Skip to content

Commit

Permalink
Merge branch 'main' into release
Browse files Browse the repository at this point in the history
  • Loading branch information
@faisal-memon
faisal-memon committed Oct 28, 2024
2 parents e6d7d57 + 5b16168 commit 9da5fa2
Show file tree
Hide file tree
Showing 61 changed files with 945 additions and 601 deletions.
10 changes: 5 additions & 5 deletions .github/tests/charts.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,26 +2,26 @@
{
"name": "kube-prometheus-stack",
"repo": "https://prometheus-community.github.io/helm-charts",
"version": "62.3.1"
"version": "65.5.0"
},
{
"name": "cert-manager",
"repo": "https://charts.jetstack.io",
"version": "v1.15.3"
"version": "v1.16.1"
},
{
"name": "ingress-nginx",
"repo": "https://kubernetes.github.io/ingress-nginx",
"version": "4.11.2"
"version": "4.11.3"
},
{
"name": "mysql",
"repo": "https://charts.bitnami.com/bitnami",
"version": "11.1.15"
"version": "11.1.19"
},
{
"name": "postgresql",
"repo": "https://charts.bitnami.com/bitnami",
"version": "15.5.27"
"version": "16.0.6"
}
]
5 changes: 5 additions & 0 deletions .github/tests/images.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,11 @@
"query": "tests.busybox.image",
"filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
"sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
},
{
"query": "spiffeHelper.image",
"filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$",
"sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
}
],
"tornjak-frontend/values.yaml": [
Expand Down
24 changes: 12 additions & 12 deletions .github/workflows/helm-chart-ci-ignore.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,9 +30,9 @@ jobs:
strategy:
matrix:
k8s:
- v1.28.0
- v1.27.3
- v1.26.6
- v1.31.1
- v1.30.4
- v1.29.8

steps:
- run: 'echo "Skipping tests"'
Expand Down Expand Up @@ -74,9 +74,9 @@ jobs:
strategy:
matrix:
k8s:
- v1.28.0
- v1.27.3
- v1.26.6
- v1.31.1
- v1.30.4
- v1.29.8
example:
- ${{ fromJson(needs.build-matrix.outputs.examples) }}

Expand All @@ -92,9 +92,9 @@ jobs:
strategy:
matrix:
k8s:
- v1.28.0
- v1.27.3
- v1.26.6
- v1.31.1
- v1.30.4
- v1.29.8
example:
- ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}

Expand All @@ -110,9 +110,9 @@ jobs:
strategy:
matrix:
k8s:
- v1.28.0
- v1.27.3
- v1.26.6
- v1.31.1
- v1.30.4
- v1.29.8

steps:
- run: 'echo "Skipping upgrade-test"'
35 changes: 18 additions & 17 deletions .github/workflows/helm-chart-ci.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,9 +21,9 @@ concurrency:
cancel-in-progress: true

env:
HELM_VERSION: v3.12.0
HELM_VERSION: v3.16.2
PYTHON_VERSION: 3.11.3
KIND_VERSION: v0.19.0
KIND_VERSION: v0.24.0
CHART_TESTING_VERSION: v3.8.0

jobs:
Expand Down Expand Up @@ -130,9 +130,9 @@ jobs:
# Kubernetes, but can go back farther as long as we don't need heroics
# to pull it off (i.e. kubectl version juggling).
k8s:
- v1.28.0
- v1.27.3
- v1.26.6
- v1.31.1
- v1.30.4
- v1.29.8

steps:
- name: Checkout
Expand Down Expand Up @@ -218,9 +218,9 @@ jobs:
fail-fast: false
matrix:
k8s:
- v1.28.0
- v1.27.3
- v1.26.6
- v1.31.1
- v1.30.4
- v1.29.8
example:
- ${{ fromJson(needs.build-matrix.outputs.examples) }}

Expand All @@ -243,7 +243,7 @@ jobs:
# Only build a kind cluster if there are chart changes to test.
with:
version: ${{ env.KIND_VERSION }}
node_image: kindest/node:v1.26.4
node_image: kindest/node:${{ matrix.k8s }}
config: .github/kind/conf/kind-config.yaml
verbosity: 1

Expand All @@ -256,6 +256,7 @@ jobs:
kubectl create namespace spire-server
helm install -n spire-server spire-crds charts/spire-crds
fi
export K8S="${{ matrix.k8s }}"
${{ matrix.example }}/run-tests.sh
integration-test:
Expand All @@ -269,9 +270,9 @@ jobs:
fail-fast: false
matrix:
k8s:
- v1.28.0
- v1.27.3
- v1.26.6
- v1.31.1
- v1.30.4
- v1.29.8
integrationtest:
- ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}

