Merge branch 'main' into helper-csi

Signed-off-by: kfox1111 <[email protected]>

.github/tests/charts.json

@@ -2,27 +2,27 @@
   {
     "name": "kube-prometheus-stack",
     "repo": "https://prometheus-community.github.io/helm-charts",
-    "version": "56.6.2"
+    "version": "58.6.0"
   },
   {
     "name": "cert-manager",
     "repo": "https://charts.jetstack.io",
-    "version": "v1.14.1"
+    "version": "v1.14.5"
   },
   {
     "name": "ingress-nginx",
     "repo": "https://kubernetes.github.io/ingress-nginx",
-    "version": "4.9.1"
+    "version": "4.10.1"
   },
   {
     "name": "mysql",
     "repo": "https://charts.bitnami.com/bitnami",
-    "version": "9.19.1"
+    "version": "10.2.4"
   },
   {
     "name": "postgresql",
     "repo": "https://charts.bitnami.com/bitnami",
-    "version": "14.0.1"
+    "version": "15.3.3"
   },
   {
     "name": "kyverno",

.github/tests/common.sh

@@ -21,7 +21,7 @@ $(kubectl --request-timeout=30s describe pods --namespace "$1")
 #### Logs
 
 \`\`\`shell
-$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --all-containers=true --ignore-errors=true; done)
+$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --prefix --all-containers=true --ignore-errors=true; done)
 $( ([[ -n "$2" ]] && kubectl get pods -o name -n "$2") | while read -r line; do echo logs for "${line}"; kubectl logs -n "$2" "${line}" --all-containers=true --ignore-errors=true; done)
 \`\`\`
 
@@ -55,6 +55,7 @@ print_spire_workload_status () {
 | Namespace | Workload                                       | Status |
 | --------- | ---------------------------------------------- | ------ |
 | ${ns1}    | ${release_name}-server                         | <pre>$(k_rollout_status "${ns1}" statefulset "${release_name}-server")</pre> |
+| ${ns1}    | ${release_name}-server                         | <pre>$(k_rollout_status "${ns1}" deployments.apps "${release_name}-server")</pre> |
 | ${ns2}    | ${release_name}-spiffe-csi-driver              | <pre>$(k_rollout_status "${ns2}" daemonset "${release_name}-spiffe-csi-driver")</pre> |
 | ${ns2}    | ${release_name}-agent                          | <pre>$(k_rollout_status "${ns2}" daemonset "${release_name}-agent")</pre> |
 | ${ns1}    | ${release_name}-spiffe-oidc-discovery-provider | <pre>$(k_rollout_status "${ns1}" deployments.apps "${release_name}-spiffe-oidc-discovery-provider")</pre> |
@@ -70,3 +71,23 @@ $(helm ls -A | sed 's/\t/ | /g' | sed 's/^/| /' | sed 's/$/ |/' | sed '/^| NAME.
 
 EOF
 }
+
+# Used just for testing. You should provide your own values as described in the install instructions.
+common_test_your_values () {
+cat > /tmp/$$.example-your-values.yaml <<EOF
+global:
+  spire:
+    recommendations:
+      enabled: true
+    clusterName: production
+    trustDomain: production.other
+    caSubject:
+      country: US
+      organization: Production
+      commonName: production.other
+EOF
+echo "/tmp/$$.example-your-values.yaml"
+}
+
+COMMON_TEST_YOUR_VALUES="$(common_test_your_values)"
+export COMMON_TEST_YOUR_VALUES

.github/tests/images.json

@@ -8,7 +8,7 @@
   ],
   "spire-agent/values.yaml": [
     {
-      "query": "waitForIt.image",
+      "query": "socketAlternate.image",
       "filter": "LATESTSHA",
       "sort-flags": []
     },

.github/workflows/check-versions.yaml

@@ -59,11 +59,18 @@ jobs:
           ./.github/scripts/update-tags.sh
           git diff
 
+      - name: Generate Token
+        uses: tibdex/[email protected]
+        id: generate-token
+        with:
+          app_id: ${{ vars.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - name: Create Pull Request
         id: cpr
-        uses: peter-evans/[email protected].0
+        uses: peter-evans/[email protected].2
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.generate-token.outputs.token }}
           title: Bump test chart dependencies
           branch: bump-test-chart-deps
           commit-message: Bump test chart dependencies

.github/workflows/helm-chart-ci-ignore.yaml

@@ -45,16 +45,25 @@ jobs:
       - name: Checkout
         uses: actions/[email protected]
 
-      - id: set-matrix
+      - id: set-matrix-example
         name: Collect all examples
         run: |
           examples="$(find examples -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
           examples_json="$(echo "$examples" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
           echo "${examples_json}"
           echo "examples=$examples_json" >>"$GITHUB_OUTPUT"
 
+      - id: set-matrix-integration
+        name: Collect all integration tests
+        run: |
+          integrationtests="$(find tests/integration -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
+          integrationtests_json="$(echo "$integrationtests" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
+          echo "${integrationtests_json}"
+          echo "integrationtests=$integrationtests_json" >>"$GITHUB_OUTPUT"
+
     outputs:
-      examples: ${{ steps.set-matrix.outputs.examples }}
+      examples: ${{ steps.set-matrix-example.outputs.examples }}
+      integrationtests: ${{ steps.set-matrix-integration.outputs.integrationtests }}
 
   example-test:
     runs-on: ubuntu-22.04
@@ -74,6 +83,24 @@ jobs:
     steps:
       - run: 'echo "Skipping example-test"'
 
