Merge branch 'main' into release

.github/scripts/update-tags.sh

@@ -71,4 +71,4 @@ jq -r '. | keys[]' "$IMAGEJSON" | while read -r CHART; do
     fi
   done
 done
-"${SCRIPTPATH}/../../helm-docs.sh"
+"${SCRIPTPATH}/../../helm-docs.sh" || true

.github/tests/charts.json

@@ -2,26 +2,26 @@
   {
     "name": "kube-prometheus-stack",
     "repo": "https://prometheus-community.github.io/helm-charts",
-    "version": "48.3.1"
+    "version": "51.8.0"
   },
   {
     "name": "cert-manager",
     "repo": "https://charts.jetstack.io",
-    "version": "v1.12.3"
+    "version": "v1.13.1"
   },
   {
     "name": "ingress-nginx",
     "repo": "https://kubernetes.github.io/ingress-nginx",
-    "version": "4.7.1"
+    "version": "4.8.2"
   },
   {
     "name": "mysql",
     "repo": "https://charts.bitnami.com/bitnami",
-    "version": "9.10.10"
+    "version": "9.12.5"
   },
   {
     "name": "postgresql",
     "repo": "https://charts.bitnami.com/bitnami",
-    "version": "12.8.2"
+    "version": "13.1.5"
   }
 ]

.github/tests/dependencies/spire-root-server-values.yaml

@@ -1,3 +1,9 @@
+global:
+  spire:
+    clusterName: production
+    trustDomain: production.other
+    jwtIssuer: oidc-discovery.production.other
+
 spire-server:
   controllerManager:
     enabled: false

.github/tests/dependencies/testcert.yaml

@@ -43,8 +43,8 @@ metadata:
   name: oidc
 spec:
   dnsNames:
-    - oidc-discovery.example.org
-    - spire-server-federation.example.org
+    - oidc-discovery.production.other
+    - spire-server-federation.production.other
   secretName: tls-cert
   issuerRef:
     name: demo-ca

.github/workflows/check-versions.yaml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.0.0
+        uses: actions/checkout@v4.1.0
 
       - name: Set up Helm
         uses: azure/[email protected]
@@ -36,6 +36,7 @@ jobs:
         uses: actions/[email protected]
         with:
           go-version: '1.21'
+          cache: false
 
       - name: Setup crane
         uses: imjasonh/[email protected]
@@ -70,6 +71,7 @@ jobs:
           signoff: true
           add-paths: |
             .github/tests
+            charts
 
       - name: Check outputs
         if: ${{ steps.cpr.outputs.pull-request-number }}

.github/workflows/helm-chart-ci-ignore.yaml

@@ -43,7 +43,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.0.0
+        uses: actions/checkout@v4.1.0
 
       - id: set-matrix
         name: Collect all examples

.github/workflows/helm-chart-ci.yaml

@@ -32,7 +32,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.0.0
+        uses: actions/checkout@v4.1.0
 
       - name: Verify Docs updated
         run: ./helm-docs.sh
@@ -94,7 +94,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.0.0
+        uses: actions/checkout@v4.1.0
         with:
           fetch-depth: 0
 
@@ -136,7 +136,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.0.0
+        uses: actions/checkout@v4.1.0
         with:
           fetch-depth: 0
 
@@ -170,7 +170,8 @@ jobs:
 
       - name: Run chart-testing (install)
         run: |
-          ct install --config ct.yaml \
+          helm install -n spire-server spire-crds charts/spire-crds
+          ct install --config ct.yaml --excluded-charts spire-crds \
             --target-branch ${{ github.base_ref }}
 
       - name: Test summary
@@ -184,7 +185,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.0.0
+        uses: actions/checkout@v4.1.0
 
       - id: set-matrix
         name: Collect all examples
@@ -216,7 +217,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.0.0
+        uses: actions/checkout@v4.1.0
 
       - name: Set up Helm
         uses: azure/[email protected]
@@ -238,4 +239,48 @@ jobs:
           verbosity: 1
 