Expand All @@ -294,7 +295,7 @@ jobs:
# Only build a kind cluster if there are chart changes to test.
with:
version: ${{ env.KIND_VERSION }}
node_image: kindest/node:v1.26.4
node_image: kindest/node:${{ matrix.k8s }}
config: .github/kind/conf/kind-config.yaml
verbosity: 1

Expand All @@ -314,9 +315,9 @@ jobs:
fail-fast: false
matrix:
k8s:
- v1.28.0
- v1.27.3
- v1.26.6
- v1.31.1
- v1.30.4
- v1.29.8

steps:
- name: Checkout
Expand All @@ -337,7 +338,7 @@ jobs:
# Only build a kind cluster if there are chart changes to test.
with:
version: ${{ env.KIND_VERSION }}
node_image: kindest/node:v1.26.4
node_image: kindest/node:${{ matrix.k8s }}
config: .github/kind/conf/kind-config.yaml
verbosity: 1

Expand Down
2 changes: 1 addition & 1 deletion charts/spire-crds/Chart.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ name: spire-crds
description: >
A Helm chart for deploying the Spire CRDS
type: application
version: 0.4.0
version: 0.5.0
appVersion: "0.0.1"
keywords: ["spire-crds"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
Expand Down
8 changes: 8 additions & 0 deletions charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,11 @@ spec:
description: AutoPopulateDNSNames indicates whether or not to auto
populate service DNS names.
type: boolean
fallback:
description: |-
Apply this ID only if there are no other matching non fallback
ClusterSPIFFEIDs
type: boolean
dnsNameTemplates:
description: DNSNameTemplate represents templates for extra DNS names
that are applicable to SVIDs minted for this ClusterSPIFFEID. The
Expand All @@ -66,6 +71,9 @@ spec:
items:
type: string
type: array
hint:
description: Set the entry hint
type: string
jwtTtl:
description: JWTTTL indicates an upper-bound time-to-live for JWT
SVIDs minted for this ClusterSPIFFEID.
Expand Down
4 changes: 2 additions & 2 deletions charts/spire-nested/Chart.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,8 @@ name: spire-nested
description: >
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
type: application
version: 0.23.0
appVersion: "1.10.3"
version: 0.24.0
appVersion: "1.11.0"
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources:
Expand Down
12 changes: 6 additions & 6 deletions charts/spire-nested/README.md
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# spire

![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.3](https://img.shields.io/badge/AppVersion-1.10.3-informational?style=flat-square)
![Version: 0.24.0](https://img.shields.io/badge/Version-0.24.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.0](https://img.shields.io/badge/AppVersion-1.11.0-informational?style=flat-square)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)

A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
Expand Down Expand Up @@ -303,7 +303,7 @@ Now you can interact with the Spire agent socket from your own application. The
| `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled` | Enable the test-keys identity | `false` |
| `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled` | Enable the test-keys identity | `false` |
| `root-spire-server.externalControllerManagers.enabled` | Flag to enable external controller managers | `true` |
| `root-spire-server.nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` |
| `root-spire-server.nodeAttestor.k8sPSAT.serviceAccountAllowList` | Allowed service accounts for PSAT nodeattestor | `[]` |
| `root-spire-server.bundleConfigMap` | The name of the configmap to store the upstream bundle | `spire-bundle-upstream` |
| `external-root-spire-server-full.externalServer` | Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers. | `true` |
| `external-root-spire-server-full.nameOverride` | Name override | `root-server` |
Expand All @@ -315,15 +315,15 @@ Now you can interact with the Spire agent socket from your own application. The
| `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.default.enabled` | Enable the default cluster spiffe id | `false` |
| `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled` | Enable the test-keys identity | `false` |
| `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled` | Enable the test-keys identity | `false` |
| `external-root-spire-server-full.nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` |
| `external-root-spire-server-full.nodeAttestor.k8sPSAT.serviceAccountAllowList` | Allowed service accounts for PSAT nodeattestor | `[]` |
| `external-root-spire-server-full.bundleConfigMap` | The name of the configmap to store the upstream bundle | `spire-bundle-upstream` |
| `external-root-spire-server-security.externalServer` | Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers. | `true` |
| `external-root-spire-server-security.nameOverride` | Name override | `root-server` |
| `external-root-spire-server-security.crNameOverride` | Custom Resource name override | `root` |
| `external-root-spire-server-security.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` |
| `external-root-spire-server-security.controllerManager.validatingWebhookConfiguration.enabled` | Disable only when you have another instance on the k8s cluster with webhooks enabled. | `false` |
| `external-root-spire-server-security.controllerManager.className` | specify to use an explicit class name. | `spire-mgmt-external-server` |
| `external-root-spire-server-security.nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` |
| `external-root-spire-server-security.nodeAttestor.k8sPSAT.serviceAccountAllowList` | Allowed service accounts for PSAT nodeattestor | `[]` |
| `external-root-spire-server-security.bundleConfigMap` | The name of the configmap to store the upstream bundle | `spire-bundle-upstream` |

