Update the documentation (#172)
* SPIFFE OIDC Discovery Provider Rework

Fixes: #151

Signed-off-by: Kevin Fox <[email protected]>

* Enhance clusterspiffeids so the discovery provider is independently configurable

Signed-off-by: Kevin Fox <[email protected]>

* Fix tests

Signed-off-by: Kevin Fox <[email protected]>

* More fix tests

Signed-off-by: Kevin Fox <[email protected]>

* More fix tests

Signed-off-by: Kevin Fox <[email protected]>

* Undo

Signed-off-by: Kevin Fox <[email protected]>

* Fix logging

Signed-off-by: Kevin Fox <[email protected]>

* Try to get output

Signed-off-by: Kevin Fox <[email protected]>

* Try and get error code

Signed-off-by: Kevin Fox <[email protected]>

* Fix more logging. Switch port used.

Signed-off-by: Kevin Fox <[email protected]>

* Fix logging

Signed-off-by: Kevin Fox <[email protected]>

* Fix port

Signed-off-by: Kevin Fox <[email protected]>

* Fix up logs for nested test and fix values

Signed-off-by: Kevin Fox <[email protected]>

* Make consistent

Signed-off-by: Kevin Fox <[email protected]>

* Fix nested test

Signed-off-by: Kevin Fox <[email protected]>

* Fix insecure mode and test.

Signed-off-by: Kevin Fox <[email protected]>

* Fix test.

Signed-off-by: Kevin Fox <[email protected]>

* Fix var scoping issue

Signed-off-by: Kevin Fox <[email protected]>

* Set the right flags for ingress

Signed-off-by: Kevin Fox <[email protected]>

* Update dns template

Signed-off-by: Kevin Fox <[email protected]>

* Use more standard port

Signed-off-by: Kevin Fox <[email protected]>

* Fix test logging

Signed-off-by: Kevin Fox <[email protected]>

* Allow reencrypt.

Signed-off-by: Kevin Fox <[email protected]>

* Remove testing changes

Signed-off-by: Kevin Fox <[email protected]>

* Fix formatting

Signed-off-by: Kevin Fox <[email protected]>

* Add LetsEncrypt/ACME/cert-manager support. Remove broken ACME support.

Signed-off-by: Kevin Fox <[email protected]>

* Use spiffe-helper as a sidecar. Significant space savings and read-only cert dir

Signed-off-by: Kevin Fox <[email protected]>

* Fix the nested test

Signed-off-by: Kevin Fox <[email protected]>

* Fix merge issue

Signed-off-by: Kevin Fox <[email protected]>

* Remove 1.29.0 until deps catch up.

Related issue: rancher/kubectl#94

Signed-off-by: Kevin Fox <[email protected]>

* Add more error checking

Signed-off-by: Kevin Fox <[email protected]>

* Remove testing code

Signed-off-by: Kevin Fox <[email protected]>

* Simplify the ids. Fix docs

Signed-off-by: Kevin Fox <[email protected]>

* Fix logic

Signed-off-by: Kevin Fox <[email protected]>

* Fix var

Signed-off-by: Kevin Fox <[email protected]>

* Make cert-manager bits more readable

Signed-off-by: Kevin Fox <[email protected]>

* Fix template

Signed-off-by: Kevin Fox <[email protected]>

* Fix openshift ingress

Signed-off-by: Kevin Fox <[email protected]>

* Incorporate feedback

Signed-off-by: Kevin Fox <[email protected]>

* Update docs

Signed-off-by: Kevin Fox <[email protected]>

* Add resource spec

Signed-off-by: Kevin Fox <[email protected]>

* Remove parts that can't merge yet

Signed-off-by: Kevin Fox <[email protected]>

* Add support for running spiffe secured discovery provider (default)

Signed-off-by: Kevin Fox <[email protected]>

* Fix tests

Signed-off-by: Kevin Fox <[email protected]>

* Incorporate feedback

Signed-off-by: Kevin Fox <[email protected]>

* Incorporate feedback

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Apply suggestions from code review

Co-authored-by: Faisal Memon <[email protected]>
Signed-off-by: kfox1111 <[email protected]>

* Fix docs

Signed-off-by: Kevin Fox <[email protected]>

* Apply suggestions from code review

Co-authored-by: Faisal Memon <[email protected]>
Signed-off-by: kfox1111 <[email protected]>

* Incorporate feedback

Signed-off-by: Kevin Fox <[email protected]>

* Incorporate feedback

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix test

Signed-off-by: Kevin Fox <[email protected]>

* Fix merge conflict

Signed-off-by: Kevin Fox <[email protected]>

* Fix merge conflict

Signed-off-by: Kevin Fox <[email protected]>

* Remove defaults

Signed-off-by: Kevin Fox <[email protected]>

* Apply suggestions from code review

Co-authored-by: Faisal Memon <[email protected]>
Signed-off-by: kfox1111 <[email protected]>

* Fix docs

Signed-off-by: Kevin Fox <[email protected]>

* Incorporate feedback

Signed-off-by: Kevin Fox <[email protected]>

* Add missing configurable for the discovery providers csi driver

Signed-off-by: Kevin Fox <[email protected]>

* Update the documentation

Signed-off-by: Kevin Fox <[email protected]>

* Apply suggestions from code review

Signed-off-by: kfox1111 <[email protected]>

* Apply suggestions from code review

Signed-off-by: kfox1111 <[email protected]>

* Apply suggestions from code review

Signed-off-by: kfox1111 <[email protected]>

* Apply suggestions from code review

Signed-off-by: kfox1111 <[email protected]>

* Add missing file

Signed-off-by: Kevin Fox <[email protected]>

* Update for changes in spiffe-helper

Signed-off-by: Kevin Fox <[email protected]>

* Incorporate feedback

Signed-off-by: Kevin Fox <[email protected]>

* Apply suggestions from code review

Co-authored-by: Faisal Memon <[email protected]>
Signed-off-by: kfox1111 <[email protected]>

* Incorporate feedback

Signed-off-by: Kevin Fox <[email protected]>

* Incorporate feedback

Signed-off-by: Kevin Fox <[email protected]>

---------

Signed-off-by: Kevin Fox <[email protected]>
Signed-off-by: kfox1111 <[email protected]>
Co-authored-by: Faisal Memon <[email protected]>
kfox1111 and faisal-memon authored Jan 23, 2024
1 parent e59a29b commit d724d1e
Showing 6 changed files with 57 additions and 95 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -14,7 +14,7 @@ A suite of [Helm Charts](https://helm.sh/docs) for standardized installations of
## How to install or upgrade

You most likely want to do an integrated setup based on the spire chart.
See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire#install-notes).
See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire#install-instructions).

## Contributing
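Review bot: the fragment change from `#install-notes` to `#install-instructions` only stays correct because the heading in charts/spire/README.md is renamed to `## Install Instructions` in this same commit; the Artifact Hub anchor is derived from that heading text, so a future rename of the heading silently breaks this link. Consider linking to the repository README (which the project controls) or leaving a comment next to the heading that the top-level README references its anchor.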

61 changes: 51 additions & 10 deletions charts/spire/README.md
Expand Up @@ -7,33 +7,74 @@ A Helm chart for deploying the complete Spire stack including: spire-server, spi

**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>

## Install notes
## Install Instructions

To do a quick non production install suitable for quick testing in something like minikube:
### Non Production
To do a quick install suitable for testing in something like minikube:

```shell
helm install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
helm install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/
helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/
```

To customize, start with a base values file and edit as needed:
### Production

Preparing a production deployment requires a few steps.

1. Save the following to your-values.yaml, ideally in your git repo.
```yaml
global:
openshift: false # If running on openshift, set to true
spire:
recommendations:
enabled: true
namespaces:
create: true
ingressControllerType: "" # If not openshift, and want to expose services, set to a supported option [ingress-nginx]
# Update these
clusterName: example-cluster
trustDomain: example.org
spire-server:
ca_subject:
# Update these
country: ARPA
organization: Example
common_name: example.org
```
2. If you need a non default storageClass, append the following to the spire-server section and update:
```
persistence:
storageClass: your-storage-class
```
3. If your Kubernetes cluster is OpenShift based, use the output of the following command to update the trustDomain setting:
```shell
curl -o your-values.yaml https://raw.githubusercontent.com/spiffe/helm-charts-hardened/main/examples/production/example-your-values.yaml
oc get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//'
```

Then:
4. Find any additional values you might want to set based on the documentation below or using the [examples](https://github.com/spiffe/helm-charts-hardened/tree/main/examples)

In particular, consider using an external database.

5. Deploy

```shell
helm install -n spire-server spire --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml
helm upgrade --install -n spire-mgmt spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
helm upgrade --install -n spire-mgmt spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml
```

For production installs, please see [the production example](https://github.com/spiffe/helm-charts-hardened/tree/spire-0.16.0/examples/production).

## Upgrade notes

We only support upgrading one major version at a time. Version skipping isn't supported.

### 0.17.X

- The SPIFFE OIDC Discovery Provider now has many new TLS options and defaults to using SPIRE to issue its certificate.
- The `spiffe-oidc-discovery-provider.insecureScheme.enabled` flag was removed. If you previously set that flag, remove the setting from your values.yaml and see if the new default of using a SPIRE issued certificate is suitable for your deployment. If it isn't, please consider one of the other options under `spiffe-oidc-discovery-provider.tls`. If all other options are still unsuitable, you can still enable the previous mode by disabling TLS. (`spiffe-oidc-discovery-provider.spire.enabled=false`)

- The SPIFFE OIDC Discovery Provider is now enabled by default. If you previously chose to have it off, you can disable it explicitly with `spiffe-oidc-discovery-provider.enabled=false`.

### 0.16.X

The settings under "spire-server.controllerManager.identities" have all been moved under "spire-server.controllerManager.identities.clusterSPIFFEIDs.default". If you have changed any from the defaults, please update them to the new location during upgrade.
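Review bot: in the 0.17.X upgrade note, the key given for falling back to the previous mode is `spiffe-oidc-discovery-provider.spire.enabled=false`, while the sentence before places the TLS options under `spiffe-oidc-discovery-provider.tls`; please confirm the exact path (it reads as though it should sit under `.tls`) and say plainly that this fallback serves the discovery endpoint without transport security, so it is only appropriate behind a TLS-terminating ingress. Smaller points in the same hunk: the fenced block in step 2 has no language tag, unlike the `yaml` and `shell` fences around it; step 3 tells the reader to update `trustDomain` but the step 1 values also carry `ca_subject.common_name: example.org`, which should be updated together with it; and the production install targets namespace `spire-mgmt` while the non-production one uses `spire-server`, a difference worth one sentence (the step 1 values set `namespaces.create: true`, which is presumably what makes `spire-mgmt` work).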
2 changes: 0 additions & 2 deletions examples/nested/values.yaml
Expand Up @@ -3,13 +3,11 @@ global:
upstreamSpireAddress: spire-server.spire-root-server

spire-server:
enabled: true
upstreamAuthority:
spire:
enabled: true
upstreamDriver: upstream.csi.spiffe.io
controllerManager:
enabled: true
identities:
clusterSPIFFEIDs:
default:
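Review bot: dropping the explicit `enabled: true` under `spire-server` and `controllerManager` makes this example depend on the chart defaults (the "Remove defaults" step in the commit message); since the nested example exists to show a non-default upstream-authority setup, a one-line comment noting that both components are on by default would keep the file self-explanatory, and the deletion should be checked against the nested test that several commits in this series adjust.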
80 changes: 0 additions & 80 deletions examples/openshift/README.md

This file was deleted.
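Review bot: the 80-line examples/openshift/README.md is deleted without its contents being visible here; please confirm that the OpenShift guidance now lives in charts/spire/README.md (the `global.openshift` flag in step 1 and the `oc get cm ... console-public` trust-domain command in step 3) and that the removed examples/openshift/openshift-values.yaml is superseded by the new values-ibm-cloud.yaml, otherwise OpenShift users following existing links to this directory land on nothing.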

2 changes: 0 additions & 2 deletions examples/openshift/openshift-values.yaml

This file was deleted.

5 changes: 5 additions & 0 deletions examples/openshift/values-ibm-cloud.yaml
@@ -0,0 +1,5 @@
spiffe-csi-driver:
kubeletPath: /var/data/kubelet
restrictedScc:
enabled: true
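Review bot: the new values-ibm-cloud.yaml has no comment explaining why IBM Cloud needs `kubeletPath: /var/data/kubelet` instead of the standard kubelet path, or what `restrictedScc.enabled: true` changes for the CSI driver; a short header comment would stop the file being copied onto clusters with the standard layout, where the driver would not find the kubelet directory.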