       - name: Install and test example
-        run: ${{ matrix.example }}/run-tests.sh
+        run: |
+          kubectl create namespace spire-server
+          helm install -n spire-server spire-crds charts/spire-crds
+          ${{ matrix.example }}/run-tests.sh
+
+  upgrade-test:
+    runs-on: ubuntu-22.04
+
+    needs:
+      - lint-chart
+      - build-matrix
+
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s:
+          - v1.27.2
+          - v1.26.4
+          - v1.25.9
+
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+
+      - name: Set up Helm
+        uses: azure/[email protected]
+        with:
+          version: ${{ env.HELM_VERSION }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Create kind cluster
+        uses: helm/[email protected]
+        # Only build a kind cluster if there are chart changes to test.
+        with:
+          version: ${{ env.KIND_VERSION }}
+          node_image: kindest/node:v1.26.4
+          config: .github/kind/conf/kind-config.yaml
+          verbosity: 1
+
+      - name: Install and test example
+        run: examples/production/run-tests.sh -u

.github/workflows/helm-release.yaml

@@ -19,7 +19,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.0.0
+        uses: actions/checkout@v4.1.0
         with:
           fetch-depth: 0
 

.github/workflows/shellcheck.yaml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.0.0
+        uses: actions/checkout@v4.1.0
 
       - name: Run Shellcheck
         uses: ludeeus/[email protected]

CODE-OF-CONDUCT.md

@@ -0,0 +1,19 @@
+### Contributor Code of Conduct
+
+We follow the [CNCF Contributor Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md). Additionally, we commit to the following guidelines as detailed on the [Linkerd Code of Conduct](https://github.com/linkerd/linkerd/wiki/Linkerd-code-of-conduct):
+
+### Community Guidelines
+
+- Our goal is to foster an inclusive and diverse community of technology enthusiasts.
+
+- Try to be your best self. Treat your fellow community members with kindness and empathy. We welcome disagreements when they are conducted respectfully and without personal attacks.
+
+- We ask that you keep unstructured critique to a minimum. Disparaging remarks about the project are unnecessary and a drain on community morale. Feedback should be constructive and relevant. Having passionately held opinions on what should improve is encouraged! We hope you will use that enthusiasm to roll up your sleeves and get involved by submitting pull requests. We have additional guidelines on [how to ask constructive questions](https://github.com/linkerd/linkerd/wiki/How-To-Ask-Questions-in-Slack).
+
+- We don't tolerate insults, spamming, trolling, flaming, baiting, or harassment. We don't tolerate sexual language, imagery, or unwanted advances. Private harassment is also unacceptable.
+
+- We do our best to avoid [subtle-isms](https://www.recurse.com/manual#sub-sec-social-rules): small actions that make others feel uncomfortable. If you witness a subtle-ism, you may respectfully point it out to the person publicly or privately, or you may ask a moderator to say something. Accidentally saying something biased is common, expected, and readily forgiven. It is not in and of itself a bannable offense.
+
+### Moderation
+
+- If you feel any of SPIFFE's communication channels require moderation, please e-mail the [SPIFFE Steering Committee (SSC)](mailto:[email protected]).

CODEOWNERS

@@ -1,7 +1,7 @@
 # These owners will be the default owners for everything in
 # the repo. Unless a later match takes precedence,
-# they will be requested for review when someone opens a 
+# they will be requested for review when someone opens a
 # pull request.
-*       @marcofranssen @Kfox1111 @developer-guy @dfeldman @faisal-memon @mrsabath @edwbuck
+*       @marcofranssen @Kfox1111 @dfeldman @faisal-memon @mrsabath @edwbuck
 
 # See CODEOWNERS syntax here: https://help.github.com/articles/about-codeowners/#codeowners-syntax

FAQ.md

@@ -1,9 +1,36 @@
 # Frequently Asked Questions
 
+- [How does this repo relate to the helm-charts repo?](#how-does-this-repo-relate-to-the-helm-charts-repo)
+- [How do I migrate my changeset from the old helm-charts repo to this one?](#how-do-i-migrate-my-changeset-from-the-old-helm-charts-repo-to-this-one)
+- [How do I update my helm registry to point to this one?](#how-do-i-update-my-helm-registry-to-point-to-this-one)
 - [Pods are stuck terminating after uninstall. How do I fix it?](#pods-are-stuck-terminating-after-uninstall-how-do-i-fix-it)
 - [Uninstall is stuck. How do I fix it?](#uninstall-is-stuck-how-do-i-fix-it)
 - [The PSAT plugin is not working](#the-psat-plugin-is-not-working)
 
