diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 9094b7942..090e64d4c 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,26 +2,26 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "62.3.1" + "version": "65.5.0" }, { "name": "cert-manager", "repo": "https://charts.jetstack.io", - "version": "v1.15.3" + "version": "v1.16.1" }, { "name": "ingress-nginx", "repo": "https://kubernetes.github.io/ingress-nginx", - "version": "4.11.2" + "version": "4.11.3" }, { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "11.1.15" + "version": "11.1.19" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "15.5.27" + "version": "16.0.6" } ] diff --git a/.github/tests/images.json b/.github/tests/images.json index bd564c589..53f3fe4e8 100644 --- a/.github/tests/images.json +++ b/.github/tests/images.json @@ -63,6 +63,11 @@ "query": "tests.busybox.image", "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$", "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"] + }, + { + "query": "spiffeHelper.image", + "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$", + "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"] } ], "tornjak-frontend/values.yaml": [ diff --git a/.github/workflows/helm-chart-ci-ignore.yaml b/.github/workflows/helm-chart-ci-ignore.yaml index 1ba17fdcc..68950d152 100644 --- a/.github/workflows/helm-chart-ci-ignore.yaml +++ b/.github/workflows/helm-chart-ci-ignore.yaml @@ -30,9 +30,9 @@ jobs: strategy: matrix: k8s: - - v1.28.0 - - v1.27.3 - - v1.26.6 + - v1.31.1 + - v1.30.4 + - v1.29.8 steps: - run: 'echo "Skipping tests"' @@ -74,9 +74,9 @@ jobs: strategy: matrix: k8s: - - v1.28.0 - - v1.27.3 - - v1.26.6 + - v1.31.1 + - v1.30.4 + - v1.29.8 example: - ${{ fromJson(needs.build-matrix.outputs.examples) }} 
@@ -92,9 +92,9 @@ jobs: strategy: matrix: k8s: - - v1.28.0 - - v1.27.3 - - v1.26.6 + - v1.31.1 + - v1.30.4 + - v1.29.8 example: - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }} @@ -110,9 +110,9 @@ jobs: strategy: matrix: k8s: - - v1.28.0 - - v1.27.3 - - v1.26.6 + - v1.31.1 + - v1.30.4 + - v1.29.8 steps: - run: 'echo "Skipping upgrade-test"' diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml index d93646507..95070944e 100644 --- a/.github/workflows/helm-chart-ci.yaml +++ b/.github/workflows/helm-chart-ci.yaml @@ -21,9 +21,9 @@ concurrency: cancel-in-progress: true env: - HELM_VERSION: v3.12.0 + HELM_VERSION: v3.16.2 PYTHON_VERSION: 3.11.3 - KIND_VERSION: v0.19.0 + KIND_VERSION: v0.24.0 CHART_TESTING_VERSION: v3.8.0 jobs: @@ -130,9 +130,9 @@ jobs: # Kubernetes, but can go back farther as long as we don't need heroics # to pull it off (i.e. kubectl version juggling). k8s: - - v1.28.0 - - v1.27.3 - - v1.26.6 + - v1.31.1 + - v1.30.4 + - v1.29.8 steps: - name: Checkout @@ -218,9 +218,9 @@ jobs: fail-fast: false matrix: k8s: - - v1.28.0 - - v1.27.3 - - v1.26.6 + - v1.31.1 + - v1.30.4 + - v1.29.8 example: - ${{ fromJson(needs.build-matrix.outputs.examples) }} @@ -243,7 +243,7 @@ jobs: # Only build a kind cluster if there are chart changes to test. with: version: ${{ env.KIND_VERSION }} - node_image: kindest/node:v1.26.4 + node_image: kindest/node:${{ matrix.k8s }} config: .github/kind/conf/kind-config.yaml verbosity: 1 @@ -256,6 +256,7 @@ jobs: kubectl create namespace spire-server helm install -n spire-server spire-crds charts/spire-crds fi + export K8S="${{ matrix.k8s }}" ${{ matrix.example }}/run-tests.sh integration-test: @@ -269,9 +270,9 @@ jobs: fail-fast: false matrix: k8s: - - v1.28.0 - - v1.27.3 - - v1.26.6 + - v1.31.1 + - v1.30.4 + - v1.29.8 integrationtest: - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }} 
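Review bot: `node_image: kindest/node:${{ matrix.k8s }}` (hunk @@ -243, repeated at @@ -294 and @@ -337) pulls the kind node image by a mutable tag, so nothing records which exact node build the tests ran against; the old fixed `v1.26.4` had the same weakness, but now the matrix drives the tag directly and is the natural place to fix it. kind publishes a digest for each node image built against a given kind release, and node images are only guaranteed to work with the kind version they were built for — KIND_VERSION is bumped to v0.24.0 in the same file, and whether every tag in the matrix has a build for that release is something to confirm against the kind release notes. A digest-pinned matrix, e.g. entries of the form `k8s: - version: v1.31.1 image: kindest/node:v1.31.1@sha256:<digest from the kind release>` consumed as `node_image: ${{ matrix.k8s.image }}`, would make the runs reproducible and tamper-evident; the `export K8S="${{ matrix.k8s }}"` line in @@ -256 would then read `matrix.k8s.version`.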
@@ -294,7 +295,7 @@ jobs: # Only build a kind cluster if there are chart changes to test. with: version: ${{ env.KIND_VERSION }} - node_image: kindest/node:v1.26.4 + node_image: kindest/node:${{ matrix.k8s }} config: .github/kind/conf/kind-config.yaml verbosity: 1 @@ -314,9 +315,9 @@ jobs: fail-fast: false matrix: k8s: - - v1.28.0 - - v1.27.3 - - v1.26.6 + - v1.31.1 + - v1.30.4 + - v1.29.8 steps: - name: Checkout @@ -337,7 +338,7 @@ jobs: # Only build a kind cluster if there are chart changes to test. with: version: ${{ env.KIND_VERSION }} - node_image: kindest/node:v1.26.4 + node_image: kindest/node:${{ matrix.k8s }} config: .github/kind/conf/kind-config.yaml verbosity: 1 diff --git a/charts/spire-crds/Chart.yaml b/charts/spire-crds/Chart.yaml index 1dfea9734..0ccccc099 100644 --- a/charts/spire-crds/Chart.yaml +++ b/charts/spire-crds/Chart.yaml @@ -3,7 +3,7 @@ name: spire-crds description: > A Helm chart for deploying the Spire CRDS type: application -version: 0.4.0 +version: 0.5.0 appVersion: "0.0.1" keywords: ["spire-crds"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire diff --git a/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml b/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml index 951fa0e55..2f3489489 100644 --- a/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml +++ b/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml @@ -45,6 +45,11 @@ spec: description: AutoPopulateDNSNames indicates whether or not to auto populate service DNS names. type: boolean + fallback: + description: |- + Apply this ID only if there are no other matching non fallback + ClusterSPIFFEIDs + type: boolean dnsNameTemplates: description: DNSNameTemplate represents templates for extra DNS names that are applicable to SVIDs minted for this ClusterSPIFFEID. The 
@@ -66,6 +71,9 @@ spec: items: type: string type: array + hint: + description: Set the entry hint + type: string jwtTtl: description: JWTTTL indicates an upper-bound time-to-live for JWT SVIDs minted for this ClusterSPIFFEID. diff --git a/charts/spire-nested/Chart.yaml b/charts/spire-nested/Chart.yaml index 00e86b30d..670381cbb 100644 --- a/charts/spire-nested/Chart.yaml +++ b/charts/spire-nested/Chart.yaml @@ -3,8 +3,8 @@ name: spire-nested description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.23.0 -appVersion: "1.10.3" +version: 0.24.0 +appVersion: "1.11.0" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire-nested/README.md b/charts/spire-nested/README.md index a4991f4e5..4ff3b208a 100644 --- a/charts/spire-nested/README.md +++ b/charts/spire-nested/README.md 
@@ -1,6 +1,6 @@ # spire -![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.3](https://img.shields.io/badge/AppVersion-1.10.3-informational?style=flat-square) +![Version: 0.24.0](https://img.shields.io/badge/Version-0.24.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.0](https://img.shields.io/badge/AppVersion-1.11.0-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. 
@@ -303,7 +303,7 @@ Now you can interact with the Spire agent socket from your own application. The | `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled` | Enable the test-keys identity | `false` | | `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled` | Enable the test-keys identity | `false` | | `root-spire-server.externalControllerManagers.enabled` | Flag to enable external controller managers | `true` | -| `root-spire-server.nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` | +| `root-spire-server.nodeAttestor.k8sPSAT.serviceAccountAllowList` | Allowed service accounts for PSAT nodeattestor | `[]` | | `root-spire-server.bundleConfigMap` | The name of the configmap to store the upstream bundle | `spire-bundle-upstream` | | `external-root-spire-server-full.externalServer` | Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers. | `true` | | `external-root-spire-server-full.nameOverride` | Name override | `root-server` | 
@@ -315,7 +315,7 @@ Now you can interact with the Spire agent socket from your own application. The | `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.default.enabled` | Enable the default cluster spiffe id | `false` | | `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled` | Enable the test-keys identity | `false` | | `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled` | Enable the test-keys identity | `false` | -| `external-root-spire-server-full.nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` | +| `external-root-spire-server-full.nodeAttestor.k8sPSAT.serviceAccountAllowList` | Allowed service accounts for PSAT nodeattestor | `[]` | | `external-root-spire-server-full.bundleConfigMap` | The name of the configmap to store the upstream bundle | `spire-bundle-upstream` | | `external-root-spire-server-security.externalServer` | Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers. | `true` | | `external-root-spire-server-security.nameOverride` | Name override | `root-server` | 
@@ -323,7 +323,7 @@ Now you can interact with the Spire agent socket from your own application. The | `external-root-spire-server-security.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` | | `external-root-spire-server-security.controllerManager.validatingWebhookConfiguration.enabled` | Disable only when you have another instance on the k8s cluster with webhooks enabled. | `false` | | `external-root-spire-server-security.controllerManager.className` | specify to use an explicit class name. | `spire-mgmt-external-server` | -| `external-root-spire-server-security.nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` | +| `external-root-spire-server-security.nodeAttestor.k8sPSAT.serviceAccountAllowList` | Allowed service accounts for PSAT nodeattestor | `[]` | | `external-root-spire-server-security.bundleConfigMap` | The name of the configmap to store the upstream bundle | `spire-bundle-upstream` | ### Spire server parameters 
@@ -350,6 +350,6 @@ Now you can interact with the Spire agent socket from your own application. The | `external-spire-server.upstreamAuthority.spire.enabled` | Enable upstream SPIRE server | `true` | | `external-spire-server.upstreamAuthority.spire.upstreamDriver` | Use an upstream driver for authentication | `upstream.csi.spiffe.io` | | `external-spire-server.upstreamAuthority.spire.server.nameOverride` | The name override setting of the root SPIRE server | `root-server` | -| `external-spire-server.notifier.k8sbundle.enabled` | Enable local k8s bundle uploader | `false` | -| `external-spire-server.nodeAttestor.k8sPsat.enabled` | Enable Psat k8s nodeattestor | `false` | +| `external-spire-server.notifier.k8sBundle.enabled` | Enable local k8s bundle uploader | `false` | +| `external-spire-server.nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s nodeattestor | `false` | | `external-spire-server.nodeAttestor.joinToken.enabled` | Enable the join_token nodeattestor | `true` | diff --git a/charts/spire-nested/values.yaml b/charts/spire-nested/values.yaml index f7c954954..4465ade61 100644 --- a/charts/spire-nested/values.yaml +++ b/charts/spire-nested/values.yaml @@ -246,8 +246,8 @@ root-spire-server: ## @param root-spire-server.externalControllerManagers.enabled Flag to enable external controller managers enabled: true nodeAttestor: - k8sPsat: - ## @param root-spire-server.nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor + k8sPSAT: + ## @param root-spire-server.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor serviceAccountAllowList: - spire-agent-upstream ## @param root-spire-server.bundleConfigMap The name of the configmap to store the upstream bundle 
@@ -284,8 +284,8 @@ external-root-spire-server-full: ## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable the test-keys identity enabled: false nodeAttestor: - k8sPsat: - ## @param external-root-spire-server-full.nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor + k8sPSAT: + ## @param external-root-spire-server-full.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor serviceAccountAllowList: - spire-agent-upstream ## @param external-root-spire-server-full.bundleConfigMap The name of the configmap to store the upstream bundle @@ -308,8 +308,8 @@ external-root-spire-server-security: ## @param external-root-spire-server-security.controllerManager.className specify to use an explicit class name. className: spire-mgmt-external-server nodeAttestor: - k8sPsat: - ## @param external-root-spire-server-security.nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor + k8sPSAT: + ## @param external-root-spire-server-security.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor serviceAccountAllowList: - spire-agent-upstream ## @param external-root-spire-server-security.bundleConfigMap The name of the configmap to store the upstream bundle 
@@ -385,12 +385,12 @@ external-spire-server: ## @param external-spire-server.upstreamAuthority.spire.server.nameOverride The name override setting of the root SPIRE server nameOverride: root-server notifier: - k8sbundle: - ## @param external-spire-server.notifier.k8sbundle.enabled Enable local k8s bundle uploader + k8sBundle: + ## @param external-spire-server.notifier.k8sBundle.enabled Enable local k8s bundle uploader enabled: false nodeAttestor: - k8sPsat: - ## @param external-spire-server.nodeAttestor.k8sPsat.enabled Enable Psat k8s nodeattestor + k8sPSAT: + ## @param external-spire-server.nodeAttestor.k8sPSAT.enabled Enable PSAT k8s nodeattestor enabled: false joinToken: ## @param external-spire-server.nodeAttestor.joinToken.enabled Enable the join_token nodeattestor diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 8769e45f6..df06027f3 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -3,8 +3,8 @@ name: spire description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.23.0 -appVersion: "1.10.3" +version: 0.24.0 +appVersion: "1.11.0" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire/README.md b/charts/spire/README.md index 172d73671..14f8d98b7 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -1,6 +1,6 @@ # spire -![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.3](https://img.shields.io/badge/AppVersion-1.10.3-informational?style=flat-square) +![Version: 0.24.0](https://img.shields.io/badge/Version-0.24.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.0](https://img.shields.io/badge/AppVersion-1.11.0-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. 
@@ -88,6 +88,37 @@ kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeid We only support upgrading one major/minor version at a time. Version skipping isn't supported. Please see for details. +### 0.24.X + +- You must upgrade [spire-crds](https://artifacthub.io/packages/helm/spiffe/spire-crds) to 0.5.0+ before performing this upgrade. + +- SPIRE changed the default in 1.11.0 from `spire-agent.workloadAttestors.k8s.useNewContainerLocator=false` to `spire-agent.workloadAttestors.k8s.useNewContainerLocator=true` + +- In order to make it easier to target specific SPIFFE IDs to workloads, a fallback feature was added to ClusterSPIFFEIDs so that a default ID will only apply when no others do. To change back to the previous behavior, use `spire-server.controllerManager.identities.clusterSPIFFEIDs.default.fallback=false`. The new default is unlikely to need changes. + +- We now set a hint of the ClusterSPIFFEID name on each entry created by default. This can be undone by setting the `hint=""` property on the ClusterSPIFFEID. The new default is unlikely to need changes. + +- We have added the remaining options needed for the SPIRE Server SQL data store plugin as native values. We have removed `spire-server.dataStore.sql.plugin_data` section as it is no longer needed. If you are using it, please migrate your settings to the ones under `spire-server.dataStore.sql`. + +- For users of `spire-server.upstreamAuthority.certManager`, a bug was discovered with templates not honoring `global.spire.caSubject.*`. It has been fixed, but may change values if you are not careful. Please double check the new settings are what you need them to be before completing the upgrade. + +- Lastly, as we approach 1.0.0, we would like to ensure all the values follow the same convention. We have made a bunch of minor changes to the values in this version to make sure they are all camel cased and properly capitalized. 
If you are upgrading from a previous version, please look though this list carefully to see if a value you are using is impacted: + + - `spire-server.federation.bundleEndpoint.refresh_hint` -> `spire-server.federation.bundleEndpoint.refreshHint` + - `spire-server.nodeAttestor.k8sPsat` -> `spire-server.nodeAttestor.k8sPSAT` + - `spire-server.nodeAttestor.externalK8sPsat` -> `spire-server.nodeAttestor.ExternalK8sPSAT` + - `spire-server.notifier.k8sbundle` -> `spire-server.notifier.k8sBundle` + - `spire-server.ca_subject` -> `spire-server.caSubject` + - `spire-server.ca_subject.common_name -> `spire-server.caSubject.commonName` + - `spire-server.upstreamAuthority.certManager.issuer_name` -> `spire-server.upstreamAuthority.certManager.issuerName` + - `spire-server.upstreamAuthority.certManager.issuer_kind` -> `spire-server.upstreamAuthority.certManager.issuerKind` + - `spire-server.upstreamAuthority.certManager.issuer_group` -> `spire-server.upstreamAuthority.certManager.issuerGroup` + - `spire-server.upstreamAuthority.certManager.kube_config_file` -> `spire-server.upstreamAuthority.certManager.kubeConfigFile` + - `spire-agent.sds.defaultSvidName` -> `spire-agent.sds.defaultSVIDName` + - `spire-agent.sds.disableSpiffeCertValidation` -> `spire-agent.sds.disableSPIFFECertValidation` + - `spire-agent.sds.defaultSvidName` -> `spire-agent.sds.defaultSVIDName` + - `spire-agent.nodeAttestor.k8sPsat` -> `spire-agent.nodeAttestor.k8sPSAT` + ### 0.23.X In previous versions, the setting spire-agent.workloadAttestors.k8s.skipKubeletVerification was set to true by default. Starting in 0.23.x, we removed that setting and replaced it with diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md index 5a3bd3aa9..0005105d8 100644 --- a/charts/spire/charts/spiffe-csi-driver/README.md +++ b/charts/spire/charts/spiffe-csi-driver/README.md 
@@ -25,50 +25,52 @@ A Helm chart to install the SPIFFE CSI driver. ### SPIFFE CSI Driver Chart parameters -| Name | Description | Value | -| --------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------- | -| `pluginName` | Set the csi driver name deployed to Kubernetes. | `csi.spiffe.io` | -| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `image.repository` | The repository within the registry | `spiffe/spiffe-csi-driver` | -| `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `resources` | Resource requests and limits for spiffe-csi-driver | `{}` | -| `healthChecks.port` | The healthcheck port for spiffe-csi-driver | `9809` | -| `updateStrategy.type` | The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete. | `RollingUpdate` | -| `updateStrategy.rollingUpdate.maxUnavailable` | Max unavailable pods during update. Can be a number or a percentage. 
| `1` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | -| `livenessProbe.timeoutSeconds` | Timeout value in seconds for livenessProbe | `5` | -| `imagePullSecrets` | Image pull secret details for spiffe-csi-driver | `[]` | -| `nameOverride` | Name override for spiffe-csi-driver | `""` | -| `namespaceOverride` | Namespace to install spiffe-csi-driver | `""` | -| `fullnameOverride` | Full name override for spiffe-csi-driver | `""` | -| `csiDriverLabels` | Labels to apply to the CSIDriver | `{}` | -| `initContainers` | Init Containers to apply to the CSI Driver DaemonSet | `[]` | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` | -| `podAnnotations` | Pod annotations for spiffe-csi-driver | `{}` | -| `podSecurityContext` | Security context for CSI driver pods | `{}` | -| `securityContext.readOnlyRootFilesystem` | Flag for read only root filesystem | `true` | -| `securityContext.privileged` | Flag for specifying privileged mode | `true` | -| `nodeSelector` | Node selector for CSI driver pods | `{}` | -| `tolerations` | Tolerations for CSI driver pods | `[]` | -| `affinity` | Node affinity | `{}` | -| `nodeDriverRegistrar.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` | -| `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` | -| `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.4` | -| `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` | -| `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` 
| -| `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` | -| `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | -| `restrictedScc.enabled` | Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support | `false` | -| `restrictedScc.name` | Set the name of the restricted SCC with CSI support | `""` | -| `restrictedScc.version` | Version of the restricted SCC | `2` | -| `selinux.enabled` | Enable selinux support | `false` | -| `selinux.context` | Which selinux context to use | `container_file_t` | -| `selinux.image.registry` | The OCI registry to pull the image from | `registry.access.redhat.com` | -| `selinux.image.repository` | The repository within the registry | `ubi9` | -| `selinux.image.pullPolicy` | The image pull policy | `Always` | -| `selinux.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest` | +| Name | Description | Value | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------- | +| `pluginName` | Set the csi driver name deployed to Kubernetes. | `csi.spiffe.io` | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/spiffe-csi-driver` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `resources` | Resource requests and limits for spiffe-csi-driver | `{}` | +| `healthChecks.port` | The healthcheck port for spiffe-csi-driver | `9809` | +| `updateStrategy.type` | The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete. 
| `RollingUpdate` | +| `updateStrategy.rollingUpdate.maxUnavailable` | Max unavailable pods during update. Can be a number or a percentage. | `1` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | +| `livenessProbe.timeoutSeconds` | Timeout value in seconds for livenessProbe | `5` | +| `imagePullSecrets` | Image pull secret details for spiffe-csi-driver | `[]` | +| `nameOverride` | Name override for spiffe-csi-driver | `""` | +| `namespaceOverride` | Namespace to install spiffe-csi-driver | `""` | +| `serverNamespaceOverride` | Override the namespace that the spire-server is installed into | `""` | +| `validatingAdmissionPolicy.enabled` | When set to auto, the validatingAdmissionPolicy will be enabled when the pluginName == "upstream.csi.spiffe.io" and k8s >= 1.30.0. Valid options are [auto, true, false] | `auto` | +| `fullnameOverride` | Full name override for spiffe-csi-driver | `""` | +| `csiDriverLabels` | Labels to apply to the CSIDriver | `{}` | +| `initContainers` | Init Containers to apply to the CSI Driver DaemonSet | `[]` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. 
| `""` | +| `podAnnotations` | Pod annotations for spiffe-csi-driver | `{}` | +| `podSecurityContext` | Security context for CSI driver pods | `{}` | +| `securityContext.readOnlyRootFilesystem` | Flag for read only root filesystem | `true` | +| `securityContext.privileged` | Flag for specifying privileged mode | `true` | +| `nodeSelector` | Node selector for CSI driver pods | `{}` | +| `tolerations` | Tolerations for CSI driver pods | `[]` | +| `affinity` | Node affinity | `{}` | +| `nodeDriverRegistrar.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` | +| `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` | +| `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.4` | +| `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` | +| `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | +| `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` | +| `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. 
| `""` | +| `restrictedScc.enabled` | Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support | `false` | +| `restrictedScc.name` | Set the name of the restricted SCC with CSI support | `""` | +| `restrictedScc.version` | Version of the restricted SCC | `2` | +| `selinux.enabled` | Enable selinux support | `false` | +| `selinux.context` | Which selinux context to use | `container_file_t` | +| `selinux.image.registry` | The OCI registry to pull the image from | `registry.access.redhat.com` | +| `selinux.image.repository` | The repository within the registry | `ubi9` | +| `selinux.image.pullPolicy` | The image pull policy | `Always` | +| `selinux.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest` | diff --git a/charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl b/charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl index 4fd5fcd04..ddc1be598 100644 --- a/charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl +++ b/charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl @@ -40,6 +40,23 @@ Allow the release namespace to be overridden for multi-namespace deployments in {{- end -}} {{- end -}} +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "spiffe-csi-driver.server-namespace" -}} + {{- if .Values.serverNamespaceOverride -}} + {{- .Values.serverNamespaceOverride -}} + {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} + {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }} + {{- .Values.global.spire.namespaces.server.name }} + {{- else }} + {{- printf "spire-server" }} + {{- end }} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} 
diff --git a/charts/spire/charts/spiffe-csi-driver/templates/policy.yaml b/charts/spire/charts/spiffe-csi-driver/templates/policy.yaml new file mode 100644 index 000000000..6c82b45bb --- /dev/null +++ b/charts/spire/charts/spiffe-csi-driver/templates/policy.yaml @@ -0,0 +1,37 @@ +{{- $upstream := eq .Values.pluginName "upstream.csi.spiffe.io" }} +{{- $detectedValidation := semverCompare ">=1.30-0" .Capabilities.KubeVersion.GitVersion -}} +{{- $policyEnabled := .Values.validatingAdmissionPolicy.enabled | toString }} +{{- $auto := eq $policyEnabled "auto" }} +{{- if or (eq $policyEnabled "true") (and $auto $upstream $detectedValidation) }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: {{ .Values.pluginName | quote }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["pods"] + validations: + - expression: | + !object.spec.volumes.exists(c, has(c.csi) && has(c.csi.driver) && c.csi.driver == {{ .Values.pluginName | quote }}) + message: 'you may not use the upstream.csi.spiffe.io csi driver' +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: {{ .Values.pluginName | quote }} +spec: + policyName: {{ .Values.pluginName | quote }} + validationActions: ["Deny"] + matchResources: + namespaceSelector: + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: NotIn + values: + - {{ include "spiffe-csi-driver.server-namespace" . | quote }} +{{- end }} diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml index 3381a96ec..8e97b37c0 100644 --- a/charts/spire/charts/spiffe-csi-driver/values.yaml +++ b/charts/spire/charts/spiffe-csi-driver/values.yaml 
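Review bot: The CEL expression `!object.spec.volumes.exists(c, ...)` dereferences `object.spec.volumes` without a `has()` guard, and a Pod with no volumes at all (for example `automountServiceAccountToken: false` and nothing mounted) has that field absent; in ValidatingAdmissionPolicy a missing-key evaluation error is treated as a failed validation, and with `failurePolicy: Fail` plus `validationActions: ["Deny"]` such pods would be rejected in every namespace except the server one — if that reading of the missing-field semantics is right, this is a cluster-wide denial for volume-less pods. Guard it: `!has(object.spec.volumes) || !object.spec.volumes.exists(c, has(c.csi) && has(c.csi.driver) && c.csi.driver == {{ .Values.pluginName | quote }})`. Separately, the `message` hardcodes `upstream.csi.spiffe.io` while the policy matches on `.Values.pluginName`, so with `validatingAdmissionPolicy.enabled=true` and any other plugin name the denial names the wrong driver; `message: {{ printf "you may not use the %s csi driver" .Values.pluginName | quote }}` keeps them in sync. A short template comment stating the intent — presumably keeping ordinary workloads from mounting the upstream driver, and hence the upstream agent socket, outside the server namespace — would also help the next reader understand why it is only auto-enabled for the upstream plugin name.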
@@ -60,6 +60,13 @@ nameOverride: ""
 
 ## @param namespaceOverride Namespace to install spiffe-csi-driver
 namespaceOverride: ""
 
+## @param serverNamespaceOverride Override the namespace that the spire-server is installed into
+serverNamespaceOverride: ""
+
+validatingAdmissionPolicy:
+ ## @param validatingAdmissionPolicy.enabled When set to auto, the validatingAdmissionPolicy will be enabled when the pluginName == "upstream.csi.spiffe.io" and k8s >= 1.30.0. Valid options are [auto, true, false]
+ enabled: auto
+
 ## @param fullnameOverride Full name override for spiffe-csi-driver
 fullnameOverride: ""
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml
index 05f64e903..1dd20c7bb 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml
@@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider
 description: A Helm chart to install the SPIFFE OIDC discovery provider.
 type: application
 version: 0.1.0
-appVersion: "1.10.3"
+appVersion: "1.11.0"
 keywords: ["spiffe", "oidc"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
index 772d992c1..40d50cda4 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
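Review bot: The `## @param serverNamespaceOverride` description does not say what the value is used for; in this commit it only feeds `spiffe-csi-driver.server-namespace`, which policy.yaml uses to exempt exactly one namespace from the ValidatingAdmissionPolicy, so a wrong override changes which namespace may mount the upstream driver and that is worth stating next to the knob. I would write `## @param serverNamespaceOverride Namespace the spire-server is installed into; this namespace is exempted from the validatingAdmissionPolicy. Defaults to global.spire.namespaces.server.name or the release namespace`. The `validatingAdmissionPolicy.enabled` description says `k8s >= 1.30.0` while the template checks `semverCompare ">=1.30-0"`, which also matches 1.30 pre-releases; `k8s >= 1.30` would describe the code more precisely.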
@@ -25,115 +25,116 @@ A Helm chart to install the SPIFFE OIDC discovery provider. ### Chart parameters -| Name | Description | Value | -| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- | -| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` | -| `csiDriverName` | The csi driver to use | `csi.spiffe.io` | -| `replicaCount` | Replica count | `1` | -| `namespaceOverride` | Namespace override | `""` | -| `annotations` | Annotations for the deployment | `{}` | -| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `image.repository` | The repository within the registry | `spiffe/oidc-discovery-provider` | -| `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `spiffeHelper.image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `spiffeHelper.image.repository` | The repository within the registry | `spiffe/spiffe-helper` | -| `spiffeHelper.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `spiffeHelper.image.tag` | Overrides the image tag whose default is the chart appVersion | `nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6` | -| `spiffeHelper.resources` | Resource requests and limits | `{}` | -| `resources` | Resource requests and limits | `{}` | -| `service.type` | Service type | `ClusterIP` | -| `service.ports.http` | Insecure port for the service | `80` | -| `service.ports.https` | Secure port for the service | `443` | -| `service.annotations` | Annotations for service resource | `{}` | -| `configMap.annotations` | Annotations to 
add to the SPIFFE OIDC Discovery Provider ConfigMap | `{}` | -| `podSecurityContext` | Pod security context for OIDC discovery provider pods | `{}` | -| `securityContext` | Security context for OIDC discovery provider deployment | `{}` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | -| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | -| `podAnnotations` | Pod annotations for Spire OIDC discovery provider | `{}` | -| `tls.spire.enabled` | Use spire to secure the oidc-discovery-provider | `true` | -| `tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` | -| `tls.externalSecret.secretName` | Specify which Secret to use | `""` | -| `tls.certManager.enabled` | Use certificateManager to create the certificate | `false` | -| `tls.certManager.issuer.create` | Create an issuer to use to issue the certificate | `true` | -| `tls.certManager.issuer.acme.email` | Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service | `""` | -| `tls.certManager.issuer.acme.server` | Server to use to get certificate. Defaults to LetsEncrypt | `https://acme-v02.api.letsencrypt.org/directory` | -| `tls.certManager.issuer.acme.solvers` | Configure the issuer solvers. Defaults to http01 via ingress. | `{}` | -| `tls.certManager.certificate.dnsNames` | Override the dnsNames on the certificate request. Defaults to the same settings as Ingress | `[]` | -| `tls.certManager.certificate.issuerRef.group` | If you are using an external plugin, specify the group for it here | `""` | -| `tls.certManager.certificate.issuerRef.kind` | Kind of the issuer reference. 
Override if you want to use a ClusterIssuer | `Issuer` | -| `tls.certManager.certificate.issuerRef.name` | Name of the issuer to use. If unset, it will use the name of the built in issuer | `""` | -| `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from. Only used when TLS is disabled. | `docker.io` | -| `insecureScheme.nginx.image.repository` | The repository within the registry. Only used when TLS is disabled. | `nginxinc/nginx-unprivileged` | -| `insecureScheme.nginx.image.pullPolicy` | The image pull policy. Only used when TLS is disabled. | `IfNotPresent` | -| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.27.1-alpine` | -| `insecureScheme.nginx.ipMode` | IP modes supported by the cluster. Must be one of [ipv4, ipv6, both] | `both` | -| `insecureScheme.nginx.resources` | Resource requests and limits | `{}` | -| `jwtIssuer` | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset | `""` | -| `config.logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | -| `config.additionalDomains` | Add additional domains that can be used for oidc discovery | `[]` | -| `imagePullSecrets` | Image pull secret names | `[]` | -| `nameOverride` | Name override | `""` | -| `fullnameOverride` | Full name override | `""` | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. 
| `""` | -| `deleteHook.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` | -| `autoscaling.enabled` | Flag to enable autoscaling | `false` | -| `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | -| `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `5` | -| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` | -| `autoscaling.targetMemoryUtilizationPercentage` | Target Memory utlization that triggers autoscaling | `80` | -| `nodeSelector` | Node selector | `{}` | -| `tolerations` | iist of tolerations | `[]` | -| `affinity` | Node affinity | `{}` | -| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` | -| `clusterDomain` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `cluster.local` | -| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | -| `telemetry.prometheus.port` | Port for prometheus metrics | `9988` | -| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | -| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the helm release | `""` | -| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | -| `telemetry.prometheus.nginxExporter.image.registry` | The OCI registry to pull the image from | `docker.io` | -| `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry | `nginx/nginx-prometheus-exporter` | -| `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.3.0` | -| `telemetry.prometheus.nginxExporter.resources` | Resource requests and limits | `{}` | -| 
`ingress.enabled` | Flag to enable ingress | `false` | -| `ingress.className` | Ingress class name | `""` | -| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | -| `ingress.annotations` | Annotations for ingress object | `{}` | -| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `oidc-discovery` | -| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | -| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | -| `ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. 
| `[]` | -| `tests.hostAliases` | List of host aliases for testing | `[]` | -| `tests.tls.enabled` | Flag for enabling tls for tests | `false` | -| `tests.tls.customCA` | Custom CA value for tests | `""` | -| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | -| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | -| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a` | -| `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | -| `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | -| `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5420e15d91112458fc573755954c9174dbf4db8d802c4de3aac18145f5a78a17` | -| `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | -| `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | -| `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.27.2` | -| `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | -| `tests.busybox.image.repository` | The repository within the registry | `busybox` | -| `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.36.1-uclibc` | -| `tests.agent.image.registry` | The OCI registry to pull the image from | `ghcr.io` | -| `tests.agent.image.repository` | The repository within the registry | `spiffe/spire-agent` 
| -| `tests.agent.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.agent.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | -| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | -| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | -| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | +| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` | +| `csiDriverName` | The csi driver to use | `csi.spiffe.io` | +| `replicaCount` | Replica count | `1` | +| `namespaceOverride` | Namespace override | `""` | +| `annotations` | Annotations for the deployment | `{}` | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/oidc-discovery-provider` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `spiffeHelper.image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `spiffeHelper.image.repository` | The repository within the registry | `spiffe/spiffe-helper` | +| `spiffeHelper.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `spiffeHelper.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.8.0` | +| `spiffeHelper.resources` | Resource requests 
and limits | `{}` | +| `resources` | Resource requests and limits | `{}` | +| `service.type` | Service type | `ClusterIP` | +| `service.ports.http` | Insecure port for the service | `80` | +| `service.ports.https` | Secure port for the service | `443` | +| `service.annotations` | Annotations for service resource | `{}` | +| `configMap.annotations` | Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap | `{}` | +| `podSecurityContext` | Pod security context for OIDC discovery provider pods | `{}` | +| `securityContext` | Security context for OIDC discovery provider deployment | `{}` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `podAnnotations` | Pod annotations for Spire OIDC discovery provider | `{}` | +| `tls.spire.enabled` | Use spire to secure the oidc-discovery-provider | `true` | +| `tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` | +| `tls.externalSecret.secretName` | Specify which Secret to use | `""` | +| `tls.certManager.enabled` | Use certificateManager to create the certificate | `false` | +| `tls.certManager.issuer.create` | Create an issuer to use to issue the certificate | `true` | +| `tls.certManager.issuer.acme.email` | Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service | `""` | +| `tls.certManager.issuer.acme.server` | Server to use to get certificate. Defaults to LetsEncrypt | `https://acme-v02.api.letsencrypt.org/directory` | +| `tls.certManager.issuer.acme.solvers` | Configure the issuer solvers. Defaults to http01 via ingress. | `{}` | +| `tls.certManager.certificate.dnsNames` | Override the dnsNames on the certificate request. 
Defaults to the same settings as Ingress | `[]` | +| `tls.certManager.certificate.issuerRef.group` | If you are using an external plugin, specify the group for it here | `""` | +| `tls.certManager.certificate.issuerRef.kind` | Kind of the issuer reference. Override if you want to use a ClusterIssuer | `Issuer` | +| `tls.certManager.certificate.issuerRef.name` | Name of the issuer to use. If unset, it will use the name of the built in issuer | `""` | +| `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from. Only used when TLS is disabled. | `docker.io` | +| `insecureScheme.nginx.image.repository` | The repository within the registry. Only used when TLS is disabled. | `nginxinc/nginx-unprivileged` | +| `insecureScheme.nginx.image.pullPolicy` | The image pull policy. Only used when TLS is disabled. | `IfNotPresent` | +| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.27.2-alpine` | +| `insecureScheme.nginx.ipMode` | IP modes supported by the cluster. Must be one of [ipv4, ipv6, both] | `both` | +| `insecureScheme.nginx.resources` | Resource requests and limits | `{}` | +| `jwtIssuer` | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset | `""` | +| `config.logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | +| `config.jwtDomain` | The JWT domain. 
Defaults to oidc-discovery.$jwtIssuer URL-parsed host if unset | `""` | +| `config.additionalDomains` | Add additional domains that can be used for oidc discovery | `[]` | +| `imagePullSecrets` | Image pull secret names | `[]` | +| `nameOverride` | Name override | `""` | +| `fullnameOverride` | Full name override | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` | +| `deleteHook.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` | +| `autoscaling.enabled` | Flag to enable autoscaling | `false` | +| `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | +| `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `5` | +| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` | +| `autoscaling.targetMemoryUtilizationPercentage` | Target Memory utlization that triggers autoscaling | `80` | +| `nodeSelector` | Node selector | `{}` | +| `tolerations` | iist of tolerations | `[]` | +| `affinity` | Node affinity | `{}` | +| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` | +| `clusterDomain` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `cluster.local` | +| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | +| `telemetry.prometheus.port` | Port for prometheus metrics | `9988` | +| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | +| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the helm release | `""` | +| `telemetry.prometheus.podMonitor.labels` | Pod 
labels to filter for prometheus monitoring | `{}` | +| `telemetry.prometheus.nginxExporter.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry | `nginx/nginx-prometheus-exporter` | +| `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.3.0` | +| `telemetry.prometheus.nginxExporter.resources` | Resource requests and limits | `{}` | +| `ingress.enabled` | Flag to enable ingress | `false` | +| `ingress.className` | Ingress class name | `""` | +| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | +| `ingress.annotations` | Annotations for ingress object | `{}` | +| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `oidc-discovery` | +| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | +| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | +| `ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. 
| `[]` | +| `tests.hostAliases` | List of host aliases for testing | `[]` | +| `tests.tls.enabled` | Flag for enabling tls for tests | `false` | +| `tests.tls.customCA` | Custom CA value for tests | `""` | +| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | +| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2` | +| `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | +| `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:424ac4637dac08a4594643b548d9af10144dcd6360b4b319a4c143841bf0bfee` | +| `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | +| `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.27.5` | +| `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | +| `tests.busybox.image.repository` | The repository within the registry | `busybox` | +| `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.37.0-uclibc` | +| `tests.agent.image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `tests.agent.image.repository` | The repository within the registry | `spiffe/spire-agent` 
|
+| `tests.agent.image.pullPolicy` | The image pull policy | `IfNotPresent` |
+| `tests.agent.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
+| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` |
+| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` |
+| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` |
+| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml
index 3fdb93a0b..6906852fd 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml
@@ -23,9 +23,12 @@ domains:
 - "{{ include "spiffe-oidc-discovery-provider.fullname" . }}"
 - "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}"
 - "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}"
- {{- $uri := urlParse (include "spire-lib.jwt-issuer" .) }}
- {{- $jwtIssuer := (default $uri.path $uri.host) }}
- {{- uniq (concat (list $jwtIssuer) .Values.config.additionalDomains) | toYaml | nindent 2 }}
+ {{- $jwtDomain := .Values.config.jwtDomain }}
+ {{- if not $jwtDomain }}
+ {{- $uri := urlParse (include "spire-lib.jwt-issuer" .) }}
+ {{- $jwtDomain = (default $uri.path $uri.host) }}
+ {{- end }}
+ {{- uniq (concat (list $jwtDomain) .Values.config.additionalDomains) | toYaml | nindent 2 }}
 {{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }}
 allow_insecure_scheme: true
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
index 3e99bb26d..0d1a82874 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
@@ -50,7 +50,7 @@ spec:
 args:
 - -config
 - /etc/spiffe-helper.conf
- - -exitWhenReady
+ - -daemon-mode=false
 volumeMounts:
 - name: spiffe-workload-api
 mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }}
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
index f59b18cc1..7ad04e2fd 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
@@ -41,7 +41,7 @@ spiffeHelper:
 registry: ghcr.io
 repository: spiffe/spiffe-helper
 pullPolicy: IfNotPresent
- tag: nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6
+ tag: 0.8.0
 ## @param spiffeHelper.resources [object] Resource requests and limits
 resources: {}
@@ -164,7 +164,7 @@ insecureScheme:
 registry: docker.io
 repository: nginxinc/nginx-unprivileged
 pullPolicy: IfNotPresent
- tag: 1.27.1-alpine
+ tag: 1.27.2-alpine
 ## @param insecureScheme.nginx.ipMode IP modes supported by the cluster. Must be one of [ipv4, ipv6, both]
 ipMode: both
 ## @param insecureScheme.nginx.resources Resource requests and limits
@@ -186,6 +186,8 @@ jwtIssuer: ""
 config:
 ## @param config.logLevel The log level, valid values are "debug", "info", "warn", and "error"
 logLevel: info
+ ## @param config.jwtDomain [string] The JWT domain. Defaults to oidc-discovery.$jwtIssuer URL-parsed host if unset
+ jwtDomain: ""
 ## @param config.additionalDomains [array] Add additional domains that can be used for oidc discovery
 additionalDomains: []
 # - localhost
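Review bot: `-daemon-mode=false` replaces `-exitWhenReady` in the spiffe-helper `args` with nothing in the template tying the flag to the `spiffeHelper.image.tag` move from a `nightly@sha256:…` digest to `0.8.0` in values.yaml in this same commit, so a user who pins `spiffeHelper.image.tag` to an older image will presumably get an unknown-flag failure in this container with no hint as to why. I would add a template comment above the args, e.g. `{{- /* flag set matches spiffe-helper 0.8.0, the chart default (-daemon-mode=false replaced -exitWhenReady); re-check when overriding spiffeHelper.image.tag */ -}}`, and mention the minimum image version in the `spiffeHelper.image.tag` @param description. The container definition starts outside the hunk.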
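Review bot: The new `## @param config.jwtDomain` description ("Defaults to oidc-discovery.$jwtIssuer URL-parsed host if unset") does not match what configmap.yaml does in this commit: when the value is empty the template takes the host of the `spire-lib.jwt-issuer` URL, falling back to its path when there is no host, and no `oidc-discovery.` prefix is applied at that point. I would write `## @param config.jwtDomain [string] Domain added to the discovery provider's domains list. If unset, the host (or path, when the URL has no host) of the jwtIssuer URL is used`. The same sentence appears in the README table of this commit and should be regenerated from values.yaml rather than edited by hand.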
@@ -330,7 +332,7 @@ tests:
 registry: cgr.dev
 repository: chainguard/bash
 pullPolicy: IfNotPresent
- tag: latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a
+ tag: latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2
 toolkit:
 ## @param tests.toolkit.image.registry The OCI registry to pull the image from
@@ -342,7 +344,7 @@ tests:
 registry: cgr.dev
 repository: chainguard/min-toolkit-debug
 pullPolicy: IfNotPresent
- tag: latest@sha256:5420e15d91112458fc573755954c9174dbf4db8d802c4de3aac18145f5a78a17
+ tag: latest@sha256:424ac4637dac08a4594643b548d9af10144dcd6360b4b319a4c143841bf0bfee
 step:
 ## @param tests.step.image.registry The OCI registry to pull the image from
@@ -354,7 +356,7 @@ tests:
 registry: "docker.io"
 repository: smallstep/step-cli
 pullPolicy: IfNotPresent
- tag: 0.27.2
+ tag: 0.27.5
 busybox:
 ## @param tests.busybox.image.registry The OCI registry to pull the image from
@@ -366,7 +368,7 @@ tests:
 registry: ""
 repository: busybox
 pullPolicy: IfNotPresent
- tag: 1.36.1-uclibc
+ tag: 1.37.0-uclibc
 agent:
 ## @param tests.agent.image.registry The OCI registry to pull the image from
diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml
index 234a5cac4..88a2da48b 100644
--- a/charts/spire/charts/spire-agent/Chart.yaml
+++ b/charts/spire/charts/spire-agent/Chart.yaml
@@ -3,7 +3,7 @@ name: spire-agent
 description: A Helm chart to install the SPIRE agent.
 type: application
 version: 0.1.0
-appVersion: "1.10.3"
+appVersion: "1.11.0"
 keywords: ["spiffe", "spire-agent"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md
index a662ace88..a51518508 100644
--- a/charts/spire/charts/spire-agent/README.md
+++ b/charts/spire/charts/spire-agent/README.md
@@ -53,6 +53,7 @@ A Helm chart to install the SPIRE agent. | `trustDomain` | The trust domain to be used for the SPIFFE identifiers | `example.org` | | `trustBundleURL` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap | `""` | | `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `pem` | +| `trustBundleHostPath` | If set, obtain trust bundle from a file on the host instead of from the ConfigMap | `""` | | `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` | | `availabilityTarget` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. | `""` | | `server.address` | Address for Spire server | `""` | 
@@ -69,10 +70,10 @@ A Helm chart to install the SPIRE agent. | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` | -| `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s Node Attestor | `true` | +| `nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s Node Attestor | `true` | | `nodeAttestor.httpChallenge.enabled` | Enable the http challenge Node Attestor | `false` | | `nodeAttestor.httpChallenge.agentname` | Name of this agent. Useful if you have multiple agents bound to different spire servers on the same host and sharing the same port. | `default` | | `nodeAttestor.httpChallenge.port` | The port to listen on. If 0, a random value will be used. | `0` | 
@@ -84,7 +85,7 @@ A Helm chart to install the SPIRE agent. | `nodeAttestor.tpmDirect.plugin.image.tag` | Overrides the image tag | `v1.8.7` | | `nodeAttestor.tpmDirect.plugin.checksum` | The sha256 checksum of the plugin binary | `1d7c73ccac948ee86cbd78ddde2d30128a1838b403f7bb2100d38d916a252244` | | `nodeAttestor.tpmDirect.plugin.path` | The filename in the container of the plugin | `/app/tpm_attestor_agent` | -| `nodeAttestor.tpmDirect.pubHash.enabled` | Enable Psat k8s nodeattestor | `true` | +| `nodeAttestor.tpmDirect.pubHash.enabled` | Display pubhash in logs | `true` | | `nodeAttestor.tpmDirect.pubHash.image.registry` | The OCI registry to pull the image from | `docker.io` | | `nodeAttestor.tpmDirect.pubHash.image.repository` | The repository within the registry | `boxboat/spire-tpm-plugin-get-tpm-pubhash` | | `nodeAttestor.tpmDirect.pubHash.image.pullPolicy` | The image pull policy | `IfNotPresent` | 
@@ -95,13 +96,13 @@ A Helm chart to install the SPIRE agent. | `workloadAttestors.k8s.verification.hostCert.basePath` | Path where kubelet places its certificates | `/var/lib/kubelet/pki` | | `workloadAttestors.k8s.verification.hostCert.fileName` | File name where kubelet places its certificates. If blank, it will be auto detected. | `""` | | `workloadAttestors.k8s.disableContainerSelectors` | Set to true if using holdApplicationUntilProxyStarts in Istio | `false` | -| `workloadAttestors.k8s.useNewContainerLocator` | If true, enables the new container locator algorithm that has support for cgroups v2. Defaults to false | `false` | +| `workloadAttestors.k8s.useNewContainerLocator` | If true, enables the new container locator algorithm that has support for cgroups v2. Defaults to true | `true` | | `workloadAttestors.k8s.verboseContainerLocatorLogs` | If true, enables verbose logging of mountinfo and cgroup information used to locate containers. Defaults to false | `false` | | `sds.enabled` | Enables Envoy SDS configuration | `false` | -| `sds.defaultSvidName` | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS | `default` | +| `sds.defaultSVIDName` | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS | `default` | | `sds.defaultBundleName` | The Validation Context resource name to use for the default X.509 bundle with Envoy SDS | `ROOTCA` | | `sds.defaultAllBundlesName` | The Validation Context resource name to use for all bundles (including federated) with Envoy SDS | `ALL` | -| `sds.disableSpiffeCertValidation` | Disable Envoy SDS custom validation | `false` | +| `sds.disableSPIFFECertValidation` | Disable Envoy SDS custom validation | `false` | | `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | | `telemetry.prometheus.port` | Port for prometheus metrics | `9988` | | `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | 
@@ -113,12 +114,12 @@ A Helm chart to install the SPIRE agent. | `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` | | `socketAlternate.image.pullPolicy` | The image pull policy | `Always` | -| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a` | +| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2` | | `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `hostCert.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `hostCert.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | | `hostCert.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `hostCert.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:5420e15d91112458fc573755954c9174dbf4db8d802c4de3aac18145f5a78a17` | +| `hostCert.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:424ac4637dac08a4594643b548d9af10144dcd6360b4b319a4c143841bf0bfee` | | `hostCert.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | | `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | diff --git a/charts/spire/charts/spire-agent/templates/_helpers.tpl b/charts/spire/charts/spire-agent/templates/_helpers.tpl index fe7714752..34e6b082c 100644 
--- a/charts/spire/charts/spire-agent/templates/_helpers.tpl +++ b/charts/spire/charts/spire-agent/templates/_helpers.tpl @@ -75,20 +75,20 @@ Create chart name and version as used by the chart label. Common labels */}} {{- define "spire-agent.labels" -}} -helm.sh/chart: {{ include "spire-agent.chart" . }} +helm.sh/chart: {{ include "spire-agent.chart" . | quote }} {{ include "spire-agent.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} {{- end }} {{/* Selector labels */}} {{- define "spire-agent.selectorLabels" -}} -app.kubernetes.io/name: {{ include "spire-agent.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "spire-agent.name" . | quote }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} {{- end }} {{/* diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index d659ce796..73a003ea6 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -41,6 +41,8 @@ agent: {{- if ne (len .Values.trustBundleURL) 0 }} trust_bundle_url: {{ .Values.trustBundleURL | quote }} trust_bundle_format: {{ .Values.trustBundleFormat | quote }} + {{- else if ne (len .Values.trustBundleHostPath) 0 }} + trust_bundle_path: {{ .Values.trustBundleHostPath | quote }} {{- else }} trust_bundle_path: "/run/spire/bundle/bundle.crt" {{- end }} 
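Review bot: When both `trustBundleURL` and `trustBundleHostPath` are set, the new `else if` silently ignores the host file and the agent bootstraps its trust from the URL, with nothing in the rendered config telling the operator which source won. These are two mutually exclusive ways to supply the only trust anchor the agent has for the server, so the render should refuse the combination rather than pick one: `{{- if and (ne (len .Values.trustBundleURL) 0) (ne (len .Values.trustBundleHostPath) 0) }}{{ fail "trustBundleURL and trustBundleHostPath are mutually exclusive" }}{{- end }}` placed just above the existing `if`. The `agent:` block this sits in starts and ends outside the hunk.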
@@ -50,10 +52,10 @@ agent: {{- end }} {{- if .Values.sds.enabled }} sds: - default_svid_name: {{ .Values.sds.defaultSvidName | quote }} + default_svid_name: {{ .Values.sds.defaultSVIDName | quote }} default_bundle_name: {{ .Values.sds.defaultBundleName | quote }} default_all_bundles_name: {{ .Values.sds.defaultAllBundlesName | quote }} - disable_spiffe_cert_validation: {{ .Values.sds.disableSpiffeCertValidation }} + disable_spiffe_cert_validation: {{ eq .Values.sds.disableSPIFFECertValidation true }} {{- end }} {{- with .Values.experimental }} @@ -73,7 +75,7 @@ agent: {{- $keyManagerUsed := add (len .Values.customPlugins.keyManager) (len .Values.unsupportedBuiltInPlugins.keyManager) }} plugins: NodeAttestor: - {{- if .Values.nodeAttestor.k8sPsat.enabled }} + {{- if .Values.nodeAttestor.k8sPSAT.enabled }} k8s_psat: plugin_data: cluster: {{ include "spire-lib.cluster-name" . | quote }} @@ -97,7 +99,7 @@ plugins: {{- if eq (.enabled | toString) "true" }} tpm: plugin_cmd: "/tpm/tpm_attestor_agent" - plugin_checksum: {{ .plugin.checksum }} + plugin_checksum: {{ .plugin.checksum | quote }} plugin_data: {} {{- $nodeAttestorUsed = add1 $nodeAttestorUsed }} {{- end }} 
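Review bot: Quoting `plugin_checksum` fixes the scalar type, but nothing stops an empty `nodeAttestor.tpmDirect.plugin.checksum` from rendering `plugin_checksum: ""`; the plugin binary is copied out of a container image and then executed by the agent, and this checksum is the only integrity check on it (as far as I can tell SPIRE skips verification of an external plugin when the checksum is unset — worth confirming against the SPIRE docs). Suggest failing the render instead of emitting an empty value: `{{- if not .plugin.checksum }}{{ fail "nodeAttestor.tpmDirect.plugin.checksum must be set when tpmDirect is enabled" }}{{- end }}` immediately before `plugin_checksum:`. The enclosing block that rebinds `.` to the tpmDirect values starts outside this hunk.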
@@ -126,9 +128,9 @@ plugins: kubelet_ca_path: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt {{- end }} skip_kubelet_verification: {{ eq .Values.workloadAttestors.k8s.verification.type "skip" }} - disable_container_selectors: {{ .Values.workloadAttestors.k8s.disableContainerSelectors }} - use_new_container_locator: {{ .Values.workloadAttestors.k8s.useNewContainerLocator }} - verbose_container_locator_logs: {{ .Values.workloadAttestors.k8s.verboseContainerLocatorLogs }} + disable_container_selectors: {{ eq .Values.workloadAttestors.k8s.disableContainerSelectors true}} + use_new_container_locator: {{ eq .Values.workloadAttestors.k8s.useNewContainerLocator true }} + verbose_container_locator_logs: {{ eq .Values.workloadAttestors.k8s.verboseContainerLocatorLogs true }} {{- if eq (include "spire-agent.connect-by-hostname" .) "true" }} node_name_env: "MY_NODE_NAME" {{- end }} @@ -168,8 +170,8 @@ telemetry: apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "spire-agent.fullname" . }}{{ $nameSuffix }} - namespace: {{ include "spire-agent.namespace" . }} + name: {{ printf "%s%s" (include "spire-agent.fullname" .) $nameSuffix | quote }} + namespace: {{ include "spire-agent.namespace" . | quote }} {{- with .Values.configMap.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index 3bec7b06a..805c4c00b 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml 
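Review bot: `disable_container_selectors: {{ eq .Values.workloadAttestors.k8s.disableContainerSelectors true}}` drops the space before `}}` that the two lines below it keep; Go templates accept it, but it reads as a typo next to its siblings, so `... disableContainerSelectors true }}`. One caveat on the `eq ... true` pattern itself: as far as I recall text/template's `eq` returns "incompatible types for comparison" when the kinds differ, so a value passed as the string `"true"` (e.g. via `--set-string`) now aborts the render instead of being coerced — that fail-closed behaviour is arguably desirable but deserves a one-line comment so the next maintainer does not "fix" it.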
@@ -1,5 +1,14 @@ {{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }} {{- $root := . }} +{{- if hasKey .Values.nodeAttestor "k8sPsat" }} +{{- fail "k8sPsat was renamed to k8sPSAT. Please update your config." }} +{{- end }} +{{- if hasKey .Values.sds "defaultSvidName" }} +{{- fail "defaultSvidName was renamed to defaultSVIDName. Please update your config." }} +{{- end }} +{{- if hasKey .Values.sds "disableSpiffeCertValidation" }} +{{- fail "disableSpiffeCertValidation was renamed to disableSPIFFECertValidation. Please update your config." }} +{{- end }} {{- range $name := (concat (list "default") (keys .Values.agents)) | uniq }} {{- with (dict "Release" $root.Release "Chart" $root.Chart "Values" (deepCopy $root.Values)) }} {{- $nameSuffix := "" }} @@ -22,16 +31,16 @@ apiVersion: apps/v1 kind: DaemonSet metadata: - name: {{ include "spire-agent.fullname" . }}{{ $nameSuffix }} - namespace: {{ include "spire-agent.namespace" . }} + name: {{ printf "%s%s" (include "spire-agent.fullname" .) $nameSuffix | quote }} + namespace: {{ include "spire-agent.namespace" . | quote}} labels: {{- include "spire-agent.labels" . | nindent 4 }} - app.kubernetes.io/component: {{ $name }} + app.kubernetes.io/component: {{ $name | quote }} spec: selector: matchLabels: {{- include "spire-agent.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: {{ $name }} + app.kubernetes.io/component: {{ $name | quote }} {{- with .Values.updateStrategy }} updateStrategy: {{- if not (has .type (list "RollingUpdate" "OnDelete")) }} 
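Review bot: The three `hasKey` guards inspect only the top-level `.Values`, so a stale `k8sPsat`, `defaultSvidName` or `disableSpiffeCertValidation` left inside a per-agent override under `.Values.agents` (values.yaml's own example shows `agents.<name>.nodeAttestor.k8sPSAT`) passes the check and, after the rename, is silently ignored — for `k8sPsat: enabled: false` that leaves the PSAT attestor enabled for that agent. The per-agent merge happens inside the `range` that follows, outside this hunk, so I cannot see exactly how overrides are applied; a guard over the overrides would be `{{- range $n, $a := .Values.agents }}{{- if hasKey (dig "nodeAttestor" (dict) $a) "k8sPsat" }}{{ fail (printf "agents.%s.nodeAttestor.k8sPsat was renamed to k8sPSAT" $n) }}{{- end }}{{- end }}`, with the same shape for the two `sds` keys.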
@@ -47,13 +56,13 @@ spec: metadata: annotations: kubectl.kubernetes.io/default-container: spire-agent - checksum/config: {{ $configSum }} + checksum/config: {{ $configSum | quote }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} labels: {{- include "spire-agent.selectorLabels" . | nindent 8 }} - app.kubernetes.io/component: {{ $name }} + app.kubernetes.io/component: {{ $name | quote }} {{- with .Values.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} @@ -65,7 +74,7 @@ spec: hostPID: true hostNetwork: true dnsPolicy: ClusterFirstWithHostNet - serviceAccountName: {{ include "spire-agent.serviceAccountName" . }} + serviceAccountName: {{ include "spire-agent.serviceAccountName" . | quote }} securityContext: {{- toYaml $podSecurityContext | nindent 8 }} {{- include "spire-lib.default_node_priority_class_name" . | nindent 6 }} 
@@ -79,17 +88,17 @@ spec: securityContext: {{- $mainSecurityContext | toYaml | nindent 12 }} image: {{ template "spire-lib.image" (dict "image" .Values.hostCert.image "global" .Values.global) }} - imagePullPolicy: {{ .Values.hostCert.image.pullPolicy }} + imagePullPolicy: {{ .Values.hostCert.image.pullPolicy | quote }} command: ["bash", "-xc"] args: - | {{- if ne .Values.workloadAttestors.k8s.verification.hostCert.fileName "" }} - openssl x509 -in "{{ .Values.workloadAttestors.k8s.verification.hostCert.basePath }}/{{ .Values.workloadAttestors.k8s.verification.hostCert.fileName }}" -out /hostCert/kubelet.crt + openssl x509 -in {{ printf "%s/%s" .Values.workloadAttestors.k8s.verification.hostCert.basePath .Values.workloadAttestors.k8s.verification.hostCert.fileName | quote }} -out /hostCert/kubelet.crt {{- else }} if [ -f "{{ .Values.workloadAttestors.k8s.verification.hostCert.basePath }}/kubelet-server-current.pem" ]; then - openssl x509 -in "{{ .Values.workloadAttestors.k8s.verification.hostCert.basePath }}/kubelet-server-current.pem" -out /hostCert/kubelet.crt + openssl x509 -in {{ printf "%s/kubelet-server-current.pem" .Values.workloadAttestors.k8s.verification.hostCert.basePath | quote }} -out /hostCert/kubelet.crt elif [ -f "{{ .Values.workloadAttestors.k8s.verification.hostCert.basePath }}/kubelet.crt" ]; then - openssl x509 -in "{{ .Values.workloadAttestors.k8s.verification.hostCert.basePath }}/kubelet.crt" -out /hostCert/kubelet.crt + openssl x509 -in {{ printf "%s/kubelet.crt" .Values.workloadAttestors.k8s.verification.hostCert.basePath | quote }} -out /hostCert/kubelet.crt else {{- if eq .Values.workloadAttestors.k8s.verification.type "auto" }} {{- if $cbh }} 
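Review bot: Within this init script the `openssl x509 -in` arguments now go through `printf … | quote`, but the `[ -f "{{ …basePath }}/kubelet-server-current.pem" ]` and `[ -f "{{ …basePath }}/kubelet.crt" ]` tests still splice the raw value into a double-quoted shell string; the two forms escape differently (Go `%q` escaping versus none), so a `basePath` containing `"` or `\` renders validly in one and breaks the other. Use the same form in the tests, e.g. `if [ -f {{ printf "%s/kubelet-server-current.pem" .Values.workloadAttestors.k8s.verification.hostCert.basePath | quote }} ]; then`. Because the container runs `bash -xc`, `$` and backticks are still expanded inside either quoting, which is acceptable only as long as these values come from the operator. The if/elif chain continues past the end of the hunk.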
@@ -97,7 +106,7 @@ spec: {{- else }} URL="https://localhost:10250/spec/" {{- end }} - curl --caPath /var/run/secrets/kubernetes.io/serviceaccount/ca.crt "$URL" + curl --capath /var/run/secrets/kubernetes.io/serviceaccount/ca.crt "$URL" if [ $? -eq 0 ]; then echo Mode detected as apiServerCA. ln -s /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /hostCert/kubelet.crt @@ -150,7 +159,7 @@ spec: readOnly: true - name: kmsg mountPath: /dev/kmsg - imagePullPolicy: {{ .Values.nodeAttestor.tpmDirect.pubHash.image.pullPolicy }} + imagePullPolicy: {{ .Values.nodeAttestor.tpmDirect.pubHash.image.pullPolicy | quote }} {{- end }} - name: init-tpm-direct securityContext: @@ -161,16 +170,16 @@ spec: - -ec - | # SPIRE must be able to fork the plugin directly within its container. Copy the plugin into a volume that can be mounted where SPIRE can execute it. - cp -a {{ .Values.nodeAttestor.tpmDirect.plugin.path }} /tpm/tpm_attestor_agent + cp -a {{ .Values.nodeAttestor.tpmDirect.plugin.path | quote }} /tpm/tpm_attestor_agent volumeMounts: - name: tpm-direct mountPath: /tpm - imagePullPolicy: {{ .Values.nodeAttestor.tpmDirect.plugin.image.pullPolicy }} + imagePullPolicy: {{ .Values.nodeAttestor.tpmDirect.plugin.image.pullPolicy | quote }} {{- end }} {{- if gt (len $socketAlternateNames) 0 }} - name: ensure-alternate-names image: {{ template "spire-lib.image" (dict "image" .Values.socketAlternate.image "global" .Values.global) }} - imagePullPolicy: {{ .Values.socketAlternate.image.pullPolicy }} + imagePullPolicy: {{ .Values.socketAlternate.image.pullPolicy | quote }} command: ["bash", "-xc"] {{- /* 1. Look for symlinks pointing at the wrong place and remove them. 2. Make symlinks that don't exist. 3. If new socket is pointing at an existing symlink, remove old symlink. */}} args: 
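Review bot: `--capath` expects a directory of hash-named CA certificates, but the argument is the single PEM file `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`, so curl loads no CA from it and verification of the kubelet's serving certificate should always fail — meaning the `Mode detected as apiServerCA` branch on the next line is never taken (the old `--caPath` appears to have been rejected as an unknown option, so the branch was dead before this change as well). The flag for a single bundle file is `--cacert`: `curl --max-time 10 --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt "$URL"`; do not add `--fail` here, since an HTTP 401 from the kubelet after a successful TLS handshake is exactly the signal this probe is looking for, and `--max-time` keeps the init container from hanging on a kubelet that never answers. The surrounding if/else chain begins in the previous hunk and ends outside this one.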
@@ -178,7 +187,7 @@ spec: cd {{ $socketPath | dir }} {{- range $socketAlternateNames }} L=`readlink {{ . }}` - [ "x$L" != "x{{ $socketPath | base}}" ] && rm -f {{ . }} + [ "x$L" != "x{{ $socketPath | base }}" ] && rm -f {{ . }} [ ! -L {{ . }} ] && ln -s {{ $socketPath | base }} {{ . }} {{- end }} [ -L {{ $socketPath | base }} ] && rm -f {{ $socketPath | base }} @@ -195,12 +204,12 @@ spec: {{- if gt (int (dig "fsGroup" 0 $podSecurityContext)) 0 }} - name: fsgroupfix image: {{ template "spire-lib.image" (dict "image" .Values.fsGroupFix.image "global" .Values.global) }} - imagePullPolicy: {{ .Values.fsGroupFix.image.pullPolicy }} + imagePullPolicy: {{ .Values.fsGroupFix.image.pullPolicy | quote }} command: ["bash", "-c"] args: - | - chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ $socketPath | dir }} /tmp/spire-agent/private - chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} /var/lib/spire + chown -R {{ printf "%v:%v" $podSecurityContext.runAsUser $podSecurityContext.fsGroup | quote }} {{ $socketPath | dir }} /tmp/spire-agent/private + chown -R {{ printf "%v:%v" $podSecurityContext.runAsUser $podSecurityContext.fsGroup | quote }} /var/lib/spire resources: {{- toYaml .Values.fsGroupFix.resources | nindent 12 }} volumeMounts: @@ -218,9 +227,9 @@ spec: {{- toYaml .Values.initContainers | nindent 8 }} {{- end }} containers: - - name: {{ .Chart.Name }} + - name: {{ .Chart.Name | quote }} image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }} - imagePullPolicy: {{ .Values.image.pullPolicy }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} args: ["-config", "/opt/spire/conf/agent/agent.conf"] securityContext: {{- $mainSecurityContext | toYaml | nindent 12 }} 
@@ -256,8 +265,12 @@ spec: {{- end }} {{- if eq (len .Values.trustBundleURL) 0 }} - name: spire-bundle - mountPath: /run/spire/bundle readOnly: true + {{- if ne (len .Values.trustBundleHostPath) 0 }} + mountPath: {{ .Values.trustBundleHostPath | dir | quote }} + {{- else }} + mountPath: /run/spire/bundle + {{- end }} {{- end }} {{- if .Values.nodeAttestor.tpmDirect.enabled }} - name: tpm-direct @@ -314,7 +327,11 @@ spec: {{- if .Values.sockets.admin.mountOnHost }} - name: spire-agent-admin-socket-dir hostPath: - path: {{ .Values.sockets.hostBasePath }}/{{ if .Values.upstream }}upstream.csi.spiffe.io{{ else }}csi.spiffe.io{{ end }}/admin + {{- if .Values.upstream }} + path: {{ printf "%s/upstream.csi.spiffe.io/admin" .Values.sockets.hostBasePath | quote }} + {{- else }} + path: {{ printf "%s/csi.spiffe.io/admin" .Values.sockets.hostBasePath | quote }} + {{- end }} type: DirectoryOrCreate {{- else }} - name: spire-agent-admin-socket-dir @@ -323,7 +340,11 @@ spec: {{- if eq .Values.persistence.type "hostPath" }} - name: spire-agent-persistence hostPath: - path: {{ .Values.persistence.hostPath }}/{{ if .Values.upstream }}upstream.csi.spiffe.io{{ else }}csi.spiffe.io{{ end }} + {{- if .Values.upstream }} + path: {{ printf "%s/upstream.csi.spiffe.io" .Values.persistence.hostPath | quote }} + {{- else }} + path: {{ printf "%s/csi.spiffe.io" .Values.persistence.hostPath | quote }} + {{- end }} type: DirectoryOrCreate {{- else }} - name: spire-agent-persistence @@ -331,8 +352,13 @@ spec: {{- end }} {{- if eq (len .Values.trustBundleURL) 0 }} - name: spire-bundle + {{- if ne (len .Values.trustBundleHostPath) 0 }} + hostPath: + path: {{ .Values.trustBundleHostPath | dir | quote }} + {{- else }} configMap: - name: {{ include "spire-lib.bundle-configmap" . }}{{ $nameSuffix }} + name: {{ printf "%s%s" (include "spire-lib.bundle-configmap" .) $nameSuffix | quote }} + {{- end }} {{- end }} {{- if .Values.nodeAttestor.tpmDirect.enabled }} - name: tpm-direct 
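Review bot: `mountPath: {{ .Values.trustBundleHostPath | dir | quote }}` mirrors the host directory to the identical path inside the container, so the mount location is whatever the operator typed: a bundle at `/bundle.crt` makes `dir` return `/`, and a bundle under a directory the image already uses (such as the `/run/spire/bundle` default in the branch right below) shadows it. Mounting the host directory at a fixed container path and pointing `trust_bundle_path` at `<fixed>/<base>` would remove that coupling, though it also touches configmap.yaml; at minimum the value should be rejected unless it is absolute, e.g. `{{- if and .Values.trustBundleHostPath (not (hasPrefix "/" .Values.trustBundleHostPath)) }}{{ fail "trustBundleHostPath must be an absolute path" }}{{- end }}` alongside the rename guards at the top of this file.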
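Review bot: The new `hostPath` volume for `trustBundleHostPath` has no `type:`, unlike the other hostPath volumes in this file, which set `type: DirectoryOrCreate`. For a trust anchor the agent should fail fast rather than start against a missing or freshly auto-created directory, so `type: Directory` is the safer choice: `hostPath:` / `path: {{ .Values.trustBundleHostPath | dir | quote }}` / `type: Directory`. Note also that because `dir` is used this is a directory mount, so every file in that host directory becomes readable by the agent container, not only the bundle — worth a comment next to the value in values.yaml.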
@@ -364,7 +390,7 @@ spec: emptyDir: {} - name: host-cert hostPath: - path: {{ .Values.workloadAttestors.k8s.verification.hostCert.basePath }} + path: {{ .Values.workloadAttestors.k8s.verification.hostCert.basePath | quote }} {{- end }} {{- if gt (len .Values.extraVolumes) 0 }} {{- toYaml .Values.extraVolumes | nindent 8 }} diff --git a/charts/spire/charts/spire-agent/templates/podmonitor.yaml b/charts/spire/charts/spire-agent/templates/podmonitor.yaml index 409bfb309..a8001285b 100644 --- a/charts/spire/charts/spire-agent/templates/podmonitor.yaml +++ b/charts/spire/charts/spire-agent/templates/podmonitor.yaml @@ -5,7 +5,7 @@ apiVersion: monitoring.coreos.com/v1 kind: PodMonitor metadata: name: {{ include "spire-agent.fullname" . }} - namespace: {{ $namespace }} + namespace: {{ $namespace | quote }} labels: {{- include "spire-agent.labels" . | nindent 4 }} {{- if ne (len (dig "telemetry" "prometheus" "podMonitor" "labels" (dict) .Values.global)) 0 }} @@ -22,6 +22,6 @@ spec: - port: prom {{- if ne $namespace $podNamespace }} namespaceSelector: - kubernetes.io/metadata.name: {{ $podNamespace }} + kubernetes.io/metadata.name: {{ $podNamespace | quote }} {{- end }} {{- end }} diff --git a/charts/spire/charts/spire-agent/templates/roles.yaml b/charts/spire/charts/spire-agent/templates/roles.yaml index e6878a21f..f4df1cec1 100644 --- a/charts/spire/charts/spire-agent/templates/roles.yaml +++ b/charts/spire/charts/spire-agent/templates/roles.yaml @@ -2,7 +2,7 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ include "spire-agent.fullname" . }} + name: {{ include "spire-agent.fullname" . | quote }} rules: - apiGroups: [""] resources: 
@@ -15,12 +15,12 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ include "spire-agent.fullname" . }} + name: {{ include "spire-agent.fullname" . | quote }} subjects: - kind: ServiceAccount - name: {{ include "spire-agent.serviceAccountName" . }} - namespace: {{ include "spire-agent.namespace" . }} + name: {{ include "spire-agent.serviceAccountName" . | quote }} + namespace: {{ include "spire-agent.namespace" . | quote }} roleRef: kind: ClusterRole - name: {{ include "spire-agent.fullname" . }} + name: {{ include "spire-agent.fullname" . | quote }} apiGroup: rbac.authorization.k8s.io diff --git a/charts/spire/charts/spire-agent/templates/scc-spire-agent.yaml b/charts/spire/charts/spire-agent/templates/scc-spire-agent.yaml index 30d84f1d5..3c81651b8 100644 --- a/charts/spire/charts/spire-agent/templates/scc-spire-agent.yaml +++ b/charts/spire/charts/spire-agent/templates/scc-spire-agent.yaml @@ -2,7 +2,7 @@ apiVersion: security.openshift.io/v1 kind: SecurityContextConstraints metadata: - name: {{ include "spire-agent.fullname" . }} + name: {{ include "spire-agent.fullname" . | quote }} readOnlyRootFilesystem: true runAsUser: type: RunAsAny @@ -11,7 +11,7 @@ seLinuxContext: supplementalGroups: type: RunAsAny users: - - system:serviceaccount:{{ include "spire-agent.namespace" . }}:{{ include "spire-agent.serviceAccountName" . }} + - {{ printf "system:serviceaccount:%s:%s" (include "spire-agent.namespace" .) (include "spire-agent.serviceAccountName" .) | quote }} volumes: - configMap - hostPath diff --git a/charts/spire/charts/spire-agent/templates/serviceaccount.yaml b/charts/spire/charts/spire-agent/templates/serviceaccount.yaml index 03e447e6b..c0c347225 100644 --- a/charts/spire/charts/spire-agent/templates/serviceaccount.yaml +++ b/charts/spire/charts/spire-agent/templates/serviceaccount.yaml 
@@ -2,8 +2,8 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "spire-agent.serviceAccountName" . }} - namespace: {{ include "spire-agent.namespace" . }} + name: {{ include "spire-agent.serviceAccountName" . | quote }} + namespace: {{ include "spire-agent.namespace" . | quote }} labels: {{- include "spire-agent.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/charts/spire/charts/spire-agent/values.schema.json b/charts/spire/charts/spire-agent/values.schema.json new file mode 100644 index 000000000..de327467c --- /dev/null +++ b/charts/spire/charts/spire-agent/values.schema.json @@ -0,0 +1,50 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "server": { + "type": "object", + "properties": { + "port": { + "type": "integer", + "minimum": 1 + } + } + }, + "healthChecks": { + "type": "object", + "properties": { + "port": { + "type": "integer", + "minimum": 1 + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "initialDelaySeconds": { + "type": "integer", + "minimum": 0 + }, + "periodSeconds": { + "type": "integer", + "minimum": 1 + } + } + }, + "readinessProbe": { + "type": "object", + "properties": { + "initialDelaySeconds": { + "type": "integer", + "minimum": 0 + }, + "periodSeconds": { + "type": "integer", + "minimum": 1 + } + } + } + } +} diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index ddca0799c..94b405d3b 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml 
@@ -95,6 +95,8 @@ trustDomain: example.org trustBundleURL: "" ## @param trustBundleFormat If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" trustBundleFormat: pem +## @param trustBundleHostPath If set, obtain trust bundle from a file on the host instead of from the ConfigMap +trustBundleHostPath: "" ## @param bundleConfigMap Configmap name for Spire bundle bundleConfigMap: spire-bundle ## @param availabilityTarget The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. @@ -151,7 +153,7 @@ fsGroupFix: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a + tag: latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2 ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} @@ -162,8 +164,8 @@ keyManager: enabled: true nodeAttestor: - k8sPsat: - ## @param nodeAttestor.k8sPsat.enabled Enable Psat k8s Node Attestor + k8sPSAT: + ## @param nodeAttestor.k8sPSAT.enabled Enable PSAT k8s Node Attestor enabled: true httpChallenge: ## @param nodeAttestor.httpChallenge.enabled Enable the http challenge Node Attestor @@ -193,7 +195,7 @@ nodeAttestor: ## @param nodeAttestor.tpmDirect.plugin.path The filename in the container of the plugin path: /app/tpm_attestor_agent pubHash: - ## @param nodeAttestor.tpmDirect.pubHash.enabled Enable Psat k8s nodeattestor + ## @param nodeAttestor.tpmDirect.pubHash.enabled Display pubhash in logs enabled: true ## @param nodeAttestor.tpmDirect.pubHash.image.registry The OCI registry to pull the image from ## @param nodeAttestor.tpmDirect.pubHash.image.repository The repository within the registry 
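Review bot: The `@param trustBundleHostPath` comment does not say what the value has to be, and for a trust anchor that matters: the templates mount its parent directory from the host and read it at the same path, and it is ignored when `trustBundleURL` is also set. Suggest `## @param trustBundleHostPath Absolute path on every node to a trust bundle file (same format the default /run/spire/bundle/bundle.crt uses) used as the agent's trust anchor instead of the ConfigMap; its parent directory is mounted read-only into the agent container, and the value is ignored if trustBundleURL is set`.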
@@ -225,22 +227,22 @@ workloadAttestors: fileName: "" ## @param workloadAttestors.k8s.disableContainerSelectors Set to true if using holdApplicationUntilProxyStarts in Istio disableContainerSelectors: false - ## @param workloadAttestors.k8s.useNewContainerLocator If true, enables the new container locator algorithm that has support for cgroups v2. Defaults to false - useNewContainerLocator: false + ## @param workloadAttestors.k8s.useNewContainerLocator If true, enables the new container locator algorithm that has support for cgroups v2. Defaults to true + useNewContainerLocator: true ## @param workloadAttestors.k8s.verboseContainerLocatorLogs If true, enables verbose logging of mountinfo and cgroup information used to locate containers. Defaults to false verboseContainerLocatorLogs: false sds: ## @param sds.enabled Enables Envoy SDS configuration enabled: false - ## @param sds.defaultSvidName The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS - defaultSvidName: "default" + ## @param sds.defaultSVIDName The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS + defaultSVIDName: "default" ## @param sds.defaultBundleName The Validation Context resource name to use for the default X.509 bundle with Envoy SDS defaultBundleName: "ROOTCA" ## @param sds.defaultAllBundlesName The Validation Context resource name to use for all bundles (including federated) with Envoy SDS defaultAllBundlesName: "ALL" - ## @param sds.disableSpiffeCertValidation Disable Envoy SDS custom validation - disableSpiffeCertValidation: false + ## @param sds.disableSPIFFECertValidation Disable Envoy SDS custom validation + disableSPIFFECertValidation: false telemetry: prometheus: 
@@ -278,7 +280,7 @@ socketAlternate: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a + tag: latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2 ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} @@ -293,7 +295,7 @@ hostCert: registry: cgr.dev repository: chainguard/min-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:5420e15d91112458fc573755954c9174dbf4db8d802c4de3aac18145f5a78a17 + tag: latest@sha256:424ac4637dac08a4594643b548d9af10144dcd6360b4b319a4c143841bf0bfee ## @param hostCert.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} @@ -355,7 +357,7 @@ agents: {} # nodeSelector: # tpm: with # nodeAttestor: -# k8sPsat: +# k8sPSAT: # enabled: false # tpmDirect: # enabled: true diff --git a/charts/spire/charts/spire-lib/templates/_helpers.tpl b/charts/spire/charts/spire-lib/templates/_helpers.tpl index db33cee9f..8e3684a9b 100644 --- a/charts/spire/charts/spire-lib/templates/_helpers.tpl +++ b/charts/spire/charts/spire-lib/templates/_helpers.tpl 
@@ -53,17 +53,17 @@ {{- $repo := .image.repository }} {{- $tag := .image.tag | toString }} {{- if eq (substr 0 7 $tag) "sha256:" }} -{{- printf "%s/%s@%s" $registry $repo $tag }} +{{- printf "%s/%s@%s" $registry $repo $tag | quote }} {{- else if .appVersion }} {{- $appVersion := .appVersion }} {{- if and (hasKey . "ubi") (dig "openshift" false .global) }} {{- $appVersion = printf "ubi-%s" $appVersion }} {{- end }} -{{- printf "%s%s:%s" $registry $repo (default $appVersion $tag) }} +{{- printf "%s%s:%s" $registry $repo (default $appVersion $tag) | quote }} {{- else if $tag }} -{{- printf "%s%s:%s" $registry $repo $tag }} +{{- printf "%s%s:%s" $registry $repo $tag | quote }} {{- else }} -{{- printf "%s%s" $registry $repo }} +{{- printf "%s%s" $registry $repo | quote }} {{- end }} {{- end }} @@ -309,7 +309,7 @@ securityContext - the subbranch of values that contains the securityContext to m {{- define "spire-lib.default_node_priority_class_name" }} {{- if .Values.priorityClassName }} -priorityClassName: {{ .Values.priorityClassName }} +priorityClassName: {{ .Values.priorityClassName | quote }} {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "priorityClassName" true .Values.global) }} priorityClassName: system-node-critical {{- end }} @@ -317,7 +317,7 @@ priorityClassName: system-node-critical {{- define "spire-lib.default_cluster_priority_class_name" }} {{- if .Values.priorityClassName }} -priorityClassName: {{ .Values.priorityClassName }} +priorityClassName: {{ .Values.priorityClassName | quote }} {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "priorityClassName" true .Values.global) }} priorityClassName: system-cluster-critical {{- end }} diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml index 13be7fc15..6ba161a9f 100644 --- a/charts/spire/charts/spire-server/Chart.yaml 
+++ b/charts/spire/charts/spire-server/Chart.yaml
@@ -3,7 +3,7 @@ name: spire-server
 description: A Helm chart to install the SPIRE server.
 type: application
 version: 0.1.0
-appVersion: "1.10.3"
+appVersion: "1.11.0"
 keywords: ["spiffe", "spire-server", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index 836c534b1..218eaa22a 100644
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
@@ -125,17 +125,33 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `persistence.accessMode` | What access mode to use for persistence. Valid options are ReadWriteOnce (recommended), ReadWriteOncePod, ReadWriteMany (not recommended) | `ReadWriteOnce` | | `persistence.storageClass` | What storage class to use for persistence | `nil` | | `persistence.hostPath` | Which path to use on the host when persistence.type = hostPath | `""` | -| `dataStore.sql.databaseType` | Other supported databases are "postgres" and "mysql" | `sqlite3` | -| `dataStore.sql.databaseName` | Only used by "postgres" or "mysql" | `spire` | -| `dataStore.sql.host` | Only used by "postgres" or "mysql" | `""` | +| `dataStore.sql.databaseType` | Other supported databases are ["postgres", "mysql", "aws_postgresql", "aws_mysql"]. Note: aws type databases are still experimental | `sqlite3` | +| `dataStore.sql.databaseName` | Only used when type != "sqlite3" | `spire` | +| `dataStore.sql.host` | Only used when type != "sqlite3" | `""` | | `dataStore.sql.port` | If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. 
| `0` | -| `dataStore.sql.username` | Only used by "postgres" or "mysql" | `spire` | -| `dataStore.sql.password` | Only used by "postgres" or "mysql" | `""` | -| `dataStore.sql.options` | Only used by "postgres" or "mysql" | `[]` | -| `dataStore.sql.plugin_data` | Settings from https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md go in this section | `{}` | +| `dataStore.sql.username` | Only used when type != "sqlite3" | `spire` | +| `dataStore.sql.password` | Only used when type != "sqlite3" | `""` | +| `dataStore.sql.options` | Only used when type != "sqlite3" | `[]` | +| `dataStore.sql.rootCAPath` | Path to Root CA bundle (MySQL only) | `""` | +| `dataStore.sql.clientCertPath` | Path to client certificate (MySQL only) | `""` | +| `dataStore.sql.clientKeyPath` | Path to private key for client certificate (MySQL only) | `""` | | `dataStore.sql.externalSecret.enabled` | Enable external secret for datastore creds | `false` | | `dataStore.sql.externalSecret.name` | The name of the secret object | `""` | | `dataStore.sql.externalSecret.key` | The key of the secret object whose value is the dataStore.sql password | `""` | +| `dataStore.sql.maxOpenConns` | The maximum number of open db connections | `100` | +| `dataStore.sql.maxIdleConns` | The maximum number of idle connections in the pool | `2` | +| `dataStore.sql.connMaxLifetime` | The maximum amount of time a connection may be reused. If 0, time is unlimited | `0` | +| `dataStore.sql.disableMigration` | True to disable auto-migration functionality | `false` | +| `dataStore.sql.region` | Region to use when database type is either aws_mysql or aws_postgresql | `""` | +| `dataStore.sql.readOnly.enabled` | Set to true to configure a readOnly dartabase connection | `false` | +| `dataStore.sql.readOnly.host` | Only used when type != "sqlite3" | `""` | +| `dataStore.sql.readOnly.port` | If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. 
| `0` | +| `dataStore.sql.readOnly.username` | Only used when type != "sqlite3" | `spire` | +| `dataStore.sql.readOnly.password` | Only used when type != "sqlite3" | `""` | +| `dataStore.sql.readOnly.options` | Only used when type != "sqlite3" | `[]` | +| `dataStore.sql.readOnly.externalSecret.enabled` | Enable external secret for datastore creds | `false` | +| `dataStore.sql.readOnly.externalSecret.name` | The name of the secret object | `""` | +| `dataStore.sql.readOnly.externalSecret.key` | The key of the secret object whose value is the dataStore.sql password | `""` | | `adminIDs` | SPIFFE IDs that, when present in a caller’s X509-SVID, grant that caller admin privileges. | `[]` | | `auditLogEnabled` | If true, enables audit logging | `false` | | `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | 
@@ -147,7 +163,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `federation.enabled` | Flag to enable federation | `false` | | `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` | | `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` | -| `federation.bundleEndpoint.refresh_hint` | Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server. | `5m` | +| `federation.bundleEndpoint.refreshHint` | Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server. | `5m` | +| `federation.bundleEndpoint.profile.httpWeb.fileSyncInterval` | Interval on which to reload the certificate/key from disk | `1h` | | `federation.tls.spire.enabled` | Use spire to secure the federation bundle endpoint | `true` | | `federation.tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` | | `federation.tls.externalSecret.secretName` | Specify which Secret to use | `""` | 
@@ -168,9 +185,9 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `federation.ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | | `federation.ingress.hosts` | Host paths for ingress object. If empty, rules will be built based on the host var. | `[]` | | `federation.ingress.tls` | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. | `[]` | -| `ca_subject.country` | Country for Spire server CA | `ARPA` | -| `ca_subject.organization` | Organization for Spire server CA | `Example` | -| `ca_subject.common_name` | Common Name for Spire server CA | `example.org` | +| `caSubject.country` | Country for Spire server CA | `ARPA` | +| `caSubject.organization` | Organization for Spire server CA | `Example` | +| `caSubject.commonName` | Common Name for Spire server CA | `example.org` | | `credentialComposer.uniqueID.enabled` | Add the x509UniqueIdentifier attribute to workload X509-SVIDs | `false` | | `keyManager.disk.enabled` | Flag to enable keyManager on disk | `true` | | `keyManager.memory.enabled` | Flag to enable keyManager in memory | `false` | 
@@ -201,11 +218,11 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `upstreamAuthority.awsPCA.supplementalBundlePath` | (Optional) Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle. | `""` | | `upstreamAuthority.certManager.enabled` | Flag to enable upstream authority plugin with cert manager | `false` | | `upstreamAuthority.certManager.rbac.create` | Flag to create RBAC roles | `true` | -| `upstreamAuthority.certManager.issuer_name` | Defaults to the release name, override if CA is provided outside of the chart | `""` | -| `upstreamAuthority.certManager.issuer_kind` | Defaults to "Issuer", override if CA is provided outside of the chart | `Issuer` | -| `upstreamAuthority.certManager.issuer_group` | Defaults to "cert-manager.io", override if CA is provided outside of the chart | `cert-manager.io` | +| `upstreamAuthority.certManager.issuerName` | Defaults to the release name, override if CA is provided outside of the chart | `""` | +| `upstreamAuthority.certManager.issuerKind` | Defaults to "Issuer", override if CA is provided outside of the chart | `Issuer` | +| `upstreamAuthority.certManager.issuerGroup` | Defaults to "cert-manager.io", override if CA is provided outside of the chart | `cert-manager.io` | | `upstreamAuthority.certManager.namespace` | Specify to use a namespace other then the one the chart is installed into | `""` | -| `upstreamAuthority.certManager.kube_config_file` | Path to kube_config_file on node to setup cert manager | `""` | +| `upstreamAuthority.certManager.kubeConfigFile` | Path to kube config file on node to setup cert manager | `""` | | `upstreamAuthority.certManager.ca.create` | Creates a Cert-Manager CA | `false` | | `upstreamAuthority.certManager.ca.duration` | Duration of the CA. Defaults to 10 years | `87600h` | | `upstreamAuthority.certManager.ca.privateKey.algorithm` | Algorithm to generate private key for CA | `ECDSA` | 
@@ -230,8 +247,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `upstreamAuthority.vault.k8sAuth.k8sAuthRoleName` | Required - Name of the Vault role. The plugin authenticates against the named role | `""` | | `upstreamAuthority.vault.k8sAuth.token.audience` | Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server. See ['Service Account Documentation'](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for more info. | `vault` | | `upstreamAuthority.vault.k8sAuth.token.expiry` | Expiry time in seconds for the token | `7200` | -| `notifier.k8sbundle.enabled` | Enable local k8s bundle uploader | `true` | -| `notifier.k8sbundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` | +| `notifier.k8sBundle.enabled` | Enable local k8s bundle uploader | `true` | +| `notifier.k8sBundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` | | `notifier.externalK8sBundle.enabled` | Enable external k8s bundle uploader | `true` | | `notifier.externalK8sBundle.defaults.namespace` | Namespace to push the bundle into on clusters | `spire-system` | | `notifier.externalK8sBundle.defaults.configMap` | ConfigMap name to push the bundle into on external clusters | `spire-bundle-upstream` | 
@@ -249,7 +266,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `controllerManager.image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `controllerManager.image.repository` | The repository within the registry | `spiffe/spire-controller-manager` | | `controllerManager.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.5.0` | +| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.6.0` | | `controllerManager.resources` | Resource requests and limits for controller manager | `{}` | | `controllerManager.securityContext` | Security context | `{}` | | `controllerManager.service.type` | Service type for controller manager | `ClusterIP` | 
@@ -272,6 +289,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `controllerManager.identities.clusterSPIFFEIDs.default.admin` | Indicates any pod matched by this identity will be an admin. Use this with extreme care. | `false` | | `controllerManager.identities.clusterSPIFFEIDs.default.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `false` | | `controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames` | Auto populate DNS names from services attached to pods | `false` | +| `controllerManager.identities.clusterSPIFFEIDs.default.fallback` | Apply this ID only if there are no other matching non fallback ClusterSPIFFEIDs | `true` | | `controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled` | Enable this identity for controller manager | `false` | | `controllerManager.identities.clusterSPIFFEIDs.child-servers.type` | The type of rule this is. | `child-servers` | | `controllerManager.identities.clusterSPIFFEIDs.child-servers.downstream` | Set if this spire instance is a root server and the workloads are downstream servers. | `true` | 
@@ -327,17 +345,17 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `caTTL` | TTL for CA | `24h` | | `defaultX509SvidTTL` | TTL for X509 Svids | `4h` | | `defaultJwtSvidTTL` | TTL for JWT Svids | `1h` | -| `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s nodeattestor | `true` | -| `nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor. If namespace isn't specified, release namespace will be used. | `[]` | -| `nodeAttestor.k8sPsat.audience` | Audience for token validation. If set to [] (empty array), Kubernetes API server audience is used | `[]` | -| `nodeAttestor.k8sPsat.allowedNodeLabelKeys` | Node label keys considered for selectors | `[]` | -| `nodeAttestor.k8sPsat.allowedPodLabelKeys` | Pod label keys considered for selectors | `[]` | -| `nodeAttestor.externalK8sPsat.enabled` | Enable PSAT k8s nodeattestor for external Kubernetes clusters | `true` | -| `nodeAttestor.externalK8sPsat.defaults.serviceAccountAllowList` | Allowed service accounts for PSAT node attestor | `[]` | -| `nodeAttestor.externalK8sPsat.defaults.audience` | Audience for token validation. If it is set to an empty array ([]), Kubernetes API server audience is used | `[]` | -| `nodeAttestor.externalK8sPsat.defaults.allowedNodeLabelKeys` | Node label keys considered for selectors | `[]` | -| `nodeAttestor.externalK8sPsat.defaults.allowedPodLabelKeys` | Pod label keys considered for selectors | `[]` | -| `nodeAttestor.externalK8sPsat.clusters` | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. | `{}` | +| `nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s nodeattestor | `true` | +| `nodeAttestor.k8sPSAT.serviceAccountAllowList` | Allowed service accounts for PSAT nodeattestor. If namespace isn't specified, release namespace will be used. | `[]` | +| `nodeAttestor.k8sPSAT.audience` | Audience for token validation. 
If set to [] (empty array), Kubernetes API server audience is used | `[]` | +| `nodeAttestor.k8sPSAT.allowedNodeLabelKeys` | Node label keys considered for selectors | `[]` | +| `nodeAttestor.k8sPSAT.allowedPodLabelKeys` | Pod label keys considered for selectors | `[]` | +| `nodeAttestor.externalK8sPSAT.enabled` | Enable PSAT k8s nodeattestor for external Kubernetes clusters | `true` | +| `nodeAttestor.externalK8sPSAT.defaults.serviceAccountAllowList` | Allowed service accounts for PSAT node attestor | `[]` | +| `nodeAttestor.externalK8sPSAT.defaults.audience` | Audience for token validation. If it is set to an empty array ([]), Kubernetes API server audience is used | `[]` | +| `nodeAttestor.externalK8sPSAT.defaults.allowedNodeLabelKeys` | Node label keys considered for selectors | `[]` | +| `nodeAttestor.externalK8sPSAT.defaults.allowedPodLabelKeys` | Pod label keys considered for selectors | `[]` | +| `nodeAttestor.externalK8sPSAT.clusters` | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. | `{}` | | `nodeAttestor.joinToken.enabled` | Enable the join_token nodeattestor | `false` | | `nodeAttestor.httpChallenge.enabled` | Enable the http_challenge nodeattesto | `false` | | `nodeAttestor.httpChallenge.allowedDNSPatterns` | A list of regular expressions to match to the hostname being attested. If none match, attestation will fail. If a blank list, all hostnames are allowed. | `[]` | 
@@ -416,7 +434,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `chown.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `chown.image.repository` | The repository within the registry | `chainguard/bash` | | `chown.image.pullPolicy` | The image pull policy | `Always` | -| `chown.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a` | +| `chown.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2` | | `chown.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `experimental.enabled` | Allow configuration of experimental features | `false` | | `experimental.cacheReloadInterval` | The amount of time between two reloads of the in-memory entry cache. | `5s` | @@ -429,5 +447,5 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2` | | `kubeConfigs` | Manage additional kubeconfig files to talk to external Kubernetes clusters | `{}` | diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl index 5674c5c29..388289079 100644 
--- a/charts/spire/charts/spire-server/templates/_helpers.tpl +++ b/charts/spire/charts/spire-server/templates/_helpers.tpl @@ -66,8 +66,8 @@ Allow the release namespace to be overridden for multi-namespace deployments in {{- end -}} {{- define "spire-server.bundle-namespace" -}} - {{- if .Values.notifier.k8sbundle.namespace }} - {{- .Values.notifier.k8sbundle.namespace }} + {{- if .Values.notifier.k8sBundle.namespace }} + {{- .Values.notifier.k8sBundle.namespace }} {{- else if .Values.namespaceOverride -}} {{- .Values.namespaceOverride -}} {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }} @@ -146,9 +146,9 @@ Create the name of the service account to use {{- define "spire-server.serviceAccountAllowedList" }} {{- $releaseNamespace := include "spire-server.agent-namespace" . }} -{{- if ne (len .Values.nodeAttestor.k8sPsat.serviceAccountAllowList) 0 }} +{{- if ne (len .Values.nodeAttestor.k8sPSAT.serviceAccountAllowList) 0 }} {{- $list := list }} -{{- range .Values.nodeAttestor.k8sPsat.serviceAccountAllowList }} +{{- range .Values.nodeAttestor.k8sPSAT.serviceAccountAllowList }} {{- if contains ":" . }} {{- $list = append $list . }} {{- else }} 
@@ -189,20 +189,44 @@ Create the name of the service account to use {{- end }} {{- define "spire-server.datastore-config" }} -{{- $config := deepCopy .Values.dataStore.sql.plugin_data }} +{{- $config := dict }} +{{- $pw := "" }} +{{- $ropw := "" }} {{- if eq .Values.dataStore.sql.databaseType "sqlite3" }} {{- $_ := set $config "database_type" "sqlite3" }} {{- $_ := set $config "connection_string" "/run/spire/data/datastore.sqlite3" }} -{{- else if eq .Values.dataStore.sql.databaseType "mysql" }} - {{- $_ := set $config "database_type" "mysql" }} +{{- else if or (eq .Values.dataStore.sql.databaseType "mysql") (eq .Values.dataStore.sql.databaseType "aws_mysql") }} + {{- if eq .Values.dataStore.sql.databaseType "mysql" }} + {{- $_ := set $config "database_type" "mysql" }} + {{- $pw = "${DBPW}" }} + {{- $ropw = "${RODBPW}" }} + {{- else }} + {{- $_ := set $config "database_type" (list (dict "aws_mysql" (dict "region" .Values.dataStore.sql.region))) }} + {{- end }} {{- $port := int .Values.dataStore.sql.port | default 3306 }} {{- $query := include "spire-server.config-mysql-query" .Values.dataStore.sql.options }} - {{- $_ := set $config "connection_string" (printf "%s:${DBPW}@tcp(%s:%d)/%s%s" .Values.dataStore.sql.username .Values.dataStore.sql.host $port .Values.dataStore.sql.databaseName $query) }} -{{- else if eq .Values.dataStore.sql.databaseType "postgres" }} - {{- $_ := set $config "database_type" "postgres" }} + {{- $_ := set $config "connection_string" (printf "%s:%s@tcp(%s:%d)/%s%s" .Values.dataStore.sql.username $pw .Values.dataStore.sql.host $port .Values.dataStore.sql.databaseName $query) }} + {{- if .Values.dataStore.sql.readOnly.enabled }} + {{- $roPort := int .Values.dataStore.sql.readOnly.port | default 3306 }} + {{- $roQuery := include "spire-server.config-mysql-query" .Values.dataStore.sql.readOnly.options }} + {{- $_ := set $config "ro_connection_string" (printf "%s:%s@tcp(%s:%d)/%s%s" .Values.dataStore.sql.readOnly.username $ropw 
.Values.dataStore.sql.readOnly.host $roPort .Values.dataStore.sql.readOnly.databaseName $roQuery) }} + {{- end }} +{{- else if or (eq .Values.dataStore.sql.databaseType "postgres") (eq .Values.dataStore.sql.databaseType "aws_postgres") }} + {{- if eq .Values.dataStore.sql.databaseType "postgres" }} + {{- $_ := set $config "database_type" "postgres" }} + {{- $pw = " password=${DBPW}" }} + {{- $ropw = " password=${RODBPW}" }} + {{- else }} + {{- $_ := set $config "database_type" (list (dict "aws_postgres" (dict "region" .Values.dataStore.sql.region))) }} + {{- end }} {{- $port := int .Values.dataStore.sql.port | default 5432 }} {{- $options:= include "spire-server.config-postgresql-options" .Values.dataStore.sql.options }} - {{- $_ := set $config "connection_string" (printf "dbname=%s user=%s password=${DBPW} host=%s port=%d%s" .Values.dataStore.sql.databaseName .Values.dataStore.sql.username .Values.dataStore.sql.host $port $options) }} + {{- $_ := set $config "connection_string" (printf "dbname=%s user=%s%s host=%s port=%d%s" .Values.dataStore.sql.databaseName .Values.dataStore.sql.username $pw .Values.dataStore.sql.host $port $options) }} + {{- if .Values.dataStore.sql.readOnly.enabled }} + {{- $roPort := int .Values.dataStore.sql.readOnly.port | default 5432 }} + {{- $roOptions:= include "spire-server.config-postgresql-options" .Values.dataStore.sql.readOnly.options }} + {{- $_ := set $config "ro_connection_string" (printf "dbname=%s user=%s%s host=%s port=%d%s" .Values.dataStore.sql.readOnly.databaseName $ropw .Values.dataStore.sql.readOnly.username .Values.dataStore.sql.readOnly.host $roPort $roOptions) }} + {{- end }} {{- else }} {{- fail "Unsupported database type" }} {{- end }} 
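Review bot: The postgres `ro_connection_string` passes `$ropw` before `.Values.dataStore.sql.readOnly.username`, but the format is `dbname=%s user=%s%s host=%s port=%d%s`, so the rendered string becomes `user= password=${RODBPW}<username> host=...` — an empty user and a password with the username glued onto it; the arguments should follow the primary string's order, `.Values.dataStore.sql.readOnly.databaseName .Values.dataStore.sql.readOnly.username $ropw .Values.dataStore.sql.readOnly.host $roPort $roOptions`. Both read-only strings also reference `.Values.dataStore.sql.readOnly.databaseName`, which the README table in this commit does not list among the readOnly keys; if values.yaml does not declare it, the database name renders empty (values.yaml is outside this chunk). For the `aws_mysql`/`aws_postgres` types `$pw` and `$ropw` stay empty, which is presumably intended for IAM-based authentication and is worth a one-line comment at the top of the define, e.g. `{{/* aws_* types authenticate without a password; DBPW/RODBPW are only substituted for plain mysql/postgres */}}`.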
@@ -274,7 +298,7 @@ The code below determines what connection type should be used. {{- end }} {{- $args = append $args (printf "https://%s/" $host) }} {{- else }} -{{- $args = append $args (printf "http://%s/" $host) }} +{{- $args = append $args (printf "-k -L http://%s/" $host) }} {{- end }} {{ $args | toYaml }} {{- end -}} @@ -293,17 +317,17 @@ The code below determines what connection type should be used. {{- define "spire-server.ca-subject-country" }} {{- $g := dig "spire" "caSubject" "country" "" .Values.global }} -{{- default .Values.ca_subject.country $g }} +{{- default .Values.caSubject.country $g }} {{- end }} {{- define "spire-server.ca-subject-organization" }} {{- $g := dig "spire" "caSubject" "organization" "" .Values.global }} -{{- default .Values.ca_subject.organization $g }} +{{- default .Values.caSubject.organization $g }} {{- end }} {{- define "spire-server.ca-subject-common-name" }} {{- $g := dig "spire" "caSubject" "commonName" "" .Values.global }} -{{- default .Values.ca_subject.common_name $g }} +{{- default .Values.caSubject.commonName $g }} {{- end }} {{- define "spire-server.subject" }} diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index c43f35867..f365cec04 100644 --- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml 
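Review bot: The new http branch folds `-k -L` into the same list element as the URL, while the https branch kept as context above appends a bare URL, so the two branches are asymmetric and `-k -L http://…/` becomes a single entry in the `$args | toYaml` output; if that list is consumed as a container `args` array the flags are not split from the URL, and if it is joined into a shell string the asymmetry is at least confusing. If these are curl options, `-k` disables server certificate verification for whatever target `-L` redirects to, so a check using them would pass against an endpoint presenting any certificate; the reason this is acceptable for the plain-HTTP path deserves a comment, e.g. `{{/* plain-HTTP mode: follow the redirect and skip verification of the test endpoint's certificate */}}`, or the flags should be appended as separate entries ahead of the URL. The define that builds `$args` begins outside the hunk.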
@@ -1,9 +1,9 @@ {{- include "spire-lib.check-strict-mode" (list . "clusterName must be set" (eq (include "spire-lib.cluster-name" .) "example-cluster"))}} {{- include "spire-lib.check-strict-mode" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}} {{- include "spire-lib.check-strict-mode" (list . "jwtIssuer must be set" (eq (include "spire-lib.jwt-issuer" .) "https://oidc-discovery.example.org"))}} -{{- include "spire-lib.check-strict-mode" (list . "ca_subject.country must be set" (eq (include "spire-server.ca-subject-country" .) "ARPA"))}} -{{- include "spire-lib.check-strict-mode" (list . "ca_subject.organization must be set" (eq (include "spire-server.ca-subject-organization" .) "Example"))}} -{{- include "spire-lib.check-strict-mode" (list . "ca_subject.common_name must be set" (eq (include "spire-server.ca-subject-common-name" .) "example.org"))}} +{{- include "spire-lib.check-strict-mode" (list . "caSubject.country must be set" (eq (include "spire-server.ca-subject-country" .) "ARPA"))}} +{{- include "spire-lib.check-strict-mode" (list . "caSubject.organization must be set" (eq (include "spire-server.ca-subject-organization" .) "Example"))}} +{{- include "spire-lib.check-strict-mode" (list . "caSubject.commonNname must be set" (eq (include "spire-server.ca-subject-common-name" .) "example.org"))}} {{- range $type, $tvals := .Values.customPlugins }} {{- if not (has $type (list "bundlePublisher" "credentialComposer" "keyManager" "nodeAttestor" "upstreamAuthority" "notifier")) }} {{- fail (printf "Unknown plugin type specified: %s" $type) }} 
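Review bot: The third renamed strict-mode message spells the key as `caSubject.commonNname`, which does not match the value `caSubject.commonName` that the user actually has to set, so the failure text points at a non-existent key; change it to `"caSubject.commonName must be set"`. The other two messages on this line already use the correct renamed keys.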
@@ -38,9 +38,6 @@ {{- if and (eq (.Values.keyManager.awsKMS.keyIdentifierFile.enabled | toString) "true") (eq (.Values.keyManager.awsKMS.keyIdentifierValue.enabled | toString ) "true") }} {{- fail "You can only enable one of keyIdentifierFile or keyIdentifierValue at a time" }} {{- end }} -{{- if hasKey .Values.federation.bundleEndpoint "profile" }} -{{- fail "Configuring the federation bundle endpoint profile directly isn't supported. You can specify the settings via federation.tls" }} -{{- end }} {{- define "spire-server.yaml-config" -}} {{- $upstreamAuthorityUsed := 0 }} {{- $keyManagerUsed := 0 }} @@ -69,12 +66,24 @@ server: organization: [{{ include "spire-server.ca-subject-organization" . | quote }}] common_name: {{ include "spire-server.ca-subject-common-name" . | quote }} - {{- with .Values.federation }} - {{- if eq (.enabled | toString) "true" }} + {{- if eq (.Values.federation.enabled | toString) "true" }} federation: bundle_endpoint: - - {{ .bundleEndpoint | toYaml | nindent 8 }} - {{- end }} + address: {{ .Values.federation.bundleEndpoint.address | quote }} + port: {{ .Values.federation.bundleEndpoint.port }} + refresh_hint: {{ .Values.federation.bundleEndpoint.refreshHint | quote }} + profile: + {{- if .Values.federation.tls.spire.enabled }} + - https_spiffe: {} + {{ else }} + - https_web: + serving_cert_file: + file_sync_interval: {{ .Values.federation.bundleEndpoint.profile.httpWeb.fileSyncInterval }} + {{- if or .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled }} + cert_file_path: /bundle-endpoint-tls/tls.crt + key_file_path: /bundle-endpoint-tls/tls.key + {{- end }} + {{- end }} {{- end }} {{- with .Values.experimental }} 
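Review bot: In the new `https_web` branch of the second hunk, `serving_cert_file` only receives `cert_file_path`/`key_file_path` when `federation.tls.certManager.enabled` or `federation.tls.externalSecret.enabled` is true, so a deployment with `federation.tls.spire.enabled: false` and neither source enabled renders a profile whose `serving_cert_file` contains only `file_sync_interval` and no certificate at all; a render-time guard would surface that configuration earlier than a SPIRE startup failure, e.g. `{{- else }}` / `{{- fail "federation.tls: enable spire, certManager or externalSecret to serve the bundle endpoint" }}` before the closing `{{- end }}`. The `{{ else }}` on the https_spiffe/https_web switch also lacks the `-` trim every neighbouring action uses, which leaves a stray blank line in the rendered config; `{{- else }}` matches the rest of the template. The `refresh_hint`, `address` and `port` lines look consistent with the renamed `refreshHint` value documented in this commit.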
@@ -101,16 +110,31 @@ plugins: DataStore: sql: plugin_data: - {{ include "spire-server.datastore-config" . | nindent 10 }} + {{ include "spire-server.datastore-config" . | nindent 8 }} + {{- if ne .Values.dataStore.sql.rootCAPath "" }} + root_ca_path: {{ .Values.dataStore.sql.rootCAPath }} + {{- end }} + {{- if ne .Values.dataStore.sql.clientCertPath "" }} + client_cert_path: {{ .Values.dataStore.sql.clientCertPath }} + {{- end }} + {{- if ne .Values.dataStore.sql.clientKeyPath "" }} + client_key_path : {{ .Values.dataStore.sql.clientKeyPath }} + {{- end }} + max_open_conns: {{ .Values.dataStore.sql.maxOpenConns }} + max_idle_conns: {{ .Values.dataStore.sql.maxIdleConns }} + {{- if ne (int .Values.dataStore.sql.connMaxLifetime) 0 }} + conn_max_lifetime: {{ .Values.dataStore.sql.connMaxLifetime }} + {{- end }} + disable_migration: {{ .Values.dataStore.sql.disableMigration }} - {{- if or .Values.nodeAttestor.k8sPsat.enabled .Values.nodeAttestor.externalK8sPsat.enabled .Values.nodeAttestor.joinToken.enabled .Values.nodeAttestor.httpChallenge.enabled .Values.nodeAttestor.tpmDirect.enabled }} + {{- if or .Values.nodeAttestor.k8sPSAT.enabled .Values.nodeAttestor.externalK8sPSAT.enabled .Values.nodeAttestor.joinToken.enabled .Values.nodeAttestor.httpChallenge.enabled .Values.nodeAttestor.tpmDirect.enabled }} NodeAttestor: - {{- $clusters := default .Values.kubeConfigs .Values.nodeAttestor.externalK8sPsat.clusters }} - {{- if or (eq (.Values.nodeAttestor.k8sPsat.enabled | toString) "true") (and (eq (.Values.nodeAttestor.externalK8sPsat.enabled | toString) "true") (gt (len $clusters) 0)) }} + {{- $clusters := default .Values.kubeConfigs .Values.nodeAttestor.externalK8sPSAT.clusters }} + {{- if or (eq (.Values.nodeAttestor.k8sPSAT.enabled | toString) "true") (and (eq (.Values.nodeAttestor.externalK8sPSAT.enabled | toString) "true") (gt (len $clusters) 0)) }} k8s_psat: plugin_data: clusters: - {{- with .Values.nodeAttestor.k8sPsat }} + {{- with .Values.nodeAttestor.k8sPSAT }} 
{{- if eq (.enabled | toString) "true" }} - {{ include "spire-lib.cluster-name" $root }}: service_account_allow_list: {{ include "spire-server.serviceAccountAllowedList" $root | trim }} @@ -121,12 +145,12 @@ plugins: {{ toYaml .allowedPodLabelKeys | nindent 14 }} {{- end }} {{- end }} - {{- if eq (.Values.nodeAttestor.externalK8sPsat.enabled | toString) "true" }} - {{- $clusterDefaults := .Values.nodeAttestor.externalK8sPsat.defaults }} + {{- if eq (.Values.nodeAttestor.externalK8sPSAT.enabled | toString) "true" }} + {{- $clusterDefaults := .Values.nodeAttestor.externalK8sPSAT.defaults }} {{- range $name, $_ := $clusters }} {{- $clusterSettings := dict }} - {{- if hasKey $root.Values.nodeAttestor.externalK8sPsat.clusters $name }} - {{- $clusterSettings = index $root.Values.nodeAttestor.externalK8sPsat.clusters $name }} + {{- if hasKey $root.Values.nodeAttestor.externalK8sPSAT.clusters $name }} + {{- $clusterSettings = index $root.Values.nodeAttestor.externalK8sPSAT.clusters $name }} {{- end }} - {{ $name }}: {{- if hasKey $clusterSettings "kubeConfigName" }} @@ -233,11 +257,11 @@ plugins: {{- end }} {{- $externalK8sBundleClusters := default .Values.kubeConfigs .Values.notifier.externalK8sBundle.clusters }} - {{- if or .Values.notifier.k8sbundle.enabled (and .Values.notifier.externalK8sBundle.enabled (ne (len $externalK8sBundleClusters) 0)) }} + {{- if or .Values.notifier.k8sBundle.enabled (and .Values.notifier.externalK8sBundle.enabled (ne (len $externalK8sBundleClusters) 0)) }} Notifier: k8sbundle: plugin_data: - {{- if eq (.Values.notifier.k8sbundle.enabled | toString) "true" }} + {{- if eq (.Values.notifier.k8sBundle.enabled | toString) "true" }} namespace: {{ include "spire-server.bundle-namespace" . | quote }} config_map: {{ include "spire-lib.bundle-configmap" . | quote }} {{- end }} 
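Review bot: The three new TLS path keys in the datastore hunk are rendered unquoted (`root_ca_path: {{ .Values.dataStore.sql.rootCAPath }}`) while the rest of this config quotes string values, and `client_key_path :` carries a stray space before the colon; `root_ca_path: {{ .Values.dataStore.sql.rootCAPath | quote }}`, the same for the cert and key paths, and `client_key_path:` keep the output uniform and safe for paths containing YAML-significant characters. These paths are handed straight to SPIRE's datastore plugin and nothing in this hunk mounts them into the server container, so the README entries for `rootCAPath`/`clientCertPath`/`clientKeyPath` should say that the operator is responsible for mounting the files at those paths (the mount side is outside this chunk, so this is hedged). The `nindent 10` to `nindent 8` change must line up with the indentation of the new keys that follow it, which the collapsed diff does not let me verify.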
@@ -307,12 +331,12 @@ plugins: UpstreamAuthority: cert-manager: plugin_data: - issuer_name: {{ default (printf "%s-ca" (include "spire-server.fullname" $root)) .issuer_name }} - issuer_kind: {{ .issuer_kind | quote }} - issuer_group: {{ .issuer_group | quote }} - namespace: {{ default $root.Release.Namespace .namespace | quote }} - {{- if ne .kube_config_file "" }} - kube_config_file: {{ .kube_config_file | quote }} + issuer_name: {{ default (printf "%s-ca" (include "spire-server.fullname" $root)) .issuerName }} + issuer_kind: {{ .issuerKind | quote }} + issuer_group: {{ .issuerGroup | quote }} + namespace: {{ default (include "spire-server.namespace" $) .namespace | quote }} + {{- if ne .kubeConfigFile "" }} + kube_config_file: {{ .kubeConfigFile | quote }} {{- end }} {{- end }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml index 7642d7af3..1973bdaba 100644 --- a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml +++ b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml 
@@ -30,7 +30,7 @@ matchLabels: {{ $namespaces := list .Release.Namespace .Values.namespaceOverride (dig "spire" "namespaces" "server" "name" "" .Values.global) (dig "spire" "namespaces" "system" "name" "" .Values.global) | compact | uniq }} {{- range $key, $value := .Values.controllerManager.identities.clusterSPIFFEIDs }} {{- range $skey, $svalue := $value }} -{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "type" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames")) }} +{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "type" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames" "fallback" "hint")) }} {{- fail (printf "Unsupported property specified: %s" $skey) }} {{- end }} {{- end }} @@ -63,6 +63,13 @@ metadata: {{- end }} spec: className: {{ include "spire-server.controller-manager-class-name" $root | quote }} + {{- if hasKey $value "hint" }} + {{- if ne $value.hint "" }} + hint: {{ $value.hint }} + {{- end }} + {{- else }} + hint: {{ $key }} + {{- end }} {{- if and (hasKey $value "spiffeIDTemplate") (ne (len $value.spiffeIDTemplate) 0) }} spiffeIDTemplate: {{ $value.spiffeIDTemplate | quote }} {{- else }} @@ -103,6 +110,9 @@ spec: {{- with $value.autoPopulateDNSNames }} autoPopulateDNSNames: {{ . }} {{- end }} + {{- with $value.fallback }} + fallback: {{ . }} + {{- end }} {{- end }} {{- end }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/federation-ingress.yaml b/charts/spire/charts/spire-server/templates/federation-ingress.yaml index 2eb89794d..d3c497590 100644 --- a/charts/spire/charts/spire-server/templates/federation-ingress.yaml +++ b/charts/spire/charts/spire-server/templates/federation-ingress.yaml 
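Review bot: `{{- with $value.fallback }}` in the last hunk of this file renders nothing when the value is `false`, because `with` treats a false boolean as empty, so an identity that explicitly sets `fallback: false` is indistinguishable from one that leaves it unset and the CRD default decides; `{{- if hasKey $value "fallback" }}` / `fallback: {{ $value.fallback }}` / `{{- end }}` renders the user's choice faithfully. Since `fallback` decides whether a ClusterSPIFFEID is applied only when no other identity matches a pod, the rendered value should be explicit rather than implied. In the `hint` hunk, `hint: {{ $value.hint }}` and `hint: {{ $key }}` are unquoted where the neighbouring `spiffeIDTemplate` uses `| quote`; `hint: {{ $value.hint | quote }}` and `hint: {{ $key | quote }}` match it.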
@@ -4,33 +4,18 @@ {{- $path := "/"}} {{- $pathType := "Prefix" }} {{- $tlsSection := true }} -{{/* Until https://github.com/spiffe/spire/issues/2202 is resolved, use ingress to implement cert-manager and externalSecret support. */}} -{{- $federationIngress := deepCopy .Values.federation.ingress }} -{{- if .Values.federation.tls.certManager.enabled }} -{{- $secret := printf "%s-federation-cert" $svcName }} -{{- $_ := set $federationIngress "tlsSecret" $secret }} -{{- end }} -{{- if .Values.federation.tls.externalSecret.enabled }} -{{- $_ := set $federationIngress "tlsSecret" .Values.federation.tls.externalSecret.secretName }} -{{- end }} {{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.federation.ingress) }} {{- $annotations := deepCopy .Values.federation.ingress.annotations }} {{- if eq $ingressControllerType "ingress-nginx" }} {{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }} {{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }} {{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }} -{{- if not .Values.federation.ingress.tlsSecret }} -{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }} -{{- end }} +{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }} {{- else if eq $ingressControllerType "openshift" }} -{{- if $federationIngress.tlsSecret }} -{{- $_ := set $annotations "route.openshift.io/termination" "reencrypt" }} -{{- else }} -{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }} +{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }} {{- $path = "" }} {{- $pathType = "ImplementationSpecific" }} {{- $tlsSection = false }} -{{- end }} {{- end }} apiVersion: networking.k8s.io/v1 kind: Ingress 
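Review bot: With the cert-manager/externalSecret termination removed, the ingress-nginx branch now always sets `ssl-passthrough` yet keeps `$tlsSection` at `true`, so the ingress spec rendered in the next hunk may still carry a `tls:` section driven by `federation.ingress.tlsSecret` even though the ingress no longer terminates TLS for this host; either set `$tlsSection = false` next to the passthrough annotation, as the openshift branch does, or state in the README that `federation.ingress.tlsSecret` no longer affects the federation endpoint (what `spire-lib.ingress-spec` emits is outside this chunk). The retained `ssl-redirect`/`force-ssl-redirect`/`backend-protocol: HTTPS` annotations are moot under passthrough; a comment such as `{{/* TLS is terminated by spire-server's bundle endpoint; the ingress only passes SNI traffic through */}}` would explain why they coexist. Moving termination into SPIRE's own https_web/https_spiffe profile is the right direction, since federated peers then validate the bundle endpoint certificate end to end.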
@@ -44,6 +29,6 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{ include "spire-lib.ingress-spec" (dict "ingress" $federationIngress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }} + {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.federation.ingress "svcName" $svcName "port" .Values.federation.bundleEndpoint.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }} {{- end }} {{- end }} diff --git a/charts/spire/charts/spire-server/templates/issuer.yaml b/charts/spire/charts/spire-server/templates/issuer.yaml index 1a9afbd38..202929255 100644 --- a/charts/spire/charts/spire-server/templates/issuer.yaml +++ b/charts/spire/charts/spire-server/templates/issuer.yaml @@ -1,6 +1,6 @@ {{- with .Values.upstreamAuthority.certManager }} {{ if and .enabled .ca.create }} -{{ $issuerName := printf "%s-selfsigned" (default (include "spire-server.fullname" $) .issuer_name) }} +{{ $issuerName := printf "%s-selfsigned" (default (include "spire-server.fullname" $) .issuerName) }} {{/* Configuring CA Issuer: https://cert-manager.io/docs/configuration/ca/ */}} @@ -21,14 +21,14 @@ metadata: namespace: {{ include "spire-server.namespace" $ }} spec: isCA: true - commonName: {{ $.Values.ca_subject.common_name }} + commonName: {{ include "spire-server.ca-subject-common-name" $ | quote }} secretName: {{ include "spire-server.fullname" $ }}-ca-keys duration: {{ $.Values.upstreamAuthority.certManager.ca.duration }} subject: countries: - - {{ $.Values.ca_subject.country }} + - {{ include "spire-server.ca-subject-country" $ | quote }} organizations: - - {{ $.Values.ca_subject.organization }} + - {{ include "spire-server.ca-subject-organization" $ | quote }} privateKey: algorithm: {{ $.Values.upstreamAuthority.certManager.ca.privateKey.algorithm }} size: {{ $.Values.upstreamAuthority.certManager.ca.privateKey.size }} 
diff --git a/charts/spire/charts/spire-server/templates/roles.yaml b/charts/spire/charts/spire-server/templates/roles.yaml index fdf2ac517..197dc02a9 100644 --- a/charts/spire/charts/spire-server/templates/roles.yaml +++ b/charts/spire/charts/spire-server/templates/roles.yaml @@ -1,7 +1,7 @@ {{- $subject := include "spire-server.subject" . }} {{- $namespace := include "spire-server.namespace" . }} {{- $bundleNamespace := include "spire-server.bundle-namespace" . }} -{{- if .Values.notifier.k8sbundle.enabled }} +{{- if .Values.notifier.k8sBundle.enabled }} # Role to be able to push certificate bundles to a configmap kind: Role apiVersion: rbac.authorization.k8s.io/v1 @@ -48,7 +48,7 @@ roleRef: name: {{ include "spire-server.fullname" . }}-cm apiGroup: rbac.authorization.k8s.io {{- end }} -{{- if .Values.notifier.k8sbundle.enabled }} +{{- if .Values.notifier.k8sBundle.enabled }} --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -61,7 +61,7 @@ roleRef: name: {{ include "spire-lib.bundle-configmap" . }} apiGroup: rbac.authorization.k8s.io {{- end }} -{{- if and .Values.nodeAttestor.k8sPsat.enabled }} +{{- if and .Values.nodeAttestor.k8sPSAT.enabled }} --- # ClusterRole to allow spire-server node attestor to query Token Review API kind: ClusterRole diff --git a/charts/spire/charts/spire-server/templates/secret.yaml b/charts/spire/charts/spire-server/templates/secret.yaml index c31828039..8ba00a283 100644 --- a/charts/spire/charts/spire-server/templates/secret.yaml +++ b/charts/spire/charts/spire-server/templates/secret.yaml @@ -16,5 +16,8 @@ metadata: namespace: {{ include "spire-server.namespace" . }} data: DBPW: {{ .Values.dataStore.sql.password | b64enc }} + {{- if .Values.dataStore.sql.readOnly.enabled }} + RODBPW: {{ .Values.dataStore.sql.readOnly.password | b64enc }} + {{- end }} {{- end }} {{- end }} 
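Review bot: In the secret.yaml hunk, `RODBPW` is written into the chart-managed Secret whenever `readOnly.enabled` is true, even when `readOnly.externalSecret.enabled` is also true; in that combination `readOnly.password` is the empty default, so an empty `RODBPW` entry is rendered next to the real external secret, which is misleading in `helm diff` and in audits of what the chart manages. Gate it the way the matching env var is gated in server-resource.yaml: `{{- if and .Values.dataStore.sql.readOnly.enabled (not .Values.dataStore.sql.readOnly.externalSecret.enabled) }}`. The conditions that decide whether this Secret is rendered at all start above the hunk, so I could not confirm that it still exists when only the primary password is external and the read-only one is chart-managed.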
diff --git a/charts/spire/charts/spire-server/templates/server-resource.yaml b/charts/spire/charts/spire-server/templates/server-resource.yaml index 1a52494ac..fd254384f 100644 --- a/charts/spire/charts/spire-server/templates/server-resource.yaml +++ b/charts/spire/charts/spire-server/templates/server-resource.yaml 
@@ -6,7 +6,33 @@
 {{- $configSum3 := (include (print $.Template.BasePath "/controller-manager-configmap.yaml") . | sha256sum) }}
 {{- $configSumTornjak := (include (print $.Template.BasePath "/tornjak-config.yaml") . | sha256sum) }}
 {{- $fullname := include "spire-server.fullname" . }}
-
+{{- if hasKey .Values "ca_subject" }}
+{{- fail "ca_subject was renamed to caSubject. Please update your config." }}
+{{- end }}
+{{- if hasKey .Values.caSubject "common_name" }}
+{{- fail "ca_name was renamed to caName. Please update your config." }}
+{{- end }}
+{{- if hasKey .Values.upstreamAuthority.certManager "issuer_name" }}
+{{- fail "issuer_name was renamed to issuerName. Please update your config." }}
+{{- end }}
+{{- if hasKey .Values.upstreamAuthority.certManager "issuer_group" }}
+{{- fail "issuer_group was renamed to issuerGroup. Please update your config." }}
+{{- end }}
+{{- if hasKey .Values.upstreamAuthority.certManager "issuer_kind" }}
+{{- fail "issuer_kind was renamed to issuerKind. Please update your config." }}
+{{- end }}
+{{- if hasKey .Values.upstreamAuthority.certManager "kube_config_file" }}
+{{- fail "kube_config_file was renamed to kubeConfigFile. Please update your config." }}
+{{- end }}
+{{- if hasKey .Values.nodeAttestor "k8sPsat" }}
+{{- fail "k8sPsat was renamed to k8sPSAT. Please update your config." }}
+{{- end }}
+{{- if hasKey .Values.nodeAttestor "externalK8sPSA" }}
+{{- fail "externalK8sPsat was renamed to externalK8sPSAT. Please update your config." }}
+{{- end }}
+{{- if hasKey .Values.notifier "k8sbundle" }}
+{{- fail "k8sbundle was renmaed to k8sBundle. Please update your config." }}
+{{- end }}
 {{- if eq .Values.kind "statefulset" }}
 {{- if not (has .Values.persistence.type (list "pvc" "hostPath" "emptyDir")) }}
 {{- fail "persistence.type must be one of [\"pvc\", \"hostPath\", \"emptyDir\"]" }}
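Review bot: Two of the new rename guards check the wrong thing. `hasKey .Values.nodeAttestor "externalK8sPSA"` tests a key that never existed, so a values file still using `externalK8sPsat:` — which carries `defaults.serviceAccountAllowList`, the PSAT attestor's allow-list — passes validation and its overrides are silently replaced by the chart defaults instead of producing the hard error the guard intends; the fix is `{{- if hasKey .Values.nodeAttestor "externalK8sPsat" }}`. The `common_name` guard fires correctly but its message names `ca_name`/`caName`, which exist nowhere in the chart; use `{{- fail "caSubject.common_name was renamed to caSubject.commonName. Please update your config." }}`. Also `renmaed` → `renamed` in the k8sbundle message, and it would be worth extending the same pattern to `federation.bundleEndpoint.refresh_hint`, which is renamed in values.yaml in this same change but has no guard here.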
@@ -24,6 +50,20 @@
 {{- else }}
 {{- fail "Unsupported kind." }}
 {{- end }}
+{{- if hasKey .Values.dataStore.sql "plugin_data" }}
+{{- fail "The plugin_data setting to the sql data store is no longer supported." }}
+{{- end }}
+{{- if and (ne .Values.dataStore.sql.databaseType "mysql") (ne .Values.dataStore.sql.databaseType "aws_mysql") }}
+{{- if ne .Values.dataStore.sql.rootCAPath "" }}
+{{- fail "rootCAPath can only be set with database type mysql or aws_mysql." }}
+{{- end }}
+{{- if ne .Values.dataStore.sql.clientCertPath "" }}
+{{- fail "clientCertPath can only be set with database type mysql or aws_mysql." }}
+{{- end }}
+{{- if ne .Values.dataStore.sql.clientKeyPath "" }}
+{{- fail "clientKeyPath can only be set with database type mysql or aws_mysql." }}
+{{- end }}
+{{- end }}
 {{- if not .Values.externalServer }}
 apiVersion: apps/v1
 {{- if eq .Values.kind "statefulset" }}
@@ -128,7 +168,7 @@ spec:
 args:
 - wait
 - --namespace
- - {{ .Release.Namespace }}
+ - {{ include "spire-server.namespace" $ }}
 - --timeout=3m
 - --for=condition=ready
 - issuer
@@ -169,6 +209,19 @@ spec:
 name: {{ $fullname }}-dbpw
 key: DBPW
 {{- end }}
+ {{- if and .Values.dataStore.sql.readOnly.enabled .Values.dataStore.sql.readOnly.externalSecret.enabled }}
+ - name: RODBPW
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.dataStore.sql.readOnly.externalSecret.name }}
+ key: {{ .Values.dataStore.sql.readOnly.externalSecret.key }}
+ {{- else if .Values.dataStore.sql.readOnly.enabled }}
+ - name: RODBPW
+ valueFrom:
+ secretKeyRef:
+ name: {{ $fullname }}-dbpw
+ key: RODBPW
+ {{- end }}
 {{- end }}
 {{- if ne .Values.keyManager.awsKMS.accessKeyID "" }}
 - name: AWS_KMS_ACCESS_KEY_ID
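Review bot: In the read-only env hunk, the `else if` branch reads `RODBPW` from the chart's own `{{ $fullname }}-dbpw` Secret even when the primary password comes from `dataStore.sql.externalSecret`; whether that Secret is rendered in that combination is decided by a condition above secret.yaml's hunk, so I could not confirm it, but if it is not, the server pod fails at startup with a missing-secret error. Rather than leave the mixed configuration to be discovered at deploy time, reject it next to the new rootCAPath checks: `{{- if and .Values.dataStore.sql.readOnly.enabled .Values.dataStore.sql.externalSecret.enabled (not .Values.dataStore.sql.readOnly.externalSecret.enabled) }}{{- fail "dataStore.sql.readOnly.externalSecret must be enabled when dataStore.sql.externalSecret is" }}{{- end }}`. The same validation block could also reject `readOnly.enabled` with `databaseType: sqlite3`, which the values comments say is unsupported. The container spec this env list belongs to starts and ends outside the hunk.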
@@ -262,6 +315,10 @@ spec:
 mountPath: /tmp-direct-hashes
 {{- end }}
 {{- end }}
+ {{- if or .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled }}
+ - name: bundle-endpoint-tls
+ mountPath: /bundle-endpoint-tls
+ {{- end }}
 {{- if eq (.Values.upstreamAuthority.disk.enabled | toString) "true" }}
 - name: upstream-ca
 mountPath: /run/spire/upstream_ca
@@ -397,6 +454,16 @@ spec:
 name: {{ include "spire-server.fullname" . }}-tpm-direct-hash
 {{- end }}
 {{- end }}
+ {{- if .Values.federation.tls.certManager.enabled }}
+ - name: bundle-endpoint-tls
+ secret:
+ secretName: {{ printf "%s-federation-cert" (include "spire-server.fullname" .) }}
+ {{- end }}
+ {{- if .Values.federation.tls.externalSecret.enabled }}
+ - name: bundle-endpoint-tls
+ secret:
+ secretName: {{ .Values.federation.tls.externalSecret.secretName }}
+ {{- end }}
 {{- if or (eq (include "spire-tornjak.connectionType" .) "tls") (eq (include "spire-tornjak.connectionType" .) "mtls") }}
 - name: server-cert
 secret:
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index 19e8f4a57..52f13fd3f 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
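Review bot: If `federation.tls.certManager.enabled` and `federation.tls.externalSecret.enabled` are both true, the volumes hunk emits two volumes named `bundle-endpoint-tls`, which the API server rejects as a duplicate, while the mount hunk above uses `or` and so adds only one mount; the two blocks disagree about whether the combination is allowed. Make the second volume block `{{- else if .Values.federation.tls.externalSecret.enabled }}` so cert-manager wins deterministically, or add a `fail` when both are set, and say which in the values comments. The pod spec these belong to starts outside the hunk.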
@@ -155,23 +155,27 @@ persistence: dataStore: sql: - ## @param dataStore.sql.databaseType Other supported databases are "postgres" and "mysql" + ## @param dataStore.sql.databaseType Other supported databases are ["postgres", "mysql", "aws_postgresql", "aws_mysql"]. Note: aws type databases are still experimental databaseType: sqlite3 - ## @param dataStore.sql.databaseName Only used by "postgres" or "mysql" + ## @param dataStore.sql.databaseName Only used when type != "sqlite3" databaseName: spire - ## @param dataStore.sql.host Only used by "postgres" or "mysql" + ## @param dataStore.sql.host Only used when type != "sqlite3" host: "" ## @param dataStore.sql.port If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. port: 0 - ## @param dataStore.sql.username Only used by "postgres" or "mysql" + ## @param dataStore.sql.username Only used when type != "sqlite3" username: spire - ## @param dataStore.sql.password Only used by "postgres" or "mysql" + ## @param dataStore.sql.password Only used when type != "sqlite3" password: "" - ## @param dataStore.sql.options [array] Only used by "postgres" or "mysql" + ## @param dataStore.sql.options [array] Only used when type != "sqlite3" options: [] - ## @param dataStore.sql.plugin_data [object] Settings from https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md go in this section - plugin_data: {} + ## @param dataStore.sql.rootCAPath Path to Root CA bundle (MySQL only) + rootCAPath: "" + ## @param dataStore.sql.clientCertPath Path to client certificate (MySQL only) + clientCertPath: "" + ## @param dataStore.sql.clientKeyPath Path to private key for client certificate (MySQL only) + clientKeyPath: "" ## When an external source creates the secret. The secret should reside in the same namespace as the spire server externalSecret: 
@@ -182,6 +186,40 @@ dataStore: ## @param dataStore.sql.externalSecret.key The key of the secret object whose value is the dataStore.sql password key: "" + ## @param dataStore.sql.maxOpenConns The maximum number of open db connections + maxOpenConns: 100 + ## @param dataStore.sql.maxIdleConns The maximum number of idle connections in the pool + maxIdleConns: 2 + ## @param dataStore.sql.connMaxLifetime The maximum amount of time a connection may be reused. If 0, time is unlimited + connMaxLifetime: 0 + ## @param dataStore.sql.disableMigration True to disable auto-migration functionality + disableMigration: false + + ## @param dataStore.sql.region Region to use when database type is either aws_mysql or aws_postgresql + region: "" + + readOnly: + ## @param dataStore.sql.readOnly.enabled Set to true to configure a readOnly dartabase connection + enabled: false + ## @param dataStore.sql.readOnly.host Only used when type != "sqlite3" + host: "" + ## @param dataStore.sql.readOnly.port If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. + port: 0 + ## @param dataStore.sql.readOnly.username Only used when type != "sqlite3" + username: spire + ## @param dataStore.sql.readOnly.password Only used when type != "sqlite3" + password: "" + ## @param dataStore.sql.readOnly.options [array] Only used when type != "sqlite3" + options: [] + ## When an external source creates the secret. The secret should reside in the same namespace as the spire server + externalSecret: + ## @param dataStore.sql.readOnly.externalSecret.enabled Enable external secret for datastore creds + enabled: false + ## @param dataStore.sql.readOnly.externalSecret.name The name of the secret object + name: "" + ## @param dataStore.sql.readOnly.externalSecret.key The key of the secret object whose value is the dataStore.sql password + key: "" + ## @param adminIDs SPIFFE IDs that, when present in a caller’s X509-SVID, grant that caller admin privileges. 
adminIDs: [] ## @param auditLogEnabled If true, enables audit logging @@ -210,8 +248,12 @@ federation: port: 8443 ## @param federation.bundleEndpoint.address Address for trust bundle federation address: "0.0.0.0" - ## @param federation.bundleEndpoint.refresh_hint Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server. - refresh_hint: "5m" + ## @param federation.bundleEndpoint.refreshHint Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server. + refreshHint: "5m" + profile: + httpWeb: + ## @param federation.bundleEndpoint.profile.httpWeb.fileSyncInterval Interval on which to reload the certificate/key from disk + fileSyncInterval: 1h tls: spire: @@ -287,13 +329,13 @@ federation: # If Profile Type == https_web: # secretName: spire-server-federation-tls -ca_subject: - ## @param ca_subject.country Country for Spire server CA +caSubject: + ## @param caSubject.country Country for Spire server CA country: ARPA - ## @param ca_subject.organization Organization for Spire server CA + ## @param caSubject.organization Organization for Spire server CA organization: Example - ## @param ca_subject.common_name Common Name for Spire server CA - common_name: example.org + ## @param caSubject.commonName Common Name for Spire server CA + commonName: example.org credentialComposer: uniqueID: 
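Review bot: Typos and copy-paste in the new `readOnly` documentation: `dartabase` → `database`, and the `readOnly.externalSecret.key` comment still says it holds `the dataStore.sql password` although it is the read-only password, e.g. `## @param dataStore.sql.readOnly.externalSecret.key The key of the secret object whose value is the dataStore.sql.readOnly password`. The `## @param` lines feed the generated README, so this wording is what operators will read when wiring up credentials.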
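Review bot: `refresh_hint` is renamed to `refreshHint` here, but the rename guards added to server-resource.yaml in this change do not cover it, so a values file that still sets `federation.bundleEndpoint.refresh_hint` keeps rendering without error and silently falls back to the 5m default — and the comment on this very key explains that it must be sized against the CA TTL for rotation across federated servers, so a quiet fallback can leave peers with stale bundles. Add a guard alongside the others: `{{- if hasKey .Values.federation.bundleEndpoint "refresh_hint" }}{{- fail "refresh_hint was renamed to refreshHint. Please update your config." }}{{- end }}`. The `federation:` block this hunk edits starts and ends outside the hunk.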
@@ -371,16 +413,16 @@ upstreamAuthority: ## @param upstreamAuthority.certManager.rbac.create Flag to create RBAC roles rbac: create: true - ## @param upstreamAuthority.certManager.issuer_name Defaults to the release name, override if CA is provided outside of the chart - issuer_name: "" - ## @param upstreamAuthority.certManager.issuer_kind Defaults to "Issuer", override if CA is provided outside of the chart - issuer_kind: "Issuer" - ## @param upstreamAuthority.certManager.issuer_group Defaults to "cert-manager.io", override if CA is provided outside of the chart - issuer_group: "cert-manager.io" + ## @param upstreamAuthority.certManager.issuerName Defaults to the release name, override if CA is provided outside of the chart + issuerName: "" + ## @param upstreamAuthority.certManager.issuerKind Defaults to "Issuer", override if CA is provided outside of the chart + issuerKind: "Issuer" + ## @param upstreamAuthority.certManager.issuerGroup Defaults to "cert-manager.io", override if CA is provided outside of the chart + issuerGroup: "cert-manager.io" ## @param upstreamAuthority.certManager.namespace Specify to use a namespace other then the one the chart is installed into namespace: "" - ## @param upstreamAuthority.certManager.kube_config_file Path to kube_config_file on node to setup cert manager - kube_config_file: "" + ## @param upstreamAuthority.certManager.kubeConfigFile Path to kube config file on node to setup cert manager + kubeConfigFile: "" ca: ## @param upstreamAuthority.certManager.ca.create Creates a Cert-Manager CA 
@@ -440,10 +482,10 @@ upstreamAuthority: expiry: 7200 notifier: - k8sbundle: - ## @param notifier.k8sbundle.enabled Enable local k8s bundle uploader + k8sBundle: + ## @param notifier.k8sBundle.enabled Enable local k8s bundle uploader enabled: true - ## @param notifier.k8sbundle.namespace Namespace to push the bundle into, if blank will default to SPIRE Server namespace + ## @param notifier.k8sBundle.namespace Namespace to push the bundle into, if blank will default to SPIRE Server namespace namespace: "" externalK8sBundle: ## @param notifier.externalK8sBundle.enabled Enable external k8s bundle uploader @@ -498,7 +540,7 @@ controllerManager: registry: ghcr.io repository: spiffe/spire-controller-manager pullPolicy: IfNotPresent - tag: "0.5.0" + tag: "0.6.0" ## @param controllerManager.resources [object] Resource requests and limits for controller manager resources: {} @@ -586,6 +628,10 @@ controllerManager: downstream: false ## @param controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames Auto populate DNS names from services attached to pods autoPopulateDNSNames: false + ## @param controllerManager.identities.clusterSPIFFEIDs.default.fallback Apply this ID only if there are no other matching non fallback ClusterSPIFFEIDs + fallback: true + # Set what hint to use. If unset, it will be asigned the clusterSPIFFEID name. If set to "", it will be unset. Any other value will set the hint to exactly what is specified. + # hint: "" child-servers: ## @param controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled Enable this identity for controller manager 
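Review bot: Defaulting the `default` ClusterSPIFFEID to `fallback: true` changes which identities existing workloads receive: going by the comment on the new key, a pod that also matches any other non-fallback ClusterSPIFFEID will no longer be issued the default identity after upgrade, so anything relying on the default SPIFFE ID being present alongside a more specific one loses it silently. That deserves an explicit upgrade note, and `hint` should get a `## @param controllerManager.identities.clusterSPIFFEIDs.default.hint …` entry rather than the plain `#` comment, which the README generator will not pick up. I am inferring the semantics from the `fallback` comment in this hunk; the controller-manager behaviour itself is not visible here.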
@@ -795,30 +841,30 @@ defaultX509SvidTTL: 4h defaultJwtSvidTTL: 1h nodeAttestor: - k8sPsat: - ## @param nodeAttestor.k8sPsat.enabled Enable Psat k8s nodeattestor + k8sPSAT: + ## @param nodeAttestor.k8sPSAT.enabled Enable PSAT k8s nodeattestor enabled: true - ## @param nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor. If namespace isn't specified, release namespace will be used. + ## @param nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor. If namespace isn't specified, release namespace will be used. serviceAccountAllowList: [] - ## @param nodeAttestor.k8sPsat.audience [array] Audience for token validation. If set to [] (empty array), Kubernetes API server audience is used + ## @param nodeAttestor.k8sPSAT.audience [array] Audience for token validation. If set to [] (empty array), Kubernetes API server audience is used audience: ["spire-server"] - ## @param nodeAttestor.k8sPsat.allowedNodeLabelKeys [array] Node label keys considered for selectors + ## @param nodeAttestor.k8sPSAT.allowedNodeLabelKeys [array] Node label keys considered for selectors allowedNodeLabelKeys: [] - ## @param nodeAttestor.k8sPsat.allowedPodLabelKeys [array] Pod label keys considered for selectors + ## @param nodeAttestor.k8sPSAT.allowedPodLabelKeys [array] Pod label keys considered for selectors allowedPodLabelKeys: [] - externalK8sPsat: - ## @param nodeAttestor.externalK8sPsat.enabled Enable PSAT k8s nodeattestor for external Kubernetes clusters + externalK8sPSAT: + ## @param nodeAttestor.externalK8sPSAT.enabled Enable PSAT k8s nodeattestor for external Kubernetes clusters enabled: true defaults: - ## @param nodeAttestor.externalK8sPsat.defaults.serviceAccountAllowList [array] Allowed service accounts for PSAT node attestor + ## @param nodeAttestor.externalK8sPSAT.defaults.serviceAccountAllowList [array] Allowed service accounts for PSAT node attestor serviceAccountAllowList: 
["spire-system:spire-agent-upstream"] - ## @param nodeAttestor.externalK8sPsat.defaults.audience [array] Audience for token validation. If it is set to an empty array ([]), Kubernetes API server audience is used + ## @param nodeAttestor.externalK8sPSAT.defaults.audience [array] Audience for token validation. If it is set to an empty array ([]), Kubernetes API server audience is used audience: ["spire-server"] - ## @param nodeAttestor.externalK8sPsat.defaults.allowedNodeLabelKeys [array] Node label keys considered for selectors + ## @param nodeAttestor.externalK8sPSAT.defaults.allowedNodeLabelKeys [array] Node label keys considered for selectors allowedNodeLabelKeys: [] - ## @param nodeAttestor.externalK8sPsat.defaults.allowedPodLabelKeys [array] Pod label keys considered for selectors + ## @param nodeAttestor.externalK8sPSAT.defaults.allowedPodLabelKeys [array] Pod label keys considered for selectors allowedPodLabelKeys: [] - ## @param nodeAttestor.externalK8sPsat.clusters [object] A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. + ## @param nodeAttestor.externalK8sPSAT.clusters [object] A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. clusters: {} # clustera: # kubeConfigName: foo @@ -1052,7 +1098,7 @@ chown: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a + tag: latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2 ## @param chown.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} 
@@ -1087,7 +1133,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a + tag: latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2 ## @param kubeConfigs [object] Manage additional kubeconfig files to talk to external Kubernetes clusters kubeConfigs: {} diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 33abe48e3..d225ba9af 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -101,4 +101,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 1607b6222..19859f186 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -162,4 +162,4 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a + tag: latest@sha256:a5cd47a3caf0668c48c6ad4bb66436cab40aa335634f3b5740ffd2a0c39770b2 
diff --git a/charts/spire/ci/namespace-override-values-skip.yaml b/charts/spire/ci/namespace-override-values-skip.yaml index b91f0c325..8efbaf1a2 100644 --- a/charts/spire/ci/namespace-override-values-skip.yaml +++ b/charts/spire/ci/namespace-override-values-skip.yaml @@ -8,10 +8,10 @@ spiffe-oidc-discovery-provider: spire-server: namespaceOverride: spire-server nodeAttestor: - k8sPsat: + k8sPSAT: serviceAccountAllowList: ["spire-system:spire-agent"] notifier: - k8sbundle: + k8sBundle: namespace: spire-system spiffe-csi-driver: diff --git a/examples/federation/a-values.yaml b/examples/federation/a-values.yaml index 6ca171f10..6dd0f5591 100644 --- a/examples/federation/a-values.yaml +++ b/examples/federation/a-values.yaml @@ -9,12 +9,12 @@ global: clusterName: a trustDomain: a-org.local bundleConfigMap: spire-bundle-a + caSubject: + country: US + organization: A + commonName: a.local spire-server: - ca_subject: - country: US - organization: A - common_name: a.local federation: enabled: true ingress: diff --git a/examples/federation/b-values.yaml b/examples/federation/b-values.yaml index b76ec6b0d..4d295accc 100644 --- a/examples/federation/b-values.yaml +++ b/examples/federation/b-values.yaml @@ -9,12 +9,12 @@ global: clusterName: b trustDomain: b-org.local bundleConfigMap: spire-bundle-b + caSubject: + country: US + organization: B + commonName: b.local spire-server: - ca_subject: - country: US - organization: B - common_name: b.local federation: enabled: true ingress: diff --git a/examples/mysql-using-spire/mysql-values.yaml b/examples/mysql-using-spire/mysql-values.yaml index ccf00599a..57ecbf954 100644 --- a/examples/mysql-using-spire/mysql-values.yaml +++ b/examples/mysql-using-spire/mysql-values.yaml 
@@ -19,7 +19,7 @@ primary: - name: spiffe-helper mountPath: /helper - name: setup-helper-volume-p2 - image: ghcr.io/spiffe/spiffe-helper:nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6 + image: ghcr.io/spiffe/spiffe-helper:0.8.0 imagePullPolicy: IfNotPresent command: - /helper/busybox @@ -31,13 +31,13 @@ primary: - name: spiffe-helper mountPath: /helper - name: init-tls - image: ghcr.io/spiffe/spiffe-helper:nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6 + image: ghcr.io/spiffe/spiffe-helper:0.8.0 imagePullPolicy: Always command: - /spiffe-helper - -config - /etc/spiffe-helper.conf - - -exitWhenReady + - -daemon-mode=false securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 8 }} volumeMounts: - name: spiffe-workload-api diff --git a/examples/mysql-using-spire/mysqlclient-statefulset.yaml b/examples/mysql-using-spire/mysqlclient-statefulset.yaml index 71d993108..3132580e6 100644 --- a/examples/mysql-using-spire/mysqlclient-statefulset.yaml +++ b/examples/mysql-using-spire/mysqlclient-statefulset.yaml @@ -16,13 +16,13 @@ spec: terminationGracePeriodSeconds: 0 initContainers: - name: init-tls - image: ghcr.io/spiffe/spiffe-helper:nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6 + image: ghcr.io/spiffe/spiffe-helper:0.8.0 imagePullPolicy: Always command: - /spiffe-helper - -config - /etc/spiffe-helper.conf - - -exitWhenReady + - -daemon-mode=false securityContext: runAsUser: 1001 runAsGroup: 1001 @@ -47,7 +47,7 @@ spec: - name: certdir mountPath: /certs - name: refresh-tls - image: ghcr.io/spiffe/spiffe-helper:nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6 + image: ghcr.io/spiffe/spiffe-helper:0.8.0 imagePullPolicy: Always command: - /spiffe-helper diff --git a/examples/nested-full/child-values.yaml b/examples/nested-full/child-values.yaml index 0fb62ae1e..79c24d872 100644 
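Review bot: The spiffe-helper images move from a digest-pinned `nightly@sha256:…` reference to the floating tag `0.8.0` with `imagePullPolicy: Always`, so every pod start re-resolves the tag and any retag of `0.8.0` in the registry flows straight into the init container that bootstraps the database's TLS material. Keep the version but pin it, as the chart already does for its chainguard/bash images: `image: ghcr.io/spiffe/spiffe-helper:0.8.0@sha256:<digest of the 0.8.0 manifest>`, and apply the same pin to the three references in mysqlclient-statefulset.yaml. The digest is not in this diff and has to be taken from the registry.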
--- a/examples/nested-full/child-values.yaml +++ b/examples/nested-full/child-values.yaml @@ -5,4 +5,3 @@ tags: nestedChildFull: true - diff --git a/examples/nested-full/run-tests.sh b/examples/nested-full/run-tests.sh index 67049b86f..d5fd9cd92 100755 --- a/examples/nested-full/run-tests.sh +++ b/examples/nested-full/run-tests.sh @@ -71,7 +71,9 @@ kubectl rollout status -n kube-system -w --timeout=1m deploy/coredns for cluster in child other; do KC="${SCRIPTPATH}/kubeconfig-${cluster}" - kind create cluster --name "${cluster}" --kubeconfig "${SCRIPTPATH}/kubeconfig-${cluster}" --config "${SCRIPTPATH}/.test-files/${cluster}-kind-config.yaml" + kind create cluster --name "${cluster}" --kubeconfig "${SCRIPTPATH}/kubeconfig-${cluster}" --config "${SCRIPTPATH}/.test-files/${cluster}-kind-config.yaml" --image "kindest/node:${K8S}" + + kubectl version --kubeconfig "${SCRIPTPATH}/kubeconfig-${cluster}" md5sum "${KC}" wc -l "${KC}" 
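Review bot: `--image "kindest/node:${K8S}"` depends on `K8S`, which is only exported by the CI workflow; running this script locally with `K8S` unset produces `kindest/node:` and kind fails with an unhelpful pull error. Either fail fast with `--image "kindest/node:${K8S:?K8S must be set, e.g. v1.31.1}"` or default it near the top of the script with `K8S="${K8S:-v1.31.1}"`. The same line is added to examples/nested-security/run-tests.sh in a later hunk and needs the same treatment. The `for cluster` loop continues past this hunk.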
@@ -104,12 +106,12 @@ for cluster in child other; do KC="${SCRIPTPATH}/kubeconfig-${cluster}" kubectl --kubeconfig "${KC}" get configmap -n spire-system spire-bundle-upstream -o yaml kubectl --kubeconfig "${KC}" rollout restart daemonset spire-agent-upstream -n spire-system + kubectl --kubeconfig "${KC}" rollout status daemonset spire-agent-upstream -n spire-system --timeout 120s || kubectl logs --kubeconfig "${KC}" daemonset/spire-agent-upstream -n spire-system --prefix --all-containers=true kubectl --kubeconfig "${KC}" rollout restart statefulset spire-internal-server -n spire-server + kubectl --kubeconfig "${KC}" rollout status statefulset spire-internal-server -n spire-server --timeout 120s || kubectl logs --kubeconfig "${KC}" statefulset/spire-internal-server -n spire-server --prefix --all-containers=true kubectl --kubeconfig "${KC}" rollout restart daemonset spire-agent-downstream -n spire-system - kubectl --kubeconfig "${KC}" rollout restart deployment spiffe-oidc-discovery-provider -n spire-server - kubectl --kubeconfig "${KC}" rollout status daemonset spire-agent-upstream -n spire-system --timeout 60s || kubectl logs --kubeconfig "${KC}" daemonset/spire-agent-upstream -n spire-system --prefix --all-containers=true - kubectl --kubeconfig "${KC}" rollout status statefulset spire-internal-server -n spire-server --timeout 60s || kubectl logs --kubeconfig "${KC}" statefulset/spire-internal-server -n spire-server --prefix --all-containers=true kubectl --kubeconfig "${KC}" rollout status daemonset spire-agent-downstream -n spire-system --timeout 60s || kubectl logs --kubeconfig "${KC}" daemonset/spire-agent-downstream -n spire-system --prefix --all-containers=true + kubectl --kubeconfig "${KC}" rollout restart deployment spiffe-oidc-discovery-provider -n spire-server kubectl --kubeconfig "${KC}" rollout status deployment spiffe-oidc-discovery-provider -n spire-server --timeout 60s || kubectl logs --kubeconfig "${KC}" deployment/spiffe-oidc-discovery-provider -n 
spire-server --prefix --all-containers=true echo Pods on "${cluster}" diff --git a/examples/nested-security/run-tests.sh b/examples/nested-security/run-tests.sh index 8551b03b6..0bb9ab912 100755 --- a/examples/nested-security/run-tests.sh +++ b/examples/nested-security/run-tests.sh @@ -73,7 +73,7 @@ kubectl rollout status -n kube-system -w --timeout=1m deploy/coredns for cluster in child; do KC="${SCRIPTPATH}/kubeconfig-${cluster}" - kind create cluster --name "${cluster}" --kubeconfig "${SCRIPTPATH}/kubeconfig-${cluster}" --config "${SCRIPTPATH}/.test-files/${cluster}-kind-config.yaml" + kind create cluster --name "${cluster}" --kubeconfig "${SCRIPTPATH}/kubeconfig-${cluster}" --config "${SCRIPTPATH}/.test-files/${cluster}-kind-config.yaml" --image "kindest/node:${K8S}" md5sum "${KC}" wc -l "${KC}" @@ -102,6 +102,7 @@ helm upgrade --install --create-namespace --namespace spire-mgmt --values "${COM # The check is being too pedantic. # shellcheck shell=bash disable=SC2043 for cluster in child; do + kubectl version --kubeconfig "${SCRIPTPATH}/kubeconfig-${cluster}" KC="${SCRIPTPATH}/kubeconfig-${cluster}" kubectl --kubeconfig "${KC}" get configmap -n spire-system spire-bundle-upstream -o yaml kubectl --kubeconfig "${KC}" rollout restart daemonset spire-agent-downstream -n spire-system diff --git a/examples/tpm-direct/different-nodes.yaml b/examples/tpm-direct/different-nodes.yaml index 86d913ee0..4cc6e205e 100644 --- a/examples/tpm-direct/different-nodes.yaml +++ b/examples/tpm-direct/different-nodes.yaml @@ -7,7 +7,7 @@ spire-agent: nodeSelector: tpm: with nodeAttestor: - k8sPsat: + k8sPSAT: enabled: false tpmDirect: enabled: true diff --git a/examples/tpm-direct/same-nodes.yaml b/examples/tpm-direct/same-nodes.yaml index ab53a82c3..c4cd76cc8 100644 --- a/examples/tpm-direct/same-nodes.yaml +++ b/examples/tpm-direct/same-nodes.yaml @@ -1,6 +1,6 @@ spire-agent: nodeAttestor: - k8sPsat: + k8sPSAT: enabled: false tpmDirect: enabled: true 
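Review bot: The `rollout status … || kubectl logs …` lines added here mask a rollout failure: when `rollout status` times out, `kubectl logs` runs and succeeds, the list's exit status becomes 0, and the test continues to fail later at a less obvious point — or not at all. Use `|| { kubectl logs …; exit 1; }` on each of them so the logs are still dumped but the run fails where the problem is. The pattern predates this change, but the hunk rewrites four of these lines and raises two timeouts to 120s, so it is the right moment to fix it.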
diff --git a/examples/tpm-direct/values.yaml b/examples/tpm-direct/values.yaml index ab53a82c3..c4cd76cc8 100644 --- a/examples/tpm-direct/values.yaml +++ b/examples/tpm-direct/values.yaml @@ -1,6 +1,6 @@ spire-agent: nodeAttestor: - k8sPsat: + k8sPSAT: enabled: false tpmDirect: enabled: true diff --git a/tests/go.mod b/tests/go.mod index b20974583..9d9e027bc 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -6,21 +6,23 @@ toolchain go1.22.5 require ( github.com/onsi/ginkgo/v2 v2.20.2 github.com/onsi/gomega v1.34.2 - helm.sh/helm/v3 v3.15.4 + helm.sh/helm/v3 v3.16.2 ) require ( + dario.cat/mergo v1.0.1 // indirect github.com/BurntSushi/toml v1.3.2 // indirect github.com/Masterminds/goutils v1.1.1 // indirect - github.com/Masterminds/semver/v3 v3.2.1 // indirect - github.com/Masterminds/sprig/v3 v3.2.3 // indirect - github.com/cyphar/filepath-securejoin v0.2.4 // indirect - github.com/davecgh/go-spew v1.1.1 // indirect + github.com/Masterminds/semver/v3 v3.3.0 // indirect + github.com/Masterminds/sprig/v3 v3.3.0 // indirect + github.com/cyphar/filepath-securejoin v0.3.1 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect - github.com/go-openapi/swag v0.22.3 // indirect + github.com/go-openapi/swag v0.22.4 // indirect github.com/go-task/slim-sprig/v3 v3.0.0 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect 
@@ -29,9 +31,8 @@ require (
 github.com/google/go-cmp v0.6.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 // indirect
- github.com/google/uuid v1.3.0 // indirect
- github.com/huandu/xstrings v1.4.0 // indirect
- github.com/imdario/mergo v0.3.13 // indirect
+ github.com/google/uuid v1.6.0 // indirect
+ github.com/huandu/xstrings v1.5.0 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/mailru/easyjson v0.7.7 // indirect
@@ -41,31 +42,31 @@ require (
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/pkg/errors v0.9.1 // indirect
- github.com/shopspring/decimal v1.3.1 // indirect
- github.com/spf13/cast v1.5.0 // indirect
+ github.com/shopspring/decimal v1.4.0 // indirect
+ github.com/spf13/cast v1.7.0 // indirect
+ github.com/x448/float16 v0.8.4 // indirect
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/xeipuuv/gojsonschema v1.2.0 // indirect
- golang.org/x/crypto v0.26.0 // indirect
+ golang.org/x/crypto v0.27.0 // indirect
 golang.org/x/net v0.28.0 // indirect
- golang.org/x/oauth2 v0.10.0 // indirect
- golang.org/x/sys v0.24.0 // indirect
- golang.org/x/term v0.23.0 // indirect
- golang.org/x/text v0.17.0 // indirect
+ golang.org/x/oauth2 v0.21.0 // indirect
+ golang.org/x/sys v0.25.0 // indirect
+ golang.org/x/term v0.24.0 // indirect
+ golang.org/x/text v0.18.0 // indirect
 golang.org/x/time v0.3.0 // indirect
 golang.org/x/tools v0.24.0 // indirect
- google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/protobuf v1.34.1 // indirect
+ google.golang.org/protobuf v1.34.2 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
- k8s.io/api v0.30.3 // indirect
- k8s.io/apiextensions-apiserver v0.30.3 // indirect
- k8s.io/apimachinery v0.30.3 // indirect
- k8s.io/client-go v0.30.3 // indirect
- k8s.io/klog/v2 v2.120.1 // indirect
+ k8s.io/api v0.31.1 // indirect
+ k8s.io/apiextensions-apiserver v0.31.1 // indirect
+ k8s.io/apimachinery v0.31.1 // indirect
+ k8s.io/client-go v0.31.1 // indirect
+ k8s.io/klog/v2 v2.130.1 // indirect
 k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
- k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+ k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 sigs.k8s.io/yaml v1.4.0 // indirect
diff --git a/tests/go.sum b/tests/go.sum
index eeab87f74..166f8dbb5 100644
--- a/tests/go.sum
+++ b/tests/go.sum
@@ -1,39 +1,41 @@ +dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= +dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= -github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= -github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0= -github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= -github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA= -github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM= +github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0= +github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= +github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs= +github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= -github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/cyphar/filepath-securejoin v0.3.1 h1:1V7cHiaW+C+39wEfpH6XlLBQo3j/PciWFrgfCLS8XrE= +github.com/cyphar/filepath-securejoin v0.3.1/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= -github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE= -github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps= +github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= +github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= -github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-openapi/swag 
v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU= +github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= 
@@ -46,15 +48,10 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 h1:5iH8iuqE5apketRbSFBy+X1V0o+l+8NF1avt4HWl7cA= github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= -github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= -github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU= -github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= -github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= -github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= -github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= +github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= 
@@ -70,10 +67,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= -github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -89,29 +84,28 @@ github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8= github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= -github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= -github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= -github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8= -github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= -github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w= -github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= +github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= +github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= +github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= 
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= -github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= 
@@ -121,102 +115,78 @@ github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= -golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= +golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= +golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod 
h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= -golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= -golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= +golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= +golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= -golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= -golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk= +golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= +golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= -golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= +golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod 
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= -google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= -google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod 
h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= +gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -helm.sh/helm/v3 v3.15.4 h1:UFHd6oZ1IN3FsUZ7XNhOQDyQ2QYknBNWRHH57e9cbHY= -helm.sh/helm/v3 v3.15.4/go.mod h1:phOwlxqGSgppCY/ysWBNRhG3MtnpsttOzxaTK+Mt40E= -k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= -k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= -k8s.io/apiextensions-apiserver v0.30.3 h1:oChu5li2vsZHx2IvnGP3ah8Nj3KyqG3kRSaKmijhB9U= -k8s.io/apiextensions-apiserver v0.30.3/go.mod h1:uhXxYDkMAvl6CJw4lrDN4CPbONkF3+XL9cacCT44kV4= -k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= -k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= -k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= -k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= -k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= -k8s.io/klog/v2 
v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +helm.sh/helm/v3 v3.16.2 h1:Y9v7ry+ubQmi+cb5zw1Llx8OKHU9Hk9NQ/+P+LGBe2o= +helm.sh/helm/v3 v3.16.2/go.mod h1:SyTXgKBjNqi2NPsHCW5dDAsHqvGIu0kdNYNH9gQaw70= +k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= +k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= +k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= +k8s.io/apiextensions-apiserver v0.31.1/go.mod h1:tWMPR3sgW+jsl2xm9v7lAyRF1rYEK71i9G5dRtkknoQ= +k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= +k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= +k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= -k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= -k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= 
diff --git a/tests/integration/production/run-tests.sh b/tests/integration/production/run-tests.sh
index c5cd8bbe4..a61cbacb5 100755
--- a/tests/integration/production/run-tests.sh
+++ b/tests/integration/production/run-tests.sh
@@ -129,7 +129,7 @@ install_and_test() {
 --values /tmp/dummydns \
 --set spiffe-oidc-discovery-provider.tests.tls.customCA=tls-cert,spire-server.tests.tls.customCA=tls-cert \
 --set spire-agent.server.address=spire-server.production.other,spire-agent.server.port=443 \
- --set spire-server.federation.ingress.tlsSecret=tls-cert,spiffe-oidc-discovery-provider.ingress.tlsSecret=tls-cert \
+ --set spire-server.federation.tls.externalSecret.secretName=tls-cert,spiffe-oidc-discovery-provider.ingress.tlsSecret=tls-cert \
 --wait
 helm test --namespace "${ns}" spire
diff --git a/tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml b/tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml
index c2c3879fa..4d30a3af2 100644
--- a/tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml
+++ b/tests/integration/production/values-expose-federation-https-web-ingress-nginx.yaml
@@ -4,10 +4,9 @@ spire-server:
 enabled: true
 federation:
 enabled: true
- ingress:
- enabled: true
- controllerType: ingress-nginx
-
- # className: nginx
-
- tlsSecret: spire-server-federation-tls
+ tls:
+ spire:
+ enabled: false
+ externalSecret:
+ enabled: true
+ secretName: spire-server-federation-tls
diff --git a/tests/unit/spire_test.go b/tests/unit/spire_test.go
index 7e6e1f096..b704d45c9 100644
--- a/tests/unit/spire_test.go
+++ b/tests/unit/spire_test.go
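Review bot: The new `--set` supplies only `spire-server.federation.tls.externalSecret.secretName`, while the values file changed in this same commit also sets `tls.externalSecret.enabled: true` and `tls.spire.enabled: false`; unless those are the chart defaults (not visible from here), a secret name alone may not switch the federation endpoint onto the external secret. If that values file is not always passed in this invocation, the line likely wants `--set spire-server.federation.tls.externalSecret.enabled=true,spire-server.federation.tls.externalSecret.secretName=tls-cert,spiffe-oidc-discovery-provider.ingress.tlsSecret=tls-cert \` so the test pins the whole setting it depends on. `install_and_test()` starts and ends outside the hunk.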
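Review bot: The removed block was the only place this file enabled an ingress (`ingress.enabled: true`, `controllerType: ingress-nginx`), yet the file keeps the name `values-expose-federation-https-web-ingress-nginx.yaml` and now configures only federation TLS from an external secret. If the chart exposes federation through another path after this change, a one-line comment above `federation:` saying how the endpoint is reached (or a rename) would keep the test's intent readable; otherwise the ingress settings probably need to return alongside the new `tls` block. I cannot see the chart's defaults, so this is inferred from the file alone.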
@@ -28,13 +28,13 @@ var _ = Describe("Spire", func() {
 chart, err := helmloader.Load("../../charts/spire")
 Expect(err).Should(Succeed())
 Describe("spire-server.upstream.cert-manager", func() {
- It("issuer_name when set is passed through", func() {
+ It("issuerName when set is passed through", func() {
 objs, err := ValueStringRender(chart, `
 spire-server:
 upstreamAuthority:
 certManager:
 enabled: true
- issuer_name: abc123
+ issuerName: abc123
 `)
 Expect(err).Should(Succeed())
 notes := objs["spire/charts/spire-server/templates/configmap.yaml"]
@@ -108,7 +108,7 @@ spire-server:
 objs, err := ValueStringRender(chart, `
 spire-agent:
 nodeAttestor:
- k8sPsat:
+ k8sPSAT:
 enabled: false
 customPlugins:
 nodeAttestor:
@@ -127,7 +127,7 @@ spire-agent:
 objs, err := ValueStringRender(chart, `
 spire-agent:
 nodeAttestor:
- k8sPsat:
+ k8sPSAT:
 enabled: false
 unsupportedBuiltInPlugins:
 nodeAttestor:
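Review bot: The test now only covers the camelCase `issuerName` key, and nothing exercises the old `issuer_name` spelling, so a values file still using it would render without error and with no issuer set if the chart ignores unknown keys, and this suite would not notice. A second `It` that renders the same values with `issuer_name: abc123` and asserts whichever outcome the chart intends (a schema rejection, or the value being ignored) would document whether the rename is a breaking change; the same applies to the `k8sPsat` → `k8sPSAT` hunks below. The enclosing `Describe` blocks start before and end after the hunk.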