From 6c2b5e64cc59eb29810a6891094dcb5bbe4b2d3a Mon Sep 17 00:00:00 2001 From: "spire-helm-version-checker[bot]" <161522935+spire-helm-version-checker[bot]@users.noreply.github.com> Date: Mon, 3 Jun 2024 06:50:32 -0700 Subject: [PATCH 01/27] Bump test chart dependencies (#376) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com> --- .github/tests/charts.json | 6 +++--- .../spire/charts/spiffe-oidc-discovery-provider/README.md | 8 ++++---- .../charts/spiffe-oidc-discovery-provider/values.yaml | 8 ++++---- charts/spire/charts/spire-agent/README.md | 4 ++-- charts/spire/charts/spire-agent/values.yaml | 4 ++-- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 2 +- charts/spire/charts/tornjak-frontend/README.md | 2 +- charts/spire/charts/tornjak-frontend/values.yaml | 2 +- 9 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index da053ad9c..89b1334c9 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,7 +2,7 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "58.7.2" + "version": "59.1.0" }, { "name": "cert-manager", @@ -17,11 +17,11 @@ { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "11.0.0" + "version": "11.1.0" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "15.4.0" + "version": "15.5.1" } ] diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index ed121b9c6..4495d356d 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -69,7 +69,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from. Only used when TLS is disabled. | `docker.io` | | `insecureScheme.nginx.image.repository` | The repository within the registry. Only used when TLS is disabled. | `nginxinc/nginx-unprivileged` | | `insecureScheme.nginx.image.pullPolicy` | The image pull policy. Only used when TLS is disabled. | `IfNotPresent` | -| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.26.0-alpine` | +| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.27.0-alpine` | | `insecureScheme.nginx.resources` | Resource requests and limits | `{}` | | `jwtIssuer` | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset | `""` | | `config.logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | @@ -99,7 +99,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `telemetry.prometheus.nginxExporter.image.registry` | The OCI registry to pull the image from | `docker.io` | | `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry | `nginx/nginx-prometheus-exporter` | | `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.1.0` | +| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.2.0` | | `telemetry.prometheus.nginxExporter.resources` | Resource requests and limits | `{}` | | `ingress.enabled` | Flag to enable ingress | `false` | | `ingress.className` | Ingress class name | `""` | 
@@ -115,11 +115,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d94454739d8be0239cfe93453df79c88d25d38b7a97084d81a49e9403a90d07c` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:2b9b5da030a36759febd519cbaab5f933de8e4c6eb4ef680b955df568cd96b98` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index b43b3df35..c0b933ada 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
@@ -164,7 +164,7 @@ insecureScheme: registry: docker.io repository: nginxinc/nginx-unprivileged pullPolicy: IfNotPresent - tag: 1.26.0-alpine + tag: 1.27.0-alpine ## @param insecureScheme.nginx.resources Resource requests and limits resources: {} # We usually recommend not to specify default resources and to leave this as a conscious @@ -262,7 +262,7 @@ telemetry: registry: docker.io repository: nginx/nginx-prometheus-exporter pullPolicy: IfNotPresent - tag: "1.1.0" + tag: "1.2.0" ## @param telemetry.prometheus.nginxExporter.resources [object] Resource requests and limits resources: {} @@ -328,7 +328,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + tag: latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038 toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -340,7 +340,7 @@ tests: registry: cgr.dev repository: chainguard/min-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:d94454739d8be0239cfe93453df79c88d25d38b7a97084d81a49e9403a90d07c + tag: latest@sha256:2b9b5da030a36759febd519cbaab5f933de8e4c6eb4ef680b955df568cd96b98 step: ## @param tests.step.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index b609866e1..7b664dbc2 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -70,7 +70,7 @@ A Helm chart to install the SPIRE agent. | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` | | `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s Node Attestor | `true` | 
@@ -108,7 +108,7 @@ A Helm chart to install the SPIRE agent. | `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` | | `socketAlternate.image.pullPolicy` | The image pull policy | `Always` | -| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d` | +| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038` | | `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | | `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index d7f962e5d..1ece27621 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -154,7 +154,7 @@ fsGroupFix: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + tag: latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038 ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} 
@@ -266,7 +266,7 @@ socketAlternate: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + tag: latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038 ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 4536103c1..750ceafbf 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -404,5 +404,5 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038` | | `kubeConfigs` | Manage additional kubeconfig files to talk to external Kubernetes clusters | `{}` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index da3b8a0de..5d603adc8 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml 
@@ -1063,7 +1063,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + tag: latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038 ## @param kubeConfigs [object] Manage additional kubeconfig files to talk to external Kubernetes clusters kubeConfigs: {} diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 0b8a46f5f..6f52e3b56 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -101,4 +101,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index d3f71c59f..8b9f59573 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -162,4 +162,4 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + tag: latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038 From 1dc650f06eb20a907beede75d6a589443e89edd4 Mon Sep 17 00:00:00 2001 
From: Mariusz Sabath Date: Thu, 6 Jun 2024 18:56:15 -0400 Subject: [PATCH 02/27] Apply wildcard for ignoreNamespaces in Controller Manager (#378) * Apply wildcard for ignoreNamespaces in Controller Manager Signed-off-by: Mariusz Sabath * Add the doc updates Signed-off-by: Mariusz Sabath * Update charts/spire/charts/spire-server/values.yaml Co-authored-by: kfox1111 Signed-off-by: Edwin Buck --------- Signed-off-by: Mariusz Sabath Signed-off-by: Edwin Buck Co-authored-by: Edwin Buck Co-authored-by: kfox1111 --- charts/spire/charts/spire-server/README.md | 16 ++--- charts/spire/charts/spire-server/values.yaml | 75 +++++--------------- 2 files changed, 24 insertions(+), 67 deletions(-) diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 750ceafbf..16adcf0f2 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -109,7 +109,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `autoscaling.enabled` | Flag to enable autoscaling | `false` | | `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | | `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `100` | -| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` | +| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization that triggers autoscaling | `80` | | `nodeSelector` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | `{}` | | `tolerations` | List of tolerations | `[]` | | `affinity` | List of node affinities | `{}` | 
@@ -166,8 +166,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `federation.ingress.annotations` | Annotations for the ingress object | `{}` | | `federation.ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server-federation` | | `federation.ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | -| `federation.ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | -| `federation.ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` | +| `federation.ingress.hosts` | Host paths for ingress object. If empty, rules will be built based on the host var. | `[]` | +| `federation.ingress.tls` | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. | `[]` | | `ca_subject.country` | Country for Spire server CA | `ARPA` | | `ca_subject.organization` | Organization for Spire server CA | `Example` | | `ca_subject.common_name` | Common Name for Spire server CA | `example.org` | 
@@ -232,7 +232,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `upstreamAuthority.vault.k8sAuth.token.expiry` | Expiry time in seconds for the token | `7200` | | `notifier.k8sbundle.enabled` | Enable local k8s bundle uploader | `true` | | `notifier.k8sbundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` | -| `notifier.externalK8sBundle.enabled` | Enable exernal k8s bundle uploader | `true` | +| `notifier.externalK8sBundle.enabled` | Enable external k8s bundle uploader | `true` | | `notifier.externalK8sBundle.defaults.namespace` | Namespace to push the bundle into on clusters | `spire-system` | | `notifier.externalK8sBundle.defaults.configMap` | ConfigMap name to push the bundle into on external clusters | `spire-bundle-upstream` | | `notifier.externalK8sBundle.defaults.configMapKey` | ConfigMap key to push the bundle into on external clusters | `bundle.crt` | 
@@ -263,7 +263,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `controllerManager.identities.clusterSPIFFEIDs.default.enabled` | Enable this identity for controller manager | `true` | | `controllerManager.identities.clusterSPIFFEIDs.default.spiffeIDTemplate` | Spiffe ID template for identities | `spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}` | | `controllerManager.identities.clusterSPIFFEIDs.default.podSelector` | Selector for pods to issue identity | `{}` | -| `controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector` | Selector for namespacs to issue identity | `{}` | +| `controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector` | Selector for namespaces to issue identity | `{}` | | `controllerManager.identities.clusterSPIFFEIDs.default.dnsNameTemplates` | DNS name template for issued identities | `[]` | | `controllerManager.identities.clusterSPIFFEIDs.default.federatesWith` | Other Spire server URLs for identity federation | `[]` | | `controllerManager.identities.clusterSPIFFEIDs.default.workloadSelectorTemplates` | Templates to produce selectors that apply to a given workload before it will receive an ID | `[]` | 
@@ -316,8 +316,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `ingress.annotations` | Annotations for the ingress object | `{}` | | `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server` | | `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | -| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | -| `ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` | +| `ingress.hosts` | Host paths for ingress object. If empty, rules will be built based on the host var. | `[]` | +| `ingress.tls` | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. | `[]` | | `extraEnv` | Extra environment variables to add to the spire server | `[]` | | `extraVolumes` | Extra volumes to be mounted | `[]` | | `extraVolumeMounts` | Extra volume mounts | `[]` | 
@@ -369,7 +369,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tornjak.ingress.annotations` | Annotations for Tornjak backend service | `{}` | | `tornjak.ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `tornjak-backend` | | `tornjak.ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` | -| `tornjak.ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` | +| `tornjak.ingress.hosts` | Host paths for ingress object. If empty, rules will be built based on the host var. | `[]` | | `tornjak.ingress.tls` | Secrets containing TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` | | `tornjak.startupProbe.failureThreshold` | Failure threshold count | `3` | | `tornjak.startupProbe.initialDelaySeconds` | Initial delay seconds | `5` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 5d603adc8..65c8c290b 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml @@ -101,7 +101,7 @@ resources: {} ## @param autoscaling.enabled Flag to enable autoscaling ## @param autoscaling.minReplicas Minimum replicas for autoscaling ## @param autoscaling.maxReplicas Maximum replicas for autoscaling -## @param autoscaling.targetCPUUtilizationPercentage Target CPU utlization that triggers autoscaling +## @param autoscaling.targetCPUUtilizationPercentage Target CPU utilization that triggers autoscaling ## autoscaling: enabled: false 
@@ -273,14 +273,14 @@ federation: ## @param federation.ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var. tlsSecret: "" - ## @param federation.ingress.hosts [array] Host paths for ingress object. If emtpy, rules will be built based on the host var. + ## @param federation.ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var. hosts: [] # - host: spire-server-federation.example.org # paths: # - path: / # pathType: Prefix - ## @param federation.ingress.tls [array] Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. + ## @param federation.ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. tls: [] # - hosts: # - spire-server-federation.example.org @@ -446,7 +446,7 @@ notifier: ## @param notifier.k8sbundle.namespace Namespace to push the bundle into, if blank will default to SPIRE Server namespace namespace: "" externalK8sBundle: - ## @param notifier.externalK8sBundle.enabled Enable exernal k8s bundle uploader + ## @param notifier.externalK8sBundle.enabled Enable external k8s bundle uploader enabled: true defaults: ## @param notifier.externalK8sBundle.defaults.namespace Namespace to push the bundle into on clusters 
@@ -540,32 +540,10 @@ controllerManager: - kube-system - kube-public - local-path-storage - # openshift related namespaces that should be typically ignored - - openshift-cluster-node-tuning-operator - - openshift-cluster-samples-operator - - openshift-cluster-storage-operator - - openshift-console-operator - - openshift-console - - openshift-dns - - openshift-dns-operator - - openshift-image-registry - - openshift-ingress - - openshift-kube-storage-version-migrator - - openshift-kube-storage-version-migrator-operator - - openshift-kube-proxy - - openshift-marketplace - - openshift-monitoring - - openshift-multus - - openshift-network-diagnostics - - openshift-network-operator - - openshift-operator-lifecycle-manager - - openshift-roks-metrics - - openshift-service-ca-operator - - openshift-service-ca - # ibmcloud specific namespaces - - ibm-odf-validation-webhook - - ibm-system - + # openshift creates many namespaces that should be typically ignored: + - openshift-* + # ibmcloud specific namespaces: + - ibm-* ## @param controllerManager.reconcile.clusterSPIFFEIDs Enable reconciliation of clusterSPIFFEIDs from K8s to the SPIRE server ## @param controllerManager.reconcile.clusterStaticEntries Enable reconciliation of clusterStaticEntries from K8s to the SPIRE server ## @param controllerManager.reconcile.clusterFederatedTrustDomains Enable reconciliation of clusterFederatedTrustDomains from K8s to the SPIRE server @@ -585,7 +563,7 @@ controllerManager: podSelector: {} # matchLabels: # spiffe.io/spiffe-id: "true" - ## @param controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector [object] Selector for namespacs to issue identity + ## @param controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector [object] Selector for namespaces to issue identity namespaceSelector: {} # matchLabels: # spiffe.io/spiffe-id: "true" 
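Review bot: The two `ignoreNamespaces` hunks in this commit spell the wildcard differently — `openshift-*` / `ibm-*` here, but `openshift-.*` / `ibm-.*` in the `externalControllerManagers.defaults` hunk below — and only one form can be right for whatever matcher the controller manager applies to these entries. If entries are compiled as regular expressions, which the `.*` form suggests, `openshift-*` means "openshift" followed by zero or more hyphens and, left unanchored, also matches a tenant namespace such as `my-openshift-app`, silently excluding its workloads from identity issuance; if entries are globs, the `.*` form below never matches `openshift-dns` because of the literal dot. Use one syntax in both lists and anchor it, e.g. `- ^openshift-.*$` and `- ^ibm-.*$` if they are regexes, and add a comment above the list such as `# entries are matched as <regex|glob> by spire-controller-manager; anchor them to avoid over-matching` (the `## @param controllerManager.ignoreNamespaces` doc line is outside this hunk and should state the same). The `ignoreNamespaces` list starts before this hunk.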
@@ -718,31 +696,10 @@ externalControllerManagers: - kube-system - kube-public - local-path-storage - # openshift related namespaces that should be typically ignored - - openshift-cluster-node-tuning-operator - - openshift-cluster-samples-operator - - openshift-cluster-storage-operator - - openshift-console-operator - - openshift-console - - openshift-dns - - openshift-dns-operator - - openshift-image-registry - - openshift-ingress - - openshift-kube-storage-version-migrator - - openshift-kube-storage-version-migrator-operator - - openshift-kube-proxy - - openshift-marketplace - - openshift-monitoring - - openshift-multus - - openshift-network-diagnostics - - openshift-network-operator - - openshift-operator-lifecycle-manager - - openshift-roks-metrics - - openshift-service-ca-operator - - openshift-service-ca - # ibmcloud specific namespaces - - ibm-odf-validation-webhook - - ibm-system + # openshift creates many namespaces that should be typically ignored: + - openshift-.* + # ibmcloud specific namespaces: + - ibm-.* ## @param externalControllerManagers.defaults.cacheNamespaces [object] If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces. cacheNamespaces: {} 
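Review bot: `openshift-.*` and `ibm-.*` are unanchored, so if the controller manager matches `ignoreNamespaces` entries as regular expressions (as the `.*` form suggests), they match anywhere in the name: a namespace such as `team-ibm-billing` or `app-openshift-demo` would be dropped from reconciliation and its pods would get no SPIFFE ID, with nothing in the chart to warn about it. The explicit list this replaces could not over-match in that way, so the change widens the exclusion set beyond the platform namespaces it names in the comment. Anchor the patterns, `- ^openshift-.*$` and `- ^ibm-.*$`, and keep them byte-identical to the `controllerManager.ignoreNamespaces` list above, which this same commit writes as `openshift-*` / `ibm-*`. The `ignoreNamespaces` list and the enclosing `externalControllerManagers.defaults` mapping start before this hunk.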
@@ -800,14 +757,14 @@ ingress: ## @param ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var. tlsSecret: "" - ## @param ingress.hosts [array] Host paths for ingress object. If emtpy, rules will be built based on the host var. + ## @param ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var. hosts: [] # - host: spire-server.example.org # paths: # - path: / # pathType: Prefix - ## @param ingress.tls [array] Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. + ## @param ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. tls: [] # - secretName: spire-server-tls # hosts: @@ -936,7 +893,7 @@ tornjak: ## @param tornjak.ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var. tlsSecret: "" - ## @param tornjak.ingress.hosts [array] Host paths for ingress object. If emtpy, rules will be built based on the host var. + ## @param tornjak.ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var. hosts: [] # - host: tornjak-backend.example.org # paths: From 4c9059ea524327849a49ff4b189ace99b5bdb621 Mon Sep 17 00:00:00 2001 From: "spire-helm-version-checker[bot]" <161522935+spire-helm-version-checker[bot]@users.noreply.github.com> Date: Mon, 10 Jun 2024 05:24:55 -0700 Subject: [PATCH 03/27] Bump test chart dependencies (#379) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com> --- .github/tests/charts.json | 8 ++++---- .../spire/charts/spiffe-oidc-discovery-provider/README.md | 2 +- .../charts/spiffe-oidc-discovery-provider/values.yaml | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 89b1334c9..f29950353 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,12 +2,12 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "59.1.0" + "version": "60.0.2" }, { "name": "cert-manager", "repo": "https://charts.jetstack.io", - "version": "v1.14.5" + "version": "v1.15.0" }, { "name": "ingress-nginx", @@ -17,11 +17,11 @@ { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "11.1.0" + "version": "11.1.2" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "15.5.1" + "version": "15.5.4" } ] diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 4495d356d..0e5322cb7 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md @@ -119,7 +119,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:2b9b5da030a36759febd519cbaab5f933de8e4c6eb4ef680b955df568cd96b98` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:adcd4e72b5349b99b1f3896c9a05763add513c51ed364134da870c64c1302d8c` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | 
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index c0b933ada..be3d00ea5 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -340,7 +340,7 @@ tests: registry: cgr.dev repository: chainguard/min-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:2b9b5da030a36759febd519cbaab5f933de8e4c6eb4ef680b955df568cd96b98 + tag: latest@sha256:adcd4e72b5349b99b1f3896c9a05763add513c51ed364134da870c64c1302d8c step: ## @param tests.step.image.registry The OCI registry to pull the image from From 2fdebf09a8a09888b994d2b5c627eef764ac8ace Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 13 Jun 2024 03:50:12 +0000 Subject: [PATCH 04/27] Bump helm.sh/helm/v3 from 3.15.1 to 3.15.2 in /tests Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.15.1 to 3.15.2. - [Release notes](https://github.com/helm/helm/releases) - [Commits](https://github.com/helm/helm/compare/v3.15.1...v3.15.2) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- tests/go.mod | 4 ++-- tests/go.sum | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index e292ca58d..1073cf267 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -1,12 +1,12 @@ module github.com/spiffe/helm-charts/tests go 1.21 -toolchain go1.22.2 +toolchain go1.22.3 require ( github.com/onsi/ginkgo/v2 v2.19.0 github.com/onsi/gomega v1.33.1 - helm.sh/helm/v3 v3.15.1 + helm.sh/helm/v3 v3.15.2 ) require ( diff --git a/tests/go.sum b/tests/go.sum index d405560e9..174025bc2 100644 --- a/tests/go.sum +++ b/tests/go.sum 
@@ -201,8 +201,8 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -helm.sh/helm/v3 v3.15.1 h1:22ztacHz4gMqhXNqCQ9NAg6BFWoRUryNLvnkz6OVyw0= -helm.sh/helm/v3 v3.15.1/go.mod h1:fvfoRcB8UKRUV5jrIfOTaN/pG1TPhuqSb56fjYdTKXg= +helm.sh/helm/v3 v3.15.2 h1:/3XINUFinJOBjQplGnjw92eLGpgXXp1L8chWPkCkDuw= +helm.sh/helm/v3 v3.15.2/go.mod h1:FzSIP8jDQaa6WAVg9F+OkKz7J0ZmAga4MABtTbsb9WQ= k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA= k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE= k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs= From 29d4b57373b901bca094a745b72701022b93be22 Mon Sep 17 00:00:00 2001 From: marcofranssen <694733+marcofranssen@users.noreply.github.com> Date: Mon, 17 Jun 2024 08:07:46 +0000 Subject: [PATCH 05/27] Bump test chart dependencies Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .github/tests/charts.json | 4 ++-- charts/spire/charts/spiffe-oidc-discovery-provider/README.md | 4 ++-- .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index f29950353..eeed6d10b 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,7 +2,7 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "60.0.2" + "version": "60.2.0" }, { "name": "cert-manager", @@ -22,6 +22,6 @@ { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "15.5.4" + "version": "15.5.5" } ] 
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 0e5322cb7..25c591def 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md @@ -119,11 +119,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:adcd4e72b5349b99b1f3896c9a05763add513c51ed364134da870c64c1302d8c` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8f4aec5b12ba4783900ad91aa5966cc9176ad4ea240382ecfd84f202fff356d8` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.26.1` | +| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.26.2` | | `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | | `tests.busybox.image.repository` | The repository within the registry | `busybox` | | `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index be3d00ea5..20539ce81 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
@@ -340,7 +340,7 @@ tests:
 registry: cgr.dev
 repository: chainguard/min-toolkit-debug
 pullPolicy: IfNotPresent
- tag: latest@sha256:adcd4e72b5349b99b1f3896c9a05763add513c51ed364134da870c64c1302d8c
+ tag: latest@sha256:8f4aec5b12ba4783900ad91aa5966cc9176ad4ea240382ecfd84f202fff356d8
 step:
 ## @param tests.step.image.registry The OCI registry to pull the image from
@@ -352,7 +352,7 @@ tests:
 registry: "docker.io"
 repository: smallstep/step-cli
 pullPolicy: IfNotPresent
- tag: 0.26.1
+ tag: 0.26.2
 busybox:
 ## @param tests.busybox.image.registry The OCI registry to pull the image from
From f7e0d4b831fe09c257c51bd0810c7039747bf169 Mon Sep 17 00:00:00 2001
From: tuxotron
Date: Mon, 17 Jun 2024 19:56:35 -0400
Subject: [PATCH 06/27] Update _spire-system-namespace.yaml (#381)
set right namespace labels
Signed-off-by: tuxotron
Co-authored-by: kfox1111
---
 .../charts/spire-lib/templates/_spire-system-namespace.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/spire/charts/spire-lib/templates/_spire-system-namespace.yaml b/charts/spire/charts/spire-lib/templates/_spire-system-namespace.yaml
index 2e0c5c2e4..7027e8dc4 100644
--- a/charts/spire/charts/spire-lib/templates/_spire-system-namespace.yaml
+++ b/charts/spire/charts/spire-lib/templates/_spire-system-namespace.yaml
@@ -12,7 +12,7 @@
 {{- $_ := set $labels "security.openshift.io/scc.podSecurityLabelSync" "false" }}
 {{- end }}
 {{- end }}
-{{- $labels = mergeOverwrite $labels .Values.global.spire.namespaces.server.labels }}
+{{- $labels = mergeOverwrite $labels .Values.global.spire.namespaces.system.labels }}
 apiVersion: v1
 kind: Namespace
 metadata:
From 1d2d7550c5c67e9168124e8aa417237d7d9eef45 Mon Sep 17 00:00:00 2001
From: kfox1111
Date: Wed, 19 Jun 2024 12:50:21 -0700
Subject: [PATCH 07/27] Add resource limits for upgrade and delete hook batch jobs (#366)
* Add resource limits for upgrade and delete hook batch jobs
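Review bot: With the key corrected, the `mergeOverwrite` on the new line still lets whatever a user puts in `global.spire.namespaces.system.labels` overwrite the labels the template computed just above it, including the `security.openshift.io/scc.podSecurityLabelSync` label set to `"false"` in the visible context. That precedence is presumably intentional, but nothing in the template says so, and the old `server.labels` typo shows how easily this line is misread; a comment on the line before it such as `{{- /* user-supplied system-namespace labels take precedence over the defaults set above */ }}` would make the merge order explicit. The `$labels` definition and the surrounding `if` blocks start before this hunk.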
Signed-off-by: aniket patel
* Fix value of resource
Signed-off-by: aniket patel
* Fix resource limit in server template
Signed-off-by: aniket patel
* Incorperate feedback
Signed-off-by: Kevin Fox
* Fix up doc comment
Signed-off-by: Kevin Fox
---------
Signed-off-by: aniket patel
Signed-off-by: Kevin Fox
Co-authored-by: aniket patel
---
 charts/spire/README.md | 2 ++
 .../templates/pre-delete-hook.yaml | 4 ++++
 .../templates/post-install-hook.yaml | 4 ++++
 .../templates/post-upgrade-hook.yaml | 4 ++++
 .../templates/pre-delete-hook.yaml | 8 +++++++
 .../templates/pre-upgrade-hook.yaml | 4 ++++
 charts/spire/values.yaml | 24 +++++++++++++++++++
 7 files changed, 50 insertions(+)
diff --git a/charts/spire/README.md b/charts/spire/README.md
index d16af86b0..3335aff71 100644
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
@@ -258,7 +258,9 @@ Now you can interact with the Spire agent socket from your own application. The
 | `global.spire.ingressControllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
 | `global.spire.tools.kubectl.tag` | Set to force the tag to use for all kubectl instances | `""` |
 | `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` |
+| `global.installAndUpgradeHooks.resources` | Resource requests and limits for installAndUpgradeHooks | `{}` |
 | `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` |
+| `global.deleteHooks.resources` | Resource requests and limits for deleteHooks | `{}` |
 ### Spire server parameters
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml
index a2ad605a0..dd64a4a75 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml
@@ -72,4 +72,8 @@ spec:
 - deployment
 - {{ include "spiffe-oidc-discovery-provider.fullname" . }}
 - --wait
+ {{- with (((.Values).global).deleteHooks).resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/templates/post-install-hook.yaml b/charts/spire/charts/spire-server/templates/post-install-hook.yaml
index 3b9bf1b03..4f43dd2e9 100644
--- a/charts/spire/charts/spire-server/templates/post-install-hook.yaml
+++ b/charts/spire/charts/spire-server/templates/post-install-hook.yaml
@@ -85,6 +85,10 @@ spec:
 }
 ]
 }
+ {{- with (((.Values).global).installAndUpgradeHooks).resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml
index 683ba91db..1d6f0a069 100644
--- a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml
+++ b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml
@@ -85,6 +85,10 @@ spec:
 }
 ]
 }
+ {{- with (((.Values).global).installAndUpgradeHooks).resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml b/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml
index 7c4c0e80b..6af0a89c9 100644
--- a/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml
+++ b/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml
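Review bot: The four-line `{{- with (((.Values).global).deleteHooks).resources }} … {{- end }}` block added to this pre-delete hook is repeated verbatim in the post-install-hook.yaml and post-upgrade-hook.yaml hunks on this line and in the spire-server pre-delete-hook.yaml (twice) and pre-upgrade-hook.yaml hunks that follow, differing only in which `global.*Hooks.resources` key is read. A named template in spire-lib, used the way the `spire-lib.securitycontext` include is used in the pre-delete-hook context, would keep the six copies from drifting the next time the indentation or the nil-safe lookup changes. Because of the `with` guard, the default `resources: {}` emits no `resources:` key at all, which is fine by default but worth a one-line comment next to the value so users under a namespace `LimitRange` or `ResourceQuota` know the hook pods get no requests or limits until they set some. The enclosing container spec starts before each of these hunks.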
@@ -77,6 +77,10 @@ spec:
 - {{ include "spire-server.kind" . }}
 - {{ include "spire-server.fullname" . }}
 - --wait
+ {{- with (((.Values).global).deleteHooks).resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 - name: pre-delete-check
 securityContext:
 {{- include "spire-lib.securitycontext" . | nindent 10 }}
@@ -89,6 +93,10 @@ spec:
 - app.kubernetes.io/instance={{ include "spire-server.name" . }},app.kubernetes.io/name={{ .Release.Name }},app.kubernetes.io/component=server
 - -n
 - {{ include "spire-server.namespace" . }}
+ {{- with (((.Values).global).deleteHooks).resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml
index a3a86b6f4..a3258b00c 100644
--- a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml
+++ b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml
@@ -85,6 +85,10 @@ spec:
 }
 ]
 }
+ {{- with (((.Values).global).installAndUpgradeHooks).resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml
index ce3b5391e..fa805b7c4 100644
--- a/charts/spire/values.yaml
+++ b/charts/spire/values.yaml
@@ -89,9 +89,33 @@ global:
 installAndUpgradeHooks:
 ## @param global.installAndUpgradeHooks.enabled Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`)
 enabled: true
+ ## @param global.installAndUpgradeHooks.resources [object] Resource requests and limits for installAndUpgradeHooks
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, copy the following
+ # to your values file and edit as needed.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
 deleteHooks:
 ## @param global.deleteHooks.enabled Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`)
 enabled: true
+ ## @param global.deleteHooks.resources [object] Resource requests and limits for deleteHooks
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, copy the following
+ # to your values file and edit as needed.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
 # telemetry:
 # prometheus:
From 7a0a77b6b8568b7001b2146d037e4fea87e8a786 Mon Sep 17 00:00:00 2001
From: knp-sap <140621443+knp-sap@users.noreply.github.com>
Date: Sun, 23 Jun 2024 18:54:39 +0200
Subject: [PATCH 08/27] Fix host path of "spire-agent-admin-socket-dir" volume (#386)
Signed-off-by: knp-sap <140621443+knp-sap@users.noreply.github.com>
---
 charts/spire/charts/spire-agent/templates/daemonset.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml
index 3a785541f..577d153b7 100644
--- a/charts/spire/charts/spire-agent/templates/daemonset.yaml
+++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml
@@ -251,7 +251,7 @@ spec:
 {{- if .Values.sockets.admin.mountOnHost }}
 - name: spire-agent-admin-socket-dir
 hostPath:
- hostPath: {{ .Values.sockets.hostBasePath }}/{{ if .Values.upstream }}upstream.csi.spiffe.io{{ else }}csi.spiffe.io{{ end }}/admin
+ path: {{ .Values.sockets.hostBasePath }}/{{ if .Values.upstream }}upstream.csi.spiffe.io{{ else }}csi.spiffe.io{{ end }}/admin
 type: DirectoryOrCreate
 {{- else }}
 - name: spire-agent-admin-socket-dir
From fb7fb809fadea42c9f7b27bfe036c39ee7e262ef Mon Sep 17 00:00:00 2001
From: Mariusz Sabath
Date: Sun, 23 Jun 2024 19:29:39 -0400
Subject: [PATCH 09/27] Fix format for ignoreNamespaces (#388)
Signed-off-by: Mariusz Sabath
---
 charts/spire/charts/spire-server/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index 65c8c290b..da5326b7f 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -541,9 +541,9 @@ controllerManager:
 - kube-public
 - local-path-storage
 # openshift creates many namespaces that should be typically ignored:
- - openshift-*
+ - openshift-.*
 # ibmcloud specific namespaces:
- - ibm-*
+ - ibm-.*
 ## @param controllerManager.reconcile.clusterSPIFFEIDs Enable reconciliation of clusterSPIFFEIDs from K8s to the SPIRE server
 ## @param controllerManager.reconcile.clusterStaticEntries Enable reconciliation of clusterStaticEntries from K8s to the SPIRE server
 ## @param controllerManager.reconcile.clusterFederatedTrustDomains Enable reconciliation of clusterFederatedTrustDomains from K8s to the SPIRE server
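Review bot: The `hostPath: hostPath:` nesting that this hunk replaces with `path:` presumably never rendered a valid volume, so the `sockets.admin.mountOnHost: true` branch of the daemonset appears to have no rendered-template coverage; a test case that sets `sockets.admin.mountOnHost: true`, plus one with `upstream: true` to cover the other arm of the inline `{{ if .Values.upstream }}`, would have caught this and guards the path string going forward. Since the volume keeps `type: DirectoryOrCreate`, the admin socket directory is created on the node when absent and is protected only by the host's permissions on `sockets.hostBasePath`; a short comment on the `{{- if .Values.sockets.admin.mountOnHost }}` line, e.g. `{{- /* exposes the agent admin API socket on the node filesystem; protect hostBasePath accordingly */ }}`, would help operators who enable it. The volume list continues outside the hunk.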
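Review bot: The corrected `openshift-.*` and `ibm-.*` entries are regular expressions, but the comments around them only say the namespaces are "ignored", so the next editor is likely to repeat the glob mistake; a comment above the list such as `# entries are regular expressions, not shell globs` would prevent that. If the controller manager matches these patterns unanchored (I cannot confirm that from this hunk), `openshift-.*` also matches a namespace like `my-openshift-app`, and anchoring as `^openshift-` would state the intent exactly. The `ignoreNamespaces` list starts before this hunk.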
From 690429525c2454cf8af573ed1a94171e98f66d3f Mon Sep 17 00:00:00 2001 From: "spire-helm-version-checker[bot]" <161522935+spire-helm-version-checker[bot]@users.noreply.github.com> Date: Mon, 24 Jun 2024 08:20:59 +0000 Subject: [PATCH 10/27] Bump test chart dependencies (#389) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com> --- .github/tests/charts.json | 6 +++--- .../spire/charts/spiffe-oidc-discovery-provider/README.md | 4 ++-- .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 4 ++-- charts/spire/charts/spire-agent/README.md | 4 ++-- charts/spire/charts/spire-agent/values.yaml | 4 ++-- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 2 +- charts/spire/charts/tornjak-frontend/README.md | 2 +- charts/spire/charts/tornjak-frontend/values.yaml | 2 +- 9 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index eeed6d10b..93a3d0237 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,7 +2,7 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "60.2.0" + "version": "60.3.0" }, { "name": "cert-manager", @@ -17,11 +17,11 @@ { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "11.1.2" + "version": "11.1.4" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "15.5.5" + "version": "15.5.9" } ] diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 25c591def..dae07c2fa 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -115,11 +115,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8f4aec5b12ba4783900ad91aa5966cc9176ad4ea240382ecfd84f202fff356d8` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:66387a4dd3ae00ac2de7c3f6716ef947a6b9f9beb5fc242dcc2ce16d1f857a19` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 20539ce81..19f61efea 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
@@ -328,7 +328,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038 + tag: latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770 toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -340,7 +340,7 @@ tests: registry: cgr.dev repository: chainguard/min-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:8f4aec5b12ba4783900ad91aa5966cc9176ad4ea240382ecfd84f202fff356d8 + tag: latest@sha256:66387a4dd3ae00ac2de7c3f6716ef947a6b9f9beb5fc242dcc2ce16d1f857a19 step: ## @param tests.step.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 7b664dbc2..bd2e61c04 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -70,7 +70,7 @@ A Helm chart to install the SPIRE agent. | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` | | `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s Node Attestor | `true` | 
@@ -108,7 +108,7 @@ A Helm chart to install the SPIRE agent. | `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` | | `socketAlternate.image.pullPolicy` | The image pull policy | `Always` | -| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038` | +| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770` | | `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | | `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 1ece27621..b80035c79 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -154,7 +154,7 @@ fsGroupFix: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038 + tag: latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770 ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} 
@@ -266,7 +266,7 @@ socketAlternate: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038 + tag: latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770 ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 16adcf0f2..3d90d15de 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -404,5 +404,5 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770` | | `kubeConfigs` | Manage additional kubeconfig files to talk to external Kubernetes clusters | `{}` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index da5326b7f..216879acf 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml 
@@ -1020,7 +1020,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038 + tag: latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770 ## @param kubeConfigs [object] Manage additional kubeconfig files to talk to external Kubernetes clusters kubeConfigs: {} diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 6f52e3b56..e83d4df41 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -101,4 +101,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 8b9f59573..2c37c5449 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -162,4 +162,4 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:553a2674ec4f7d8a701873c1dcb43138f83e787ac1d17043cba0085ae3bd7038 + tag: latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770 From 08fc5f3d46ef1b71589564da184b70a9ec0b3165 Mon Sep 17 00:00:00 2001 
From: "spire-helm-version-checker[bot]" <161522935+spire-helm-version-checker[bot]@users.noreply.github.com> Date: Mon, 1 Jul 2024 08:20:53 +0000 Subject: [PATCH 11/27] Bump test chart dependencies (#390) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com> --- .github/tests/charts.json | 6 +++--- .../spire/charts/spiffe-oidc-discovery-provider/README.md | 4 ++-- .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 4 ++-- charts/spire/charts/spire-agent/README.md | 4 ++-- charts/spire/charts/spire-agent/values.yaml | 4 ++-- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 2 +- charts/spire/charts/tornjak-frontend/README.md | 2 +- charts/spire/charts/tornjak-frontend/values.yaml | 2 +- 9 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 93a3d0237..b2914c493 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,12 +2,12 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "60.3.0" + "version": "61.1.0" }, { "name": "cert-manager", "repo": "https://charts.jetstack.io", - "version": "v1.15.0" + "version": "v1.15.1" }, { "name": "ingress-nginx", @@ -22,6 +22,6 @@ { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "15.5.9" + "version": "15.5.11" } ] diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index dae07c2fa..cd886224f 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -115,11 +115,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:66387a4dd3ae00ac2de7c3f6716ef947a6b9f9beb5fc242dcc2ce16d1f857a19` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:fb617d005f1b2988d855ba31149c417f61edc9594ffac08a8b0d9fceaca8a3f5` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 19f61efea..c41359ed8 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
@@ -328,7 +328,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770 + tag: latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6 toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -340,7 +340,7 @@ tests: registry: cgr.dev repository: chainguard/min-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:66387a4dd3ae00ac2de7c3f6716ef947a6b9f9beb5fc242dcc2ce16d1f857a19 + tag: latest@sha256:fb617d005f1b2988d855ba31149c417f61edc9594ffac08a8b0d9fceaca8a3f5 step: ## @param tests.step.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index bd2e61c04..9a2b5a4bf 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -70,7 +70,7 @@ A Helm chart to install the SPIRE agent. | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` | | `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s Node Attestor | `true` | 
@@ -108,7 +108,7 @@ A Helm chart to install the SPIRE agent. | `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` | | `socketAlternate.image.pullPolicy` | The image pull policy | `Always` | -| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770` | +| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6` | | `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | | `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index b80035c79..63fe8e67c 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -154,7 +154,7 @@ fsGroupFix: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770 + tag: latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6 ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} 
@@ -266,7 +266,7 @@ socketAlternate: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770 + tag: latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6 ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 3d90d15de..4373c0178 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -404,5 +404,5 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6` | | `kubeConfigs` | Manage additional kubeconfig files to talk to external Kubernetes clusters | `{}` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 216879acf..1f45e8024 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml 
@@ -1020,7 +1020,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770 + tag: latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6 ## @param kubeConfigs [object] Manage additional kubeconfig files to talk to external Kubernetes clusters kubeConfigs: {} diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index e83d4df41..e27820a72 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -101,4 +101,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 2c37c5449..8ebfd2098 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -162,4 +162,4 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:3ac6182f4d9624d844c6c4c0b3b5168eb2bcd8a57fce46d7d3c90fcef2365770 + tag: latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6 From 500fdd9ac34c5a17665ac711952e89232d9c4f9d Mon Sep 17 00:00:00 2001 
From: "spire-helm-version-checker[bot]" <161522935+spire-helm-version-checker[bot]@users.noreply.github.com> Date: Mon, 8 Jul 2024 12:03:03 +0200 Subject: [PATCH 12/27] Bump test chart dependencies (#391) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com> --- .github/tests/charts.json | 6 +++--- .../spire/charts/spiffe-oidc-discovery-provider/README.md | 4 ++-- .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 4 ++-- charts/spire/charts/spire-agent/README.md | 4 ++-- charts/spire/charts/spire-agent/values.yaml | 4 ++-- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 2 +- charts/spire/charts/tornjak-frontend/README.md | 2 +- charts/spire/charts/tornjak-frontend/values.yaml | 2 +- 9 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index b2914c493..387aca845 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,7 +2,7 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "61.1.0" + "version": "61.2.0" }, { "name": "cert-manager", @@ -17,11 +17,11 @@ { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "11.1.4" + "version": "11.1.7" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "15.5.11" + "version": "15.5.14" } ] diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index cd886224f..947a645f9 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -115,11 +115,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:fb617d005f1b2988d855ba31149c417f61edc9594ffac08a8b0d9fceaca8a3f5` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:75a1c6e9737b474e03b56b0d94c36ef932e938220bb5fade61ee5e1d6319c0b2` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index c41359ed8..5bb68ff92 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
@@ -328,7 +328,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6 + tag: latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8 toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -340,7 +340,7 @@ tests: registry: cgr.dev repository: chainguard/min-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:fb617d005f1b2988d855ba31149c417f61edc9594ffac08a8b0d9fceaca8a3f5 + tag: latest@sha256:75a1c6e9737b474e03b56b0d94c36ef932e938220bb5fade61ee5e1d6319c0b2 step: ## @param tests.step.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 9a2b5a4bf..44eb33823 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -70,7 +70,7 @@ A Helm chart to install the SPIRE agent. | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` | | `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s Node Attestor | `true` | 
@@ -108,7 +108,7 @@ A Helm chart to install the SPIRE agent. | `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` | | `socketAlternate.image.pullPolicy` | The image pull policy | `Always` | -| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6` | +| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8` | | `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | | `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 63fe8e67c..1e304b219 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -154,7 +154,7 @@ fsGroupFix: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6 + tag: latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8 ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} 
@@ -266,7 +266,7 @@ socketAlternate: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6 + tag: latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8 ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 4373c0178..892eca751 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -404,5 +404,5 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8` | | `kubeConfigs` | Manage additional kubeconfig files to talk to external Kubernetes clusters | `{}` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 1f45e8024..0263e1b8a 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml 
@@ -1020,7 +1020,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6 + tag: latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8 ## @param kubeConfigs [object] Manage additional kubeconfig files to talk to external Kubernetes clusters kubeConfigs: {} diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index e27820a72..0c82fe37b 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -101,4 +101,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 8ebfd2098..96ae76285 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -162,4 +162,4 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:245a25e5908f7cd5bd009b373b7ff3f1b36848eb4b60495a085053deae2d0ad6 + tag: latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8 From c93ad87c157a29d12b0d7b8491e21c3e11cc5672 Mon Sep 17 00:00:00 2001 
From: Mariusz Sabath Date: Tue, 9 Jul 2024 11:42:27 -0400 Subject: [PATCH 13/27] Add valid kubectl version to examples Signed-off-by: Mariusz Sabath --- charts/spire/README.md | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 3335aff71..bbd20b47c 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -10,6 +10,7 @@ A Helm chart for deploying the complete Spire stack including: spire-server, spi ## Install Instructions ### Non Production + To do a quick install suitable for testing in something like minikube: ```shell @@ -22,6 +23,12 @@ helm upgrade --install -n spire-server spire spire --repo https://spiffe.github. Preparing a production deployment requires a few steps. 1. Save the following to your-values.yaml, ideally in your git repo. + +> [!NOTE] +> Please note that `rancher/kubectl` image does not always correspond to the most +> recent version of Kubernetes. In order to find the most up-to-date version, +> please visit their [releases](https://github.com/rancher/kubectl/releases) page. + ```yaml global: openshift: false # If running on openshift, set to true @@ -38,15 +45,27 @@ global: country: ARPA organization: Example commonName: example.org +spire-server: + tools: + kubectl: + image: + tag: "v1.23.3" +spiffe-oidc-discovery-provider: + tools: + kubectl: + image: + tag: "v1.23.3" ``` 2. If you need a non default storageClass, append the following to the global.spire section and update: + ``` persistence: storageClass: your-storage-class ``` 3. If your Kubernetes cluster is OpenShift based, use the output of the following command to update the trustDomain setting: + ```shell oc get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//' ``` 
@@ -73,7 +92,7 @@ kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeid ## Upgrade notes -We only support upgrading one major/minor version at a time. Version skipping isn't supported. Please see https://spiffe.io/docs/latest/spire-helm-charts-hardened-about/upgrading/ for details. +We only support upgrading one major/minor version at a time. Version skipping isn't supported. Please see for details. ### 0.21.X @@ -98,8 +117,8 @@ setting and waiting for a spire-controller-manager sync. ### 0.18.X -- SPIRE no longer emits x509UniqueIdentifiers in x509-SVIDS by default. The old behavior can be reenabled with spire-server.credentialComposer.uniqueID.enabled=true. See https://github.com/spiffe/spire/pull/4862 for details. -- SPIRE agents will now automatically reattest when they can. The old behavior can be reenabled with spire-agent.disableReattestToRenew=true. See https://github.com/spiffe/spire/pull/4791 for details. +- SPIRE no longer emits x509UniqueIdentifiers in x509-SVIDS by default. The old behavior can be reenabled with spire-server.credentialComposer.uniqueID.enabled=true. See for details. +- SPIRE agents will now automatically reattest when they can. The old behavior can be reenabled with spire-agent.disableReattestToRenew=true. See for details. ### 0.17.X From eb6d89b4727543aa15e36f0d2d155e21fc3f73a2 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 9 Jul 2024 14:08:55 -0400 Subject: [PATCH 14/27] Update charts/spire/README.md Co-authored-by: kfox1111 Signed-off-by: Mariusz Sabath --- charts/spire/README.md | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index bbd20b47c..a5c517ff6 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -45,16 +45,10 @@ global: country: ARPA organization: Example commonName: example.org -spire-server: - tools: - kubectl: - image: - tag: "v1.23.3" -spiffe-oidc-discovery-provider: - tools: - kubectl: - image: - tag: "v1.23.3" +# If rancher/kubectl doesn't have a version that matches your cluster, uncomment and update: +# tools: +# kubectl: +# tag: "v1.23.3" ``` 2. If you need a non default storageClass, append the following to the global.spire section and update: From 9c77280e6ea8e07c5e17ec0a49a5697ac1eda292 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Jul 2024 07:53:04 +0000 Subject: [PATCH 15/27] Bump helm.sh/helm/v3 from 3.15.2 to 3.15.3 in /tests (#395) Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.15.2 to 3.15.3. - [Release notes](https://github.com/helm/helm/releases) - [Commits](https://github.com/helm/helm/compare/v3.15.2...v3.15.3) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/go.mod | 4 ++-- tests/go.sum | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index 1073cf267..44c561cbd 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -1,12 +1,12 @@ module github.com/spiffe/helm-charts/tests go 1.21 -toolchain go1.22.3 +toolchain go1.22.5 require ( github.com/onsi/ginkgo/v2 v2.19.0 github.com/onsi/gomega v1.33.1 - helm.sh/helm/v3 v3.15.2 + helm.sh/helm/v3 v3.15.3 ) require ( diff --git a/tests/go.sum b/tests/go.sum index 174025bc2..06d64975c 100644 --- a/tests/go.sum +++ b/tests/go.sum 
@@ -201,8 +201,8 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -helm.sh/helm/v3 v3.15.2 h1:/3XINUFinJOBjQplGnjw92eLGpgXXp1L8chWPkCkDuw= -helm.sh/helm/v3 v3.15.2/go.mod h1:FzSIP8jDQaa6WAVg9F+OkKz7J0ZmAga4MABtTbsb9WQ= +helm.sh/helm/v3 v3.15.3 h1:HcZDaVFe9uHa6hpsR54mJjYyRy4uz/pc6csg27nxFOc= +helm.sh/helm/v3 v3.15.3/go.mod h1:FzSIP8jDQaa6WAVg9F+OkKz7J0ZmAga4MABtTbsb9WQ= k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA= k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE= k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs= From 199bb6f998ff15d5e6fb10b693d52afc9fb681d9 Mon Sep 17 00:00:00 2001 From: tuxotron Date: Thu, 11 Jul 2024 15:47:57 -0400 Subject: [PATCH 16/27] Add connect by hostname to agent cofigmap (#392) When setting the kubeletConnectByHostname to "true", the charts update the agent daemonset to define the MY_NODE_NAME environment variable, but it doesn't set the "node_name_env" setting in the WorkloadAttestor:k8s plugin, therefore the agent continues trying to connect to the kubelet using the localhost interface Signed-off-by: tuxotron Co-authored-by: kfox1111 --- charts/spire/charts/spire-agent/templates/configmap.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index 6da906918..18c68c9d5 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml 
@@ -116,6 +116,9 @@ plugins:
 disable_container_selectors: {{ .Values.workloadAttestors.k8s.disableContainerSelectors }}
 use_new_container_locator: {{ .Values.workloadAttestors.k8s.useNewContainerLocator }}
 verbose_container_locator_logs: {{ .Values.workloadAttestors.k8s.verboseContainerLocatorLogs }}
+ {{- if eq (include "spire-agent.connect-by-hostname" .) "true" }}
+ node_name_env: "MY_NODE_NAME"
+ {{- end }}
 {{- end }}
 {{- if .Values.workloadAttestors.unix.enabled }}
From c507ee0ea38c87976cc0dbc879f9b677f76a54ec Mon Sep 17 00:00:00 2001
From: "spire-helm-version-checker[bot]" <161522935+spire-helm-version-checker[bot]@users.noreply.github.com>
Date: Mon, 15 Jul 2024 15:14:13 +0200
Subject: [PATCH 17/27] Bump test chart dependencies (#397)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com>
---
 .github/tests/charts.json | 8 ++++----
 .../spire/charts/spiffe-oidc-discovery-provider/README.md | 6 +++---
 .../charts/spiffe-oidc-discovery-provider/values.yaml | 6 +++---
 charts/spire/charts/spire-agent/README.md | 4 ++--
 charts/spire/charts/spire-agent/values.yaml | 4 ++--
 charts/spire/charts/spire-server/README.md | 2 +-
 charts/spire/charts/spire-server/values.yaml | 2 +-
 charts/spire/charts/tornjak-frontend/README.md | 2 +-
 charts/spire/charts/tornjak-frontend/values.yaml | 2 +-
 9 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/.github/tests/charts.json b/.github/tests/charts.json
index 387aca845..36c182764 100644
--- a/.github/tests/charts.json
+++ b/.github/tests/charts.json
@@ -2,7 +2,7 @@
 {
 "name": "kube-prometheus-stack",
 "repo": "https://prometheus-community.github.io/helm-charts",
- "version": "61.2.0"
+ "version": "61.3.1"
 },
 {
 "name": "cert-manager",
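Review bot: The new `node_name_env: "MY_NODE_NAME"` is a bare literal that silently couples this template to the `MY_NODE_NAME` env var the daemonset template injects (the commit message describes that coupling, but nothing in the rendered config does), so a rename on either side would put the attestor back on the localhost path without any template error. A template comment above the `{{- if eq (include "spire-agent.connect-by-hostname" .) "true" }}` line would make the contract explicit, e.g. `{{- /* Must match the MY_NODE_NAME env var set on the agent container in daemonset.yaml; the k8s workload attestor uses that node name as the kubelet host and, presumably, as the name the kubelet serving certificate is verified against, so keep the two in sync. */}}`. It is also worth confirming against the SPIRE k8s workload attestor docs whether `node_name_env` already defaults to `MY_NODE_NAME`; if it does, this line is a no-op and the localhost fallback reported in #392 has another cause. The `{{- if ... }}` block closed by the trailing context `{{- end }}` begins outside the hunk.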
@@ -12,16 +12,16 @@ { "name": "ingress-nginx", "repo": "https://kubernetes.github.io/ingress-nginx", - "version": "4.10.1" + "version": "4.11.0" }, { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "11.1.7" + "version": "11.1.9" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "15.5.14" + "version": "15.5.16" } ] diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 947a645f9..7fdac1464 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -115,15 +115,15 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:75a1c6e9737b474e03b56b0d94c36ef932e938220bb5fade61ee5e1d6319c0b2` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:b84995d261e6a73359954fdd509ff0ad97374cf4d813da0b0fb25149b40d663f` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.26.2` | +| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.27.1` | | `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | | `tests.busybox.image.repository` | The repository within the registry | `busybox` | | `tests.busybox.image.pullPolicy` | The image pull 
policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 5bb68ff92..4619acd1f 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -328,7 +328,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8 + tag: latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795 toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -340,7 +340,7 @@ tests: registry: cgr.dev repository: chainguard/min-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:75a1c6e9737b474e03b56b0d94c36ef932e938220bb5fade61ee5e1d6319c0b2 + tag: latest@sha256:b84995d261e6a73359954fdd509ff0ad97374cf4d813da0b0fb25149b40d663f step: ## @param tests.step.image.registry The OCI registry to pull the image from @@ -352,7 +352,7 @@ tests: registry: "docker.io" repository: smallstep/step-cli pullPolicy: IfNotPresent - tag: 0.26.2 + tag: 0.27.1 busybox: ## @param tests.busybox.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 44eb33823..64576ced9 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -70,7 +70,7 @@ A Helm chart to install the SPIRE agent. | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | -| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` | | `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s Node Attestor | `true` | 
@@ -108,7 +108,7 @@ A Helm chart to install the SPIRE agent. | `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` | | `socketAlternate.image.pullPolicy` | The image pull policy | `Always` | -| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8` | +| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795` | | `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | | `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 1e304b219..1112b5c52 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -154,7 +154,7 @@ fsGroupFix: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8 + tag: latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795 ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} 
@@ -266,7 +266,7 @@ socketAlternate: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8 + tag: latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795 ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 892eca751..00dba3fa5 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -404,5 +404,5 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795` | | `kubeConfigs` | Manage additional kubeconfig files to talk to external Kubernetes clusters | `{}` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 0263e1b8a..c090671bb 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml 
@@ -1020,7 +1020,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8 + tag: latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795 ## @param kubeConfigs [object] Manage additional kubeconfig files to talk to external Kubernetes clusters kubeConfigs: {} diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 0c82fe37b..f8582e9da 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -101,4 +101,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 96ae76285..6e2de7b37 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -162,4 +162,4 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:83497b23e6e94c48b7f446131d82dbbc88ed60d854727ab2b42cb04251ed88e8 + tag: latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795 From 741cd9c6b45dde48d066d5ca7da4f66d7e5bcc76 Mon Sep 17 00:00:00 2001 
From: "spire-helm-version-checker[bot]" <161522935+spire-helm-version-checker[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 07:41:57 -0700 Subject: [PATCH 18/27] Bump test chart dependencies (#398) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com> --- .github/tests/charts.json | 8 ++++---- .../spire/charts/spiffe-oidc-discovery-provider/README.md | 4 ++-- .../charts/spiffe-oidc-discovery-provider/values.yaml | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 36c182764..3f2707314 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,7 +2,7 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "61.3.1" + "version": "61.3.2" }, { "name": "cert-manager", @@ -12,16 +12,16 @@ { "name": "ingress-nginx", "repo": "https://kubernetes.github.io/ingress-nginx", - "version": "4.11.0" + "version": "4.11.1" }, { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "11.1.9" + "version": "11.1.10" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "15.5.16" + "version": "15.5.17" } ] diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 7fdac1464..d139a3ab1 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -119,11 +119,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:b84995d261e6a73359954fdd509ff0ad97374cf4d813da0b0fb25149b40d663f` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:45d5c11bdf33badec9b812acc82cefec7efbf3830b16a779d41ba3a22151b68c` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.27.1` | +| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.27.2` | | `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | | `tests.busybox.image.repository` | The repository within the registry | `busybox` | | `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 4619acd1f..972a541e0 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
@@ -340,7 +340,7 @@ tests: registry: cgr.dev repository: chainguard/min-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:b84995d261e6a73359954fdd509ff0ad97374cf4d813da0b0fb25149b40d663f + tag: latest@sha256:45d5c11bdf33badec9b812acc82cefec7efbf3830b16a779d41ba3a22151b68c step: ## @param tests.step.image.registry The OCI registry to pull the image from @@ -352,7 +352,7 @@ tests: registry: "docker.io" repository: smallstep/step-cli pullPolicy: IfNotPresent - tag: 0.27.1 + tag: 0.27.2 busybox: ## @param tests.busybox.image.registry The OCI registry to pull the image from From c3d1d39ed700ab9d07efcaad9c4dd35506d51ea3 Mon Sep 17 00:00:00 2001 From: kfox1111 Date: Wed, 24 Jul 2024 12:19:06 -0700 Subject: [PATCH 19/27] Update to SPIRE 1.10.0 (#393) * Update to SPIRE 1.10.0 Remove the options that were removed in 1.10, and update. Signed-off-by: Kevin Fox * Update docs Signed-off-by: Kevin Fox * Fix uid mismatch issue on 1.10.0+ Signed-off-by: Kevin Fox --------- Signed-off-by: Kevin Fox Co-authored-by: Faisal Memon --- charts/spire-nested/Chart.yaml | 2 +- charts/spire-nested/README.md | 2 +- charts/spire/Chart.yaml | 2 +- charts/spire/README.md | 2 +- .../spiffe-oidc-discovery-provider/Chart.yaml | 2 +- .../templates/_helpers.tpl | 14 ++++++++++++++ .../templates/deployment.yaml | 2 +- charts/spire/charts/spire-agent/Chart.yaml | 2 +- charts/spire/charts/spire-agent/README.md | 1 - .../charts/spire-agent/templates/configmap.yaml | 3 --- charts/spire/charts/spire-agent/values.yaml | 3 --- charts/spire/charts/spire-server/Chart.yaml | 2 +- .../charts/spire-server/templates/configmap.yaml | 2 -- 13 files changed, 22 insertions(+), 17 deletions(-) diff --git a/charts/spire-nested/Chart.yaml b/charts/spire-nested/Chart.yaml index cbe023d79..ac2b4c29e 100644 --- a/charts/spire-nested/Chart.yaml +++ b/charts/spire-nested/Chart.yaml 
@@ -4,7 +4,7 @@ description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application version: 0.21.0 -appVersion: "1.9.6" +appVersion: "1.10.0" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire-nested/README.md b/charts/spire-nested/README.md index e56278dde..ddf65912f 100644 --- a/charts/spire-nested/README.md +++ b/charts/spire-nested/README.md @@ -1,6 +1,6 @@ # spire -![Version: 0.21.0](https://img.shields.io/badge/Version-0.21.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.6](https://img.shields.io/badge/AppVersion-1.9.6-informational?style=flat-square) +![Version: 0.21.0](https://img.shields.io/badge/Version-0.21.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 54c80a890..980125d0e 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml 
@@ -4,7 +4,7 @@ description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application version: 0.21.0 -appVersion: "1.9.6" +appVersion: "1.10.0" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire/README.md b/charts/spire/README.md index a5c517ff6..aeea71ca9 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -1,6 +1,6 @@ # spire -![Version: 0.21.0](https://img.shields.io/badge/Version-0.21.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.6](https://img.shields.io/badge/AppVersion-1.9.6-informational?style=flat-square) +![Version: 0.21.0](https://img.shields.io/badge/Version-0.21.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml index 0416195e1..c3077e6ab 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml 
@@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider
 description: A Helm chart to install the SPIFFE OIDC discovery provider.
 type: application
 version: 0.1.0
-appVersion: "1.9.6"
+appVersion: "1.10.0"
 keywords: ["spiffe", "oidc"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl
index 7780aa725..4f0500c54 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl
@@ -99,3 +99,17 @@ Create the name of the service account to use
 {{- false }}
 {{- end }}
 {{- end }}
+
+{{- define "spiffe-oidc-discovery-provider.podSecurityContext" -}}
+{{- $podSecurityContext := include "spire-lib.podsecuritycontext" . | fromYaml }}
+{{- $openshift := ((.Values).global).openshift | default false }}
+{{- if and .Values.tls.spire.enabled (not $openshift) }}
+{{- if not (hasKey $podSecurityContext "runAsUser") }}
+{{- $_ := set $podSecurityContext "runAsUser" 1000 }}
+{{- end }}
+{{- if not (hasKey $podSecurityContext "runAsGroup") }}
+{{- $_ := set $podSecurityContext "runAsGroup" 1000 }}
+{{- end }}
+{{- end }}
+{{- toYaml $podSecurityContext }}
+{{- end }}
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
index 407e39b3d..3e99bb26d 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
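Review bot: The new `spiffe-oidc-discovery-provider.podSecurityContext` helper hard-codes `1000` for `runAsUser` and `runAsGroup` with no comment saying what that UID/GID must match, so a later reader cannot tell whether it has to track the image's built-in user or the init container that handles the SPIRE-issued certificates; the commit message only says "Fix uid mismatch issue on 1.10.0+". A short `{{/* ... */}}` comment above the define, along the lines of `{{/* When TLS via SPIRE is enabled, pin a fixed UID/GID so the containers in the pod agree on file ownership; skipped on OpenShift, which presumably assigns the UID via its SCC. */}}` — with the actual reason confirmed by the author — would make the intent and the OpenShift exclusion auditable. Because the helper only sets the keys when `hasKey` reports them absent, a user-supplied `runAsUser`/`runAsGroup` in `spire-lib.podsecuritycontext` takes precedence, which is sensible but should be stated in the values documentation for `tls.spire.enabled`. The helper is consumed at the `securityContext` line of deployment.yaml in the following hunk.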
@@ -37,7 +37,7 @@ spec:
 {{- end }}
 serviceAccountName: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}
 securityContext:
- {{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
+ {{- include "spiffe-oidc-discovery-provider.podSecurityContext" . | nindent 8 }}
 initContainers:
 {{- if .Values.tls.spire.enabled }}
 - name: init
diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml
index d087332d8..9ae254d94 100644
--- a/charts/spire/charts/spire-agent/Chart.yaml
+++ b/charts/spire/charts/spire-agent/Chart.yaml
@@ -3,7 +3,7 @@ name: spire-agent
 description: A Helm chart to install the SPIRE agent.
 type: application
 version: 0.1.0
-appVersion: "1.9.6"
+appVersion: "1.10.0"
 keywords: ["spiffe", "spire-agent"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md
index 64576ced9..59e664fcd 100644
--- a/charts/spire/charts/spire-agent/README.md
+++ b/charts/spire/charts/spire-agent/README.md
@@ -55,7 +55,6 @@ A Helm chart to install the SPIRE agent.
 | `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `pem` |
 | `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` |
 | `availabilityTarget` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. | `""` |
-| `disableReattestToRenew` | Deprecated: Allow agent to renew certificate when it expires rather than reattest | `false` |
 | `server.address` | Address for Spire server | `""` |
 | `server.port` | Port number for Spire server | `443` |
 | `server.namespaceOverride` | Override the namespace for Spire server | `""` |
diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index 18c68c9d5..defc046cb 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -25,9 +25,6 @@ {{- end }} {{- define "spire-agent.yaml-config" -}} agent: - {{- if .Values.disableReattestToRenew }} - disable_reattest_to_renew: true - {{- end }} {{- if .Values.sockets.admin.enabled }} admin_socket_dir: /tmp/spire-agent/private/admin.sock {{- end }} diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 1112b5c52..11b345ec1 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -100,9 +100,6 @@ bundleConfigMap: spire-bundle ## @param availabilityTarget The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. availabilityTarget: "" -## @param disableReattestToRenew Deprecated: Allow agent to renew certificate when it expires rather than reattest -disableReattestToRenew: false - ## @skip upstream upstream: false diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml index 62c510fbe..7fa03269f 100644 --- a/charts/spire/charts/spire-server/Chart.yaml +++ b/charts/spire/charts/spire-server/Chart.yaml @@ -3,7 +3,7 @@ name: spire-server description: A Helm chart to install the SPIRE server. type: application version: 0.1.0 -appVersion: "1.9.6" +appVersion: "1.10.0" keywords: ["spiffe", "spire-server", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml index bdd9d8fc0..0744d9d95 100644 
--- a/charts/spire/charts/spire-server/templates/configmap.yaml +++ b/charts/spire/charts/spire-server/templates/configmap.yaml @@ -200,8 +200,6 @@ plugins: key_identifier_file: "/run/spire/data/aws-kms-key-identifier" {{- else if eq (.keyIdentifierValue.enabled | toString) "true" }} key_identifier_value: {{ .keyIdentifierValue.identifier | quote }} - {{- else }} - key_metadata_file: "/run/spire/data/aws-kms-key-metadata" {{- end }} {{- if ne .accessKeyID "" }} access_key_id: "${AWS_KMS_ACCESS_KEY_ID}" From 6f38f525c856e35ce3d7d9772e433d24a05b2d92 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Jul 2024 07:33:26 -0700 Subject: [PATCH 20/27] Bump github.com/onsi/gomega from 1.33.1 to 1.34.0 in /tests (#400) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.33.1 to 1.34.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.33.1...v1.34.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/go.mod | 4 ++-- tests/go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index 44c561cbd..49808679a 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -5,7 +5,7 @@ toolchain go1.22.5 require ( github.com/onsi/ginkgo/v2 v2.19.0 - github.com/onsi/gomega v1.33.1 + github.com/onsi/gomega v1.34.0 helm.sh/helm/v3 v3.15.3 ) 
@@ -55,7 +55,7 @@ require ( golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.21.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/protobuf v1.33.0 // indirect + google.golang.org/protobuf v1.34.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/tests/go.sum b/tests/go.sum index 06d64975c..37ed8d5d7 100644 --- a/tests/go.sum +++ b/tests/go.sum @@ -85,8 +85,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= -github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= -github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= +github.com/onsi/gomega v1.34.0 h1:eSSPsPNp6ZpsG8X1OVmOTxig+CblTc4AxpPBykhe2Os= +github.com/onsi/gomega v1.34.0/go.mod h1:MIKI8c+f+QLWk+hxbePD4i0LMJSExPaZOVfkoex4cAo= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 
@@ -185,8 +185,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= -google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= +google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= From 6679846c29e1c3905b922d772767c51c2d9b34a3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 05:35:35 -0700 Subject: [PATCH 21/27] Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in /tests (#401) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.19.0 to 2.19.1. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.19.0...v2.19.1) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/go.mod | 6 +++--- tests/go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/tests/go.mod b/tests/go.mod index 49808679a..4c8b360b6 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -4,7 +4,7 @@ go 1.21 toolchain go1.22.5 require ( - github.com/onsi/ginkgo/v2 v2.19.0 + github.com/onsi/ginkgo/v2 v2.19.1 github.com/onsi/gomega v1.34.0 helm.sh/helm/v3 v3.15.3 ) @@ -17,7 +17,7 @@ require ( github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect - github.com/go-logr/logr v1.4.1 // indirect + github.com/go-logr/logr v1.4.2 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect github.com/go-openapi/swag v0.22.3 // indirect @@ -49,7 +49,7 @@ require ( golang.org/x/crypto v0.23.0 // indirect golang.org/x/net v0.25.0 // indirect golang.org/x/oauth2 v0.10.0 // indirect - golang.org/x/sys v0.20.0 // indirect + golang.org/x/sys v0.21.0 // indirect golang.org/x/term v0.20.0 // indirect golang.org/x/text v0.15.0 // indirect golang.org/x/time v0.3.0 // indirect diff --git a/tests/go.sum b/tests/go.sum index 37ed8d5d7..a056b8400 100644 --- a/tests/go.sum +++ b/tests/go.sum 
@@ -19,8 +19,8 @@ github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE= github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps= -github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= -github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= 
@@ -83,8 +83,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= -github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= +github.com/onsi/ginkgo/v2 v2.19.1 h1:QXgq3Z8Crl5EL1WBAC98A5sEBHARrAJNzAmMxzLcRF0= +github.com/onsi/ginkgo/v2 v2.19.1/go.mod h1:O3DtEWQkPa/F7fBMgmZQKKsluAy8pd3rEQdrjkPb9zA= github.com/onsi/gomega v1.34.0 h1:eSSPsPNp6ZpsG8X1OVmOTxig+CblTc4AxpPBykhe2Os= github.com/onsi/gomega v1.34.0/go.mod h1:MIKI8c+f+QLWk+hxbePD4i0LMJSExPaZOVfkoex4cAo= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 
@@ -156,8 +156,8 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= -golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= +golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= From 6240c0b08ca9148baee97c6e8630d1c051455563 Mon Sep 17 00:00:00 2001 From: "spire-helm-version-checker[bot]" <161522935+spire-helm-version-checker[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 12:57:07 +0000 Subject: [PATCH 22/27] Bump test chart dependencies (#402) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com> Co-authored-by: kfox1111 --- .github/tests/charts.json | 6 +++--- .../spire/charts/spiffe-oidc-discovery-provider/README.md | 6 +++--- .../spire/charts/spiffe-oidc-discovery-provider/values.yaml | 6 +++--- charts/spire/charts/spire-agent/README.md | 4 ++-- charts/spire/charts/spire-agent/values.yaml | 4 ++-- charts/spire/charts/spire-server/README.md | 2 +- charts/spire/charts/spire-server/values.yaml | 2 +- charts/spire/charts/tornjak-frontend/README.md | 2 +- charts/spire/charts/tornjak-frontend/values.yaml | 2 +- 9 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 3f2707314..3929f8a24 100644 --- a/.github/tests/charts.json +++ b/.github/tests/charts.json @@ -2,7 +2,7 @@ { "name": "kube-prometheus-stack", "repo": "https://prometheus-community.github.io/helm-charts", - "version": "61.3.2" + "version": "61.5.0" }, { "name": "cert-manager", @@ -17,11 +17,11 @@ { "name": "mysql", "repo": "https://charts.bitnami.com/bitnami", - "version": "11.1.10" + "version": "11.1.14" }, { "name": "postgresql", "repo": "https://charts.bitnami.com/bitnami", - "version": "15.5.17" + "version": "15.5.20" } ] diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index d139a3ab1..5026012b5 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -99,7 +99,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | `telemetry.prometheus.nginxExporter.image.registry` | The OCI registry to pull the image from | `docker.io` |
 | `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry | `nginx/nginx-prometheus-exporter` |
 | `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.2.0` |
+| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.3.0` |
 | `telemetry.prometheus.nginxExporter.resources` | Resource requests and limits | `{}` |
 | `ingress.enabled` | Flag to enable ingress | `false` |
 | `ingress.className` | Ingress class name | `""` |
@@ -115,11 +115,11 @@ A Helm chart to install the SPIFFE OIDC discovery provider. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:45d5c11bdf33badec9b812acc82cefec7efbf3830b16a779d41ba3a22151b68c` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:7f6d87d080ccae67e0eccf1c46ce199cfe41fa972a42c3d2261cf67bb0d1212e` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index 972a541e0..60146aec3 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
@@ -262,7 +262,7 @@ telemetry: registry: docker.io repository: nginx/nginx-prometheus-exporter pullPolicy: IfNotPresent - tag: "1.2.0" + tag: "1.3.0" ## @param telemetry.prometheus.nginxExporter.resources [object] Resource requests and limits resources: {} @@ -328,7 +328,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795 + tag: latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from @@ -340,7 +340,7 @@ tests: registry: cgr.dev repository: chainguard/min-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:45d5c11bdf33badec9b812acc82cefec7efbf3830b16a779d41ba3a22151b68c + tag: latest@sha256:7f6d87d080ccae67e0eccf1c46ce199cfe41fa972a42c3d2261cf67bb0d1212e step: ## @param tests.step.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 59e664fcd..f8608898e 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -69,7 +69,7 @@ A Helm chart to install the SPIRE agent.
 | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` |
 | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` |
-| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795` |
+| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd` |
 | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
 | `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` |
 | `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s Node Attestor | `true` |
@@ -107,7 +107,7 @@ A Helm chart to install the SPIRE agent. | `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` | | `socketAlternate.image.pullPolicy` | The image pull policy | `Always` | -| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795` | +| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd` | | `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | | `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 11b345ec1..03cd01ca6 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -151,7 +151,7 @@ fsGroupFix: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795 + tag: latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} 
@@ -263,7 +263,7 @@ socketAlternate: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795 + tag: latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 00dba3fa5..acc1c1491 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md @@ -404,5 +404,5 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd` | | `kubeConfigs` | Manage additional kubeconfig files to talk to external Kubernetes clusters | `{}` | diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index c090671bb..fc0683b35 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml 
@@ -1020,7 +1020,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795 + tag: latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd ## @param kubeConfigs [object] Manage additional kubeconfig files to talk to external Kubernetes clusters kubeConfigs: {} diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index f8582e9da..3f0eb76e1 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md @@ -101,4 +101,4 @@ port forwarding. See the chart NOTES output for more details. | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index 6e2de7b37..c3d5c91fa 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml @@ -162,4 +162,4 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:3de8ff456cd174ffff02585516924a1b29f439f7af6cbbee786d259fa1170795 + tag: latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd From 0fd587a7ad9a2e19cacc7aeb4791d5f4335a70e5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Jul 2024 08:42:06 -0700 Subject: [PATCH 23/27] Bump github.com/onsi/gomega from 1.34.0 to 1.34.1 in /tests (#403) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.34.0 to 1.34.1. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.34.0...v1.34.1) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/go.mod | 15 ++++++++------- tests/go.sum | 30 ++++++++++++++++-------------- 2 files changed, 24 insertions(+), 21 deletions(-) diff --git a/tests/go.mod b/tests/go.mod index 4c8b360b6..aee4c61c6 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -5,7 +5,7 @@ toolchain go1.22.5 require ( github.com/onsi/ginkgo/v2 v2.19.1 - github.com/onsi/gomega v1.34.0 + github.com/onsi/gomega v1.34.1 helm.sh/helm/v3 v3.15.3 ) 
@@ -46,14 +46,15 @@ require (
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/xeipuuv/gojsonschema v1.2.0 // indirect
- golang.org/x/crypto v0.23.0 // indirect
- golang.org/x/net v0.25.0 // indirect
+ golang.org/x/crypto v0.25.0 // indirect
+ golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+ golang.org/x/net v0.27.0 // indirect
 golang.org/x/oauth2 v0.10.0 // indirect
- golang.org/x/sys v0.21.0 // indirect
- golang.org/x/term v0.20.0 // indirect
- golang.org/x/text v0.15.0 // indirect
+ golang.org/x/sys v0.22.0 // indirect
+ golang.org/x/term v0.22.0 // indirect
+ golang.org/x/text v0.16.0 // indirect
 golang.org/x/time v0.3.0 // indirect
- golang.org/x/tools v0.21.0 // indirect
+ golang.org/x/tools v0.23.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
 google.golang.org/protobuf v1.34.1 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
diff --git a/tests/go.sum b/tests/go.sum
index a056b8400..79e7bad71 100644
--- a/tests/go.sum
+++ b/tests/go.sum
@@ -85,8 +85,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onsi/ginkgo/v2 v2.19.1 h1:QXgq3Z8Crl5EL1WBAC98A5sEBHARrAJNzAmMxzLcRF0= github.com/onsi/ginkgo/v2 v2.19.1/go.mod h1:O3DtEWQkPa/F7fBMgmZQKKsluAy8pd3rEQdrjkPb9zA= -github.com/onsi/gomega v1.34.0 h1:eSSPsPNp6ZpsG8X1OVmOTxig+CblTc4AxpPBykhe2Os= -github.com/onsi/gomega v1.34.0/go.mod h1:MIKI8c+f+QLWk+hxbePD4i0LMJSExPaZOVfkoex4cAo= +github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= +github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 
@@ -127,8 +127,10 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= -golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= +golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= +golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 
@@ -140,8 +142,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= -golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= +golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= +golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -156,20 +158,20 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= +golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= -golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= +golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= +golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= -golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= +golang.org/x/text v0.16.0/go.mod 
h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -177,8 +179,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw= -golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= +golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From 1ca738fedcbdd03cd6562c80447fb967dea0fa96 Mon Sep 17 00:00:00 2001 From: "spire-helm-version-checker[bot]" <161522935+spire-helm-version-checker[bot]@users.noreply.github.com> Date: Mon, 5 Aug 2024 10:45:15 -0700 Subject: [PATCH 24/27] Bump test chart dependencies (#404) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com> --- .github/tests/charts.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/tests/charts.json b/.github/tests/charts.json index 3929f8a24..cd9628467 100644 
--- a/.github/tests/charts.json
+++ b/.github/tests/charts.json
@@ -2,12 +2,12 @@
 {
 "name": "kube-prometheus-stack",
 "repo": "https://prometheus-community.github.io/helm-charts",
- "version": "61.5.0"
+ "version": "61.7.0"
 },
 {
 "name": "cert-manager",
 "repo": "https://charts.jetstack.io",
- "version": "v1.15.1"
+ "version": "v1.15.2"
 },
 {
 "name": "ingress-nginx",
From 82a6d5d4106ffc799f999a82839779d083058751 Mon Sep 17 00:00:00 2001
From: Ben Leggett <854255+bleggett@users.noreply.github.com>
Date: Mon, 5 Aug 2024 18:49:01 -0400
Subject: [PATCH 25/27] Should be `admin_socket_path` not `admin_socket_dir` (#407)
Signed-off-by: Benjamin Leggett
---
 charts/spire/charts/spire-agent/templates/configmap.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml
index defc046cb..1d3aab620 100644
--- a/charts/spire/charts/spire-agent/templates/configmap.yaml
+++ b/charts/spire/charts/spire-agent/templates/configmap.yaml
@@ -26,7 +26,7 @@
 {{- define "spire-agent.yaml-config" -}}
 agent:
 {{- if .Values.sockets.admin.enabled }}
- admin_socket_dir: /tmp/spire-agent/private/admin.sock
+ admin_socket_path: /tmp/spire-agent/private/admin.sock
 {{- end }}
 {{- with .Values.authorizedDelegates }}
 authorized_delegates:
From b4d4d901b93faff2293515625dfe7bbc7c10d4e2 Mon Sep 17 00:00:00 2001
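Review bot: The corrected key `admin_socket_path` is emitted only under `.Values.sockets.admin.enabled`, and nothing in the template records that the name must match the SPIRE agent's configuration option, which is presumably how the old `admin_socket_dir` shipped without any rendering error. A template comment above the `if`, e.g. `{{- /* key name must match the spire-agent config option admin_socket_path; Helm does not validate rendered keys */ -}}`, would document that contract, and a rendered-template test that enables `sockets.admin` and asserts this exact line is present would catch the key drifting again. The `spire-agent.yaml-config` define starts in this hunk but continues past it.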
From: Faisal Memon
Date: Tue, 6 Aug 2024 08:28:22 -0700
Subject: [PATCH 26/27] Bump spire Helm Chart version from 0.21.0 to 0.21.1 (#409)
* 82a6d5d Should be `admin_socket_path` not `admin_socket_dir` (#407)
* 6240c0b Bump test chart dependencies (#402)
* c3d1d39 Update to SPIRE 1.10.0 (#393)
* 741cd9c Bump test chart dependencies (#398)
* c507ee0 Bump test chart dependencies (#397)
* 199bb6f Add connect by hostname to agent cofigmap (#392)
* eb6d89b Update charts/spire/README.md
* c93ad87 Add valid kubectl version to examples
* 500fdd9 Bump test chart dependencies (#391)
* 08fc5f3 Bump test chart dependencies (#390)
* 6904295 Bump test chart dependencies (#389)
* fb7fb80 Fix format for ignoreNamespaces (#388)
* 7a0a77b Fix host path of "spire-agent-admin-socket-dir" volume (#386)
* 1d2d755 Add resource limits for upgrade and delete hook batch jobs (#366)
* f7e0d4b Update _spire-system-namespace.yaml (#381)
* 29d4b57 Bump test chart dependencies
* 4c9059e Bump test chart dependencies (#379)
* 1dc650f Apply wildcard for ignoreNamespaces in Controller Manager (#378)
* 6c2b5e6 Bump test chart dependencies (#376)
Signed-off-by: Faisal Memon
---
 charts/spire/Chart.yaml | 2 +-
 charts/spire/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml
index 980125d0e..2ead16ff0 100644
--- a/charts/spire/Chart.yaml
+++ b/charts/spire/Chart.yaml
@@ -3,7 +3,7 @@ name: spire
 description: >
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.21.0
+version: 0.21.1
 appVersion: "1.10.0"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
diff --git a/charts/spire/README.md b/charts/spire/README.md
index aeea71ca9..3b1e89374 100644
--- a/charts/spire/README.md +++ b/charts/spire/README.md @@ -1,6 +1,6 @@ # spire -![Version: 0.21.0](https://img.shields.io/badge/Version-0.21.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square) +![Version: 0.21.1](https://img.shields.io/badge/Version-0.21.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. From 42e702a8da5082b2a941e80718b27f5fb3a023f7 Mon Sep 17 00:00:00 2001 From: Faisal Memon Date: Tue, 6 Aug 2024 09:31:12 -0700 Subject: [PATCH 27/27] Bump spire-nested Helm Chart version from 0.21.0 to 0.21.1 (#410) * c3d1d39 Update to SPIRE 1.10.0 (#393) Signed-off-by: Faisal Memon --- charts/spire-nested/Chart.yaml | 2 +- charts/spire-nested/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/spire-nested/Chart.yaml b/charts/spire-nested/Chart.yaml index ac2b4c29e..707bc4960 100644 --- a/charts/spire-nested/Chart.yaml +++ b/charts/spire-nested/Chart.yaml 
@@ -3,7 +3,7 @@ name: spire-nested
 description: >
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.21.0
+version: 0.21.1
 appVersion: "1.10.0"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
diff --git a/charts/spire-nested/README.md b/charts/spire-nested/README.md
index ddf65912f..aa520b9f1 100644
--- a/charts/spire-nested/README.md
+++ b/charts/spire-nested/README.md
@@ -1,6 +1,6 @@
 # spire
-![Version: 0.21.0](https://img.shields.io/badge/Version-0.21.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square)
+![Version: 0.21.1](https://img.shields.io/badge/Version-0.21.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.