+## How does this repo relate to the helm-charts repo?
+
+The helm-charts repo has been archived. This repo has all the commit history and releases copied over from that repo and is continuing development to provide a SPIRE helm chart for the community to use and contribute to.
+
+## How do I migrate my changeset from the old helm-charts repo to this one?
+
+Run one of these commands to switch to the new repo:
+
+- If working off a branch (maintainers with write access): `git remote set-url origin [email protected]:spiffe/helm-charts-hardened.git`
+- If working off a fork:
+    1. Create a new fork of helm-charts-hardened
+    1. In your local clone of your old fork of helm-charts: `git remote set-url origin https://github.com/<your new fork>/helm-charts-hardened.git`
+
+Then just `git push` your branches. Git history has been migrated over so you can just push your existing branches without issues.
+
+## How do I update my helm registry to point to this one?
+
+Assuming you named the repo `spiffe`:
+
+``` bash
+helm repo remove spiffe
+helm repo add spiffe https://spiffe.github.io/helm-charts-hardened
+```
+
 ## Pods are stuck terminating after uninstall. How do I fix it?
 
 If you uninstall the SPIRE chart before all users of the CSI driver are removed, Pods will get stuck in a terminating state waiting for the driver, that no longer is installed, to unmount the volumes for the Pod. In order to fix this, reinstall the chart and remove all affected workloads that are not part of the SPIRE helm chart itself, before attempting to remove SPIRE again.

README.md

@@ -21,7 +21,7 @@ Unless otherwise noted in an application chart README, the following dependencie
 
 | Dependency | Supported Versions |
 |:-----------|:-------------------|
-| SPIRE      | `1.6.x`, `1.7.x`   |
+| SPIRE      | `1.8.2`            |
 | Helm       | `3.x`              |
 | Kubernetes | `1.22+`            |
 

charts/spire-crds/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/spire-crds/Chart.yaml

@@ -0,0 +1,22 @@
+apiVersion: v2
+name: spire-crds
+description: >
+  A Helm chart for deploying the Spire CRDS
+type: application
+version: 0.0.1
+appVersion: "0.0.1"
+keywords: ["spire-crds"]
+home: https://github.com/spiffe/helm-charts/tree/main/charts/spire
+sources:
+  - https://github.com/spiffe/helm-charts/tree/main/charts/spire
+icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
+maintainers:
+  - name: marcofranssen
+    email: [email protected]
+    url: https://marcofranssen.nl
+  - name: kfox1111
+    email: [email protected]
+  - name: faisal-memon
+    email: [email protected]
+  - name: edwbuck
+    email: [email protected]

charts/spire-crds/README.md

@@ -0,0 +1,23 @@
+# spire-crds
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square)
+
+A Helm chart to install the SPIRE CRDS.
+
+**Homepage:** <https://github.com/spiffe/helm-charts/tree/main/charts/spire>
+
+## Maintainers
+| Name | Email | Url |
+| ---- | ------ | --- |
+| marcofranssen | <[email protected]> | <https://marcofranssen.nl> |
+| kfox1111 | <[email protected]> |  |
+| faisal-memon | <[email protected]> |  |
+| edwbuck | <[email protected]> |  |
+
+## Source Code
+
+* <https://github.com/spiffe/helm-charts/tree/main/charts/spire>
+
+<!-- The Parameters section is generated using helm-docs.sh -->
+
+## Parameters

charts/spire/charts/spire-server/crds/clusterfederatedtrustdomains.yaml → charts/spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml

@@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.11.1
+    {{- .Values.annotations | toYaml | nindent 4 }}
   creationTimestamp: null
   name: clusterfederatedtrustdomains.spire.spiffe.io
 spec:
@@ -88,9 +89,3 @@ spec:
     storage: true
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []