> --- .github/tests/charts.json | 4 ++-- .../spire/charts/spiffe-oidc-discovery-provider/README.md | 6 +++--- .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 6 +++--- charts/spire/charts/spire-agent/README.md | 6 +++--- charts/spire/charts/spire-agent/values.yaml | 6 +++--- charts/spire/charts/spire-server/README.md | 4 ++-- charts/spire/charts/spire-server/values.yaml | 4 ++-- charts/spire/charts/tornjak-frontend/README.md | 2 +- charts/spire/charts/tornjak-frontend/values.yaml | 2 +- 9 files changed, 20 insertions(+), 20 deletions(-) 
diff --git a/.github/tests/charts.json b/.github/tests/charts.json
index 090e64d4c..c65c55ea6 100644
--- a/.github/tests/charts.json
+++ b/.github/tests/charts.json
@@ -2,7 +2,7 @@
 {
 "name": "kube-prometheus-stack",
 "repo": "https://prometheus-community.github.io/helm-charts",
- "version": "65.5.0"
+ "version": "65.5.1"
 },
 {
 "name": "cert-manager",
@@ -22,6 +22,6 @@
 {
 "name": "postgresql",
 "repo": "https://charts.bitnami.com/bitnami",
- "version": "16.0.6"
+ "version": "16.1.1"
 }
 ]
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
index 40d50cda4..562f8821c 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
@@ -117,15 +117,15 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:424ac4637dac08a4594643b548d9af10144dcd6360b4b319a4c143841bf0bfee` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:218fbcbc011b48808354d652a1fee26c934b195e4d64ebda40e1989c90365d78` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.27.5` | +| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.28.0` | | `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | | `tests.busybox.image.repository` | The repository within the registry | `busybox` | | `tests.busybox.image.pullPolicy` | The image pull 
policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 7ad04e2fd..3a7200da0 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -332,7 +332,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2 + tag: latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1 toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -344,7 +344,7 @@ tests: registry: cgr.dev repository: chainguard/min-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:424ac4637dac08a4594643b548d9af10144dcd6360b4b319a4c143841bf0bfee + tag: latest@sha256:218fbcbc011b48808354d652a1fee26c934b195e4d64ebda40e1989c90365d78 step: ## @param tests.step.image.registry The OCI registry to pull the image from @@ -356,7 +356,7 @@ tests: registry: "docker.io" repository: smallstep/step-cli pullPolicy: IfNotPresent - tag: 0.27.5 + tag: 0.28.0 busybox: ## @param tests.busybox.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index a51518508..abe9b9e49 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -70,7 +70,7 @@ A Helm chart to install the SPIRE agent.
 | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` |
 | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` |
-| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2` |
+| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1` |
 | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
 | `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` |
 | `nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s Node Attestor | `true` |
@@ -114,12 +114,12 @@ A Helm chart to install the SPIRE agent.
 | `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` |
 | `socketAlternate.image.pullPolicy` | The image pull policy | `Always` |
-| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2` |
+| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1` |
 | `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
 | `hostCert.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `hostCert.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` |
 | `hostCert.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `hostCert.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:424ac4637dac08a4594643b548d9af10144dcd6360b4b319a4c143841bf0bfee` |
+| `hostCert.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:218fbcbc011b48808354d652a1fee26c934b195e4d64ebda40e1989c90365d78` |
 | `hostCert.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
 | `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` |
 | `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` |
diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml
index 94b405d3b..1505e08a7 100644
--- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -153,7 +153,7 @@ fsGroupFix: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2 + tag: latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1 ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} @@ -280,7 +280,7 @@ socketAlternate: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2 + tag: latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1 ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} @@ -295,7 +295,7 @@ hostCert: registry: cgr.dev repository: chainguard/min-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:424ac4637dac08a4594643b548d9af10144dcd6360b4b319a4c143841bf0bfee + tag: latest@sha256:218fbcbc011b48808354d652a1fee26c934b195e4d64ebda40e1989c90365d78 ## @param hostCert.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 218eaa22a..4a74d2b3d 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -434,7 +434,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `chown.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `chown.image.repository` | The repository within the registry | `chainguard/bash` | | `chown.image.pullPolicy` | The image pull policy | `Always` | -| `chown.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2` | +| `chown.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1` | | `chown.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `experimental.enabled` | Allow configuration of experimental features | `false` | | `experimental.cacheReloadInterval` | The amount of time between two reloads of the in-memory entry cache. | `5s` | @@ -447,5 +447,5 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1` | | `kubeConfigs` | Manage additional kubeconfig files to talk to external Kubernetes clusters | `{}` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 52f13fd3f..30a69288f 100644 
--- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -1098,7 +1098,7 @@ chown: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2 + tag: latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1 ## @param chown.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} @@ -1133,7 +1133,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2 + tag: latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1 ## @param kubeConfigs [object] Manage additional kubeconfig files to talk to external Kubernetes clusters kubeConfigs: {} diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index d225ba9af..0130fc888 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -101,4 +101,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 19859f186..c2051c941 100644 
--- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -162,4 +162,4 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2 + tag: latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1 From ec7259699f59046826fdfad3fb7f160caf8ae900 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Thu, 7 Nov 2024 23:43:26 -0800 Subject: [PATCH 06/12] spiffe-step-ssh server (#198) * Initial prototype of spire-step-ssh integration Signed-off-by: Kevin Fox * Ingress work, image cleanup and misc cleanup Signed-off-by: Kevin Fox * More values rework Signed-off-by: Kevin Fox * Rename chart spiffe-step-ssh Signed-off-by: Kevin Fox * Update to use shared lib Signed-off-by: Kevin Fox * Update spiffe-helper Signed-off-by: Kevin Fox * Use URLSAN rather then CN Signed-off-by: Kevin Fox * Lookup the sans. Signed-off-by: Kevin Fox * Make trust domain configurable Signed-off-by: Kevin Fox * Add flag Signed-off-by: Kevin Fox * Make driver configurable Signed-off-by: Kevin Fox * Add more configurables. Fix up docs to pass test. Signed-off-by: Kevin Fox * Add some metadata Signed-off-by: Kevin Fox * Fix metadata Signed-off-by: Kevin Fox * Add default values for lint Signed-off-by: Kevin Fox * Forgot values updates Signed-off-by: Kevin Fox * Fix metadata Signed-off-by: Kevin Fox * Start working on integration test Signed-off-by: Kevin Fox * Test Signed-off-by: Kevin Fox * Test Signed-off-by: Kevin Fox * Fix names Signed-off-by: Kevin Fox * More test bits Signed-off-by: Kevin Fox * More test bits Signed-off-by: Kevin Fox * More test bits Signed-off-by: Kevin Fox * More test bits Signed-off-by: Kevin Fox * More test bits Signed-off-by: Kevin Fox * More test bits Signed-off-by: Kevin Fox * More fixes Signed-off-by: Kevin Fox * More fixes Signed-off-by: Kevin Fox * More fixes 
Signed-off-by: Kevin Fox * Fix name conflict. Align naming Signed-off-by: Kevin Fox * Fix name Signed-off-by: Kevin Fox * Add more logging Signed-off-by: Kevin Fox * Disable unneeded test. Add missing file. Signed-off-by: Kevin Fox * Setup more things Signed-off-by: Kevin Fox * Add missing conf file Signed-off-by: Kevin Fox * Fix multiple svids Signed-off-by: Kevin Fox * Fix ci defaults Signed-off-by: Kevin Fox * Fix filename Signed-off-by: Kevin Fox * Try and get the linter to stop complaining... Signed-off-by: Kevin Fox * Fix perms Signed-off-by: Kevin Fox * More logs Signed-off-by: Kevin Fox * More setup Signed-off-by: Kevin Fox * Fixes Signed-off-by: Kevin Fox * Fixes Signed-off-by: Kevin Fox * Add wait Signed-off-by: Kevin Fox * More logging Signed-off-by: Kevin Fox * Test ssh Signed-off-by: Kevin Fox * Restart fetchca on updates too Signed-off-by: Kevin Fox * Fix formating Signed-off-by: Kevin Fox * Add missing file flag Signed-off-by: Kevin Fox * Increase timeout Signed-off-by: Kevin Fox * More flags Signed-off-by: Kevin Fox * Fix name Signed-off-by: Kevin Fox * Finish end to end test Signed-off-by: Kevin Fox * Fix ingress setting Signed-off-by: Kevin Fox * More logging/tests Signed-off-by: Kevin Fox * More testing Signed-off-by: Kevin Fox * Fix namespace Signed-off-by: Kevin Fox * Fetch correct bundle Signed-off-by: Kevin Fox * Chart testing will fail as it depends on spire to be preinstalled. Weird dependency loop. Signed-off-by: Kevin Fox * Dont skip tls for testing Signed-off-by: Kevin Fox * More logging Signed-off-by: Kevin Fox * More debug Signed-off-by: Kevin Fox * More debug Signed-off-by: Kevin Fox * Pass intermediates Signed-off-by: Kevin Fox * Fix trustdomain Signed-off-by: Kevin Fox * Add ca authority prefix Signed-off-by: Kevin Fox * fix Signed-off-by: Kevin Fox * fix Signed-off-by: Kevin Fox * fix Signed-off-by: Kevin Fox * ci test is just broken. Revert trying to fix it. 
Signed-off-by: Kevin Fox * Update charts/spiffe-step-ssh/files/ssh_x5c.tpl Signed-off-by: kfox1111 * Self review feedback Signed-off-by: Kevin Fox * Switch ingress to our more functional/easy type Signed-off-by: Kevin Fox * Simplify the template Signed-off-by: Kevin Fox * Add cast Signed-off-by: Kevin Fox * Add install notes Signed-off-by: Kevin Fox * Fix test Signed-off-by: Kevin Fox * Update tests for updated client Signed-off-by: Kevin Fox * Fix logging and entry Signed-off-by: Kevin Fox * Add missing dir Signed-off-by: Kevin Fox * Fix file location Signed-off-by: Kevin Fox * Update timeout Signed-off-by: Kevin Fox * More logging Signed-off-by: Kevin Fox * Fix filename Signed-off-by: Kevin Fox * Fix perms Signed-off-by: Kevin Fox * Update charts/spiffe-step-ssh/README.md Signed-off-by: kfox1111 * Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 --------- Signed-off-by: Kevin Fox 
Signed-off-by: kfox1111 Co-authored-by: Faisal Memon --- .github/tests/common.sh | 10 + .github/workflows/helm-chart-ci.yaml | 2 +- charts/spiffe-step-ssh/Chart.yaml | 42 +++ charts/spiffe-step-ssh/README.md | 65 ++++ charts/spiffe-step-ssh/ci/default-values.yaml | 1 + charts/spiffe-step-ssh/files/ssh_x5c.tpl | 13 + charts/spiffe-step-ssh/templates/NOTES.txt | 5 + charts/spiffe-step-ssh/templates/_helpers.tpl | 83 +++++ .../templates/config-configmap.yaml | 25 ++ .../templates/config-deployment.yaml | 143 +++++++++ .../templates/config-role.yaml | 41 +++ .../templates/config-serviceaccount.yaml | 13 + .../templates/fetchca-configmap.yaml | 28 ++ .../templates/fetchca-deployment.yaml | 182 +++++++++++ .../templates/fetchca-hpa.yaml | 32 ++ .../templates/fetchca-ingress.yaml | 31 ++ .../templates/fetchca-service.yaml | 17 + .../templates/fetchca-serviceaccount.yaml | 12 + ...sh-certificate-issuer-password-secret.yaml | 8 + .../templates/step-ca-password-secret.yaml | 8 + .../templates/step-certs-configmap.yaml | 15 + .../templates/step-config.yaml | 32 ++ .../templates/step-ingress.yaml | 31 ++ .../templates/step-secret.yaml | 11 + .../step-ssh-host-ca-password-secret.yaml | 8 + .../step-ssh-user-ca-password-secret.yaml | 8 + charts/spiffe-step-ssh/values.yaml | 292 ++++++++++++++++++ .../spiffe-step-ssh/ingress-values.yaml | 8 + .../spiffe-step-ssh/root-values.yaml | 45 +++ .../integration/spiffe-step-ssh/run-tests.sh | 170 ++++++++++ .../spiffe-step-ssh/spire-agent.conf | 25 ++ 31 files changed, 1405 insertions(+), 1 deletion(-) create mode 100644 charts/spiffe-step-ssh/Chart.yaml create mode 100644 charts/spiffe-step-ssh/README.md create mode 100644 charts/spiffe-step-ssh/ci/default-values.yaml create mode 100644 charts/spiffe-step-ssh/files/ssh_x5c.tpl create mode 100644 charts/spiffe-step-ssh/templates/NOTES.txt create mode 100644 charts/spiffe-step-ssh/templates/_helpers.tpl create mode 100644 charts/spiffe-step-ssh/templates/config-configmap.yaml create mode 
100644 charts/spiffe-step-ssh/templates/config-deployment.yaml create mode 100644 charts/spiffe-step-ssh/templates/config-role.yaml create mode 100644 charts/spiffe-step-ssh/templates/config-serviceaccount.yaml create mode 100644 charts/spiffe-step-ssh/templates/fetchca-configmap.yaml create mode 100644 charts/spiffe-step-ssh/templates/fetchca-deployment.yaml create mode 100644 charts/spiffe-step-ssh/templates/fetchca-hpa.yaml create mode 100644 charts/spiffe-step-ssh/templates/fetchca-ingress.yaml create mode 100644 charts/spiffe-step-ssh/templates/fetchca-service.yaml create mode 100644 charts/spiffe-step-ssh/templates/fetchca-serviceaccount.yaml create mode 100644 charts/spiffe-step-ssh/templates/ssh-certificate-issuer-password-secret.yaml create mode 100644 charts/spiffe-step-ssh/templates/step-ca-password-secret.yaml create mode 100644 charts/spiffe-step-ssh/templates/step-certs-configmap.yaml create mode 100644 charts/spiffe-step-ssh/templates/step-config.yaml create mode 100644 charts/spiffe-step-ssh/templates/step-ingress.yaml create mode 100644 charts/spiffe-step-ssh/templates/step-secret.yaml create mode 100644 charts/spiffe-step-ssh/templates/step-ssh-host-ca-password-secret.yaml create mode 100644 charts/spiffe-step-ssh/templates/step-ssh-user-ca-password-secret.yaml create mode 100644 charts/spiffe-step-ssh/values.yaml create mode 100644 tests/integration/spiffe-step-ssh/ingress-values.yaml create mode 100644 tests/integration/spiffe-step-ssh/root-values.yaml create mode 100755 tests/integration/spiffe-step-ssh/run-tests.sh create mode 100644 tests/integration/spiffe-step-ssh/spire-agent.conf diff --git a/.github/tests/common.sh b/.github/tests/common.sh index d833cf68d..cead98833 100755 --- a/.github/tests/common.sh +++ b/.github/tests/common.sh 
@@ -82,6 +82,16 @@ while true; do done ) +common_test_file_exists () ( +count=20 +while true; do + if [ -f "$1" ]; then exit 0; fi + sleep 2 + count=$((count-1)) + [ $count -le 0 ] && exit 1 +done +) + # Used just for testing. You should provide your own values as described in the install instructions. common_test_your_values () { cat > /tmp/$$.example-your-values.yaml < spiffe-step-ssh-password.txt +step ca init --helm --deployment-type=Standalone --name='My CA' --dns spiffe-step-ssh.example.org --ssh --address :8443 --provisioner default --password-file spiffe-step-ssh-password.txt > spiffe-step-ssh-values.yaml +``` + +ingress-values.yaml +```yaml +global: + spiffe: + ingressControllerType: ingress-nginx +stepIngress: + enabled: true +fetchCA: + ingress: + enabled: true +``` + +```shell +helm upgrade --install spiffe-step-ssh . --set caPassword=`cat spiffe-step-ssh-password.txt` -f spiffe-step-ssh-values.yaml -f ingress-values.yaml --set trustDomain=example.org +``` + + + +## Parameters diff --git a/charts/spiffe-step-ssh/ci/default-values.yaml b/charts/spiffe-step-ssh/ci/default-values.yaml new file mode 100644 index 000000000..3fe430bd4 --- /dev/null +++ b/charts/spiffe-step-ssh/ci/default-values.yaml @@ -0,0 +1 @@ +trustDomain: example.org diff --git a/charts/spiffe-step-ssh/files/ssh_x5c.tpl b/charts/spiffe-step-ssh/files/ssh_x5c.tpl new file mode 100644 index 000000000..292bcdbc0 --- /dev/null +++ b/charts/spiffe-step-ssh/files/ssh_x5c.tpl @@ -0,0 +1,13 @@ +{{- if eq (len .AuthorizationCrt.URIs) 1 }} +{{- $san := printf "%s" (index .AuthorizationCrt.URIs 0) }} +{{- if hasPrefix "spiffe://@TRUST_DOMAIN@/@PREFIX@/" $san }} +{{- $name := trimPrefix "spiffe://@TRUST_DOMAIN@/@PREFIX@/" $san }} +{ + "type": {{ toJson .Type }}, + "keyId": {{ toJson $name }}, + "principals": [{{ toJson $name }}], + "extensions": {{ toJson .Extensions }}, + "criticalOptions": {{ toJson .CriticalOptions }} +} +{{- end }} +{{- end }} 
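Review bot: `common_test_file_exists` exits 1 after its 20×2 s wait without naming the path it was waiting for, so a CI timeout leaves nothing useful in the log; change the loop's last line to `[ $count -le 0 ] && { echo "timed out waiting for $1" >&2; exit 1; }`. The 40 s ceiling is also hard-coded; if a caller ever needs longer, `count=${2:-20}` keeps today's behaviour while allowing an override. The `common_test_your_values` definition that follows continues outside the hunk.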
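Review bot: `$name` is whatever follows the `spiffe://@TRUST_DOMAIN@/@PREFIX@/` prefix and is used unchecked as both `keyId` and the sole principal, so a SPIFFE ID that is exactly the prefix yields an empty principal and one with further path segments yields a principal containing `/`. Adding `{{- if and (ne $name "") (not (contains "/" $name)) }}` after the `$name` assignment, with a matching `{{- end }}`, keeps the issued principal to a single non-empty path segment (Sprig's `contains` takes the substring first). The template renders nothing when a check fails, which presumably makes step-ca reject the request; a short comment stating that this is the intended failure mode would help the next reader.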
diff --git a/charts/spiffe-step-ssh/templates/NOTES.txt b/charts/spiffe-step-ssh/templates/NOTES.txt new file mode 100644 index 000000000..1a8bc499b --- /dev/null +++ b/charts/spiffe-step-ssh/templates/NOTES.txt @@ -0,0 +1,5 @@ +Installed {{ .Chart.Name }}… + +Configure your ssh clients with known_hosts file with: + +@cert-authority *.{{ .Values.trustDomain }} {{ .Values.inject.certificates.ssh_host_ca }} diff --git a/charts/spiffe-step-ssh/templates/_helpers.tpl b/charts/spiffe-step-ssh/templates/_helpers.tpl new file mode 100644 index 000000000..415702b0b --- /dev/null +++ b/charts/spiffe-step-ssh/templates/_helpers.tpl 
@@ -0,0 +1,83 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "spiffe-step-ssh.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "spiffe-step-ssh.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "spiffe-step-ssh.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "spiffe-step-ssh.labels" -}} +helm.sh/chart: {{ include "spiffe-step-ssh.chart" . }} +{{ include "spiffe-step-ssh.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "spiffe-step-ssh.selectorLabels" -}} +app.kubernetes.io/name: {{ include "spiffe-step-ssh.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "spiffe-step-ssh.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "spiffe-step-ssh.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* Takes in a dictionary with keys: + * global - the standard global object + * ingress - a standard format ingress config object +*/}} +{{- define "spiffe-step-ssh.ingress-controller-type" }} +{{- $type := "" }} +{{- if ne (len (dig "spiffe" "ingressControllerType" "" .global)) 0 }} +{{- $type = .global.spiffe.ingressControllerType }} +{{- else if ne .ingress.controllerType "" }} +{{- $type = .ingress.controllerType }} +{{- else if (dig "openshift" false .global) }} +{{- $type = "openshift" }} +{{- else }} +{{- $type = "other" }} +{{- end }} +{{- if not (has $type (list "ingress-nginx" "openshift" "other")) }} +{{- fail "Unsupported ingress controller type specified. Must be one of [ingress-nginx, openshift, other]" }} +{{- end }} +{{- $type }} +{{- end }} diff --git a/charts/spiffe-step-ssh/templates/config-configmap.yaml b/charts/spiffe-step-ssh/templates/config-configmap.yaml new file mode 100644 index 000000000..ef40ee7d6 --- /dev/null +++ b/charts/spiffe-step-ssh/templates/config-configmap.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "spiffe-step-ssh.fullname" . }}-config-deployment + labels: + {{- include "spiffe-step-ssh.labels" . | nindent 4 }} +data: + spiffe-helper.conf: | + agent_address = "/spiffe-workload-api/spire-agent.sock" + cmd = "sh" + cmd_args = "/config-deployment/update.sh" + cert_dir = "/certs" + svid_file_name = "tls.crt" + svid_key_file_name = "tls.key" + svid_bundle_file_name = "ca.pem" + add_intermediates_to_bundle = false + update.sh: | + #!/bin/sh + export ROOTS=$(base64 /certs/ca.pem | tr '\n' ' ' | sed 's/ //g') + echo Updating Roots to "$ROOTS" + cat /config/ca.json > /work/ca.json + yq e -i -ojson '.authority.provisioners |= map(select(.name == "x5c@spiffe").roots = env(ROOTS))' /work/ca.json + /helper/kubectl create configmap {{ include "spiffe-step-ssh.fullname" . }}-config -n "{{ .Release.Namespace }}" --from-file=/work/ca.json --from-file=/config/defaults.json --from-file=/config/ssh_x5c.tpl --dry-run=client -o yaml | /helper/kubectl apply -f - + /helper/kubectl rollout restart statefulset {{ include "spiffe-step-ssh.fullname" . }} -n "{{ .Release.Namespace }}" + echo $? diff --git a/charts/spiffe-step-ssh/templates/config-deployment.yaml b/charts/spiffe-step-ssh/templates/config-deployment.yaml new file mode 100644 index 000000000..e8b51333f --- /dev/null +++ b/charts/spiffe-step-ssh/templates/config-deployment.yaml 
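Review bot: `update.sh` has no `set -e`, so when `kubectl apply` fails the script still runs `rollout restart` on the statefulset, and the trailing `echo $?` only prints the status rather than propagating it; add `set -e` after the shebang and drop `echo $?` so a failed apply aborts before the restart. The script also runs on every spiffe-helper invocation, which presumably includes routine SVID rotation, so step-ca would be restarted even when `ROOTS` is unchanged; comparing the regenerated `ca.json` with the current configmap contents before applying would avoid that. A comment on `ROOTS` noting that it must be single-line base64 (hence the `tr`/`sed` pipeline) would explain the otherwise odd-looking command.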
@@ -0,0 +1,143 @@ +{{- $configSum := (include (print $.Template.BasePath "/config-configmap.yaml") . | sha256sum) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "spiffe-step-ssh.fullname" . }}-config + labels: + {{- include "spiffe-step-ssh.labels" . | nindent 4 }} + app: spiffe-step-ssh + component: config +spec: + replicas: 1 + selector: + matchLabels: + {{- include "spiffe-step-ssh.selectorLabels" . | nindent 6 }} + app: spiffe-step-ssh + component: config + template: + metadata: + annotations: + checksum/config: {{ $configSum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "spiffe-step-ssh.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + app: spiffe-step-ssh + component: config + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "spiffe-step-ssh.serviceAccountName" . 
}}-svc-config + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + initContainers: + - name: setup-volume-p1 + image: {{ template "spire-lib.image" (dict "image" .Values.busybox.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.busybox.image.pullPolicy }} + command: + - sh + - -c + - 'cp -a /bin/busybox /helper' + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + volumeMounts: + - name: spiffe-helper + mountPath: /helper + resources: + {{- toYaml .Values.config.resources | nindent 12 }} + - name: setup-volume-p2 + image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }} + imagePullPolicy: {{ .Values.kubectl.image.pullPolicy }} + command: + - /helper/busybox + - sh + - -c + - '/helper/busybox cp -a /bin/kubectl /helper' + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + volumeMounts: + - name: spiffe-helper + mountPath: /helper + resources: + {{- toYaml .Values.config.resources | nindent 12 }} + - name: setup-volume-p3 + image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }} + command: + - /helper/busybox + - sh + - -c + - '/helper/busybox cp -a /spiffe-helper /helper && /helper/busybox rm -f /helper/busybox' + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + volumeMounts: + - name: spiffe-helper + mountPath: /helper + resources: + {{- toYaml .Values.config.resources | nindent 12 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: {{ template "spire-lib.image" (dict "image" .Values.yq.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.yq.image.pullPolicy }} + command: + - /helper/spiffe-helper + - -config + - 
/config-deployment/spiffe-helper.conf + resources: + {{- toYaml .Values.config.resources | nindent 12 }} + volumeMounts: + - name: spiffe-helper + mountPath: /helper + readOnly: true + - name: config + mountPath: /config + readOnly: true + - name: config-deployment + mountPath: /config-deployment + readOnly: true + - name: certdir + mountPath: /certs + - name: spiffe-workload-api + mountPath: /spiffe-workload-api + readOnly: true + - name: workdir + mountPath: /work + volumes: + - name: spiffe-workload-api + csi: + driver: {{ .Values.csiDriver | quote }} + readOnly: true + - name: config-deployment + configMap: + name: {{ include "spiffe-step-ssh.fullname" . }}-config-deployment + - name: config + configMap: + name: {{ include "spiffe-step-ssh.fullname" . }}-config-raw + - name: certdir + emptyDir: {} + - name: spiffe-helper-config + emptyDir: {} + - name: spiffe-helper + emptyDir: {} + - name: workdir + emptyDir: {} + {{- with .Values.config.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.config.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.config.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/spiffe-step-ssh/templates/config-role.yaml b/charts/spiffe-step-ssh/templates/config-role.yaml new file mode 100644 index 000000000..f44f1209b --- /dev/null +++ b/charts/spiffe-step-ssh/templates/config-role.yaml 
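Review bot: the `spiffe-helper-config` emptyDir declared under `volumes` is not mounted by any init or main container in this hunk, so it is dead configuration; remove the two lines `- name: spiffe-helper-config` / `emptyDir: {}`. The `checksum/config` annotation hashes only `config-configmap.yaml`, while the `config` volume mounts `-config-raw`, which is defined outside this hunk; if that configmap changes, this pod will not roll, which is presumably intended since `update.sh` is driven by spiffe-helper rather than by pod restarts — a comment on the annotation saying so would prevent a future "fix". The main container's `spiffe-helper` mount is `readOnly: true`, which is the right choice given the init containers populate it.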
@@ -0,0 +1,41 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config +rules: + - apiGroups: [""] + resources: [configmaps] + verbs: + - create + - apiGroups: [""] + resources: [configmaps] + resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}-config] + verbs: + - get + - update + - patch + - apiGroups: ["apps"] + resources: [statefulsets] + resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}] + verbs: + - get + - patch + - apiGroups: ["apps"] + resources: [deployments] + resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}-fetchca] + verbs: + - get + - patch +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config +subjects: + - kind: ServiceAccount + name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config + apiGroup: rbac.authorization.k8s.io diff --git a/charts/spiffe-step-ssh/templates/config-serviceaccount.yaml b/charts/spiffe-step-ssh/templates/config-serviceaccount.yaml new file mode 100644 index 000000000..6a1f67f59 --- /dev/null +++ b/charts/spiffe-step-ssh/templates/config-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "spiffe-step-ssh.serviceAccountName" . }}-svc-config + labels: + {{- include "spiffe-step-ssh.labels" . | nindent 4 }} + component: config + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/spiffe-step-ssh/templates/fetchca-configmap.yaml b/charts/spiffe-step-ssh/templates/fetchca-configmap.yaml new file mode 100644 index 000000000..f17d62364 --- /dev/null +++ b/charts/spiffe-step-ssh/templates/fetchca-configmap.yaml 
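Review bot: the RoleBinding subject is `{{ include "spiffe-step-ssh.fullname" . }}-svc-config`, but the ServiceAccount in the `config-serviceaccount.yaml` hunk and the config Deployment use `{{ include "spiffe-step-ssh.serviceAccountName" . }}-svc-config`; these differ whenever `serviceAccount.name` is set or `serviceAccount.create` is false, leaving the pod without the Role. Use the `serviceAccountName` helper for the subject `name` as well. The `deployments` rule granting `get`/`patch` on `-fetchca` is not exercised by the `update.sh` in `config-configmap.yaml`, which only restarts the statefulset; either drop it to keep the Role minimal or add the intended fetchca restart to the script. The Role and RoleBinding are also the only objects in this chart without the common `labels` block.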
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca + labels: + {{- include "spiffe-step-ssh.labels" . | nindent 4 }} +data: + spiffe-helper-init.conf: | + agent_address = "/spiffe-workload-api/spire-agent.sock" + cmd = "" + cmd_args = "" + cert_dir = "/certs" + svid_file_name = "tls.crt" + svid_key_file_name = "tls.key" + svid_bundle_file_name = "ca.pem" + add_intermediates_to_bundle = false + spiffe-helper-sidecar.conf: | + agent_address = "/spiffe-workload-api/spire-agent.sock" + cmd = "/busybox/busybox" + cmd_args = "sh /update.sh" + cert_dir = "/certs" + svid_file_name = "tls.crt" + svid_key_file_name = "tls.key" + svid_bundle_file_name = "ca.pem" + add_intermediates_to_bundle = false + update.sh: | + #!/bin/sh + /busybox/busybox kill -HUP `/busybox/busybox busybox cat /pid/pid` diff --git a/charts/spiffe-step-ssh/templates/fetchca-deployment.yaml b/charts/spiffe-step-ssh/templates/fetchca-deployment.yaml new file mode 100644 index 000000000..5114c1c98 --- /dev/null +++ b/charts/spiffe-step-ssh/templates/fetchca-deployment.yaml 
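Review bot: `update.sh` runs `/busybox/busybox busybox cat /pid/pid`, which repeats the applet word; the intended command is presumably `/busybox/busybox kill -HUP $(/busybox/busybox cat /pid/pid)`. Guarding against an empty or missing pid file first, `[ -s /pid/pid ] || exit 1`, gives a clearer failure than `kill -HUP` with no pid argument. A one-line comment naming which process writes `/pid/pid` (the fetchca container's startup script, defined outside this hunk) would tell readers what the HUP reloads.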
@@ -0,0 +1,182 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca + labels: + {{- include "spiffe-step-ssh.labels" . | nindent 4 }} + app: spiffe-step-ssh + component: fetchca +spec: + {{- if not .Values.fetchCA.autoscaling.enabled }} + replicas: {{ .Values.fetchCA.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "spiffe-step-ssh.selectorLabels" . | nindent 6 }} + app: spiffe-step-ssh + component: fetchca + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "spiffe-step-ssh.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + app: spiffe-step-ssh + component: fetchca + spec: + shareProcessNamespace: true + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "spiffe-step-ssh.serviceAccountName" . 
}}-fetchca + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + initContainers: + - name: busybox-volume + image: {{ template "spire-lib.image" (dict "image" .Values.busybox.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.busybox.image.pullPolicy }} + command: + - sh + - -c + - 'cp -a /bin/busybox /busybox' + volumeMounts: + - name: busybox + mountPath: /busybox + resources: + {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }} + - name: init-tls + image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }} + command: + - /spiffe-helper + - -config + - /etc/spiffe-helper.conf + - -daemon-mode=false + volumeMounts: + - name: spiffe-workload-api + mountPath: /spiffe-workload-api + readOnly: true + - name: config + mountPath: /etc/spiffe-helper.conf + subPath: spiffe-helper-init.conf + readOnly: true + - name: certs + mountPath: /certs + resources: + {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }} + containers: + - name: {{ .Chart.Name }}-fetchca + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: {{ template "spire-lib.image" (dict "image" .Values.nginx.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} + command: + - /bin/sh + - -c + - | + echo $$$$ > /pid/pid + cat > /etc/nginx/conf.d/ssl.conf </dev/null /dev/null || true + kubectl delete ns spire-server 2>/dev/null || true + kubectl delete ns spire-system 2>/dev/null || true + + helm uninstall --namespace mysql spire-root-server 2>/dev/null || true + kubectl delete ns spire-root-server 2>/dev/null || true + fi +} + +trap 'EC=$? 
&& trap - SIGTERM && teardown $EC' SIGINT SIGTERM EXIT + +echo Network interfaces: +ip a + +HIP="$(ip -4 addr show docker0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')" + +echo "Picked IP ${HIP}" + +echo "${HIP} test.production.other" | sudo bash -c 'cat >> /etc/hosts' + +sudo adduser spiffe-test +sudo -u spiffe-test mkdir -p /home/spiffe-test/.ssh +sudo chown spiffe-test --recursive /home/spiffe-test +sudo -u spiffe-test ssh-keygen -t ed25519 -f /home/spiffe-test/.ssh/id_ed25519 -q -N "" +sudo -u spiffe-test chmod 600 /home/spiffe-test/.ssh/id_ed25519 +sudo -u spiffe-test cp /home/spiffe-test/.ssh/id_ed25519.pub /home/spiffe-test/.ssh/authorized_keys +sudo -u spiffe-test ssh -T -n -i /home/spiffe-test/.ssh/id_ed25519 spiffe-test@test.production.other hostname || echo Expected fail here + +# Update deps +helm dep up charts/spire-nested + +# List nodes +kubectl get nodes + +# Deploy an ingress controller +IP=$(kubectl get nodes chart-testing-control-plane -o go-template='{{ range .status.addresses }}{{ if eq .type "InternalIP" }}{{ .address }}{{ end }}{{ end }}') +helm upgrade --install ingress-nginx ingress-nginx --version "$VERSION_INGRESS_NGINX" --repo "$HELM_REPO_INGRESS_NGINX" \ + --namespace ingress-nginx \ + --create-namespace \ + --set "controller.extraArgs.enable-ssl-passthrough=,controller.admissionWebhooks.enabled=false,controller.service.type=ClusterIP,controller.service.externalIPs[0]=$IP" \ + --set controller.ingressClassResource.default=true \ + --wait + +# Test the ingress controller. Should 404 as there is no services yet. 
+common_test_url "$IP" + +kubectl get configmap -n kube-system coredns -o yaml | grep hosts || kubectl get configmap -n kube-system coredns -o yaml | sed "/ready/a\ hosts {\n fallthrough\n }" | kubectl apply -f - +kubectl get configmap -n kube-system coredns -o yaml | grep test.production.other || kubectl get configmap -n kube-system coredns -o yaml | sed "/hosts/a\ $IP oidc-discovery.production.other\n $IP spire-server.production.other\n $HIP test.production.other\n" | kubectl apply -f - +kubectl rollout restart -n kube-system deployment/coredns +kubectl rollout status -n kube-system -w --timeout=1m deploy/coredns + +helm upgrade --install --create-namespace --namespace spire-mgmt --values "${COMMON_TEST_YOUR_VALUES},${SCRIPTPATH}/root-values.yaml" \ + --wait spire charts/spire-nested \ + --set "global.spire.namespaces.create=true" \ + --set "global.spire.ingressControllerType=ingress-nginx" + +kubectl get pods -n spire-server +kubectl exec -it -n spire-server spire-external-server-0 -- spire-server entry create -parentID spiffe://production.other/spire/agent/http_challenge/test.production.other -spiffeID spiffe://production.other/sshd/test.production.other -selector systemd:id:spiffe-step-ssh@main.service + +ENTRIES="$(kubectl exec -i -n spire-server spire-external-server-0 -- spire-server entry show)" + +if [[ "${ENTRIES}" == "Found 0 entries" ]]; then + echo "${ENTRIES}" + exit 1 +fi + +kubectl get ingress -n spire-server + +echo "${IP} spire-server.production.other spiffe-step-ssh.production.other spiffe-step-ssh-fetchca.production.other" | sudo bash -c 'cat >> /etc/hosts' +echo Hosts: +cat /etc/hosts + +curl -L https://raw.githubusercontent.com/kfox1111/spire-examples/refs/heads/spiffe-step-ssh/examples/spiffe-step-ssh/scripts/demo.sh | sudo bash + +sudo mkdir -p /usr/libexec/spiffe-step-ssh +sudo mkdir -p /etc/systemd/system/sshd.service.d +sudo curl -L -o /usr/libexec/spiffe-step-ssh/update.sh 
https://raw.githubusercontent.com/kfox1111/spire-examples/refs/heads/spiffe-step-ssh/examples/spiffe-step-ssh/scripts/update.sh +sudo curl -L -o /etc/systemd/system/spiffe-step-ssh@.service https://raw.githubusercontent.com/kfox1111/spire-examples/refs/heads/spiffe-step-ssh/examples/spiffe-step-ssh/systemd/spiffe-step-ssh@.service +sudo curl -L -o /etc/systemd/system/spiffe-step-ssh-cleanup.service https://raw.githubusercontent.com/kfox1111/spire-examples/refs/heads/spiffe-step-ssh/examples/spiffe-step-ssh/systemd/spiffe-step-ssh-cleanup.service +sudo curl -L -o /etc/systemd/system/sshd.service.d/10-spiffe-step-ssh.conf https://raw.githubusercontent.com/kfox1111/spire-examples/refs/heads/spiffe-step-ssh/examples/spiffe-step-ssh/conf/10-spiffe-step-ssh.conf + +sudo mkdir -p /etc/spire/agent +sudo cp "${SCRIPTPATH}/spire-agent.conf" /etc/spire/agent/main.conf + +PASSWORD=$(openssl rand -base64 48) +echo "$PASSWORD" > spiffe-step-ssh-password.txt +step ca init --helm --deployment-type=Standalone --name='My CA' --dns spiffe-step-ssh.production.other --ssh --address :8443 --provisioner default --password-file spiffe-step-ssh-password.txt > spiffe-step-ssh-values.yaml + +# Start things up +sudo systemctl daemon-reload +sudo systemctl enable spire-agent@main +sudo systemctl start spire-agent@main + +pushd charts/spiffe-step-ssh +helm dep up +popd + +helm upgrade --install spiffe-step-ssh charts/spiffe-step-ssh --set caPassword="$(cat spiffe-step-ssh-password.txt)" -f spiffe-step-ssh-values.yaml -f "${SCRIPTPATH}/ingress-values.yaml" --set trustDomain=production.other --wait --timeout 10m + +# Is fetchca responding. +kubectl get configmap -n spire-system spire-bundle-downstream -o go-template='{{ index .data "bundle.crt" }}' > /tmp/ca.pem +cat /tmp/ca.pem +curl https://spiffe-step-ssh-fetchca.production.other -s --cacert /tmp/ca.pem + +sudo systemctl start spiffe-step-ssh@main + +# This is bad, but only for testing. 
Don't do this at home
+sudo chmod 777 "/var/run/spiffe/"
+sudo chmod 777 "/var/run/spiffe/step-ssh/"
+sudo chmod 777 "/var/run/spiffe/step-ssh/main/"
+common_test_file_exists "/var/run/spiffe/step-ssh/main/ssh_host_rsa_key-cert.pub"
+
+kubectl get configmap spiffe-step-ssh-certs -o 'go-template={{ index .data "ssh_host_ca_key.pub" }}' | sed '/^$/d; s/^/@cert-authority *.production.other /' | sudo -u spiffe-test dd of=/home/spiffe-test/.ssh/known_hosts
+sudo -u spiffe-test cat /home/spiffe-test/.ssh/known_hosts
+
+sudo -u spiffe-test ssh -T -n -i /home/spiffe-test/.ssh/id_ed25519 spiffe-test@test.production.other hostname
diff --git a/tests/integration/spiffe-step-ssh/spire-agent.conf b/tests/integration/spiffe-step-ssh/spire-agent.conf
new file mode 100644
index 000000000..4c5a9f441
--- /dev/null
+++ b/tests/integration/spiffe-step-ssh/spire-agent.conf
@@ -0,0 +1,25 @@
+agent {
+ log_level = "DEBUG"
+ trust_domain = "production.other"
+ server_address = "spire-server.production.other"
+ server_port = 443
+ # Insecure bootstrap is NOT appropriate for production use but is ok for
+ # simple testing/evaluation purposes.
+ insecure_bootstrap = true
+}
+plugins {
+ KeyManager "disk" {
+ plugin_data {
+ directory = "./"
+ }
+ }
+ NodeAttestor "http_challenge" {
+ plugin_data {
+ hostname = "test.production.other"
+ port = 81
+ }
+ }
+ WorkloadAttestor "systemd" {
+ plugin_data {}
+ }
+}
From 619371706186c6df3bf3cce98aa9ea71ee62313b Mon Sep 17 00:00:00 2001
From: "spire-helm-version-checker[bot]" <161522935+spire-helm-version-checker[bot]@users.noreply.github.com>
Date: Mon, 11 Nov 2024 04:15:31 -0800
Subject: [PATCH 07/12] Bump test chart dependencies (#494)
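Review bot: The disk KeyManager in the new spire-agent.conf writes the agent's private key to `directory = "./"`, a path relative to the process working directory rather than a fixed location. The script in this patch starts the agent as the `spire-agent@main` systemd unit, and a system unit's working directory defaults to `/` unless the unit sets `WorkingDirectory=`, so the key file would presumably land in the filesystem root (the unit file itself is not part of this patch, so this is inferred). Pin it to an absolute path the unit owns, e.g. `directory = "/var/lib/spire/agent"` (example path), and add a line above it such as `# Absolute path: a relative directory resolves against the service's working directory`. The `insecure_bootstrap = true` line already carries its testing-only caveat, which is the right register for this file.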
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com> --- .github/tests/charts.json | 6 +++--- .../spire/charts/spiffe-oidc-discovery-provider/README.md | 4 ++-- .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 4 ++-- charts/spire/charts/spire-agent/README.md | 6 +++--- charts/spire/charts/spire-agent/values.yaml | 6 +++--- charts/spire/charts/spire-server/README.md | 4 ++-- charts/spire/charts/spire-server/values.yaml | 4 ++-- charts/spire/charts/tornjak-frontend/README.md | 2 +- charts/spire/charts/tornjak-frontend/values.yaml | 2 +- 9 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index c65c55ea6..8deb91b53 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,7 +2,7 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "65.5.1" + "version": "66.1.0" }, { "name": "cert-manager", @@ -17,11 +17,11 @@ { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "11.1.19" + "version": "11.1.20" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "16.1.1" + "version": "16.1.2" } ] diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 562f8821c..6c976e314 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -117,11 +117,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:71acae435de0d6a363ed159b38bee618e8ef37320a078caaba0792c8fd76fa99` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:218fbcbc011b48808354d652a1fee26c934b195e4d64ebda40e1989c90365d78` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8699d1707c16f2e05e321d19904652c16090b5819d657a91efd051d437f1b7dd` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 3a7200da0..9583a69fa 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
@@ -332,7 +332,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1 + tag: latest@sha256:71acae435de0d6a363ed159b38bee618e8ef37320a078caaba0792c8fd76fa99 toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -344,7 +344,7 @@ tests: registry: cgr.dev repository: chainguard/min-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:218fbcbc011b48808354d652a1fee26c934b195e4d64ebda40e1989c90365d78 + tag: latest@sha256:8699d1707c16f2e05e321d19904652c16090b5819d657a91efd051d437f1b7dd step: ## @param tests.step.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index abe9b9e49..3cf3d4286 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -70,7 +70,7 @@ A Helm chart to install the SPIRE agent. | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:71acae435de0d6a363ed159b38bee618e8ef37320a078caaba0792c8fd76fa99` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` | | `nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s Node Attestor | `true` | 
@@ -114,12 +114,12 @@ A Helm chart to install the SPIRE agent. | `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` | | `socketAlternate.image.pullPolicy` | The image pull policy | `Always` | -| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1` | +| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:71acae435de0d6a363ed159b38bee618e8ef37320a078caaba0792c8fd76fa99` | | `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `hostCert.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `hostCert.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | | `hostCert.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `hostCert.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:218fbcbc011b48808354d652a1fee26c934b195e4d64ebda40e1989c90365d78` | +| `hostCert.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8699d1707c16f2e05e321d19904652c16090b5819d657a91efd051d437f1b7dd` | | `hostCert.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | | `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 1505e08a7..7146b2cc2 100644 
--- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -153,7 +153,7 @@ fsGroupFix: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1 + tag: latest@sha256:71acae435de0d6a363ed159b38bee618e8ef37320a078caaba0792c8fd76fa99 ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} @@ -280,7 +280,7 @@ socketAlternate: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1 + tag: latest@sha256:71acae435de0d6a363ed159b38bee618e8ef37320a078caaba0792c8fd76fa99 ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} @@ -295,7 +295,7 @@ hostCert: registry: cgr.dev repository: chainguard/min-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:218fbcbc011b48808354d652a1fee26c934b195e4d64ebda40e1989c90365d78 + tag: latest@sha256:8699d1707c16f2e05e321d19904652c16090b5819d657a91efd051d437f1b7dd ## @param hostCert.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 4a74d2b3d..598cf8a25 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -434,7 +434,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `chown.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `chown.image.repository` | The repository within the registry | `chainguard/bash` | | `chown.image.pullPolicy` | The image pull policy | `Always` | -| `chown.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1` | +| `chown.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:71acae435de0d6a363ed159b38bee618e8ef37320a078caaba0792c8fd76fa99` | | `chown.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `experimental.enabled` | Allow configuration of experimental features | `false` | | `experimental.cacheReloadInterval` | The amount of time between two reloads of the in-memory entry cache. | `5s` | @@ -447,5 +447,5 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:71acae435de0d6a363ed159b38bee618e8ef37320a078caaba0792c8fd76fa99` | | `kubeConfigs` | Manage additional kubeconfig files to talk to external Kubernetes clusters | `{}` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 30a69288f..18179b0d9 100644 
--- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -1098,7 +1098,7 @@ chown: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1 + tag: latest@sha256:71acae435de0d6a363ed159b38bee618e8ef37320a078caaba0792c8fd76fa99 ## @param chown.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} @@ -1133,7 +1133,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1 + tag: latest@sha256:71acae435de0d6a363ed159b38bee618e8ef37320a078caaba0792c8fd76fa99 ## @param kubeConfigs [object] Manage additional kubeconfig files to talk to external Kubernetes clusters kubeConfigs: {} diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 0130fc888..7a8424a21 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -101,4 +101,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:71acae435de0d6a363ed159b38bee618e8ef37320a078caaba0792c8fd76fa99` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index c2051c941..1187ec668 100644 
--- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -162,4 +162,4 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:0dab51a88ca154706fe22ad56274ee826dab43392dc6ee83de46b3ed9a3a8dd1 + tag: latest@sha256:71acae435de0d6a363ed159b38bee618e8ef37320a078caaba0792c8fd76fa99 From dc30efb5eb25af5be979a410d808f0cd7d1a9a97 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 14 Nov 2024 04:37:02 -0800 Subject: [PATCH 08/12] Bump helm.sh/helm/v3 from 3.16.2 to 3.16.3 in /tests (#495) Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.16.2 to 3.16.3. - [Release notes](https://github.com/helm/helm/releases) - [Commits](https://github.com/helm/helm/compare/v3.16.2...v3.16.3) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/go.mod | 4 ++-- tests/go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index 1617203a4..0a5b3f4d9 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -6,7 +6,7 @@ toolchain go1.22.5 require ( github.com/onsi/ginkgo/v2 v2.21.0 github.com/onsi/gomega v1.35.1 - helm.sh/helm/v3 v3.16.2 + helm.sh/helm/v3 v3.16.3 ) require ( @@ -15,7 +15,7 @@ require ( github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/semver/v3 v3.3.0 // indirect github.com/Masterminds/sprig/v3 v3.3.0 // indirect - github.com/cyphar/filepath-securejoin v0.3.1 // indirect + github.com/cyphar/filepath-securejoin v0.3.4 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect 
diff --git a/tests/go.sum b/tests/go.sum index a6f26aade..5aaf26048 100644 --- a/tests/go.sum +++ b/tests/go.sum @@ -9,8 +9,8 @@ github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lpr github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs= github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/cyphar/filepath-securejoin v0.3.1 h1:1V7cHiaW+C+39wEfpH6XlLBQo3j/PciWFrgfCLS8XrE= -github.com/cyphar/filepath-securejoin v0.3.1/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc= +github.com/cyphar/filepath-securejoin v0.3.4 h1:VBWugsJh2ZxJmLFSM06/0qzQyiQX2Qs0ViKrUAcqdZ8= +github.com/cyphar/filepath-securejoin v0.3.4/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 
@@ -171,8 +171,8 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -helm.sh/helm/v3 v3.16.2 h1:Y9v7ry+ubQmi+cb5zw1Llx8OKHU9Hk9NQ/+P+LGBe2o= -helm.sh/helm/v3 v3.16.2/go.mod h1:SyTXgKBjNqi2NPsHCW5dDAsHqvGIu0kdNYNH9gQaw70= +helm.sh/helm/v3 v3.16.3 h1:kb8bSxMeRJ+knsK/ovvlaVPfdis0X3/ZhYCSFRP+YmY= +helm.sh/helm/v3 v3.16.3/go.mod h1:zeVWGDR4JJgiRbT3AnNsjYaX8OTJlIE9zC+Q7F7iUSU= k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= From 6608fc980abf37ebe7c3c546cac9c0b57f01af9d Mon Sep 17 00:00:00 2001 From: Patrick O'Brien Date: Sun, 17 Nov 2024 13:25:29 -0800 Subject: [PATCH 09/12] Add extraEnvVars support for spiffe-csi-driver containers (#496) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Patrick O'Brien Signed-off-by: Patrick O’Brien --- charts/spire/charts/spiffe-csi-driver/README.md | 2 ++ .../charts/spiffe-csi-driver/templates/daemonset.yaml | 7 +++++++ charts/spire/charts/spiffe-csi-driver/values.yaml | 5 +++++ 3 files changed, 14 insertions(+) diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md index 0005105d8..28cf4213f 100644 --- a/charts/spire/charts/spiffe-csi-driver/README.md +++ b/charts/spire/charts/spiffe-csi-driver/README.md 
@@ -33,6 +33,7 @@ A Helm chart to install the SPIFFE CSI driver. | `image.pullPolicy` | The image pull policy | `IfNotPresent` | | `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | | `resources` | Resource requests and limits for spiffe-csi-driver | `{}` | +| `extraEnvVars` | Extra environment variables to be added to the spiffe-csi-driver container | `[]` | | `healthChecks.port` | The healthcheck port for spiffe-csi-driver | `9809` | | `updateStrategy.type` | The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete. | `RollingUpdate` | | `updateStrategy.rollingUpdate.maxUnavailable` | Max unavailable pods during update. Can be a number or a percentage. | `1` | @@ -61,6 +62,7 @@ A Helm chart to install the SPIFFE CSI driver. | `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.4` | | `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` | +| `nodeDriverRegistrar.extraEnvVars` | Extra environment variables to be added to the nodeDriverRegistrar container | `[]` | | `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | | `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` | | `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | diff --git a/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml b/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml index 754d90092..5c4528de4 100644 --- a/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml +++ b/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml 
@@ -90,6 +90,9 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: spec.nodeName
+ {{- with .Values.extraEnvVars }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 volumeMounts:
 # The volume containing the SPIRE agent socket. The SPIFFE CSI
 # driver will mount this directory into containers.
@@ -123,6 +126,10 @@ spec:
 "-kubelet-registration-path", "{{ .Values.kubeletPath }}/plugins/{{ .Values.pluginName }}/csi.sock", "-health-port", "{{ .Values.healthChecks.port }}" ]
+ env:
+ {{- with .Values.nodeDriverRegistrar.extraEnvVars }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 volumeMounts:
 # The registrar needs access to the SPIFFE CSI driver socket
 - mountPath: /spiffe-csi
diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml
index 8e97b37c0..e293e4c36 100644
--- a/charts/spire/charts/spiffe-csi-driver/values.yaml
+++ b/charts/spire/charts/spiffe-csi-driver/values.yaml
@@ -33,6 +33,9 @@ resources: {}
 # cpu: 100m
 # memory: 64Mi
+## @param extraEnvVars [array] Extra environment variables to be added to the spiffe-csi-driver container
+extraEnvVars: []
+
 healthChecks:
 ## @param healthChecks.port The healthcheck port for spiffe-csi-driver
 port: 9809
@@ -136,6 +139,8 @@ nodeDriverRegistrar:
 # limits:
 # cpu: 100m
 # memory: 64Mi
+ ## @param nodeDriverRegistrar.extraEnvVars [array] Extra environment variables to be added to the nodeDriverRegistrar container
+ extraEnvVars: []
 ## @param agentSocketPath The unix socket path to the spire-agent
 agentSocketPath: /run/spire/agent-sockets/spire-agent.sock
From 61eb715029503b3d2fe044fb63a2be7f209ca9c5 Mon Sep 17 00:00:00 2001
From: Faisal Memon
Date: Sun, 17 Nov 2024 14:14:01 -0800
Subject: [PATCH 10/12] Bump spire Helm Chart version from 0.24.0 to 0.24.1 (#497)
* 6608fc9 Add extraEnvVars support for spiffe-csi-driver containers (#496)
* 6193717 Bump test chart dependencies (#494)
* d5777c3 Bump test chart dependencies (#493)
* 4993b67 Fix GCS Bundle endpoint format variable (#491)
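Review bot: In the second daemonset.yaml hunk (`@@ -123,6 +126,10 @@`) the `env:` key is emitted unconditionally while its only content sits inside `{{- with .Values.nodeDriverRegistrar.extraEnvVars }}`, so with the default `extraEnvVars: []` the registrar container renders a bare `env:` key (YAML null); the API server generally tolerates that, but it is a shape the first hunk does not produce, since the driver container presumably already has an `env:` list that starts outside the hunk. Move the key inside the guard so nothing is rendered when the value is empty: put `env:` on the line directly after `{{- with .Values.nodeDriverRegistrar.extraEnvVars }}` and keep `{{- toYaml . | nindent 12 }}` / `{{- end }}` as they are. Both container definitions enclosing these hunks begin outside the hunk, so the indentation of the moved line should be checked against the surrounding keys.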
Signed-off-by: Faisal Memon --- charts/spire/Chart.yaml | 2 +- charts/spire/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index df06027f3..597399a41 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -3,7 +3,7 @@ name: spire description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.24.0 +version: 0.24.1 appVersion: "1.11.0" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire diff --git a/charts/spire/README.md b/charts/spire/README.md index 14f8d98b7..851a4a3a5 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -1,6 +1,6 @@ # spire -![Version: 0.24.0](https://img.shields.io/badge/Version-0.24.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.0](https://img.shields.io/badge/AppVersion-1.11.0-informational?style=flat-square) +![Version: 0.24.1](https://img.shields.io/badge/Version-0.24.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.0](https://img.shields.io/badge/AppVersion-1.11.0-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. From 18a34f6cab4081ea463a12274384af85b801cb08 Mon Sep 17 00:00:00 2001 
From: Faisal Memon Date: Sun, 17 Nov 2024 14:27:03 -0800 Subject: [PATCH 11/12] Bump spire-nested Helm Chart version from 0.24.0 to 0.24.1 (#498) Signed-off-by: Faisal Memon Co-authored-by: kfox1111 --- charts/spire-nested/Chart.yaml | 2 +- charts/spire-nested/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/spire-nested/Chart.yaml b/charts/spire-nested/Chart.yaml index 670381cbb..eadb418b1 100644 --- a/charts/spire-nested/Chart.yaml +++ b/charts/spire-nested/Chart.yaml @@ -3,7 +3,7 @@ name: spire-nested description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.24.0 +version: 0.24.1 appVersion: "1.11.0" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire diff --git a/charts/spire-nested/README.md b/charts/spire-nested/README.md index 4ff3b208a..072e53caf 100644 --- a/charts/spire-nested/README.md +++ b/charts/spire-nested/README.md 
@@ -1,6 +1,6 @@ # spire -![Version: 0.24.0](https://img.shields.io/badge/Version-0.24.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.0](https://img.shields.io/badge/AppVersion-1.11.0-informational?style=flat-square) +![Version: 0.24.1](https://img.shields.io/badge/Version-0.24.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.0](https://img.shields.io/badge/AppVersion-1.11.0-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. From 17d31f17892fd842e7d54706f05e93917ca42e91 Mon Sep 17 00:00:00 2001 From: Faisal Memon Date: Sun, 17 Nov 2024 14:48:08 -0800 Subject: [PATCH 12/12] Bump spiffe-step-ssh Helm Chart version from 0.0.1 to 0.1.0 (#499) Signed-off-by: Faisal Memon Co-authored-by: kfox1111 --- charts/spiffe-step-ssh/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spiffe-step-ssh/Chart.yaml b/charts/spiffe-step-ssh/Chart.yaml index e3ae9e26b..b091acb09 100644 --- a/charts/spiffe-step-ssh/Chart.yaml +++ b/charts/spiffe-step-ssh/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.0.1 +version: 0.1.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to