From 7a96175f060fa11b5b97ee2e3f118d946b1bbf14 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Mon, 18 Sep 2023 10:29:24 +0200 Subject: [PATCH 01/36] Remove developer-guy as a CODEOWNER Due to time constraints he steps down as a maintainer. Signed-off-by: Marco Franssen --- CODEOWNERS | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 54b126945..2a9b629a6 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,7 +1,7 @@ # These owners will be the default owners for everything in # the repo. Unless a later match takes precedence, -# they will be requested for review when someone opens a +# they will be requested for review when someone opens a # pull request. -* @marcofranssen @Kfox1111 @developer-guy @dfeldman @faisal-memon @mrsabath @edwbuck +* @marcofranssen @Kfox1111 @dfeldman @faisal-memon @mrsabath @edwbuck # See CODEOWNERS syntax here: https://help.github.com/articles/about-codeowners/#codeowners-syntax From d3091a829c02edb00640aa9fa24c7fc95486e7f2 Mon Sep 17 00:00:00 2001 From: unufr33 <129618334+unufr33@users.noreply.github.com> Date: Wed, 20 Sep 2023 19:12:11 +0300 Subject: [PATCH 02/36] =?UTF-8?q?Fix=20spire-server=20configmap=20Upstream?= =?UTF-8?q?Authority/aws=5Fpca=20and=20KeyManager/a=E2=80=A6=20(#489)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Current configmap template renders to a wrong KeyManager and UpstreamAuthority configurarion when aws_kms and aws_pca are enabled and container is crashing. The proposed changes will fix the issue. --------- Signed-off-by: unufree Signed-off-by: unufr33 <129618334+unufr33@users.noreply.github.com> Co-authored-by: Faisal Memon --- .../spire-server/templates/configmap.yaml | 60 +++++++++---------- tests/unit/spire_test.go | 34 ++++++++++- 2 files changed, 63 insertions(+), 31 deletions(-) 
diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
index 33c70c554..1fea3197a 100644
--- a/charts/spire/charts/spire-server/templates/configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -89,19 +89,19 @@ plugins:
 {{- if eq (.enabled | toString) "true" }}
 {{- $keyManagerUsed = add1 $keyManagerUsed }}
 KeyManager:
- - aws_kms:
- plugin_data:
- region: {{ .region | quote }}
- key_metadata_file: "/run/spire/data/aws-kms-key-metadata"
- {{- if ne .accessKeyID "" }}
- access_key_id: "${AWS_KMS_ACCESS_KEY_ID}"
- {{- end }}
- {{- if ne .secretAccessKey "" }}
- secret_access_key: "${AWS_KMS_SECRET_ACCESS_KEY}"
- {{- end }}
- {{- if or (ne .keyPolicy.policy "") (ne .keyPolicy.existingConfigMap "") }}
- key_policy_file: "/run/spire/data/aws-kms-key-policy.json"
- {{- end }}
+ aws_kms:
+ plugin_data:
+ region: {{ .region | quote }}
+ key_metadata_file: "/run/spire/data/aws-kms-key-metadata"
+ {{- if ne .accessKeyID "" }}
+ access_key_id: "${AWS_KMS_ACCESS_KEY_ID}"
+ {{- end }}
+ {{- if ne .secretAccessKey "" }}
+ secret_access_key: "${AWS_KMS_SECRET_ACCESS_KEY}"
+ {{- end }}
+ {{- if or (ne .keyPolicy.policy "") (ne .keyPolicy.existingConfigMap "") }}
+ key_policy_file: "/run/spire/data/aws-kms-key-policy.json"
+ {{- end }}
 {{- end }}
 {{- end }}
 
@@ -193,23 +193,23 @@ plugins:
 {{- if eq (.enabled | toString) "true" }}
 {{- $upstreamAuthorityUsed = add1 $upstreamAuthorityUsed }}
 UpstreamAuthority:
- - aws_pca:
- plugin_data:
- region: {{ .region | quote }}
- certificate_authority_arn: {{ .certificateAuthorityARN | quote }}
- ca_signing_template_arn: {{ .caSigningTemplateARN | default "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1" | quote }}
- {{- if ne .signingAlgorithm "" }}
- signing_algorithm: {{ .signingAlgorithm | quote }}
- {{- end }}
- {{- if ne .assumeRoleARN "" }}
- assume_role_arn: {{ .assumeRoleARN | quote }}
- {{- end }}
- {{- if ne .endpoint "" }}
- endpoint: {{ .endpoint | quote }}
- {{- end }}
- {{- if ne .supplementalBundlePath "" }}
- supplemental_bundle_path: {{ .supplementalBundlePath | quote }}
- {{- end }}
+ aws_pca:
+ plugin_data:
+ region: {{ .region | quote }}
+ certificate_authority_arn: {{ .certificateAuthorityARN | quote }}
+ ca_signing_template_arn: {{ .caSigningTemplateARN | default "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1" | quote }}
+ {{- if ne .signingAlgorithm "" }}
+ signing_algorithm: {{ .signingAlgorithm | quote }}
+ {{- end }}
+ {{- if ne .assumeRoleARN "" }}
+ assume_role_arn: {{ .assumeRoleARN | quote }}
+ {{- end }}
+ {{- if ne .endpoint "" }}
+ endpoint: {{ .endpoint | quote }}
+ {{- end }}
+ {{- if ne .supplementalBundlePath "" }}
+ supplemental_bundle_path: {{ .supplementalBundlePath | quote }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- if gt $upstreamAuthorityUsed 1 }}
diff --git a/tests/unit/spire_test.go b/tests/unit/spire_test.go
index d22c0b8f4..4db554cef 100644
--- a/tests/unit/spire_test.go
+++ b/tests/unit/spire_test.go 
@@ -16,7 +16,7 @@ func ValueStringRender(chart *helmchart.Chart, values string) (map[string]string return nil, err } ro := helmutil.ReleaseOptions{Name: "spire", Namespace: "spire-server", Revision: 1, IsUpgrade: false, IsInstall: true} - v, err = helmutil.ToRenderValues(chart, v, ro, helmutil.DefaultCapabilities); + v, err = helmutil.ToRenderValues(chart, v, ro, helmutil.DefaultCapabilities) if err != nil { return nil, err } @@ -71,4 +71,36 @@ spire-server: Expect(notes).Should(ContainSubstring("join_token")) }) }) + Describe("spire-server.keyManager.aws_kms", func() { + It("plugin set ok", func() { + objs, err := ValueStringRender(chart, ` +spire-server: + keyManager: + awsKMS: + enabled: true + region: us-west-2 + plugin_data: {} + disk: + enabled: false +`) + Expect(err).Should(Succeed()) + notes := objs["spire/charts/spire-server/templates/configmap.yaml"] + Expect(notes).Should(ContainSubstring("\"aws_kms\": {")) + }) + }) + Describe("spire-server.UpstreamAuthority.aws_pca", func() { + It("plugin set ok", func() { + objs, err := ValueStringRender(chart, ` +spire-server: + upstreamAuthority: + awsPCA: + enabled: true + region: us-west-2 + plugin_data: {} +`) + Expect(err).Should(Succeed()) + notes := objs["spire/charts/spire-server/templates/configmap.yaml"] + Expect(notes).Should(ContainSubstring("\"aws_pca\": {")) + }) + }) }) From 7cdae9233315548b41e3f4b8f2623453b5a415be Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Sep 2023 09:12:38 -0700 Subject: [PATCH 03/36] Bump github.com/onsi/ginkgo/v2 from 2.12.0 to 2.12.1 in /tests (#490) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.0 to 2.12.1.
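Review bot: The `ContainSubstring("\"aws_kms\": {")` assertion in the new `spire-server.keyManager.aws_kms` spec, and the matching `"aws_pca": {` assertion in the spec below it, would also pass against the template this patch replaces: if the configmap is rendered as JSON, as the quoted key in the assertion suggests, the old list form `KeyManager: - aws_kms:` renders as `"KeyManager": [{"aws_kms": {` and still contains that substring, so the regression these tests were written for is not actually pinned. Assert the structure instead, for example `Expect(notes).Should(ContainSubstring("\"KeyManager\": {"))` together with `Expect(notes).ShouldNot(ContainSubstring("\"KeyManager\": ["))`, or decode the rendered config and check that `KeyManager` is a map rather than a list. The `plugin_data: {}` key in both value snippets does not correspond to anything the configmap template in this patch reads, so it can presumably be dropped. The enclosing `Describe` block starts outside the hunk.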
Release notes

Sourced from github.com/onsi/ginkgo/v2's releases.

v2.12.1

2.12.1

Fixes

  • Print logr prefix if it exists (#1275) [90d4846]

Maintenance

  • Bump actions/checkout from 3 to 4 (#1271) [555f543]
  • Bump golang.org/x/sys from 0.11.0 to 0.12.0 (#1270) [d867b7d]
Changelog

Sourced from github.com/onsi/ginkgo/v2's changelog.

2.12.1

Fixes

  • Print logr prefix if it exists (#1275) [90d4846]

Maintenance

  • Bump actions/checkout from 3 to 4 (#1271) [555f543]
  • Bump golang.org/x/sys from 0.11.0 to 0.12.0 (#1270) [d867b7d]
Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/onsi/ginkgo/v2&package-manager=go_modules&previous-version=2.12.0&new-version=2.12.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/go.mod | 4 ++-- tests/go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index 1f07383dd..4f42b2cca 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -3,7 +3,7 @@ module github.com/spiffe/helm-charts/tests go 1.20 require ( - github.com/onsi/ginkgo/v2 v2.12.0 + github.com/onsi/ginkgo/v2 v2.12.1 github.com/onsi/gomega v1.27.10 helm.sh/helm/v3 v3.12.3 ) @@ -48,7 +48,7 @@ require ( golang.org/x/crypto v0.12.0 // indirect golang.org/x/net v0.14.0 // indirect golang.org/x/oauth2 v0.4.0 // indirect - golang.org/x/sys v0.11.0 // indirect + golang.org/x/sys v0.12.0 // indirect golang.org/x/term v0.11.0 // indirect golang.org/x/text v0.12.0 // indirect golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect diff --git a/tests/go.sum b/tests/go.sum index 187b74f9c..64b1a246d 100644 --- a/tests/go.sum +++ b/tests/go.sum 
@@ -108,8 +108,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.12.0 h1:UIVDowFPwpg6yMUpPjGkYvf06K3RAiJXUhCxEwQVHRI= -github.com/onsi/ginkgo/v2 v2.12.0/go.mod h1:ZNEzXISYlqpb8S36iN71ifqLi3vVD1rVJGvWRCJOUpQ= +github.com/onsi/ginkgo/v2 v2.12.1 h1:uHNEO1RP2SpuZApSkel9nEh1/Mu+hmQe7Q+Pepg5OYA= +github.com/onsi/ginkgo/v2 v2.12.1/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 
@@ -195,8 +195,8 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM= -golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= From f04bdc36182d1c4689eb045b0199d220e12c03c2 Mon Sep 17 00:00:00 2001 From: Faisal Memon Date: Fri, 22 Sep 2023 14:55:03 -0700 Subject: [PATCH 04/36] Add support for experimental flags (#492) Add support for the experimental section of the config. Needed for developers. This PR doesnt add support for the `auth_opa_policy_engine` experimental config. --------- Signed-off-by: Faisal Memon --- charts/spire/charts/spire-server/README.md | 3 +++ .../charts/spire-server/templates/configmap.yaml | 13 +++++++++++++ charts/spire/charts/spire-server/values.yaml | 8 ++++++++ charts/spire/templates/NOTES.txt | 8 ++++++-- 4 files changed, 30 insertions(+), 2 deletions(-) diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 9222c7ac6..80f223cac 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -279,6 +279,9 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tornjak.config.clientCA.type` | Type of delivery for the user CA for TLS client verification. Options are `Secret` or `ConfigMap` (required for `mtls` connectionType) | `Secret` | | `tornjak.config.clientCA.name` | Name of the resource secret or configMap with user CA for TLS | `tornjak-client-ca` | | `tornjak.resources` | Resource requests and limits | `{}` | +| `experimental.enabled` | Allow configuration of experimental features | `false` | +| `experimental.cacheReloadInterval` | The amount of time between two reloads of the in-memory entry cache. | `5s` | +| `experimental.featureFlags` | List of developer feature flags | `[]` | | `tests.hostAliases` | List of host aliases for testing | `[]` | | `tests.tls.enabled` | Flag for enabling tls for tests | `false` | | `tests.tls.customCA` | Custom CA value for tests | `""` | diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index 1fea3197a..f540c57ff 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -49,6 +49,19 @@ server: {{- end }} {{- end }} + {{- with .Values.experimental }} + {{- if eq (.enabled | toString) "true" }} + experimental: + cache_reload_interval: {{ .cacheReloadInterval | quote }} + {{- if gt (len .featureFlags) 0 }} + feature_flags: + {{- range .featureFlags }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + plugins: DataStore: sql: diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index c66ed6056..01cf2ccf5 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml 
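Review bot: The `{{- if gt (len .featureFlags) 0 }}` guard in the new `experimental` block of spire-server's configmap.yaml will most likely error at render time if a user overrides `featureFlags` with `null`, because `len` is applied to a nil value; `with` handles both nil and empty lists: `{{- with .featureFlags }}`, `feature_flags:`, `{{- range . }}`, closing with `{{- end }}` in place of the `if`/`range` pair. `cache_reload_interval` is emitted unconditionally once `experimental.enabled` is true, so overriding `cacheReloadInterval` with an empty string renders `""` into the server config; either a `{{- if .cacheReloadInterval }}` guard or a note in values.yaml that the field is required when experimental is enabled would make that explicit.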
@@ -628,6 +628,14 @@ customPlugins: upstreamAuthority: {} notifier: {} +experimental: + ## @param experimental.enabled Allow configuration of experimental features + enabled: false + ## @param experimental.cacheReloadInterval The amount of time between two reloads of the in-memory entry cache. + cacheReloadInterval: 5s + ## @param experimental.featureFlags [array] List of developer feature flags + featureFlags: [] + tests: ## @param tests.hostAliases [array] List of host aliases for testing hostAliases: [] diff --git a/charts/spire/templates/NOTES.txt b/charts/spire/templates/NOTES.txt index 519b6c137..f1f69836a 100644 --- a/charts/spire/templates/NOTES.txt +++ b/charts/spire/templates/NOTES.txt @@ -3,6 +3,10 @@ Installed {{ .Chart.Name }}… {{- $s := add (len $up.keyManager) (len $up.nodeAttestor) (len $up.upstreamAuthority) (len $up.notifier) }} {{- if gt $s 0 }} -Warning: - You are using an unsupported plugin. Functionality of this release and future upgrades are not guaranteed to work smoothly. +Warning: You're using an unsupported plugin. Functionality of this release and future upgrades aren't guaranteed to work smoothly. +{{- end }} + +{{- if eq ((index .Values "spire-server").experimental.enabled | toString) "true" }} + +Warning: You're using an experimental config. Functionality of this release and future upgrades aren't guaranteed to work smoothly. {{- end }} From 712a0f6fbe56b3f171d064f817aa1d99f9c50c56 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Sep 2023 00:55:49 +0000 Subject: [PATCH 05/36] Bump actions/checkout from 4.0.0 to 4.1.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4.0.0...v4.1.0) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/check-versions.yaml | 2 +- .github/workflows/helm-chart-ci-ignore.yaml | 2 +- .github/workflows/helm-chart-ci.yaml | 10 +++++----- .github/workflows/helm-release.yaml | 2 +- .github/workflows/shellcheck.yaml | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/check-versions.yaml b/.github/workflows/check-versions.yaml index 6436e403c..fdf7ac8dc 100644 --- a/.github/workflows/check-versions.yaml +++ b/.github/workflows/check-versions.yaml @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4.0.0 + uses: actions/checkout@v4.1.0 - name: Set up Helm uses: azure/setup-helm@v3.5 diff --git a/.github/workflows/helm-chart-ci-ignore.yaml b/.github/workflows/helm-chart-ci-ignore.yaml index eb0216564..3e88952ad 100644 --- a/.github/workflows/helm-chart-ci-ignore.yaml +++ b/.github/workflows/helm-chart-ci-ignore.yaml @@ -43,7 +43,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4.0.0 + uses: actions/checkout@v4.1.0 - id: set-matrix name: Collect all examples diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index 87fba53d6..c8f03d033 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml 
@@ -32,7 +32,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4.0.0 + uses: actions/checkout@v4.1.0 - name: Verify Docs updated run: ./helm-docs.sh @@ -94,7 +94,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4.0.0 + uses: actions/checkout@v4.1.0 with: fetch-depth: 0 @@ -136,7 +136,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4.0.0 + uses: actions/checkout@v4.1.0 with: fetch-depth: 0 @@ -184,7 +184,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4.0.0 + uses: actions/checkout@v4.1.0 - id: set-matrix name: Collect all examples @@ -216,7 +216,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4.0.0 + uses: actions/checkout@v4.1.0 - name: Set up Helm uses: azure/setup-helm@v3.5 diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index 5201f551c..b700d4310 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4.0.0 + uses: actions/checkout@v4.1.0 with: fetch-depth: 0 diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml index 5f59c6697..9840317c5 100644 --- a/.github/workflows/shellcheck.yaml +++ b/.github/workflows/shellcheck.yaml @@ -21,7 +21,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4.0.0 + uses: actions/checkout@v4.1.0 - name: Run Shellcheck uses: ludeeus/action-shellcheck@2.0.0 From 50825d9fc9c243cce381aa246e2b0e0cb2cd0ba0 Mon Sep 17 00:00:00 2001 
From: kfox1111 Date: Mon, 25 Sep 2023 12:06:48 -0700 Subject: [PATCH 06/36] Deny production runs of example.org trust domains (#229) --- .../spire-root-server-values.yaml | 6 +++ .github/tests/dependencies/testcert.yaml | 4 +- charts/spire/README.md | 1 + .../templates/configmap.yaml | 2 + .../spire-agent/templates/configmap.yaml | 2 + charts/spire/charts/spire-server/README.md | 2 +- .../spire-server/templates/configmap.yaml | 6 +++ charts/spire/charts/spire-server/values.yaml | 2 +- charts/spire/templates/_spire-lib.tpl | 15 +++++++ charts/spire/values.yaml | 3 ++ examples/external-mysql/run-tests.sh | 2 +- examples/external-postgresql/run-tests.sh | 2 +- examples/nested/run-tests.sh | 4 +- examples/production/example-your-values.yaml | 45 +++++++++++++++++++ examples/production/run-tests.sh | 22 ++++----- examples/production/values.yaml | 2 + 16 files changed, 101 insertions(+), 19 deletions(-) create mode 100644 examples/production/example-your-values.yaml diff --git a/.github/tests/dependencies/spire-root-server-values.yaml b/.github/tests/dependencies/spire-root-server-values.yaml index 02ef8cffc..f58836640 100644 --- a/.github/tests/dependencies/spire-root-server-values.yaml +++ b/.github/tests/dependencies/spire-root-server-values.yaml @@ -1,3 +1,9 @@ +global: + spire: + clusterName: production + trustDomain: production.other + jwtIssuer: oidc-discovery.production.other + spire-server: controllerManager: enabled: false diff --git a/.github/tests/dependencies/testcert.yaml b/.github/tests/dependencies/testcert.yaml index a16b5c9bf..c639cb2cd 100644 --- a/.github/tests/dependencies/testcert.yaml +++ b/.github/tests/dependencies/testcert.yaml @@ -43,8 +43,8 @@ metadata: name: oidc spec: dnsNames: - - oidc-discovery.example.org - - spire-server-federation.example.org + - oidc-discovery.production.other + - spire-server-federation.production.other secretName: tls-cert issuerRef: name: demo-ca 
diff --git a/charts/spire/README.md b/charts/spire/README.md index 107f98080..0a6d6a393 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -98,6 +98,7 @@ Now you can interact with the Spire agent socket from your own application. The | `global.spire.trustDomain` | The trust domain for Spire install | `example.org` | | `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` | | `global.spire.image.registry` | Override all Spire image registries at once | `""` | +| `global.spire.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `false` | | `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | | `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml index 5fc7e7051..ed554059b 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml @@ -1,3 +1,5 @@ +{{- include "spire-lib.check-strict-mode" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}} +{{- include "spire-lib.check-strict-mode" (list . "jwtIssuer must be set" (eq (include "spire-lib.jwt-issuer" .) "https://oidc-discovery.example.org"))}} {{- $oidcSocket := "/run/spire/oidc-sockets/spire-oidc-server.sock" }} {{- define "spiffe-oidc-discovery-provider.yaml-config" -}} {{- $oidcSocket := .oidcSocket }} diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index b1662e440..bc4fa4eb5 100644 
--- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -1,3 +1,5 @@ +{{- include "spire-lib.check-strict-mode" (list . "clusterName must be set" (eq (include "spire-lib.cluster-name" .) "example-cluster"))}} +{{- include "spire-lib.check-strict-mode" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}} {{- define "spire-agent.yaml-config" -}} agent: data_dir: "/run/spire" diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 80f223cac..bf21975ab 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -153,7 +153,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `federation.ingress.annotations` | Annotations for the ingress object | `{}` | | `federation.ingress.hosts` | Host paths for ingress object | `[]` | | `federation.ingress.tls` | Secrets containining TLS certs to enable https on ingress | `[]` | -| `ca_subject.country` | Country for Spire server CA | `NL` | +| `ca_subject.country` | Country for Spire server CA | `ARPA` | | `ca_subject.organization` | Organization for Spire server CA | `Example` | | `ca_subject.common_name` | Common Name for Spire server CA | `example.org` | | `keyManager.disk.enabled` | Flag to enable keyManager on disk | `true` | diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index f540c57ff..94e8d1e0e 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml 
@@ -1,3 +1,9 @@ +{{- include "spire-lib.check-strict-mode" (list . "clusterName must be set" (eq (include "spire-lib.cluster-name" .) "example-cluster"))}} +{{- include "spire-lib.check-strict-mode" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}} +{{- include "spire-lib.check-strict-mode" (list . "jwtIssuer must be set" (eq (include "spire-lib.jwt-issuer" .) "https://oidc-discovery.example.org"))}} +{{- include "spire-lib.check-strict-mode" (list . "ca_subject.county must be set" (eq .Values.ca_subject.country "ARPA"))}} +{{- include "spire-lib.check-strict-mode" (list . "ca_subject.organization must be set" (eq .Values.ca_subject.organization "Example"))}} +{{- include "spire-lib.check-strict-mode" (list . "ca_subject.common_name must be set" (eq .Values.ca_subject.common_name "example.org"))}} {{- range $type, $tvals := .Values.customPlugins }} {{- if not (has $type (list "keyManager" "nodeAttestor" "upstreamAuthority" "notifier")) }} {{- fail (printf "Unknown plugin type specified: %s" $type) }} diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 01cf2ccf5..348e1a750 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -225,7 +225,7 @@ federation: ca_subject: ## @param ca_subject.country Country for Spire server CA - country: NL + country: ARPA ## @param ca_subject.organization Organization for Spire server CA organization: Example ## @param ca_subject.common_name Common Name for Spire server CA diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl index 2c7835157..64152ac5a 100644 --- a/charts/spire/templates/_spire-lib.tpl +++ b/charts/spire/templates/_spire-lib.tpl 
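Review bot: The fourth added line in spire-server's configmap.yaml reports `ca_subject.county must be set` while the value it inspects is `ca_subject.country`, so the failure text should read `ca_subject.country must be set`; a misspelled field name in a render failure sends the operator to the wrong key. These guards only fire when `global.spire.strictMode` is true, which the values.yaml hunk in this commit defaults to `false`, so the deny in the commit title is opt-in; the README row added for `strictMode` could say that the chart then refuses to render rather than warn, which is what `spire-lib.check-strict-mode` does via `fail`. The same include pattern, without the typo, is repeated in the spire-agent and spiffe-oidc-discovery-provider configmaps.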
@@ -107,3 +107,18 @@ rules: {{- end }} {{- include "spire-lib.image" $root }} {{- end }} + +{{/* +Take in an array of, '.', a failure string to display, and boolean to to display it, +if strictMode is enabled and the boolean is true +*/}} +{{- define "spire-lib.check-strict-mode" }} +{{ $root := index . 0 }} +{{ $message := index . 1 }} +{{ $condition := index . 2 }} +{{- if (dig "spire" "strictMode" false $root.Values.global) }} +{{- if $condition }} +{{- fail $message }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 06493faba..bcb9c45b8 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -24,6 +24,9 @@ global: ## @param global.spire.image.registry Override all Spire image registries at once registry: "" + ## @param global.spire.strictMode Check values, such as trustDomain, are overridden with a suitable value for production. + strictMode: false + installAndUpgradeHooks: ## @param global.installAndUpgradeHooks.enabled Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) enabled: true diff --git a/examples/external-mysql/run-tests.sh b/examples/external-mysql/run-tests.sh index 76d6c1bdd..6815b296d 100755 --- a/examples/external-mysql/run-tests.sh +++ b/examples/external-mysql/run-tests.sh @@ -32,7 +32,7 @@ helm upgrade --install mysql mysql --version "$VERSION_MYSQL" --repo "$HELM_REPO --wait helm upgrade --install --namespace "spire-server" \ - --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml" \ + --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml,${SCRIPTPATH}/../production/example-your-values.yaml" \ --set 'spire-server.dataStore.sql.password=sp1ff3Test' --wait spire charts/spire helm test --namespace "spire-server" spire 
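Review bot: The three variable assignments in the new `spire-lib.check-strict-mode` define use untrimmed `{{ ... }}` delimiters, so every include of it emits newlines into the rendered manifest even when strict mode is off; the callers trim only the left side of the `include` action. Use `{{- $root := index . 0 }}`, `{{- $message := index . 1 }}` and `{{- $condition := index . 2 }}` so the helper renders to nothing. The comment above it has a doubled word, `boolean to to display it`, and would be clearer stating the calling convention, e.g. `Usage: include "spire-lib.check-strict-mode" (list . "message" condition)`. Failing the render is the right behaviour for a production guardrail, since it stops install, upgrade and template runs rather than only printing a NOTES warning.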
diff --git a/examples/external-postgresql/run-tests.sh b/examples/external-postgresql/run-tests.sh index fdb310d2e..388da84ab 100755 --- a/examples/external-postgresql/run-tests.sh +++ b/examples/external-postgresql/run-tests.sh @@ -32,7 +32,7 @@ helm upgrade --install postgresql postgresql --version "$VERSION_POSTGRESQL" --r --wait helm upgrade --install --namespace "spire-server" \ - --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml" \ + --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml,${SCRIPTPATH}/../production/example-your-values.yaml" \ --set 'spire-server.dataStore.sql.password=sp1ff3Test' --wait spire charts/spire helm test --namespace "spire-server" spire diff --git a/examples/nested/run-tests.sh b/examples/nested/run-tests.sh index a3ae4eb0a..0bace5dbf 100755 --- a/examples/nested/run-tests.sh +++ b/examples/nested/run-tests.sh 
@@ -34,10 +34,10 @@ helm upgrade --install --create-namespace spire charts/spire \ --wait kubectl get nodes -o go-template='{{range .items}}{{printf "%s\n" .metadata.uid}}{{end}}' | while read -r line; do - kubectl exec -t spire-server-0 -n "spire-root-server" -- spire-server entry create -spiffeID spiffe://example.org/example-cluster/nested-spire -parentID "spiffe://example.org/spire/agent/k8s_psat/example-cluster/$line" -selector k8s:pod-label:app.kubernetes.io/name:server -downstream + kubectl exec -t spire-server-0 -n "spire-root-server" -- spire-server entry create -spiffeID spiffe://production.other/production/nested-spire -parentID "spiffe://production.other/spire/agent/k8s_psat/production/$line" -selector k8s:pod-label:app.kubernetes.io/name:server -downstream done -helm upgrade --install --create-namespace --namespace spire-server --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml" \ +helm upgrade --install --create-namespace --namespace spire-server --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml,${SCRIPTPATH}/../production/example-your-values.yaml" \ --wait spire charts/spire helm test --namespace spire-server spire diff --git a/examples/production/example-your-values.yaml b/examples/production/example-your-values.yaml new file mode 100644 index 000000000..be5efa32a --- /dev/null +++ b/examples/production/example-your-values.yaml 
@@ -0,0 +1,45 @@ +global: + spire: + clusterName: production + trustDomain: production.other + jwtIssuer: oidc-discovery.production.other + +spire-server: + ca_subject: + country: US + organization: Production + common_name: production.other + + ingress: + hosts: + - host: spire-server.production.other + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - spire-server.production.other + federation: + ingress: + hosts: + - host: spire-server-federation.production.other + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - spire-server-federation.production.other + secretName: tls-cert + +spiffe-oidc-discovery-provider: + ingress: + hosts: + - host: oidc-discovery.production.other + paths: + - path: / + pathType: Prefix + tls: + - secretName: tls-cert + hosts: + - oidc-discovery.production.other + diff --git a/examples/production/run-tests.sh b/examples/production/run-tests.sh index f47f53a9d..3f28928a0 100755 --- a/examples/production/run-tests.sh +++ b/examples/production/run-tests.sh @@ -48,7 +48,7 @@ kubectl apply -f "${DEPS}/testcert.yaml" -n spire-server --wait ip=$(kubectl get svc -n ingress-nginx ingress-nginx-controller -o go-template='{{ .spec.clusterIP }}') -echo "$ip" oidc-discovery.example.org +echo "$ip" oidc-discovery.production.other cat > /tmp/dummydns < Date: Mon, 2 Oct 2023 09:17:34 +0200 Subject: [PATCH 07/36] Add back CODE-OF-CONDUCT Signed-off-by: Marco Franssen --- CODE-OF-CONDUCT.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 CODE-OF-CONDUCT.md diff --git a/CODE-OF-CONDUCT.md b/CODE-OF-CONDUCT.md new file mode 100644 index 000000000..e758eacb6 --- /dev/null +++ b/CODE-OF-CONDUCT.md 
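Review bot: `jwtIssuer: oidc-discovery.production.other` in the new example-your-values.yaml carries no scheme, while the strict-mode check added to spire-server's configmap compares the issuer against `https://oidc-discovery.example.org`; if `spire-lib.jwt-issuer` passes the configured value through unchanged, the issuer advertised by the OIDC discovery provider would not be an https URL, so confirm against that helper and use `https://oidc-discovery.production.other` if needed. The `spire-server` ingress lists a TLS host without a `secretName`, unlike the `federation` and OIDC ingresses that reference `tls-cert`; the test certificate in `.github/tests/dependencies/testcert.yaml` only names the oidc-discovery and federation hosts, so this looks deliberate, but a comment saying the controller's default certificate is intended there would help anyone copying this file as a starting point. The same scheme-less `jwtIssuer` appears in the `spire-root-server-values.yaml` hunk.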
@@ -0,0 +1,19 @@ +### Contributor Code of Conduct + +We follow the [CNCF Contributor Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md). Additionally, we commit to the following guidelines as detailed on the [Linkerd Code of Conduct](https://github.com/linkerd/linkerd/wiki/Linkerd-code-of-conduct): + +### Community Guidelines + +- Our goal is to foster an inclusive and diverse community of technology enthusiasts. + +- Try to be your best self. Treat your fellow community members with kindness and empathy. We welcome disagreements when they are conducted respectfully and without personal attacks. + +- We ask that you keep unstructured critique to a minimum. Disparaging remarks about the project are unnecessary and a drain on community morale. Feedback should be constructive and relevant. Having passionately held opinions on what should improve is encouraged! We hope you will use that enthusiasm to roll up your sleeves and get involved by submitting pull requests. We have additional guidelines on [how to ask constructive questions](https://github.com/linkerd/linkerd/wiki/How-To-Ask-Questions-in-Slack). + +- We don't tolerate insults, spamming, trolling, flaming, baiting, or harassment. We don't tolerate sexual language, imagery, or unwanted advances. Private harassment is also unacceptable. + +- We do our best to avoid [subtle-isms](https://www.recurse.com/manual#sub-sec-social-rules): small actions that make others feel uncomfortable. If you witness a subtle-ism, you may respectfully point it out to the person publicly or privately, or you may ask a moderator to say something. Accidentally saying something biased is common, expected, and readily forgiven. It is not in and of itself a bannable offense. + +### Moderation + +- If you feel any of SPIFFE's communication channels require moderation, please e-mail the [SPIFFE Steering Committee (SSC)](mailto:ssc@spiffe.io). 
From babd677649c0dc1d86f3d87f90b405b98676d246 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 07:15:38 +0000 Subject: [PATCH 08/36] Bump helm.sh/helm/v3 from 3.12.3 to 3.13.0 in /tests Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.12.3 to 3.13.0. - [Release notes](https://github.com/helm/helm/releases) - [Commits](https://github.com/helm/helm/compare/v3.12.3...v3.13.0) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- tests/go.mod | 28 ++++++------ tests/go.sum | 122 +++++++++++++-------------------------------------- 2 files changed, 44 insertions(+), 106 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index 4f42b2cca..275bfad82 100644 --- a/tests/go.mod +++ b/tests/go.mod 
@@ -5,26 +5,26 @@ go 1.20 require ( github.com/onsi/ginkgo/v2 v2.12.1 github.com/onsi/gomega v1.27.10 - helm.sh/helm/v3 v3.12.3 + helm.sh/helm/v3 v3.13.0 ) require ( - github.com/BurntSushi/toml v1.2.1 // indirect + github.com/BurntSushi/toml v1.3.2 // indirect github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/semver/v3 v3.2.1 // indirect github.com/Masterminds/sprig/v3 v3.2.3 // indirect - github.com/cyphar/filepath-securejoin v0.2.3 // indirect + github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/emicklei/go-restful/v3 v3.10.1 // indirect github.com/go-logr/logr v1.2.4 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect - github.com/go-openapi/jsonreference v0.20.1 // indirect + github.com/go-openapi/jsonreference v0.20.2 // indirect github.com/go-openapi/swag v0.22.3 // indirect github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/protobuf v1.5.3 // indirect - github.com/google/gnostic v0.5.7-v3refs // indirect + github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect 
@@ -47,24 +47,24 @@ require ( github.com/xeipuuv/gojsonschema v1.2.0 // indirect golang.org/x/crypto v0.12.0 // indirect golang.org/x/net v0.14.0 // indirect - golang.org/x/oauth2 v0.4.0 // indirect + golang.org/x/oauth2 v0.8.0 // indirect golang.org/x/sys v0.12.0 // indirect golang.org/x/term v0.11.0 // indirect golang.org/x/text v0.12.0 // indirect - golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect + golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.12.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/protobuf v1.28.1 // indirect + google.golang.org/protobuf v1.30.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.27.3 // indirect - k8s.io/apiextensions-apiserver v0.27.3 // indirect - k8s.io/apimachinery v0.27.3 // indirect - k8s.io/client-go v0.27.3 // indirect + k8s.io/api v0.28.2 // indirect + k8s.io/apiextensions-apiserver v0.28.2 // indirect + k8s.io/apimachinery v0.28.2 // indirect + k8s.io/client-go v0.28.2 // indirect k8s.io/klog/v2 v2.100.1 // indirect - k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect - k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 // indirect + k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect + k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect diff --git a/tests/go.sum b/tests/go.sum index 64b1a246d..4c704ae0f 100644 --- a/tests/go.sum +++ b/tests/go.sum 
@@ -1,7 +1,5 @@ -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak= -github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= +github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= 
@@ -9,30 +7,25 @@ github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0 github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA= github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM= -github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= -github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= +github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ= github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/envoyproxy/go-control-plane 
v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= -github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8= -github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= 
@@ -41,27 +34,12 @@ github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= -github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= -github.com/google/go-cmp 
v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= @@ -86,9 +64,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= -github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -116,7 +93,6 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8= @@ -125,7 +101,6 @@ github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkU github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w= github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= -github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= 
@@ -136,7 +111,7 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= 
@@ -154,18 +129,10 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk= golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= -golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -176,16 +143,12 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14= golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.4.0 h1:NF0gk8LVPg1Ml7SSbGyySuoxdsXitj7TvgvuRxIMc/M= -golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= +golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -209,13 +172,9 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc= golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44= -golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= -golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 
@@ -226,31 +185,13 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= -google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= -google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= 
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= -google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= +google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= 
@@ -261,28 +202,25 @@ gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -helm.sh/helm/v3 v3.12.3 h1:5y1+Sbty12t48T/t/CGNYUIME5BJ0WKfmW/sobYqkFg= -helm.sh/helm/v3 v3.12.3/go.mod h1:KPKQiX9IP5HX7o5YnnhViMnNuKiL/lJBVQ47GHe1R0k= -honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.27.3 h1:yR6oQXXnUEBWEWcvPWS0jQL575KoAboQPfJAuKNrw5Y= -k8s.io/api v0.27.3/go.mod h1:C4BNvZnQOF7JA/0Xed2S+aUyJSfTGkGFxLXz9MnpIpg= -k8s.io/apiextensions-apiserver v0.27.3 h1:xAwC1iYabi+TDfpRhxh4Eapl14Hs2OftM2DN5MpgKX4= -k8s.io/apiextensions-apiserver v0.27.3/go.mod h1:BH3wJ5NsB9XE1w+R6SSVpKmYNyIiyIz9xAmBl8Mb+84= -k8s.io/apimachinery v0.27.3 h1:Ubye8oBufD04l9QnNtW05idcOe9Z3GQN8+7PqmuVcUM= -k8s.io/apimachinery v0.27.3/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= -k8s.io/client-go v0.27.3 h1:7dnEGHZEJld3lYwxvLl7WoehK6lAq7GvgjxpA3nv1E8= -k8s.io/client-go v0.27.3/go.mod h1:2MBEKuTo6V1lbKy3z1euEGnhPfGZLKTS9tiJ2xodM48= +helm.sh/helm/v3 v3.13.0 h1:XPJKIU30K4JTQ6VX/6e0hFAmEIonYa8E7wx5aqv4xOc= +helm.sh/helm/v3 v3.13.0/go.mod h1:2PBEKsMWKLVZTojUOqMS3Eadv5mP43FBWrRgLNkNm9Y= +k8s.io/api v0.28.2 h1:9mpl5mOb6vXZvqbQmankOfPIGiudghwCoLl1EYfUZbw= +k8s.io/api v0.28.2/go.mod 
h1:RVnJBsjU8tcMq7C3iaRSGMeaKt2TWEUXcpIt/90fjEg= +k8s.io/apiextensions-apiserver v0.28.2 h1:J6/QRWIKV2/HwBhHRVITMLYoypCoPY1ftigDM0Kn+QU= +k8s.io/apiextensions-apiserver v0.28.2/go.mod h1:5tnkxLGa9nefefYzWuAlWZ7RZYuN/765Au8cWLA6SRg= +k8s.io/apimachinery v0.28.2 h1:KCOJLrc6gu+wV1BYgwik4AF4vXOlVJPdiqn0yAWWwXQ= +k8s.io/apimachinery v0.28.2/go.mod h1:RdzF87y/ngqk9H4z3EL2Rppv5jj95vGS/HaFXrLDApU= +k8s.io/client-go v0.28.2 h1:DNoYI1vGq0slMBN/SWKMZMw0Rq+0EQW6/AK4v9+3VeY= +k8s.io/client-go v0.28.2/go.mod h1:sMkApowspLuc7omj1FOSUxSoqjr+d5Q0Yc0LOFnYFJY= k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= -k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= -k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 h1:kmDqav+P+/5e1i9tFfHq1qcF3sOrDp+YEkVDAHu7Jwk= -k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= +k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= +k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= From f86648f318249387b22c8fa3cd4e2e4b1e33b8f9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 07:25:09 +0000 Subject: [PATCH 09/36] Bump github.com/onsi/gomega from 1.27.10 to 1.28.0 in /tests Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.10 to 1.28.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.10...v1.28.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- tests/go.mod | 2 +- tests/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index 275bfad82..befcd4d1c 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -4,7 +4,7 @@ go 1.20 require ( github.com/onsi/ginkgo/v2 v2.12.1 - github.com/onsi/gomega v1.27.10 + github.com/onsi/gomega v1.28.0 helm.sh/helm/v3 v3.13.0 ) diff --git a/tests/go.sum b/tests/go.sum index 4c704ae0f..4895565ad 100644 --- a/tests/go.sum +++ b/tests/go.sum 
@@ -87,8 +87,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onsi/ginkgo/v2 v2.12.1 h1:uHNEO1RP2SpuZApSkel9nEh1/Mu+hmQe7Q+Pepg5OYA= github.com/onsi/ginkgo/v2 v2.12.1/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= -github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= -github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= +github.com/onsi/gomega v1.28.0 h1:i2rg/p9n/UqIDAMFUJ6qIUUMcsqOuUHgbpbu235Vr1c= +github.com/onsi/gomega v1.28.0/go.mod h1:A1H2JE76sI14WIP57LMKj7FVfCHx3g3BcZVjJG8bjX8= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= From 21db1e4b9ab54c06b0d37fbbdc08d48d37a01be4 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Mon, 2 Oct 2023 17:05:25 -0700 Subject: [PATCH 10/36] Add a test to ensure upgrades work (#6) * Add a test to ensure upgrades work Signed-off-by: Kevin Fox * Update examples/production/run-tests.sh Co-authored-by: Faisal Memon --------- Signed-off-by: Kevin Fox Co-authored-by: Faisal Memon --- .github/workflows/helm-chart-ci.yaml | 41 +++++++++++++++++++++++ examples/production/run-tests.sh | 50 +++++++++++++++++++++------- 2 files changed, 79 insertions(+), 12 deletions(-) diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index c8f03d033..47077560a 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml 
@@ -239,3 +239,44 @@ jobs: - name: Install and test example run: ${{ matrix.example }}/run-tests.sh + + upgrade-test: + runs-on: ubuntu-22.04 + + needs: + - lint-chart + - build-matrix + + strategy: + fail-fast: false + matrix: + k8s: + - v1.27.2 + - v1.26.4 + - v1.25.9 + + steps: + - name: Checkout + uses: actions/checkout@v4.0.0 + + - name: Set up Helm + uses: azure/setup-helm@v3.5 + with: + version: ${{ env.HELM_VERSION }} + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: ${{ env.PYTHON_VERSION }} + + - name: Create kind cluster + uses: helm/kind-action@v1.8.0 + # Only build a kind cluster if there are chart changes to test. + with: + version: ${{ env.KIND_VERSION }} + node_image: kindest/node:v1.26.4 + config: .github/kind/conf/kind-config.yaml + verbosity: 1 + + - name: Install and test example + run: examples/production/run-tests.sh -u diff --git a/examples/production/run-tests.sh b/examples/production/run-tests.sh index 3f28928a0..05102f794 100755 --- a/examples/production/run-tests.sh +++ b/examples/production/run-tests.sh @@ -2,6 +2,9 @@ set -xe +UPGRADE_VERSION=v0.13.0 +UPGRADE_REPO=https://spiffe.github.io/helm-charts-hardened + SCRIPT="$(readlink -f "$0")" SCRIPTPATH="$(dirname "${SCRIPT}")" TESTDIR="${SCRIPTPATH}/../../.github/tests" @@ -15,6 +18,17 @@ source "${TESTDIR}/common.sh" helm_install=(helm upgrade --install --create-namespace) ns=spire-server +UPGRADE_ARGS="" + +for i in "$@"; do + case $i in + -u) + UPGRADE_ARGS="--repo $UPGRADE_REPO --version $UPGRADE_VERSION" + shift # past argument=value + ;; + esac +done + teardown() { helm uninstall --namespace "${ns}" spire 2>/dev/null || true kubectl delete ns "${ns}" 2>/dev/null || true 
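Review bot: The new `upgrade-test` job declares a `matrix.k8s` with three versions but never references it; the kind step hardcodes `node_image: kindest/node:v1.26.4`, so all three matrix entries run the identical cluster and the v1.27.2 and v1.25.9 runs prove nothing. The line should read `node_image: kindest/node:${{ matrix.k8s }}`. The comment `# Only build a kind cluster if there are chart changes to test.` above the `with:` block describes an `if:` condition that this step does not have, so it should either gain the condition the other jobs use or lose the comment. Also, `actions/setup-python@v4` is the only action in this job not pinned to a full release like `actions/checkout@v4.0.0` and `helm/kind-action@v1.8.0`; pinning it the same way keeps the job's dependency set reproducible.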
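Review bot: In the new argument loop, `shift` inside `for i in "$@"` has no effect on the iteration (the list is expanded once before the loop starts) and the `# past argument=value` comment is a leftover from a `--key=value` template, so both are misleading; the loop also silently ignores anything other than `-u`, so a typo such as `-U` runs the non-upgrade path and looks green. I would drop the `shift` and its comment and add a catch-all arm, `*) echo "unknown argument: $i" >&2; exit 1 ;;`, so the CI invocation `run-tests.sh -u` cannot degrade quietly. The `UPGRADE_REPO`/`UPGRADE_VERSION` definitions are in the preceding hunk of the same file; the consumer of `UPGRADE_ARGS` is in a later one.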
@@ -70,19 +84,31 @@ spire-server: - "spire-server-federation.production.other" EOF -"${helm_install[@]}" spire charts/spire \ - --namespace "${ns}" \ - --values "${SCRIPTPATH}/values.yaml" \ - --values "${SCRIPTPATH}/values-export-spiffe-oidc-discovery-provider-ingress-nginx.yaml" \ - --values "${SCRIPTPATH}/values-export-spire-server-ingress-nginx.yaml" \ - --values "${SCRIPTPATH}/values-export-federation-https-web-ingress-nginx.yaml" \ - --values /tmp/dummydns \ - --set spiffe-oidc-discovery-provider.tests.tls.customCA=tls-cert,spire-server.tests.tls.customCA=tls-cert \ - --set spire-agent.server.address=spire-server.production.other,spire-agent.server.port=443 \ - --values "${SCRIPTPATH}/example-your-values.yaml" \ - --wait +install_and_test() { + # Can't pass an array to a function. We completely control the string so its safe. + # shellcheck disable=SC2086 + "${helm_install[@]}" spire "$1" \ + --namespace "${ns}" \ + --values "${SCRIPTPATH}/values.yaml" \ + --values "${SCRIPTPATH}/values-export-spiffe-oidc-discovery-provider-ingress-nginx.yaml" \ + --values "${SCRIPTPATH}/values-export-spire-server-ingress-nginx.yaml" \ + --values "${SCRIPTPATH}/values-export-federation-https-web-ingress-nginx.yaml" \ + --values /tmp/dummydns \ + --set spiffe-oidc-discovery-provider.tests.tls.customCA=tls-cert,spire-server.tests.tls.customCA=tls-cert \ + --set spire-agent.server.address=spire-server.production.other,spire-agent.server.port=443 \ + --values "${SCRIPTPATH}/example-your-values.yaml" \ + $2 \ + --wait + + helm test --namespace "${ns}" spire +} + +if [[ -n "$UPGRADE_ARGS" ]]; then + install_and_test spire "$UPGRADE_ARGS" + # Any other upgrade steps go here. (Upgrade crds, delete statefulsets without cascade, etc.) +fi -helm test --namespace "${ns}" spire +install_and_test charts/spire "" if helm get manifest -n spire-server spire | grep -i example; then echo Global settings did not work. Please fix. 
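Review bot: The comment `# Can't pass an array to a function. We completely control the string so its safe.` is not accurate — bash functions receive positional parameters, so the extra helm flags can be passed as separate arguments and expanded with `"$@"` rather than relying on the unquoted `$2` word-splitting that forced the `# shellcheck disable=SC2086` exemption. Take the chart as the first argument and forward the rest: add `local chart=$1; shift` at the top of `install_and_test`, use `"${helm_install[@]}" spire "$chart" \` and replace `$2 \` with `"$@" \`, then call it as `install_and_test spire --repo "$UPGRADE_REPO" --version "$UPGRADE_VERSION"` and `install_and_test charts/spire`. That keeps every value quoted end to end, removes the exemption, and lets the `-u` handling in the earlier hunk set a simple flag instead of building a string that must later be split. The script continues past this hunk; the `helm get manifest` check at its tail is the last part visible here.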
From 51c20b1ec204999a111723dafb77cfcd95016d67 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 21:12:05 -0700 Subject: [PATCH 11/36] Bump actions/checkout from 4.0.0 to 4.1.0 (#9) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v4.1.0) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/helm-chart-ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index 47077560a..c9c8a91a0 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml @@ -257,7 +257,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4.0.0 + uses: actions/checkout@v4.1.0 - name: Set up Helm uses: azure/setup-helm@v3.5 From c23e6cb3b18fcbff60a95b7efd033563f2cbe5f9 Mon Sep 17 00:00:00 2001 From: Faisal Memon Date: Mon, 2 Oct 2023 14:22:06 -0700 Subject: [PATCH 12/36] Fix issue with version checker not running Signed-off-by: Faisal Memon --- .github/workflows/check-versions.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/check-versions.yaml b/.github/workflows/check-versions.yaml index fdf7ac8dc..0a395f68b 100644 --- a/.github/workflows/check-versions.yaml +++ b/.github/workflows/check-versions.yaml @@ -36,6 +36,7 @@ jobs: uses: actions/setup-go@v4.1.0 with: go-version: '1.21' + cache: false - name: Setup crane uses: imjasonh/setup-crane@v0.3 From ebfa518a4b3c1b3da1aa98fc21c19e2c7c9d3a8b Mon Sep 17 00:00:00 2001 
From: Faisal Memon Date: Wed, 4 Oct 2023 09:11:58 -0700 Subject: [PATCH 13/36] Update FAQ from repo switch (#15) * Update FAQ from repo switch Signed-off-by: Faisal Memon * Add note about repo name Signed-off-by: Faisal Memon * Clarify old and new forks Signed-off-by: Faisal Memon --------- Signed-off-by: Faisal Memon --- FAQ.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/FAQ.md b/FAQ.md index 61d5b56b8..25313eac2 100644 --- a/FAQ.md +++ b/FAQ.md 
@@ -1,9 +1,36 @@ # Frequently Asked Questions +- [How does this repo relate to the helm-charts repo?](#how-does-this-repo-relate-to-the-helm-charts-repo) +- [How do I migrate my changeset from the old helm-charts repo to this one?](#how-do-i-migrate-my-changeset-from-the-old-helm-charts-repo-to-this-one) +- [How do I update my helm registry to point to this one?](#how-do-i-update-my-helm-registry-to-point-to-this-one) - [Pods are stuck terminating after uninstall. How do I fix it?](#pods-are-stuck-terminating-after-uninstall-how-do-i-fix-it) - [Uninstall is stuck. How do I fix it?](#uninstall-is-stuck-how-do-i-fix-it) - [The PSAT plugin is not working](#the-psat-plugin-is-not-working) +## How does this repo relate to the helm-charts repo? + +The helm-charts repo has been archived. This repo has all the commit history and releases copied over from that repo and is continuing development to provide a SPIRE helm chart for the community to use and contribute to. + +## How do I migrate my changeset from the old helm-charts repo to this one? + +Run one of these commands to switch to the new repo: + +- If working off a branch (maintainers with write access): `git remote set-url origin git@github.com:spiffe/helm-charts-hardened.git` +- If working off a fork: + 1. Create a new fork of helm-charts-hardened + 1. In your local clone of your old fork of helm-charts: `git remote set-url origin https://github.com//helm-charts-hardened.git` + +Then just `git push` your branches. Git history has been migrated over so you can just push your existing branches without issues. + +## How do I update my helm registry to point to this one? + +Assuming you named the repo `spiffe`: + +``` bash +helm repo remove spiffe +helm repo add spiffe https://spiffe.github.io/helm-charts-hardened +``` + ## Pods are stuck terminating after uninstall. How do I fix it? 
If you uninstall the SPIRE chart before all users of the CSI driver are removed, Pods will get stuck in a terminating state waiting for the driver, that no longer is installed, to unmount the volumes for the Pod. In order to fix this, reinstall the chart and remove all affected workloads that are not part of the SPIRE helm chart itself, before attempting to remove SPIRE again. From a6cb3974ac01d1bedafa03e1924f23db3406e943 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Thu, 5 Oct 2023 10:23:50 -0700 Subject: [PATCH 14/36] Exit code from diff indicating changes should not block commit. (#17) Signed-off-by: Kevin Fox --- .github/scripts/update-tags.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/scripts/update-tags.sh b/.github/scripts/update-tags.sh index 916222616..d63df4775 100755 --- a/.github/scripts/update-tags.sh +++ b/.github/scripts/update-tags.sh @@ -71,4 +71,4 @@ jq -r '. | keys[]' "$IMAGEJSON" | while read -r CHART; do fi done done -"${SCRIPTPATH}/../../helm-docs.sh" +"${SCRIPTPATH}/../../helm-docs.sh" || true From 8aca48f14c963b58f343cdcbd0fd6e1170de7448 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Thu, 5 Oct 2023 10:40:32 -0700 Subject: [PATCH 15/36] Push the changes that update-tags creates (#19) * Exit code from diff indicating changes should not block commit. Signed-off-by: Kevin Fox * Push the changes that update-tags creates Signed-off-by: Kevin Fox --------- Signed-off-by: Kevin Fox --- .github/workflows/check-versions.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/check-versions.yaml b/.github/workflows/check-versions.yaml index 0a395f68b..7a39ffc04 100644 --- a/.github/workflows/check-versions.yaml +++ b/.github/workflows/check-versions.yaml @@ -71,6 +71,7 @@ jobs: signoff: true add-paths: | .github/tests + charts - name: Check outputs if: ${{ steps.cpr.outputs.pull-request-number }} From 06d6690d71972ad0ef12d9549e563d18d225d197 Mon Sep 17 00:00:00 2001 
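Review bot: `"${SCRIPTPATH}/../../helm-docs.sh" || true` masks every non-zero exit from helm-docs.sh, not just the status 1 that diff uses to report "files differ", so a broken template or a missing `helm-docs` binary now passes silently in the check-versions workflow that calls this script. If the script's exit status comes from its diff step, allow only that value: `"${SCRIPTPATH}/../../helm-docs.sh" || [[ $? -eq 1 ]]`. helm-docs.sh itself is not visible here, so confirm which statuses it actually returns before narrowing the condition.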
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 5 Oct 2023 11:21:51 -0700 Subject: [PATCH 16/36] Bump test chart dependencies (#20) Signed-off-by: GitHub Co-authored-by: faisal-memon --- .github/tests/charts.json | 10 +++++----- charts/spire/charts/spiffe-csi-driver/README.md | 2 +- charts/spire/charts/spiffe-csi-driver/values.yaml | 2 +- .../charts/spiffe-oidc-discovery-provider/README.md | 8 ++++---- .../charts/spiffe-oidc-discovery-provider/values.yaml | 8 ++++---- charts/spire/charts/spire-agent/README.md | 4 ++-- charts/spire/charts/spire-agent/values.yaml | 4 ++-- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 4 ++-- charts/spire/charts/tornjak-frontend/README.md | 2 +- charts/spire/charts/tornjak-frontend/values.yaml | 2 +- 11 files changed, 24 insertions(+), 24 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 455c028ff..9db804f85 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,26 +2,26 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "48.3.1" + "version": "51.3.0" }, { "name": "cert-manager", "repo": "https://charts.jetstack.io", - "version": "v1.12.3" + "version": "v1.13.1" }, { "name": "ingress-nginx", "repo": "https://kubernetes.github.io/ingress-nginx", - "version": "4.7.1" + "version": "4.8.1" }, { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "9.10.10" + "version": "9.12.3" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "12.8.2" + "version": "13.1.0" } ] diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md index 64774b2ba..c3e96fefa 100644 --- a/charts/spire/charts/spiffe-csi-driver/README.md +++ b/charts/spire/charts/spiffe-csi-driver/README.md 
@@ -57,7 +57,7 @@ A Helm chart to install the SPIFFE CSI driver. | `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` | | `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `nodeDriverRegistrar.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.8.0` | +| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.0` | | `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` | | `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | | `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` | diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml index a6dc54ce2..666407247 100644 --- a/charts/spire/charts/spiffe-csi-driver/values.yaml +++ b/charts/spire/charts/spiffe-csi-driver/values.yaml @@ -104,7 +104,7 @@ nodeDriverRegistrar: repository: sig-storage/csi-node-driver-registrar pullPolicy: IfNotPresent version: "" - tag: v2.8.0 + tag: v2.9.0 ## @param nodeDriverRegistrar.resources Resource requests and limits for CSI driver pods resources: {} # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 3c2991e0b..80ea7a559 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -57,7 +57,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `insecureScheme.nginx.image.repository` | The repository within the registry | `nginxinc/nginx-unprivileged` | | `insecureScheme.nginx.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `insecureScheme.nginx.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.24.0-alpine` | +| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.25.2-alpine` | | `insecureScheme.nginx.resources` | Resource requests and limits | `{}` | | `jwtIssuer` | Path to JWT issuer | `https://oidc-discovery.example.org` | | `config.logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | 
@@ -106,17 +106,17 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.toolkit.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d717d0a2c88518f8e36d9cfe1571639a40617e8c4291e34876d46bdeefb1ab5a` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5b7238ba3ae528a6a400f8cd27dd987924ade0913de2326c3ebc13561d99709e` | | `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | | `tests.busybox.image.repository` | The repository within the registry | `busybox` | | `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.busybox.image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | -| `tests.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `uclibc@sha256:3e516f71d8801b0ce6c3f8f8e4f11093ec04e168177a90f1da4498014ee06b6b` | +| `tests.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.36.1-uclibc` | | `tests.agent.image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `tests.agent.image.repository` | The repository within the registry | `spiffe/spire-agent` | | `tests.agent.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 1d3be3a49..760500c6f 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -111,7 +111,7 @@ insecureScheme: repository: nginxinc/nginx-unprivileged pullPolicy: IfNotPresent version: "" - tag: 1.24.0-alpine + tag: 1.25.2-alpine ## @param insecureScheme.nginx.resources Resource requests and limits resources: {} # We usually recommend not to specify default resources and to leave this as a conscious @@ -280,7 +280,7 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4 + tag: latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875 toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -294,7 +294,7 @@ tests: repository: chainguard/slim-toolkit-debug pullPolicy: IfNotPresent version: "" - tag: latest@sha256:d717d0a2c88518f8e36d9cfe1571639a40617e8c4291e34876d46bdeefb1ab5a + tag: latest@sha256:5b7238ba3ae528a6a400f8cd27dd987924ade0913de2326c3ebc13561d99709e busybox: ## @param tests.busybox.image.registry The OCI registry to pull the image from 
@@ -308,7 +308,7 @@ tests: repository: busybox pullPolicy: IfNotPresent version: "" - tag: uclibc@sha256:3e516f71d8801b0ce6c3f8f8e4f11093ec04e168177a90f1da4498014ee06b6b + tag: 1.36.1-uclibc agent: ## @param tests.agent.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 9f339bc4d..69fe8a274 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
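Review bot: The `tests.busybox.image.tag` default changes from a digest-pinned reference (`uclibc@sha256:3e516f…`) to the mutable tag `1.36.1-uclibc`, so this image is no longer content-addressed and a retagged upstream push would be pulled with no change in the chart, whereas the chainguard images in the same commit keep their `@sha256:` pins. Keep both readability and immutability with `tag: 1.36.1-uclibc@sha256:<digest>` (labelled placeholder — take the digest from the registry when bumping). The corresponding README row in the spiffe-oidc-discovery-provider hunk `@@ -106,17 +106,17 @@` is generated from this value, so fix values.yaml and regenerate rather than editing the table by hand; if the bump automation cannot resolve digests for this registry, that is the gap to close rather than dropping the pin.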
@@ -68,13 +68,13 @@ A Helm chart to install the SPIRE agent. | `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` | | `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `waitForIt.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:deeaccb164a67a4d7f585c4d416641b1f422c029911a29d72beae28221f823df` | +| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:c1822a2d9c88431e5f87af378c377d26e622eaeaf44e84f375d07e283c85e567` | | `waitForIt.resources` | Resource requests and limits | `{}` | | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | | `fsGroupFix.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | | `workloadAttestors.k8s.skipKubeletVerification` | If true, kubelet certificate verification is skipped | `true` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 631ff30a0..09ea3ade9 100644 
--- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -134,7 +134,7 @@ waitForIt: repository: chainguard/wait-for-it pullPolicy: IfNotPresent version: "" - tag: latest@sha256:deeaccb164a67a4d7f585c4d416641b1f422c029911a29d72beae28221f823df + tag: latest@sha256:c1822a2d9c88431e5f87af378c377d26e622eaeaf44e84f375d07e283c85e567 ## @param waitForIt.resources [object] Resource requests and limits resources: {} @@ -153,7 +153,7 @@ fsGroupFix: repository: chainguard/bash pullPolicy: Always version: "" - tag: latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4 + tag: latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875 ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index bf21975ab..da8643df8 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -289,4 +289,4 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 348e1a750..64bf68977 100644 
--- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -309,7 +309,7 @@ upstreamAuthority: ## @param upstreamAuthority.certManager.ca.create Creates a Cert-Manager CA create: false ## @param upstreamAuthority.certManager.ca.duration Duration of the CA. Defaults to 10 years - duration: 87600h + duration: 87600h privateKey: ## @param upstreamAuthority.certManager.ca.privateKey.algorithm Algorithm to generate private key for CA algorithm: ECDSA @@ -656,4 +656,4 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4 + tag: latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875 diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 00e385746..ec4281894 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -92,4 +92,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index d39d8eed4..bfb75a1da 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml 
@@ -126,4 +126,4 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4 + tag: latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875 From 12937db24b7c98ac7947d1a6aacc88f9a5dfcf50 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Fri, 6 Oct 2023 21:31:59 -0400 Subject: [PATCH 17/36] Update Example README Signed-off-by: Mariusz Sabath --- examples/production/README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/examples/production/README.md b/examples/production/README.md index 7787c2c4d..a8561e632 100644 --- a/examples/production/README.md +++ b/examples/production/README.md @@ -7,9 +7,13 @@ kubectl create namespace "spire-system" kubectl label namespace "spire-system" pod-security.kubernetes.io/enforce=privileged kubectl create namespace "spire-server" kubectl label namespace "spire-server" pod-security.kubernetes.io/enforce=restricted +``` + +Update the `example-your-values.yaml` file with your values, then: ```shell -helm upgrade --install --namespace spire-server spire charts/spire -f values.yaml +helm upgrade --install --namespace spire-server spire ../../charts/spire \ + -f values.yaml -f example-your-values.yaml --render-subchart-notes ``` If your using ingress-nginx and want to expose the spiffe oidc discovery provider outside the From 03ff6189582a57d4ce133e5e6487c1e19b19ee49 Mon Sep 17 00:00:00 2001 
From: Mariusz Sabath Date: Mon, 9 Oct 2023 07:31:55 -0400 Subject: [PATCH 18/36] Add Tornjak ingress (#16) Co-authored-by: Marco Franssen --- charts/spire/charts/spire-server/README.md | 6 +++++ .../templates/tornjak-ingress.yaml | 16 ++++++++++++ charts/spire/charts/spire-server/values.yaml | 21 ++++++++++++++++ .../spire/charts/tornjak-frontend/README.md | 5 ++++ .../tornjak-frontend/templates/ingress.yaml | 16 ++++++++++++ .../spire/charts/tornjak-frontend/values.yaml | 25 ++++++++++++++++--- 6 files changed, 86 insertions(+), 3 deletions(-) create mode 100644 charts/spire/charts/spire-server/templates/tornjak-ingress.yaml create mode 100644 charts/spire/charts/tornjak-frontend/templates/ingress.yaml diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index da8643df8..7272fdf85 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -267,6 +267,12 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tornjak.service.ports.http` | Insecure port for tornjak service | `10000` | | `tornjak.service.ports.https` | Secure port for tornjak service | `10443` | | `tornjak.service.annotations` | Annotations for the service | `{}` | +| `tornjak.ingress.enabled` | Flag to enable ingress for Tornjak backend service | `false` | +| `tornjak.ingress.className` | Ingress class name for Tornjak backend service | `""` | +| `tornjak.ingress.annotations` | Annotations for Tornjak backend service | `{}` | +| `tornjak.ingress.tlsBackendPort` | Flag to enable TLS on the ingress Tornjak backend service | `false` | +| `tornjak.ingress.hosts` | Host paths for ingress Tornjak backend service | `[]` | +| `tornjak.ingress.tls` | Secrets containing TLS certs to enable https on ingress | `[]` | | `tornjak.startupProbe.failureThreshold` | Failure threshold count | `3` | | `tornjak.startupProbe.initialDelaySeconds` | Initial delay seconds | `5` | | `tornjak.startupProbe.periodSeconds` | Period seconds | `10` | diff --git a/charts/spire/charts/spire-server/templates/tornjak-ingress.yaml b/charts/spire/charts/spire-server/templates/tornjak-ingress.yaml new file mode 100644 index 000000000..9a40e9b25 --- /dev/null +++ b/charts/spire/charts/spire-server/templates/tornjak-ingress.yaml @@ -0,0 +1,16 @@ +{{- if .Values.tornjak.ingress.enabled -}} +{{- $fullName := include "spire-tornjak.fullname" . -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ include "spire-server.namespace" . }} + labels: + {{ include "spire-server.labels" . | nindent 4}} + {{- with .Values.tornjak.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.tornjak.ingress "svcName" (include "spire-tornjak.servicename" .) "port" "tornjak-srv-http") | nindent 2 }} +{{- end }} 
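Review bot: The new tornjak-ingress.yaml calls `spire-lib.ingress-spec` without the `"global" .Values.global` entry that the tornjak-frontend ingress template in this same commit passes, so if the helper reads `.global` (for example for a shared ingress class or TLS defaults) the backend ingress silently skips it; pass `"global" .Values.global` in the dict for parity, or add a comment stating why the backend must not inherit it. The port is fixed to `"tornjak-srv-http"` while values.yaml introduces `tornjak.ingress.tlsBackendPort`; whether the helper switches to the HTTPS port based on the `ingress` dict is not visible here — confirm, because this Ingress fronts the Tornjak management API and the default `tls: []` leaves it plain HTTP once `enabled: true`. Worth a one-line comment above `spec:` such as `# tlsBackendPort is interpreted by spire-lib.ingress-spec; without ingress.tls the backend API is exposed over plain HTTP` so operators enabling the ingress see the trade-off in the template itself.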
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 64bf68977..d374a9b9a 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -562,6 +562,27 @@ tornjak: ## @param tornjak.service.annotations [object] Annotations for the service annotations: {} + ## @param tornjak.ingress.enabled Flag to enable ingress for Tornjak backend service + ## @param tornjak.ingress.className Ingress class name for Tornjak backend service + ## @param tornjak.ingress.annotations [object] Annotations for Tornjak backend service + ## @param tornjak.ingress.tlsBackendPort Flag to enable TLS on the ingress Tornjak backend service + ## @param tornjak.ingress.hosts [array] Host paths for ingress Tornjak backend service + ingress: + enabled: false + className: "" + annotations: {} + tlsBackendPort: false + hosts: + - host: tornjak-backend.example.org + paths: + - path: / + pathType: Prefix + ## @param tornjak.ingress.tls [array] Secrets containing TLS certs to enable https on ingress + tls: [] + # - secretName: chart-example-tls + # hosts: + # - tornjak-backend.example.org + ## @param tornjak.startupProbe.failureThreshold Failure threshold count ## @param tornjak.startupProbe.initialDelaySeconds Initial delay seconds ## @param tornjak.startupProbe.periodSeconds Period seconds diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index ec4281894..719beed3a 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md 
@@ -88,6 +88,11 @@ port forwarding. See the chart NOTES output for more details. | `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | | `startupProbe.failureThreshold` | Failure threshold count for startupProbe | `6` | | `startupProbe.successThreshold` | Success threshold count for startupProbe | `1` | +| `ingress.enabled` | Flag to enable ingress for Tornjak frontend service | `false` | +| `ingress.className` | Ingress class name for Tornjak frontend service | `""` | +| `ingress.annotations` | Annotations for Tornjak frontend service | `{}` | +| `ingress.hosts` | Host paths for ingress Tornjak frontend service | `[]` | +| `ingress.tls` | Secrets containing TLS certs to enable https on ingress | `[]` | | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/tornjak-frontend/templates/ingress.yaml b/charts/spire/charts/tornjak-frontend/templates/ingress.yaml new file mode 100644 index 000000000..1d14de2f6 --- /dev/null +++ b/charts/spire/charts/tornjak-frontend/templates/ingress.yaml @@ -0,0 +1,16 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "tornjak-frontend.fullname" . -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ include "tornjak-frontend.namespace" . }} + labels: + {{ include "tornjak-frontend.labels" . | nindent 4}} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.ingress "svcName" $fullName "port" .Values.service.port "global" .Values.global) | nindent 2 }} +{{- end }} diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index bfb75a1da..1e7abbf7e 100644 
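Review bot: The frontend ingress calls `spire-lib.ingress-spec` with `"global" .Values.global`, while the backend ingress introduced in the same commit omits it; whichever the helper expects, the two templates should match, and if `global` feeds a default ingress class or domain the backend one is currently missing it. With `ingress.tls` defaulting to `[]` the UI is served in the clear once enabled, which is worth stating at the top of the template: `# Without ingress.tls the Tornjak UI is exposed over plain HTTP.` The resulting Ingress object is entirely within this hunk.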
--- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -22,13 +22,13 @@ image: ## @param imagePullSecrets [array] Pull secrets for images imagePullSecrets: [] -## @param nameOverride Name override +## @param nameOverride Name override nameOverride: "" -## @param namespaceOverride Namespace override +## @param namespaceOverride Namespace override namespaceOverride: "" -## @param fullnameOverride Fullname override +## @param fullnameOverride Fullname override fullnameOverride: "" ## @param serviceAccount.create Specifies whether a service account should be created @@ -113,6 +113,25 @@ startupProbe: failureThreshold: 6 successThreshold: 1 +## @param ingress.enabled Flag to enable ingress for Tornjak frontend service +## @param ingress.className Ingress class name for Tornjak frontend service +## @param ingress.annotations [object] Annotations for Tornjak frontend service +## @param ingress.hosts [array] Host paths for ingress Tornjak frontend service +ingress: + enabled: false + className: "" + annotations: {} + hosts: + - host: tornjak-frontend.example.org + paths: + - path: / + pathType: Prefix + ## @param ingress.tls [array] Secrets containing TLS certs to enable https on ingress + tls: [] + # - secretName: chart-example-tls + # hosts: + # - tornjak-frontend.example.org + tests: bash: ## @param tests.bash.image.registry The OCI registry to pull the image from From 11072780ca209a9ef84b7b91ab45797c905ab95d Mon Sep 17 00:00:00 2001 From: marcofranssen Date: Mon, 9 Oct 2023 08:01:50 +0000 Subject: [PATCH 19/36] Bump test chart dependencies Signed-off-by: GitHub --- charts/spire/charts/spiffe-oidc-discovery-provider/README.md | 2 +- charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
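Review bot: `ingress.hosts` defaults to a concrete `tornjak-frontend.example.org` rule even though the README row added in this commit lists `[]`, so enabling the ingress without overriding `hosts` produces a rule for an example hostname. Prefer `hosts: []` with the example left as a comment, matching how `tls` is documented immediately below, or fix the README so the documented default is the real one.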
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 80ea7a559..9a32aaa7d 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md @@ -111,7 +111,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.toolkit.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5b7238ba3ae528a6a400f8cd27dd987924ade0913de2326c3ebc13561d99709e` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8e231266acc48b98934b1eaba7fd086bd13e7f22d69d3c4dff9c46040dbb29d8` | | `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | | `tests.busybox.image.repository` | The repository within the registry | `busybox` | | `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 760500c6f..5f25e5e0a 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -294,7 +294,7 @@ tests: repository: chainguard/slim-toolkit-debug pullPolicy: IfNotPresent version: "" - tag: latest@sha256:5b7238ba3ae528a6a400f8cd27dd987924ade0913de2326c3ebc13561d99709e + tag: latest@sha256:8e231266acc48b98934b1eaba7fd086bd13e7f22d69d3c4dff9c46040dbb29d8 busybox: ## @param tests.busybox.image.registry The OCI registry to pull the image from 
From afba33f179ba7581f4e25c7d226ea32bf8a2a9e1 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Mon, 9 Oct 2023 16:09:28 -0700 Subject: [PATCH 20/36] Add spire agent experimental flags (#26) * Add spire agent experimental flags Signed-off-by: Kevin Fox * Fix nested test Signed-off-by: Kevin Fox * Update charts/spire/charts/spire-agent/templates/configmap.yaml Co-authored-by: Faisal Memon Signed-off-by: kfox1111 * Apply suggestions from code review Co-authored-by: Faisal Memon Signed-off-by: kfox1111 * Regen docs Signed-off-by: Kevin Fox --------- Signed-off-by: Kevin Fox Signed-off-by: kfox1111 Co-authored-by: Faisal Memon --- charts/spire/charts/spire-agent/README.md | 3 +++ .../charts/spire-agent/templates/configmap.yaml | 13 +++++++++++++ charts/spire/charts/spire-agent/values.yaml | 8 ++++++++ charts/spire/templates/NOTES.txt | 2 +- 4 files changed, 25 insertions(+), 1 deletion(-) diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 69fe8a274..eb346c2f0 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -96,3 +96,6 @@ A Helm chart to install the SPIRE agent. | `extraContainers` | Additional containers to create with Spire Agent pods | `[]` | | `initContainers` | Additional init containers to create with Spire Agent pods | `[]` | | `hostAliases` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ | `[]` | +| `experimental.enabled` | Allow configuration of experimental features | `false` | +| `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` | +| `experimental.featureFlags` | List of developer feature flags | `[]` | diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index bc4fa4eb5..e19a57735 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml 
+++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -22,6 +22,19 @@ agent: disable_spiffe_cert_validation: {{ .Values.sds.disableSpiffeCertValidation }} {{- end }} + {{- with .Values.experimental }} + {{- if eq (.enabled | toString) "true" }} + experimental: + sync_interval: {{ .syncInterval | quote }} + {{- if gt (len .featureFlags) 0 }} + feature_flags: + {{- range .featureFlags }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + plugins: NodeAttestor: - k8s_psat: diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 09ea3ade9..54d11d609 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -215,3 +215,11 @@ extraContainers: [] initContainers: [] ## @param hostAliases [array] Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ hostAliases: [] + +experimental: + ## @param experimental.enabled Allow configuration of experimental features + enabled: false + ## @param experimental.syncInterval Sync interval with SPIRE server with exponential backoff + syncInterval: 5s + ## @param experimental.featureFlags [array] List of developer feature flags + featureFlags: [] diff --git a/charts/spire/templates/NOTES.txt b/charts/spire/templates/NOTES.txt index f1f69836a..096b2baf7 100644 --- a/charts/spire/templates/NOTES.txt +++ b/charts/spire/templates/NOTES.txt 
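Review bot: The `experimental:` section is only rendered when `experimental.enabled` stringifies to `"true"`, so `syncInterval` and `featureFlags` set without the flag are silently dropped; the values comment ("Allow configuration of experimental features") does not say this. I would make it explicit in values.yaml: `## @param experimental.enabled Allow configuration of experimental features (when false, syncInterval and featureFlags are ignored)`. Note also that `sync_interval` is emitted unconditionally once enabled, so a user who only wants `featureFlags` still pins the agent to the chart's `5s`; if SPIRE's own default differs, gating it with `{{- if .syncInterval }}` would leave that default alone.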
@@ -6,7 +6,7 @@ Installed {{ .Chart.Name }}… Warning: You're using an unsupported plugin. Functionality of this release and future upgrades aren't guaranteed to work smoothly. {{- end }} -{{- if eq ((index .Values "spire-server").experimental.enabled | toString) "true" }} +{{- if or (eq (((index .Values "spire-server").experimental).enabled | toString) "true") (eq (((index .Values "spire-agent").experimental).enabled | toString) "true") }} Warning: You're using an experimental config. Functionality of this release and future upgrades aren't guaranteed to work smoothly. {{- end }} From c5c53200973af0f23095d4f60c21c0ac24f0384a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Oct 2023 20:43:44 -0700 Subject: [PATCH 21/36] Bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 in /tests (#27) --- tests/go.mod | 2 +- tests/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index befcd4d1c..beeb90967 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -3,7 +3,7 @@ module github.com/spiffe/helm-charts/tests go 1.20 require ( - github.com/onsi/ginkgo/v2 v2.12.1 + github.com/onsi/ginkgo/v2 v2.13.0 github.com/onsi/gomega v1.28.0 helm.sh/helm/v3 v3.13.0 ) diff --git a/tests/go.sum b/tests/go.sum index 4895565ad..7434b2937 100644 --- a/tests/go.sum +++ b/tests/go.sum 
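Review bot: The widened condition reads `.experimental.enabled` from `spire-server` and `spire-agent` without checking that either subchart is enabled, and it does not look at `upstream-spire-agent`, which a later patch in this series treats as a third agent instance when counting unsupported plugins. A disabled subchart with `experimental.enabled: true` left in values therefore still triggers the warning, while an enabled upstream agent with experimental settings would not. Gating each term on the subchart's `.enabled`, as that later NOTES hunk does for plugins, keeps the two warnings consistent.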
@@ -85,8 +85,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.12.1 h1:uHNEO1RP2SpuZApSkel9nEh1/Mu+hmQe7Q+Pepg5OYA= -github.com/onsi/ginkgo/v2 v2.12.1/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= +github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= +github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= github.com/onsi/gomega v1.28.0 h1:i2rg/p9n/UqIDAMFUJ6qIUUMcsqOuUHgbpbu235Vr1c= github.com/onsi/gomega v1.28.0/go.mod h1:A1H2JE76sI14WIP57LMKj7FVfCHx3g3BcZVjJG8bjX8= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= From 0fa43a507dc197566824622734d888cf5aaa3216 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Tue, 10 Oct 2023 01:09:11 -0700 Subject: [PATCH 22/36] Add plugin support to the spire agent (#22) * Exit code from diff indicating changes should not block commit. Signed-off-by: Kevin Fox * Push the changes that update-tags creates Signed-off-by: Kevin Fox * Add plugin support to the spire agent This adapts the existing spire server plugin support to be usable by the agent as well. Signed-off-by: Kevin Fox * Fix notes Signed-off-by: Kevin Fox * Add plugin support to the spire agent This adapts the existing spire server plugin support to be usable by the agent as well. Signed-off-by: Kevin Fox * Fix notes Signed-off-by: Kevin Fox * Update documentation Signed-off-by: Kevin Fox * Update example Signed-off-by: Kevin Fox --------- Signed-off-by: Kevin Fox 
Signed-off-by: kfox1111 --- charts/spire/charts/spire-agent/README.md | 5 ++ .../spire-agent/templates/configmap.yaml | 50 +++++++++++----- charts/spire/charts/spire-agent/values.yaml | 22 +++++++ charts/spire/charts/spire-server/README.md | 4 ++ .../spire-server/templates/_helpers.tpl | 49 ---------------- .../spire-server/templates/configmap.yaml | 2 +- charts/spire/charts/spire-server/values.yaml | 5 +- charts/spire/templates/NOTES.txt | 15 ++++- charts/spire/templates/_spire-lib.tpl | 57 +++++++++++++++++++ .../spire-plugins/node-agent-tpm/values.yaml | 16 +++++- tests/unit/spire_test.go | 30 ++++++++++ 11 files changed, 185 insertions(+), 70 deletions(-) diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index eb346c2f0..4881d0473 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -77,6 +77,7 @@ A Helm chart to install the SPIRE agent. | `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | +| `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` | | `workloadAttestors.k8s.skipKubeletVerification` | If true, kubelet certificate verification is skipped | `true` | | `workloadAttestors.k8s.disableContainerSelectors` | Set to true if using holdApplicationUntilProxyStarts in Istio | `false` | | `sds.enabled` | Enables Envoy SDS configuration | `false` | 
@@ -96,6 +97,10 @@ A Helm chart to install the SPIRE agent. | `extraContainers` | Additional containers to create with Spire Agent pods | `[]` | | `initContainers` | Additional init containers to create with Spire Agent pods | `[]` | | `hostAliases` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ | `[]` | +| `customPlugins.keyManager` | Custom plugins of type KeyManager are configured here | `{}` | +| `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` | +| `customPlugins.svidStore` | Custom plugins of type SVIDStore are configured here | `{}` | +| `customPlugins.workloadAttestor` | Custom plugins of type WorkloadAttestor are configured here | `{}` | | `experimental.enabled` | Allow configuration of experimental features | `false` | | `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` | | `experimental.featureFlags` | List of developer feature flags | `[]` | diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index e19a57735..0bfd9d935 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml 
@@ -1,5 +1,23 @@ {{- include "spire-lib.check-strict-mode" (list . "clusterName must be set" (eq (include "spire-lib.cluster-name" .) "example-cluster"))}} {{- include "spire-lib.check-strict-mode" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}} +{{- range $type, $tvals := .Values.customPlugins }} +{{- if not (has $type (list "keyManager" "nodeAttestor" "svidStore" "workloadAttestor")) }} +{{- fail (printf "Unknown plugin type specified: %s" $type) }} +{{- end }} +{{- range $name, $nval := $tvals }} +{{- if not (hasKey $nval "plugin_cmd") }} +{{- fail (printf "plugin_cmd is a required field. %s" $name) }} +{{- end }} +{{- if not (hasKey $nval "plugin_checksum") }} +{{- fail (printf "plugin_checksum is a required field.") }} +{{- end }} +{{- range $sname, $svals := $nval }} +{{- if not (has $sname (list "plugin_cmd" "plugin_checksum" "plugin_data")) }} +{{- fail (printf "Unknown plugin setting specified: %s" $sname) }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} {{- define "spire-agent.yaml-config" -}} agent: data_dir: "/run/spire" 
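Review bot: The `plugin_checksum` validation only tests key presence, so an empty or truncated value passes straight into agent.conf, and its failure text omits the plugin name unlike the `plugin_cmd` message (`printf "plugin_checksum is a required field."` has no `%s`). Since this checksum is, as I understand SPIRE's external-plugin loading, what the agent verifies the plugin binary against before executing it, I would check its shape and name the offender: `{{- if not (regexMatch "^[0-9a-fA-F]{64}$" (toString (index $nval "plugin_checksum"))) }}` followed by `{{- fail (printf "plugin_checksum for %s must be a 64-character hex SHA-256" $name) }}`. The loop also covers only `customPlugins`; `unsupportedBuiltInPlugins`, merged by the same helper later in this patch, gets no type-name check, so a mistyped type key there is merged silently.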
@@ -37,26 +55,28 @@ agent: plugins: NodeAttestor: - - k8s_psat: - plugin_data: - cluster: {{ include "spire-lib.cluster-name" . | quote }} + k8s_psat: + plugin_data: + cluster: {{ include "spire-lib.cluster-name" . | quote }} KeyManager: - - memory: - plugin_data: + memory: + plugin_data: WorkloadAttestor: - - k8s: - plugin_data: - # Defaults to the secure kubelet port by default. - # Minikube does not have a cert in the cluster CA bundle that - # can authenticate the kubelet cert, so skip validation. - skip_kubelet_verification: {{ .Values.workloadAttestors.k8s.skipKubeletVerification }} - disable_container_selectors: {{ .Values.workloadAttestors.k8s.disableContainerSelectors }} + {{- if .Values.workloadAttestors.k8s.enabled }} + k8s: + plugin_data: + # Defaults to the secure kubelet port by default. + # Minikube does not have a cert in the cluster CA bundle that + # can authenticate the kubelet cert, so skip validation. + skip_kubelet_verification: {{ .Values.workloadAttestors.k8s.skipKubeletVerification }} + disable_container_selectors: {{ .Values.workloadAttestors.k8s.disableContainerSelectors }} + {{- end }} {{- if .Values.workloadAttestors.unix.enabled }} - - unix: - plugin_data: + unix: + plugin_data: {{- end }} health_checks: @@ -84,4 +104,4 @@ metadata: {{- end }} data: agent.conf: | - {{- include "spire-agent.yaml-config" . | fromYaml | toPrettyJson | nindent 4 }} + {{- include "spire-lib.reformat-and-yaml2json" (dict "config" (include "spire-agent.yaml-config" .) "root" .) | nindent 4 }} diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 54d11d609..81d110bb2 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml 
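Review bot: The new `{{- if .Values.workloadAttestors.k8s.enabled }}` gate relies on bare truthiness, whereas the rest of this chart tests flags with `eq (... | toString) "true"` (the experimental block above and the NOTES warning); a string value such as `--set-string workloadAttestors.k8s.enabled=false` is truthy and would not disable the attestor, so `{{- if eq (.Values.workloadAttestors.k8s.enabled | toString) "true" }}` keeps the semantics uniform. Separately, disabling both `k8s` and `unix` with nothing under `customPlugins.workloadAttestor` renders an empty `WorkloadAttestor:` key; I believe the SPIRE agent needs at least one workload attestor, so a `spire-lib.check-strict-mode`-style failure for that combination would fail at render time instead of at every agent pod. The `agent:` config definition begins before this hunk.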
@@ -165,6 +165,8 @@ workloadAttestors: ## @param workloadAttestors.unix.enabled Enables the Unix workload attestor enabled: false k8s: + ## @param workloadAttestors.k8s.enabled Enables the Kubernetes workload attestor + enabled: true ## @param workloadAttestors.k8s.skipKubeletVerification If true, kubelet certificate verification is skipped skipKubeletVerification: true ## @param workloadAttestors.k8s.disableContainerSelectors Set to true if using holdApplicationUntilProxyStarts in Istio @@ -216,6 +218,26 @@ initContainers: [] ## @param hostAliases [array] Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ hostAliases: [] +# NOTE: This is unsupported and only to configure currently supported spire built in plugins but plugins unsupported by the chart. +# Upgrades wont be tested for anything under this config. If you need this, please let the chart developers know your needs so we +# can prioritize proper support. +## @skip unsupportedBuiltInPlugins +unsupportedBuiltInPlugins: + keyManager: {} + nodeAttestor: {} + svidStore: {} + workloadAttestor: {} + +## @param customPlugins.keyManager Custom plugins of type KeyManager are configured here +## @param customPlugins.nodeAttestor Custom plugins of type NodeAttestor are configured here +## @param customPlugins.svidStore Custom plugins of type SVIDStore are configured here +## @param customPlugins.workloadAttestor Custom plugins of type WorkloadAttestor are configured here +customPlugins: + keyManager: {} + nodeAttestor: {} + svidStore: {} + workloadAttestor: {} + experimental: ## @param experimental.enabled Allow configuration of experimental features enabled: false diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 7272fdf85..bf4336c60 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
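Review bot: The `customPlugins.*` comments do not say what an entry must contain, although the agent configmap template in this commit refuses to render unless each plugin has `plugin_cmd` and `plugin_checksum` and accepts nothing beyond `plugin_data`. I would put that above `customPlugins:`: `## Each entry requires plugin_cmd (path to the plugin binary inside the agent image) and plugin_checksum (hex SHA-256 of that binary) and may carry plugin_data.` As far as I recall SPIRE verifies the binary against that checksum before loading it, so the comment could add that the value must come from the same build as the image. The `unsupportedBuiltInPlugins` note could likewise say that entries there are not validated by the chart.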
@@ -285,6 +285,10 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tornjak.config.clientCA.type` | Type of delivery for the user CA for TLS client verification. Options are `Secret` or `ConfigMap` (required for `mtls` connectionType) | `Secret` | | `tornjak.config.clientCA.name` | Name of the resource secret or configMap with user CA for TLS | `tornjak-client-ca` | | `tornjak.resources` | Resource requests and limits | `{}` | +| `customPlugins.keyManager` | Custom plugins of type KeyManager are configured here | `{}` | +| `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` | +| `customPlugins.upstreamAuthority` | Custom plugins of type upstreamAuthority are configured here | `{}` | +| `customPlugins.notifier` | Custom plugins of type notifier are configured here | `{}` | | `experimental.enabled` | Allow configuration of experimental features | `false` | | `experimental.cacheReloadInterval` | The amount of time between two reloads of the in-memory entry cache. | `5s` | | `experimental.featureFlags` | List of developer feature flags | `[]` | diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl index f1a926380..d4d503e4e 100644 --- a/charts/spire/charts/spire-server/templates/_helpers.tpl +++ b/charts/spire/charts/spire-server/templates/_helpers.tpl 
@@ -217,52 +217,3 @@ The code below determines what connection type should be used. {{- end }} {{ $args | toYaml }} {{- end -}} - -{{/* -Take a copy of the config and merge in .Values.customPlugins and .Values.unsupportedBuiltInPlugins passed through as root. -*/}} -{{- define "spire-server.config_merge" }} -{{- $pluginsToMerge := dict "plugins" dict }} -{{- range $type, $val := .root.Values.customPlugins }} -{{- if . }} -{{- $nt := printf "%s%s" (substr 0 1 $type | upper) (substr 1 -1 $type) }} -{{- $_ := set $pluginsToMerge.plugins $nt (deepCopy $val) }} -{{- end }} -{{- end }} -{{- range $type, $val := .root.Values.unsupportedBuiltInPlugins }} -{{- if . }} -{{- $nt := printf "%s%s" (substr 0 1 $type | upper) (substr 1 -1 $type) }} -{{- $_ := set $pluginsToMerge.plugins $nt (deepCopy $val) }} -{{- end }} -{{- end }} -{{- $newConfig := .config | fromYaml | mustMerge $pluginsToMerge }} -{{- $newConfig | toYaml }} -{{- end }} - -{{/* -Take a copy of the plugin section and return a yaml string based version -reformatted from a dict of dicts to a dict of lists of dicts -*/}} -{{- define "spire-server.plugins_reformat" }} -{{- range $type, $v := . }} -{{ $type }}: -{{- range $name, $v2 := $v }} - - {{ $name }}: {{ $v2 | toYaml | nindent 8 }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Take a copy of the config as a yaml config and root var. -Merge in .root.Values.customPlugins and .Values.unsupportedBuiltInPlugins into config, -Reformat the plugin section from a dict of dicts to a dict of lists of dicts, -and export it back as as json string. -This makes it much easier for users to merge in plugin configs, as dicts are easier -to merge in values, but spire needs arrays. -*/}} -{{- define "spire-server.reformat-and-yaml2json" -}} -{{- $config := include "spire-server.config_merge" . | fromYaml }} -{{- $plugins := include "spire-server.plugins_reformat" $config.plugins | fromYaml }} -{{- $_ := set $config "plugins" $plugins }} -{{- $config | toPrettyJson }} -{{- end }} 
diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index 94e8d1e0e..e366716d3 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -260,4 +260,4 @@ metadata: {{- end }} data: server.conf: | - {{- include "spire-server.reformat-and-yaml2json" (dict "config" (include "spire-server.yaml-config" .) "root" .) | nindent 4 }} + {{- include "spire-lib.reformat-and-yaml2json" (dict "config" (include "spire-server.yaml-config" .) "root" .) | nindent 4 }} diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index d374a9b9a..8d4a9deec 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -642,7 +642,10 @@ unsupportedBuiltInPlugins: upstreamAuthority: {} notifier: {} -## @skip customPlugins +## @param customPlugins.keyManager Custom plugins of type KeyManager are configured here +## @param customPlugins.nodeAttestor Custom plugins of type NodeAttestor are configured here +## @param customPlugins.upstreamAuthority Custom plugins of type upstreamAuthority are configured here +## @param customPlugins.notifier Custom plugins of type notifier are configured here customPlugins: keyManager: {} nodeAttestor: {} diff --git a/charts/spire/templates/NOTES.txt b/charts/spire/templates/NOTES.txt index 096b2baf7..5da926b5b 100644 --- a/charts/spire/templates/NOTES.txt +++ b/charts/spire/templates/NOTES.txt 
@@ -1,6 +1,17 @@ Installed {{ .Chart.Name }}… -{{- $up := (index .Values "spire-server").unsupportedBuiltInPlugins }} -{{- $s := add (len $up.keyManager) (len $up.nodeAttestor) (len $up.upstreamAuthority) (len $up.notifier) }} +{{- $s := 0 }} +{{- if (index .Values "spire-server").enabled }} +{{- $up := (index .Values "spire-server").unsupportedBuiltInPlugins }} +{{- $s = add (len $up.keyManager) (len $up.nodeAttestor) (len $up.upstreamAuthority) (len $up.notifier) $s }} +{{- end }} +{{- if (index .Values "spire-agent").enabled }} +{{- $up := (index .Values "spire-agent").unsupportedBuiltInPlugins }} +{{- $s = add (len $up.keyManager) (len $up.nodeAttestor) (len $up.svidStore) (len $up.workloadAttestor) $s }} +{{- end }} +{{- if (index .Values "upstream-spire-agent").enabled }} +{{- $up := (index .Values "upstream-spire-agent").unsupportedBuiltInPlugins }} +{{- $s = add (len $up.keyManager) (len $up.nodeAttestor) (len $up.svidStore) (len $up.workloadAttestor) $s }} +{{- end }} {{- if gt $s 0 }} Warning: You're using an unsupported plugin. Functionality of this release and future upgrades aren't guaranteed to work smoothly. diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl index 64152ac5a..12e854d0b 100644 --- a/charts/spire/templates/_spire-lib.tpl +++ b/charts/spire/templates/_spire-lib.tpl 
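Review bot: Each new block dereferences `(index .Values "<subchart>").enabled` and then `.unsupportedBuiltInPlugins.<type>` directly, so if the umbrella values do not define one of those keys — I cannot see the umbrella values.yaml, and `upstream-spire-agent` is the one most likely to be missing — `helm template` fails with a nil-pointer evaluation instead of skipping the warning. Wrapping the lookup keeps NOTES rendering: `{{- $ua := index .Values "upstream-spire-agent" | default dict }}` and `{{- if $ua.enabled }}`. The three blocks are also copy-pasted; a small named template taking the subchart values and its list of plugin types would remove the duplication.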
@@ -122,3 +122,60 @@ if strictMode is enabled and the boolean is true {{- end }} {{- end }} {{- end }} + +{{/* +Take a copy of the config and merge in .Values.customPlugins and .Values.unsupportedBuiltInPlugins passed through as root. +*/}} +{{- define "spire-lib.config_merge" }} +{{- $pluginsToMerge := dict "plugins" dict }} +{{- range $type, $val := .root.Values.customPlugins }} +{{- if . }} +{{- if eq $type "svidstore" }} +{{- $_ := set $pluginsToMerge.plugins "SVIDStore" (deepCopy $val) }} +{{- else }} +{{- $nt := printf "%s%s" (substr 0 1 $type | upper) (substr 1 -1 $type) }} +{{- $_ := set $pluginsToMerge.plugins $nt (deepCopy $val) }} +{{- end }} +{{- end }} +{{- end }} +{{- range $type, $val := .root.Values.unsupportedBuiltInPlugins }} +{{- if . }} +{{- if eq $type "svidstore" }} +{{- $_ := set $pluginsToMerge.plugins "SVIDStore" (deepCopy $val) }} +{{- else }} +{{- $nt := printf "%s%s" (substr 0 1 $type | upper) (substr 1 -1 $type) }} +{{- $_ := set $pluginsToMerge.plugins $nt (deepCopy $val) }} +{{- end }} +{{- end }} +{{- end }} +{{- $newConfig := .config | fromYaml | mustMerge $pluginsToMerge }} +{{- $newConfig | toYaml }} +{{- end }} + +{{/* +Take a copy of the plugin section and return a yaml string based version +reformatted from a dict of dicts to a dict of lists of dicts +*/}} +{{- define "spire-lib.plugins_reformat" }} +{{- range $type, $v := . }} +{{ $type }}: +{{- range $name, $v2 := $v }} + - {{ $name }}: {{ $v2 | toYaml | nindent 8 }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Take a copy of the config as a yaml config and root var. +Merge in .root.Values.customPlugins and .Values.unsupportedBuiltInPlugins into config, +Reformat the plugin section from a dict of dicts to a dict of lists of dicts, +and export it back as as json string. +This makes it much easier for users to merge in plugin configs, as dicts are easier +to merge in values, but spire needs arrays. 
+*/}} +{{- define "spire-lib.reformat-and-yaml2json" -}} +{{- $config := include "spire-lib.config_merge" . | fromYaml }} +{{- $plugins := include "spire-lib.plugins_reformat" $config.plugins | fromYaml }} +{{- $_ := set $config "plugins" $plugins }} +{{- $config | toPrettyJson }} +{{- end }} diff --git a/examples/spire-plugins/node-agent-tpm/values.yaml b/examples/spire-plugins/node-agent-tpm/values.yaml index a2011b795..702477371 100644 --- a/examples/spire-plugins/node-agent-tpm/values.yaml +++ b/examples/spire-plugins/node-agent-tpm/values.yaml @@ -13,8 +13,8 @@ spire-server: name: spire-data image: registry: docker.io - repository: kfox1111/misc - version: tpm-server-test + repository: + tag: customPlugins: nodeAttestor: tpm: @@ -23,3 +23,15 @@ spire-server: plugin_data: - ca_path: /run/spire/data/certs hash_path: /run/spire/data/hashes + +spire-agent: + image: + registry: docker.io + repository: + tag: + customPlugins: + nodeAttestor: + tpm: + plugin_cmd: /bin/tpm_attestor_agent + plugin_checksum: bb7be714c27452231a6c7764b65912ce0cdeb66ff2a2c688d3e88bd0bd17d138 + plugin_data: {} diff --git a/tests/unit/spire_test.go b/tests/unit/spire_test.go index 4db554cef..891771b8e 100644 --- a/tests/unit/spire_test.go +++ b/tests/unit/spire_test.go 
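Review bot: The `svidstore` special case in `spire-lib.config_merge` (present in both loops) compares `$type` against the all-lowercase `"svidstore"`, but the key introduced for the agent is `svidStore` (agent values.yaml and the allowed-type list in the agent configmap), so the branch never matches and the generic title-casing emits `SvidStore`; SPIRE's plugin type is `SVIDStore`, so any SVIDStore plugin configured via `customPlugins` or `unsupportedBuiltInPlugins` lands under a key the agent will not recognise. The fix is the comparison in both loops: `{{- if eq $type "svidStore" }}`. A unit test rendering `spire-agent.customPlugins.svidStore` and asserting `"SVIDStore": [` in the configmap would have caught this.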
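Review bot: Dropping the personal `kfox1111/misc` image from the example is the right call, but the hunk now leaves `image.repository` and `image.tag` empty for both server and agent, which renders an unusable `docker.io/:` reference, while `plugin_checksum` stays a fixed SHA-256 for a `/bin/tpm_attestor_agent` that only one particular build provides. Pairing an arbitrary image with a checksum that cannot match is the failure mode to warn about; a comment above each `image:` such as `# Set to an image that ships /bin/tpm_attestor_agent and replace plugin_checksum with sha256sum of that binary taken from the same image` would make the example honest about what the user has to supply.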
@@ -103,4 +103,34 @@ spire-server: Expect(notes).Should(ContainSubstring("\"aws_pca\": {")) }) }) + Describe("spire-agent.customPlugin.tpm", func() { + It("plugin set ok", func() { + objs, err := ValueStringRender(chart, ` +spire-agent: + customPlugins: + nodeAttestor: + tpm: + plugin_cmd: /bin/tpm_attestor_agent + plugin_checksum: bb7be714c27452231a6c7764b65912ce0cdeb66ff2a2c688d3e88bd0bd17d138 + plugin_data: {} +`) + Expect(err).Should(Succeed()) + notes := objs["spire/charts/spire-agent/templates/configmap.yaml"] + Expect(notes).Should(ContainSubstring("tpm")) + }) + }) + Describe("spire-server.unsupportedBuiltInPlugins", func() { + It("plugin set ok", func() { + objs, err := ValueStringRender(chart, ` +spire-agent: + unsupportedBuiltInPlugins: + nodeAttestor: + join_token: + plugin_data: {} +`) + Expect(err).Should(Succeed()) + notes := objs["spire/charts/spire-agent/templates/configmap.yaml"] + Expect(notes).Should(ContainSubstring("join_token")) + }) + }) }) From da49059c8758916b0138293ca2d200e8bb4e7107 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 10 Oct 2023 15:01:31 -0400 Subject: [PATCH 23/36] Update Tornjak image version Signed-off-by: Mariusz Sabath --- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 2 +- charts/spire/charts/tornjak-frontend/Chart.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index bf4336c60..3e07b50ea 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
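Review bot: Both new specs assert only `ContainSubstring("tpm")` / `ContainSubstring("join_token")` on the rendered agent configmap, which still passes if the plugin is merged under the wrong type key or the dict-to-list reformatting breaks, and the second `Describe` is titled `spire-server.unsupportedBuiltInPlugins` although it renders `spire-agent` (the result variable is also called `notes` for a configmap). Nothing exercises the `fail` paths the agent configmap template gains in this commit, which are what keep an external plugin from being configured without a checksum. I would rename the Describe, assert on the emitted JSON fragment (for example `"plugin_checksum": "bb7be714c27452231a6c7764b65912ce0cdeb66ff2a2c688d3e88bd0bd17d138"` and `"NodeAttestor": [`), and add a negative spec:
```go
It("plugin without checksum is rejected", func() {
	_, err := ValueStringRender(chart, `
spire-agent:
  customPlugins:
    nodeAttestor:
      tpm:
        plugin_cmd: /bin/tpm_attestor_agent
        plugin_data: {}
`)
	Expect(err).Should(HaveOccurred())
	Expect(err.Error()).Should(ContainSubstring("plugin_checksum is a required field"))
})
```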
@@ -262,7 +262,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tornjak.image.repository` | The repository within the registry | `spiffe/tornjak-backend` | | `tornjak.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tornjak.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tornjak.image.tag` | Overrides the image tag whose default is the chart appVersion | `v1.2.2` | +| `tornjak.image.tag` | Overrides the image tag whose default is the chart appVersion | `v1.4.1` | | `tornjak.service.type` | Type of service resource | `ClusterIP` | | `tornjak.service.ports.http` | Insecure port for tornjak service | `10000` | | `tornjak.service.ports.https` | Secure port for tornjak service | `10443` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 8d4a9deec..7b56ab2ef 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -549,7 +549,7 @@ tornjak: repository: spiffe/tornjak-backend pullPolicy: IfNotPresent version: "" - tag: "v1.2.2" + tag: "v1.4.1" service: ## @param tornjak.service.type Type of service resource diff --git a/charts/spire/charts/tornjak-frontend/Chart.yaml b/charts/spire/charts/tornjak-frontend/Chart.yaml index 64c44f125..feda34252 100644 --- a/charts/spire/charts/tornjak-frontend/Chart.yaml +++ b/charts/spire/charts/tornjak-frontend/Chart.yaml @@ -3,7 +3,7 @@ name: tornjak-frontend description: A Helm chart to deploy Tornjak frontend type: application version: 0.1.0 -appVersion: "v1.2.2" +appVersion: "v1.4.1" home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: - https://github.com/spiffe/tornjak From 3036a41c02571119c6aba85825c5f38850f83e88 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 10 Oct 2023 15:07:14 -0400 Subject: [PATCH 24/36] Switch to version v1.4.0 
Signed-off-by: Mariusz Sabath --- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 2 +- charts/spire/charts/tornjak-frontend/Chart.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 3e07b50ea..eb5db667a 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -262,7 +262,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tornjak.image.repository` | The repository within the registry | `spiffe/tornjak-backend` | | `tornjak.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tornjak.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tornjak.image.tag` | Overrides the image tag whose default is the chart appVersion | `v1.4.1` | +| `tornjak.image.tag` | Overrides the image tag whose default is the chart appVersion | `v1.4.0` | | `tornjak.service.type` | Type of service resource | `ClusterIP` | | `tornjak.service.ports.http` | Insecure port for tornjak service | `10000` | | `tornjak.service.ports.https` | Secure port for tornjak service | `10443` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 7b56ab2ef..e7cb901e6 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -549,7 +549,7 @@ tornjak: repository: spiffe/tornjak-backend pullPolicy: IfNotPresent version: "" - tag: "v1.4.1" + tag: "v1.4.0" service: ## @param tornjak.service.type Type of service resource diff --git a/charts/spire/charts/tornjak-frontend/Chart.yaml b/charts/spire/charts/tornjak-frontend/Chart.yaml index feda34252..38a2e7a6b 100644 --- a/charts/spire/charts/tornjak-frontend/Chart.yaml +++ b/charts/spire/charts/tornjak-frontend/Chart.yaml 
@@ -3,7 +3,7 @@ name: tornjak-frontend description: A Helm chart to deploy Tornjak frontend type: application version: 0.1.0 -appVersion: "v1.4.1" +appVersion: "v1.4.0" home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: - https://github.com/spiffe/tornjak From df1abf62351f4aeb91f219f13dde0c8889ea3ffa Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Tue, 10 Oct 2023 22:28:24 -0700 Subject: [PATCH 25/36] Bump to spire 1.7.3 (#31) Signed-off-by: Kevin Fox --- charts/spire/Chart.yaml | 2 +- charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml | 2 +- charts/spire/charts/spire-agent/Chart.yaml | 2 +- charts/spire/charts/spire-server/Chart.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 0d06c79c8..70838319b 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -4,7 +4,7 @@ description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application version: 0.13.0 -appVersion: "1.7.2" +appVersion: "1.7.3" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml index 01006b61d..0467975cd 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml @@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider description: A Helm chart to install the SPIFFE OIDC discovery provider. type: application version: 0.1.0 -appVersion: "1.7.2" +appVersion: "1.7.3" keywords: ["spiffe", "oidc"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: 
diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml index 1763751f7..5a5e1561d 100644 --- a/charts/spire/charts/spire-agent/Chart.yaml +++ b/charts/spire/charts/spire-agent/Chart.yaml @@ -3,7 +3,7 @@ name: spire-agent description: A Helm chart to install the SPIRE agent. type: application version: 0.1.0 -appVersion: "1.7.2" +appVersion: "1.7.3" keywords: ["spiffe", "spire-agent"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml index ac676b20e..f8d6e6594 100644 --- a/charts/spire/charts/spire-server/Chart.yaml +++ b/charts/spire/charts/spire-server/Chart.yaml @@ -3,7 +3,7 @@ name: spire-server description: A Helm chart to install the SPIRE server. type: application version: 0.1.0 -appVersion: "1.7.2" +appVersion: "1.7.3" keywords: ["spiffe", "spire-server", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: From 0e41a7d1b454203faef8d2be3737d763ba9ee304 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Wed, 11 Oct 2023 10:36:15 -0400 Subject: [PATCH 26/36] Fix failing Tornjak ingress port (#28) Co-authored-by: Faisal Memon --- charts/spire/charts/spire-server/templates/tornjak-ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spire/charts/spire-server/templates/tornjak-ingress.yaml b/charts/spire/charts/spire-server/templates/tornjak-ingress.yaml index 9a40e9b25..df8a09232 100644 --- a/charts/spire/charts/spire-server/templates/tornjak-ingress.yaml +++ b/charts/spire/charts/spire-server/templates/tornjak-ingress.yaml 
@@ -12,5 +12,5 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
- {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.tornjak.ingress "svcName" (include "spire-tornjak.servicename" .) "port" "tornjak-srv-http") | nindent 2 }}
+ {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.tornjak.ingress "svcName" (include "spire-tornjak.servicename" .) "port" .Values.tornjak.service.ports.http) | nindent 2 }}
 {{- end }}
From fdba5d084b6d375bf6fd4c2cb842a874606b598d Mon Sep 17 00:00:00 2001
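Review bot: The backend port handed to `spire-lib.ingress-spec` is now always `.Values.tornjak.service.ports.http`, which the README hunk earlier in this series documents as the insecure port next to a `tornjak.service.ports.https`. If Tornjak is deployed with TLS on the backend, the ingress would still route to the plaintext listener; I can't see from this hunk whether a TLS toggle exists in values, but if it does the port should be selected from it. Otherwise a comment above the `spec:` line such as `# the ingress fronts Tornjak's plain-HTTP port; terminate TLS at the ingress` would make the exposure explicit for operators.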
From: Faisal Memon Date: Wed, 11 Oct 2023 11:07:07 -0700 Subject: [PATCH 27/36] Bump spire Helm Chart version from 0.13.0 to 0.13.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 0e41a7d Fix failing Tornjak ingress port (#28) * df1abf6 Bump to spire 1.7.3 (#31) * 69a20e3 Merge pull request #29 from spiffe/tornjak-version * 3036a41 Switch to version v1.4.0 * da49059 Update Tornjak image version * 0fa43a5 Add plugin support to the spire agent (#22) * c5c5320 Bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 in /tests (#27) * afba33f Add spire agent experimental flags (#26) * 1107278 Bump test chart dependencies * 03ff618 Add Tornjak ingress (#16) * 8f1bfc1 Merge pull request #23 from spiffe/examples-doc * cd386eb Merge branch 'main' into examples-doc * 12937db Update Example README * 06d6690 Bump test chart dependencies (#20) * 8aca48f Push the changes that update-tags creates (#19) * a6cb397 Exit code from diff indicating changes should not block commit. (#17) * ebfa518 Update FAQ from repo switch (#15) * c23e6cb Fix issue with version checker not running * 51c20b1 Bump actions/checkout from 4.0.0 to 4.1.0 (#9) * 21db1e4 Add a test to ensure upgrades work (#6) * f86648f Bump github.com/onsi/gomega from 1.27.10 to 1.28.0 in /tests * babd677 Bump helm.sh/helm/v3 from 3.12.3 to 3.13.0 in /tests * 45187fe Add back CODE-OF-CONDUCT * 50825d9 Deny production runs of example.org trust domains (#229) * 712a0f6 Bump actions/checkout from 4.0.0 to 4.1.0 * f04bdc3 Add support for experimental flags (#492) * 7cdae92 Bump github.com/onsi/ginkgo/v2 from 2.12.0 to 2.12.1 in /tests (#490) * d3091a8 Fix spire-server configmap UpstreamAuthority/aws_pca and KeyManager/a… (#489) * 7a96175 Remove developer-guy as a CODEOWNER Signed-off-by: Faisal Memon --- charts/spire/Chart.yaml | 2 +- charts/spire/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 70838319b..333d91633 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -3,7 +3,7 @@ name: spire description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.13.0 +version: 0.13.1 appVersion: "1.7.3" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire diff --git a/charts/spire/README.md b/charts/spire/README.md index 0a6d6a393..23858f31e 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -1,6 +1,6 @@ # spire -![Version: 0.13.0](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square) +![Version: 0.13.1](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. From dd87bc0fb208e2b3a3e72e9c79fff92723dd14c7 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Thu, 12 Oct 2023 14:52:18 -0700 Subject: [PATCH 28/36] Bump spire versions to 1.7.4 (#35) 
Signed-off-by: Kevin Fox --- charts/spire/Chart.yaml | 2 +- charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml | 2 +- charts/spire/charts/spire-agent/Chart.yaml | 2 +- charts/spire/charts/spire-server/Chart.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 333d91633..d69671544 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -4,7 +4,7 @@ description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application version: 0.13.1 -appVersion: "1.7.3" +appVersion: "1.7.4" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml index 0467975cd..acbe939ed 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml @@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider description: A Helm chart to install the SPIFFE OIDC discovery provider. type: application version: 0.1.0 -appVersion: "1.7.3" +appVersion: "1.7.4" keywords: ["spiffe", "oidc"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml index 5a5e1561d..43eca41fb 100644 --- a/charts/spire/charts/spire-agent/Chart.yaml +++ b/charts/spire/charts/spire-agent/Chart.yaml 
@@ -3,7 +3,7 @@ name: spire-agent description: A Helm chart to install the SPIRE agent. type: application version: 0.1.0 -appVersion: "1.7.3" +appVersion: "1.7.4" keywords: ["spiffe", "spire-agent"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml index f8d6e6594..952541b47 100644 --- a/charts/spire/charts/spire-server/Chart.yaml +++ b/charts/spire/charts/spire-server/Chart.yaml @@ -3,7 +3,7 @@ name: spire-server description: A Helm chart to install the SPIRE server. type: application version: 0.1.0 -appVersion: "1.7.3" +appVersion: "1.7.4" keywords: ["spiffe", "spire-server", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: From 42bb8cf06621ad1dd71500196102804aa83a40d5 Mon Sep 17 00:00:00 2001 
From: Faisal Memon Date: Thu, 12 Oct 2023 14:54:52 -0700 Subject: [PATCH 29/36] Bump spire Helm Chart version from 0.13.1 to 0.13.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * dd87bc0 Bump spire versions to 1.7.4 (#35) * fdba5d0 Bump spire Helm Chart version from 0.13.0 to 0.13.1 * 0e41a7d Fix failing Tornjak ingress port (#28) * df1abf6 Bump to spire 1.7.3 (#31) * 69a20e3 Merge pull request #29 from spiffe/tornjak-version * 3036a41 Switch to version v1.4.0 * da49059 Update Tornjak image version * 0fa43a5 Add plugin support to the spire agent (#22) * c5c5320 Bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 in /tests (#27) * afba33f Add spire agent experimental flags (#26) * 1107278 Bump test chart dependencies * 03ff618 Add Tornjak ingress (#16) * 8f1bfc1 Merge pull request #23 from spiffe/examples-doc * cd386eb Merge branch 'main' into examples-doc * 12937db Update Example README * 06d6690 Bump test chart dependencies (#20) * 8aca48f Push the changes that update-tags creates (#19) * a6cb397 Exit code from diff indicating changes should not block commit. (#17) * ebfa518 Update FAQ from repo switch (#15) * c23e6cb Fix issue with version checker not running * 51c20b1 Bump actions/checkout from 4.0.0 to 4.1.0 (#9) * 21db1e4 Add a test to ensure upgrades work (#6) * f86648f Bump github.com/onsi/gomega from 1.27.10 to 1.28.0 in /tests * babd677 Bump helm.sh/helm/v3 from 3.12.3 to 3.13.0 in /tests * 45187fe Add back CODE-OF-CONDUCT * 50825d9 Deny production runs of example.org trust domains (#229) * 712a0f6 Bump actions/checkout from 4.0.0 to 4.1.0 * f04bdc3 Add support for experimental flags (#492) * 7cdae92 Bump github.com/onsi/ginkgo/v2 from 2.12.0 to 2.12.1 in /tests (#490) * d3091a8 Fix spire-server configmap UpstreamAuthority/aws_pca and KeyManager/a… (#489) * 7a96175 Remove developer-guy as a CODEOWNER 
Signed-off-by: Faisal Memon --- charts/spire/Chart.yaml | 2 +- charts/spire/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index d69671544..cc44b75d2 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -3,7 +3,7 @@ name: spire description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.13.1 +version: 0.13.2 appVersion: "1.7.4" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire diff --git a/charts/spire/README.md b/charts/spire/README.md index 23858f31e..cb784b9a1 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -1,6 +1,6 @@ # spire -![Version: 0.13.1](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square) +![Version: 0.13.2](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. From 5cb3c6de12f79786fa51ed6c936e8daeaa180ec4 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 12 Oct 2023 22:15:14 -0700 Subject: [PATCH 30/36] Bump helm.sh/helm/v3 from 3.13.0 to 3.13.1 in /tests (#37) Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.13.0 to 3.13.1. - [Release notes](https://github.com/helm/helm/releases) - [Commits](https://github.com/helm/helm/compare/v3.13.0...v3.13.1) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/go.mod | 8 ++++---- tests/go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index beeb90967..cc6e23440 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -5,7 +5,7 @@ go 1.20 require ( github.com/onsi/ginkgo/v2 v2.13.0 github.com/onsi/gomega v1.28.0 - helm.sh/helm/v3 v3.13.0 + helm.sh/helm/v3 v3.13.1 ) require ( @@ -45,12 +45,12 @@ require ( github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect - golang.org/x/crypto v0.12.0 // indirect + golang.org/x/crypto v0.13.0 // indirect golang.org/x/net v0.14.0 // indirect golang.org/x/oauth2 v0.8.0 // indirect golang.org/x/sys v0.12.0 // indirect - golang.org/x/term v0.11.0 // indirect - golang.org/x/text v0.12.0 // indirect + golang.org/x/term v0.12.0 // indirect + golang.org/x/text v0.13.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.12.0 // indirect google.golang.org/appengine v1.6.7 // indirect diff --git a/tests/go.sum b/tests/go.sum index 7434b2937..ffeb68f17 100644 --- a/tests/go.sum +++ b/tests/go.sum 
@@ -127,8 +127,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk= -golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= +golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck= +golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 
@@ -163,15 +163,15 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0= -golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= +golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU= +golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc= -golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -205,8 +205,8 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -helm.sh/helm/v3 v3.13.0 h1:XPJKIU30K4JTQ6VX/6e0hFAmEIonYa8E7wx5aqv4xOc= -helm.sh/helm/v3 v3.13.0/go.mod h1:2PBEKsMWKLVZTojUOqMS3Eadv5mP43FBWrRgLNkNm9Y= +helm.sh/helm/v3 v3.13.1 h1:DG+XLGzBJeZvMLlMbm6bPDLV1dGaVW9eZsDoUd1/LM0= +helm.sh/helm/v3 v3.13.1/go.mod h1:TdQRMiq46CSWcc68Hb0uVhvAWusaN90YwAV54cz6JzU= k8s.io/api v0.28.2 h1:9mpl5mOb6vXZvqbQmankOfPIGiudghwCoLl1EYfUZbw= k8s.io/api v0.28.2/go.mod h1:RVnJBsjU8tcMq7C3iaRSGMeaKt2TWEUXcpIt/90fjEg= k8s.io/apiextensions-apiserver v0.28.2 h1:J6/QRWIKV2/HwBhHRVITMLYoypCoPY1ftigDM0Kn+QU= From 2644e4b1983cc485e5095e2fc17d3f8e806534f5 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 16 Oct 2023 18:00:04 +0000 Subject: [PATCH 31/36] Bump test chart dependencies (#38) Signed-off-by: GitHub Co-authored-by: marcofranssen --- .github/tests/charts.json | 8 ++++---- .../spire/charts/spiffe-oidc-discovery-provider/README.md | 4 ++-- .../charts/spiffe-oidc-discovery-provider/values.yaml | 4 ++-- charts/spire/charts/spire-agent/README.md | 4 ++-- charts/spire/charts/spire-agent/values.yaml | 4 ++-- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 2 +- charts/spire/charts/tornjak-frontend/README.md | 2 +- charts/spire/charts/tornjak-frontend/values.yaml | 2 +- 9 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 9db804f85..02f1c7730 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json 
@@ -2,7 +2,7 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "51.3.0" + "version": "51.8.0" }, { "name": "cert-manager", @@ -12,16 +12,16 @@ { "name": "ingress-nginx", "repo": "https://kubernetes.github.io/ingress-nginx", - "version": "4.8.1" + "version": "4.8.2" }, { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "9.12.3" + "version": "9.12.5" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "13.1.0" + "version": "13.1.5" } ] diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 9a32aaa7d..3bab4ad42 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -106,12 +106,12 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:cdf09d9d48e2b78e4a31dbbeba03e34b9462a35fa55defe67d73c440dbacca2c` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.toolkit.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8e231266acc48b98934b1eaba7fd086bd13e7f22d69d3c4dff9c46040dbb29d8` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:57151ad9f998c9394c9ba8b66c83f70cbfe3d4b733c166c9856e0d8fb273bfd0` | | `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | | `tests.busybox.image.repository` | The repository within the registry | `busybox` | | `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 5f25e5e0a..c6377e2ea 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -280,7 +280,7 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875 + tag: latest@sha256:cdf09d9d48e2b78e4a31dbbeba03e34b9462a35fa55defe67d73c440dbacca2c toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -294,7 +294,7 @@ tests: repository: chainguard/slim-toolkit-debug pullPolicy: IfNotPresent version: "" - tag: latest@sha256:8e231266acc48b98934b1eaba7fd086bd13e7f22d69d3c4dff9c46040dbb29d8 + tag: latest@sha256:57151ad9f998c9394c9ba8b66c83f70cbfe3d4b733c166c9856e0d8fb273bfd0 busybox: ## @param tests.busybox.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 4881d0473..52f27d114 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -68,13 +68,13 @@ A Helm chart to install the SPIRE agent. | `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` | | `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `waitForIt.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:c1822a2d9c88431e5f87af378c377d26e622eaeaf44e84f375d07e283c85e567` | +| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5b836d1a4c652ec1c56bdd4a05a43349e2eeff50cf7fdb45a356f0ddc578573b` | | `waitForIt.resources` | Resource requests and limits | `{}` | | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | | `fsGroupFix.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:cdf09d9d48e2b78e4a31dbbeba03e34b9462a35fa55defe67d73c440dbacca2c` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | | `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 81d110bb2..d5fe56f35 100644 --- a/charts/spire/charts/spire-agent/values.yaml 
+++ b/charts/spire/charts/spire-agent/values.yaml @@ -134,7 +134,7 @@ waitForIt: repository: chainguard/wait-for-it pullPolicy: IfNotPresent version: "" - tag: latest@sha256:c1822a2d9c88431e5f87af378c377d26e622eaeaf44e84f375d07e283c85e567 + tag: latest@sha256:5b836d1a4c652ec1c56bdd4a05a43349e2eeff50cf7fdb45a356f0ddc578573b ## @param waitForIt.resources [object] Resource requests and limits resources: {} @@ -153,7 +153,7 @@ fsGroupFix: repository: chainguard/bash pullPolicy: Always version: "" - tag: latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875 + tag: latest@sha256:cdf09d9d48e2b78e4a31dbbeba03e34b9462a35fa55defe67d73c440dbacca2c ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index eb5db667a..de7b0d3c2 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -299,4 +299,4 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:cdf09d9d48e2b78e4a31dbbeba03e34b9462a35fa55defe67d73c440dbacca2c` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index e7cb901e6..5a1f7da0c 100644 --- a/charts/spire/charts/spire-server/values.yaml 
+++ b/charts/spire/charts/spire-server/values.yaml @@ -680,4 +680,4 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875 + tag: latest@sha256:cdf09d9d48e2b78e4a31dbbeba03e34b9462a35fa55defe67d73c440dbacca2c diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 719beed3a..e8ac2d30b 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -97,4 +97,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:cdf09d9d48e2b78e4a31dbbeba03e34b9462a35fa55defe67d73c440dbacca2c` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 1e7abbf7e..b76959ff7 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -145,4 +145,4 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:5c943903c3f9159c58c4fdf9809f404ab9cfc39b7bfed12bac44563ce0fe7875 + tag: latest@sha256:cdf09d9d48e2b78e4a31dbbeba03e34b9462a35fa55defe67d73c440dbacca2c From 78ba615c7d200c19a1e2128b604a9ae3cd330808 Mon Sep 17 00:00:00 2001 From: Faisal Memon Date: Tue, 17 Oct 2023 10:26:14 -0700 Subject: [PATCH 32/36] Update to SPIRE 1.8.2 (#40) 
Signed-off-by: Faisal Memon --- README.md | 2 +- charts/spire/Chart.yaml | 2 +- charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml | 2 +- charts/spire/charts/spire-agent/Chart.yaml | 2 +- charts/spire/charts/spire-server/Chart.yaml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 6ccbade74..19c83cfd6 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ Unless otherwise noted in an application chart README, the following dependencie | Dependency | Supported Versions | |:-----------|:-------------------| -| SPIRE | `1.6.x`, `1.7.x` | +| SPIRE | `1.8.2` | | Helm | `3.x` | | Kubernetes | `1.22+` | diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index cc44b75d2..5c61e486e 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -4,7 +4,7 @@ description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application version: 0.13.2 -appVersion: "1.7.4" +appVersion: "1.8.2" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml index acbe939ed..0d446fca0 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml @@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider description: A Helm chart to install the SPIFFE OIDC discovery provider. type: application version: 0.1.0 -appVersion: "1.7.4" +appVersion: "1.8.2" keywords: ["spiffe", "oidc"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: 
diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml index 43eca41fb..6d411b560 100644 --- a/charts/spire/charts/spire-agent/Chart.yaml +++ b/charts/spire/charts/spire-agent/Chart.yaml @@ -3,7 +3,7 @@ name: spire-agent description: A Helm chart to install the SPIRE agent. type: application version: 0.1.0 -appVersion: "1.7.4" +appVersion: "1.8.2" keywords: ["spiffe", "spire-agent"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml index 952541b47..2335de437 100644 --- a/charts/spire/charts/spire-server/Chart.yaml +++ b/charts/spire/charts/spire-server/Chart.yaml @@ -3,7 +3,7 @@ name: spire-server description: A Helm chart to install the SPIRE server. type: application version: 0.1.0 -appVersion: "1.7.4" +appVersion: "1.8.2" keywords: ["spiffe", "spire-server", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: From 663551297a05bb077cd6ed3fbb18c9c33792bed5 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 17 Oct 2023 15:48:54 -0400 Subject: [PATCH 33/36] Fix Tornjak HTTPS ingress port (#39) * Fix failing Tornjak ingress port Signed-off-by: Mariusz Sabath * Add HTTPS port to Tornjak ingress Signed-off-by: Mariusz Sabath * Remove tlsBackendPort flag Signed-off-by: Mariusz Sabath --------- Signed-off-by: Mariusz Sabath --- charts/spire/charts/spire-server/README.md | 1 - .../charts/spire-server/templates/tornjak-ingress.yaml | 6 +++++- charts/spire/charts/spire-server/values.yaml | 2 -- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index de7b0d3c2..5fdf4f38e 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
@@ -270,7 +270,6 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tornjak.ingress.enabled` | Flag to enable ingress for Tornjak backend service | `false` | | `tornjak.ingress.className` | Ingress class name for Tornjak backend service | `""` | | `tornjak.ingress.annotations` | Annotations for Tornjak backend service | `{}` | -| `tornjak.ingress.tlsBackendPort` | Flag to enable TLS on the ingress Tornjak backend service | `false` | | `tornjak.ingress.hosts` | Host paths for ingress Tornjak backend service | `[]` | | `tornjak.ingress.tls` | Secrets containing TLS certs to enable https on ingress | `[]` | | `tornjak.startupProbe.failureThreshold` | Failure threshold count | `3` | diff --git a/charts/spire/charts/spire-server/templates/tornjak-ingress.yaml b/charts/spire/charts/spire-server/templates/tornjak-ingress.yaml index df8a09232..ac0dfb59a 100644 --- a/charts/spire/charts/spire-server/templates/tornjak-ingress.yaml +++ b/charts/spire/charts/spire-server/templates/tornjak-ingress.yaml @@ -12,5 +12,9 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.tornjak.ingress "svcName" (include "spire-tornjak.servicename" .) "port" .Values.tornjak.service.ports.http) | nindent 2 }} + {{- if eq (include "spire-tornjak.connectionType" .) "http" }} + {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.tornjak.ingress "svcName" (include "spire-tornjak.servicename" .) "port" "tornjak-srv-http") | nindent 2 }} + {{- else -}} + {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.tornjak.ingress "svcName" (include "spire-tornjak.servicename" .) "port" "tornjak-srv-https") | nindent 2 }} + {{- end -}} {{- end }} diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 5a1f7da0c..ff8dd603b 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml 
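Review bot: Switching the backend to the `tornjak-srv-https` named port does not make the ingress controller speak TLS to Tornjak; most controllers proxy plain HTTP to whatever port they are given unless an annotation such as NGINX's `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` is set, so with `tlsBackendPort` removed a `tls`/`mtls` connection type now yields an Ingress that talks cleartext to a TLS port and fails. I would document that next to `tornjak.ingress.annotations` in values.yaml, e.g. `## If Tornjak uses a TLS/mTLS connection type, add your ingress controller's backend-protocol annotation here (e.g. nginx.ingress.kubernetes.io/backend-protocol: "HTTPS")`, and note that for mTLS the ingress controller also needs a client certificate, which nothing in this chart appears to supply. The `spire-tornjak.connectionType` helper that picks the branch is defined outside this hunk, so I am assuming it returns `http` for plain HTTP and something else for TLS and mTLS. Minor style: the `{{- else -}}` / `{{- end -}}` trim markers differ from the first branch's bare `{{ include … }}`; with `nindent` both render the same, but making the two branches identical avoids a second look.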
@@ -565,13 +565,11 @@ tornjak: ## @param tornjak.ingress.enabled Flag to enable ingress for Tornjak backend service ## @param tornjak.ingress.className Ingress class name for Tornjak backend service ## @param tornjak.ingress.annotations [object] Annotations for Tornjak backend service - ## @param tornjak.ingress.tlsBackendPort Flag to enable TLS on the ingress Tornjak backend service ## @param tornjak.ingress.hosts [array] Host paths for ingress Tornjak backend service ingress: enabled: false className: "" annotations: {} - tlsBackendPort: false hosts: - host: tornjak-backend.example.org paths: From 56445c4f947900abe13daf73cd94d43024371da7 Mon Sep 17 00:00:00 2001 
From: kfox1111 Date: Tue, 17 Oct 2023 12:54:12 -0700 Subject: [PATCH 34/36] Spire controller manager upgrade (#8) Co-authored-by: Faisal Memon Co-authored-by: Marco Franssen --- .github/workflows/helm-chart-ci.yaml | 8 +- charts/spire-crds/.helmignore | 23 +++++ charts/spire-crds/Chart.yaml | 22 +++++ charts/spire-crds/README.md | 23 +++++ ...iffe.io_clusterfederatedtrustdomains.yaml} | 9 +- .../spire.spiffe.io_clusterspiffeids.yaml} | 27 +++--- .../spire.spiffe.io_clusterstaticentries.yaml | 92 +++++++++++++++++++ ...e.spiffe.io_controllermanagerconfigs.yaml} | 1 + charts/spire-crds/values.yaml | 3 + charts/spire/README.md | 33 +++++++ charts/spire/charts/spire-server/README.md | 2 +- .../templates/controller-manager-roles.yaml | 9 ++ charts/spire/charts/spire-server/values.yaml | 2 +- examples/production/run-tests.sh | 12 +++ 14 files changed, 244 insertions(+), 22 deletions(-) create mode 100644 charts/spire-crds/.helmignore create mode 100644 charts/spire-crds/Chart.yaml create mode 100644 charts/spire-crds/README.md rename charts/{spire/charts/spire-server/crds/clusterfederatedtrustdomains.yaml => spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml} (96%) rename charts/{spire/charts/spire-server/crds/clusterspiffeids.yaml => spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml} (93%) create mode 100644 charts/spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml rename charts/{spire/charts/spire-server/crds/controllermanagerconfigs.yaml => spire-crds/templates/spire.spiffe.io_controllermanagerconfigs.yaml} (97%) create mode 100644 charts/spire-crds/values.yaml diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index c9c8a91a0..32ae4fb33 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml 
@@ -170,7 +170,8 @@ jobs: - name: Run chart-testing (install) run: | - ct install --config ct.yaml \ + helm install -n spire-server spire-crds charts/spire-crds + ct install --config ct.yaml --excluded-charts spire-crds \ --target-branch ${{ github.base_ref }} - name: Test summary @@ -238,7 +239,10 @@ jobs: verbosity: 1 - name: Install and test example - run: ${{ matrix.example }}/run-tests.sh + run: | + kubectl create namespace spire-server + helm install -n spire-server spire-crds charts/spire-crds + ${{ matrix.example }}/run-tests.sh upgrade-test: runs-on: ubuntu-22.04 diff --git a/charts/spire-crds/.helmignore b/charts/spire-crds/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/spire-crds/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/spire-crds/Chart.yaml b/charts/spire-crds/Chart.yaml new file mode 100644 index 000000000..34be7d880 --- /dev/null +++ b/charts/spire-crds/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +name: spire-crds +description: > + A Helm chart for deploying the Spire CRDS +type: application +version: 0.0.1 +appVersion: "0.0.1" +keywords: ["spire-crds"] +home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +sources: + - https://github.com/spiffe/helm-charts/tree/main/charts/spire +icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png +maintainers: + - name: marcofranssen + email: marco.franssen@gmail.com + url: https://marcofranssen.nl + - name: kfox1111 + email: Kevin.Fox@pnnl.gov + - name: faisal-memon + email: fymemon@yahoo.com + - name: edwbuck + email: edwbuck@gmail.com 
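Review bot: `helm install -n spire-server spire-crds charts/spire-crds` in the chart-testing step assumes the `spire-server` namespace already exists, while the second hunk in this file creates it with `kubectl create namespace spire-server` before the identical install; unless an earlier step outside this hunk creates it, add `--create-namespace` (or the same kubectl line) here so the job does not fail on a fresh cluster. A one-line comment would also explain why the CRD chart is installed once up front and then excluded: `# spire-crds is installed once and excluded from ct because its CRDs carry helm.sh/resource-policy: keep and ct tears down each chart release`.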
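Review bot: `appVersion: "0.0.1"` in the new spire-crds Chart.yaml does not identify which spire-controller-manager release the bundled CRDs were generated for, which is the one thing an operator needs when deciding whether to upgrade this chart, and it disagrees with the chart's own README badge in this series (AppVersion 1.7.2). Since this commit moves `controllerManager.image.tag` to `0.3.0`, I would set `appVersion: "0.3.0"` and add `# appVersion tracks the spire-controller-manager release the CRDs under templates/ were generated from` above it.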
diff --git a/charts/spire-crds/README.md b/charts/spire-crds/README.md new file mode 100644 index 000000000..7eb21c25a --- /dev/null +++ b/charts/spire-crds/README.md @@ -0,0 +1,23 @@ +# spire-crds + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square) + +A Helm chart to install the SPIRE CRDS. + +**Homepage:** + +## Maintainers +| Name | Email | Url | +| ---- | ------ | --- | +| marcofranssen | | | +| kfox1111 | | | +| faisal-memon | | | +| edwbuck | | | + +## Source Code + +* + + + +## Parameters diff --git a/charts/spire/charts/spire-server/crds/clusterfederatedtrustdomains.yaml b/charts/spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml similarity index 96% rename from charts/spire/charts/spire-server/crds/clusterfederatedtrustdomains.yaml rename to charts/spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml index 91aae17e2..6380ac4c6 100644 --- a/charts/spire/charts/spire-server/crds/clusterfederatedtrustdomains.yaml +++ b/charts/spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml @@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.8.0 + controller-gen.kubebuilder.io/version: v0.11.1 + {{- .Values.annotations | toYaml | nindent 4 }} creationTimestamp: null name: clusterfederatedtrustdomains.spire.spiffe.io spec: @@ -88,9 +89,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] 
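Review bot: `{{- .Values.annotations | toYaml | nindent 4 }}` renders a literal `{}` (or `null`) line under `metadata.annotations` when a user sets `annotations: {}` or `annotations: null`, which makes the CRD manifest invalid YAML; the default in values.yaml has one key, so CI never exercises that path. Guard it with `{{- with .Values.annotations }}{{- toYaml . | nindent 4 }}{{- end }}`. The same expression is pasted into the other CRD templates in this commit and should get the same guard. The `helm.sh/resource-policy: keep` default also means `helm uninstall spire-crds` leaves the CRDs (and any ClusterSPIFFEID/ClusterStaticEntry objects) in the cluster; that deserves one sentence in the chart README so operators do not assume a clean teardown.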
diff --git a/charts/spire/charts/spire-server/crds/clusterspiffeids.yaml b/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml similarity index 93% rename from charts/spire/charts/spire-server/crds/clusterspiffeids.yaml rename to charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml index 74758a5a0..d630c731b 100644 --- a/charts/spire/charts/spire-server/crds/clusterspiffeids.yaml +++ b/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml @@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.8.0 + controller-gen.kubebuilder.io/version: v0.11.1 + {{- .Values.annotations | toYaml | nindent 4 }} creationTimestamp: null name: clusterspiffeids.spire.spiffe.io spec: @@ -48,14 +49,22 @@ spec: items: type: string type: array + downstream: + description: Downstream indicates that the entry describes a downstream + SPIRE server. + type: boolean federatesWith: description: FederatesWith is a list of trust domain names that workloads that obtain this SPIFFE ID will federate with. items: type: string type: array + jwtTtl: + description: JWTTTL indicates an upper-bound time-to-live for JWT + SVIDs minted for this ClusterSPIFFEID. + type: string namespaceSelector: - description: NamespaceSelector selects the namespaces that are targetted + description: NamespaceSelector selects the namespaces that are targeted by this CRD. properties: matchExpressions: @@ -99,8 +108,9 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic podSelector: - description: PodSelector selects the pods that are targetted by this + description: PodSelector selects the pods that are targeted by this CRD. properties: matchExpressions: 
@@ -144,14 +154,15 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic spiffeIDTemplate: description: SPIFFEID is the SPIFFE ID template. The node and pod spec are made available to the template under .NodeSpec, .PodSpec respectively. type: string ttl: - description: TTL indicates an upper-bound time-to-live for SVIDs minted - for this ClusterSPIFFEID. If unset, a default will be chosen. + description: TTL indicates an upper-bound time-to-live for X509 SVIDs + minted for this ClusterSPIFFEID. If unset, a default will be chosen. type: string workloadSelectorTemplates: description: WorkloadSelectorTemplates are templates to produce arbitrary @@ -213,9 +224,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml b/charts/spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml new file mode 100644 index 000000000..3e2e35c52 --- /dev/null +++ b/charts/spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml 
@@ -0,0 +1,92 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + {{- .Values.annotations | toYaml | nindent 4 }} + creationTimestamp: null + name: clusterstaticentries.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterStaticEntry + listKind: ClusterStaticEntryList + plural: clusterstaticentries + singular: clusterstaticentry + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterStaticEntry is the Schema for the clusterstaticentries + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry + properties: + admin: + type: boolean + dnsNames: + items: + type: string + type: array + downstream: + type: boolean + federatesWith: + items: + type: string + type: array + hint: + type: string + jwtSVIDTTL: + type: string + parentID: + type: string + selectors: + items: + type: string + type: array + spiffeID: + type: string + x509SVIDTTL: + type: string + required: + - parentID + - selectors + - spiffeID + type: object + status: + description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry + properties: + masked: + description: If the static entry was masked by another entry. + type: boolean + rendered: + description: If the static entry rendered properly. + type: boolean + set: + description: If the static entry was successfully created/updated. + type: boolean + required: + - masked + - rendered + - set + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/spire/charts/spire-server/crds/controllermanagerconfigs.yaml b/charts/spire-crds/templates/spire.spiffe.io_controllermanagerconfigs.yaml similarity index 97% rename from charts/spire/charts/spire-server/crds/controllermanagerconfigs.yaml rename to charts/spire-crds/templates/spire.spiffe.io_controllermanagerconfigs.yaml index 7845a107e..137616a6b 100644 --- a/charts/spire/charts/spire-server/crds/controllermanagerconfigs.yaml +++ b/charts/spire-crds/templates/spire.spiffe.io_controllermanagerconfigs.yaml @@ -4,6 +4,7 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.8.0 + {{- .Values.annotations | toYaml | nindent 4 }} creationTimestamp: null name: controllermanagerconfigs.spire.spiffe.io spec: 
diff --git a/charts/spire-crds/values.yaml b/charts/spire-crds/values.yaml new file mode 100644 index 000000000..1e1e994af --- /dev/null +++ b/charts/spire-crds/values.yaml @@ -0,0 +1,3 @@ +annotations: + ## @param annotations.helm.sh/resource-policy keep the crds after chart deletion + helm.sh/resource-policy: keep diff --git a/charts/spire/README.md b/charts/spire/README.md index cb784b9a1..8c8d57634 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -83,6 +83,39 @@ Now you can interact with the Spire agent socket from your own application. The | file://./charts/spire-server | spire-server | 0.1.0 | | file://./charts/tornjak-frontend | tornjak-frontend | 0.1.0 | +## Install notes + +To do a quick non production install: + +```shell +kubectl create namespace spire-system +helm install -n spire-system spire-crds charts/spire-crds +helm install -n spire-system spire charts/spire + +For production installs, please see [the production example](examples/production/). + +## Upgrade notes + +0.14.X: + +If coming from a chart version before 0.14.0, you must relabel your crds to switch to using the new spire-crds chart. To migrate to the spire-crds chart +run the following: + +```shell +# Replace the spire-server namespace in the commands below with the namespace you want to install the spire-crds chart in. + +kubectl label crd "clusterfederatedtrustdomains.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm" +kubectl annotate crd "clusterfederatedtrustdomains.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds" +kubectl annotate crd "clusterfederatedtrustdomains.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server" +kubectl label crd "clusterspiffeids.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm" +kubectl annotate crd "clusterspiffeids.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds" +kubectl annotate crd "clusterspiffeids.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server" +kubectl label crd "controllermanagerconfigs.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm" +kubectl annotate crd "controllermanagerconfigs.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds" +kubectl annotate crd "controllermanagerconfigs.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server" +helm install -n spire-server spire-crds charts/spire-crds +``` + ## Parameters 
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 5fdf4f38e..2b099653d 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -218,7 +218,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `controllerManager.image.repository` | The repository within the registry | `spiffe/spire-controller-manager` | | `controllerManager.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `controllerManager.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.2.3` | +| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.3.0` | | `controllerManager.resources` | Resource requests and limits for controller manager | `{}` | | `controllerManager.securityContext` | Security context | `{}` | | `controllerManager.service.type` | Service type for controller manager | `ClusterIP` | diff --git a/charts/spire/charts/spire-server/templates/controller-manager-roles.yaml b/charts/spire/charts/spire-server/templates/controller-manager-roles.yaml index f5a85a7c7..e9cbc5d09 100644 --- a/charts/spire/charts/spire-server/templates/controller-manager-roles.yaml +++ b/charts/spire/charts/spire-server/templates/controller-manager-roles.yaml 
@@ -64,6 +64,15 @@ rules: - apiGroups: ["spire.spiffe.io"] resources: ["clusterspiffeids/status"] verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterstaticentries/status"] + verbs: ["get", "patch", "update"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index ff8dd603b..5dfd1bf09 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -386,7 +386,7 @@ controllerManager: repository: spiffe/spire-controller-manager pullPolicy: IfNotPresent version: "" - tag: "0.2.3" + tag: "0.3.0" ## @param controllerManager.resources [object] Resource requests and limits for controller manager resources: {} diff --git a/examples/production/run-tests.sh b/examples/production/run-tests.sh index 05102f794..6e840e9f4 100755 --- a/examples/production/run-tests.sh +++ b/examples/production/run-tests.sh 
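Review bot: The new rule grants the controller-manager `create` and `delete` on `clusterstaticentries`, which is broader than reconciling the objects needs if the controller only reads them and writes their status and finalizers (the adjacent `/status` and `/finalizers` rules already cover that); unless the controller creates ClusterStaticEntry objects itself, prefer `verbs: ["get", "list", "patch", "update", "watch"]`. Least privilege matters more here than for a typical CRD because the `ClusterStaticEntry` schema added in this commit carries `admin` and `downstream` booleans, so write access to this cluster-scoped resource is effectively the ability to register admin or downstream SPIRE entries. I would add `# ClusterStaticEntry can set admin/downstream on entries; treat write access as SPIRE-admin-equivalent and bind this role only to the controller-manager service account` above the rule. The `clusterspiffeids` rule this one mirrors starts above the hunk, so I cannot tell whether it already grants create/delete.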
@@ -105,7 +105,19 @@ install_and_test() {
if [[ -n "$UPGRADE_ARGS" ]]; then
install_and_test spire "$UPGRADE_ARGS"
+ # Any other upgrade steps go here. (Upgrade crds, delete statefulsets without cascade, etc.)
+ kubectl label crd "clusterfederatedtrustdomains.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm"
+ kubectl annotate crd "clusterfederatedtrustdomains.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds"
+ kubectl annotate crd "clusterfederatedtrustdomains.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server"
+ kubectl label crd "clusterspiffeids.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm"
+ kubectl annotate crd "clusterspiffeids.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds"
+ kubectl annotate crd "clusterspiffeids.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server"
+ kubectl label crd "controllermanagerconfigs.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm"
+ kubectl annotate crd "controllermanagerconfigs.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds"
+ kubectl annotate crd "controllermanagerconfigs.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server"
+
+ helm upgrade --install -n spire-server spire-crds charts/spire-crds
fi
install_and_test charts/spire ""
From a01cdc96d6f0bba3ba5008d671e2ba5ecc45265f Mon Sep 17 00:00:00 2001
From: kfox1111
Date: Wed, 18 Oct 2023 13:29:56 -0700
Subject: [PATCH 35/36] Production test don't cleanup flag (#44)
* Production test don't cleanup flag
For use in the future with uprade tests, we add a flag -c to the production test to not cleanup after the testing.
Signed-off-by: Kevin Fox
* Incorperate feedback
Signed-off-by: Kevin Fox
---------
Signed-off-by: Kevin Fox
---
examples/production/run-tests.sh | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/examples/production/run-tests.sh b/examples/production/run-tests.sh
index 6e840e9f4..8fed83abc 100755
--- a/examples/production/run-tests.sh
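Review bot: The adoption block hard-codes `spire-server` both in the `meta.helm.sh/release-namespace` annotations and in `helm upgrade --install -n spire-server`, while the script already carries that namespace in `ns` (set near the top of the file, outside this hunk); if `ns` ever diverges, the CRDs are annotated for a namespace that does not match the release and Helm refuses to adopt them. The `kubectl label`/`annotate` calls also run without `--overwrite`, so on a cluster where these CRDs were already adopted under another release or namespace they fail, and whether that aborts the run depends on shell options not visible here. Folding the nine repeated commands into a loop with `--overwrite` and `"${ns}"` fixes both, and the placeholder `# Any other upgrade steps go here.` could say what the block actually does. The `if … fi` is entirely inside the hunk; the surrounding script continues on both sides.
```shell
  # Adopt CRDs installed by the previous chart version into the spire-crds release
  # so Helm is allowed to manage them; --overwrite keeps this idempotent on re-runs.
  for crd in clusterfederatedtrustdomains clusterspiffeids controllermanagerconfigs; do
    kubectl label --overwrite crd "${crd}.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm"
    kubectl annotate --overwrite crd "${crd}.spire.spiffe.io" \
      "meta.helm.sh/release-name=spire-crds" \
      "meta.helm.sh/release-namespace=${ns}"
  done

  helm upgrade --install -n "${ns}" spire-crds charts/spire-crds
```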
+++ b/examples/production/run-tests.sh
@@ -19,6 +19,7 @@ helm_install=(helm upgrade --install --create-namespace)
ns=spire-server
UPGRADE_ARGS=""
+CLEANUP=1
for i in "$@"; do
case $i in
@@ -26,17 +27,23 @@ for i in "$@"; do
UPGRADE_ARGS="--repo $UPGRADE_REPO --version $UPGRADE_VERSION"
shift # past argument=value
;;
+ -c)
+ CLEANUP=0
+ shift # past argument=value
+ ;;
esac
done
teardown() {
- helm uninstall --namespace "${ns}" spire 2>/dev/null || true
- kubectl delete ns "${ns}" 2>/dev/null || true
- kubectl delete ns spire-system 2>/dev/null || true
- helm uninstall --namespace cert-manager cert-manager 2>/dev/null || true
- kubectl delete ns cert-manager 2>/dev/null || true
- helm uninstall --namespace ingress-nginx 2>/dev/null || true
- kubectl delete ns ingress-nginx 2>/dev/null || true
+ if [ "${CLEANUP}" -eq 1 ]; then
+ helm uninstall --namespace "${ns}" spire 2>/dev/null || true
+ kubectl delete ns "${ns}" 2>/dev/null || true
+ kubectl delete ns spire-system 2>/dev/null || true
+ helm uninstall --namespace cert-manager cert-manager 2>/dev/null || true
+ kubectl delete ns cert-manager 2>/dev/null || true
+ helm uninstall --namespace ingress-nginx 2>/dev/null || true
+ kubectl delete ns ingress-nginx 2>/dev/null || true
+ fi
}
trap 'trap - SIGTERM && teardown' SIGINT SIGTERM EXIT
From ff725c2e3872040696419e20059f88463caee3f7 Mon Sep 17 00:00:00 2001
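Review bot: `helm uninstall --namespace ingress-nginx 2>/dev/null || true` inside the new `if` block in `teardown()` has no release name, so helm exits with a usage error that the redirect and `|| true` hide and the ingress-nginx release is never uninstalled; the `kubectl delete ns ingress-nginx` that follows removes namespaced objects, but any cluster-scoped objects the release created (ClusterRole, webhook configuration, IngressClass, if it created them) would survive between runs. The line should name the release the install step uses (that step is outside the hunk; if it is `ingress-nginx`, this is `helm uninstall --namespace ingress-nginx ingress-nginx 2>/dev/null || true`), and the same `|| true` silencing on every line means the added guard hides failures rather than reporting them. In the option parser, the comment on the new `-c` case, `shift # past argument=value`, was copied from the preceding case and is misleading for a bare flag; `shift # past flag; keep cluster state for a later upgrade test` says what it is for. `teardown()` and the `for` loop are fully inside the hunk; the rest of the script is outside.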
From: Faisal Memon Date: Wed, 18 Oct 2023 13:36:36 -0700 Subject: [PATCH 36/36] Bump spire Helm Chart version from 0.13.2 to 0.14.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * a01cdc9 Production test don't cleanup flag (#44) * 56445c4 Spire controller manager upgrade (#8) * 6635512 Fix Tornjak HTTPS ingress port (#39) * 78ba615 Update to SPIRE 1.8.2 (#40) * 2644e4b Bump test chart dependencies (#38) * 5cb3c6d Bump helm.sh/helm/v3 from 3.13.0 to 3.13.1 in /tests (#37) * 42bb8cf Bump spire Helm Chart version from 0.13.1 to 0.13.2 * dd87bc0 Bump spire versions to 1.7.4 (#35) * fdba5d0 Bump spire Helm Chart version from 0.13.0 to 0.13.1 * 0e41a7d Fix failing Tornjak ingress port (#28) * df1abf6 Bump to spire 1.7.3 (#31) * 69a20e3 Merge pull request #29 from spiffe/tornjak-version * 3036a41 Switch to version v1.4.0 * da49059 Update Tornjak image version * 0fa43a5 Add plugin support to the spire agent (#22) * c5c5320 Bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 in /tests (#27) * afba33f Add spire agent experimental flags (#26) * 1107278 Bump test chart dependencies * 03ff618 Add Tornjak ingress (#16) * 8f1bfc1 Merge pull request #23 from spiffe/examples-doc * cd386eb Merge branch 'main' into examples-doc * 12937db Update Example README * 06d6690 Bump test chart dependencies (#20) * 8aca48f Push the changes that update-tags creates (#19) * a6cb397 Exit code from diff indicating changes should not block commit. 
(#17) * ebfa518 Update FAQ from repo switch (#15) * c23e6cb Fix issue with version checker not running * 51c20b1 Bump actions/checkout from 4.0.0 to 4.1.0 (#9) * 21db1e4 Add a test to ensure upgrades work (#6) * f86648f Bump github.com/onsi/gomega from 1.27.10 to 1.28.0 in /tests * babd677 Bump helm.sh/helm/v3 from 3.12.3 to 3.13.0 in /tests * 45187fe Add back CODE-OF-CONDUCT * 50825d9 Deny production runs of example.org trust domains (#229) * 712a0f6 Bump actions/checkout from 4.0.0 to 4.1.0 * f04bdc3 Add support for experimental flags (#492) * 7cdae92 Bump github.com/onsi/ginkgo/v2 from 2.12.0 to 2.12.1 in /tests (#490) * d3091a8 Fix spire-server configmap UpstreamAuthority/aws_pca and KeyManager/a… (#489) * 7a96175 Remove developer-guy as a CODEOWNER Signed-off-by: Faisal Memon --- charts/spire/Chart.yaml | 2 +- charts/spire/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 5c61e486e..dba8bd32f 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -3,7 +3,7 @@ name: spire description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.13.2 +version: 0.14.0 appVersion: "1.8.2" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire diff --git a/charts/spire/README.md b/charts/spire/README.md index 8c8d57634..aa89c4b6b 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -1,6 +1,6 @@
# spire
-![Version: 0.13.2](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square)
+![Version: 0.14.0](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.