### Spire server parameters
Expand All @@ -350,6 +350,6 @@ Now you can interact with the Spire agent socket from your own application. The
| `external-spire-server.upstreamAuthority.spire.enabled` | Enable upstream SPIRE server | `true` |
| `external-spire-server.upstreamAuthority.spire.upstreamDriver` | Use an upstream driver for authentication | `upstream.csi.spiffe.io` |
| `external-spire-server.upstreamAuthority.spire.server.nameOverride` | The name override setting of the root SPIRE server | `root-server` |
| `external-spire-server.notifier.k8sbundle.enabled` | Enable local k8s bundle uploader | `false` |
| `external-spire-server.nodeAttestor.k8sPsat.enabled` | Enable Psat k8s nodeattestor | `false` |
| `external-spire-server.notifier.k8sBundle.enabled` | Enable local k8s bundle uploader | `false` |
| `external-spire-server.nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s nodeattestor | `false` |
| `external-spire-server.nodeAttestor.joinToken.enabled` | Enable the join_token nodeattestor | `true` |
20 changes: 10 additions & 10 deletions charts/spire-nested/values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -246,8 +246,8 @@ root-spire-server:
## @param root-spire-server.externalControllerManagers.enabled Flag to enable external controller managers
enabled: true
nodeAttestor:
k8sPsat:
## @param root-spire-server.nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor
k8sPSAT:
## @param root-spire-server.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor
serviceAccountAllowList:
- spire-agent-upstream
## @param root-spire-server.bundleConfigMap The name of the configmap to store the upstream bundle
Expand Down Expand Up @@ -284,8 +284,8 @@ external-root-spire-server-full:
## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable the test-keys identity
enabled: false
nodeAttestor:
k8sPsat:
## @param external-root-spire-server-full.nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor
k8sPSAT:
## @param external-root-spire-server-full.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor
serviceAccountAllowList:
- spire-agent-upstream
## @param external-root-spire-server-full.bundleConfigMap The name of the configmap to store the upstream bundle
Expand All @@ -308,8 +308,8 @@ external-root-spire-server-security:
## @param external-root-spire-server-security.controllerManager.className specify to use an explicit class name.
className: spire-mgmt-external-server
nodeAttestor:
k8sPsat:
## @param external-root-spire-server-security.nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor
k8sPSAT:
## @param external-root-spire-server-security.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor
serviceAccountAllowList:
- spire-agent-upstream
## @param external-root-spire-server-security.bundleConfigMap The name of the configmap to store the upstream bundle
Expand Down Expand Up @@ -385,12 +385,12 @@ external-spire-server:
## @param external-spire-server.upstreamAuthority.spire.server.nameOverride The name override setting of the root SPIRE server
nameOverride: root-server
notifier:
k8sbundle:
## @param external-spire-server.notifier.k8sbundle.enabled Enable local k8s bundle uploader
k8sBundle:
## @param external-spire-server.notifier.k8sBundle.enabled Enable local k8s bundle uploader
enabled: false
nodeAttestor:
k8sPsat:
## @param external-spire-server.nodeAttestor.k8sPsat.enabled Enable Psat k8s nodeattestor
k8sPSAT:
## @param external-spire-server.nodeAttestor.k8sPSAT.enabled Enable PSAT k8s nodeattestor
enabled: false
joinToken:
## @param external-spire-server.nodeAttestor.joinToken.enabled Enable the join_token nodeattestor
Expand Down
4 changes: 2 additions & 2 deletions charts/spire/Chart.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,8 @@ name: spire
description: >
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
type: application
version: 0.23.0
appVersion: "1.10.3"
version: 0.24.0
appVersion: "1.11.0"
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources:
Expand Down
Loading

0 comments on commit 9da5fa2

Please sign in to comment.