+  integration-test:
+    runs-on: ubuntu-22.04
+
+    needs:
+      - build-matrix
+
+    strategy:
+      matrix:
+        k8s:
+          - v1.28.0
+          - v1.27.3
+          - v1.26.6
+        example:
+          - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}
+
+    steps:
+      - run: 'echo "Skipping integration-test"'
+
   upgrade-test:
     runs-on: ubuntu-22.04
 

.github/workflows/helm-chart-ci.yaml

@@ -156,7 +156,7 @@ jobs:
           version: ${{ env.CHART_TESTING_VERSION }}
 
       - name: Create kind ${{ matrix.k8s }} cluster
-        uses: helm/kind-action@v1.8.0
+        uses: helm/kind-action@v1.9.0
         # Only build a kind cluster if there are chart changes to test.
         with:
           version: ${{ env.KIND_VERSION }}
@@ -187,16 +187,25 @@ jobs:
       - name: Checkout
         uses: actions/[email protected]
 
-      - id: set-matrix
+      - id: set-matrix-example
         name: Collect all examples
         run: |
           examples="$(find examples -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
           examples_json="$(echo "$examples" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
           echo "${examples_json}"
           echo "examples=$examples_json" >>"$GITHUB_OUTPUT"
 
+      - id: set-matrix-integration
+        name: Collect all integration tests
+        run: |
+          integrationtests="$(find tests/integration -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
+          integrationtests_json="$(echo "$integrationtests" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
+          echo "${integrationtests_json}"
+          echo "integrationtests=$integrationtests_json" >>"$GITHUB_OUTPUT"
+
     outputs:
-      examples: ${{ steps.set-matrix.outputs.examples }}
+      examples: ${{ steps.set-matrix-example.outputs.examples }}
+      integrationtests: ${{ steps.set-matrix-integration.outputs.integrationtests }}
 
   example-test:
     runs-on: ubuntu-22.04
@@ -230,7 +239,7 @@ jobs:
           python-version: ${{ env.PYTHON_VERSION }}
 
       - name: Create kind cluster
-        uses: helm/kind-action@v1.8.0
+        uses: helm/kind-action@v1.9.0
         # Only build a kind cluster if there are chart changes to test.
         with:
           version: ${{ env.KIND_VERSION }}
@@ -240,7 +249,7 @@ jobs:
 
       - name: Install and test example
         run: |
-          if [ "${{ matrix.example }}" = "examples/federation" ]; then
+          if [ "${{ matrix.example }}" = "examples/federation" -o "${{ matrix.example }}" = "examples/nested-full" -o "${{ matrix.example }}" = "examples/nested-security" ]; then
             kubectl create namespace spire-mgmt
             helm install -n spire-mgmt spire-crds charts/spire-crds
           else
@@ -249,6 +258,51 @@ jobs:
           fi
           ${{ matrix.example }}/run-tests.sh
 
+  integration-test:
+    runs-on: ubuntu-22.04
+
+    needs:
+      - lint-chart
+      - build-matrix
+
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s:
+          - v1.28.0
+          - v1.27.3
+          - v1.26.6
+        integrationtest:
+          - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}
+
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+
+      - name: Set up Helm
+        uses: azure/[email protected]
+        with:
+          version: ${{ env.HELM_VERSION }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Create kind cluster
+        uses: helm/[email protected]
+        # Only build a kind cluster if there are chart changes to test.
+        with:
+          version: ${{ env.KIND_VERSION }}
+          node_image: kindest/node:v1.26.4
+          config: .github/kind/conf/kind-config.yaml
+          verbosity: 1
+
+      - name: Install and test integration
+        run: |
+          helm install --create-namespace -n spire-mgmt spire-crds charts/spire-crds
+          ${{ matrix.integrationtest }}/run-tests.sh
+
   upgrade-test:
     runs-on: ubuntu-22.04
 
@@ -279,7 +333,7 @@ jobs:
           python-version: ${{ env.PYTHON_VERSION }}
 
       - name: Create kind cluster
-        uses: helm/kind-action@v1.8.0
+        uses: helm/kind-action@v1.9.0
         # Only build a kind cluster if there are chart changes to test.
         with:
           version: ${{ env.KIND_VERSION }}
@@ -288,4 +342,4 @@ jobs:
           verbosity: 1
 
       - name: Install and test example
-        run: examples/production/run-tests.sh -u
+        run: tests/integration/production/run-tests.sh -u

.github/workflows/helm-release.yaml

@@ -44,7 +44,7 @@ jobs:
           CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v3.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/update-devcontainer-image.yaml

@@ -31,7 +31,7 @@ jobs:
       - name: Install regctl
         uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
       - name: Log in to GHCR
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

charts/spire-crds/Chart.yaml

@@ -3,7 +3,7 @@ name: spire-crds
 description: >
   A Helm chart for deploying the Spire CRDS
 type: application
-version: 0.3.0
+version: 0.4.0
 appVersion: "0.0.1"
 keywords: ["spire-crds"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire

charts/spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml

@@ -64,6 +64,8 @@ spec:
                 type: array
               spiffeID:
                 type: string
+              storeSVID:
+                type: boolean
               x509SVIDTTL:
                 type: string
             required:

charts/spire-nested/.helmignore

@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+ci/