diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 31501defd..79594ddad 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,7 +2,7 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "52.1.0" + "version": "54.2.2" }, { "name": "cert-manager", @@ -17,11 +17,11 @@ { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "9.14.1" + "version": "9.14.4" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "13.2.1" + "version": "13.2.18" } ] diff --git a/.github/tests/dependencies/spire-root-server-values.yaml b/.github/tests/dependencies/spire-root-server-values.yaml index 400a10cab..124c8dd4a 100644 --- a/.github/tests/dependencies/spire-root-server-values.yaml +++ b/.github/tests/dependencies/spire-root-server-values.yaml @@ -6,13 +6,15 @@ global: spire-server: controllerManager: identities: - namespaceSelector: - kubernetes.io/metadata.name: spire-server - podSelector: - app.kubernetes.io/component: server - app.kubernetes.io/instance: spire - app.kubernetes.io/name: server - downstream: true + clusterSPIFFEIDs: + default: + namespaceSelector: + kubernetes.io/metadata.name: spire-server + podSelector: + app.kubernetes.io/component: server + app.kubernetes.io/instance: spire + app.kubernetes.io/name: server + downstream: true nodeAttestor: k8sPsat: serviceAccountAllowList: diff --git a/Makefile b/Makefile index c3ad2d647..aff0da0ad 100644 --- a/Makefile +++ b/Makefile 
@@ -63,3 +63,8 @@ test-example-%: .PHONY: test-examples test-examples: $(patsubst examples/%/values.yaml,test-example-%,$(wildcard examples/*/values.yaml)) ## Run `helm install` and `helm test` for all the examples containing `run-tests.sh` + +.PHONY: diagrams +diagrams: ## Builds diagrams + @dot -Tpng examples/nested/singlehardened.dot > examples/nested/singlehardened.png + @dot -Tpng examples/nested/multicluster.dot > examples/nested/multicluster.png diff --git a/README.md b/README.md index ea0704a05..8e4903a7f 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -> [!Note] +> **Note** > Things to consider: > 1. We do not support running out of the git main branch. This is where development happens. Please use released versions via the published repo or git tags. > 2. All the helm charts in this repo are beta. We encourage you to try them out and contribute. The API may change as we move towards a production ready release. @@ -14,7 +14,7 @@ A suite of [Helm Charts](https://helm.sh/docs) for standardized installations of ## How to install or upgrade You most likely want to do an integrated setup based on the spire chart. -See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire). +See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire#install-notes). ## Contributing diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index d016b132b..98e78959e 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -3,8 +3,8 @@ name: spire description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.15.1 -appVersion: "1.8.4" +version: 0.16.0 +appVersion: "1.8.5" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts/tree/main/charts/spire sources: 
diff --git a/charts/spire/README.md b/charts/spire/README.md index 659c2f9d3..b079db7bf 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -1,6 +1,6 @@ # spire -![Version: 0.15.1](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square) +![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.5](https://img.shields.io/badge/AppVersion-1.8.5-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. @@ -12,8 +12,8 @@ A Helm chart for deploying the complete Spire stack including: spire-server, spi To do a quick non production install suitable for quick testing in something like minikube: ```shell -helm install -n spire-server spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace -helm install -n spire-server spire --repo https://spiffe.github.io/helm-charts-hardened/ +helm install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace +helm install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ ``` To customize, start with a base values file and edit as needed: 
@@ -28,10 +28,16 @@ Then: helm install -n spire-server spire --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml ``` -For production installs, please see [the production example](https://github.com/spiffe/helm-charts-hardened/tree/main/examples/production). +For production installs, please see [the production example](https://github.com/spiffe/helm-charts-hardened/tree/spire-0.16.0/examples/production). ## Upgrade notes +We only support upgrading one major version at a time. Version skipping isn't supported. + +### 0.16.X + +The settings under "spire-server.controllerManager.identities" have all been moved under "spire-server.controllerManager.identities.clusterSPIFFEIDs.default". If you have changed any from the defaults, please update them to the new location during upgrade. + ### 0.15.X The spire-crds chart has been updated. Please ensure you have upgraded spire-crds before upgrading the spire chart. diff --git a/charts/spire/charts/spiffe-csi-driver/Chart.yaml b/charts/spire/charts/spiffe-csi-driver/Chart.yaml index a7d5ab008..0d883d9e6 100644 --- a/charts/spire/charts/spiffe-csi-driver/Chart.yaml +++ b/charts/spire/charts/spiffe-csi-driver/Chart.yaml @@ -5,9 +5,9 @@ type: application version: 0.1.0 appVersion: "0.2.3" keywords: ["spiffe", "csi-driver"] -home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: - - https://github.com/spiffe/helm-charts/tree/main/charts/spire + - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png maintainers: - name: marcofranssen diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md index 2b2b1155d..c1371d688 100644 --- a/charts/spire/charts/spiffe-csi-driver/README.md +++ b/charts/spire/charts/spiffe-csi-driver/README.md 
@@ -4,11 +4,7 @@ A Helm chart to install the SPIFFE CSI driver. -**Homepage:** - -> [!Note] -> The recommended version is `0.2.3` to support arm64 nodes. If running with any -> prior version to `0.2.3` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. +**Homepage:** ## Maintainers @@ -21,7 +17,7 @@ A Helm chart to install the SPIFFE CSI driver. ## Source Code -* +* @@ -60,7 +56,7 @@ A Helm chart to install the SPIFFE CSI driver. | `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` | | `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `nodeDriverRegistrar.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.0` | +| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.1` | | `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` | | `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | | `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` | diff --git a/charts/spire/charts/spiffe-csi-driver/templates/spiffe-csi-driver.yaml b/charts/spire/charts/spiffe-csi-driver/templates/spiffe-csi-driver.yaml index 95d008674..cd17fddb1 100644 --- a/charts/spire/charts/spiffe-csi-driver/templates/spiffe-csi-driver.yaml +++ b/charts/spire/charts/spiffe-csi-driver/templates/spiffe-csi-driver.yaml 
@@ -1,8 +1,13 @@ +{{- $labels := dict }} +{{- if (dig "openshift" false .Values.global) }} +{{- $_ := set $labels "security.openshift.io/csi-ephemeral-volume-profile" "restricted" }} +{{- end }} +{{- $labels = mergeOverwrite $labels .Values.csiDriverLabels }} apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: name: {{ .Values.pluginName | quote }} - {{- with .Values.csiDriverLabels }} + {{- with $labels }} labels: {{- toYaml . | nindent 4 }} {{- end }} diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml index aa4e943e1..12eeb7b94 100644 --- a/charts/spire/charts/spiffe-csi-driver/values.yaml +++ b/charts/spire/charts/spiffe-csi-driver/values.yaml @@ -110,7 +110,7 @@ nodeDriverRegistrar: repository: sig-storage/csi-node-driver-registrar pullPolicy: IfNotPresent version: "" - tag: v2.9.0 + tag: v2.9.1 ## @param nodeDriverRegistrar.resources Resource requests and limits for CSI driver pods resources: {} # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml index d38ddbf72..5109dfab1 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml 
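Review bot: The OpenShift `security.openshift.io/csi-ephemeral-volume-profile: restricted` label is set before `mergeOverwrite $labels .Values.csiDriverLabels`, so any `csiDriverLabels` entry with that key silently replaces `restricted` (for example with a more permissive profile) and nothing in the rendered output shows that the chart default was overridden. If that override is intended as an operator escape hatch, say so where the merge happens, e.g. `{{- /* csiDriverLabels takes precedence over the OpenShift default so operators can choose another profile */ -}}`; if it is not intended, apply the OpenShift label with `set` after the merge so it cannot be overwritten. As far as I can tell `mergeOverwrite` also requires `.Values.csiDriverLabels` to be a map, so a `csiDriverLabels: null` override would fail at render time; `(.Values.csiDriverLabels | default dict)` is a cheap guard.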
@@ -3,11 +3,11 @@ name: spiffe-oidc-discovery-provider description: A Helm chart to install the SPIFFE OIDC discovery provider. type: application version: 0.1.0 -appVersion: "1.8.4" +appVersion: "1.8.5" keywords: ["spiffe", "oidc"] -home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: - - https://github.com/spiffe/helm-charts/tree/main/charts/spire + - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png maintainers: - name: marcofranssen diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 38d9e866e..788f69493 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md @@ -4,12 +4,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. -**Homepage:** - -> [!Note] -> Minimum Spire version is `1.5.3`. -> The recommended version is `1.6.0` to support arm64 nodes. If running with any -> prior version to `1.6.0` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. +**Homepage:** ## Maintainers @@ -22,7 +17,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. ## Source Code -* +* 
@@ -58,7 +53,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `insecureScheme.nginx.image.repository` | The repository within the registry | `nginxinc/nginx-unprivileged` | | `insecureScheme.nginx.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `insecureScheme.nginx.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.25.2-alpine` | +| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.25.3-alpine` | | `insecureScheme.nginx.resources` | Resource requests and limits | `{}` | | `jwtIssuer` | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset | `""` | | `config.logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | 
@@ -110,12 +105,12 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3d077aae77eb552abd85a015d087047a7a7353d974e5f7fc6a402180c1501214` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.toolkit.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d1fc4d296994f28d7e0264c933a12ba75c9a80478ff1eb4b6f692bb91a073a4c` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:99cafee4f14fe07a3298fcb7b90d4f0c396cba150b65d937856788b42ad83f79` | | `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | | `tests.busybox.image.repository` | The repository within the registry | `busybox` | | `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/scc-spire-oidc-discovery-provider.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/scc-spire-oidc-discovery-provider.yaml index 71c147c78..abd9a73be 100644 
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/scc-spire-oidc-discovery-provider.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/scc-spire-oidc-discovery-provider.yaml @@ -15,13 +15,13 @@ users: - system:serviceaccount:{{ include "spiffe-oidc-discovery-provider.namespace" . }}:{{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}-pre-delete volumes: - configMap + - csi + - downwardAPI + - emptyDir + - ephemeral - hostPath - projected - secret - - ephemeral - - downwardAPI - - csi - - emptyDir allowHostDirVolumePlugin: true allowHostIPC: true allowHostNetwork: true diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 9b47296a9..405f96ed0 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -111,7 +111,7 @@ insecureScheme: repository: nginxinc/nginx-unprivileged pullPolicy: IfNotPresent version: "" - tag: 1.25.2-alpine + tag: 1.25.3-alpine ## @param insecureScheme.nginx.resources Resource requests and limits resources: {} # We usually recommend not to specify default resources and to leave this as a conscious @@ -289,7 +289,7 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:3d077aae77eb552abd85a015d087047a7a7353d974e5f7fc6a402180c1501214 + tag: latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -303,7 +303,7 @@ tests: repository: chainguard/slim-toolkit-debug pullPolicy: IfNotPresent version: "" - tag: latest@sha256:d1fc4d296994f28d7e0264c933a12ba75c9a80478ff1eb4b6f692bb91a073a4c + tag: latest@sha256:99cafee4f14fe07a3298fcb7b90d4f0c396cba150b65d937856788b42ad83f79 busybox: ## @param tests.busybox.image.registry The OCI registry to pull the image from 
diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml index 514744fd3..24c25e30b 100644 --- a/charts/spire/charts/spire-agent/Chart.yaml +++ b/charts/spire/charts/spire-agent/Chart.yaml @@ -3,11 +3,11 @@ name: spire-agent description: A Helm chart to install the SPIRE agent. type: application version: 0.1.0 -appVersion: "1.8.4" +appVersion: "1.8.5" keywords: ["spiffe", "spire-agent"] -home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: - - https://github.com/spiffe/helm-charts/tree/main/charts/spire + - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png maintainers: - name: marcofranssen diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 976eca7b5..a4e9c0b73 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -4,12 +4,7 @@ A Helm chart to install the SPIRE agent. -**Homepage:** - -> [!Note] -> Minimum Spire version is `1.5.3`. -> The recommended version is `1.6.0` to support arm64 nodes. If running with any -> prior version to `1.6.0` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. +**Homepage:** ## Maintainers @@ -22,7 +17,7 @@ A Helm chart to install the SPIRE agent. ## Source Code -* +* 
@@ -30,79 +25,80 @@ A Helm chart to install the SPIRE agent. ### Chart parameters -| Name | Description | Value | -| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | -| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `image.repository` | The repository within the registry | `spiffe/spire-agent` | -| `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `imagePullSecrets` | Pull secrets for images | `[]` | -| `nameOverride` | Name override | `""` | -| `namespaceOverride` | Namespace override | `""` | -| `fullnameOverride` | Fullname override | `""` | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use. 
| `""` | -| `configMap.annotations` | Annotations to add to the SPIRE Agent ConfigMap | `{}` | -| `podAnnotations` | Annotations to add to pods | `{}` | -| `podSecurityContext` | Pod security context | `{}` | -| `securityContext` | Security context | `{}` | -| `resources` | Resource requests and limits | `{}` | -| `nodeSelector` | Node selector | `{}` | -| `tolerations` | List of tolerations | `[]` | -| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | -| `clusterName` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `example-cluster` | -| `trustDomain` | The trust domain to be used for the SPIFFE identifiers | `example.org` | -| `trustBundleURL` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap | `""` | -| `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `pem` | -| `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` | -| `server.address` | Address for Spire server | `""` | -| `server.port` | Port number for Spire server | `8081` | -| `server.namespaceOverride` | Override the namespace for Spire server | `""` | -| `healthChecks.port` | override the host port used for health checking | `9982` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` | -| `livenessProbe.periodSeconds` | Period seconds for probe | `60` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` | -| `readinessProbe.periodSeconds` | Period seconds for probe | `60` | -| `waitForIt.image.registry` | The OCI registry to pull the image from | `cgr.dev` | -| `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` | -| `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `waitForIt.image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | -| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:c58a76f9241187615ab081ec73db6aeea6939369fba995206343bd9fb1975378` | -| `waitForIt.resources` | Resource requests and limits | `{}` | -| `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | -| `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | -| `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | -| `fsGroupFix.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3d077aae77eb552abd85a015d087047a7a7353d974e5f7fc6a402180c1501214` | -| `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | -| `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | -| `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` | -| `workloadAttestors.k8s.skipKubeletVerification` | If true, kubelet certificate verification is skipped | `true` | -| `workloadAttestors.k8s.disableContainerSelectors` | Set to true if using holdApplicationUntilProxyStarts in Istio | `false` | -| `sds.enabled` | Enables Envoy SDS configuration | `false` | -| `sds.defaultSvidName` | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS | `default` | -| `sds.defaultBundleName` | The Validation Context resource name to use for the default X.509 bundle with Envoy SDS | `ROOTCA` | -| `sds.defaultAllBundlesName` | The Validation Context resource name to use for all bundles (including federated) with Envoy SDS | `ALL` | -| `sds.disableSpiffeCertValidation` | Disable Envoy SDS custom validation | `false` | -| `telemetry.prometheus.enabled` | Flag to enable 
prometheus monitoring | `false` | -| `telemetry.prometheus.port` | Port for prometheus metrics | `9988` | -| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | -| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | -| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | -| `socketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | -| `priorityClassName` | Priority class assigned to daemonset pods | `""` | -| `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | -| `extraVolumes` | Extra volumes to be mounted on Spire Agent pods | `[]` | -| `extraVolumeMounts` | Extra volume mounts for Spire Agent pods | `[]` | -| `extraContainers` | Additional containers to create with Spire Agent pods | `[]` | -| `initContainers` | Additional init containers to create with Spire Agent pods | `[]` | -| `hostAliases` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ | `[]` | -| `customPlugins.keyManager` | Custom plugins of type KeyManager are configured here | `{}` | -| `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` | -| `customPlugins.svidStore` | Custom plugins of type SVIDStore are configured here | `{}` | -| `customPlugins.workloadAttestor` | Custom plugins of type WorkloadAttestor are configured here | `{}` | -| `experimental.enabled` | Allow configuration of experimental features | `false` | -| `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` | -| `experimental.featureFlags` | List of developer feature flags | `[]` | +| Name | Description | Value | +| ------------------------------------------------- | 
-------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/spire-agent` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `imagePullSecrets` | Pull secrets for images | `[]` | +| `nameOverride` | Name override | `""` | +| `namespaceOverride` | Namespace override | `""` | +| `fullnameOverride` | Fullname override | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. | `""` | +| `configMap.annotations` | Annotations to add to the SPIRE Agent ConfigMap | `{}` | +| `podAnnotations` | Annotations to add to pods | `{}` | +| `podSecurityContext` | Pod security context | `{}` | +| `securityContext` | Security context | `{}` | +| `resources` | Resource requests and limits | `{}` | +| `nodeSelector` | Node selector | `{}` | +| `tolerations` | List of tolerations | `[]` | +| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | +| `clusterName` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `example-cluster` | +| `trustDomain` | The trust domain to be used for the SPIFFE identifiers | `example.org` | +| `trustBundleURL` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap | `""` | +| `trustBundleFormat` | If using trustBundleURL, what format is the url. 
Choices are "pem" and "spiffe" | `pem` | +| `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` | +| `server.address` | Address for Spire server | `""` | +| `server.port` | Port number for Spire server | `8081` | +| `server.namespaceOverride` | Override the namespace for Spire server | `""` | +| `healthChecks.port` | override the host port used for health checking | `9982` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` | +| `livenessProbe.periodSeconds` | Period seconds for probe | `60` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` | +| `readinessProbe.periodSeconds` | Period seconds for probe | `60` | +| `waitForIt.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` | +| `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `waitForIt.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:ffab5a8d7b7da2d04f433d0321cc5c34d8aa53bd15dd54eb2e4cd9c0d3d3cf5e` | +| `waitForIt.resources` | Resource requests and limits | `{}` | +| `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | +| `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | +| `fsGroupFix.image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e` | +| `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | +| `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | +| `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` | +| `workloadAttestors.k8s.skipKubeletVerification` | If true, kubelet certificate verification is skipped | `true` | +| `workloadAttestors.k8s.disableContainerSelectors` | Set to true if using holdApplicationUntilProxyStarts in Istio | `false` | +| `sds.enabled` | Enables Envoy SDS configuration | `false` | +| `sds.defaultSvidName` | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS | `default` | +| `sds.defaultBundleName` | The Validation Context resource name to use for the default X.509 bundle with Envoy SDS | `ROOTCA` | +| `sds.defaultAllBundlesName` | The Validation Context resource name to use for all bundles (including federated) with Envoy SDS | `ALL` | +| `sds.disableSpiffeCertValidation` | Disable Envoy SDS custom validation | `false` | +| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | +| `telemetry.prometheus.port` | Port for prometheus metrics | `9988` | +| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | +| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | +| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | +| `kubeletConnectByHostname` | If true, connect to kubelet using the nodes hostname. If false, uses localhost. 
If unset, defaults to true on OpenShift and false otherwise. | `""` | +| `socketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | +| `priorityClassName` | Priority class assigned to daemonset pods | `""` | +| `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | +| `extraVolumes` | Extra volumes to be mounted on Spire Agent pods | `[]` | +| `extraVolumeMounts` | Extra volume mounts for Spire Agent pods | `[]` | +| `extraContainers` | Additional containers to create with Spire Agent pods | `[]` | +| `initContainers` | Additional init containers to create with Spire Agent pods | `[]` | +| `hostAliases` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ | `[]` | +| `customPlugins.keyManager` | Custom plugins of type KeyManager are configured here | `{}` | +| `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` | +| `customPlugins.svidStore` | Custom plugins of type SVIDStore are configured here | `{}` | +| `customPlugins.workloadAttestor` | Custom plugins of type WorkloadAttestor are configured here | `{}` | +| `experimental.enabled` | Allow configuration of experimental features | `false` | +| `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` | +| `experimental.featureFlags` | List of developer feature flags | `[]` | diff --git a/charts/spire/charts/spire-agent/templates/_helpers.tpl b/charts/spire/charts/spire-agent/templates/_helpers.tpl index a28e1db9a..69642052c 100644 --- a/charts/spire/charts/spire-agent/templates/_helpers.tpl +++ b/charts/spire/charts/spire-agent/templates/_helpers.tpl 
@@ -104,3 +104,16 @@ Create the name of the service account to use {{- print .Values.socketPath }} {{- end }} +{{- define "spire-agent.connect-by-hostname" -}} +{{- if ne .Values.kubeletConnectByHostname "" }} +{{- if eq (.Values.kubeletConnectByHostname | toString) "true" }} +{{- printf "true" }} +{{- else }} +{{- printf "false" }} +{{- end }} +{{- else if (dig "openshift" false .Values.global) }} +{{- printf "true" }} +{{- else }} +{{- printf "false" }} +{{- end }} +{{- end }} diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index 57c3a3189..071534ab1 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml @@ -1,4 +1,5 @@ {{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }} +{{- $cbh := eq (include "spire-agent.connect-by-hostname" .) "true" }} apiVersion: apps/v1 kind: DaemonSet metadata: @@ -71,9 +72,17 @@ spec: image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: ["-config", "/run/spire/config/agent.conf"] - {{- if gt (len .Values.extraEnvVars) 0 }} + {{- if or (gt (len .Values.extraEnvVars) 0) $cbh }} env: - {{- toYaml .Values.extraEnvVars | nindent 12 }} + {{- if $cbh }} + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- end }} + {{- with .Values.extraEnvVars }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- end }} ports: - containerPort: {{ .Values.healthChecks.port }} diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 5b2f44e52..80e3fb412 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml 
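Review bot: The outer guard of the new `spire-agent.connect-by-hostname` define, `{{- if ne .Values.kubeletConnectByHostname "" }}`, compares the raw value against a string, so a user who writes `kubeletConnectByHostname: true` as a YAML boolean (the natural spelling, and the one the description in the values.yaml hunk invites) should, as far as I recall Go's text/template rules, fail rendering with an incompatible-types comparison error instead of reaching the intended branch; only the inner `eq` is protected by `toString`. Normalise once at the top of the define with `{{- $v := .Values.kubeletConnectByHostname | toString }}` and then test `{{- if ne $v "" }}` and `{{- if eq $v "true" }}`, so that boolean and quoted `true`/`false` are handled alike and an explicit `false` never silently falls through to the OpenShift default. The same typed-default question applies to the `kubeletConnectByHostname: ""` declaration in the values.yaml hunk, whose `@param` line could state that both a boolean and a string are accepted once the helper tolerates them.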
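Review bot: The `MY_NODE_NAME` entry is emitted ahead of `extraEnvVars` whenever `$cbh` is true, so a chart user who already supplies a `MY_NODE_NAME` in `extraEnvVars` ends up with two env entries of the same name, and as far as I know Kubernetes does not reject that but leaves which value wins to the kubelet; a one-line note on `extraEnvVars` in values.yaml saying the name is reserved when `kubeletConnectByHostname` is on would avoid the surprise. Separately, the injected value is `spec.nodeName`, the Node object's name, while the `kubeletConnectByHostname` description speaks of the node's hostname; the two can differ on clusters that run the kubelet with `--hostname-override` or a cloud-provider naming scheme, which only matters once `workloadAttestors.k8s.skipKubeletVerification` is set to `false` and the name must match a SAN on the kubelet serving certificate. A short comment next to the fieldRef, e.g. `# node name as registered with the API server; may differ from the OS hostname`, would make that explicit. The container spec this env block belongs to starts outside the hunk.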
@@ -134,7 +134,7 @@ waitForIt: repository: chainguard/wait-for-it pullPolicy: IfNotPresent version: "" - tag: latest@sha256:c58a76f9241187615ab081ec73db6aeea6939369fba995206343bd9fb1975378 + tag: latest@sha256:ffab5a8d7b7da2d04f433d0321cc5c34d8aa53bd15dd54eb2e4cd9c0d3d3cf5e ## @param waitForIt.resources [object] Resource requests and limits resources: {} @@ -153,7 +153,7 @@ fsGroupFix: repository: chainguard/bash pullPolicy: Always version: "" - tag: latest@sha256:3d077aae77eb552abd85a015d087047a7a7353d974e5f7fc6a402180c1501214 + tag: latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} @@ -198,6 +198,9 @@ telemetry: ## @param telemetry.prometheus.podMonitor.labels [object] Pod labels to filter for prometheus monitoring labels: {} +## @param kubeletConnectByHostname If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise. +kubeletConnectByHostname: "" + ## @param socketPath The unix socket path to the spire-agent socketPath: /run/spire/agent-sockets/spire-agent.sock diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml index a150171b7..7d13241a4 100644 --- a/charts/spire/charts/spire-server/Chart.yaml +++ b/charts/spire/charts/spire-server/Chart.yaml 
@@ -3,11 +3,11 @@ name: spire-server description: A Helm chart to install the SPIRE server. type: application version: 0.1.0 -appVersion: "1.8.4" +appVersion: "1.8.5" keywords: ["spiffe", "spire-server", "spire-controller-manager"] -home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: - - https://github.com/spiffe/helm-charts/tree/main/charts/spire + - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png maintainers: - name: marcofranssen diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 4bf91ecc7..0c219892c 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -4,15 +4,7 @@ A Helm chart to install the SPIRE server. -**Homepage:** - -> [!Note] -> Minimum Spire version is `1.5.3`. -> The recommended version is `1.6.0` to support arm64 nodes. If running with any -> prior version to `1.6.0` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. -> -> The recommended spire-controller-manager version is `0.2.2` to support arm64 nodes. If running with any -> prior version to `0.2.2` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. +**Homepage:** ## Maintainers @@ -25,7 +17,7 @@ A Helm chart to install the SPIRE server. ## Source Code -* +* ## Tornjak 
@@ -87,192 +79,194 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr ### Chart parameters -| Name | Description | Value | -| ---------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | -| `replicaCount` | SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. | `1` | -| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `image.repository` | The repository within the registry | `spiffe/spire-server` | -| `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `imagePullSecrets` | Pull secrets for images | `[]` | -| `nameOverride` | Name override | `""` | -| `namespaceOverride` | Namespace override | `""` | -| `fullnameOverride` | Fullname override | `""` | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. 
| `""` | -| `podAnnotations` | Annotations to add to pods | `{}` | -| `podSecurityContext` | Pod security context | `{}` | -| `securityContext` | Security context | `{}` | -| `priorityClassName` | Priority class assigned to statefulset pods | `""` | -| `service.type` | Type of the Spire server service created | `ClusterIP` | -| `service.port` | Port for the created service | `8081` | -| `service.annotations` | Annotations to add to the service object | `{}` | -| `configMap.annotations` | Annotations to add to the SPIRE Server ConfigMap | `{}` | -| `resources` | Resource requests and limits | `{}` | -| `autoscaling.enabled` | Flag to enable autoscaling | `false` | -| `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | -| `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `100` | -| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` | -| `nodeSelector` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | `{}` | -| `tolerations` | List of tolerations | `[]` | -| `affinity` | List of node affinities | `{}` | -| `topologySpreadConstraints` | Topology spread constraints for resilience | `[]` | -| `livenessProbe.failureThreshold` | Failure threshold count for livenessProbe | `2` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | -| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `60` | -| `livenessProbe.timeoutSeconds` | Timeout in seconds for livenessProbe | `3` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | -| `persistence.type` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `pvc` | -| `persistence.size` | What type of volume to use for persistence. 
Valid options pvc (recommended), hostPath, emptyDir (testing only) | `1Gi` | -| `persistence.accessMode` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `ReadWriteOnce` | -| `persistence.storageClass` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `nil` | -| `persistence.hostPath` | Which path to use on the host when type = hostPath | `""` | -| `dataStore.sql.databaseType` | Other supported databases are "postgres" and "mysql" | `sqlite3` | -| `dataStore.sql.databaseName` | Only used by "postgres" or "mysql" | `spire` | -| `dataStore.sql.host` | Only used by "postgres" or "mysql" | `""` | -| `dataStore.sql.port` | If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. | `0` | -| `dataStore.sql.username` | Only used by "postgres" or "mysql" | `spire` | -| `dataStore.sql.password` | Only used by "postgres" or "mysql" | `""` | -| `dataStore.sql.options` | Only used by "postgres" or "mysql" | `[]` | -| `dataStore.sql.plugin_data` | Settings from https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md go in this section | `{}` | -| `dataStore.sql.externalSecret.enabled` | Enable external secret for datastore creds | `false` | -| `dataStore.sql.externalSecret.name` | The name of the secret object | `""` | -| `dataStore.sql.externalSecret.key` | The key of the secret object whose value is the dataStore.sql password | `""` | -| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | -| `jwtIssuer` | The JWT issuer domain. Defaults to oidc-discovery.$trustDomain if unset | `""` | -| `clusterName` | Set the name of the Kubernetes cluster. 
(`kubeadm init --service-dns-domain`) | `example-cluster` | -| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` | -| `bundleConfigMap` | Set the trust domain to be used for the SPIFFE identifiers | `spire-bundle` | -| `clusterDomain` | This is the value of your clusters `kubeadm init --service-dns-domain` flag | `cluster.local` | -| `federation.enabled` | Flag to enable federation | `false` | -| `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` | -| `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` | -| `federation.ingress.enabled` | Flag to enable ingress for federation | `false` | -| `federation.ingress.className` | Ingress class name for federation | `""` | -| `federation.ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | -| `federation.ingress.annotations` | Annotations for the ingress object | `{}` | -| `federation.ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server-federation` | -| `federation.ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | -| `federation.ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | -| `federation.ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. 
| `[]` | -| `ca_subject.country` | Country for Spire server CA | `ARPA` | -| `ca_subject.organization` | Organization for Spire server CA | `Example` | -| `ca_subject.common_name` | Common Name for Spire server CA | `example.org` | -| `keyManager.disk.enabled` | Flag to enable keyManager on disk | `true` | -| `keyManager.memory.enabled` | Flag to enable keyManager in memory | `false` | -| `keyManager.awsKMS.enabled` | Flag to enable keyManager in memory | `false` | -| `keyManager.awsKMS.region` | Specify the region for AWS KMS | `""` | -| `keyManager.awsKMS.keyPolicy` | Policy to use when creating keys. If no policy is specified, a default policy will be used. | | -| `keyManager.awsKMS.keyPolicy.policy` | Key policy in JSON format. | `""` | -| `keyManager.awsKMS.keyPolicy.existingConfigMap` | Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. | `""` | -| `keyManager.awsKMS.accessKeyID` | Access key ID for the AWS account. It's recommended to use an IAM role instead. See [here](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) to learn how to annotate your SPIRE Server Service Account to assume an IAM role. | `""` | -| `keyManager.awsKMS.secretAccessKey` | Secret access key for the AWS account. | `""` | -| `upstreamAuthority.disk.enabled` | Flag to enable upstream authority plugin on disk | `false` | -| `upstreamAuthority.disk.secret.create` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. | `true` | -| `upstreamAuthority.disk.secret.name` | If secret creation is disabled, the secret with this name will be used. | `spiffe-upstream-ca` | -| `upstreamAuthority.disk.secret.data` | If secret creation is enabled, will create a secret with following certificate info | | -| `upstreamAuthority.disk.secret.data.certificate` | Certificate to store within disk upstreamAuthority. 
| `""` | -| `upstreamAuthority.disk.secret.data.key` | Key corresponding to the upstreamAuthority. | `""` | -| `upstreamAuthority.disk.secret.data.bundle` | Trust bundle for upstreamAuthority. | `""` | -| `upstreamAuthority.awsPCA.enabled` | Flag to enable upstream authority plugin with AWS PCA | `false` | -| `upstreamAuthority.awsPCA.region` | AWS Region to use | `""` | -| `upstreamAuthority.awsPCA.certificateAuthorityARN` | ARN of the "upstream" CA certificate | `""` | -| `upstreamAuthority.awsPCA.assumeRoleARN` | (Optional) ARN of an IAM role to assume | `""` | -| `upstreamAuthority.awsPCA.caSigningTemplateARN` | (Optional) ARN of the signing template to use for the server's CA. Defaults to a signing template for end-entity certificates only. See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values. | `""` | -| `upstreamAuthority.awsPCA.signingAlgorithm` | (Optional) Signing algorithm to use for the server's CA. Defaults to the CA's default. See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values. | `""` | -| `upstreamAuthority.awsPCA.endpoint` | (Optional) Endpoint as hostname or fully-qualified URI that overrides the default endpoint. See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information. | `""` | -| `upstreamAuthority.awsPCA.supplementalBundlePath` | (Optional) Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle. 
| `""` | -| `upstreamAuthority.certManager.enabled` | Flag to enable upstream authority plugin with cert manager | `false` | -| `upstreamAuthority.certManager.rbac.create` | Flag to create RBAC roles | `true` | -| `upstreamAuthority.certManager.issuer_name` | Defaults to the release name, override if CA is provided outside of the chart | `""` | -| `upstreamAuthority.certManager.issuer_kind` | Defaults to "Issuer", override if CA is provided outside of the chart | `Issuer` | -| `upstreamAuthority.certManager.issuer_group` | Defaults to "cert-manager.io", override if CA is provided outside of the chart | `cert-manager.io` | -| `upstreamAuthority.certManager.namespace` | Specify to use a namespace other then the one the chart is installed into | `""` | -| `upstreamAuthority.certManager.kube_config_file` | Path to kube_config_file on node to setup cert manager | `""` | -| `upstreamAuthority.certManager.ca.create` | Creates a Cert-Manager CA | `false` | -| `upstreamAuthority.certManager.ca.duration` | Duration of the CA. 
Defaults to 10 years | `87600h` | -| `upstreamAuthority.certManager.ca.privateKey.algorithm` | Algorithm to generate private key for CA | `ECDSA` | -| `upstreamAuthority.certManager.ca.privateKey.size` | Size of generated private key for CA | `256` | -| `upstreamAuthority.certManager.ca.privateKey.rotationPolicy` | Rotation policy for generated private key | `""` | -| `upstreamAuthority.certManager.ca.renewBefore` | How long to wait before renewing the CA | `""` | -| `upstreamAuthority.spire.enabled` | Flag to use another Spire install as upstream CA | `false` | -| `upstreamAuthority.spire.upstreamDriver` | Driver for Spire as upstream CA | `""` | -| `upstreamAuthority.spire.server` | Server details for the Spire instance use as upstream CA | | -| `upstreamAuthority.spire.server.address` | Address for upstream Spire server | `""` | -| `upstreamAuthority.spire.server.port` | Port for upstream Spire server | `8081` | -| `upstreamAuthority.vault.enabled` | Enable Hashicorp Vault as upstream CA | `false` | -| `upstreamAuthority.vault.vaultAddr` | The URL of the Vault server. (e.g., https://vault.example.com:8443/) | `""` | -| `upstreamAuthority.vault.namespace` | Name of the Vault namespace. This is only available in the Vault Enterprise. 
| `""` | -| `upstreamAuthority.vault.pkiMountPoint` | Name of the mount point where PKI secret engine is mounted | `pki` | -| `upstreamAuthority.vault.insecureSkipVerify` | If true, caCert options are ignored and Spire accepts any server certificates claiming to be Vault | `false` | -| `upstreamAuthority.vault.caCert.type` | Type of resource representing the Vault server certificate, options are 'Secret' or 'Configmap', the item must be named `ca.crt` | `Secret` | -| `upstreamAuthority.vault.caCert.name` | Name of the Kubernetes resource containing the Vault server certificate | `vault-ca` | -| `upstreamAuthority.vault.k8sAuth.enabled` | Enable k8s authentication to Hashicorp Vault | `false` | -| `upstreamAuthority.vault.k8sAuth.k8sAuthMountPoint` | Name of the mount point where the Kubernetes auth method is mounted | `kubernetes` | -| `upstreamAuthority.vault.k8sAuth.k8sAuthRoleName` | Required - Name of the Vault role. The plugin authenticates against the named role | `""` | -| `upstreamAuthority.vault.k8sAuth.token.audience` | Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server. See ['Service Account Documentation'](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for more info. | `vault` | -| `upstreamAuthority.vault.k8sAuth.token.expiry` | Expiry time in seconds for the token | `7200` | -| `notifier.k8sbundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` | -| `controllerManager.enabled` | Flag to enable controller manager | `false` | -| `controllerManager.className` | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. 
| `""` | -| `controllerManager.watchClassless` | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. | `false` | -| `controllerManager.installAndUpgradeHook.enabled` | Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | -| `controllerManager.deleteHook.enabled` | Enable Helm hook to autofix common delete issues (should be disabled when using `helm template`) | `true` | -| `controllerManager.image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `controllerManager.image.repository` | The repository within the registry | `spiffe/spire-controller-manager` | -| `controllerManager.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `controllerManager.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.4.0` | -| `controllerManager.resources` | Resource requests and limits for controller manager | `{}` | -| `controllerManager.securityContext` | Security context | `{}` | -| `controllerManager.service.type` | Service type for controller manager | `ClusterIP` | -| `controllerManager.service.port` | Service port for controller manager | `443` | -| `controllerManager.service.annotations` | Annotations for service resource | `{}` | -| `controllerManager.configMap.annotations` | Annotations to add to the Controller Manager ConfigMap | `{}` | -| `controllerManager.ignoreNamespaces` | These namespaces are ignored by controller manager | `[]` | -| `controllerManager.identities.enabled` | Flag to enable default identities for controller manager | `true` | -| `controllerManager.identities.spiffeIDTemplate` | Spiffe ID template for identities | `spiffe://{{ .TrustDomain }}/ns/{{ 
.PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}` | -| `controllerManager.identities.podSelector` | Selector for pods to issue identity | `{}` | -| `controllerManager.identities.namespaceSelector` | Selector for namespacs to issue identity | `{}` | -| `controllerManager.identities.dnsNameTemplates` | DNS name template for issued identities | `[]` | -| `controllerManager.identities.federatesWith` | Other Spire server URLs for identity federation | `[]` | -| `controllerManager.identities.workloadSelectorTemplates` | Templates to produce selectors that apply to a given workload before it will receive an ID | `[]` | -| `controllerManager.identities.ttl` | Indicates an upper-bound time-to-live for X509 SVIDs. If unset, the cluster default will be chosen. | `""` | -| `controllerManager.identities.jwtTTL` | Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen. | `""` | -| `controllerManager.identities.admin` | Indicates any pod matched by this identity will be an admin. Use this with extreme care. | `false` | -| `controllerManager.identities.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `false` | -| `controllerManager.identities.autoPopulateDNSNames` | Auto populate DNS names from services attached to pods | `false` | -| `controllerManager.validatingWebhookConfiguration.failurePolicy` | Action when identity is not issued | `Fail` | -| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | -| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | -| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tools.kubectl.image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | -| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | -| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | -| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | -| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | -| `ingress.enabled` | Flag to enable ingress | `false` | -| `ingress.className` | Ingress class name | `""` | -| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | -| `ingress.annotations` | Annotations for the ingress object | `{}` | -| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server` | -| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | -| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | -| `ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. 
| `[]` | -| `extraVolumes` | Extra volumes to be mounted | `[]` | -| `extraVolumeMounts` | Extra volume mounts | `[]` | -| `extraContainers` | Additional containers to create | `[]` | -| `initContainers` | Additional init containers to create | `[]` | -| `caKeyType` | The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. EC cryptography is not supported) | `rsa-2048` | -| `caTTL` | TTL for CA | `24h` | -| `defaultX509SvidTTL` | TTL for X509 Svids | `4h` | -| `defaultJwtSvidTTL` | TTL for JWT Svids | `1h` | -| `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s nodeattestor | `true` | -| `nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` | +| Name | Description | Value | +| --------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | +| `replicaCount` | SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. | `1` | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/spire-server` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `imagePullSecrets` | Pull secrets for images | `[]` | +| `nameOverride` | Name override | `""` | +| `namespaceOverride` | Namespace override | `""` | +| `fullnameOverride` | Fullname override | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` | +| `podAnnotations` | Annotations to add to pods | `{}` | +| `podSecurityContext` | Pod security context | `{}` | +| `securityContext` | Security context | `{}` | +| `priorityClassName` | Priority class assigned to statefulset pods | `""` | +| `service.type` | Type of the Spire server service created | `ClusterIP` | +| `service.port` | Port for the created service | `8081` | +| `service.annotations` | Annotations to add to the service object | `{}` | +| `configMap.annotations` | Annotations to add to the SPIRE Server ConfigMap | `{}` | +| `resources` | Resource requests and limits | `{}` | +| `autoscaling.enabled` | Flag to enable autoscaling | `false` | +| `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | +| `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `100` | +| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` | +| `nodeSelector` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | `{}` | +| `tolerations` | List of tolerations | `[]` | +| `affinity` | List of node affinities | `{}` | +| `topologySpreadConstraints` | Topology spread constraints for resilience | `[]` | +| `livenessProbe.failureThreshold` | Failure threshold count for livenessProbe | `2` | +| `livenessProbe.initialDelaySeconds` | Initial delay 
seconds for livenessProbe | `15` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `60` | +| `livenessProbe.timeoutSeconds` | Timeout in seconds for livenessProbe | `3` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `persistence.type` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `pvc` | +| `persistence.size` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `1Gi` | +| `persistence.accessMode` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `ReadWriteOnce` | +| `persistence.storageClass` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `nil` | +| `persistence.hostPath` | Which path to use on the host when type = hostPath | `""` | +| `dataStore.sql.databaseType` | Other supported databases are "postgres" and "mysql" | `sqlite3` | +| `dataStore.sql.databaseName` | Only used by "postgres" or "mysql" | `spire` | +| `dataStore.sql.host` | Only used by "postgres" or "mysql" | `""` | +| `dataStore.sql.port` | If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. 
| `0` | +| `dataStore.sql.username` | Only used by "postgres" or "mysql" | `spire` | +| `dataStore.sql.password` | Only used by "postgres" or "mysql" | `""` | +| `dataStore.sql.options` | Only used by "postgres" or "mysql" | `[]` | +| `dataStore.sql.plugin_data` | Settings from https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md go in this section | `{}` | +| `dataStore.sql.externalSecret.enabled` | Enable external secret for datastore creds | `false` | +| `dataStore.sql.externalSecret.name` | The name of the secret object | `""` | +| `dataStore.sql.externalSecret.key` | The key of the secret object whose value is the dataStore.sql password | `""` | +| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | +| `jwtIssuer` | The JWT issuer domain. Defaults to oidc-discovery.$trustDomain if unset | `""` | +| `clusterName` | Set the name of the Kubernetes cluster. (`kubeadm init --service-dns-domain`) | `example-cluster` | +| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` | +| `bundleConfigMap` | Set the trust domain to be used for the SPIFFE identifiers | `spire-bundle` | +| `clusterDomain` | This is the value of your clusters `kubeadm init --service-dns-domain` flag | `cluster.local` | +| `federation.enabled` | Flag to enable federation | `false` | +| `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` | +| `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` | +| `federation.ingress.enabled` | Flag to enable ingress for federation | `false` | +| `federation.ingress.className` | Ingress class name for federation | `""` | +| `federation.ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. 
| `""` | +| `federation.ingress.annotations` | Annotations for the ingress object | `{}` | +| `federation.ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server-federation` | +| `federation.ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | +| `federation.ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | +| `federation.ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` | +| `ca_subject.country` | Country for Spire server CA | `ARPA` | +| `ca_subject.organization` | Organization for Spire server CA | `Example` | +| `ca_subject.common_name` | Common Name for Spire server CA | `example.org` | +| `keyManager.disk.enabled` | Flag to enable keyManager on disk | `true` | +| `keyManager.memory.enabled` | Flag to enable keyManager in memory | `false` | +| `keyManager.awsKMS.enabled` | Flag to enable keyManager in memory | `false` | +| `keyManager.awsKMS.region` | Specify the region for AWS KMS | `""` | +| `keyManager.awsKMS.keyPolicy` | Policy to use when creating keys. If no policy is specified, a default policy will be used. | | +| `keyManager.awsKMS.keyPolicy.policy` | Key policy in JSON format. | `""` | +| `keyManager.awsKMS.keyPolicy.existingConfigMap` | Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. | `""` | +| `keyManager.awsKMS.accessKeyID` | Access key ID for the AWS account. It's recommended to use an IAM role instead. See [here](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) to learn how to annotate your SPIRE Server Service Account to assume an IAM role. 
| `""` | +| `keyManager.awsKMS.secretAccessKey` | Secret access key for the AWS account. | `""` | +| `upstreamAuthority.disk.enabled` | Flag to enable upstream authority plugin on disk | `false` | +| `upstreamAuthority.disk.secret.create` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. | `true` | +| `upstreamAuthority.disk.secret.name` | If secret creation is disabled, the secret with this name will be used. | `spiffe-upstream-ca` | +| `upstreamAuthority.disk.secret.data` | If secret creation is enabled, will create a secret with following certificate info | | +| `upstreamAuthority.disk.secret.data.certificate` | Certificate to store within disk upstreamAuthority. | `""` | +| `upstreamAuthority.disk.secret.data.key` | Key corresponding to the upstreamAuthority. | `""` | +| `upstreamAuthority.disk.secret.data.bundle` | Trust bundle for upstreamAuthority. | `""` | +| `upstreamAuthority.awsPCA.enabled` | Flag to enable upstream authority plugin with AWS PCA | `false` | +| `upstreamAuthority.awsPCA.region` | AWS Region to use | `""` | +| `upstreamAuthority.awsPCA.certificateAuthorityARN` | ARN of the "upstream" CA certificate | `""` | +| `upstreamAuthority.awsPCA.assumeRoleARN` | (Optional) ARN of an IAM role to assume | `""` | +| `upstreamAuthority.awsPCA.caSigningTemplateARN` | (Optional) ARN of the signing template to use for the server's CA. Defaults to a signing template for end-entity certificates only. See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values. | `""` | +| `upstreamAuthority.awsPCA.signingAlgorithm` | (Optional) Signing algorithm to use for the server's CA. Defaults to the CA's default. See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values. 
| `""` | +| `upstreamAuthority.awsPCA.endpoint` | (Optional) Endpoint as hostname or fully-qualified URI that overrides the default endpoint. See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information. | `""` | +| `upstreamAuthority.awsPCA.supplementalBundlePath` | (Optional) Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle. | `""` | +| `upstreamAuthority.certManager.enabled` | Flag to enable upstream authority plugin with cert manager | `false` | +| `upstreamAuthority.certManager.rbac.create` | Flag to create RBAC roles | `true` | +| `upstreamAuthority.certManager.issuer_name` | Defaults to the release name, override if CA is provided outside of the chart | `""` | +| `upstreamAuthority.certManager.issuer_kind` | Defaults to "Issuer", override if CA is provided outside of the chart | `Issuer` | +| `upstreamAuthority.certManager.issuer_group` | Defaults to "cert-manager.io", override if CA is provided outside of the chart | `cert-manager.io` | +| `upstreamAuthority.certManager.namespace` | Specify to use a namespace other then the one the chart is installed into | `""` | +| `upstreamAuthority.certManager.kube_config_file` | Path to kube_config_file on node to setup cert manager | `""` | +| `upstreamAuthority.certManager.ca.create` | Creates a Cert-Manager CA | `false` | +| `upstreamAuthority.certManager.ca.duration` | Duration of the CA. 
Defaults to 10 years | `87600h` | +| `upstreamAuthority.certManager.ca.privateKey.algorithm` | Algorithm to generate private key for CA | `ECDSA` | +| `upstreamAuthority.certManager.ca.privateKey.size` | Size of generated private key for CA | `256` | +| `upstreamAuthority.certManager.ca.privateKey.rotationPolicy` | Rotation policy for generated private key | `""` | +| `upstreamAuthority.certManager.ca.renewBefore` | How long to wait before renewing the CA | `""` | +| `upstreamAuthority.spire.enabled` | Flag to use another Spire install as upstream CA | `false` | +| `upstreamAuthority.spire.upstreamDriver` | Driver for Spire as upstream CA | `""` | +| `upstreamAuthority.spire.server` | Server details for the Spire instance use as upstream CA | | +| `upstreamAuthority.spire.server.address` | Address for upstream Spire server | `""` | +| `upstreamAuthority.spire.server.port` | Port for upstream Spire server | `8081` | +| `upstreamAuthority.vault.enabled` | Enable Hashicorp Vault as upstream CA | `false` | +| `upstreamAuthority.vault.vaultAddr` | The URL of the Vault server. (e.g., https://vault.example.com:8443/) | `""` | +| `upstreamAuthority.vault.namespace` | Name of the Vault namespace. This is only available in the Vault Enterprise. 
| `""` | +| `upstreamAuthority.vault.pkiMountPoint` | Name of the mount point where PKI secret engine is mounted | `pki` | +| `upstreamAuthority.vault.insecureSkipVerify` | If true, caCert options are ignored and Spire accepts any server certificates claiming to be Vault | `false` | +| `upstreamAuthority.vault.caCert.type` | Type of resource representing the Vault server certificate, options are 'Secret' or 'Configmap', the item must be named `ca.crt` | `Secret` | +| `upstreamAuthority.vault.caCert.name` | Name of the Kubernetes resource containing the Vault server certificate | `vault-ca` | +| `upstreamAuthority.vault.k8sAuth.enabled` | Enable k8s authentication to Hashicorp Vault | `false` | +| `upstreamAuthority.vault.k8sAuth.k8sAuthMountPoint` | Name of the mount point where the Kubernetes auth method is mounted | `kubernetes` | +| `upstreamAuthority.vault.k8sAuth.k8sAuthRoleName` | Required - Name of the Vault role. The plugin authenticates against the named role | `""` | +| `upstreamAuthority.vault.k8sAuth.token.audience` | Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server. See ['Service Account Documentation'](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for more info. | `vault` | +| `upstreamAuthority.vault.k8sAuth.token.expiry` | Expiry time in seconds for the token | `7200` | +| `notifier.k8sbundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` | +| `controllerManager.enabled` | Flag to enable controller manager | `false` | +| `controllerManager.className` | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. 
| `""` | +| `controllerManager.watchClassless` | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. | `false` | +| `controllerManager.installAndUpgradeHook.enabled` | Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | +| `controllerManager.deleteHook.enabled` | Enable Helm hook to autofix common delete issues (should be disabled when using `helm template`) | `true` | +| `controllerManager.image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `controllerManager.image.repository` | The repository within the registry | `spiffe/spire-controller-manager` | +| `controllerManager.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `controllerManager.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.4.0` | +| `controllerManager.resources` | Resource requests and limits for controller manager | `{}` | +| `controllerManager.securityContext` | Security context | `{}` | +| `controllerManager.service.type` | Service type for controller manager | `ClusterIP` | +| `controllerManager.service.port` | Service port for controller manager | `443` | +| `controllerManager.service.annotations` | Annotations for service resource | `{}` | +| `controllerManager.configMap.annotations` | Annotations to add to the Controller Manager ConfigMap | `{}` | +| `controllerManager.ignoreNamespaces` | These namespaces are ignored by controller manager | `[]` | +| `controllerManager.identities.clusterSPIFFEIDs.default.enabled` | Enable this identity for controller manager | `true` | +| `controllerManager.identities.clusterSPIFFEIDs.default.spiffeIDTemplate` | Spiffe ID template for identities | `spiffe://{{ 
.TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}` | +| `controllerManager.identities.clusterSPIFFEIDs.default.podSelector` | Selector for pods to issue identity | `{}` | +| `controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector` | Selector for namespacs to issue identity | `{}` | +| `controllerManager.identities.clusterSPIFFEIDs.default.dnsNameTemplates` | DNS name template for issued identities | `[]` | +| `controllerManager.identities.clusterSPIFFEIDs.default.federatesWith` | Other Spire server URLs for identity federation | `[]` | +| `controllerManager.identities.clusterSPIFFEIDs.default.workloadSelectorTemplates` | Templates to produce selectors that apply to a given workload before it will receive an ID | `[]` | +| `controllerManager.identities.clusterSPIFFEIDs.default.ttl` | Indicates an upper-bound time-to-live for X509 SVIDs. If unset, the cluster default will be chosen. | `""` | +| `controllerManager.identities.clusterSPIFFEIDs.default.jwtTTL` | Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen. | `""` | +| `controllerManager.identities.clusterSPIFFEIDs.default.admin` | Indicates any pod matched by this identity will be an admin. Use this with extreme care. | `false` | +| `controllerManager.identities.clusterSPIFFEIDs.default.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `false` | +| `controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames` | Auto populate DNS names from services attached to pods | `false` | +| `controllerManager.identities.clusterStaticEntries` | Specify ClusterStaticEntry objects. | `{}` | +| `controllerManager.identities.clusterFederatedTrustDomains` | Specify ClusterFederatedTrustDomain objects. 
| `{}` | +| `controllerManager.validatingWebhookConfiguration.failurePolicy` | Action when identity is not issued | `Fail` | +| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | +| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tools.kubectl.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | +| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | +| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | +| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | +| `ingress.enabled` | Flag to enable ingress | `false` | +| `ingress.className` | Ingress class name | `""` | +| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | +| `ingress.annotations` | Annotations for the ingress object | `{}` | +| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server` | +| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | +| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. 
| `[]` | +| `ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` | +| `extraVolumes` | Extra volumes to be mounted | `[]` | +| `extraVolumeMounts` | Extra volume mounts | `[]` | +| `extraContainers` | Additional containers to create | `[]` | +| `initContainers` | Additional init containers to create | `[]` | +| `caKeyType` | The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. EC cryptography is not supported) | `rsa-2048` | +| `caTTL` | TTL for CA | `24h` | +| `defaultX509SvidTTL` | TTL for X509 Svids | `4h` | +| `defaultJwtSvidTTL` | TTL for JWT Svids | `1h` | +| `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s nodeattestor | `true` | +| `nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` | ### Tornjak @@ -322,4 +316,4 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3d077aae77eb552abd85a015d087047a7a7353d974e5f7fc6a402180c1501214` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e` | diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index e366716d3..a6778101a 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml 
@@ -206,7 +206,7 @@ plugins: {{- fail "You can only enable a single authentication mechanism to an upstream Vault." }} {{- end }} {{- end }} - {{- end }} + {{- end }} {{- with .Values.upstreamAuthority.awsPCA }} {{- if eq (.enabled | toString) "true" }} @@ -219,18 +219,18 @@ plugins: ca_signing_template_arn: {{ .caSigningTemplateARN | default "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1" | quote }} {{- if ne .signingAlgorithm "" }} signing_algorithm: {{ .signingAlgorithm | quote }} - {{- end }} + {{- end }} {{- if ne .assumeRoleARN "" }} assume_role_arn: {{ .assumeRoleARN | quote }} - {{- end }} + {{- end }} {{- if ne .endpoint "" }} endpoint: {{ .endpoint | quote }} - {{- end }} + {{- end }} {{- if ne .supplementalBundlePath "" }} supplemental_bundle_path: {{ .supplementalBundlePath | quote }} - {{- end }} + {{- end }} + {{- end }} {{- end }} - {{- end }} {{- if gt $upstreamAuthorityUsed 1 }} {{- fail "You can only enable a single Upstream Authority." }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml index 77cca5e90..8670f7332 100644 --- a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml +++ b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml 
@@ -1,42 +1,68 @@ {{- $root := . }} -{{- with .Values.controllerManager }} -{{- if and (eq (.enabled | toString) "true") (eq (.identities.enabled | toString) "true") }} +{{- range $key, $value := .Values.controllerManager.identities.clusterSPIFFEIDs }} +{{- range $skey, $svalue := $value }} +{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames")) }} +{{- fail (printf "Unsupported property specified: %s" $skey) }} +{{- end }} +{{- end }} +{{- range $rprop := list "spiffeIDTemplate" }} +{{- if not (hasKey $value $rprop) }} +{{- fail (printf "Required property %s was not specified" $rprop) }} +{{- end }} +{{- end }} +{{- if eq ($root.Values.controllerManager.enabled | toString) "true" }} +{{- if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }} +--- apiVersion: spire.spiffe.io/v1alpha1 kind: ClusterSPIFFEID metadata: - name: {{ $root.Release.Namespace }}-{{ include "spire-controller-manager.fullname" $root }}-service-account-based - namespace: {{ include "spire-server.namespace" $root }} + name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }} + {{- with $value.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $value.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} spec: - spiffeIDTemplate: {{ .identities.spiffeIDTemplate | quote }} - {{- with .identities.federatesWith }} + className: {{ include "spire-server.controller-manager-class-name" $root | quote }} + spiffeIDTemplate: {{ $value.spiffeIDTemplate | quote }} + {{- with $value.federatesWith }} federatesWith: {{- toYaml . | nindent 4 }} {{- end }} - {{- with .identities.podSelector }} + {{- with $value.podSelector }} podSelector: {{- toYaml . 
| nindent 4 }} {{- end }} - {{- with .identities.namespaceSelector }} + {{- with $value.namespaceSelector }} namespaceSelector: {{- toYaml . | nindent 4 }} {{- end }} - {{- with .identities.dnsNameTemplates }} + {{- with $value.dnsNameTemplates }} dnsNameTemplates: {{- toYaml . | nindent 4 }} {{- end }} - {{- with .identities.workloadSelectorTemplates }} - workloadTSelectoremplates: + {{- with $value.workloadSelectorTemplates }} + workloadSelectorTemplates: {{- toYaml . | nindent 4 }} {{- end }} - {{- with .identities.ttl }} + {{- with $value.ttl }} ttl: {{ . | quote }} {{- end }} - {{- with .identities.jwtTTL }} + {{- with $value.jwtTTL }} jwtTtl: {{ . | quote }} {{- end }} - admin: {{ .identities.admin }} - downstream: {{ .identities.downstream }} - autoPopulateDNSNames: {{ .identities.autoPopulateDNSNames }} - className: {{ include "spire-server.controller-manager-class-name" $root | quote}} -{{- end }} + {{- with $value.admin }} + admin: {{ . }} + {{- end }} + {{- with $value.downstream }} + downstream: {{ . }} + {{- end }} + {{- with $value.autoPopulateDNSNames }} + autoPopulateDNSNames: {{ . }} + {{- end }} +{{- end }} +{{- end }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml b/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml new file mode 100644 index 000000000..1c2b659a0 --- /dev/null +++ b/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml 
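Review bot: `name` is accepted by the unsupported-property check at the top of the new range loop but never used — metadata.name is built from `$root.Release.Namespace`, `$root.Release.Name` and `$key` — so a user-supplied `name` is silently ignored; either drop `"name"` from the allow-list or honour it with `name: {{ $value.name | default (printf "%s-%s-%s" $root.Release.Namespace $root.Release.Name $key) }}`. The required-property check uses `hasKey`, which passes for `spiffeIDTemplate: ""`, so an empty template still renders a ClusterSPIFFEID; `{{- if empty (get $value $rprop) }}` would catch both missing and empty. Neither fail message names the offending entry, so with several entries configured the user cannot tell which one is wrong; `printf "Unsupported property %s in clusterSPIFFEIDs.%s" $skey $key` fixes that. All three points apply equally to the new controller-manager-ftd.yaml and controller-manager-static-entries.yaml templates.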
@@ -0,0 +1,45 @@
+{{- $root := . }}
+{{- range $key, $value := .Values.controllerManager.identities.clusterFederatedTrustDomains }}
+{{- range $skey, $svalue := $value }}
+{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "bundleEndpointProfile" "bundleEndpointURL" "trustDomain" "trustDomainBundle")) }}
+{{- fail (printf "Unsupported property specified: %s" $skey) }}
+{{- end }}
+{{- end }}
+{{- range $rprop := list "bundleEndpointProfile" "bundleEndpointURL" "trustDomain" }}
+{{- if not (hasKey $value $rprop) }}
+{{- fail (printf "Required property %s was not specified" $rprop) }}
+{{- end }}
+{{- end }}
+{{- if eq ($root.Values.controllerManager.enabled | toString) "true" }}
+{{- if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
+---
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterFederatedTrustDomain
+metadata:
+ name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }}
+ {{- with $value.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $value.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
+ {{- with $value.bundleEndpointProfile }}
+ bundleEndpointProfile:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $value.bundleEndpointURL }}
+ bundleEndpointURL: {{ . | quote }}
+ {{- end }}
+ {{- with $value.trustDomain }}
+ trustDomain: {{ . | quote }}
+ {{- end }}
+ {{- with $value.trustDomainBundle }}
+ trustDomainBundle: {{ . | quote }}
+ {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-static-entries.yaml b/charts/spire/charts/spire-server/templates/controller-manager-static-entries.yaml
new file mode 100644
index 000000000..47629c4a4
--- /dev/null
+++ b/charts/spire/charts/spire-server/templates/controller-manager-static-entries.yaml
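Review bot: The set of keys a clusterFederatedTrustDomains entry may carry exists only inside the `has $skey (list ...)` check, and the values.yaml entry added in this commit for `controllerManager.identities.clusterFederatedTrustDomains` says only "Specify ClusterFederatedTrustDomain objects.", so a user has to read the template to learn the schema and that an entry without `enabled` is rendered as enabled. A header comment such as `{{- /* One ClusterFederatedTrustDomain per map key. Required: bundleEndpointProfile, bundleEndpointURL, trustDomain; optional: trustDomainBundle, annotations, labels, enabled (absent means enabled). */ -}}` would close that gap. The same documentation gap exists in controller-manager-static-entries.yaml.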
@@ -0,0 +1,63 @@
+{{- $root := . }}
+{{- range $key, $value := .Values.controllerManager.identities.clusterStaticEntries }}
+{{- range $skey, $svalue := $value }}
+{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "admin" "dnsNames" "downstream" "federatesWith" "hint" "jwtSVIDTTL" "parentID" "selectors" "spiffeID" "x509SVIDTTL")) }}
+{{- fail (printf "Unsupported property specified: %s" $skey) }}
+{{- end }}
+{{- end }}
+{{- range $rprop := list "spiffeID" "selectors" "parentID" }}
+{{- if not (hasKey $value $rprop) }}
+{{- fail (printf "Required property %s was not specified" $rprop) }}
+{{- end }}
+{{- end }}
+{{- if eq ($root.Values.controllerManager.enabled | toString) "true" }}
+{{- if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
+---
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterStaticEntry
+metadata:
+ name: {{ $root.Release.Namespace }}-{{ $root.Release.Name }}-{{ $key }}
+ {{- with $value.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $value.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
+ spiffeID: {{ $value.spiffeID | quote }}
+ {{- with $value.federatesWith }}
+ federatesWith:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $value.selectors }}
+ selectors:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $value.parentID }}
+ parentID: {{ . | quote }}
+ {{- end }}
+ {{- with $value.dnsNames }}
+ dnsNames:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $value.hint }}
+ hint: {{ . | quote }}
+ {{- end }}
+ {{- with $value.x509SVIDTTL }}
+ x509SVIDTTL: {{ . | quote }}
+ {{- end }}
+ {{- with $value.jwtSVIDTTL }}
+ jwtSVIDTTL: {{ . | quote }}
+ {{- end }}
+ {{- with $value.admin }}
+ admin: {{ . }}
+ {{- end }}
+ {{- with $value.downstream }}
+ downstream: {{ . }}
+ {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
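Review bot: `parentID` and `selectors` are declared required by the check at the top of the file, yet under `spec:` they are wrapped in `with` while the equally required `spiffeID` is emitted directly; the inconsistency means `selectors: []` or `parentID: ""` passes the required check and then silently drops the field from the rendered ClusterStaticEntry (presumably rejected later by the controller manager or server, with a far less clear error). Emit them the same way as `spiffeID`, `parentID: {{ $value.parentID | quote }}` and `selectors:` followed by `{{- toYaml $value.selectors | nindent 4 }}`, so an empty value is visible in the manifest. Since `admin: true` on a static entry is a privileged setting, a one-line comment above the `with $value.admin` block, `# only rendered when set; admin grants the entry elevated server API access — see values.yaml`, would help reviewers of rendered output.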
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 80315fad1..170d46e68 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml 
@@ -445,38 +445,70 @@ controllerManager: - local-path-storage identities: - ## @param controllerManager.identities.enabled Flag to enable default identities for controller manager - enabled: true - - ## @param controllerManager.identities.spiffeIDTemplate Spiffe ID template for identities - spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }} - ## @param controllerManager.identities.podSelector [object] Selector for pods to issue identity - podSelector: {} - # matchLabels: - # spiffe.io/spiffe-id: "true" - ## @param controllerManager.identities.namespaceSelector [object] Selector for namespacs to issue identity - namespaceSelector: {} - # matchLabels: - # spiffe.io/spiffe-id: "true" - ## @param controllerManager.identities.dnsNameTemplates [array] DNS name template for issued identities - dnsNameTemplates: [] - # - '{{ index .PodMeta.Labels "app.kubernetes.io/name" }}.{{ .PodMeta.Namespace }}.svc.cluster.local' - ## @param controllerManager.identities.federatesWith [array] Other Spire server URLs for identity federation - federatesWith: [] - # - example.io - # - example.ai - ## @param controllerManager.identities.workloadSelectorTemplates [array] Templates to produce selectors that apply to a given workload before it will receive an ID - workloadSelectorTemplates: [] - ## @param controllerManager.identities.ttl Indicates an upper-bound time-to-live for X509 SVIDs. If unset, the cluster default will be chosen. - ttl: "" - ## @param controllerManager.identities.jwtTTL Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen. - jwtTTL: "" - ## @param controllerManager.identities.admin Indicates any pod matched by this identity will be an admin. Use this with extreme care. - admin: false - ## @param controllerManager.identities.downstream Set if this spire instance is a root server and the workloads are downstream servers. 
- downstream: false - ## @param controllerManager.identities.autoPopulateDNSNames Auto populate DNS names from services attached to pods - autoPopulateDNSNames: false + clusterSPIFFEIDs: + # NOTE you can add multiple uniquely named entries to create multiple ClusterSPIFFEID objects. See example below. + default: + ## @param controllerManager.identities.clusterSPIFFEIDs.default.enabled Enable this identity for controller manager + enabled: true + ## @param controllerManager.identities.clusterSPIFFEIDs.default.spiffeIDTemplate Spiffe ID template for identities + spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }} + ## @param controllerManager.identities.clusterSPIFFEIDs.default.podSelector [object] Selector for pods to issue identity + podSelector: {} + # matchLabels: + # spiffe.io/spiffe-id: "true" + ## @param controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector [object] Selector for namespacs to issue identity + namespaceSelector: {} + # matchLabels: + # spiffe.io/spiffe-id: "true" + ## @param controllerManager.identities.clusterSPIFFEIDs.default.dnsNameTemplates [array] DNS name template for issued identities + dnsNameTemplates: [] + # - '{{ index .PodMeta.Labels "app.kubernetes.io/name" }}.{{ .PodMeta.Namespace }}.svc.cluster.local' + ## @param controllerManager.identities.clusterSPIFFEIDs.default.federatesWith [array] Other Spire server URLs for identity federation + federatesWith: [] + # - example.io + # - example.ai + ## @param controllerManager.identities.clusterSPIFFEIDs.default.workloadSelectorTemplates [array] Templates to produce selectors that apply to a given workload before it will receive an ID + workloadSelectorTemplates: [] + ## @param controllerManager.identities.clusterSPIFFEIDs.default.ttl Indicates an upper-bound time-to-live for X509 SVIDs. If unset, the cluster default will be chosen. 
+ ttl: "" + ## @param controllerManager.identities.clusterSPIFFEIDs.default.jwtTTL Indicates an upper-bound time-to-live for JWT SVIDs. If unset, the cluster default will be chosen. + jwtTTL: "" + ## @param controllerManager.identities.clusterSPIFFEIDs.default.admin Indicates any pod matched by this identity will be an admin. Use this with extreme care. + admin: false + ## @param controllerManager.identities.clusterSPIFFEIDs.default.downstream Set if this spire instance is a root server and the workloads are downstream servers. + downstream: false + ## @param controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames Auto populate DNS names from services attached to pods + autoPopulateDNSNames: false + + # You can specify additional ClusterSPIFFEIDs following this example: + # foo: + # labels: + # foo: bar + # spiffeIDTemplate: spiffe://{{ .TrustDomain }}/foo + # namespaceSelector: + # matchLabels: + # foo: bar + + ## @param controllerManager.identities.clusterStaticEntries Specify ClusterStaticEntry objects. + clusterStaticEntries: {} + # foo: + # labels: + # foo: bar + # parentID: spiffe://example.com/bar + # spiffeID: spiffe://example.com/foo + # selectors: + # - k8s:pod-label:app.kubernetes.io/name:server + + ## @param controllerManager.identities.clusterFederatedTrustDomains Specify ClusterFederatedTrustDomain objects. + clusterFederatedTrustDomains: {} + # foo: + # labels: + # foo: bar + # bundleEndpointProfile: + # endpointSPIFFEID: spiffe://example.com/foo + # type: https_spiffe + # bundleEndpointURL: https://rootserver.example.com:1234 + # trustDomain: example.com validatingWebhookConfiguration: ## @param controllerManager.validatingWebhookConfiguration.failurePolicy Action when identity is not issued 
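Review bot: The commented examples for `clusterStaticEntries` and `clusterFederatedTrustDomains` use `example.com` (`parentID: spiffe://example.com/bar`, `spiffeID: spiffe://example.com/foo`, `trustDomain: example.com`) while the chart's documented `trustDomain` default is `example.org`; someone copying the static-entry example verbatim ends up with IDs in a foreign trust domain. Aligning the examples on `example.org`, or adding `# must be within this server's trustDomain` next to `parentID`, avoids that trap. The enclosing `controllerManager:` map starts above the hunk.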
@@ -724,4 +756,4 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:3d077aae77eb552abd85a015d087047a7a7353d974e5f7fc6a402180c1501214 + tag: latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e diff --git a/charts/spire/charts/tornjak-frontend/Chart.yaml b/charts/spire/charts/tornjak-frontend/Chart.yaml index 38a2e7a6b..1e72c8e0e 100644 --- a/charts/spire/charts/tornjak-frontend/Chart.yaml +++ b/charts/spire/charts/tornjak-frontend/Chart.yaml @@ -4,7 +4,7 @@ description: A Helm chart to deploy Tornjak frontend type: application version: 0.1.0 appVersion: "v1.4.0" -home: https://github.com/spiffe/helm-charts/tree/main/charts/spire +home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: - https://github.com/spiffe/tornjak icon: https://raw.githubusercontent.com/spiffe/tornjak/main/logos/logo%2Btornjak.2132x1291.png diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 38239d4f1..fc1ec957f 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -5,7 +5,7 @@ A Helm chart to deploy Tornjak frontend -**Homepage:** +**Homepage:** ## Version support @@ -16,8 +16,6 @@ A Helm chart to deploy Tornjak frontend | Dependency | Supported Versions | |:-----------|:-------------------| -| SPIRE | `1.5.3+`, `1.6.x` | -| Tornjak | `1.0.x` | | Helm | `3.x` | ## Tornjak 
@@ -102,4 +100,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3d077aae77eb552abd85a015d087047a7a7353d974e5f7fc6a402180c1501214` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e` | diff --git a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml index a1c4f4218..8fbf2105f 100644 --- a/charts/spire/charts/tornjak-frontend/templates/deployment.yaml +++ b/charts/spire/charts/tornjak-frontend/templates/deployment.yaml @@ -56,6 +56,8 @@ spec: mountPath: {{ .Values.workingDir }}/node_modules/.cache - name: env mountPath: {{ .Values.workingDir }}/build/tmp + - name: logs + mountPath: /opt/app-root/src/.npm/ {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -77,3 +79,5 @@ spec: emptyDir: {} - name: env emptyDir: {} + - name: logs + emptyDir: {} diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 7917df4ab..78a06899e 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -158,4 +158,4 @@ tests: repository: chainguard/bash pullPolicy: IfNotPresent version: "" - tag: latest@sha256:3d077aae77eb552abd85a015d087047a7a7353d974e5f7fc6a402180c1501214 + tag: latest@sha256:d8e08cda119684ca08dcfcebdd63cbf3d3ff7c4f8a8effca80b962dddd42438e 
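Review bot: The new `logs` volume is mounted at a hardcoded `/opt/app-root/src/.npm/` while the two mounts just above it derive their paths from `{{ .Values.workingDir }}`, and the name says nothing about what lives there (npm's cache directory, `$HOME/.npm`), which is presumably what has to be writable now that the production example in this commit sets `readOnlyRootFilesystem: true` for the frontend. Consider naming it `npm-cache`, commenting its purpose, e.g. `# npm writes its cache to $HOME/.npm; must be writable when the root filesystem is read-only`, and either deriving the path from a value or documenting that it assumes the image's HOME is `/opt/app-root/src`. Both `emptyDir: {}` entries in the second hunk are unbounded; a `sizeLimit` (e.g. `emptyDir: { sizeLimit: 256Mi }`) keeps a runaway cache from exhausting node ephemeral storage. The Deployment spec begins outside the hunk.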
diff --git a/charts/spire/templates/_spire-lib.tpl b/charts/spire/templates/_spire-lib.tpl index 2208abe13..8536e22bc 100644 --- a/charts/spire/templates/_spire-lib.tpl +++ b/charts/spire/templates/_spire-lib.tpl @@ -20,7 +20,7 @@ {{- else if ne (len .Values.jwtIssuer) 0 }} {{- .Values.jwtIssuer }} {{- else }} -{{- printf "oidc-discovery.%s" (include "spire-lib.trust-domain" .) }} +{{- printf "https://oidc-discovery.%s" (include "spire-lib.trust-domain" .) }} {{- end }} {{- end }} diff --git a/examples/external-mysql/README.md b/examples/external-mysql/README.md index f9afb3e31..8a6864ccf 100644 --- a/examples/external-mysql/README.md +++ b/examples/external-mysql/README.md @@ -15,7 +15,7 @@ Next, edit values.yaml with your settings. Check it into your git repo if using Then, deploy the chart pointing at your mysql instance like so: ```shell -helm upgrade --install --namespace spire-server spire charts/spire -f values.yaml --set "spire-server.dataStore.sql.password=${DBPW}" +helm upgrade --install --namespace spire-server spire charts/spire -f examples/external-mysql/values.yaml --set "spire-server.dataStore.sql.password=${DBPW}" ``` See the [production example](../production) for production recommendations. diff --git a/examples/external-postgresql/README.md b/examples/external-postgresql/README.md index 21fd1dfbf..d4710fbee 100644 --- a/examples/external-postgresql/README.md +++ b/examples/external-postgresql/README.md @@ -15,7 +15,7 @@ Next, edit values.yaml with your settings. Check it into your git repo if using Then, deploy the chart pointing at your postgresql instance like so: ```shell -helm upgrade --install --namespace spire-server spire charts/spire -f values.yaml --set "spire-server.dataStore.sql.password=${DBPW}" +helm upgrade --install --namespace spire-server spire charts/spire -f examples/external-postgresql/values.yaml --set "spire-server.dataStore.sql.password=${DBPW}" ``` 
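Review bot: Changing the computed default from `oidc-discovery.<trust-domain>` to `https://oidc-discovery.<trust-domain>` changes the issuer string every upgraded installation with `jwtIssuer` unset will present (presumably the `iss` claim of its JWT-SVIDs and the `issuer` in the discovery document), so relying parties that pinned the old value will reject new tokens until they are reconfigured; this deserves an upgrade note in the chart README/NOTES rather than a silent default change. The `ne (len .Values.jwtIssuer) 0` branch still passes any user string through unchanged, while OIDC Discovery requires the issuer to be an https URL with no query or fragment; if the chart wants to catch that misconfiguration at render time, a guard such as `{{- if not (hasPrefix "https://" .Values.jwtIssuer) }}{{ fail "jwtIssuer must be an https:// URL" }}{{- end }}` (with a documented opt-out for plaintext test setups) would do it. The enclosing define starts outside the hunk.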
diff --git a/examples/nested/README.md b/examples/nested/README.md
new file mode 100644
index 000000000..2b2986eff
--- /dev/null
+++ b/examples/nested/README.md
@@ -0,0 +1,10 @@
+# Possible Nesting Configurations
+
+There are multiple ways of configuring the chart depending on what you want to use nesting for.
+
+## Nesting across Kubernetes clusters:
+![Multiple Kubernetes Cluster](./multicluster.png)
+
+## Nesting within a Kubernetes cluster:
+![Single Hardened](./singlehardened.png)
+
diff --git a/examples/nested/multicluster.dot b/examples/nested/multicluster.dot
new file mode 100644
index 000000000..fb9283339
--- /dev/null
+++ b/examples/nested/multicluster.dot
@@ -0,0 +1,61 @@
+digraph G {
+ subgraph cluster_root {
+ label="Cluster: Root K8S";
+ subgraph cluster_root_release {
+ label="Helm Release: Namespace=spire-root Name=spire"
+ spireRoot [label="Root Spire Server"];
+ }
+ }
+ subgraph cluster_nested1 {
+ label="Cluster: K8S Workload 1";
+ subgraph cluster_nested1_release {
+ label="Helm Release: Namespace=spire-server Name=spire"
+ subgraph cluster_nested1_ns1 {
+ label="Namespace: spire-system"
+ spireUpstreamAgent1 [label="Upstream Spire Agent/CSI"];
+ }
+ subgraph cluster_nested1_ns2 {
+ label="Namespace: spire-server"
+ spireServerNested1 [label="Nested Spire Server"];
+ }
+ subgraph cluster_nested1_ns3 {
+ label="Namespace: spire-system"
+ spireDownstreamAgent1 [label="Downstream Spire Agent/CSI"];
+ }
+ }
+ subgraph cluster_nested1_user {
+ label="Namespace: user"
+ userWorkload1 [label="User Workload"];
+ }
+ }
+ subgraph cluster_nested2 {
+ label="Cluster: K8S Workload 2";
+ subgraph cluster_nested2_release {
+ label="Helm Release: Namespace=spire-server Name=spire"
+ subgraph cluster_nested2_ns1 {
+ label="Namespace: spire-system"
+ spireUpstreamAgent2 [label="Upstream Spire Agent/CSI"];
+ }
+ subgraph cluster_nested2_ns2 {
+ label="Namespace: spire-server"
+ spireServerNested2 [label="Nested Spire Server"];
+ }
+ subgraph cluster_nested2_ns3 {
+ label="Namespace: spire-system"
+ spireDownstreamAgent2 [label="Downstream Spire Agent/CSI"];
+ }
+ }
+ subgraph cluster_nested2_user {
+ label="Namespace: user"
+ userWorkload2 [label="Other User Workload"];
+ }
+ }
+ spireRoot -> spireUpstreamAgent1;
+ spireRoot -> spireUpstreamAgent2;
+ spireUpstreamAgent1 -> spireServerNested1;
+ spireServerNested1 -> spireDownstreamAgent1;
+ spireDownstreamAgent1 -> userWorkload1;
+ spireUpstreamAgent2 -> spireServerNested2;
+ spireServerNested2 -> spireDownstreamAgent2;
+ spireDownstreamAgent2 -> userWorkload2;
+}
diff --git a/examples/nested/multicluster.png b/examples/nested/multicluster.png
new file mode 100644
index 000000000..a0ffd8d3d
Binary files /dev/null and b/examples/nested/multicluster.png differ
diff --git a/examples/nested/singlehardened.dot b/examples/nested/singlehardened.dot
new file mode 100644
index 000000000..9f3ac97a6
--- /dev/null
+++ b/examples/nested/singlehardened.dot
@@ -0,0 +1,55 @@
+digraph G {
+ subgraph cluster_baremetal {
+ label="(Bare Metal|Virtual) Node"
+ spireDownstreamAgent3 [label="Downstream Spire Agent"];
+ userWorkload3 [label="External User Workload"];
+ }
+ subgraph cluster_k8s {
+ label="Cluster: K8S";
+ subgraph cluster_root_release {
+ label="Helm Release: Namespace=spire-root Name=spire";
+ subgraph cluster_ns_root {
+ label="Namespace: spire-root"
+ spireRoot [label="Root Spire Server"];
+ }
+ subgraph cluster_ns_1_system {
+ label="Namespace: spire-system"
+ spireUpstreamAgent1 [label="Upstream Spire Agent/CSI"];
+ }
+ }
+ subgraph cluster_nested1_release {
+ label="Helm Release: Namespace=spire-server Name=spire"
+ subgraph cluster_ns_nested_server {
+ label="Namespace: spire-server";
+ spireServerNested1 [label="Internal Nested Spire Server"];
+ }
+ subgraph cluster_ns_nested_system {
+ label="Namespace: spire-system";
+ spireDownstreamAgent1 [label="Downstream Spire Agent/CSI"];
+ }
+ }
+ subgraph cluster_ns_nested_system {
+ label="Namespace: user";
+ userWorkload1 [label="User Workload"];
+ }
+ subgraph cluster_ns_nested2_system {
+ label="Namespace: user-other";
+ userWorkload2 [label="Other User Workload"];
+ }
+ subgraph cluster_nested3_release {
+ label="Helm Release: Namespace=spire-external Name=spire"
+ subgraph cluster_ns_nested2_system {
+ label="Namespace: spire-external";
+ spireServerNested2 [label="External Nested Spire Server"];
+ }
+ }
+ spireRoot -> spireUpstreamAgent1;
+ spireUpstreamAgent1 -> spireServerNested1;
+ spireServerNested1 -> spireDownstreamAgent1;
+ spireDownstreamAgent1 -> userWorkload1;
+ spireDownstreamAgent1 -> userWorkload2;
+ spireUpstreamAgent1 -> spireServerNested2;
+ spireServerNested2 -> spireDownstreamAgent3;
+ spireDownstreamAgent3 -> userWorkload3;
+ }
+}
diff --git a/examples/nested/singlehardened.png b/examples/nested/singlehardened.png
new file mode 100644
index 000000000..7b161bc9f
Binary files /dev/null and b/examples/nested/singlehardened.png differ
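Review bot: Two subgraph ids are reused in this file: `cluster_ns_nested_system` is declared for "Namespace: spire-system" inside `cluster_nested1_release` and again for "Namespace: user", and `cluster_ns_nested2_system` for "Namespace: user-other" and again for "Namespace: spire-external". In dot a repeated subgraph name refers to the same subgraph, so the later `label` overwrites the earlier one and both node sets are merged into one cluster; the rendered PNG will therefore not show the downstream agent and the external nested server in their own namespace boxes, which is precisely the isolation boundary this diagram is meant to illustrate (where the merged cluster ends up being placed may also differ from what was intended). Give each namespace box a unique id, e.g. `cluster_ns_user`, `cluster_ns_user_other`, `cluster_ns_external`, and regenerate the PNG.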
diff --git a/examples/nested/values.yaml b/examples/nested/values.yaml index d24df6ea4..0a26f7334 100644 --- a/examples/nested/values.yaml +++ b/examples/nested/values.yaml @@ -11,7 +11,9 @@ spire-server: controllerManager: enabled: true identities: - spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }} + clusterSPIFFEIDs: + default: + spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }} spiffe-oidc-discovery-provider: enabled: true diff --git a/examples/openshift/openshift-values.yaml b/examples/openshift/openshift-values.yaml index 013a63667..6f5dad69a 100644 --- a/examples/openshift/openshift-values.yaml +++ b/examples/openshift/openshift-values.yaml @@ -27,12 +27,6 @@ spire-agent: runAsUser: null runAsGroup: null fsGroup: null - # Talk from the agent to kubelet based on hostname instead of localhost - extraEnvVars: - - name: MY_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName upstream-spire-agent: podSecurityContext: @@ -58,8 +52,6 @@ tornjak-frontend: fsGroup: null spiffe-csi-driver: - csiDriverLabels: - security.openshift.io/csi-ephemeral-volume-profile: restricted initContainers: - terminationMessagePath: /dev/termination-log name: set-context diff --git a/examples/production/README.md b/examples/production/README.md index 21119c222..e2c04e310 100644 --- a/examples/production/README.md +++ b/examples/production/README.md 
@@ -12,27 +12,27 @@ kubectl label namespace "spire-server" pod-security.kubernetes.io/enforce=restri Update the `example-your-values.yaml` file with your values, then: ```shell -helm upgrade --install --namespace spire-server spire ../../charts/spire \ - -f values.yaml -f example-your-values.yaml --render-subchart-notes +helm upgrade --install --namespace spire-server spire charts/spire \ + -f examples/production/values.yaml -f examples/production/example-your-values.yaml --render-subchart-notes ``` If your using ingress-nginx and want to expose the spiffe oidc discovery provider outside the cluster, add the following to the end of the helm upgrade example: ```shell --f values-expose-spiffe-oidc-discovery-provider-ingress-nginx.yaml +-f examples/production/values-expose-spiffe-oidc-discovery-provider-ingress-nginx.yaml ``` If you want to expose your spire-server outside of Kubernetes and are using ingress-nginx, add following values file when running `helm template/install/upgrade`. ```shell --f values-expose-spire-server-ingress-nginx.yaml +-f examples/production/values-expose-spire-server-ingress-nginx.yaml ``` For example: ```shell -helm upgrade --install --namespace spire-server spire charts/spire -f values.yaml -f values-expose-spire-server-ingress-nginx.yaml +helm upgrade --install --namespace spire-server spire charts/spire -f examples/production/values.yaml -f examples/production/values-expose-spire-server-ingress-nginx.yaml ``` If you want to expose your federation endpoint outside of Kubernetes and are using ingress-nginx 
@@ -42,25 +42,25 @@ you have two options as described here: If you chose profile https_web, use: ```shell --f values-expose-federation-https-web-ingress-nginx.yaml +-f examples/production/values-expose-federation-https-web-ingress-nginx.yaml ``` For example: ```shell -helm upgrade --install --namespace spire-server spire charts/spire -f values.yaml -f values-expose-federation-https-web-ingress-nginx.yaml +helm upgrade --install --namespace spire-server spire charts/spire -f examples/production/values.yaml -f examples/production/values-expose-federation-https-web-ingress-nginx.yaml ``` If you chose profile https_spiffe, use: ```shell --f values-expose-federation-https-spiffe-ingress-nginx.yaml +-f examples/production/values-expose-federation-https-spiffe-ingress-nginx.yaml ``` For example: ```shell -helm upgrade --install --namespace spire-server spire charts/spire -f values.yaml -f values-expose-federation-https-spiffe-ingress-nginx.yaml +helm upgrade --install --namespace spire-server spire charts/spire -f examples/production/values.yaml -f examples/production/values-expose-federation-https-spiffe-ingress-nginx.yaml ``` See [values.yaml](./values.yaml) for more details on the chart configurations to achieve this setup. diff --git a/examples/production/run-tests.sh b/examples/production/run-tests.sh index 5ef92b62b..a60342a05 100755 --- a/examples/production/run-tests.sh +++ b/examples/production/run-tests.sh @@ -2,7 +2,7 @@ set -xe -UPGRADE_VERSION=v0.14.0 +UPGRADE_VERSION=v0.15.1 UPGRADE_REPO=https://spiffe.github.io/helm-charts-hardened SCRIPT="$(readlink -f "$0")" diff --git a/examples/production/values.yaml b/examples/production/values.yaml index bd1aa183e..dd6fb4eb5 100644 --- a/examples/production/values.yaml +++ b/examples/production/values.yaml @@ -124,7 +124,7 @@ tornjak-frontend: securityContext: allowPrivilegeEscalation: false runAsNonRoot: true - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true capabilities: drop: [ALL] seccompProfile: 
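Review bot: `readOnlyRootFilesystem: true` for tornjak-frontend only holds as long as every path the Node process writes to is backed by a writable volume; this example now depends on the tornjak-frontend Deployment template in this same commit mounting emptyDirs for the node_modules cache, build/tmp and the npm cache, so a comment tying the two together, e.g. `# safe because the chart mounts emptyDirs over the npm/node cache paths the frontend writes to`, will help whoever next bumps the Tornjak image and hits a new write location. If the tornjak-frontend subchart default is still `false` (this diff only touches the example), consider flipping the subchart default as well so non-example installs get the same hardening. The tornjak-frontend section starts outside the hunk.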
diff --git a/examples/tornjak/README.md b/examples/tornjak/README.md index f0a5b518f..51bdc4da0 100644 --- a/examples/tornjak/README.md +++ b/examples/tornjak/README.md @@ -12,11 +12,11 @@ kubectl create namespace "spire-server" kubectl label namespace "spire-server" pod-security.kubernetes.io/enforce=restricted # deploy SPIRE with Tornjak enabled -helm upgrade --install --namespace spire-server \ - --values ../production/values.yaml \ - --values ./values.yaml \ - --render-subchart-notes \ - spire ../../charts/spire +helm upgrade --install --namespace spire-server spire charts/spire \ +--values examples/production/values.yaml \ +--values examples/tornjak/values.yaml \ +--render-subchart-notes + # test the Tornjak deployment helm test spire -n spire-server diff --git a/release-chart.sh b/release-chart.sh index 136956746..bbb071434 100755 --- a/release-chart.sh +++ b/release-chart.sh @@ -6,12 +6,12 @@ ## ## Usage example(s): ## -## ./__PROG__ --chart spire --current-version 0.15.1 --new-version 0.16.0 +## ./__PROG__ --chart spire --new-version 0.16.0 +## ./__PROG__ --chart spire-crds --new-version 0.3.0 ## ## Options: ## --help Show this help message ## --chart The chart to release -## --current-version The current version number ## --new-version The new version number ## --dry-run Will not actually submit the PR ## 
@@ -39,6 +39,24 @@ function print_error_and_exit { exit 1 } +function unreleased_changes_other_charts { + for chart in "$@" ; do + latest_tag="$(git --no-pager tag --list "${chart}-[0-9]*.[0-9]*.[0-9]*" | sort -V | tail -n 1)" + changes="$(git --no-pager log "${latest_tag}..HEAD" --pretty=format:'* %h %s' "charts/${chart}")" + if [ -n "${changes}" ] ; then + echo "### Unreleased changes ${chart}" + echo + echo "${changes}" + echo + echo Please ensure you bump above charts as well before merging main into the release branch. + echo + echo '```shell' + echo ./release-chart.sh --chart "${chart}" --new-version ……… + echo '```' + fi + done +} + while (("$#")); do case "$1" in --help) @@ -49,10 +67,6 @@ while (("$#")); do chart=$2 shift 2 ;; - --current-version) - current_version=$2 - shift 2 - ;; --new-version) new_version=$2 shift 2 @@ -86,11 +100,6 @@ if [ -z "$chart" ]; then print_error_and_exit 'chart option is missing' fi -if [ -z "$current_version" ]; then - usage - print_error_and_exit 'current-version option is missing' -fi - if [ -z "$new_version" ]; then usage print_error_and_exit 'new-version option is missing' 
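Review bot: In `unreleased_changes_other_charts`, a chart that has never been tagged leaves `latest_tag` empty, so `git log "${latest_tag}..HEAD"` becomes `..HEAD`, i.e. `HEAD..HEAD`, which lists nothing; the function then reports no unreleased changes for exactly the chart that most needs a release. Guard it, e.g. `if [ -z "${latest_tag}" ]; then echo "### ${chart}: no release tag found, treat all changes as unreleased"; continue; fi` (or use the root commit as the lower bound). Also `git tag --list "${chart}-[0-9]*.[0-9]*.[0-9]*"` is a glob, so a pre-release tag such as `spire-1.0.0-rc1` matches too and, depending on how `sort -V` orders it, could be picked as the latest release; if pre-release tags exist in this repo, filter them out or tighten the pattern.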
@@ -102,21 +111,37 @@ fi branch_name="bump-${chart}-version" +git fetch --tags git checkout main git pull git checkout --track -B "${branch_name}" main + +current_version="$(grep '^version:' "charts/${chart}/Chart.yaml" | awk '{print $2}')" commits_since_previous_release="$(git log "${chart}-${current_version}..HEAD" --pretty=format:'* %h %s' "charts/${chart}")" "${SED}" -i "s/version: ${current_version}/version: ${new_version}/" "charts/${chart}/Chart.yaml" -"${SED}" -i "s/${current_version}/${new_version}/" "charts/${chart}/README.md" +"${SED}" -i "s/${current_version}/${new_version}/g" "charts/${chart}/README.md" git add "charts/${chart}/"{Chart.yaml,README.md} git commit -m "Bump ${chart} Helm Chart version from ${current_version} to ${new_version}" \ -m "${commits_since_previous_release}" \ -s git push -u origin --force-with-lease +other_charts=() +for chart_dir in charts/*/; do + chart_name=$(basename "$chart_dir") + if [[ "$chart_name" != "$chart" ]]; then + other_charts+=("$chart_name") + fi +done + cat < [!Important] +> Before merging to the release branch, ensure all other changed charts also have their version number bumped. + +$(unreleased_changes_other_charts "${other_charts[@]}") + > [!Note] > **Maintainers** ensure to run following after merging this PR to trigger the release workflow: > diff --git a/tests/go.mod b/tests/go.mod index b6cc0373b..44a6a0810 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -3,7 +3,7 @@ module github.com/spiffe/helm-charts/tests go 1.20 require ( - github.com/onsi/ginkgo/v2 v2.13.0 + github.com/onsi/ginkgo/v2 v2.13.2 github.com/onsi/gomega v1.30.0 helm.sh/helm/v3 v3.13.2 ) 
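Review bot: `"${SED}" -i "s/${current_version}/${new_version}/g"` now substitutes globally with an unescaped pattern: the dots in `current_version` match any character, so with `/g` every `0.15.1`-shaped run anywhere in README.md is rewritten, including inside sha256 digests (the READMEs in this repo embed them, as the tornjak-frontend README in this diff shows) and any appVersion or dependency versions documented there. Escape and bound the pattern, e.g. `version_re="${current_version//./\\.}"` followed by `s/\b${version_re}\b/${new_version}/g` (GNU sed), or restrict the substitution to the lines that carry the chart version badge. `current_version` is also read via `grep '^version:'` with no check; if it comes back empty the sed degenerates to `s//…/` and the `git log "${chart}-..HEAD"` range is meaningless, so fail fast with `[ -n "${current_version}" ] || print_error_and_exit "could not read version from charts/${chart}/Chart.yaml"`.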
@@ -16,7 +16,7 @@ require ( github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/emicklei/go-restful/v3 v3.10.1 // indirect - github.com/go-logr/logr v1.2.4 // indirect + github.com/go-logr/logr v1.3.0 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect github.com/go-openapi/swag v0.22.3 // indirect @@ -48,11 +48,11 @@ require ( golang.org/x/crypto v0.14.0 // indirect golang.org/x/net v0.17.0 // indirect golang.org/x/oauth2 v0.8.0 // indirect - golang.org/x/sys v0.13.0 // indirect + golang.org/x/sys v0.14.0 // indirect golang.org/x/term v0.13.0 // indirect golang.org/x/text v0.13.0 // indirect golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.12.0 // indirect + golang.org/x/tools v0.14.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/protobuf v1.30.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/tests/go.sum b/tests/go.sum index 693fb29cb..0140bd971 100644 --- a/tests/go.sum +++ b/tests/go.sum 
@@ -20,8 +20,8 @@ github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKf github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= -github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= @@ -85,8 +85,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= -github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= +github.com/onsi/ginkgo/v2 v2.13.2 h1:Bi2gGVkfn6gQcjNjZJVO8Gf0FHzMPf2phUei9tejVMs= +github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM= github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 
@@ -132,7 +132,7 @@ golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= +golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -158,8 +158,8 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= -golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= +golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= 
@@ -179,8 +179,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss= -golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= +golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc= +golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=