diff --git a/.github/tests/charts.json b/.github/tests/charts.json
index da053ad9c..cd9628467 100644
--- a/.github/tests/charts.json
+++ b/.github/tests/charts.json
@@ -2,26 +2,26 @@
 {
 "name": "kube-prometheus-stack",
 "repo": "https://prometheus-community.github.io/helm-charts",
- "version": "58.7.2"
+ "version": "61.7.0"
 },
 {
 "name": "cert-manager",
 "repo": "https://charts.jetstack.io",
- "version": "v1.14.5"
+ "version": "v1.15.2"
 },
 {
 "name": "ingress-nginx",
 "repo": "https://kubernetes.github.io/ingress-nginx",
- "version": "4.10.1"
+ "version": "4.11.1"
 },
 {
 "name": "mysql",
 "repo": "https://charts.bitnami.com/bitnami",
- "version": "11.0.0"
+ "version": "11.1.14"
 },
 {
 "name": "postgresql",
 "repo": "https://charts.bitnami.com/bitnami",
- "version": "15.4.0"
+ "version": "15.5.20"
 }
 ]
diff --git a/charts/spire-nested/Chart.yaml b/charts/spire-nested/Chart.yaml
index cbe023d79..707bc4960 100644
--- a/charts/spire-nested/Chart.yaml
+++ b/charts/spire-nested/Chart.yaml
@@ -3,8 +3,8 @@ name: spire-nested
 description: >
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.21.0
-appVersion: "1.9.6"
+version: 0.21.1
+appVersion: "1.10.0"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
diff --git a/charts/spire-nested/README.md b/charts/spire-nested/README.md
index e56278dde..aa520b9f1 100644
--- a/charts/spire-nested/README.md
+++ b/charts/spire-nested/README.md
@@ -1,6 +1,6 @@ # spire -![Version: 0.21.0](https://img.shields.io/badge/Version-0.21.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.6](https://img.shields.io/badge/AppVersion-1.9.6-informational?style=flat-square) +![Version: 0.21.1](https://img.shields.io/badge/Version-0.21.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml index 54c80a890..2ead16ff0 100644 --- a/charts/spire/Chart.yaml +++ b/charts/spire/Chart.yaml @@ -3,8 +3,8 @@ name: spire description: > A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. type: application -version: 0.21.0 -appVersion: "1.9.6" +version: 0.21.1 +appVersion: "1.10.0" keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire/README.md b/charts/spire/README.md index d16af86b0..3b1e89374 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -1,6 +1,6 @@ # spire -![Version: 0.21.0](https://img.shields.io/badge/Version-0.21.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.6](https://img.shields.io/badge/AppVersion-1.9.6-informational?style=flat-square) +![Version: 0.21.1](https://img.shields.io/badge/Version-0.21.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. @@ -10,6 +10,7 @@ A Helm chart for deploying the complete Spire stack including: spire-server, spi ## Install Instructions ### Non Production + To do a quick install suitable for testing in something like minikube: ```shell @@ -22,6 +23,12 @@ helm upgrade --install -n spire-server spire spire --repo https://spiffe.github. Preparing a production deployment requires a few steps. 1. Save the following to your-values.yaml, ideally in your git repo. + +> [!NOTE] +> Please note that `rancher/kubectl` image does not always correspond to the most +> recent version of Kubernetes. In order to find the most up-to-date version, +> please visit their [releases](https://github.com/rancher/kubectl/releases) page. + ```yaml global: openshift: false # If running on openshift, set to true 
@@ -38,15 +45,21 @@ global: country: ARPA organization: Example commonName: example.org +# If rancher/kubectl doesn't have a version that matches your cluster, uncomment and update: +# tools: +# kubectl: +# tag: "v1.23.3" ``` 2. If you need a non default storageClass, append the following to the global.spire section and update: + ``` persistence: storageClass: your-storage-class ``` 3. If your Kubernetes cluster is OpenShift based, use the output of the following command to update the trustDomain setting: + ```shell oc get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//' ``` @@ -73,7 +86,7 @@ kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeid ## Upgrade notes -We only support upgrading one major/minor version at a time. Version skipping isn't supported. Please see https://spiffe.io/docs/latest/spire-helm-charts-hardened-about/upgrading/ for details. +We only support upgrading one major/minor version at a time. Version skipping isn't supported. Please see for details. ### 0.21.X @@ -98,8 +111,8 @@ setting and waiting for a spire-controller-manager sync. ### 0.18.X -- SPIRE no longer emits x509UniqueIdentifiers in x509-SVIDS by default. The old behavior can be reenabled with spire-server.credentialComposer.uniqueID.enabled=true. See https://github.com/spiffe/spire/pull/4862 for details. -- SPIRE agents will now automatically reattest when they can. The old behavior can be reenabled with spire-agent.disableReattestToRenew=true. See https://github.com/spiffe/spire/pull/4791 for details. +- SPIRE no longer emits x509UniqueIdentifiers in x509-SVIDS by default. The old behavior can be reenabled with spire-server.credentialComposer.uniqueID.enabled=true. See for details. +- SPIRE agents will now automatically reattest when they can. The old behavior can be reenabled with spire-agent.disableReattestToRenew=true. See for details. ### 0.17.X 
@@ -258,7 +271,9 @@ Now you can interact with the Spire agent socket from your own application. The | `global.spire.ingressControllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | | `global.spire.tools.kubectl.tag` | Set to force the tag to use for all kubectl instances | `""` | | `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | +| `global.installAndUpgradeHooks.resources` | Resource requests and limits for installAndUpgradeHooks | `{}` | | `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` | +| `global.deleteHooks.resources` | Resource requests and limits for deleteHooks | `{}` | ### Spire server parameters diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml index 0416195e1..c3077e6ab 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml @@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider description: A Helm chart to install the SPIFFE OIDC discovery provider. type: application version: 0.1.0 -appVersion: "1.9.6" +appVersion: "1.10.0" keywords: ["spiffe", "oidc"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index ed121b9c6..5026012b5 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -69,7 +69,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from. Only used when TLS is disabled. | `docker.io` |
 | `insecureScheme.nginx.image.repository` | The repository within the registry. Only used when TLS is disabled. | `nginxinc/nginx-unprivileged` |
 | `insecureScheme.nginx.image.pullPolicy` | The image pull policy. Only used when TLS is disabled. | `IfNotPresent` |
-| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.26.0-alpine` |
+| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.27.0-alpine` |
 | `insecureScheme.nginx.resources` | Resource requests and limits | `{}` |
 | `jwtIssuer` | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset | `""` |
 | `config.logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` |
@@ -99,7 +99,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | `telemetry.prometheus.nginxExporter.image.registry` | The OCI registry to pull the image from | `docker.io` |
 | `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry | `nginx/nginx-prometheus-exporter` |
 | `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.1.0` |
+| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.3.0` |
 | `telemetry.prometheus.nginxExporter.resources` | Resource requests and limits | `{}` |
 | `ingress.enabled` | Flag to enable ingress | `false` |
 | `ingress.className` | Ingress class name | `""` |
@@ -115,15 +115,15 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
 | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d` |
+| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd` |
 | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` |
 | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d94454739d8be0239cfe93453df79c88d25d38b7a97084d81a49e9403a90d07c` |
+| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:7f6d87d080ccae67e0eccf1c46ce199cfe41fa972a42c3d2261cf67bb0d1212e` |
 | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` |
 | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` |
 | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.26.1` |
+| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.27.2` |
 | `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` |
 | `tests.busybox.image.repository` | The repository within the registry | `busybox` |
 | `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` |
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl
index 7780aa725..4f0500c54 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl
@@ -99,3 +99,17 @@ Create the name of the service account to use
 {{- false }}
 {{- end }}
 {{- end }}
+
+{{- define "spiffe-oidc-discovery-provider.podSecurityContext" -}}
+{{- $podSecurityContext := include "spire-lib.podsecuritycontext" . | fromYaml }}
+{{- $openshift := ((.Values).global).openshift | default false }}
+{{- if and .Values.tls.spire.enabled (not $openshift) }}
+{{- if not (hasKey $podSecurityContext "runAsUser") }}
+{{- $_ := set $podSecurityContext "runAsUser" 1000 }}
+{{- end }}
+{{- if not (hasKey $podSecurityContext "runAsGroup") }}
+{{- $_ := set $podSecurityContext "runAsGroup" 1000 }}
+{{- end }}
+{{- end }}
+{{- toYaml $podSecurityContext }}
+{{- end }}
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
index 407e39b3d..3e99bb26d 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
@@ -37,7 +37,7 @@ spec:
 {{- end }}
 serviceAccountName: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}
 securityContext:
- {{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
+ {{- include "spiffe-oidc-discovery-provider.podSecurityContext" . | nindent 8 }}
 initContainers:
 {{- if .Values.tls.spire.enabled }}
 - name: init
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml
index a2ad605a0..dd64a4a75 100644
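Review bot: The new `spiffe-oidc-discovery-provider.podSecurityContext` helper pins `runAsUser`/`runAsGroup` to a hard-coded 1000 whenever `tls.spire.enabled` is true and OpenShift is off, but nothing in the define says why a fixed UID/GID is required in exactly that case or why OpenShift is exempt, so the next maintainer cannot tell whether 1000 must match the image's user, the TLS init container, or the owner of a shared volume. Please add a comment above the `if and` line stating the actual reason, along the lines of `{{- /* With TLS enabled the init and main containers presumably need to agree on a non-root UID/GID for the shared cert volume; OpenShift assigns UIDs via SCC so it is left alone. Explicit runAsUser/runAsGroup from values are preserved. */ -}}`, adjusting the rationale to the real one. Since this changes the effective pod user for existing TLS-enabled deployments that never set `runAsUser`, the chart README or the 0.21.X upgrade notes should mention the new default as well.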
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml @@ -72,4 +72,8 @@ spec: - deployment - {{ include "spiffe-oidc-discovery-provider.fullname" . }} - --wait + {{- with (((.Values).global).deleteHooks).resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} {{- end }} diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index b43b3df35..60146aec3 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -164,7 +164,7 @@ insecureScheme: registry: docker.io repository: nginxinc/nginx-unprivileged pullPolicy: IfNotPresent - tag: 1.26.0-alpine + tag: 1.27.0-alpine ## @param insecureScheme.nginx.resources Resource requests and limits resources: {} # We usually recommend not to specify default resources and to leave this as a conscious @@ -262,7 +262,7 @@ telemetry: registry: docker.io repository: nginx/nginx-prometheus-exporter pullPolicy: IfNotPresent - tag: "1.1.0" + tag: "1.3.0" ## @param telemetry.prometheus.nginxExporter.resources [object] Resource requests and limits resources: {} @@ -328,7 +328,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + tag: latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd toolkit: ## @param tests.toolkit.image.registry The OCI registry to pull the image from 
@@ -340,7 +340,7 @@ tests: registry: cgr.dev repository: chainguard/min-toolkit-debug pullPolicy: IfNotPresent - tag: latest@sha256:d94454739d8be0239cfe93453df79c88d25d38b7a97084d81a49e9403a90d07c + tag: latest@sha256:7f6d87d080ccae67e0eccf1c46ce199cfe41fa972a42c3d2261cf67bb0d1212e step: ## @param tests.step.image.registry The OCI registry to pull the image from @@ -352,7 +352,7 @@ tests: registry: "docker.io" repository: smallstep/step-cli pullPolicy: IfNotPresent - tag: 0.26.1 + tag: 0.27.2 busybox: ## @param tests.busybox.image.registry The OCI registry to pull the image from diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml index d087332d8..9ae254d94 100644 --- a/charts/spire/charts/spire-agent/Chart.yaml +++ b/charts/spire/charts/spire-agent/Chart.yaml @@ -3,7 +3,7 @@ name: spire-agent description: A Helm chart to install the SPIRE agent. type: application version: 0.1.0 -appVersion: "1.9.6" +appVersion: "1.10.0" keywords: ["spiffe", "spire-agent"] home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire sources: diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index b609866e1..f8608898e 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
@@ -55,7 +55,6 @@ A Helm chart to install the SPIRE agent.
 | `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `pem` |
 | `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` |
 | `availabilityTarget` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. | `""` |
-| `disableReattestToRenew` | Deprecated: Allow agent to renew certificate when it expires rather than reattest | `false` |
 | `server.address` | Address for Spire server | `""` |
 | `server.port` | Port number for Spire server | `443` |
 | `server.namespaceOverride` | Override the namespace for Spire server | `""` |
@@ -70,7 +69,7 @@ A Helm chart to install the SPIRE agent.
 | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` |
 | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` |
-| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d` |
+| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd` |
 | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
 | `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` |
 | `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s Node Attestor | `true` |
@@ -108,7 +107,7 @@ A Helm chart to install the SPIRE agent.
 | `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` |
 | `socketAlternate.image.pullPolicy` | The image pull policy | `Always` |
-| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d` |
+| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd` |
 | `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
 | `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` |
 | `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` |
diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml
index 6da906918..1d3aab620 100644
--- a/charts/spire/charts/spire-agent/templates/configmap.yaml
+++ b/charts/spire/charts/spire-agent/templates/configmap.yaml
@@ -25,11 +25,8 @@
 {{- end }}
 {{- define "spire-agent.yaml-config" -}}
 agent:
- {{- if .Values.disableReattestToRenew }}
- disable_reattest_to_renew: true
- {{- end }}
 {{- if .Values.sockets.admin.enabled }}
- admin_socket_dir: /tmp/spire-agent/private/admin.sock
+ admin_socket_path: /tmp/spire-agent/private/admin.sock
 {{- end }}
 {{- with .Values.authorizedDelegates }}
 authorized_delegates:
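Review bot: Dropping `disableReattestToRenew` from the agent config and values removes a documented, user-settable value without a matching upgrade note: the `### 0.21.X` section of charts/spire/README.md touched in this same change does not mention it, and the 0.18.X bullet on the new side still tells users the old behaviour "can be reenabled with spire-agent.disableReattestToRenew=true", which Helm will now silently ignore. Suggest adding under `### 0.21.X` a line such as `- The deprecated spire-agent.disableReattestToRenew value has been removed (presumably with the SPIRE 1.10 appVersion bump); agents always reattest when they can.` and amending the 0.18.X bullet to match. The `admin_socket_dir` → `admin_socket_path` rename also looks like a user-visible fix worth a line, since a `sockets.admin.enabled` deployment previously rendered a key the agent would not have honoured — confirm against the agent configuration reference.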
@@ -116,6 +113,9 @@ plugins: disable_container_selectors: {{ .Values.workloadAttestors.k8s.disableContainerSelectors }} use_new_container_locator: {{ .Values.workloadAttestors.k8s.useNewContainerLocator }} verbose_container_locator_logs: {{ .Values.workloadAttestors.k8s.verboseContainerLocatorLogs }} + {{- if eq (include "spire-agent.connect-by-hostname" .) "true" }} + node_name_env: "MY_NODE_NAME" + {{- end }} {{- end }} {{- if .Values.workloadAttestors.unix.enabled }} diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index 3a785541f..577d153b7 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml @@ -251,7 +251,7 @@ spec: {{- if .Values.sockets.admin.mountOnHost }} - name: spire-agent-admin-socket-dir hostPath: - hostPath: {{ .Values.sockets.hostBasePath }}/{{ if .Values.upstream }}upstream.csi.spiffe.io{{ else }}csi.spiffe.io{{ end }}/admin + path: {{ .Values.sockets.hostBasePath }}/{{ if .Values.upstream }}upstream.csi.spiffe.io{{ else }}csi.spiffe.io{{ end }}/admin type: DirectoryOrCreate {{- else }} - name: spire-agent-admin-socket-dir diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index d7f962e5d..03cd01ca6 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -100,9 +100,6 @@ bundleConfigMap: spire-bundle ## @param availabilityTarget The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. availabilityTarget: "" -## @param disableReattestToRenew Deprecated: Allow agent to renew certificate when it expires rather than reattest -disableReattestToRenew: false - ## @skip upstream upstream: false 
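Review bot: The new `node_name_env: "MY_NODE_NAME"` entry makes the k8s workload attestor depend on an environment variable that the agent container must receive via a `fieldRef` on `spec.nodeName`, but the daemonset hunk in this change only corrects the admin-socket `hostPath`, so I cannot see that `MY_NODE_NAME` is injected; if it already exists elsewhere in daemonset.yaml this is fine, otherwise workload attestation breaks whenever `spire-agent.connect-by-hostname` renders true. A template comment would tie the two files together, e.g. `{{- /* MY_NODE_NAME is injected in daemonset.yaml from spec.nodeName; keep both in sync */ -}}` above the `if eq` line. The enclosing `plugins:` block starts before and ends after this hunk.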
@@ -154,7 +151,7 @@ fsGroupFix: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + tag: latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} @@ -266,7 +263,7 @@ socketAlternate: registry: cgr.dev repository: chainguard/bash pullPolicy: Always - tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + tag: latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} diff --git a/charts/spire/charts/spire-lib/templates/_spire-system-namespace.yaml b/charts/spire/charts/spire-lib/templates/_spire-system-namespace.yaml index 2e0c5c2e4..7027e8dc4 100644 --- a/charts/spire/charts/spire-lib/templates/_spire-system-namespace.yaml +++ b/charts/spire/charts/spire-lib/templates/_spire-system-namespace.yaml @@ -12,7 +12,7 @@ {{- $_ := set $labels "security.openshift.io/scc.podSecurityLabelSync" "false" }} {{- end }} {{- end }} -{{- $labels = mergeOverwrite $labels .Values.global.spire.namespaces.server.labels }} +{{- $labels = mergeOverwrite $labels .Values.global.spire.namespaces.system.labels }} apiVersion: v1 kind: Namespace metadata: diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml index 62c510fbe..7fa03269f 100644 --- a/charts/spire/charts/spire-server/Chart.yaml +++ b/charts/spire/charts/spire-server/Chart.yaml 
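Review bot: Switching the system-namespace label merge from `namespaces.server.labels` to `namespaces.system.labels` changes the labels an existing namespace carries after upgrade: values users placed under `global.spire.namespaces.system.labels` (for example pod-security admission labels) now start being applied, while labels that exist only under `server.labels` stop being applied to that namespace. Because namespace labels commonly gate admission policy, this deserves an entry in the 0.21.X upgrade notes, e.g. `- global.spire.namespaces.system.labels is now applied to the spire-system namespace (previously server.labels was used by mistake); review that namespace's labels after upgrading.` The `_spire-system-namespace.yaml` define begins before this hunk.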
@@ -3,7 +3,7 @@ name: spire-server
 description: A Helm chart to install the SPIRE server.
 type: application
 version: 0.1.0
-appVersion: "1.9.6"
+appVersion: "1.10.0"
 keywords: ["spiffe", "spire-server", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index 4536103c1..acc1c1491 100644
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
@@ -109,7 +109,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `autoscaling.enabled` | Flag to enable autoscaling | `false` |
 | `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` |
 | `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `100` |
-| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` |
+| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization that triggers autoscaling | `80` |
 | `nodeSelector` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | `{}` |
 | `tolerations` | List of tolerations | `[]` |
 | `affinity` | List of node affinities | `{}` |
@@ -166,8 +166,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `federation.ingress.annotations` | Annotations for the ingress object | `{}` |
 | `federation.ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server-federation` |
 | `federation.ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` |
-| `federation.ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` |
-| `federation.ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` |
+| `federation.ingress.hosts` | Host paths for ingress object. If empty, rules will be built based on the host var. | `[]` |
+| `federation.ingress.tls` | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. | `[]` |
 | `ca_subject.country` | Country for Spire server CA | `ARPA` |
 | `ca_subject.organization` | Organization for Spire server CA | `Example` |
 | `ca_subject.common_name` | Common Name for Spire server CA | `example.org` |
@@ -232,7 +232,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `upstreamAuthority.vault.k8sAuth.token.expiry` | Expiry time in seconds for the token | `7200` |
 | `notifier.k8sbundle.enabled` | Enable local k8s bundle uploader | `true` |
 | `notifier.k8sbundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` |
-| `notifier.externalK8sBundle.enabled` | Enable exernal k8s bundle uploader | `true` |
+| `notifier.externalK8sBundle.enabled` | Enable external k8s bundle uploader | `true` |
 | `notifier.externalK8sBundle.defaults.namespace` | Namespace to push the bundle into on clusters | `spire-system` |
 | `notifier.externalK8sBundle.defaults.configMap` | ConfigMap name to push the bundle into on external clusters | `spire-bundle-upstream` |
 | `notifier.externalK8sBundle.defaults.configMapKey` | ConfigMap key to push the bundle into on external clusters | `bundle.crt` |
@@ -263,7 +263,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `controllerManager.identities.clusterSPIFFEIDs.default.enabled` | Enable this identity for controller manager | `true` |
 | `controllerManager.identities.clusterSPIFFEIDs.default.spiffeIDTemplate` | Spiffe ID template for identities | `spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}` |
 | `controllerManager.identities.clusterSPIFFEIDs.default.podSelector` | Selector for pods to issue identity | `{}` |
-| `controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector` | Selector for namespacs to issue identity | `{}` |
+| `controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector` | Selector for namespaces to issue identity | `{}` |
 | `controllerManager.identities.clusterSPIFFEIDs.default.dnsNameTemplates` | DNS name template for issued identities | `[]` |
 | `controllerManager.identities.clusterSPIFFEIDs.default.federatesWith` | Other Spire server URLs for identity federation | `[]` |
 | `controllerManager.identities.clusterSPIFFEIDs.default.workloadSelectorTemplates` | Templates to produce selectors that apply to a given workload before it will receive an ID | `[]` |
@@ -316,8 +316,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `ingress.annotations` | Annotations for the ingress object | `{}` |
 | `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `spire-server` |
 | `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` |
-| `ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` |
-| `ingress.tls` | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` |
+| `ingress.hosts` | Host paths for ingress object. If empty, rules will be built based on the host var. | `[]` |
+| `ingress.tls` | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. | `[]` |
 | `extraEnv` | Extra environment variables to add to the spire server | `[]` |
 | `extraVolumes` | Extra volumes to be mounted | `[]` |
 | `extraVolumeMounts` | Extra volume mounts | `[]` |
@@ -369,7 +369,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `tornjak.ingress.annotations` | Annotations for Tornjak backend service | `{}` |
 | `tornjak.ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `tornjak-backend` |
 | `tornjak.ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` |
-| `tornjak.ingress.hosts` | Host paths for ingress object. If emtpy, rules will be built based on the host var. | `[]` |
+| `tornjak.ingress.hosts` | Host paths for ingress object. If empty, rules will be built based on the host var. | `[]` |
 | `tornjak.ingress.tls` | Secrets containing TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. | `[]` |
 | `tornjak.startupProbe.failureThreshold` | Failure threshold count | `3` |
 | `tornjak.startupProbe.initialDelaySeconds` | Initial delay seconds | `5` |
@@ -404,5 +404,5 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
 | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d` |
+| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd` |
 | `kubeConfigs` | Manage additional kubeconfig files to talk to external Kubernetes clusters | `{}` |
diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
index bdd9d8fc0..0744d9d95 100644
--- a/charts/spire/charts/spire-server/templates/configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -200,8 +200,6 @@ plugins:
 key_identifier_file: "/run/spire/data/aws-kms-key-identifier"
 {{- else if eq (.keyIdentifierValue.enabled | toString) "true" }}
 key_identifier_value: {{ .keyIdentifierValue.identifier | quote }}
- {{- else }}
- key_metadata_file: "/run/spire/data/aws-kms-key-metadata"
 {{- end }}
 {{- if ne .accessKeyID "" }}
 access_key_id: "${AWS_KMS_ACCESS_KEY_ID}"
diff --git a/charts/spire/charts/spire-server/templates/post-install-hook.yaml b/charts/spire/charts/spire-server/templates/post-install-hook.yaml
index 3b9bf1b03..4f43dd2e9 100644
--- a/charts/spire/charts/spire-server/templates/post-install-hook.yaml
+++ b/charts/spire/charts/spire-server/templates/post-install-hook.yaml
@@ -85,6 +85,10 @@ spec:
 }
 ]
 }
+ {{- with (((.Values).global).installAndUpgradeHooks).resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml
index 683ba91db..1d6f0a069 100644
--- a/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml
+++ b/charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml
@@ -85,6 +85,10 @@ spec:
 }
 ]
 }
+ {{- with (((.Values).global).installAndUpgradeHooks).resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml b/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml
index 7c4c0e80b..6af0a89c9 100644
--- a/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml
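Review bot: Removing the `key_metadata_file` fallback leaves a deployment that enables neither `keyIdentifierFile` nor `keyIdentifierValue` with an `aws_kms` block that carries no key identifier at all, and nothing in the template rejects that (the `{{- if` opening this chain is outside the hunk, so I cannot see a guard there). Dropping the option is right for a server that no longer accepts it, but as far as I recall the plugin refuses to start without one of the two identifiers — please confirm against the 1.10 aws_kms docs. Failing at render time is kinder than a crash-looping server: `{{- else }}{{ fail "keyManager.awsKMS: enable either keyIdentifierFile or keyIdentifierValue" }}{{- end }}`, or express the constraint in values.schema.json. It also deserves an upgrade note: an install that relied on the old default must now opt into `keyIdentifierFile` (reusing the old metadata file's contents keeps the server's KMS key-ownership identity instead of minting a new one), and a `keyIdentifierValue` must be unique per server because the plugin uses it to tell its own keys from other servers' when it disposes of stale ones.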
+++ b/charts/spire/charts/spire-server/templates/pre-delete-hook.yaml
@@ -77,6 +77,10 @@ spec:
 - {{ include "spire-server.kind" . }}
 - {{ include "spire-server.fullname" . }}
 - --wait
+ {{- with (((.Values).global).deleteHooks).resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 - name: pre-delete-check
 securityContext:
 {{- include "spire-lib.securitycontext" . | nindent 10 }}
@@ -89,6 +93,10 @@ spec:
 - app.kubernetes.io/instance={{ include "spire-server.name" . }},app.kubernetes.io/name={{ .Release.Name }},app.kubernetes.io/component=server
 - -n
 - {{ include "spire-server.namespace" . }}
+ {{- with (((.Values).global).deleteHooks).resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml
index a3a86b6f4..a3258b00c 100644
--- a/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml
+++ b/charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml
@@ -85,6 +85,10 @@ spec:
 }
 ]
 }
+ {{- with (((.Values).global).installAndUpgradeHooks).resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index da3b8a0de..fc0683b35 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -101,7 +101,7 @@ resources: {}
 ## @param autoscaling.enabled Flag to enable autoscaling
 ## @param autoscaling.minReplicas Minimum replicas for autoscaling
 ## @param autoscaling.maxReplicas Maximum replicas for autoscaling
-## @param autoscaling.targetCPUUtilizationPercentage Target CPU utlization that triggers autoscaling
+## @param autoscaling.targetCPUUtilizationPercentage Target CPU utilization that triggers autoscaling
 ##
 autoscaling:
 enabled: false
@@ -273,14 +273,14 @@ federation: ## @param federation.ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var. tlsSecret: "" - ## @param federation.ingress.hosts [array] Host paths for ingress object. If emtpy, rules will be built based on the host var. + ## @param federation.ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var. hosts: [] # - host: spire-server-federation.example.org # paths: # - path: / # pathType: Prefix - ## @param federation.ingress.tls [array] Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. + ## @param federation.ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. tls: [] # - hosts: # - spire-server-federation.example.org @@ -446,7 +446,7 @@ notifier: ## @param notifier.k8sbundle.namespace Namespace to push the bundle into, if blank will default to SPIRE Server namespace namespace: "" externalK8sBundle: - ## @param notifier.externalK8sBundle.enabled Enable exernal k8s bundle uploader + ## @param notifier.externalK8sBundle.enabled Enable external k8s bundle uploader enabled: true defaults: ## @param notifier.externalK8sBundle.defaults.namespace Namespace to push the bundle into on clusters 
@@ -540,32 +540,10 @@ controllerManager:
 - kube-system
 - kube-public
 - local-path-storage
- # openshift related namespaces that should be typically ignored
- - openshift-cluster-node-tuning-operator
- - openshift-cluster-samples-operator
- - openshift-cluster-storage-operator
- - openshift-console-operator
- - openshift-console
- - openshift-dns
- - openshift-dns-operator
- - openshift-image-registry
- - openshift-ingress
- - openshift-kube-storage-version-migrator
- - openshift-kube-storage-version-migrator-operator
- - openshift-kube-proxy
- - openshift-marketplace
- - openshift-monitoring
- - openshift-multus
- - openshift-network-diagnostics
- - openshift-network-operator
- - openshift-operator-lifecycle-manager
- - openshift-roks-metrics
- - openshift-service-ca-operator
- - openshift-service-ca
- # ibmcloud specific namespaces
- - ibm-odf-validation-webhook
- - ibm-system
-
+ # openshift creates many namespaces that should be typically ignored:
+ - openshift-.*
+ # ibmcloud specific namespaces:
+ - ibm-.*
 ## @param controllerManager.reconcile.clusterSPIFFEIDs Enable reconciliation of clusterSPIFFEIDs from K8s to the SPIRE server
 ## @param controllerManager.reconcile.clusterStaticEntries Enable reconciliation of clusterStaticEntries from K8s to the SPIRE server
 ## @param controllerManager.reconcile.clusterFederatedTrustDomains Enable reconciliation of clusterFederatedTrustDomains from K8s to the SPIRE server
@@ -585,7 +563,7 @@ controllerManager:
 podSelector: {}
 # matchLabels:
 # spiffe.io/spiffe-id: "true"
- ## @param controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector [object] Selector for namespacs to issue identity
+ ## @param controllerManager.identities.clusterSPIFFEIDs.default.namespaceSelector [object] Selector for namespaces to issue identity
 namespaceSelector: {}
 # matchLabels:
 # spiffe.io/spiffe-id: "true"
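Review bot: `openshift-.*` and `ibm-.*` are unanchored, so if the controller manager evaluates `ignoreNamespaces` entries with Go's `regexp.MatchString` (my recollection of spire-controller-manager — please verify) they also match any namespace that merely contains those substrings, such as `team-openshift-tools` or `my-ibm-app`, whose workloads would then silently stop receiving SPIFFE IDs. Anchoring is free: `- ^openshift-` and `- ^ibm-`. The patterns also widen the ignore set from a fixed list of system namespaces to every `openshift-`/`ibm-` namespace, so an existing install that issues identities in an `ibm-` prefixed application namespace loses them on upgrade; that deserves an explicit upgrade note.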
@@ -718,31 +696,10 @@ externalControllerManagers: - kube-system - kube-public - local-path-storage - # openshift related namespaces that should be typically ignored - - openshift-cluster-node-tuning-operator - - openshift-cluster-samples-operator - - openshift-cluster-storage-operator - - openshift-console-operator - - openshift-console - - openshift-dns - - openshift-dns-operator - - openshift-image-registry - - openshift-ingress - - openshift-kube-storage-version-migrator - - openshift-kube-storage-version-migrator-operator - - openshift-kube-proxy - - openshift-marketplace - - openshift-monitoring - - openshift-multus - - openshift-network-diagnostics - - openshift-network-operator - - openshift-operator-lifecycle-manager - - openshift-roks-metrics - - openshift-service-ca-operator - - openshift-service-ca - # ibmcloud specific namespaces - - ibm-odf-validation-webhook - - ibm-system + # openshift creates many namespaces that should be typically ignored: + - openshift-.* + # ibmcloud specific namespaces: + - ibm-.* ## @param externalControllerManagers.defaults.cacheNamespaces [object] If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces. cacheNamespaces: {} 
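Review bot: Same anchoring problem as the in-cluster `controllerManager.ignoreNamespaces` block: `openshift-.*` and `ibm-.*` should be `^openshift-` and `^ibm-` so that, if the controller manager matches unanchored as I believe it does, they do not also swallow user namespaces like `apps-ibm-gateway`. Since these are `externalControllerManagers.defaults`, an over-broad match is inherited by every external cluster the chart manages, so the blast radius is larger than for the local block.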
@@ -800,14 +757,14 @@ ingress: ## @param ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var. tlsSecret: "" - ## @param ingress.hosts [array] Host paths for ingress object. If emtpy, rules will be built based on the host var. + ## @param ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var. hosts: [] # - host: spire-server.example.org # paths: # - path: / # pathType: Prefix - ## @param ingress.tls [array] Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars. + ## @param ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. tls: [] # - secretName: spire-server-tls # hosts: @@ -936,7 +893,7 @@ tornjak: ## @param tornjak.ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var. tlsSecret: "" - ## @param tornjak.ingress.hosts [array] Host paths for ingress object. If emtpy, rules will be built based on the host var. + ## @param tornjak.ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var. hosts: [] # - host: tornjak-backend.example.org # paths: @@ -1063,7 +1020,7 @@ tests: registry: cgr.dev repository: chainguard/bash pullPolicy: IfNotPresent - tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d + tag: latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd ## @param kubeConfigs [object] Manage additional kubeconfig files to talk to external Kubernetes clusters kubeConfigs: {} diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 0b8a46f5f..3f0eb76e1 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md 
@@ -101,4 +101,4 @@ port forwarding. See the chart NOTES output for more details.
 | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
 | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
 | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
-| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d` |
+| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd` |
diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml
index d3f71c59f..c3d5c91fa 100644
--- a/charts/spire/charts/tornjak-frontend/values.yaml
+++ b/charts/spire/charts/tornjak-frontend/values.yaml
@@ -162,4 +162,4 @@ tests:
 registry: cgr.dev
 repository: chainguard/bash
 pullPolicy: IfNotPresent
- tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d
+ tag: latest@sha256:1309073808bd2313c28d52ac617db405d1a00346484a2a600ada2eaf918123fd
diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml
index ce3b5391e..fa805b7c4 100644
--- a/charts/spire/values.yaml
+++ b/charts/spire/values.yaml
@@ -89,9 +89,33 @@ global: installAndUpgradeHooks: ## @param global.installAndUpgradeHooks.enabled Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) enabled: true + ## @param global.installAndUpgradeHooks.resources [object] Resource requests and limits for installAndUpgradeHooks + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, copy the following + # to your values file and edit as needed. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi deleteHooks: ## @param global.deleteHooks.enabled Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) enabled: true + ## @param global.deleteHooks.resources [object] Resource requests and limits for deleteHooks + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, copy the following + # to your values file and edit as needed. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi # telemetry: # prometheus: diff --git a/tests/go.mod b/tests/go.mod index e292ca58d..aee4c61c6 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -1,12 +1,12 @@ module github.com/spiffe/helm-charts/tests go 1.21 -toolchain go1.22.2 +toolchain go1.22.5 require ( - github.com/onsi/ginkgo/v2 v2.19.0 - github.com/onsi/gomega v1.33.1 - helm.sh/helm/v3 v3.15.1 + github.com/onsi/ginkgo/v2 v2.19.1 + github.com/onsi/gomega v1.34.1 + helm.sh/helm/v3 v3.15.3 ) require ( 
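Review bot: The new `resources` parameters say what they are but not when an operator actually needs them, which is the one thing this comment block should answer: the hook pods run in the release namespace, and if that namespace has a `ResourceQuota` on cpu/memory, admission rejects pods that declare no requests for those resources (absent a `LimitRange` supplying defaults), so the hooks meant to fix an install, upgrade or delete instead fail it. Suggest adding to both comment blocks, just before the `# limits:` example: `# Set these when the release namespace enforces a ResourceQuota that requires pods to declare requests; otherwise the hook pods are not admitted.`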
@@ -17,7 +17,7 @@ require (
 github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
 github.com/emicklei/go-restful/v3 v3.11.0 // indirect
- github.com/go-logr/logr v1.4.1 // indirect
+ github.com/go-logr/logr v1.4.2 // indirect
 github.com/go-openapi/jsonpointer v0.19.6 // indirect
 github.com/go-openapi/jsonreference v0.20.2 // indirect
 github.com/go-openapi/swag v0.22.3 // indirect
@@ -46,16 +46,17 @@ require (
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/xeipuuv/gojsonschema v1.2.0 // indirect
- golang.org/x/crypto v0.23.0 // indirect
- golang.org/x/net v0.25.0 // indirect
+ golang.org/x/crypto v0.25.0 // indirect
+ golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+ golang.org/x/net v0.27.0 // indirect
 golang.org/x/oauth2 v0.10.0 // indirect
- golang.org/x/sys v0.20.0 // indirect
- golang.org/x/term v0.20.0 // indirect
- golang.org/x/text v0.15.0 // indirect
+ golang.org/x/sys v0.22.0 // indirect
+ golang.org/x/term v0.22.0 // indirect
+ golang.org/x/text v0.16.0 // indirect
 golang.org/x/time v0.3.0 // indirect
- golang.org/x/tools v0.21.0 // indirect
+ golang.org/x/tools v0.23.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/protobuf v1.33.0 // indirect
+ google.golang.org/protobuf v1.34.1 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/tests/go.sum b/tests/go.sum
index d405560e9..79e7bad71 100644
--- a/tests/go.sum
+++ b/tests/go.sum
@@ -19,8 +19,8 @@ github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ
 github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
 github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
@@ -83,10 +83,10 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=
-github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
-github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
-github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
+github.com/onsi/ginkgo/v2 v2.19.1 h1:QXgq3Z8Crl5EL1WBAC98A5sEBHARrAJNzAmMxzLcRF0=
+github.com/onsi/ginkgo/v2 v2.19.1/go.mod h1:O3DtEWQkPa/F7fBMgmZQKKsluAy8pd3rEQdrjkPb9zA=
+github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
+github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -127,8 +127,10 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -140,8 +142,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
-golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
+golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8=
 golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -156,20 +158,20 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
-golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
+golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -177,16 +179,16 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
-golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg=
+golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
-google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
+google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@@ -201,8 +203,8 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-helm.sh/helm/v3 v3.15.1 h1:22ztacHz4gMqhXNqCQ9NAg6BFWoRUryNLvnkz6OVyw0=
-helm.sh/helm/v3 v3.15.1/go.mod h1:fvfoRcB8UKRUV5jrIfOTaN/pG1TPhuqSb56fjYdTKXg=
+helm.sh/helm/v3 v3.15.3 h1:HcZDaVFe9uHa6hpsR54mJjYyRy4uz/pc6csg27nxFOc=
+helm.sh/helm/v3 v3.15.3/go.mod h1:FzSIP8jDQaa6WAVg9F+OkKz7J0ZmAga4MABtTbsb9WQ=
 k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA=
 k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE=
 k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs=