Compare commits


60 Commits

Author SHA1 Message Date
Faisal Memon 7c7f791e33 Merge branch 'main' into release 2025-04-10 14:35:39 -07:00
Faisal Memon 815fbd00ed Merge branch 'main' into release 2025-04-06 22:03:03 -07:00
Faisal Memon 1b7e3a8755 Merge branch 'main' into release 2025-02-27 11:03:07 -08:00
Faisal Memon c7feff579b Merge branch 'main' into release 2024-11-17 14:59:08 -08:00
Faisal Memon 9da5fa24dd Merge branch 'main' into release 2024-10-28 15:27:45 -07:00
Faisal Memon e6d7d5784b Merge branch 'main' into release 2024-09-04 14:04:14 -07:00
Faisal Memon e5138372f7 Merge branch 'main' into release 2024-08-15 12:13:23 -05:00
Faisal Memon 627da2ad58 Merge branch 'main' into release 2024-08-06 09:31:38 -07:00
Faisal Memon 470acf2259 Merge branch 'main' into release 2024-05-30 15:28:42 -07:00
Faisal Memon 1c271e17ca Merge branch 'main' into release 2024-05-30 15:16:10 -07:00
Faisal Memon d1576b638f Merge branch 'main' into release 2024-04-11 16:11:06 -07:00
Faisal Memon 8e6704e588 Merge branch 'main' into release 2024-04-11 15:57:17 -07:00
Faisal Memon 26ff986c63 Merge branch 'main' into release 2024-04-05 18:25:34 -07:00
Faisal Memon b693e74a2e Merge branch 'main' into release 2024-03-29 14:41:01 -07:00
Faisal Memon 3e70c74c24 Merge branch 'main' into release 2024-03-22 13:44:11 -07:00
Faisal Memon b759abea7f Merge branch 'main' into release 2024-03-07 10:50:41 -08:00
Faisal Memon 1131141daa Merge branch 'main' into release 2024-03-06 09:38:40 -08:00
Faisal Memon 446952920b Merge branch 'main' into release 2024-03-04 09:54:53 -08:00
Faisal Memon bea59729fb Merge branch 'main' into release 2024-02-05 13:08:35 -08:00
Faisal Memon f2f56fa055 Merge branch 'main' into release 2024-01-30 13:54:14 -08:00
Marco Franssen 5f46d7bfc2 Merge branch 'main' into release 2024-01-24 12:38:04 +01:00
Kevin Fox 69511f5a6c Merge branch 'main' into release 2023-12-01 07:17:40 -08:00
Marco Franssen b469b62f1a Merge branch 'main' into release 2023-11-10 14:15:42 +01:00
Faisal Memon c07ca2597d Merge branch 'main' into release 2023-11-09 16:53:37 -08:00
Faisal Memon 2108f80f48 Merge branch 'main' into release 2023-11-09 14:22:14 -08:00
Faisal Memon e458ca371f Merge branch 'main' into release 2023-10-18 13:52:42 -07:00
unufr33 1c98c618b1 Fix spire-server configmap UpstreamAuthority/aws_pca and KeyManager/a… (#489)
The current configmap template renders a wrong KeyManager and
UpstreamAuthority configuration when aws_kms and aws_pca are enabled, and
the container crashes. The proposed changes fix the issue.

---------

Signed-off-by: unufree <geno.velkov@gmail.com>
Signed-off-by: unufr33 <129618334+unufr33@users.noreply.github.com>
Co-authored-by: Faisal Memon <fymemon@yahoo.com>
2023-10-12 15:21:59 -07:00
Faisal Memon ff0b0683e3 Bump spire Helm Chart version from 0.13.1 to 0.13.2
* dd87bc0 Bump spire versions to 1.7.4 (#35)
* fdba5d0 Bump spire Helm Chart version from 0.13.0 to 0.13.1
* 0e41a7d Fix failing Tornjak ingress port (#28)
* df1abf6 Bump to spire 1.7.3 (#31)
* 69a20e3 Merge pull request #29 from spiffe/tornjak-version
* 3036a41 Switch to version v1.4.0
* da49059 Update Tornjak image version
* 0fa43a5 Add plugin support to the spire agent (#22)
* c5c5320 Bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 in /tests (#27)
* afba33f Add spire agent experimental flags (#26)
* 1107278 Bump test chart dependencies
* 03ff618 Add Tornjak ingress (#16)
* 8f1bfc1 Merge pull request #23 from spiffe/examples-doc
* cd386eb Merge branch 'main' into examples-doc
* 12937db Update Example README
* 06d6690 Bump test chart dependencies (#20)
* 8aca48f Push the changes that update-tags creates (#19)
* a6cb397 Exit code from diff indicating changes should not block commit. (#17)
* ebfa518 Update FAQ from repo switch (#15)
* c23e6cb Fix issue with version checker not running
* 51c20b1 Bump actions/checkout from 4.0.0 to 4.1.0 (#9)
* 21db1e4 Add a test to ensure upgrades work (#6)
* f86648f Bump github.com/onsi/gomega from 1.27.10 to 1.28.0 in /tests
* babd677 Bump helm.sh/helm/v3 from 3.12.3 to 3.13.0 in /tests
* 45187fe Add back CODE-OF-CONDUCT
* 50825d9 Deny production runs of example.org trust domains (#229)
* 712a0f6 Bump actions/checkout from 4.0.0 to 4.1.0
* f04bdc3 Add support for experimental flags (#492)
* 7cdae92 Bump github.com/onsi/ginkgo/v2 from 2.12.0 to 2.12.1 in /tests (#490)
* d3091a8 Fix spire-server configmap UpstreamAuthority/aws_pca and KeyManager/a… (#489)
* 7a96175 Remove developer-guy as a CODEOWNER

Signed-off-by: Faisal Memon <fymemon@yahoo.com>
2023-10-12 15:18:03 -07:00
kfox1111 af842bec0a Bump spire versions to 1.7.4 (#35)
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
2023-10-12 15:17:46 -07:00
Faisal Memon fdffbea7aa Bump spire Helm Chart version from 0.13.0 to 0.13.1
* 0e41a7d Fix failing Tornjak ingress port (#28)
* df1abf6 Bump to spire 1.7.3 (#31)
* 69a20e3 Merge pull request #29 from spiffe/tornjak-version
* 3036a41 Switch to version v1.4.0
* da49059 Update Tornjak image version
* 0fa43a5 Add plugin support to the spire agent (#22)
* c5c5320 Bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 in /tests (#27)
* afba33f Add spire agent experimental flags (#26)
* 1107278 Bump test chart dependencies
* 03ff618 Add Tornjak ingress (#16)
* 8f1bfc1 Merge pull request #23 from spiffe/examples-doc
* cd386eb Merge branch 'main' into examples-doc
* 12937db Update Example README
* 06d6690 Bump test chart dependencies (#20)
* 8aca48f Push the changes that update-tags creates (#19)
* a6cb397 Exit code from diff indicating changes should not block commit. (#17)
* ebfa518 Update FAQ from repo switch (#15)
* c23e6cb Fix issue with version checker not running
* 51c20b1 Bump actions/checkout from 4.0.0 to 4.1.0 (#9)
* 21db1e4 Add a test to ensure upgrades work (#6)
* f86648f Bump github.com/onsi/gomega from 1.27.10 to 1.28.0 in /tests
* babd677 Bump helm.sh/helm/v3 from 3.12.3 to 3.13.0 in /tests
* 45187fe Add back CODE-OF-CONDUCT
* 50825d9 Deny production runs of example.org trust domains (#229)
* 712a0f6 Bump actions/checkout from 4.0.0 to 4.1.0
* f04bdc3 Add support for experimental flags (#492)
* 7cdae92 Bump github.com/onsi/ginkgo/v2 from 2.12.0 to 2.12.1 in /tests (#490)
* d3091a8 Fix spire-server configmap UpstreamAuthority/aws_pca and KeyManager/a… (#489)
* 7a96175 Remove developer-guy as a CODEOWNER

Signed-off-by: Faisal Memon <fymemon@yahoo.com>
2023-10-11 11:28:12 -07:00
kfox1111 d13a68c5ce Bump to spire 1.7.3 (#31)
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
2023-10-11 11:27:53 -07:00
Marco Franssen b2f04230cc Merge branch 'main' into release 2023-09-15 19:30:20 +02:00
Faisal Memon 2675f130f4 Merge branch 'main' into release 2023-08-21 10:54:05 -07:00
Faisal Memon 7af7e1d6de Merge pull request #420 from spiffe/release-patch-0-11-1
Cut patch release 0.11.1
2023-08-03 09:56:54 -07:00
Faisal Memon 431d77f40b Bump spire Helm Chart version from 0.11.0 to 0.11.1 (#419)
Please review the below changelog to ensure this matches up with the
semantic version being applied.

**Note**: As this is a patch release we will make a cherry-picked
release using a follow-up PR targeting the release branch. Will
cherry-pick the following commits into this patch release + the commit
bumping this version number.

**Changes in this release**

* d2e1606 issuer naming should respect issuer_name override (#378)
* a09e054 support annotations so oidc can be annotated (#391)
* 7d94b10 Update spire to 1.7.1 (#412)
* 9a6768b Add support for disabling container selectors (#399)
* 624ca9c Remove misadded lockfile (#400)

Signed-off-by: Faisal Memon <fymemon@yahoo.com>
2023-08-03 09:22:24 -07:00
Faisal Memon cfd6aa7985 Add support for disabling container selectors (#399) 2023-08-02 15:00:49 -07:00
kfox1111 b3d04ae162 Remove misadded lockfile (#400) 2023-08-02 14:56:55 -07:00
kfox1111 604743d0bf Update spire to 1.7.1 (#412)
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
2023-08-02 14:56:41 -07:00
Drew Wells 99c0f148ac support annotations so oidc can be annotated (#391)
Signed-off-by: Drew Wells <dwells@infoblox.com>
Signed-off-by: Drew Wells <drew.wells00@gmail.com>
Co-authored-by: Faisal Memon <fymemon@yahoo.com>
2023-08-02 14:55:15 -07:00
Drew Wells b0d9a736fe issuer naming should respect issuer_name override (#378)
align the spire-server configmap and issuer CR naming

---------

Signed-off-by: Drew Wells <dwells@infoblox.com>
Signed-off-by: Faisal Memon <fymemon@yahoo.com>
Co-authored-by: Faisal Memon <fymemon@yahoo.com>
2023-08-02 14:53:13 -07:00
Marco Franssen ca418613a2 Merge branch 'main' into release 2023-07-20 10:51:10 +02:00
Marco Franssen cc9565be5d Merge branch 'main' into release 2023-06-30 22:18:45 +02:00
Marco Franssen 8b5f9703ff Merge branch 'main' into release 2023-06-28 22:54:51 +02:00
Marco Franssen 8f7c9ba6a4 Bump spire Helm Chart version from 0.9.0 to 0.9.1 (#365) 2023-06-22 19:01:05 +02:00
kfox1111 622d5c9caf Fix the init container flags of the statefulset (#366) 2023-06-22 19:00:57 +02:00
Drew Wells 2620c8357a fixes missing template (#362) 2023-06-22 18:59:32 +02:00
Faisal Memon 49025cd3db Always add parseTime=true for mysql query string (#352) 2023-06-22 18:59:22 +02:00
github-actions[bot] ee0a16bdc8 Bump test chart dependencies (#358)
Co-authored-by: marcofranssen <marcofranssen@users.noreply.github.com>
Co-authored-by: Faisal Memon <fymemon@yahoo.com>
2023-06-22 18:59:13 +02:00
Marco Franssen 0e5d2817fa Merge branch 'main' into release 2023-06-20 08:33:33 +02:00
Marco Franssen b628b08e16 Merge branch 'main' into release 2023-05-30 19:30:17 +02:00
Marco Franssen 191d1f05d8 Merge branch 'main' into release 2023-05-25 14:22:51 +02:00
Faisal Memon f7403f45cb Merge branch 'main' into release 2023-05-12 11:20:47 -07:00
Marco Franssen 7a67caca5c Merge branch 'main' into release 2023-04-14 09:53:32 +02:00
Marco Franssen e9de49e93b Merge branch 'main' into release 2023-04-12 11:09:48 +02:00
Marco Franssen 949d34828e Merge branch 'main' into release 2023-04-06 09:46:22 +02:00
Marco Franssen 3f044af7b9 Merge branch 'main' into release 2023-04-04 14:27:34 +02:00
kfox1111 545059c316 Merge pull request #176 from spiffe/release-patch
Cut patch release for 0.5.0
2023-03-28 09:02:20 -07:00
Marco Franssen a1b19dd215 Bump spire Helm Chart version from 0.5.0 to 0.5.1
* 64585ba Fix formatting issues introduced with #152
* 0dac0db Improve Spire Chart documentation
* f709ed9 Bump actions/checkout from 3.4.0 to 3.5.0
* faef439 Bump helm/chart-testing-action from 2.3.1 to 2.4.0
* ae62dd1 Bump spire version to 1.6.1
* 02fda80 Add Artifact Hub badge to README.md
* 901e670 Disable default Tornjak deployment (#153)
* 05d0f47 Introduction of Tornjak to SPIRE Server helm charts (#144)
* b25dc77 Test fixing the tests (#148)
* b4be9ed Add maturity tag (#138)
* d4fd2ce Extract the namespace override test out of the old lockdown test. (#145)
* 4f85802 Update lockdown test to test the production example
* 04a1305 Fork the lockdown test to two tests as it is doing the work of 2 (#134)
* 64d0107 Resolve issue in prod example on volume mount (#143)
* 5b6708b Remove @dennisgove from CODEOWNERS (#140)
* a516caa Remove k8s 1.21 from test matrix + small syntax error fix (#133)
* 811a2f6 Add option to enable federation on spire-server (#97)

Signed-off-by: Marco Franssen <marco.franssen@gmail.com>
2023-03-28 15:16:48 +02:00
Marco Franssen 088f4f3676 Improve Spire Chart documentation
Signed-off-by: Marco Franssen <marco.franssen@gmail.com>
2023-03-28 15:16:48 +02:00
Marco Franssen 37e469c725 Bump spire version to 1.6.1
Signed-off-by: Marco Franssen <marco.franssen@gmail.com>
2023-03-28 15:16:48 +02:00
80 changed files with 319 additions and 2406 deletions

View File

@ -2,16 +2,16 @@
{ {
"name": "kube-prometheus-stack", "name": "kube-prometheus-stack",
"repo": "https://prometheus-community.github.io/helm-charts", "repo": "https://prometheus-community.github.io/helm-charts",
"version": "75.15.1" "version": "70.4.1"
}, },
{ {
"name": "cert-manager", "name": "cert-manager",
"repo": "https://charts.jetstack.io", "repo": "https://charts.jetstack.io",
"version": "v1.18.2" "version": "v1.17.1"
}, },
{ {
"name": "ingress-nginx", "name": "ingress-nginx",
"repo": "https://kubernetes.github.io/ingress-nginx", "repo": "https://kubernetes.github.io/ingress-nginx",
"version": "4.13.0" "version": "4.12.1"
} }
] ]
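Review bot: Every pin in this hunk is lower on the right-hand side than on the left (kube-prometheus-stack 75.15.1 to 70.4.1, cert-manager v1.18.2 to v1.17.1, ingress-nginx 4.13.0 to 4.12.1), so read base-to-head the test chart dependencies are being rolled back, not bumped. If the purpose of this compare is to bring `release` up to `main`, the base and head look swapped and the merged file should carry the higher pins; if the rollback is intentional, state that in the PR description so the older cert-manager is not reintroduced into the hardened charts by accident.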

View File

@ -7,13 +7,8 @@
}, },
{ {
"query": "chown.image", "query": "chown.image",
"filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$", "filter": "LATESTSHA",
"sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"] "sort-flags": []
},
{
"query": "tools.busybox.image",
"filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
"sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
} }
], ],
"spire-agent/values.yaml": [ "spire-agent/values.yaml": [
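Review bot: On the right-hand side of the `chown.image` entry the `^[0-9]\+\.[0-9]\+\.[0-9]\+-uclibc$` filter and the numeric `-k1,1n -k2,2n -k3,3n` sort are replaced by `"filter": "LATESTSHA"` with an empty `sort-flags` list. A latest-digest selection cannot be ordered or reviewed the way a semver-sorted `-uclibc` tag can, so a bump produced by update-tags on that side is not explainable from the version string alone; keep the regex and sort flags unless the `-uclibc` tags are no longer published. Separately, the `tools.busybox.image` entry exists only on the left, so on the right that image stops being refreshed by update-tags altogether, which should be a deliberate choice rather than a side effect of the merge.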

View File

@ -2,16 +2,16 @@
{ {
"name": "mysql", "name": "mysql",
"registry": "docker.io/bitnamicharts/mysql", "registry": "docker.io/bitnamicharts/mysql",
"version": "14.0.0" "version": "12.3.2"
}, },
{ {
"name": "postgresql", "name": "postgresql",
"registry": "docker.io/bitnamicharts/postgresql", "registry": "docker.io/bitnamicharts/postgresql",
"version": "16.7.9" "version": "16.6.1"
}, },
{ {
"name": "envoy-gateway", "name": "envoy-gateway",
"registry": "docker.io/envoyproxy/gateway-helm", "registry": "docker.io/envoyproxy/gateway-helm",
"version": "v1.4.2" "version": "v1.3.2"
} }
] ]
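Review bot: The `mysql` pin crosses two major chart versions in this hunk (14.0.0 on the left, 12.3.2 on the right) and `envoy-gateway` moves a minor version (v1.4.2 to v1.3.2). Whichever side lands, run the upgrade test the commit list refers to (`Add a test to ensure upgrades work (#6)`) against the resulting pins; a two-major jump in a database subchart is exactly the kind of change that test exists to catch, and the same direction question as the first hunk applies here.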

View File

@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes # This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version. # to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/) # Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.1 version: 0.1.0
# This is the version number of the application being deployed. This version number should be # This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to # incremented each time you make changes to the application. Versions are not expected to

View File

@ -123,8 +123,8 @@ kubectl:
## @param kubectl.image.tag Overrides the image tag whose default is the chart appVersion ## @param kubectl.image.tag Overrides the image tag whose default is the chart appVersion
## ##
image: image:
registry: registry.k8s.io registry: docker.io
repository: kubectl repository: rancher/kubectl
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: "" tag: ""
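Review bot: This hunk swaps the publisher of the `kubectl` tools image between `registry.k8s.io/kubectl` (left) and `docker.io/rancher/kubectl` (right), which changes who builds a binary the chart executes inside the cluster. Whichever image is kept, pin it by digest rather than relying on `tag: ""` falling back to the chart appVersion, and say in the values comment why that publisher is trusted; the README hunk for the spire chart further down already records that `rancher/kubectl` does not always track the newest Kubernetes release, which is a reason to prefer the upstream registry if it offers the needed versions.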

View File

@ -3,8 +3,8 @@ name: spire-nested
description: > description: >
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
type: application type: application
version: 0.26.1 version: 0.24.4
appVersion: "1.12.4" appVersion: "1.12.0"
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources: sources:

View File

@ -1,6 +1,6 @@
# spire # spire
![Version: 0.26.1](https://img.shields.io/badge/Version-0.26.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.4](https://img.shields.io/badge/AppVersion-1.12.4-informational?style=flat-square) ![Version: 0.24.4](https://img.shields.io/badge/Version-0.24.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.0](https://img.shields.io/badge/AppVersion-1.12.0-informational?style=flat-square)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@ -350,6 +350,6 @@ Now you can interact with the Spire agent socket from your own application. The
| `external-spire-server.upstreamAuthority.spire.enabled` | Enable upstream SPIRE server | `true` | | `external-spire-server.upstreamAuthority.spire.enabled` | Enable upstream SPIRE server | `true` |
| `external-spire-server.upstreamAuthority.spire.upstreamDriver` | Use an upstream driver for authentication | `upstream.csi.spiffe.io` | | `external-spire-server.upstreamAuthority.spire.upstreamDriver` | Use an upstream driver for authentication | `upstream.csi.spiffe.io` |
| `external-spire-server.upstreamAuthority.spire.server.nameOverride` | The name override setting of the root SPIRE server | `root-server` | | `external-spire-server.upstreamAuthority.spire.server.nameOverride` | The name override setting of the root SPIRE server | `root-server` |
| `external-spire-server.bundlePublisher.k8sConfigMap.enabled` | Enable local k8s bundle uploader | `false` | | `external-spire-server.notifier.k8sBundle.enabled` | Enable local k8s bundle uploader | `false` |
| `external-spire-server.nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s nodeattestor | `false` | | `external-spire-server.nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s nodeattestor | `false` |
| `external-spire-server.nodeAttestor.joinToken.enabled` | Enable the join_token nodeattestor | `true` | | `external-spire-server.nodeAttestor.joinToken.enabled` | Enable the join_token nodeattestor | `true` |

View File

@ -384,9 +384,9 @@ external-spire-server:
server: server:
## @param external-spire-server.upstreamAuthority.spire.server.nameOverride The name override setting of the root SPIRE server ## @param external-spire-server.upstreamAuthority.spire.server.nameOverride The name override setting of the root SPIRE server
nameOverride: root-server nameOverride: root-server
bundlePublisher: notifier:
k8sConfigMap: k8sBundle:
## @param external-spire-server.bundlePublisher.k8sConfigMap.enabled Enable local k8s bundle uploader ## @param external-spire-server.notifier.k8sBundle.enabled Enable local k8s bundle uploader
enabled: false enabled: false
nodeAttestor: nodeAttestor:
k8sPSAT: k8sPSAT:
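Review bot: `bundlePublisher.k8sConfigMap.enabled` (left) and `notifier.k8sBundle.enabled` (right) are different values keys for the same behaviour, and Helm silently ignores an unrecognised key unless the chart ships a `values.schema.json` that rejects it. A user whose values file sets the key from the other side gets a clean render with the bundle uploader quietly disabled. Keep the deprecated key honoured for one release (map it onto the new one in the template, or fail the render when both are set), and make sure the 0.26.X upgrade note in the spire README that calls out this rename lands together with the rename itself; in this compare both exist only on the left.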

View File

@ -3,8 +3,8 @@ name: spire
description: > description: >
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
type: application type: application
version: 0.26.1 version: 0.24.4
appVersion: "1.12.4" appVersion: "1.12.0"
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"] keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources: sources:
@ -55,18 +55,6 @@ dependencies:
condition: tornjak-frontend.enabled condition: tornjak-frontend.enabled
repository: file://./charts/tornjak-frontend repository: file://./charts/tornjak-frontend
version: 0.1.0 version: 0.1.0
- name: spike-keeper
condition: spike-keeper.enabled
repository: file://./charts/spike-keeper
version: 0.1.0
- name: spike-nexus
condition: spike-nexus.enabled
repository: file://./charts/spike-nexus
version: 0.1.0
- name: spike-pilot
condition: spike-pilot.enabled
repository: file://./charts/spike-pilot
version: 0.1.0
annotations: annotations:
artifacthub.io/category: security artifacthub.io/category: security
artifacthub.io/license: Apache-2.0 artifacthub.io/license: Apache-2.0
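Review bot: The `spike-keeper`, `spike-nexus` and `spike-pilot` dependencies exist only on the left of this hunk, and the README hunk for the same chart drops the matching parameter tables, so the two sides are internally consistent. Whichever side is merged, `Chart.lock` has to be regenerated with `helm dependency update`, since `helm dependency build` checks the dependency list against the lock file digest and fails on a mismatch; the lock file is not shown in this compare, so confirm it is part of the same change.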

View File

@ -1,6 +1,6 @@
# spire # spire
![Version: 0.26.1](https://img.shields.io/badge/Version-0.26.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.4](https://img.shields.io/badge/AppVersion-1.12.4-informational?style=flat-square) ![Version: 0.24.4](https://img.shields.io/badge/Version-0.24.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.0](https://img.shields.io/badge/AppVersion-1.12.0-informational?style=flat-square)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development) [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager. A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@ -24,6 +24,11 @@ Preparing a production deployment requires a few steps.
1. Save the following to your-values.yaml, ideally in your git repo. 1. Save the following to your-values.yaml, ideally in your git repo.
> [!NOTE]
> Please note that `rancher/kubectl` image does not always correspond to the most
> recent version of Kubernetes. In order to find the most up-to-date version,
> please visit their [releases](https://github.com/rancher/kubectl/releases) page.
```yaml ```yaml
global: global:
openshift: false # If running on openshift, set to true openshift: false # If running on openshift, set to true
@ -40,6 +45,10 @@ global:
country: ARPA country: ARPA
organization: Example organization: Example
commonName: example.org commonName: example.org
# If rancher/kubectl doesn't have a version that matches your cluster, uncomment and update:
# tools:
# kubectl:
# tag: "v1.23.3"
``` ```
2. If you need a non default storageClass, append the following to the global.spire section and update: 2. If you need a non default storageClass, append the following to the global.spire section and update:
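Review bot: The commented-out override on the right (`tools.kubectl.tag: "v1.23.3"`) and the note above it send the reader to the `rancher/kubectl` releases page to pick a tag. Add that the tag should be within one minor version of the cluster's API server, which is kubectl's supported version skew; otherwise a reader who copies the literal `v1.23.3` example onto a much newer cluster ends up with an unsupported client running the chart's hooks.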
@ -79,11 +88,6 @@ kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeid
We only support upgrading one major/minor version at a time. Version skipping isn't supported. Please see <https://spiffe.io/docs/latest/spire-helm-charts-hardened-about/upgrading/> for details. We only support upgrading one major/minor version at a time. Version skipping isn't supported. Please see <https://spiffe.io/docs/latest/spire-helm-charts-hardened-about/upgrading/> for details.
### 0.26.X
- The notifier.k8sBundle plugin has been deprecated in favor of bundlePublisher.k8sConfigMap. The only features it does not provide are the settings `apiServiceLabel` and `webhookLabel`. If you are using either of these two features, set the chart to use the notifier.k8sBundle plugin again, and let us know. We don't think anyone is using these features.
- The default trust bundle format has been changed to `spiffe`. This switch should be transparent unless you ware fetching the bundle from the configmap manually, or have a nested setup and dont upgrade the root, then child clusters in short order.
### 0.24.X ### 0.24.X
- You must upgrade [spire-crds](https://artifacthub.io/packages/helm/spiffe/spire-crds) to 0.5.0+ before performing this upgrade. - You must upgrade [spire-crds](https://artifacthub.io/packages/helm/spiffe/spire-crds) to 0.5.0+ before performing this upgrade.
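Review bot: Two typos in the 0.26.X upgrade note on the left: `unless you ware fetching the bundle` should read `unless you are fetching the bundle`, and `dont upgrade the root` should read `don't upgrade the root`. Consider also naming the values key that selects the trust bundle format in that bullet, so that an operator of a nested deployment can pin the previous format while upgrading root and child clusters out of order instead of relying on "in short order".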
@ -369,21 +373,3 @@ Now you can interact with the Spire agent socket from your own application. The
| Name | Description | Value | | Name | Description | Value |
| -------------------------- | -------------------------------------------------------------- | ------- | | -------------------------- | -------------------------------------------------------------- | ------- |
| `tornjak-frontend.enabled` | Enables deployment of Tornjak frontend/UI (Not for production) | `false` | | `tornjak-frontend.enabled` | Enables deployment of Tornjak frontend/UI (Not for production) | `false` |
### SPIKE Keeper parameters
| Name | Description | Value |
| ---------------------- | ------------------------------------------------------- | ------- |
| `spike-keeper.enabled` | Enables deployment of SPIKE Keeper (Not for production) | `false` |
### SPIKE Nexus parameters
| Name | Description | Value |
| --------------------- | ------------------------------------------------------ | ------- |
| `spike-nexus.enabled` | Enables deployment of SPIKE Nexus (Not for production) | `false` |
### SPIKE Pilot parameters
| Name | Description | Value |
| --------------------- | ------------------------------------------------------ | ------- |
| `spike-pilot.enabled` | Enables deployment of SPIKE Pilot (Not for production) | `false` |

View File

@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider
description: A Helm chart to install the SPIFFE OIDC discovery provider. description: A Helm chart to install the SPIFFE OIDC discovery provider.
type: application type: application
version: 0.1.0 version: 0.1.0
appVersion: "1.12.4" appVersion: "1.12.0"
keywords: ["spiffe", "oidc"] keywords: ["spiffe", "oidc"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources: sources:

View File

@ -29,8 +29,6 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | | ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` | | `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` |
| `csiDriverName` | The csi driver to use | `csi.spiffe.io` | | `csiDriverName` | The csi driver to use | `csi.spiffe.io` |
| `bundleSource` | Configure where to fetch the trust bundle from. Must be CSI or ConfigMap. | `CSI` |
| `bundleConfigMap` | ConfigMap name for SPIRE bundle when bundleSource is ConfigMap | `spire-bundle` |
| `replicaCount` | Replica count | `1` | | `replicaCount` | Replica count | `1` |
| `namespaceOverride` | Namespace override | `""` | | `namespaceOverride` | Namespace override | `""` |
| `annotations` | Annotations for the deployment | `{}` | | `annotations` | Annotations for the deployment | `{}` |
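Review bot: The `bundleSource` (CSI or ConfigMap) and `bundleConfigMap` parameters appear only on the left of this hunk. On the side that lacks them the OIDC discovery provider can obtain the trust bundle only through the CSI driver, so any template that still references `.Values.bundleSource` or `.Values.bundleConfigMap` has to be removed in the same change or it will render against a nil value; the templates are not part of this compare, so check them explicitly.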
@ -43,7 +41,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
| `spiffeHelper.image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `spiffeHelper.image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `spiffeHelper.image.repository` | The repository within the registry | `spiffe/spiffe-helper` | | `spiffeHelper.image.repository` | The repository within the registry | `spiffe/spiffe-helper` |
| `spiffeHelper.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `spiffeHelper.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `spiffeHelper.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.10.1` | | `spiffeHelper.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.10.0` |
| `spiffeHelper.resources` | Resource requests and limits | `{}` | | `spiffeHelper.resources` | Resource requests and limits | `{}` |
| `resources` | Resource requests and limits | `{}` | | `resources` | Resource requests and limits | `{}` |
| `service.type` | Service type | `ClusterIP` | | `service.type` | Service type | `ClusterIP` |
@ -73,7 +71,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
| `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from. Only used when TLS is disabled. | `docker.io` | | `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from. Only used when TLS is disabled. | `docker.io` |
| `insecureScheme.nginx.image.repository` | The repository within the registry. Only used when TLS is disabled. | `nginxinc/nginx-unprivileged` | | `insecureScheme.nginx.image.repository` | The repository within the registry. Only used when TLS is disabled. | `nginxinc/nginx-unprivileged` |
| `insecureScheme.nginx.image.pullPolicy` | The image pull policy. Only used when TLS is disabled. | `IfNotPresent` | | `insecureScheme.nginx.image.pullPolicy` | The image pull policy. Only used when TLS is disabled. | `IfNotPresent` |
| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.29.0-alpine` | | `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled. | `1.27.4-alpine` |
| `insecureScheme.nginx.ipMode` | IP modes supported by the cluster. Must be one of [ipv4, ipv6, both] | `both` | | `insecureScheme.nginx.ipMode` | IP modes supported by the cluster. Must be one of [ipv4, ipv6, both] | `both` |
| `insecureScheme.nginx.resources` | Resource requests and limits | `{}` | | `insecureScheme.nginx.resources` | Resource requests and limits | `{}` |
| `jwtIssuer` | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset | `""` | | `jwtIssuer` | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset | `""` |
@ -106,7 +104,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
| `telemetry.prometheus.nginxExporter.image.registry` | The OCI registry to pull the image from | `docker.io` | | `telemetry.prometheus.nginxExporter.image.registry` | The OCI registry to pull the image from | `docker.io` |
| `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry | `nginx/nginx-prometheus-exporter` | | `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry | `nginx/nginx-prometheus-exporter` |
| `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.4.2` | | `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.4.1` |
| `telemetry.prometheus.nginxExporter.resources` | Resource requests and limits | `{}` | | `telemetry.prometheus.nginxExporter.resources` | Resource requests and limits | `{}` |
| `ingress.enabled` | Flag to enable ingress | `false` | | `ingress.enabled` | Flag to enable ingress | `false` |
| `ingress.className` | Ingress class name | `""` | | `ingress.className` | Ingress class name | `""` |
@ -122,15 +120,15 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` | | `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:ce272ee5a3739a3c45784c317b2fb1e93a4cc4ea1f4d3feabb702b278e5bf514` |
| `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
| `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | | `tests.toolkit.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` |
| `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53` | | `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:2f8ac6547029ed217bb40167bf39883b4bc606b3b747ecaf710fab9779ef786f` |
| `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` | | `tests.step.image.registry` | The OCI registry to pull the image from | `docker.io` |
| `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` | | `tests.step.image.repository` | The repository within the registry | `smallstep/step-cli` |
| `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.step.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.28.7` | | `tests.step.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.28.6` |
| `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | | `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` |
| `tests.busybox.image.repository` | The repository within the registry | `busybox` | | `tests.busybox.image.repository` | The repository within the registry | `busybox` |
| `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` |
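Review bot: the `tests.bash.image.tag` and `tests.toolkit.image.tag` rows change only the `@sha256:` digest while keeping the `latest` tag, so the diff gives no indication of which upstream version each digest corresponds to or in which direction it moved. Digest pinning is the right choice for these test images; consider recording the resolved version in the tag portion (for example `<version>@sha256:...`) or in a comment beside the value in `values.yaml`, so a reviewer can tell a deliberate bump from a stale branch. The `tests.step.image.tag` row in the same hunk moves from `0.28.7` to `0.28.6` and carries no digest at all.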
@ -139,7 +137,7 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
| `tests.agent.image.repository` | The repository within the registry | `spiffe/spire-agent` | | `tests.agent.image.repository` | The repository within the registry | `spiffe/spire-agent` |
| `tests.agent.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.agent.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tests.agent.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | | `tests.agent.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` | | `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` |
| `tools.kubectl.image.repository` | The repository within the registry | `kubectl` | | `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` |
| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | | `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
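Review bot: the `tools.kubectl.image.registry` and `tools.kubectl.image.repository` rows switch the kubectl image from `registry.k8s.io/kubectl` to `docker.io/rancher/kubectl`, that is, from the upstream Kubernetes registry to a third-party repository on Docker Hub, while `tools.kubectl.image.tag` stays `""` and so falls back to the chart appVersion. Confirm that `rancher/kubectl` publishes tags matching the appVersion scheme the chart expects (the `registry.k8s.io/kubectl` tags it replaces), and consider pinning a digest, since the publisher of this image is now different.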

View File

@ -1,6 +1,3 @@
{{- if and (ne .Values.bundleSource "ConfigMap") (ne .Values.bundleSource "CSI") }}
{{- fail "Bundle source must be CSI or ConfigmMap" }}
{{- end }}
{{- $tlsCount := 0 }} {{- $tlsCount := 0 }}
{{- if and .Values.enabled .Values.tls.spire.enabled }} {{- if and .Values.enabled .Values.tls.spire.enabled }}
{{- $tlsCount = add $tlsCount 1 }} {{- $tlsCount = add $tlsCount 1 }}
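Review bot: removing the `fail` guard on `.Values.bundleSource` (the first three lines of this hunk) together with the value itself means a user who still sets `bundleSource: ConfigMap` gets a successful render that silently uses the Workload API (the `workload_api:` block is unconditional on the right-hand side of the later hunk) instead of a hard error. Consider keeping a transitional check such as `{{- if hasKey .Values "bundleSource" }}{{- fail "bundleSource has been removed; the bundle is always read from the Workload API" }}{{- end }}` for at least one release. The removed message also misspelled `ConfigmMap`, which is moot once it is gone.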
@ -47,14 +44,9 @@ serving_cert_file:
jwks_uri: {{ .Values.config.jwksUri | quote }} jwks_uri: {{ .Values.config.jwksUri | quote }}
{{- end }} {{- end }}
{{- if eq .Values.bundleSource "ConfigMap" }}
file:
path: /bundle/bundle.spiffe
{{- else }}
workload_api: workload_api:
socket_path: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | quote }} socket_path: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | quote }}
trust_domain: {{ include "spire-lib.trust-domain" . | quote }} trust_domain: {{ include "spire-lib.trust-domain" . | quote }}
{{- end }}
health_checks: health_checks:
bind_port: "8008" bind_port: "8008"

View File

@ -86,15 +86,9 @@ spec:
name: https name: https
{{- end }} {{- end }}
volumeMounts: volumeMounts:
{{- if eq .Values.bundleSource "ConfigMap" }}
- name: spiffe-bundle
mountPath: /bundle
readOnly: true
{{- else }}
- name: spiffe-workload-api - name: spiffe-workload-api
mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }} mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }}
readOnly: true readOnly: true
{{- end }}
- name: spire-oidc-sockets - name: spire-oidc-sockets
mountPath: /run/spire/oidc-sockets mountPath: /run/spire/oidc-sockets
readOnly: false readOnly: false
@ -177,17 +171,10 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
volumes: volumes:
{{- if or .Values.tls.spire.enabled (eq .Values.bundleSource "CSI") }}
- name: spiffe-workload-api - name: spiffe-workload-api
csi: csi:
driver: "{{ .Values.csiDriverName }}" driver: "{{ .Values.csiDriverName }}"
readOnly: true readOnly: true
{{- end }}
{{- if eq .Values.bundleSource "ConfigMap" }}
- name: spiffe-bundle
configMap:
name: {{ include "spire-lib.bundle-configmap" . }}
{{- end }}
- name: spire-oidc-sockets - name: spire-oidc-sockets
emptyDir: {} emptyDir: {}
- name: spire-oidc-config - name: spire-oidc-config
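Review bot: with the `{{- if or .Values.tls.spire.enabled (eq .Values.bundleSource "CSI") }}` guard removed, the `spiffe-workload-api` CSI volume is always created; that matches the old default (`bundleSource: CSI`), so default installs are unchanged and the volume keeps `readOnly: true`. The removed `spiffe-bundle` volume was the only visible consumer of the `spire-lib.bundle-configmap` helper and of the `bundleConfigMap` value; check whether that helper still has a caller in the library chart, otherwise it is now dead code.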

View File

@ -11,12 +11,6 @@ agentSocketName: spire-agent.sock
## @param csiDriverName The csi driver to use ## @param csiDriverName The csi driver to use
csiDriverName: csi.spiffe.io csiDriverName: csi.spiffe.io
## @param bundleSource Configure where to fetch the trust bundle from. Must be CSI or ConfigMap.
bundleSource: CSI
## @param bundleConfigMap ConfigMap name for SPIRE bundle when bundleSource is ConfigMap
bundleConfigMap: spire-bundle
## @param replicaCount Replica count ## @param replicaCount Replica count
replicaCount: 1 replicaCount: 1
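Review bot: dropping the `bundleSource` and `bundleConfigMap` parameters (and their `## @param` annotations) from `values.yaml` is a values-API change for anyone who set them, and Helm does not reject unknown keys unless the chart ships a `values.schema.json`. Besides regenerating the README parameter table from the `## @param` comments, record the removal in the chart's changelog or release notes so the silent fallback to the Workload API is documented.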
@ -53,7 +47,7 @@ spiffeHelper:
registry: ghcr.io registry: ghcr.io
repository: spiffe/spiffe-helper repository: spiffe/spiffe-helper
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: 0.10.1 tag: 0.10.0
## @param spiffeHelper.resources [object] Resource requests and limits ## @param spiffeHelper.resources [object] Resource requests and limits
resources: {} resources: {}
@ -176,7 +170,7 @@ insecureScheme:
registry: docker.io registry: docker.io
repository: nginxinc/nginx-unprivileged repository: nginxinc/nginx-unprivileged
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: 1.29.0-alpine tag: 1.27.4-alpine
## @param insecureScheme.nginx.ipMode IP modes supported by the cluster. Must be one of [ipv4, ipv6, both] ## @param insecureScheme.nginx.ipMode IP modes supported by the cluster. Must be one of [ipv4, ipv6, both]
ipMode: both ipMode: both
## @param insecureScheme.nginx.resources Resource requests and limits ## @param insecureScheme.nginx.resources Resource requests and limits
@ -280,7 +274,7 @@ telemetry:
registry: docker.io registry: docker.io
repository: nginx/nginx-prometheus-exporter repository: nginx/nginx-prometheus-exporter
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: "1.4.2" tag: "1.4.1"
## @param telemetry.prometheus.nginxExporter.resources [object] Resource requests and limits ## @param telemetry.prometheus.nginxExporter.resources [object] Resource requests and limits
resources: {} resources: {}
@ -346,7 +340,7 @@ tests:
registry: cgr.dev registry: cgr.dev
repository: chainguard/bash repository: chainguard/bash
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679 tag: latest@sha256:ce272ee5a3739a3c45784c317b2fb1e93a4cc4ea1f4d3feabb702b278e5bf514
toolkit: toolkit:
## @param tests.toolkit.image.registry The OCI registry to pull the image from ## @param tests.toolkit.image.registry The OCI registry to pull the image from
@ -358,7 +352,7 @@ tests:
registry: cgr.dev registry: cgr.dev
repository: chainguard/min-toolkit-debug repository: chainguard/min-toolkit-debug
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53 tag: latest@sha256:2f8ac6547029ed217bb40167bf39883b4bc606b3b747ecaf710fab9779ef786f
step: step:
## @param tests.step.image.registry The OCI registry to pull the image from ## @param tests.step.image.registry The OCI registry to pull the image from
@ -370,7 +364,7 @@ tests:
registry: "docker.io" registry: "docker.io"
repository: smallstep/step-cli repository: smallstep/step-cli
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: 0.28.7 tag: 0.28.6
busybox: busybox:
## @param tests.busybox.image.registry The OCI registry to pull the image from ## @param tests.busybox.image.registry The OCI registry to pull the image from
@ -404,7 +398,7 @@ tools:
## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion ## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion
## ##
image: image:
registry: registry.k8s.io registry: docker.io
repository: kubectl repository: rancher/kubectl
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: "" tag: ""

View File

@ -1,13 +0,0 @@
apiVersion: v2
name: spike-keeper
description: A Helm chart to deploy SPIKE Keeper
type: application
version: 0.1.0
appVersion: "0.4.2"
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources:
- https://github.com/spiffe/spike
icon: https://spike.ist/assets/spike-banner.png
maintainers:
- name: kfox1111
email: Kevin.Fox@pnnl.gov
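Review bot: this deletes the whole `spike-keeper` chart (`Chart.yaml` here, with its README, templates and `values.yaml` in the following hunks), and the `spike-nexus` chart is removed the same way later in this diff. Confirm that nothing else in the repository lists these charts as dependencies or installs them from the umbrella chart referenced by `home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire`, and that no published chart index still points at `spike-keeper` `0.1.0`. Incidentally, the deleted `Chart.yaml` says `appVersion: "0.4.2"` while the deleted README badge reports `AppVersion: v0.4.1`, so the generated README was already stale.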

View File

@ -1,72 +0,0 @@
# spike-keeper
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.1](https://img.shields.io/badge/AppVersion-v0.4.1-informational?style=flat-square)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
A Helm chart to deploy spike keepers
**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
## Version support
> [!Note]
> This Chart is still in development and still subject to change the API (`values.yaml`).
> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
> we do aim for as much stability as possible.
| Dependency | Supported Versions |
|:-----------|:-------------------|
| Helm | `3.x` |
## Source Code
* <https://github.com/spiffe/spike>
<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
## Parameters
### Chart parameters
| Name | Description | Value |
| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
| `image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `image.repository` | The repository within the registry | `spiffe/spike-keeper` |
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
| `replicas` | The number of keepers to launch | `3` |
| `trustRoot.nexus` | Override which trustRoot Nexus is in | `""` |
| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `debug` |
| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` |
| `csiDriverName` | The csi driver to use | `csi.spiffe.io` |
| `imagePullSecrets` | Pull secrets for images | `[]` |
| `nameOverride` | Name override | `""` |
| `namespaceOverride` | Namespace override | `""` |
| `fullnameOverride` | Fullname override | `""` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` |
| `labels` | Labels for pods | `{}` |
| `podSecurityContext` | Pod security context | `{}` |
| `securityContext` | Security context | `{}` |
| `service.type` | Service type | `ClusterIP` |
| `service.port` | Service port | `443` |
| `service.annotations` | Annotations for service resource | `{}` |
| `nodeSelector` | (Optional) Select specific nodes to run on. | `{}` |
| `affinity` | Affinity rules | `{}` |
| `tolerations` | List of tolerations | `[]` |
| `topologySpreadConstraints` | List of topology spread constraints for resilience | `[]` |
| `startupProbe.enabled` | Enable startupProbe | `true` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
| `startupProbe.failureThreshold` | Failure threshold count for startupProbe | `6` |
| `startupProbe.successThreshold` | Success threshold count for startupProbe | `1` |
| `ingress.enabled` | Flag to enable ingress | `false` |
| `ingress.className` | Ingress class name | `""` |
| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
| `ingress.annotations` | Annotations | `{}` |
| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `keeper` |
| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` |
| `ingress.hosts` | Host paths for ingress object. If empty, rules will be built based on the host var. | `[]` |
| `ingress.tls` | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. | `[]` |

View File

@ -1 +0,0 @@
Installed {{ .Chart.Name }}…

View File

@ -1,83 +0,0 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "spike-keeper.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "spike-keeper.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
*/}}
{{- define "spike-keeper.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
{{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
{{- .Values.global.spire.namespaces.server.name }}
{{- else }}
{{- printf "spire-server" }}
{{- end }}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "spike-keeper.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "spike-keeper.labels" -}}
helm.sh/chart: {{ include "spike-keeper.chart" . }}
{{ include "spike-keeper.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "spike-keeper.selectorLabels" -}}
app.kubernetes.io/name: {{ include "spike-keeper.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "spike-keeper.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "spike-keeper.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "spike-keeper.workload-api-socket-path" -}}
{{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
{{- end }}

View File

@ -1,44 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{ $root := . }}
{{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.ingress) }}
{{- $fullName := include "spike-keeper.fullname" . -}}
{{- $tlsSection := true }}
{{- $annotations := deepCopy .Values.ingress.annotations }}
{{- if eq $ingressControllerType "ingress-nginx" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
{{- else if eq $ingressControllerType "openshift" }}
{{- $path = "" }}
{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
{{- $tlsSection = false }}
{{- end }}
{{ $last := sub (.Values.replicas | int) 1 | int }}
{{ range (seq 0 ($last) | toString | split " ") }}
{{ $i := . }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}-{{ $i }}
namespace: {{ include "spike-keeper.namespace" $root }}
labels:
{{ include "spike-keeper.labels" $root | nindent 4}}
{{- with $annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- $host := $root.Values.ingress.host }}
{{- if contains "." $host }}
{{- $hostParts := regexSplit "[.]" $host 2 }}
{{- $host = printf "%s-%s.%s" (index $hostParts 0) $i (index $hostParts 1) }}
{{- else }}
{{- $host = printf "%s-%s" $host $i }}
{{- end }}
{{ $ingress := deepCopy $root.Values.ingress }}
{{ $_ := set $ingress "host" $host }}
{{ include "spire-lib.ingress-spec" (dict "ingress" $ingress "svcName" (printf "%s-%s" $fullName $i) "port" $root.Values.service.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" $root.Values) | nindent 2 }}
{{- end }}
{{- end }}
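Review bot: `{{- $path = "" }}` in the `openshift` branch assigns to a variable that is never declared with `:=` anywhere in this template, which fails at render time with an undefined-variable error whenever `ingress.controllerType` resolves to `openshift`; `$path` is also never read, since `"path" "/"` is passed literally to `spire-lib.ingress-spec`. The deletion makes this moot for `spike-keeper`, but if a sibling chart (such as `spike-nexus`, removed later in this diff) carries the same ingress template, that line should be dropped there too.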

View File

@ -1,48 +0,0 @@
{{ $root := . }}
{{ $last := sub (.Values.replicas | int) 1 | int }}
{{ range (seq 0 ($last) | toString | split " ") }}
{{ $i := . }}
---
apiVersion: v1
kind: Service
metadata:
namespace: {{ include "spike-keeper.namespace" $root }}
name: {{ include "spike-keeper.fullname" $root }}-{{ $i }}
{{- with $root.Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
apps.kubernetes.io/pod-index: {{ $i | quote }}
{{- include "spike-keeper.labels" $root | nindent 4 }}
spec:
type: {{ $root.Values.service.type }}
selector:
apps.kubernetes.io/pod-index: {{ $i | quote }}
{{- include "spike-keeper.selectorLabels" $root | nindent 4 }}
ports:
- name: {{ include "spike-keeper.fullname" $root }}
port: {{ $root.Values.service.port }}
targetPort: http
{{ end }}
---
apiVersion: v1
kind: Service
metadata:
namespace: {{ include "spike-keeper.namespace" $root }}
name: {{ include "spike-keeper.fullname" $root }}-headless
{{- with $root.Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "spike-keeper.labels" $root | nindent 4 }}
spec:
type: {{ $root.Values.service.type }}
clusterIP: None
selector:
{{- include "spike-keeper.selectorLabels" $root | nindent 4 }}
ports:
- name: {{ include "spike-keeper.fullname" $root }}
port: {{ $root.Values.service.port }}
targetPort: http

View File

@ -1,13 +0,0 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "spike-keeper.serviceAccountName" . }}
namespace: {{ include "spike-keeper.namespace" . }}
labels:
{{- include "spike-keeper.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

View File

@ -1,84 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "spike-keeper.fullname" . }}
namespace: {{ include "spike-keeper.namespace" . }}
labels:
{{- include "spike-keeper.labels" . | nindent 4 }}
spec:
serviceName: {{ include "spike-keeper.fullname" . }}-headless
replicas: {{ .Values.replicas }}
selector:
matchLabels:
{{- include "spike-keeper.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "spike-keeper.selectorLabels" . | nindent 8 }}
release: {{ .Release.Name }}
release-namespace: {{ .Release.Namespace }}
component: spike-keeper
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "spike-keeper.serviceAccountName" . }}
securityContext:
{{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
containers:
- name: {{ include "spike-keeper.fullname" . }}
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 12 }}
ports:
- name: http
containerPort: 8443
protocol: TCP
env:
- name: SPIFFE_ENDPOINT_SOCKET
value: unix://{{ include "spike-keeper.workload-api-socket-path" . }}
- name: SPIKE_SYSTEM_LOG_LEVEL
value: {{ .Values.logLevel | upper }}
- name: SPIKE_TRUST_ROOT
value: {{ include "spire-lib.trust-domain" . }}
- name: SPIKE_TRUST_ROOT_NEXUS
value: {{if eq .Values.trustRoot.nexus "" }}{{ include "spire-lib.trust-domain" . }}{{ else }}{{.Values.trustRoot.nexus }}{{ end }}
- name: SPIKE_KEEPER_TLS_PORT
value: ":8443"
{{- if .Values.startupProbe.enabled }}
startupProbe:
tcpSocket:
port: 8443
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
successThreshold: {{ .Values.startupProbe.successThreshold }}
timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
{{- end }}
volumeMounts:
- name: spiffe-workload-api
mountPath: {{ include "spike-keeper.workload-api-socket-path" . | dir }}
readOnly: true
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: spiffe-workload-api
csi:
driver: "{{ .Values.csiDriverName }}"
readOnly: true

View File

@ -1,139 +0,0 @@
# Default configuration for SPIKE Keeper
# SPDX-License-Identifier: APACHE-2.0
## @skip global
global: {}
## @section Chart parameters
##
## @param image.registry The OCI registry to pull the image from
## @param image.repository The repository within the registry
## @param image.pullPolicy The image pull policy
## @param image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: ghcr.io
repository: spiffe/spike-keeper
pullPolicy: IfNotPresent
tag: ""
## @param replicas The number of keepers to launch
replicas: 3
trustRoot:
## @param trustRoot.nexus Override which trustRoot Nexus is in
nexus: ""
## @param logLevel The log level, valid values are "debug", "info", "warn", and "error"
logLevel: debug
## @param agentSocketName The name of the spire-agent unix socket
agentSocketName: spire-agent.sock
## @param csiDriverName The csi driver to use
csiDriverName: csi.spiffe.io
## @param imagePullSecrets [array] Pull secrets for images
imagePullSecrets: []
## @param nameOverride Name override
nameOverride: ""
## @param namespaceOverride Namespace override
namespaceOverride: ""
## @param fullnameOverride Fullname override
fullnameOverride: ""
## @param serviceAccount.create Specifies whether a service account should be created
## @param serviceAccount.annotations [object] Annotations to add to the service account
## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
##
serviceAccount:
create: true
annotations: {}
name: ""
## @param labels [object] Labels for pods
labels: {}
## @param podSecurityContext [object] Pod security context
podSecurityContext: {}
# fsGroup: 2000
## @param securityContext [object] Security context
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
## @param service.type Service type
## @param service.port Service port
## @param service.annotations Annotations for service resource
##
service:
type: ClusterIP
port: 443
annotations: {}
## @param nodeSelector (Optional) Select specific nodes to run on.
nodeSelector: {}
## @param affinity [object] Affinity rules
affinity: {}
## @param tolerations [array] List of tolerations
tolerations: []
## @param topologySpreadConstraints [array] List of topology spread constraints for resilience
topologySpreadConstraints: []
## Provide minimal resources to prevent accidental crashes due to resource exhaustion
# resources:
# requests:
# cpu: 50m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 512Mi
## Configure extra options for startup probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
## @param startupProbe.enabled Enable startupProbe
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold count for startupProbe
## @param startupProbe.successThreshold Success threshold count for startupProbe
##
startupProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
## @param ingress.enabled Flag to enable ingress
## @param ingress.className Ingress class name
## @param ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
## @param ingress.annotations [object] Annotations
ingress:
enabled: false
className: ""
controllerType: ""
annotations: {}
## @param ingress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
host: "keeper"
## @param ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
tlsSecret: ""
## @param ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
hosts: []
## @param ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
tls: []

View File

@ -1,13 +0,0 @@
apiVersion: v2
name: spike-nexus
description: A Helm chart to deploy SPIKE Nexus
type: application
version: 0.1.0
appVersion: "0.4.2"
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources:
- https://github.com/spiffe/spike
icon: https://spike.ist/assets/spike-banner.png
maintainers:
- name: kfox1111
email: Kevin.Fox@pnnl.gov

View File

@ -1,83 +0,0 @@
# spike-nexus
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.1](https://img.shields.io/badge/AppVersion-v0.4.1-informational?style=flat-square)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
A Helm chart to deploy spike nexus
**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
## Version support
> [!Note]
> This Chart is still in development and still subject to change the API (`values.yaml`).
> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
> we do aim for as much stability as possible.
| Dependency | Supported Versions |
|:-----------|:-------------------|
| Helm | `3.x` |
## Source Code
* <https://github.com/spiffe/spike>
<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
## Parameters
### Chart parameters
| Name | Description | Value |
| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- |
| `image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `image.repository` | The repository within the registry | `spiffe/spike-nexus` |
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
| `backendStore` | The backend store to use. Must be one of [sqlite, memory, lite] | `sqlite` |
| `replicas` | The number of keepers to launch | `1` |
| `shamir.shares` | How many shares to configure for shamir secrets | `3` |
| `shamir.threshold` | How many shares needed to recover | `2` |
| `keeperPeers` | Keeper peer configuration. If blank, it will be autodetected | `[]` |
| `trustRoot.nexus` | Override which trustRoot Nexus is in | `""` |
| `trustRoot.keepers` | Override which trustRoot Keepers are in | `[]` |
| `trustRoot.pilot` | Override which trustRoot Pilot is in | `""` |
| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `debug` |
| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` |
| `csiDriverName` | The csi driver to use | `csi.spiffe.io` |
| `imagePullSecrets` | Pull secrets for images | `[]` |
| `nameOverride` | Name override | `""` |
| `namespaceOverride` | Namespace override | `""` |
| `fullnameOverride` | Fullname override | `""` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` |
| `labels` | Labels for pods | `{}` |
| `podSecurityContext` | Pod security context | `{}` |
| `securityContext` | Security context | `{}` |
| `service.type` | Service type | `ClusterIP` |
| `service.port` | Service port | `443` |
| `service.annotations` | Annotations for service resource | `{}` |
| `nodeSelector` | (Optional) Select specific nodes to run on. | `{}` |
| `affinity` | Affinity rules | `{}` |
| `tolerations` | List of tolerations | `[]` |
| `topologySpreadConstraints` | List of topology spread constraints for resilience | `[]` |
| `startupProbe.enabled` | Enable startupProbe | `true` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
| `startupProbe.failureThreshold` | Failure threshold count for startupProbe | `6` |
| `startupProbe.successThreshold` | Success threshold count for startupProbe | `1` |
| `ingress.enabled` | Flag to enable ingress | `false` |
| `ingress.className` | Ingress class name | `""` |
| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
| `ingress.annotations` | Annotations | `{}` |
| `ingress.host` | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead. | `nexus` |
| `ingress.tlsSecret` | Secret that has the certs. If blank will use default certs. Used with host var. | `""` |
| `ingress.hosts` | Host paths for ingress object. If empty, rules will be built based on the host var. | `[]` |
| `ingress.tls` | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars. | `[]` |
| `persistence.type` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `pvc` |
| `persistence.size` | What size volume to use for persistence | `1Gi` |
| `persistence.accessMode` | What access mode to use for persistence. Valid options are ReadWriteOnce (recommended), ReadWriteOncePod, ReadWriteMany (not recommended) | `ReadWriteOnce` |
| `persistence.storageClass` | What storage class to use for persistence | `nil` |
| `persistence.hostPath` | Which path to use on the host when persistence.type = hostPath | `""` |
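Review bot: The `replicas` row of this spike-nexus README describes the value as "The number of keepers to launch", which is copied from the keeper chart; the value sizes the Nexus StatefulSet, and since the table is helm-docs output the fix belongs in the `@param replicas` comment in values.yaml. Two more rows do not match the chart they document: `securityContext` shows a default of `{}` while this chart's values.yaml sets `runAsNonRoot: true` and `runAsUser: 1000` under that key, and `persistence.type` offers `hostPath` and `emptyDir` although the StatefulSet template always declares a `volumeClaimTemplates` entry and never reads the type; either implement the other two modes or drop them from the comment, then regenerate the table.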


@ -1 +0,0 @@
Installed {{ .Chart.Name }}…


@ -1,83 +0,0 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "spike-nexus.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "spike-nexus.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
*/}}
{{- define "spike-nexus.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
{{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
{{- .Values.global.spire.namespaces.server.name }}
{{- else }}
{{- printf "spire-server" }}
{{- end }}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "spike-nexus.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "spike-nexus.labels" -}}
helm.sh/chart: {{ include "spike-nexus.chart" . }}
{{ include "spike-nexus.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "spike-nexus.selectorLabels" -}}
app.kubernetes.io/name: {{ include "spike-nexus.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "spike-nexus.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "spike-nexus.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "spike-nexus.workload-api-socket-path" -}}
{{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
{{- end }}
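Review bot: `spike-nexus.workload-api-socket-path` at the end of this helpers file is the only define without the `{{/* ... */}}` doc comment the other helpers carry; add one saying that it joins `/spiffe-workload-api/` with `agentSocketName` and that the StatefulSet derives the CSI mount path from it via `dir`. Also worth a comment: `spike-nexus.namespace` falls back to the `spire-server` namespace whenever the global recommendations layout is enabled, which co-locates the Nexus secrets store with the SPIRE server; if that is intended, state it, otherwise a dedicated namespace keeps the two workloads' RBAC and network policy separate.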


@ -1,31 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{ $root := . }}
{{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.ingress) }}
{{- $fullName := include "spike-nexus.fullname" . -}}
{{- $tlsSection := true }}
{{- $annotations := deepCopy .Values.ingress.annotations }}
{{- if eq $ingressControllerType "ingress-nginx" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
{{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
{{- else if eq $ingressControllerType "openshift" }}
{{- $path = "" }}
{{- $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
{{- $tlsSection = false }}
{{- end }}
{{ $last := sub (.Values.replicas | int) 1 | int }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ include "spike-nexus.namespace" $root }}
labels:
{{ include "spike-nexus.labels" $root | nindent 4}}
{{- with $annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{ include "spire-lib.ingress-spec" (dict "ingress" .Values.ingress "svcName" $fullName "port" $root.Values.service.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" $root.Values) | nindent 2 }}
{{- end }}
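Review bot: `{{- $path = "" }}` in the openshift branch assigns to `$path` without a prior `:=` declaration, so rendering with `ingress.controllerType: openshift` fails with an undefined-variable error; either declare `$path := "/"` before the `if` and pass `$path` in place of the literal `"/"` in the `spire-lib.ingress-spec` call, or delete the line. `$last := sub (.Values.replicas | int) 1 | int` is computed and never used, and `{{ $root := . }}` without the `-` trim markers emits a stray blank line at the top of the rendered manifest.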


@ -1,20 +0,0 @@
{{ $root := . }}
apiVersion: v1
kind: Service
metadata:
namespace: {{ include "spike-nexus.namespace" $root }}
name: {{ include "spike-nexus.fullname" $root }}
{{- with $root.Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "spike-nexus.labels" $root | nindent 4 }}
spec:
type: {{ $root.Values.service.type }}
selector:
{{- include "spike-nexus.selectorLabels" $root | nindent 4 }}
ports:
- name: {{ include "spike-nexus.fullname" $root }}
port: {{ $root.Values.service.port }}
targetPort: http
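Review bot: The port `name:` in this Service is set to the chart fullname, but Kubernetes limits port names to 15 characters (IANA_SVC_NAME) and `spike-nexus.fullname` yields `<release>-spike-nexus` for any release name that does not already contain the chart name, so the Service is rejected at apply time in the common case; use a short fixed name such as `https`. `targetPort: http` refers to the container port named `http` on 8443, which the StatefulSet serves TLS on (`SPIKE_NEXUS_TLS_PORT ":8443"`); renaming that port `https` in both files keeps the manifests honest about the protocol.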


@ -1,13 +0,0 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "spike-nexus.serviceAccountName" . }}
namespace: {{ include "spike-nexus.namespace" . }}
labels:
{{- include "spike-nexus.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}


@ -1,114 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "spike-nexus.fullname" . }}
namespace: {{ include "spike-nexus.namespace" . }}
labels:
{{- include "spike-nexus.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
{{- include "spike-nexus.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "spike-nexus.selectorLabels" . | nindent 8 }}
release: {{ .Release.Name }}
release-namespace: {{ .Release.Namespace }}
component: spike-nexus
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "spike-nexus.serviceAccountName" . }}
securityContext:
{{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
containers:
- name: {{ include "spike-nexus.fullname" . }}
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 12 }}
ports:
- name: http
containerPort: 8443
protocol: TCP
env:
- name: SPIKE_NEXUS_BACKEND_STORE
value: {{ .Values.backendStore | quote }}
- name: SPIKE_NEXUS_SHAMIR_SHARES
value: {{ .Values.shamir.shares | quote }}
- name: SPIKE_NEXUS_SHAMIR_THRESHOLD
value: {{ .Values.shamir.threshold | quote }}
# Note: IP will depend on the testbed.
- name: SPIKE_NEXUS_KEEPER_PEERS
{{- if gt (len .Values.keeperPeers) 0 }}
value: {{ .Values.keeperPeers | join "," | quote }}
{{- else }}
value: https://{{ .Release.Name }}-spike-keeper-0.{{ .Release.Name }}-spike-keeper-headless:8443,https://{{ .Release.Name }}-spike-keeper-1.{{ .Release.Name }}-spike-keeper-headless:8443,https://{{ .Release.Name }}-spike-keeper-2.{{ .Release.Name }}-spike-keeper-headless:8443
{{- end }}
- name: SPIFFE_ENDPOINT_SOCKET
value: unix://{{ include "spike-nexus.workload-api-socket-path" . }}
- name: SPIKE_SYSTEM_LOG_LEVEL
value: {{ .Values.logLevel | upper }}
- name: SPIKE_TRUST_ROOT
value: {{ include "spire-lib.trust-domain" . }}
- name: SPIKE_TRUST_ROOT_KEEPER
value: {{ if gt (len .Values.trustRoot.keepers) 0 }}{{ .Values.trustRoot.keepers | join "," | quote}}{{ else }}{{ include "spire-lib.trust-domain" . }}{{ end }}
- name: SPIKE_TRUST_ROOT_PILOT
value: {{if eq .Values.trustRoot.pilot "" }}{{ include "spire-lib.trust-domain" . }}{{ else }}{{.Values.trustRoot.pilot }}{{ end }}
- name: SPIKE_NEXUS_TLS_PORT
value: ":8443"
{{- if .Values.startupProbe.enabled }}
startupProbe:
tcpSocket:
port: 8443
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
successThreshold: {{ .Values.startupProbe.successThreshold }}
timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
{{- end }}
volumeMounts:
- name: spiffe-workload-api
mountPath: {{ include "spike-nexus.workload-api-socket-path" . | dir }}
readOnly: true
- name: nexus-data
mountPath: /.spike
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: spiffe-workload-api
csi:
driver: "{{ .Values.csiDriverName }}"
readOnly: true
volumeClaimTemplates:
- metadata:
name: nexus-data
spec:
accessModes:
- {{ .Values.persistence.accessMode | default "ReadWriteOnce" }}
resources:
requests:
storage: {{ .Values.persistence.size }}
{{- $storageClass := (dig "spire" "persistence" "storageClass" nil .Values.global) | default .Values.persistence.storageClass }}
{{- if $storageClass }}
storageClassName: {{ $storageClass }}
{{- end }}
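Review bot: The `SPIKE_NEXUS_KEEPER_PEERS` fallback hard-codes three keeper pod addresses (`-spike-keeper-0` through `-spike-keeper-2`) while `shamir.shares` is configurable, so if the keeper count is meant to track the share count, changing `shamir.shares` without also setting `keeperPeers` leaves Nexus with the wrong peer set; generating the list with `range $i := until (.Values.shamir.shares | int)` keeps the two in step, and the leftover `# Note: IP will depend on the testbed.` comment should go. Two documented values are also never consumed here: `labels` does not reach the pod template metadata, and `persistence.type` is ignored because the `volumeClaimTemplates` entry is unconditional, so `hostPath` and `emptyDir` cannot be selected. Quoting is inconsistent in `SPIKE_TRUST_ROOT_KEEPER` (only the joined-list branch is `quote`d), and the container carries no `resources`; the values file only has them commented out.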


@ -1,175 +0,0 @@
# Default configuration for SPIKE Keeper
# SPDX-License-Identifier: APACHE-2.0
## @skip global
global: {}
## @section Chart parameters
##
## @param image.registry The OCI registry to pull the image from
## @param image.repository The repository within the registry
## @param image.pullPolicy The image pull policy
## @param image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: ghcr.io
repository: spiffe/spike-nexus
pullPolicy: IfNotPresent
tag: ""
## @param backendStore The backend store to use. Must be one of [sqlite, memory, lite]
backendStore: sqlite
## @param replicas The number of keepers to launch
replicas: 1
shamir:
## @param shamir.shares How many shares to configure for shamir secrets
shares: 3
## @param shamir.threshold How many shares needed to recover
threshold: 2
## @param keeperPeers Keeper peer configuration. If blank, it will be autodetected
keeperPeers: []
trustRoot:
## @param trustRoot.nexus Override which trustRoot Nexus is in
nexus: ""
## @param trustRoot.keepers Override which trustRoot Keepers are in
keepers: []
## @param trustRoot.pilot Override which trustRoot Pilot is in
pilot: ""
## @param logLevel The log level, valid values are "debug", "info", "warn", and "error"
logLevel: debug
## @param agentSocketName The name of the spire-agent unix socket
agentSocketName: spire-agent.sock
## @param csiDriverName The csi driver to use
csiDriverName: csi.spiffe.io
## @param imagePullSecrets [array] Pull secrets for images
imagePullSecrets: []
## @param nameOverride Name override
nameOverride: ""
## @param namespaceOverride Namespace override
namespaceOverride: ""
## @param fullnameOverride Fullname override
fullnameOverride: ""
## @param serviceAccount.create Specifies whether a service account should be created
## @param serviceAccount.annotations [object] Annotations to add to the service account
## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
##
serviceAccount:
create: true
annotations: {}
name: ""
## @param labels [object] Labels for pods
labels: {}
## @param podSecurityContext [object] Pod security context
podSecurityContext: {}
# fsGroup: 2000
## @param securityContext [object] Security context
securityContext:
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
## @param service.type Service type
## @param service.port Service port
## @param service.annotations Annotations for service resource
##
service:
type: ClusterIP
port: 443
annotations: {}
## @param nodeSelector (Optional) Select specific nodes to run on.
nodeSelector: {}
## @param affinity [object] Affinity rules
affinity: {}
## @param tolerations [array] List of tolerations
tolerations: []
## @param topologySpreadConstraints [array] List of topology spread constraints for resilience
topologySpreadConstraints: []
## Provide minimal resources to prevent accidental crashes due to resource exhaustion
# resources:
# requests:
# cpu: 50m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 512Mi
## Configure extra options for startup probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
## @param startupProbe.enabled Enable startupProbe
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold count for startupProbe
## @param startupProbe.successThreshold Success threshold count for startupProbe
##
startupProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
## @param ingress.enabled Flag to enable ingress
## @param ingress.className Ingress class name
## @param ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
## @param ingress.annotations [object] Annotations
ingress:
enabled: false
className: ""
controllerType: ""
annotations: {}
## @param ingress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
host: "nexus"
## @param ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
tlsSecret: ""
## @param ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
hosts: []
# - host: nexus.example.org
# paths:
# - path: /
# pathType: Prefix
## @param ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
tls: []
# - secretName: chart-example-tls
# hosts:
# - nexus.example.org
## @param persistence.type What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only)
## @param persistence.size What size volume to use for persistence
## @param persistence.accessMode What access mode to use for persistence. Valid options are ReadWriteOnce (recommended), ReadWriteOncePod, ReadWriteMany (not recommended)
## @param persistence.storageClass What storage class to use for persistence
## @param persistence.hostPath Which path to use on the host when persistence.type = hostPath
##
persistence:
type: pvc
size: 1Gi
accessMode: ReadWriteOnce
storageClass: null
hostPath: ""
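Review bot: The header `# Default configuration for SPIKE Keeper` on the first line of this spike-nexus values.yaml and the `@param replicas The number of keepers to launch` comment are both copied from the keeper chart and should name Nexus, since helm-docs builds the README table from these comments. Two defaults deserve tightening for a secrets store: `logLevel: debug` should default to `info` so request detail is not logged in production, and the `securityContext` block sets `runAsNonRoot`/`runAsUser` but leaves `capabilities.drop: [ALL]` and `readOnlyRootFilesystem: true` commented out; the data directory is a separate volume mounted at `/.spike`, so a read-only root filesystem should be safe to enable.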


@ -1,13 +0,0 @@
apiVersion: v2
name: spike-pilot
description: A Helm chart to deploy SPIKE Pilot
type: application
version: 0.1.0
appVersion: "0.4.2"
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources:
- https://github.com/spiffe/spike
icon: https://spike.ist/assets/spike-banner.png
maintainers:
- name: kfox1111
email: Kevin.Fox@pnnl.gov


@ -1,63 +0,0 @@
# spike-pilot
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.1](https://img.shields.io/badge/AppVersion-v0.4.1-informational?style=flat-square)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
A Helm chart to deploy spike pilot
**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
## Version support
> [!Note]
> This Chart is still in development and still subject to change the API (`values.yaml`).
> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
> we do aim for as much stability as possible.
| Dependency | Supported Versions |
|:-----------|:-------------------|
| Helm | `3.x` |
## Source Code
* <https://github.com/spiffe/spike>
<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
## Parameters
### Chart parameters
| Name | Description | Value |
| -------------------------------- | ------------------------------------------------------------------------------------------- | -------------------- |
| `image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `image.repository` | The repository within the registry | `spiffe/spike-pilot` |
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
| `shell.image.registry` | The OCI registry to pull the image from | `""` |
| `shell.image.repository` | The repository within the registry | `busybox` |
| `shell.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `shell.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.37.0-uclibc` |
| `tools.busybox.image.registry` | The OCI registry to pull the image from | `""` |
| `tools.busybox.image.repository` | The repository within the registry | `busybox` |
| `tools.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tools.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.37.0-uclibc` |
| `replicas` | The number of keepers to launch | `1` |
| `trustRoot.nexus` | Override which trustRoot Nexus is in | `""` |
| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `debug` |
| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` |
| `csiDriverName` | The csi driver to use | `csi.spiffe.io` |
| `imagePullSecrets` | Pull secrets for images | `[]` |
| `nameOverride` | Name override | `""` |
| `namespaceOverride` | Namespace override | `""` |
| `fullnameOverride` | Fullname override | `""` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` |
| `labels` | Labels for pods | `{}` |
| `podSecurityContext` | Pod security context | `{}` |
| `securityContext` | Security context | `{}` |
| `nodeSelector` | (Optional) Select specific nodes to run on. | `{}` |
| `affinity` | Affinity rules | `{}` |
| `tolerations` | List of tolerations | `[]` |
| `topologySpreadConstraints` | List of topology spread constraints for resilience | `[]` |
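Review bot: The AppVersion badge on the second line of this spike-pilot README reads `v0.4.1` while the Chart.yaml in the same change declares `appVersion: "0.4.2"`, so the README was not regenerated after the bump; rerun helm-docs. As in the nexus chart, the `replicas` row describes "The number of keepers to launch" although it sizes the Pilot Deployment, and `securityContext` defaults to `{}`, so the Pilot container's user depends entirely on what `spire-lib.securitycontext` injects.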


@ -1 +0,0 @@
Installed {{ .Chart.Name }}…


@ -1,83 +0,0 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "spike-pilot.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "spike-pilot.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
*/}}
{{- define "spike-pilot.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
{{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
{{- .Values.global.spire.namespaces.server.name }}
{{- else }}
{{- printf "spire-server" }}
{{- end }}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "spike-pilot.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "spike-pilot.labels" -}}
helm.sh/chart: {{ include "spike-pilot.chart" . }}
{{ include "spike-pilot.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "spike-pilot.selectorLabels" -}}
app.kubernetes.io/name: {{ include "spike-pilot.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "spike-pilot.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "spike-pilot.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "spike-pilot.workload-api-socket-path" -}}
{{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
{{- end }}
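Review bot: This helpers file duplicates the spike-nexus `_helpers.tpl` line for line with only the `spike-nexus.` prefix replaced by `spike-pilot.`; the `namespace`, `chart`, `labels`, `selectorLabels` and `workload-api-socket-path` defines carry no chart-specific logic and could live in `spire-lib` next to `spire-lib.image` and `spire-lib.trust-domain`, which these templates already include, leaving only `name`/`fullname` per chart. `workload-api-socket-path` also lacks the doc comment the other helpers have.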


@ -1,96 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "spike-pilot.fullname" . }}
namespace: {{ include "spike-pilot.namespace" . }}
labels:
{{- include "spike-pilot.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
{{- include "spike-pilot.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "spike-pilot.selectorLabels" . | nindent 8 }}
release: {{ .Release.Name }}
release-namespace: {{ .Release.Namespace }}
component: spike-pilot
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "spike-pilot.serviceAccountName" . }}
securityContext:
{{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
initContainers:
- name: init
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.busybox.image "global" .Values.global "ubi" true) }}
imagePullPolicy: {{ .Values.tools.busybox.image.pullPolicy }}
command: ["/bin/sh", "-c", "cp -a /bin/busybox /data"]
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 12 }}
volumeMounts:
- name: pilot
mountPath: /data
- name: init2
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: ["/data/busybox", "sh", "-c", "/data/busybox cp -a /usr/local/bin/spike /data && /data/busybox rm -f /data/busybox"]
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 12 }}
volumeMounts:
- name: pilot
mountPath: /data
containers:
- name: {{ include "spike-pilot.fullname" . }}
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.shell.image "global" .Values.global "ubi" true) }}
imagePullPolicy: {{ .Values.shell.image.pullPolicy }}
command: ["/bin/sh", "-c", "echo I live; while true; do sleep 1000; done"]
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 12 }}
env:
#FIXME make this configurable
- name: SPIKE_NEXUS_API_URL
value: https://{{ .Release.Name }}-spike-nexus:443
- name: SPIFFE_ENDPOINT_SOCKET
value: unix://{{ include "spike-pilot.workload-api-socket-path" . }}
- name: SPIKE_SYSTEM_LOG_LEVEL
value: {{ .Values.logLevel | upper }}
- name: SPIKE_TRUST_ROOT
value: {{ include "spire-lib.trust-domain" . }}
- name: SPIKE_TRUST_ROOT_NEXUS
value: {{if eq .Values.trustRoot.Nexus "" }}{{ include "spire-lib.trust-domain" . }}{{ else }}{{.Values.trustRoot.Nexus }}{{ end }}
volumeMounts:
- name: spiffe-workload-api
mountPath: {{ include "spike-pilot.workload-api-socket-path" . | dir }}
readOnly: true
- name: pilot
mountPath: /bin/spike
subPath: spike
readOnly: true
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: pilot
emptyDir: {}
- name: spiffe-workload-api
csi:
driver: "{{ .Values.csiDriverName }}"
readOnly: true
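Review bot: `.Values.trustRoot.Nexus` in the `SPIKE_TRUST_ROOT_NEXUS` env entry uses a capitalised key, but values.yaml defines `trustRoot.nexus`, so the lookup yields nil: the `eq ... ""` guard is never true and the else branch renders the missing value, leaving `SPIKE_TRUST_ROOT_NEXUS` empty instead of falling back to `spire-lib.trust-domain`; change both references to `.Values.trustRoot.nexus`. The `#FIXME make this configurable` above `SPIKE_NEXUS_API_URL` should be resolved before release by exposing a value whose default is the current `https://<release>-spike-nexus:443`. A short comment on the two-stage init chain (busybox copied into the `pilot` emptyDir, then used to copy the `spike` binary out of the pilot image) would help reviewers, since the reason is presumably that the pilot image ships no shell.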

View File

@ -1,13 +0,0 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "spike-pilot.serviceAccountName" . }}
namespace: {{ include "spike-pilot.namespace" . }}
labels:
{{- include "spike-pilot.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}


@ -1,116 +0,0 @@
# Default configuration for SPIKE Keeper
# SPDX-License-Identifier: APACHE-2.0
## @skip global
global: {}
## @section Chart parameters
##
## @param image.registry The OCI registry to pull the image from
## @param image.repository The repository within the registry
## @param image.pullPolicy The image pull policy
## @param image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: ghcr.io
repository: spiffe/spike-pilot
pullPolicy: IfNotPresent
tag: ""
shell:
## @param shell.image.registry The OCI registry to pull the image from
## @param shell.image.repository The repository within the registry
## @param shell.image.pullPolicy The image pull policy
## @param shell.image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: ""
repository: busybox
pullPolicy: IfNotPresent
tag: 1.37.0-uclibc
tools:
busybox:
## @param tools.busybox.image.registry The OCI registry to pull the image from
## @param tools.busybox.image.repository The repository within the registry
## @param tools.busybox.image.pullPolicy The image pull policy
## @param tools.busybox.image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: ""
repository: busybox
pullPolicy: IfNotPresent
tag: 1.37.0-uclibc
## @param replicas The number of keepers to launch
replicas: 1
trustRoot:
## @param trustRoot.nexus Override which trustRoot Nexus is in
nexus: ""
## @param logLevel The log level, valid values are "debug", "info", "warn", and "error"
logLevel: debug
## @param agentSocketName The name of the spire-agent unix socket
agentSocketName: spire-agent.sock
## @param csiDriverName The csi driver to use
csiDriverName: csi.spiffe.io
## @param imagePullSecrets [array] Pull secrets for images
imagePullSecrets: []
## @param nameOverride Name override
nameOverride: ""
## @param namespaceOverride Namespace override
namespaceOverride: ""
## @param fullnameOverride Fullname override
fullnameOverride: ""
## @param serviceAccount.create Specifies whether a service account should be created
## @param serviceAccount.annotations [object] Annotations to add to the service account
## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
##
serviceAccount:
create: true
annotations: {}
name: ""
## @param labels [object] Labels for pods
labels: {}
## @param podSecurityContext [object] Pod security context
podSecurityContext: {}
# fsGroup: 2000
## @param securityContext [object] Security context
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
## @param nodeSelector (Optional) Select specific nodes to run on.
nodeSelector: {}
## @param affinity [object] Affinity rules
affinity: {}
## @param tolerations [array] List of tolerations
tolerations: []
## @param topologySpreadConstraints [array] List of topology spread constraints for resilience
topologySpreadConstraints: []
## Provide minimal resources to prevent accidental crashes due to resource exhaustion
# resources:
# requests:
# cpu: 50m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 512Mi
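Review bot: The first line `# Default configuration for SPIKE Keeper` and the `@param replicas The number of keepers to launch` comment in this spike-pilot values.yaml are copied from the keeper chart; both should name Pilot. `securityContext: {}` with `runAsNonRoot: true` and `runAsUser: 1000` left commented out means the Pilot container runs as the busybox image's default user (root) unless `spire-lib.securitycontext` supplies one; the nexus chart in the same change enables both settings, and Pilot, which holds a SPIFFE identity and talks to Nexus, should match. `logLevel: debug` should likewise default to `info`.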


@ -3,7 +3,7 @@ name: spire-agent
description: A Helm chart to install the SPIRE agent. description: A Helm chart to install the SPIRE agent.
type: application type: application
version: 0.1.0 version: 0.1.0
appVersion: "1.12.4" appVersion: "1.12.0"
keywords: ["spiffe", "spire-agent"] keywords: ["spiffe", "spire-agent"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources: sources:
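Review bot: `appVersion` differs between the two sides of this Chart.yaml hunk (`"1.12.4"` against `"1.12.0"`) while `version: 0.1.0` is identical on both; if the release process does not stamp the chart version at publish time, a change to the packaged SPIRE agent needs a chart `version` bump so consumers pinning the chart see the image change, and the README badge and any `image.tag` default derived from `appVersion` need regenerating to match.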


@ -52,7 +52,7 @@ A Helm chart to install the SPIRE agent.
| `clusterName` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `example-cluster` | | `clusterName` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `example-cluster` |
| `trustDomain` | The trust domain to be used for the SPIFFE identifiers | `example.org` | | `trustDomain` | The trust domain to be used for the SPIFFE identifiers | `example.org` |
| `trustBundleURL` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap | `""` | | `trustBundleURL` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap | `""` |
| `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `spiffe` | | `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `pem` |
| `trustBundleHostPath` | If set, obtain trust bundle from a file on the host instead of from the ConfigMap | `""` | | `trustBundleHostPath` | If set, obtain trust bundle from a file on the host instead of from the ConfigMap | `""` |
| `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` | | `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` |
| `availabilityTarget` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. | `""` | | `availabilityTarget` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. | `""` |
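Review bot: the `trustBundleFormat` row still reads "If using trustBundleURL, what format is the url", but the agent template in this same diff emits `trust_bundle_format` unconditionally and uses it to pick the bundle file name under `/run/spire/bundle/`, so the description should say the format applies to the URL, host-path and ConfigMap sources alike. The row's default also differs between the two sides (`spiffe` vs `pem`); that is a behaviour change for existing installs and deserves an explicit note rather than a silent table edit.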
@ -70,28 +70,26 @@ A Helm chart to install the SPIRE agent.
| `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
| `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | | `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` |
| `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | | `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` |
| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` | | `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:ce272ee5a3739a3c45784c317b2fb1e93a4cc4ea1f4d3feabb702b278e5bf514` |
| `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
| `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` | | `keyManager.memory.enabled` | Enable the memory based Key Manager | `true` |
| `keyManager.disk.enabled` | Enable the disk based Key Manager (must have persistence.type set to hostPath when enabled) | `false` |
| `nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s Node Attestor | `true` | | `nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s Node Attestor | `true` |
| `nodeAttestor.httpChallenge.enabled` | Enable the http challenge Node Attestor | `false` | | `nodeAttestor.httpChallenge.enabled` | Enable the http challenge Node Attestor | `false` |
| `nodeAttestor.httpChallenge.agentname` | Name of this agent. Useful if you have multiple agents bound to different spire servers on the same host and sharing the same port. | `default` | | `nodeAttestor.httpChallenge.agentname` | Name of this agent. Useful if you have multiple agents bound to different spire servers on the same host and sharing the same port. | `default` |
| `nodeAttestor.httpChallenge.port` | The port to listen on. If 0, a random value will be used. | `0` | | `nodeAttestor.httpChallenge.port` | The port to listen on. If 0, a random value will be used. | `0` |
| `nodeAttestor.httpChallenge.advertisedPort` | The port to tell the server to call back on. Set only if your using an http proxy on the hosts. If 0, will use the port setting. | `0` | | `nodeAttestor.httpChallenge.advertisedPort` | The port to tell the server to call back on. Set only if your using an http proxy on the hosts. If 0, will use the port setting. | `0` |
| `nodeAttestor.tpmDirect.enabled` | Enable the direct TPM node attestor, a 3rd party plugin by Boxboat. This plugin is experimental. | `false` | | `nodeAttestor.tpmDirect.enabled` | Enable the direct TPM node attestor, a 3rd party plugin by Boxboat. This plugin is experimental. | `false` |
| `nodeAttestor.tpmDirect.plugin.image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `nodeAttestor.tpmDirect.plugin.image.registry` | The OCI registry to pull the image from | `docker.io` |
| `nodeAttestor.tpmDirect.plugin.image.repository` | The repository within the registry | `spiffe/spire-tpm-plugin-tpm-attestor-agent` | | `nodeAttestor.tpmDirect.plugin.image.repository` | The repository within the registry | `boxboat/spire-tpm-plugin-tpm-attestor-agent` |
| `nodeAttestor.tpmDirect.plugin.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `nodeAttestor.tpmDirect.plugin.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `nodeAttestor.tpmDirect.plugin.image.tag` | Overrides the image tag | `v1.9.0` | | `nodeAttestor.tpmDirect.plugin.image.tag` | Overrides the image tag | `v1.8.7` |
| `nodeAttestor.tpmDirect.plugin.checksum` | The sha256 checksum of the plugin binary | `22f67063f1699330e70cdedc9b923e517688f5ae71085a26bd9b83b3060ee86e` | | `nodeAttestor.tpmDirect.plugin.checksum` | The sha256 checksum of the plugin binary | `1d7c73ccac948ee86cbd78ddde2d30128a1838b403f7bb2100d38d916a252244` |
| `nodeAttestor.tpmDirect.plugin.path` | The filename in the container of the plugin | `/app/tpm_attestor_agent` | | `nodeAttestor.tpmDirect.plugin.path` | The filename in the container of the plugin | `/app/tpm_attestor_agent` |
| `nodeAttestor.tpmDirect.pubHash.enabled` | Display pubhash in logs | `true` | | `nodeAttestor.tpmDirect.pubHash.enabled` | Display pubhash in logs | `true` |
| `nodeAttestor.tpmDirect.pubHash.image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `nodeAttestor.tpmDirect.pubHash.image.registry` | The OCI registry to pull the image from | `docker.io` |
| `nodeAttestor.tpmDirect.pubHash.image.repository` | The repository within the registry | `spiffe/spire-tpm-plugin-get-tpm-pubhash` | | `nodeAttestor.tpmDirect.pubHash.image.repository` | The repository within the registry | `boxboat/spire-tpm-plugin-get-tpm-pubhash` |
| `nodeAttestor.tpmDirect.pubHash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `nodeAttestor.tpmDirect.pubHash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `nodeAttestor.tpmDirect.pubHash.image.tag` | Overrides the image tag | `v1.9.0` | | `nodeAttestor.tpmDirect.pubHash.image.tag` | Overrides the image tag | `v1.8.7` |
| `nodeAttestor.awsIID.enabled` | Enable the aws_iid Node Attestor | `false` |
| `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | | `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` |
| `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` | | `workloadAttestors.k8s.enabled` | Enables the Kubernetes workload attestor | `true` |
| `workloadAttestors.k8s.verification.type` | What kind of verification to do against kubelet. auto will first attempt to use hostCert, and then fall back to apiServerCA. Valid options are [auto, hostCert, apiServerCA, skip] | `skip` | | `workloadAttestors.k8s.verification.type` | What kind of verification to do against kubelet. auto will first attempt to use hostCert, and then fall back to apiServerCA. Valid options are [auto, hostCert, apiServerCA, skip] | `skip` |
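Review bot: the `nodeAttestor.tpmDirect.enabled` description still says "a 3rd party plugin by Boxboat" on the side whose images are `ghcr.io/spiffe/spire-tpm-plugin-*`; if the plugin moved under the SPIFFE org the text should say so, and if it did not, the image source needs checking before the registry switch lands. Smaller doc nit in the same table: `fsGroupFix.image.tag` says its default "is the chart appVersion" while the default shown is a `latest@sha256:...` digest.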
@ -110,21 +108,18 @@ A Helm chart to install the SPIRE agent.
| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | | `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` |
| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | | `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` |
| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | | `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` |
| `telemetry.datadog.enabled` | Flag to enable datadog monitoring | `false` |
| `telemetry.datadog.address` | The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc` | `datadog.kube-system.svc` |
| `telemetry.datadog.port` | The port of the datadog service to send metrics to | `8125` |
| `kubeletConnectByHostname` | If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise. | `""` | | `kubeletConnectByHostname` | If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise. | `""` |
| `socketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | | `socketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` |
| `socketAlternate.names` | List of alternate names for the socket that workloads might expect to be able to access in the driver mount. | `["socket","spire-agent.sock","api.sock"]` | | `socketAlternate.names` | List of alternate names for the socket that workloads might expect to be able to access in the driver mount. | `["socket","spire-agent.sock","api.sock"]` |
| `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `socketAlternate.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
| `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` | | `socketAlternate.image.repository` | The repository within the registry | `chainguard/bash` |
| `socketAlternate.image.pullPolicy` | The image pull policy | `Always` | | `socketAlternate.image.pullPolicy` | The image pull policy | `Always` |
| `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` | | `socketAlternate.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:ce272ee5a3739a3c45784c317b2fb1e93a4cc4ea1f4d3feabb702b278e5bf514` |
| `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `socketAlternate.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
| `hostCert.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `hostCert.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
| `hostCert.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` | | `hostCert.image.repository` | The repository within the registry | `chainguard/min-toolkit-debug` |
| `hostCert.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `hostCert.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `hostCert.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53` | | `hostCert.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:2f8ac6547029ed217bb40167bf39883b4bc606b3b747ecaf710fab9779ef786f` |
| `hostCert.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `hostCert.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
| `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` | | `priorityClassName` | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName. | `""` |
| `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` | | `extraEnvVars` | Extra environment variables to be added to the Spire Agent container | `[]` |
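Review bot: `telemetry.datadog.address` defaults to `datadog.kube-system.svc`, a service this chart does not create, and DogStatsD on port `8125` is plain UDP with no authentication; the rows should say that a Datadog agent must already be listening there and that the address should only ever resolve inside the cluster. The `socketAlternate.image.tag` and `hostCert.image.tag` rows carry the same stale "default is the chart appVersion" wording as the other digest-pinned images.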
@ -141,8 +136,8 @@ A Helm chart to install the SPIRE agent.
| `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` | | `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` |
| `experimental.featureFlags` | List of developer feature flags | `[]` | | `experimental.featureFlags` | List of developer feature flags | `[]` |
| `agents` | Configure multiple agent DaemonSets. Useful when you have different node types and nodeAttestors | `{}` | | `agents` | Configure multiple agent DaemonSets. Useful when you have different node types and nodeAttestors | `{}` |
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` | | `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` |
| `tools.kubectl.image.repository` | The repository within the registry | `kubectl` | | `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` |
| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | | `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
| `sockets.hostBasePath` | Path on which the agent socket is made available when admin.mountOnHost is true | `/run/spire/agent/sockets` | | `sockets.hostBasePath` | Path on which the agent socket is made available when admin.mountOnHost is true | `/run/spire/agent/sockets` |
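Review bot: `tools.kubectl.image.tag` keeps the description "whose default is the chart appVersion", but the chart appVersion is a SPIRE version (`1.12.x`), which is not a tag of either `registry.k8s.io/kubectl` or `docker.io/rancher/kubectl`; say how the tag is actually derived when the value is empty. Moving between those two registries also changes who builds the image (the Kubernetes project vs Rancher), which is worth a changelog line.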

View File

@ -19,11 +19,8 @@
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if and .Values.keyManager.disk.enabled (ne .Values.persistence.type "hostPath") }}
{{- fail "keyManager.disk.enabled is true but persistence.type is not hostPath. Ensure persistence.type is hostPath when keyManager.disk.enabled is true." }}
{{- end }}
{{- if hasPrefix (.Values.socketPath | dir | clean) (.Values.sockets.hostBasePath | clean) }} {{- if hasPrefix (.Values.socketPath | dir | clean) (.Values.sockets.hostBasePath | clean) }}
{{- fail "The sockets.hostBasePath can not be located under the socketPath directory" }} {{- fail "The sockets.hostBasePath can not be located under the socketPath direcotry" }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- define "spire-agent.yaml-config" -}} {{- define "spire-agent.yaml-config" -}}
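Review bot: the `hasPrefix` guard at the end of this hunk is a string-prefix test, not a path-containment test, so `sockets.hostBasePath: /run/spire/agent-sockets-admin` is rejected because it starts with the `socketPath` directory `/run/spire/agent-sockets` even though it is a sibling, while an equal path is rejected too although the message says "under"; compare against `printf "%s/" (.Values.socketPath | dir | clean)` for the "under" case and handle equality explicitly if that should also fail. The new `keyManager.disk.enabled`/`persistence.type` check is fine on its own, but it is duplicated verbatim in the DaemonSet template in this diff; keep it in one place.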
@ -41,13 +38,13 @@ agent:
server_address: {{ include "spire-agent.server-address" . | trim | quote }} server_address: {{ include "spire-agent.server-address" . | trim | quote }}
server_port: {{ .Values.server.port | quote }} server_port: {{ .Values.server.port | quote }}
socket_path: /tmp/spire-agent/public/{{ include "spire-agent.socket-path" . | base }} socket_path: /tmp/spire-agent/public/{{ include "spire-agent.socket-path" . | base }}
trust_bundle_format: {{ .Values.trustBundleFormat | quote }}
{{- if ne (len .Values.trustBundleURL) 0 }} {{- if ne (len .Values.trustBundleURL) 0 }}
trust_bundle_url: {{ .Values.trustBundleURL | quote }} trust_bundle_url: {{ .Values.trustBundleURL | quote }}
trust_bundle_format: {{ .Values.trustBundleFormat | quote }}
{{- else if ne (len .Values.trustBundleHostPath) 0 }} {{- else if ne (len .Values.trustBundleHostPath) 0 }}
trust_bundle_path: {{ .Values.trustBundleHostPath | quote }} trust_bundle_path: {{ .Values.trustBundleHostPath | quote }}
{{- else }} {{- else }}
trust_bundle_path: {{ printf "/run/spire/bundle/bundle.%s" (include "spire-lib.trust-bundle-ext" (dict "trustBundleFormat" .Values.trustBundleFormat)) | quote }} trust_bundle_path: "/run/spire/bundle/bundle.crt"
{{- end }} {{- end }}
trust_domain: {{ include "spire-lib.trust-domain" . | quote }} trust_domain: {{ include "spire-lib.trust-domain" . | quote }}
{{- with .Values.availabilityTarget }} {{- with .Values.availabilityTarget }}
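Review bot: with `trust_bundle_format` now emitted for every source, the ConfigMap path becomes `/run/spire/bundle/bundle.spiffe` or `bundle.crt` depending on `trustBundleFormat`, so the agent only starts if whatever populates `bundleConfigMap` (the server-side publisher, not in this hunk) writes the key with the same extension; the two sides of this diff differ in both the default format and the file name, so an agent rendered from one side pointed at a ConfigMap produced by the other fails to load its initial bundle. Please add a cross-check (or a values-level assertion shared with the server chart) and an upgrade note.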
@ -107,13 +104,6 @@ plugins:
{{- $nodeAttestorUsed = add1 $nodeAttestorUsed }} {{- $nodeAttestorUsed = add1 $nodeAttestorUsed }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- with .Values.nodeAttestor.awsIID }}
{{- if eq (.enabled | toString) "true" }}
aws_iid:
plugin_data: {}
{{- $nodeAttestorUsed = add1 $nodeAttestorUsed }}
{{- end }}
{{- end }}
{{- if ne $nodeAttestorUsed 1 }} {{- if ne $nodeAttestorUsed 1 }}
{{- fail (printf "You have to enable exactly one Node Attestor. There are %d enabled." $nodeAttestorUsed) }} {{- fail (printf "You have to enable exactly one Node Attestor. There are %d enabled." $nodeAttestorUsed) }}
{{- end }} {{- end }}
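Review bot: `aws_iid` is wired with a hard-coded `plugin_data: {}`, so unlike the other attestors in this block there is no values passthrough for plugin options; acceptable for a first cut, but the README row should say the plugin runs with its defaults only. The exactly-one-attestor check below does cover it, which is the part that matters.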
@ -124,12 +114,6 @@ plugins:
plugin_data: plugin_data:
{{- $keyManagerUsed = add1 $keyManagerUsed }} {{- $keyManagerUsed = add1 $keyManagerUsed }}
{{- end }} {{- end }}
{{- if .Values.keyManager.disk.enabled }}
disk:
plugin_data:
directory: {{ .Values.persistence.hostPath }}
{{- $keyManagerUsed = add1 $keyManagerUsed }}
{{- end }}
{{- if ne $keyManagerUsed 1 }} {{- if ne $keyManagerUsed 1 }}
{{- fail (printf "You have to enable exactly one Key Manager. There are %d enabled." $keyManagerUsed) }} {{- fail (printf "You have to enable exactly one Key Manager. There are %d enabled." $keyManagerUsed) }}
{{- end }} {{- end }}
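Review bot: `directory: {{ .Values.persistence.hostPath }}` is emitted unquoted, so a path containing a colon, `#` or other YAML-significant characters breaks the rendered config; use `| quote` like the surrounding values. More importantly, this is the node-level host path, so the agent's private keys are written to the host filesystem where anything with host access can read them; document that trade-off next to `keyManager.disk.enabled`, and consider a dedicated subdirectory with restricted ownership rather than the persistence root.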
@ -170,13 +154,6 @@ telemetry:
- host: "0.0.0.0" - host: "0.0.0.0"
port: {{ .Values.telemetry.prometheus.port }} port: {{ .Values.telemetry.prometheus.port }}
{{- end }} {{- end }}
{{- if .Values.telemetry.datadog.enabled }}
telemetry:
- DogStatsd:
- address: "{{ .Values.telemetry.datadog.address }}:{{ .Values.telemetry.datadog.port }}"
{{- end }}
{{- end }} {{- end }}
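Review bot: this block emits its own top-level `telemetry:` key, and the hunk context shows the Prometheus `- host`/`port` entries already live under a `telemetry:` block above, so enabling both `telemetry.prometheus.enabled` and `telemetry.datadog.enabled` renders `telemetry` twice, which a YAML parser either rejects or resolves last-wins; render both sinks under a single `telemetry:` block. The shapes also differ (the Prometheus entries are items under a key, while `DogStatsd` is itself a list item, `- DogStatsd:`); pick the one form that matches SPIRE's telemetry config and use it for both.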
{{- $root := . }} {{- $root := . }}
{{- range $name := (concat (list "default") (keys .Values.agents)) | uniq }} {{- range $name := (concat (list "default") (keys .Values.agents)) | uniq }}

View File

@ -9,9 +9,6 @@
{{- if hasKey .Values.sds "disableSpiffeCertValidation" }} {{- if hasKey .Values.sds "disableSpiffeCertValidation" }}
{{- fail "disableSpiffeCertValidation was renamed to disableSPIFFECertValidation. Please update your config." }} {{- fail "disableSpiffeCertValidation was renamed to disableSPIFFECertValidation. Please update your config." }}
{{- end }} {{- end }}
{{- if and .Values.keyManager.disk.enabled (ne .Values.persistence.type "hostPath") }}
{{- fail "keyManager.disk.enabled is true but persistence.type is not hostPath. Ensure persistence.type is hostPath when keyManager.disk.enabled is true." }}
{{- end }}
{{- range $name := (concat (list "default") (keys .Values.agents)) | uniq }} {{- range $name := (concat (list "default") (keys .Values.agents)) | uniq }}
{{- with (dict "Release" $root.Release "Chart" $root.Chart "Values" (deepCopy $root.Values)) }} {{- with (dict "Release" $root.Release "Chart" $root.Chart "Values" (deepCopy $root.Values)) }}
{{- $nameSuffix := "" }} {{- $nameSuffix := "" }}
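Review bot: the `keyManager.disk.enabled`/`persistence.type` `fail` here repeats, character for character, the check added to the agent `_helpers.tpl` in this diff; validation in two places drifts, so keep the helper copy (it runs for every renderer) and drop this one.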
@ -259,11 +256,6 @@ spec:
- name: spire-config - name: spire-config
mountPath: /opt/spire/conf/agent mountPath: /opt/spire/conf/agent
readOnly: true readOnly: true
{{- if .Values.keyManager.disk.enabled }}
- name: spire-key-manager
mountPath: {{ .Values.persistence.hostPath }}
readOnly: false
{{- end }}
- name: spire-agent-persistence - name: spire-agent-persistence
mountPath: /var/lib/spire mountPath: /var/lib/spire
{{- if .Values.sockets.admin.enabled }} {{- if .Values.sockets.admin.enabled }}
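Review bot: `spire-key-manager` is mounted read-write at `.Values.persistence.hostPath` while `spire-agent-persistence` is mounted at `/var/lib/spire`; since the guard requires `persistence.type: hostPath`, please confirm whether both volumes end up backed by the same host directory. If they do, the key manager should write to a subdirectory so private keys are not interleaved with SVID and bundle state in one tree, and the same host path is not exposed twice in the container.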
@ -332,12 +324,6 @@ spec:
- name: spire-config - name: spire-config
configMap: configMap:
name: {{ include "spire-agent.fullname" . }} name: {{ include "spire-agent.fullname" . }}
{{- if .Values.keyManager.disk.enabled }}
- name: spire-key-manager
hostPath:
path: {{ .Values.persistence.hostPath }}
type: DirectoryOrCreate
{{- end }}
{{- if .Values.sockets.admin.mountOnHost }} {{- if .Values.sockets.admin.mountOnHost }}
- name: spire-agent-admin-socket-dir - name: spire-agent-admin-socket-dir
hostPath: hostPath:
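Review bot: `type: DirectoryOrCreate` creates a missing directory as 0755 owned by the kubelet's user, and the disk key manager then writes the agent's private key beneath it; either pre-create the directory with a restrictive mode during node provisioning and use `type: Directory` so a misprovisioned node fails loudly, or document the resulting on-host permissions next to `keyManager.disk.enabled`.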

View File

@ -94,7 +94,7 @@ trustDomain: example.org
## @param trustBundleURL If set, obtain trust bundle from url instead of Kubernetes ConfigMap ## @param trustBundleURL If set, obtain trust bundle from url instead of Kubernetes ConfigMap
trustBundleURL: "" trustBundleURL: ""
## @param trustBundleFormat If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" ## @param trustBundleFormat If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe"
trustBundleFormat: spiffe trustBundleFormat: pem
## @param trustBundleHostPath If set, obtain trust bundle from a file on the host instead of from the ConfigMap ## @param trustBundleHostPath If set, obtain trust bundle from a file on the host instead of from the ConfigMap
trustBundleHostPath: "" trustBundleHostPath: ""
## @param bundleConfigMap Configmap name for Spire bundle ## @param bundleConfigMap Configmap name for Spire bundle
@ -153,7 +153,7 @@ fsGroupFix:
registry: cgr.dev registry: cgr.dev
repository: chainguard/bash repository: chainguard/bash
pullPolicy: Always pullPolicy: Always
tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679 tag: latest@sha256:ce272ee5a3739a3c45784c317b2fb1e93a4cc4ea1f4d3feabb702b278e5bf514
## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources: {} resources: {}
@ -162,9 +162,6 @@ keyManager:
memory: memory:
## @param keyManager.memory.enabled Enable the memory based Key Manager ## @param keyManager.memory.enabled Enable the memory based Key Manager
enabled: true enabled: true
disk:
## @param keyManager.disk.enabled Enable the disk based Key Manager (must have persistence.type set to hostPath when enabled)
enabled: false
nodeAttestor: nodeAttestor:
k8sPSAT: k8sPSAT:
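Review bot: the `@param keyManager.disk.enabled` comment says `persistence.type` must be `hostPath` but not that `keyManager.memory.enabled` (default `true`, a few lines up) must be switched off at the same time; the template fails unless exactly one key manager is enabled, so either say so here or replace the two booleans with a single `keyManager.type` enum so the invalid combination cannot be expressed.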
@ -189,12 +186,12 @@ nodeAttestor:
## @param nodeAttestor.tpmDirect.plugin.image.tag Overrides the image tag ## @param nodeAttestor.tpmDirect.plugin.image.tag Overrides the image tag
## ##
image: image:
registry: ghcr.io registry: docker.io
repository: spiffe/spire-tpm-plugin-tpm-attestor-agent repository: boxboat/spire-tpm-plugin-tpm-attestor-agent
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: "v1.9.0" tag: "v1.8.7"
## @param nodeAttestor.tpmDirect.plugin.checksum The sha256 checksum of the plugin binary ## @param nodeAttestor.tpmDirect.plugin.checksum The sha256 checksum of the plugin binary
checksum: 22f67063f1699330e70cdedc9b923e517688f5ae71085a26bd9b83b3060ee86e checksum: 1d7c73ccac948ee86cbd78ddde2d30128a1838b403f7bb2100d38d916a252244
## @param nodeAttestor.tpmDirect.plugin.path The filename in the container of the plugin ## @param nodeAttestor.tpmDirect.plugin.path The filename in the container of the plugin
path: /app/tpm_attestor_agent path: /app/tpm_attestor_agent
pubHash: pubHash:
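Review bot: `tag: "v1.9.0"` is a mutable tag with no digest, unlike the `latest@sha256:...` pins used for the chainguard images in this file; the `checksum` below verifies the extracted plugin binary, which covers what runs inside the agent, but the image itself is not pinned, so add an `@sha256:` digest alongside the checksum. The move from `docker.io/boxboat/...` to `ghcr.io/spiffe/...` changes who publishes the plugin and should be explained in the changelog.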
@ -206,13 +203,10 @@ nodeAttestor:
## @param nodeAttestor.tpmDirect.pubHash.image.tag Overrides the image tag ## @param nodeAttestor.tpmDirect.pubHash.image.tag Overrides the image tag
## ##
image: image:
registry: ghcr.io registry: docker.io
repository: spiffe/spire-tpm-plugin-get-tpm-pubhash repository: boxboat/spire-tpm-plugin-get-tpm-pubhash
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: "v1.9.0" tag: "v1.8.7"
awsIID:
## @param nodeAttestor.awsIID.enabled Enable the aws_iid Node Attestor
enabled: false
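Review bot: unlike the attestor plugin image above, the `pubHash` image has neither a digest pin nor a checksum, yet it is what produces the TPM public-key hash operators read from the logs and copy into server-side attestation policy; pin it by digest (the `tag: "v1.9.0"` here is mutable), otherwise the logged value is only as trustworthy as the registry at pull time. `awsIID.enabled: false` is a sensible default.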
# workloadAttestors determine a workload's properties and then generate a set of selectors associated with it. # workloadAttestors determine a workload's properties and then generate a set of selectors associated with it.
workloadAttestors: workloadAttestors:
@ -263,13 +257,6 @@ telemetry:
namespace: "" namespace: ""
## @param telemetry.prometheus.podMonitor.labels [object] Pod labels to filter for prometheus monitoring ## @param telemetry.prometheus.podMonitor.labels [object] Pod labels to filter for prometheus monitoring
labels: {} labels: {}
datadog:
## @param telemetry.datadog.enabled Flag to enable datadog monitoring
enabled: false
## @param telemetry.datadog.address The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc`
address: "datadog.kube-system.svc"
## @param telemetry.datadog.port The port of the datadog service to send metrics to
port: 8125
## @param kubeletConnectByHostname If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise. ## @param kubeletConnectByHostname If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise.
kubeletConnectByHostname: "" kubeletConnectByHostname: ""
@ -293,7 +280,7 @@ socketAlternate:
registry: cgr.dev registry: cgr.dev
repository: chainguard/bash repository: chainguard/bash
pullPolicy: Always pullPolicy: Always
tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679 tag: latest@sha256:ce272ee5a3739a3c45784c317b2fb1e93a4cc4ea1f4d3feabb702b278e5bf514
## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources: {} resources: {}
@ -308,7 +295,7 @@ hostCert:
registry: cgr.dev registry: cgr.dev
repository: chainguard/min-toolkit-debug repository: chainguard/min-toolkit-debug
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53 tag: latest@sha256:2f8ac6547029ed217bb40167bf39883b4bc606b3b747ecaf710fab9779ef786f
## @param hostCert.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## @param hostCert.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources: {} resources: {}
@ -383,8 +370,8 @@ tools:
## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion ## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion
## ##
image: image:
registry: registry.k8s.io registry: docker.io
repository: kubectl repository: rancher/kubectl
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: "" tag: ""

View File

@ -53,7 +53,7 @@
{{- $repo := .image.repository }} {{- $repo := .image.repository }}
{{- $tag := .image.tag | toString }} {{- $tag := .image.tag | toString }}
{{- if eq (substr 0 7 $tag) "sha256:" }} {{- if eq (substr 0 7 $tag) "sha256:" }}
{{- printf "%s%s@%s" $registry $repo $tag | quote }} {{- printf "%s/%s@%s" $registry $repo $tag | quote }}
{{- else if .appVersion }} {{- else if .appVersion }}
{{- $appVersion := .appVersion }} {{- $appVersion := .appVersion }}
{{- if and (hasKey . "ubi") (dig "openshift" false .global) }} {{- if and (hasKey . "ubi") (dig "openshift" false .global) }}
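Review bot: the only difference in this hunk is the separator in the digest-only branch, `%s%s@%s` vs `%s/%s@%s`, and whether `$registry` already carries a trailing slash is decided above this hunk (not shown); please verify the rendered reference for a `sha256:`-prefixed tag on each side, because one of them yields either `cgr.devchainguard/bash@sha256:...` or `cgr.dev//chainguard/bash@sha256:...`, and a `helm template` unit test on this helper would catch it. Note also that `substr 0 7 $tag` only matches tags that start with `sha256:`, so the `latest@sha256:...` form used throughout values.yaml takes the `else` path; a comment saying the two formats are handled by different branches would save the next reader a detour.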
@ -336,11 +336,3 @@ Anything lower has an incompatible API.
{{- fail "Unsupported autoscaling API version" }} {{- fail "Unsupported autoscaling API version" }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- define "spire-lib.trust-bundle-ext" -}}
{{- if eq .trustBundleFormat "spiffe" }}
{{- print "spiffe" }}
{{- else }}
{{- print "crt" }}
{{- end }}
{{- end }}
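Review bot: `spire-lib.trust-bundle-ext` maps `spiffe` to `spiffe` and anything else to `crt`, so a typo such as `trustBundleFormat: spifee` silently selects the PEM file name while `trust_bundle_format` is still emitted verbatim to the agent, which then rejects the unknown format at startup with a less obvious error; `fail` here on any value other than `pem` or `spiffe`, the two the values comment allows.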

View File

@ -3,7 +3,7 @@ name: spire-server
description: A Helm chart to install the SPIRE server. description: A Helm chart to install the SPIRE server.
type: application type: application
version: 0.1.0 version: 0.1.0
appVersion: "1.12.4" appVersion: "1.12.0"
keywords: ["spiffe", "spire-server", "spire-controller-manager"] keywords: ["spiffe", "spire-server", "spire-controller-manager"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources: sources:

View File

@ -131,8 +131,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `dataStore.sql.port` | If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. | `0` | | `dataStore.sql.port` | If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. | `0` |
| `dataStore.sql.username` | Only used when type != "sqlite3" | `spire` | | `dataStore.sql.username` | Only used when type != "sqlite3" | `spire` |
| `dataStore.sql.password` | Only used when type != "sqlite3" | `""` | | `dataStore.sql.password` | Only used when type != "sqlite3" | `""` |
| `dataStore.sql.file` | Data source file. Only used when type == "sqlite3" | `/run/spire/data/datastore.sqlite3` | | `dataStore.sql.options` | Only used when type != "sqlite3" | `[]` |
| `dataStore.sql.options` | takes an array of objects of form {<key>: <value>} to use when building the database connection string | `[]` |
| `dataStore.sql.rootCAPath` | Path to Root CA bundle (MySQL only) | `""` | | `dataStore.sql.rootCAPath` | Path to Root CA bundle (MySQL only) | `""` |
| `dataStore.sql.clientCertPath` | Path to client certificate (MySQL only) | `""` | | `dataStore.sql.clientCertPath` | Path to client certificate (MySQL only) | `""` |
| `dataStore.sql.clientKeyPath` | Path to private key for client certificate (MySQL only) | `""` | | `dataStore.sql.clientKeyPath` | Path to private key for client certificate (MySQL only) | `""` |
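Review bot: the expanded `dataStore.sql.options` description says the entries are used when building the connection string, but not that this is where connection-security parameters (the driver's TLS mode) belong for postgres and mysql; since `rootCAPath` and the client certificate rows below are MySQL-only, say explicitly how a postgres deployment is expected to require TLS, otherwise the driver default decides.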
@ -159,7 +158,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `jwtIssuer` | The JWT issuer domain. Defaults to oidc-discovery.$trustDomain if unset | `""` | | `jwtIssuer` | The JWT issuer domain. Defaults to oidc-discovery.$trustDomain if unset | `""` |
| `clusterName` | Set the name of the Kubernetes cluster. (`kubeadm init --service-dns-domain`) | `example-cluster` | | `clusterName` | Set the name of the Kubernetes cluster. (`kubeadm init --service-dns-domain`) | `example-cluster` |
| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` | | `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` |
| `bundleConfigMap` | Set the Configmap name for SPIRE bundle | `spire-bundle` | | `bundleConfigMap` | Set the trust domain to be used for the SPIFFE identifiers | `spire-bundle` |
| `clusterDomain` | This is the value of your clusters `kubeadm init --service-dns-domain` flag | `cluster.local` | | `clusterDomain` | This is the value of your clusters `kubeadm init --service-dns-domain` flag | `cluster.local` |
| `federation.enabled` | Flag to enable federation | `false` | | `federation.enabled` | Flag to enable federation | `false` |
| `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` | | `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` |
@ -189,14 +188,6 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `caSubject.country` | Country for Spire server CA | `ARPA` | | `caSubject.country` | Country for Spire server CA | `ARPA` |
| `caSubject.organization` | Organization for Spire server CA | `Example` | | `caSubject.organization` | Organization for Spire server CA | `Example` |
| `caSubject.commonName` | Common Name for Spire server CA | `example.org` | | `caSubject.commonName` | Common Name for Spire server CA | `example.org` |
| `credentialComposer.cel.enabled` | Enable the cel based credential composer | `false` |
| `credentialComposer.cel.image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `credentialComposer.cel.image.repository` | The repository within the registry | `spiffe/spire-credentialcomposer-cel` |
| `credentialComposer.cel.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `credentialComposer.cel.image.tag` | Overrides the image tag | `0.0.2` |
| `credentialComposer.cel.checksum` | The sha256 checksum of the plugin binary | `23fa1d10f15ad5d5c555930cf82289c664801d7d5609bfd8847f95a0a667e4e4` |
| `credentialComposer.cel.pluginPath` | The filename in the container of the plugin | `/ko-app/cmd` |
| `credentialComposer.cel.jwt.expression` | The expression to use for jwt token composing | `""` |
| `credentialComposer.uniqueID.enabled` | Add the x509UniqueIdentifier attribute to workload X509-SVIDs | `false` | | `credentialComposer.uniqueID.enabled` | Add the x509UniqueIdentifier attribute to workload X509-SVIDs | `false` |
| `keyManager.disk.enabled` | Flag to enable keyManager on disk | `true` | | `keyManager.disk.enabled` | Flag to enable keyManager on disk | `true` |
| `keyManager.memory.enabled` | Flag to enable keyManager in memory | `false` | | `keyManager.memory.enabled` | Flag to enable keyManager in memory | `false` |
@ -256,17 +247,16 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `upstreamAuthority.vault.k8sAuth.k8sAuthRoleName` | Required - Name of the Vault role. The plugin authenticates against the named role | `""` | | `upstreamAuthority.vault.k8sAuth.k8sAuthRoleName` | Required - Name of the Vault role. The plugin authenticates against the named role | `""` |
| `upstreamAuthority.vault.k8sAuth.token.audience` | Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server. See ['Service Account Documentation'](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for more info. | `vault` | | `upstreamAuthority.vault.k8sAuth.token.audience` | Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server. See ['Service Account Documentation'](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for more info. | `vault` |
| `upstreamAuthority.vault.k8sAuth.token.expiry` | Expiry time in seconds for the token | `7200` | | `upstreamAuthority.vault.k8sAuth.token.expiry` | Expiry time in seconds for the token | `7200` |
| `notifier.k8sBundle.enabled` | Enable local k8s bundle uploader | `false` | | `notifier.k8sBundle.enabled` | Enable local k8s bundle uploader | `true` |
| `notifier.k8sBundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` | | `notifier.k8sBundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` |
| `notifier.k8sBundle.apiServiceLabel` | If set, rotate the CA Bundle in API services with this label set to true. | `""` | | `notifier.k8sBundle.apiServiceLabel` | If set, rotate the CA Bundle in API services with this label set to true. | `""` |
| `notifier.k8sBundle.webhookLabel` | If set, rotate the CA Bundle in validating and mutating webhooks with this label set to true. | `""` | | `notifier.k8sBundle.webhookLabel` | If set, rotate the CA Bundle in validating and mutating webhooks with this label set to true. | `""` |
| `notifier.externalK8sBundle.enabled` | Enable external k8s bundle uploader | `false` | | `notifier.externalK8sBundle.enabled` | Enable external k8s bundle uploader | `true` |
| `notifier.externalK8sBundle.defaults.namespace` | Namespace to push the bundle into on clusters | `spire-system` | | `notifier.externalK8sBundle.defaults.namespace` | Namespace to push the bundle into on clusters | `spire-system` |
| `notifier.externalK8sBundle.defaults.configMap` | ConfigMap name to push the bundle into on external clusters | `spire-bundle-upstream` | | `notifier.externalK8sBundle.defaults.configMap` | ConfigMap name to push the bundle into on external clusters | `spire-bundle-upstream` |
| `notifier.externalK8sBundle.defaults.configMapKey` | ConfigMap key to push the bundle into on external clusters | `bundle.crt` | | `notifier.externalK8sBundle.defaults.configMapKey` | ConfigMap key to push the bundle into on external clusters | `bundle.crt` |
| `notifier.externalK8sBundle.clusters` | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. | `{}` | | `notifier.externalK8sBundle.clusters` | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. | `{}` |
| `controllerManager.enabled` | Flag to enable controller manager | `false` | | `controllerManager.enabled` | Flag to enable controller manager | `false` |
| `controllerManager.staticManifestMode` | Flag to configure static mode. Valid options off, internal, and external. If internal, the identities config options will be rendered to an included configmap | `off` |
| `controllerManager.className` | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. | `""` | | `controllerManager.className` | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. | `""` |
| `controllerManager.watchClassless` | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. | `false` | | `controllerManager.watchClassless` | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. | `false` |
| `controllerManager.entryIDPrefixCleanup` | Sets which entry prefixes to remove for migrations. Consult the spiffe.io docs about this option before changing. Its unlikely you will need to ever change it. | `false` | | `controllerManager.entryIDPrefixCleanup` | Sets which entry prefixes to remove for migrations. Consult the spiffe.io docs about this option before changing. Its unlikely you will need to ever change it. | `false` |
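Review bot: `notifier.k8sBundle.enabled` and `notifier.externalK8sBundle.enabled` flip their defaults from `false` to `true` in this hunk and the change is not called out anywhere. With `notifier.externalK8sBundle.clusters` left empty, the row below says all clusters defined in `kubeConfigs` are used, so a default install now pushes the trust bundle into the `spire-bundle-upstream` ConfigMap of every cluster that has a kubeconfig configured. If that is intended, say so in the README and release notes; if the external uploader should stay opt-in, keep `notifier.externalK8sBundle.enabled` at `false`. The removal of the `controllerManager.staticManifestMode` row in the same hunk matches the controller-manager deployment template changes further down in this compare.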
@ -278,7 +268,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `controllerManager.image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `controllerManager.image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `controllerManager.image.repository` | The repository within the registry | `spiffe/spire-controller-manager` | | `controllerManager.image.repository` | The repository within the registry | `spiffe/spire-controller-manager` |
| `controllerManager.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `controllerManager.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.6.2` | | `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.6.0` |
| `controllerManager.resources` | Resource requests and limits for controller manager | `{}` | | `controllerManager.resources` | Resource requests and limits for controller manager | `{}` |
| `controllerManager.securityContext` | Security context | `{}` | | `controllerManager.securityContext` | Security context | `{}` |
| `controllerManager.service.type` | Service type for controller manager | `ClusterIP` | | `controllerManager.service.type` | Service type for controller manager | `ClusterIP` |
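Review bot: the pinned `controllerManager.image.tag` moves from `0.6.2` to `0.6.0`, a downgrade, while the description still claims the default is the chart appVersion. Confirm the older controller-manager is deliberate (for example if this side of the compare is a release branch lagging main), and since the value is a hardcoded tag rather than derived from appVersion, fix the description so readers do not expect it to track the chart version.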
@ -311,15 +301,6 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.dnsNameTemplates` | DNS name template for issued identities | `[]` | | `controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.dnsNameTemplates` | DNS name template for issued identities | `[]` |
| `controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled` | Enable this identity for controller manager | `true` | | `controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled` | Enable this identity for controller manager | `true` |
| `controllerManager.identities.clusterSPIFFEIDs.test-keys.type` | The type of rule this is. | `test-keys` | | `controllerManager.identities.clusterSPIFFEIDs.test-keys.type` | The type of rule this is. | `test-keys` |
| `controllerManager.identities.clusterSPIFFEIDs.spike-keeper.enabled` | Enable this identity for controller manager | `true` |
| `controllerManager.identities.clusterSPIFFEIDs.spike-keeper.type` | The type of rule this is. | `spike-keeper` |
| `controllerManager.identities.clusterSPIFFEIDs.spike-keeper.spiffeIDTemplate` | The template to use for this rule. | `spiffe://{{ .TrustDomain }}/spike/keeper` |
| `controllerManager.identities.clusterSPIFFEIDs.spike-nexus.enabled` | Enable this identity for controller manager | `true` |
| `controllerManager.identities.clusterSPIFFEIDs.spike-nexus.type` | The type of rule this is. | `spike-nexus` |
| `controllerManager.identities.clusterSPIFFEIDs.spike-nexus.spiffeIDTemplate` | The template to use for this rule. | `spiffe://{{ .TrustDomain }}/spike/nexus` |
| `controllerManager.identities.clusterSPIFFEIDs.spike-pilot.enabled` | Enable this identity for controller manager | `true` |
| `controllerManager.identities.clusterSPIFFEIDs.spike-pilot.type` | The type of rule this is. | `spike-pilot` |
| `controllerManager.identities.clusterSPIFFEIDs.spike-pilot.spiffeIDTemplate` | The template to use for this rule. | `spiffe://{{ .TrustDomain }}/spike/pilot/role/superuser` |
| `controllerManager.identities.clusterStaticEntries` | Specify ClusterStaticEntry objects. | `{}` | | `controllerManager.identities.clusterStaticEntries` | Specify ClusterStaticEntry objects. | `{}` |
| `controllerManager.identities.clusterFederatedTrustDomains` | Specify ClusterFederatedTrustDomain objects. | `{}` | | `controllerManager.identities.clusterFederatedTrustDomains` | Specify ClusterFederatedTrustDomain objects. | `{}` |
| `controllerManager.validatingWebhookConfiguration.enabled` | Disable only when you have another chart instance on the k8s cluster with webhooks enabled. | `true` | | `controllerManager.validatingWebhookConfiguration.enabled` | Disable only when you have another chart instance on the k8s cluster with webhooks enabled. | `true` |
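Review bot: the three `spike-*` ClusterSPIFFEIDs removed here all default to `enabled: true`, and one of them issues `spiffe://{{ .TrustDomain }}/spike/pilot/role/superuser`. The controller manager reconciles registration entries against the ClusterSPIFFEID objects, so any workload that relied on these default-on identities loses its SVID when this side of the chart is applied; note that in the upgrade notes. On the side that still ships them, a `role/superuser` identity enabled by default deserves at least a documented selector, since the table does not show which pods match it.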
@ -341,21 +322,14 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `externalControllerManagers.defaults.ignoreNamespaces` | These namespaces are ignored by controller manager | `[]` | | `externalControllerManagers.defaults.ignoreNamespaces` | These namespaces are ignored by controller manager | `[]` |
| `externalControllerManagers.defaults.cacheNamespaces` | If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces. | `{}` | | `externalControllerManagers.defaults.cacheNamespaces` | If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces. | `{}` |
| `externalControllerManagers.clusters` | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. | `{}` | | `externalControllerManagers.clusters` | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. | `{}` |
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` | | `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` |
| `tools.kubectl.image.repository` | The repository within the registry | `kubectl` | | `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` |
| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | | `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
| `tools.busybox.image.registry` | The OCI registry to pull the image from | `""` |
| `tools.busybox.image.repository` | The repository within the registry | `busybox` |
| `tools.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tools.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.37.0-uclibc` |
| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | | `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` |
| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | | `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` |
| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | | `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` |
| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | | `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` |
| `telemetry.datadog.enabled` | Flag to enable datadog monitoring | `false` |
| `telemetry.datadog.address` | The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc` | `datadog.kube-system.svc` |
| `telemetry.datadog.port` | The port of the datadog service to send metrics to | `8125` |
| `ingress.enabled` | Flag to enable ingress | `false` | | `ingress.enabled` | Flag to enable ingress | `false` |
| `ingress.className` | Ingress class name | `""` | | `ingress.className` | Ingress class name | `""` |
| `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` | | `ingress.controllerType` | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""` |
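Review bot: the kubectl helper image moves from `registry.k8s.io/kubectl` to `docker.io/rancher/kubectl` with `tools.kubectl.image.tag` left at `""`, so the chart now pulls a third-party repackaging of kubectl from Docker Hub with no digest pin, unlike `chown.image.tag` and `tests.bash.image.tag` which carry `@sha256:` digests elsewhere in this table. If the upstream image cannot be used, pin the tag to a specific version plus digest so the jobs that run kubectl are reproducible. The `tools.busybox.*` and `telemetry.datadog.*` rows dropped in the same hunk need their template references removed too: a template that still reads `.Values.tools.busybox.image.registry` or `.Values.telemetry.datadog.enabled` fails to render with a nil-pointer error once those keys are gone from `values.yaml`.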
@ -371,7 +345,6 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `initContainers` | Additional init containers to create | `[]` | | `initContainers` | Additional init containers to create | `[]` |
| `caKeyType` | The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. EC cryptography is not supported) | `rsa-2048` | | `caKeyType` | The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. EC cryptography is not supported) | `rsa-2048` |
| `caTTL` | TTL for CA | `24h` | | `caTTL` | TTL for CA | `24h` |
| `agentTTL` | The TTL to use for agent SVIDs. If unset, the defaultX509SvidTTL will be used. | `""` |
| `defaultX509SvidTTL` | TTL for X509 Svids | `4h` | | `defaultX509SvidTTL` | TTL for X509 Svids | `4h` |
| `defaultJwtSvidTTL` | TTL for JWT Svids | `1h` | | `defaultJwtSvidTTL` | TTL for JWT Svids | `1h` |
| `nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s nodeattestor | `true` | | `nodeAttestor.k8sPSAT.enabled` | Enable PSAT k8s nodeattestor | `true` |
@ -392,25 +365,14 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `nodeAttestor.httpChallenge.allowNonRootPorts` | Allow using ports >= 1024 from clients for attestation | `true` | | `nodeAttestor.httpChallenge.allowNonRootPorts` | Allow using ports >= 1024 from clients for attestation | `true` |
| `nodeAttestor.httpChallenge.tofu` | Trust on first use of the successful challenge. Can only be disabled if allowNonRootPorts=false or requiredPort < 1024 | `true` | | `nodeAttestor.httpChallenge.tofu` | Trust on first use of the successful challenge. Can only be disabled if allowNonRootPorts=false or requiredPort < 1024 | `true` |
| `nodeAttestor.tpmDirect.enabled` | Enable the direct TPM node attestor, a 3rd party plugin by Boxboat. This plugin is experimental. | `false` | | `nodeAttestor.tpmDirect.enabled` | Enable the direct TPM node attestor, a 3rd party plugin by Boxboat. This plugin is experimental. | `false` |
| `nodeAttestor.tpmDirect.image.registry` | The OCI registry to pull the image from | `ghcr.io` | | `nodeAttestor.tpmDirect.image.registry` | The OCI registry to pull the image from | `docker.io` |
| `nodeAttestor.tpmDirect.image.repository` | The repository within the registry | `spiffe/spire-tpm-plugin-tpm-attestor-server` | | `nodeAttestor.tpmDirect.image.repository` | The repository within the registry | `boxboat/spire-tpm-plugin-tpm-attestor-server` |
| `nodeAttestor.tpmDirect.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `nodeAttestor.tpmDirect.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `nodeAttestor.tpmDirect.image.tag` | Overrides the image tag | `v1.9.0` | | `nodeAttestor.tpmDirect.image.tag` | Overrides the image tag | `v1.8.7` |
| `nodeAttestor.tpmDirect.checksum` | The sha256 checksum of the plugin binary | `46d0caad8c25a027dd11c93e18b58a8bc6fbd9f1fe2e36fa2a0dd440986de4dc` | | `nodeAttestor.tpmDirect.checksum` | The sha256 checksum of the plugin binary | `f39ef9cdd2b3dd74112bfe827b79d6721c59215d0d5f4c2e34fa09bbc60d36d2` |
| `nodeAttestor.tpmDirect.pluginPath` | The filename in the container of the plugin | `/app/tpm_attestor_server` | | `nodeAttestor.tpmDirect.pluginPath` | The filename in the container of the plugin | `/app/tpm_attestor_server` |
| `nodeAttestor.tpmDirect.cas` | A dictionary of TPM CA PEM or DER files that are allowed to connect. | `{}` | | `nodeAttestor.tpmDirect.cas` | A dictionary of TPM CA PEM or DER files that are allowed to connect. | `{}` |
| `nodeAttestor.tpmDirect.hashes` | A list of TPM hashes that are allowed to connect. | `[]` | | `nodeAttestor.tpmDirect.hashes` | A list of TPM hashes that are allowed to connect. | `[]` |
| `nodeAttestor.awsIID.enabled` | Enable the aws_iid node attestor | `false` |
| `nodeAttestor.awsIID.assumeRole` | AWS IAM Role NAME to use for the attestation | `""` |
| `bundlePublisher.k8sConfigMap.enabled` | Enable local k8s bundle uploader | `true` |
| `bundlePublisher.k8sConfigMap.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` |
| `bundlePublisher.k8sConfigMap.format` | Format of the trust bundle. Can be pem or spiffe | `spiffe` |
| `bundlePublisher.externalK8sConfigMap.enabled` | Enable external k8s bundle uploader | `true` |
| `bundlePublisher.externalK8sConfigMap.defaults.namespace` | Namespace to push the bundle into on clusters | `spire-system` |
| `bundlePublisher.externalK8sConfigMap.defaults.configMapName` | ConfigMap name to push the bundle into on external clusters | `spire-bundle-upstream` |
| `bundlePublisher.externalK8sConfigMap.defaults.configMapKey` | ConfigMap key to push the bundle into on external clusters | `""` |
| `bundlePublisher.externalK8sConfigMap.defaults.format` | Format of the trust bundle. Can be pem or spiffe | `spiffe` |
| `bundlePublisher.externalK8sConfigMap.clusters` | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used. | `{}` |
| `bundlePublisher.awsRolesAnywhereTrustAnchor.enabled` | Enable the AWS S3 bundle publisher | `false` | | `bundlePublisher.awsRolesAnywhereTrustAnchor.enabled` | Enable the AWS S3 bundle publisher | `false` |
| `bundlePublisher.awsRolesAnywhereTrustAnchor.region` | AWS region to store the trust bundle | `""` | | `bundlePublisher.awsRolesAnywhereTrustAnchor.region` | AWS region to store the trust bundle | `""` |
| `bundlePublisher.awsRolesAnywhereTrustAnchor.trustAnchorID` | AWS trust anchor ID to publish to | `""` | | `bundlePublisher.awsRolesAnywhereTrustAnchor.trustAnchorID` | AWS trust anchor ID to publish to | `""` |
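Review bot: `nodeAttestor.tpmDirect` moves from `ghcr.io/spiffe/spire-tpm-plugin-tpm-attestor-server:v1.9.0` to `docker.io/boxboat/spire-tpm-plugin-tpm-attestor-server:v1.8.7` with a new `checksum`. That sha256 is what SPIRE verifies the external plugin binary at `/app/tpm_attestor_server` against before loading it, so it must be the digest of the binary inside that exact image tag and not the one that shipped with `v1.9.0`. Please record how the new checksum was obtained (for example `sha256sum` on the binary extracted from the image) so the next bump can be verified the same way, and consider pinning the image by digest given the table itself marks the plugin as experimental third-party code. Unrelated but in the same hunk: the `bundlePublisher.awsRolesAnywhereTrustAnchor.enabled` row still reads "Enable the AWS S3 bundle publisher", which describes a different publisher.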
@ -434,7 +396,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `tornjak.image.repository` | The repository within the registry | `spiffe/tornjak-backend` | | `tornjak.image.repository` | The repository within the registry | `spiffe/tornjak-backend` |
| `tornjak.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tornjak.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tornjak.image.tag` | Overrides the image tag to be whatever you need it to be. It will always be the flag you set without modifications | `""` | | `tornjak.image.tag` | Overrides the image tag to be whatever you need it to be. It will always be the flag you set without modifications | `""` |
| `tornjak.image.defaultTag` | Sets the default image to use when image.tag is not set. It will automatically be updated with a ubi- prefix if on OpenShift. | `v2.1.0` | | `tornjak.image.defaultTag` | Sets the default image to use when image.tag is not set. It will automatically be updated with a ubi- prefix if on OpenShift. | `v1.6.0` |
| `tornjak.service.type` | Type of service resource | `ClusterIP` | | `tornjak.service.type` | Type of service resource | `ClusterIP` |
| `tornjak.service.ports.http` | Insecure port for tornjak service | `10000` | | `tornjak.service.ports.http` | Insecure port for tornjak service | `10000` |
| `tornjak.service.ports.https` | Secure port for tornjak service | `10443` | | `tornjak.service.ports.https` | Secure port for tornjak service | `10443` |
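Review bot: `tornjak.image.defaultTag` drops from `v2.1.0` to `v1.6.0` in this hunk, several releases back. If this is the release branch deliberately lagging main, fine, but a downgrade of the management backend should appear in the changelog; if it is not deliberate, it looks like a stale value that survived the merge.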
@ -472,10 +434,10 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` | | `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` |
| `customPlugins.upstreamAuthority` | Custom plugins of type upstreamAuthority are configured here | `{}` | | `customPlugins.upstreamAuthority` | Custom plugins of type upstreamAuthority are configured here | `{}` |
| `customPlugins.notifier` | Custom plugins of type notifier are configured here | `{}` | | `customPlugins.notifier` | Custom plugins of type notifier are configured here | `{}` |
| `chown.image.registry` | The OCI registry to pull the image from | `""` | | `chown.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
| `chown.image.repository` | The repository within the registry | `busybox` | | `chown.image.repository` | The repository within the registry | `chainguard/bash` |
| `chown.image.pullPolicy` | The image pull policy | `Always` | | `chown.image.pullPolicy` | The image pull policy | `Always` |
| `chown.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.37.0-uclibc` | | `chown.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:ce272ee5a3739a3c45784c317b2fb1e93a4cc4ea1f4d3feabb702b278e5bf514` |
| `chown.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | | `chown.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` |
| `experimental.enabled` | Allow configuration of experimental features | `false` | | `experimental.enabled` | Allow configuration of experimental features | `false` |
| `experimental.cacheReloadInterval` | The amount of time between two reloads of the in-memory entry cache. | `5s` | | `experimental.cacheReloadInterval` | The amount of time between two reloads of the in-memory entry cache. | `5s` |
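Review bot: pinning the `chown` init image by digest (`cgr.dev/chainguard/bash` with the `latest@sha256` form) is an improvement over the left side's `busybox` with an empty registry and a mutable `1.37.0-uclibc` tag, but `latest` plus digest is a poor human-readable label; prefer a versioned tag plus digest so the digest can be checked against a known release. The description "Overrides the image tag whose default is the chart appVersion" is wrong for this row on both sides, and `pullPolicy: Always` adds nothing once the digest is fixed.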
@ -488,5 +450,5 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` | | `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:ce272ee5a3739a3c45784c317b2fb1e93a4cc4ea1f4d3feabb702b278e5bf514` |
| `kubeConfigs` | Manage additional kubeconfig files to talk to external Kubernetes clusters | `{}` | | `kubeConfigs` | Manage additional kubeconfig files to talk to external Kubernetes clusters | `{}` |
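Review bot: `tests.bash.image.tag` changes to `latest@sha256:ce272ee5a3739a3c45784c317b2fb1e93a4cc4ea1f4d3feabb702b278e5bf514`, the same digest the `chown` image uses in this compare, so one image is now pinned in two places. Factor the digest into a single value or a YAML anchor so the next bump cannot leave one of the two rows stale.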

View File

@ -75,11 +75,7 @@
{{- end }} {{- end }}
env: env:
- name: ENABLE_WEBHOOKS - name: ENABLE_WEBHOOKS
{{- if eq .Values.controllerManager.staticManifestMode "off" }}
value: {{ .webhooksEnabled | toString | quote }} value: {{ .webhooksEnabled | toString | quote }}
{{- else }}
value: "false"
{{- end }}
{{- if gt (len $extraEnv) 0 }} {{- if gt (len $extraEnv) 0 }}
{{- $extraEnv | toYaml | nindent 4 }} {{- $extraEnv | toYaml | nindent 4 }}
{{- end }} {{- end }}
@ -95,7 +91,6 @@
- containerPort: {{ $promPort }} - containerPort: {{ $promPort }}
name: prom-cm{{ .suffix }} name: prom-cm{{ .suffix }}
{{- end }} {{- end }}
{{- if eq .Values.controllerManager.staticManifestMode "off" }}
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz
@ -104,17 +99,12 @@
httpGet: httpGet:
path: /readyz path: /readyz
port: healthz port: healthz
{{- end }}
resources: resources:
{{- toYaml .Values.controllerManager.resources | nindent 4 }} {{- toYaml .Values.controllerManager.resources | nindent 4 }}
volumeMounts: volumeMounts:
- name: spire-server-socket - name: spire-server-socket
mountPath: /tmp/spire-server/private mountPath: /tmp/spire-server/private
readOnly: true readOnly: true
{{- if ne .Values.controllerManager.staticManifestMode "off" }}
- name: controller-manager-static-config
mountPath: /manifests
{{- end }}
- name: controller-manager-config - name: controller-manager-config
mountPath: /controller-manager-config{{ .suffix }}.yaml mountPath: /controller-manager-config{{ .suffix }}.yaml
subPath: controller-manager-config{{ .suffix }}.yaml subPath: controller-manager-config{{ .suffix }}.yaml
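Review bot: dropping the `controller-manager-static-config` mount at `/manifests` and the `staticManifestMode` guards around `ENABLE_WEBHOOKS` and the probes is consistent with the README removing `controllerManager.staticManifestMode`, but the volume definition that backed the mount is not in this diff. If it still exists in the pod spec, the deployment carries a ConfigMap volume that is never mounted and, once the static-config ConfigMap is no longer rendered, will block pod start on the missing ConfigMap. Please confirm the volume and the rendered static-config ConfigMap are removed in the same change.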

View File

@ -65,45 +65,21 @@ Allow the release namespace to be overridden for multi-namespace deployments in
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "spire-server.bundle-namespace-bundlepublisher" -}}
{{- if .Values.bundlePublisher.k8sConfigMap.namespace }}
{{- .Values.bundlePublisher.k8sConfigMap.namespace }}
{{- else if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
{{- if ne (len (dig "spire" "namespaces" "system" "name" "" .Values.global)) 0 }}
{{- .Values.global.spire.namespaces.system.name }}
{{- else }}
{{- printf "spire-system" }}
{{- end }}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{- define "spire-server.bundle-namespace-notifier" -}}
{{- if .Values.notifier.k8sBundle.namespace }}
{{- .Values.notifier.k8sBundle.namespace }}
{{- else if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
{{- if ne (len (dig "spire" "namespaces" "system" "name" "" .Values.global)) 0 }}
{{- .Values.global.spire.namespaces.system.name }}
{{- else }}
{{- printf "spire-system" }}
{{- end }}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{- define "spire-server.bundle-namespace" -}} {{- define "spire-server.bundle-namespace" -}}
{{- if .Values.notifier.k8sBundle.namespace }} {{- if .Values.notifier.k8sBundle.namespace }}
{{- .Values.notifier.k8sBundle.namespace }} {{- .Values.notifier.k8sBundle.namespace }}
{{- else if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
{{- if ne (len (dig "spire" "namespaces" "system" "name" "" .Values.global)) 0 }}
{{- .Values.global.spire.namespaces.system.name }}
{{- else }} {{- else }}
{{- include "spire-server.bundle-namespace-bundlepublisher" . -}} {{- printf "spire-system" }}
{{- end }} {{- end }}
{{- end }} {{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{- define "spire-server.podMonitor.namespace" -}} {{- define "spire-server.podMonitor.namespace" -}}
{{- if ne (len .Values.telemetry.prometheus.podMonitor.namespace) 0 }} {{- if ne (len .Values.telemetry.prometheus.podMonitor.namespace) 0 }}
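Review bot: the fallback chain now inlined in `spire-server.bundle-namespace` (explicit `notifier.k8sBundle.namespace`, then `namespaceOverride`, then `global.spire.namespaces.system.name` or `spire-system` when the recommendations layout is on, then `.Release.Namespace`) no longer matches the README row for `notifier.k8sBundle.namespace`, which says "if blank will default to SPIRE Server namespace". With `global.spire.recommendations.enabled` the bundle lands in `spire-system` even when the server is released elsewhere, so update that row, or consumers of the bundle ConfigMap will look in the wrong namespace.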
@ -185,20 +161,6 @@ Create the name of the service account to use
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- define "spire-server.config-sqlite-query" }}
{{- $lst := list }}
{{- range . }}
{{- range $key, $value := . }}
{{- $eValue := toString $value }}
{{- $entry := printf "%s=%s" (urlquery $key) (urlquery $eValue) }}
{{- $lst = append $lst $entry }}
{{- end }}
{{- end }}
{{- if gt (len $lst) 0 }}
{{- printf "?%s" (join "&" (uniq $lst)) }}
{{- end }}
{{- end }}
{{- define "spire-server.config-mysql-query" }} {{- define "spire-server.config-mysql-query" }}
{{- $lst := list }} {{- $lst := list }}
{{- range . }} {{- range . }}
@ -232,8 +194,7 @@ Create the name of the service account to use
{{- $ropw := "" }} {{- $ropw := "" }}
{{- if eq .Values.dataStore.sql.databaseType "sqlite3" }} {{- if eq .Values.dataStore.sql.databaseType "sqlite3" }}
{{- $_ := set $config "database_type" "sqlite3" }} {{- $_ := set $config "database_type" "sqlite3" }}
{{- $query := include "spire-server.config-sqlite-query" .Values.dataStore.sql.options }} {{- $_ := set $config "connection_string" "/run/spire/data/datastore.sqlite3" }}
{{- $_ := set $config "connection_string" (printf "%s%s" .Values.dataStore.sql.file $query) }}
{{- else if or (eq .Values.dataStore.sql.databaseType "mysql") (eq .Values.dataStore.sql.databaseType "aws_mysql") }} {{- else if or (eq .Values.dataStore.sql.databaseType "mysql") (eq .Values.dataStore.sql.databaseType "aws_mysql") }}
{{- if eq .Values.dataStore.sql.databaseType "mysql" }} {{- if eq .Values.dataStore.sql.databaseType "mysql" }}
{{- $_ := set $config "database_type" "mysql" }} {{- $_ := set $config "database_type" "mysql" }}
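Review bot: the `sqlite3` branch now hardcodes `connection_string` to `/run/spire/data/datastore.sqlite3` and the `spire-server.config-sqlite-query` helper is deleted above, so `dataStore.sql.file` and the URL-encoded `dataStore.sql.options` the left side appended are silently ignored for sqlite. Either drop those values from `values.yaml` and the README for the sqlite case or keep honoring them; silently discarding a user-supplied database path is the worst of the options. If the options ever come back, keep the removed helper's `urlquery` escaping of keys and values so an option containing `&` or `=` cannot be parsed as extra DSN parameters.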

View File

@ -1,7 +1,3 @@
{{- if and .Values.notifier.k8sBundle.enabled .Values.bundlePublisher.k8sConfigMap.enabled }}
{{- fail "You can only enable either notifier.k8sBundle or bundlePublisher.k8sConfigMap." }}
{{- end }}
{{- if .Values.notifier.k8sBundle.enabled }}
{{- $namespace := include "spire-server.bundle-namespace" . }} {{- $namespace := include "spire-server.bundle-namespace" . }}
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
@ -12,4 +8,3 @@ metadata:
annotations: annotations:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- end }}
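Review bot: the mutual-exclusion `fail` between `notifier.k8sBundle` and `bundlePublisher.k8sConfigMap` on the left is the right call, but the ConfigMap itself is then rendered only when `notifier.k8sBundle.enabled` is set; when the bundle publisher is the chosen path the chart no longer pre-creates the ConfigMap and the server has to create it at runtime (hence the `create` verb added to the Role elsewhere in this compare). State that in the values comment for `bundlePublisher.k8sConfigMap`, because workloads that mount the bundle ConfigMap before the server has published it will see a missing ConfigMap rather than an empty one.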

View File

@ -58,9 +58,6 @@ server:
ca_key_type: {{ .Values.caKeyType | quote }} ca_key_type: {{ .Values.caKeyType | quote }}
ca_ttl: {{ .Values.caTTL | quote }} ca_ttl: {{ .Values.caTTL | quote }}
{{- if .Values.agentTTL }}
agent_ttl: {{ .Values.agentTTL | quote }}
{{- end }}
default_x509_svid_ttl: {{ .Values.defaultX509SvidTTL | quote }} default_x509_svid_ttl: {{ .Values.defaultX509SvidTTL | quote }}
default_jwt_svid_ttl: {{ .Values.defaultJwtSvidTTL | quote }} default_jwt_svid_ttl: {{ .Values.defaultJwtSvidTTL | quote }}
@ -105,22 +102,10 @@ server:
{{- end }} {{- end }}
plugins: plugins:
{{- if or .Values.credentialComposer.uniqueID.enabled .Values.credentialComposer.cel.enabled }} {{- if .Values.credentialComposer.uniqueID.enabled }}
CredentialComposer: CredentialComposer:
{{- if or .Values.credentialComposer.uniqueID.enabled }}
uniqueid: {} uniqueid: {}
{{- end }} {{- end }}
{{- with .Values.credentialComposer.cel }}
{{- if .enabled }}
cel:
plugin_cmd: "/cel/credentialcomposer-cel"
plugin_checksum: {{ .checksum }}
plugin_data:
jwt:
expression_string: {{ .jwt.expression | quote }}
{{- end }}
{{- end }}
{{- end }}
DataStore: DataStore:
sql: sql:
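Review bot: `plugin_checksum: {{ .checksum }}` renders an empty value when `credentialComposer.cel.checksum` is unset, and for a SPIRE external plugin an empty `plugin_checksum` means the binary at `plugin_cmd` is executed without integrity verification; since that binary is copied into an emptyDir by an init container in this same compare, make it mandatory, e.g. `plugin_checksum: {{ required "credentialComposer.cel.checksum must be set" .checksum | quote }}`. Minor: `{{- if or .Values.credentialComposer.uniqueID.enabled }}` is an `or` with a single operand and reads like a leftover from an edit; a plain `if` is clearer.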
@ -142,7 +127,7 @@ plugins:
{{- end }} {{- end }}
disable_migration: {{ .Values.dataStore.sql.disableMigration }} disable_migration: {{ .Values.dataStore.sql.disableMigration }}
{{- if or .Values.nodeAttestor.k8sPSAT.enabled .Values.nodeAttestor.externalK8sPSAT.enabled .Values.nodeAttestor.joinToken.enabled .Values.nodeAttestor.httpChallenge.enabled .Values.nodeAttestor.tpmDirect.enabled .Values.nodeAttestor.awsIID.enabled }} {{- if or .Values.nodeAttestor.k8sPSAT.enabled .Values.nodeAttestor.externalK8sPSAT.enabled .Values.nodeAttestor.joinToken.enabled .Values.nodeAttestor.httpChallenge.enabled .Values.nodeAttestor.tpmDirect.enabled }}
NodeAttestor: NodeAttestor:
{{- $clusters := default .Values.kubeConfigs .Values.nodeAttestor.externalK8sPSAT.clusters }} {{- $clusters := default .Values.kubeConfigs .Values.nodeAttestor.externalK8sPSAT.clusters }}
{{- if or (eq (.Values.nodeAttestor.k8sPSAT.enabled | toString) "true") (and (eq (.Values.nodeAttestor.externalK8sPSAT.enabled | toString) "true") (gt (len $clusters) 0)) }} {{- if or (eq (.Values.nodeAttestor.k8sPSAT.enabled | toString) "true") (and (eq (.Values.nodeAttestor.externalK8sPSAT.enabled | toString) "true") (gt (len $clusters) 0)) }}
@ -222,15 +207,6 @@ plugins:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- with .Values.nodeAttestor.awsIID }}
{{- if eq (.enabled | toString) "true" }}
aws_iid:
plugin_data:
{{- if ne .assumeRole "" }}
assume_role: {{ .assumeRole | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }} {{- end }}
{{- with .Values.keyManager.disk }} {{- with .Values.keyManager.disk }}
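Review bot: in the `aws_iid` block the only exposed option is `assume_role`, gated by `ne .assumeRole ""`, which relies on values.yaml defining `assumeRole` as an empty string; `{{- with .assumeRole }}assume_role: {{ . | quote }}{{- end }}` handles both a missing key and an empty string and matches the `with` style used for the other plugin fields in this file.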
@ -286,7 +262,7 @@ plugins:
k8sbundle: k8sbundle:
plugin_data: plugin_data:
{{- if eq (.Values.notifier.k8sBundle.enabled | toString) "true" }} {{- if eq (.Values.notifier.k8sBundle.enabled | toString) "true" }}
namespace: {{ include "spire-server.bundle-namespace-notifier" . | quote }} namespace: {{ include "spire-server.bundle-namespace" . | quote }}
config_map: {{ include "spire-lib.bundle-configmap" . | quote }} config_map: {{ include "spire-lib.bundle-configmap" . | quote }}
{{- with .Values.notifier.k8sBundle.apiServiceLabel }} {{- with .Values.notifier.k8sBundle.apiServiceLabel }}
api_service_label: {{ . | quote }} api_service_label: {{ . | quote }}
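Review bot: the left introduces `spire-server.bundle-namespace-notifier` here and `spire-server.bundle-namespace-bundlepublisher` in the BundlePublisher block, while the bundle ConfigMap template and the RBAC template in this same compare still resolve the namespace with `spire-server.bundle-namespace`; if those helpers can disagree, the Role and RoleBinding are created in one namespace and the notifier tries to `patch` a ConfigMap in another, which fails only at runtime. Either derive the notifier and bundle-publisher helpers from `spire-server.bundle-namespace`, or render the Role/RoleBinding for each namespace the two helpers can return.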
@ -316,51 +292,8 @@ plugins:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- $externalK8sConfigMapClusters := default .Values.kubeConfigs .Values.bundlePublisher.externalK8sConfigMap.clusters }} {{- if or .Values.bundlePublisher.awsRolesAnywhereTrustAnchor.enabled .Values.bundlePublisher.awsS3.enabled .Values.bundlePublisher.gcpCloudStorage.enabled }}
{{- if or .Values.bundlePublisher.awsRolesAnywhereTrustAnchor.enabled .Values.bundlePublisher.awsS3.enabled .Values.bundlePublisher.gcpCloudStorage.enabled .Values.bundlePublisher.k8sConfigMap.enabled (and .Values.bundlePublisher.externalK8sConfigMap.enabled (ne (len $externalK8sConfigMapClusters) 0)) }}
BundlePublisher: BundlePublisher:
{{- if or .Values.bundlePublisher.k8sConfigMap.enabled (and .Values.bundlePublisher.externalK8sConfigMap.enabled (ne (len $externalK8sConfigMapClusters) 0)) }}
k8s_configmap:
plugin_data:
clusters:
{{- $prefix := "-" }}
{{- if eq (.Values.bundlePublisher.k8sConfigMap.enabled | toString) "true" }}
{{ $prefix }} chart-internal:
format: {{ .Values.bundlePublisher.k8sConfigMap.format | quote }}
namespace: {{ include "spire-server.bundle-namespace-bundlepublisher" . | quote }}
configmap_name: {{ include "spire-lib.bundle-configmap" . | quote }}
configmap_key: {{ printf "bundle.%s" (include "spire-lib.trust-bundle-ext" (dict "trustBundleFormat" .Values.bundlePublisher.k8sConfigMap.format)) | quote }}
{{- $prefix := " " }}
{{- end }}
{{- if and (eq (.Values.bundlePublisher.externalK8sConfigMap.enabled | toString) "true") (ne (len $externalK8sConfigMapClusters) 0) }}
{{- $clusterDefaults := .Values.bundlePublisher.externalK8sConfigMap.defaults }}
{{- range $name, $_ := $externalK8sConfigMapClusters }}
{{ $prefix }} {{ $name | quote }}:
{{- $clusterSettings := dict }}
{{- if hasKey $root.Values.bundlePublisher.externalK8sConfigMap.clusters $name }}
{{- $clusterSettings = index $root.Values.bundlePublisher.externalK8sConfigMap.clusters $name }}
{{- end }}
{{- if hasKey $clusterSettings "kubeConfigName" }}
kubeconfig_path: /kubeconfigs/{{ $clusterSettings.kubeConfigName }}
{{- else }}
kubeconfig_path: /kubeconfigs/{{ $name }}
{{- end }}
{{- $format := $clusterDefaults.format }}
{{- if hasKey $clusterSettings "format" }}{{- $format = $clusterSettings.format }}{{- end }}
format: {{ $format | quote }}
namespace: {{ if hasKey $clusterSettings "namespace" }}{{ $clusterSettings.namespace }}{{ else }}{{ $clusterDefaults.namespace }}{{ end }}
configmap_name: {{ if hasKey $clusterSettings "configMapName" }}{{ $clusterSettings.configMapName }}{{ else }}{{ $clusterDefaults.configMapName }}{{ end }}
{{- if hasKey $clusterSettings "configMapKey" }}
configmap_key: {{ $clusterSettings.configMapKey | quote }}
{{- else if ne $clusterDefaults.configMapKey "" }}
configmap_key: {{ $clusterDefaults.configMapKey | quote }}
{{- else }}
configmap_key: {{ printf "bundle.%s" (include "spire-lib.trust-bundle-ext" (dict "trustBundleFormat" $format)) | quote }}
{{- end }}
{{- $prefix := " " }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.bundlePublisher.awsRolesAnywhereTrustAnchor.enabled }} {{- if .Values.bundlePublisher.awsRolesAnywhereTrustAnchor.enabled }}
aws_rolesanywhere_trustanchor: aws_rolesanywhere_trustanchor:
plugin_data: plugin_data:
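Review bot: `{{- $prefix := " " }}` at the end of the `chart-internal` branch and again at the end of each `range` iteration declares a new variable scoped to that `if`/`range` body instead of updating the `$prefix` declared before `clusters:`, so every cluster is emitted with the `-` prefix and both assignments are dead code; use `$prefix = " "` (the form already used for `$format = $clusterSettings.format` below) if the intent is a single list item holding all clusters, or drop `$prefix` and always emit `-` if the plugin expects one item per cluster. Also, `namespace:` and `configmap_name:` in the external-cluster branch are rendered unquoted while every sibling field is `| quote`; a purely numeric name such as `1234` would change type on the YAML round-trip.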
@ -499,13 +432,6 @@ telemetry:
- host: "0.0.0.0" - host: "0.0.0.0"
port: 9988 port: 9988
{{- end }} {{- end }}
{{- if .Values.telemetry.datadog.enabled }}
telemetry:
- DogStatsd:
- address: "{{ .Values.telemetry.datadog.address }}:{{ .Values.telemetry.datadog.port }}"
{{- end }}
{{- end }} {{- end }}
{{- if not .Values.externalServer }} {{- if not .Values.externalServer }}
apiVersion: v1 apiVersion: v1
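Review bot: the added `telemetry:` key with a `- DogStatsd:` list item sits directly under what the context lines show to be the existing telemetry section (the Prometheus `- host: "0.0.0.0"` / `port: 9988` entry immediately above), so verify with `helm template` that this does not render `telemetry` nested inside `telemetry`, which SPIRE's config schema does not define, or a second top-level `telemetry` key, which YAML parsers either reject or resolve last-one-wins; `DogStatsd` should be a sibling of `Prometheus` under the one `telemetry` map.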

View File

@ -17,21 +17,6 @@ matchLabels:
release: {{ .Release.Name }} release: {{ .Release.Name }}
release-namespace: {{ .Release.Namespace }} release-namespace: {{ .Release.Namespace }}
component: oidc-discovery-provider component: oidc-discovery-provider
{{- else if eq .type "spike-keeper" }}
matchLabels:
release: {{ .Release.Name }}
release-namespace: {{ .Release.Namespace }}
component: spike-keeper
{{- else if eq .type "spike-nexus" }}
matchLabels:
release: {{ .Release.Name }}
release-namespace: {{ .Release.Namespace }}
component: spike-nexus
{{- else if eq .type "spike-pilot" }}
matchLabels:
release: {{ .Release.Name }}
release-namespace: {{ .Release.Namespace }}
component: spike-pilot
{{- else if eq .type "test-keys" }} {{- else if eq .type "test-keys" }}
matchLabels: matchLabels:
release: {{ .Release.Name }} release: {{ .Release.Name }}
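Review bot: the new `spike-keeper`, `spike-nexus` and `spike-pilot` branches are copies of the `oidc-discovery-provider` branch that differ only in the `component:` value, and in every case that value equals `.type`; collapse them into one `else if has .type (list "oidc-discovery-provider" "spike-keeper" "spike-nexus" "spike-pilot")` branch that emits `component: {{ .type }}`, so the next component is a one-word change to the allow-list at the bottom of this file rather than another five-line block that has to be kept in sync with it.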
@ -41,7 +26,6 @@ matchLabels:
{} {}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if eq .Values.controllerManager.staticManifestMode "off" }}
{{- $root := . }} {{- $root := . }}
{{ $namespaces := list .Release.Namespace .Values.namespaceOverride (dig "spire" "namespaces" "server" "name" "" .Values.global) (dig "spire" "namespaces" "system" "name" "" .Values.global) | compact | uniq }} {{ $namespaces := list .Release.Namespace .Values.namespaceOverride (dig "spire" "namespaces" "server" "name" "" .Values.global) (dig "spire" "namespaces" "system" "name" "" .Values.global) | compact | uniq }}
{{- range $key, $value := .Values.controllerManager.identities.clusterSPIFFEIDs }} {{- range $key, $value := .Values.controllerManager.identities.clusterSPIFFEIDs }}
@ -53,8 +37,8 @@ matchLabels:
{{- if eq ($root.Values.controllerManager.enabled | toString) "true" }} {{- if eq ($root.Values.controllerManager.enabled | toString) "true" }}
{{- if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }} {{- if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
{{- $type := dig "type" "base" $value }} {{- $type := dig "type" "base" $value }}
{{- if not (has $type (list "base" "raw" "child-servers" "oidc-discovery-provider" "spike-keeper" "spike-nexus" "spike-pilot" "test-keys")) }} {{- if not (has $type (list "base" "raw" "child-servers" "oidc-discovery-provider" "test-keys")) }}
{{- fail (printf "Type given: %s, must be one of [base, raw, child-servers, oidc-discovery-provider, spike-keeper, spike-nexus, spike-pilot, test-keys]" $type) }} {{- fail (printf "Type given: %s, must be one of [base, raw, child-servers, oidc-discovery-provider, test-keys]" $type) }}
{{- end }} {{- end }}
{{- $namespaceSelector := deepCopy (dig "namespaceSelector" (dict) $value) }} {{- $namespaceSelector := deepCopy (dig "namespaceSelector" (dict) $value) }}
{{- if ne $type "raw" }} {{- if ne $type "raw" }}
@ -132,4 +116,3 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}

View File

@ -47,12 +47,10 @@ metrics:
bindAddress: 0.0.0.0:{{ $promPort }} bindAddress: 0.0.0.0:{{ $promPort }}
health: health:
healthProbeBindAddress: 0.0.0.0:{{ $healthPort }} healthProbeBindAddress: 0.0.0.0:{{ $healthPort }}
{{- if eq .Values.controllerManager.staticManifestMode "off" }}
leaderElection: leaderElection:
leaderElect: true leaderElect: true
resourceName: {{ printf "%s-%s%s" .Release.Namespace (default .Release.Name .Values.crNameOverride) .suffix | sha256sum | trunc 8 }}.spiffe.io resourceName: {{ printf "%s-%s%s" .Release.Namespace (default .Release.Name .Values.crNameOverride) .suffix | sha256sum | trunc 8 }}.spiffe.io
resourceNamespace: {{ include "spire-server.namespace" . }} resourceNamespace: {{ include "spire-server.namespace" . }}
{{- end }}
{{- with .settings.cacheNamespaces }} {{- with .settings.cacheNamespaces }}
cacheNamespaces: cacheNamespaces:
{{- toYaml . | nindent 2 }} {{- toYaml . | nindent 2 }}
@ -87,12 +85,7 @@ parentIDTemplate: {{ if hasKey .settings "parentIDTemplate" }}{{ .settings.paren
{{- $reconcile = .settings.reconcile }} {{- $reconcile = .settings.reconcile }}
{{- end }} {{- end }}
reconcile: reconcile:
{{- if eq .Values.controllerManager.staticManifestMode "off" }}
clusterSPIFFEIDs: {{ if hasKey $reconcile "clusterSPIFFEIDs" }}{{ toYaml $reconcile.clusterSPIFFEIDs }}{{ else }}{{ toYaml .defaults.reconcile.clusterSPIFFEIDs }}{{ end }} clusterSPIFFEIDs: {{ if hasKey $reconcile "clusterSPIFFEIDs" }}{{ toYaml $reconcile.clusterSPIFFEIDs }}{{ else }}{{ toYaml .defaults.reconcile.clusterSPIFFEIDs }}{{ end }}
{{- end }}
clusterStaticEntries: {{ if hasKey $reconcile "clusterStaticEntries" }}{{ toYaml $reconcile.clusterStaticEntries }}{{ else }}{{ toYaml .defaults.reconcile.clusterStaticEntries }}{{ end }} clusterStaticEntries: {{ if hasKey $reconcile "clusterStaticEntries" }}{{ toYaml $reconcile.clusterStaticEntries }}{{ else }}{{ toYaml .defaults.reconcile.clusterStaticEntries }}{{ end }}
clusterFederatedTrustDomains: {{ if hasKey $reconcile "clusterFederatedTrustDomains" }}{{ toYaml $reconcile.clusterFederatedTrustDomains }}{{ else }}{{ toYaml .defaults.reconcile.clusterFederatedTrustDomains }}{{ end }} clusterFederatedTrustDomains: {{ if hasKey $reconcile "clusterFederatedTrustDomains" }}{{ toYaml $reconcile.clusterFederatedTrustDomains }}{{ else }}{{ toYaml .defaults.reconcile.clusterFederatedTrustDomains }}{{ end }}
{{- if ne .Values.controllerManager.staticManifestMode "off" }}
staticManifestPath: /manifests
{{- end }}
{{- end }} {{- end }}
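Review bot: with `staticManifestMode` set to anything but `off` the left removes `leaderElection` and the `clusterSPIFFEIDs` reconcile flag and adds `staticManifestPath: /manifests`, which means any `controllerManager.identities.clusterSPIFFEIDs` a user configured are rendered nowhere (the ClusterSPIFFEID template in this compare is gated on `off` as well); add a `fail` or at least a NOTES.txt warning when `clusterSPIFFEIDs` is non-empty in a static mode, and document that leader election is disabled in those modes so operators running more than one server replica are not surprised.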

View File

@ -1,7 +1,5 @@
{{- define "spire-server.cluster-federated-trust-domains" -}} {{- $root := . }}
{{- $root := .root }} {{- range $key, $value := .Values.controllerManager.identities.clusterFederatedTrustDomains }}
{{- $useShortName := .useShortName }}
{{- range $key, $value := $root.Values.controllerManager.identities.clusterFederatedTrustDomains }}
{{- range $skey, $svalue := $value }} {{- range $skey, $svalue := $value }}
{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "bundleEndpointProfile" "bundleEndpointURL" "trustDomain" "trustDomainBundle")) }} {{- if not (has $skey (list "name" "annotations" "labels" "enabled" "bundleEndpointProfile" "bundleEndpointURL" "trustDomain" "trustDomainBundle")) }}
{{- fail (printf "Unsupported property specified: %s" $skey) }} {{- fail (printf "Unsupported property specified: %s" $skey) }}
@ -14,27 +12,24 @@
{{- end }} {{- end }}
{{- if eq ($root.Values.controllerManager.enabled | toString) "true" }} {{- if eq ($root.Values.controllerManager.enabled | toString) "true" }}
{{- if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }} {{- if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
- apiVersion: spire.spiffe.io/v1alpha1 ---
kind: ClusterFederatedTrustDomain apiVersion: spire.spiffe.io/v1alpha1
metadata: kind: ClusterFederatedTrustDomain
{{- if $useShortName }} metadata:
name: {{ $key }}
{{- else }}
name: {{ $root.Release.Namespace }}-{{ default $root.Release.Name $root.Values.crNameOverride }}-{{ $key }} name: {{ $root.Release.Namespace }}-{{ default $root.Release.Name $root.Values.crNameOverride }}-{{ $key }}
{{- end }}
{{- with $value.annotations }} {{- with $value.annotations }}
annotations: annotations:
{{- toYaml . | nindent 6 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- with $value.labels }} {{- with $value.labels }}
labels: labels:
{{- toYaml . | nindent 6 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
spec: spec:
className: {{ include "spire-server.controller-manager-class-name" $root | quote }} className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
{{- with $value.bundleEndpointProfile }} {{- with $value.bundleEndpointProfile }}
bundleEndpointProfile: bundleEndpointProfile:
{{- toYaml . | nindent 6 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- with $value.bundleEndpointURL }} {{- with $value.bundleEndpointURL }}
bundleEndpointURL: {{ . | quote }} bundleEndpointURL: {{ . | quote }}
@ -48,11 +43,3 @@
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}
{{- if eq .Values.controllerManager.staticManifestMode "off" }}
{{- $t := include "spire-server.cluster-federated-trust-domains" (dict "root" . "useShortName" false) | fromYamlArray }}
{{- range $_, $v := $t }}
---
{{- $v | toYaml }}
{{- end }}
{{- end }}
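Review bot: `include ... | fromYamlArray` swallows render errors: Helm's `fromYamlArray` returns a one-element list containing the error string instead of failing, so an indentation mistake inside `spire-server.cluster-federated-trust-domains` becomes a `---` document containing that string in the `off` loop, and in the static ConfigMap it surfaces only as a `.metadata.name` lookup on a string; guard each element with `{{- if not (kindIs "map" $v) }}{{ fail (toString $v) }}{{- end }}` before emitting it so a template bug fails `helm template` with the real error.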

View File

@ -1,4 +1,4 @@
{{- if and (eq (.Values.controllerManager.enabled | toString) "true") (eq .Values.controllerManager.staticManifestMode "off") }} {{- if eq (.Values.controllerManager.enabled | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:

View File

@ -1,5 +1,4 @@
{{- if not .Values.externalServer }} {{- if not .Values.externalServer }}
{{- if eq .Values.controllerManager.staticManifestMode "off" }}
{{- if eq (.Values.controllerManager.enabled | toString) "true" }} {{- if eq (.Values.controllerManager.enabled | toString) "true" }}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@ -23,4 +22,3 @@ spec:
{{- include "spire-server.selectorLabels" . | nindent 4 }} {{- include "spire-server.selectorLabels" . | nindent 4 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}

View File

@ -1,21 +0,0 @@
{{- if not (has .Values.controllerManager.staticManifestMode (list "off" "internal" "external" )) }}
{{- fail "Unsupported option specified for controllerManager.staticManifestMode" }}
{{- end }}
{{- if eq .Values.controllerManager.staticManifestMode "internal" }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "spire-controller-manager.fullname" . }}-static
namespace: {{ include "spire-server.namespace" . }}
data:
{{- $t := include "spire-server.cluster-static-entries" (dict "root" . "useShortName" true) | fromYamlArray }}
{{- range $_, $v := $t }}
"e-{{ $v.metadata.name }}.yaml": |
{{- $v | toYaml | nindent 4 }}
{{- end }}
{{- $t := include "spire-server.cluster-federated-trust-domains" (dict "root" . "useShortName" true) | fromYamlArray }}
{{- range $_, $v := $t }}
"f-{{ $v.metadata.name }}.yaml": |
{{- $v | toYaml | nindent 4 }}
{{- end }}
{{- end }}
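Review bot: the `fail` for an unsupported `controllerManager.staticManifestMode` lives inside this one ConfigMap template while every other template in the compare only tests `eq`/`ne` against `"off"`; it works because Helm renders all templates together, but a chart-wide validation belongs in `_helpers.tpl` or `values.schema.json`, where a later edit that wraps this file in another condition cannot silently disable it. Separately, the data keys are `e-<name>.yaml` / `f-<name>.yaml` with `<name>` taken straight from the values key; ConfigMap data keys must match `[-._a-zA-Z0-9]+`, so a key containing `/` or a space fails at apply time rather than at template time, and a `regexMatch` check here would give the clearer error.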

View File

@ -1,7 +1,5 @@
{{- define "spire-server.cluster-static-entries" -}} {{- $root := . }}
{{- $root := .root }} {{- range $key, $value := .Values.controllerManager.identities.clusterStaticEntries }}
{{- $useShortName := .useShortName }}
{{- range $key, $value := $root.Values.controllerManager.identities.clusterStaticEntries }}
{{- range $skey, $svalue := $value }} {{- range $skey, $svalue := $value }}
{{- if not (has $skey (list "name" "annotations" "labels" "enabled" "admin" "dnsNames" "downstream" "federatesWith" "hint" "jwtSVIDTTL" "parentID" "selectors" "spiffeID" "x509SVIDTTL")) }} {{- if not (has $skey (list "name" "annotations" "labels" "enabled" "admin" "dnsNames" "downstream" "federatesWith" "hint" "jwtSVIDTTL" "parentID" "selectors" "spiffeID" "x509SVIDTTL")) }}
{{- fail (printf "Unsupported property specified: %s" $skey) }} {{- fail (printf "Unsupported property specified: %s" $skey) }}
@ -14,39 +12,36 @@
{{- end }} {{- end }}
{{- if eq ($root.Values.controllerManager.enabled | toString) "true" }} {{- if eq ($root.Values.controllerManager.enabled | toString) "true" }}
{{- if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }} {{- if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
- apiVersion: spire.spiffe.io/v1alpha1 ---
kind: ClusterStaticEntry apiVersion: spire.spiffe.io/v1alpha1
metadata: kind: ClusterStaticEntry
{{- if $useShortName }} metadata:
name: {{ $key }}
{{- else }}
name: {{ $root.Release.Namespace }}-{{ default $root.Release.Name $root.Values.crNameOverride }}-{{ $key }} name: {{ $root.Release.Namespace }}-{{ default $root.Release.Name $root.Values.crNameOverride }}-{{ $key }}
{{- end }}
{{- with $value.annotations }} {{- with $value.annotations }}
annotations: annotations:
{{- toYaml . | nindent 6 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- with $value.labels }} {{- with $value.labels }}
labels: labels:
{{- toYaml . | nindent 6 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
spec: spec:
className: {{ include "spire-server.controller-manager-class-name" $root | quote }} className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
spiffeID: {{ $value.spiffeID | quote }} spiffeID: {{ $value.spiffeID | quote }}
{{- with $value.federatesWith }} {{- with $value.federatesWith }}
federatesWith: federatesWith:
{{- toYaml . | nindent 6 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- with $value.selectors }} {{- with $value.selectors }}
selectors: selectors:
{{- toYaml . | nindent 6 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- with $value.parentID }} {{- with $value.parentID }}
parentID: {{ . | quote }} parentID: {{ . | quote }}
{{- end }} {{- end }}
{{- with $value.dnsNames }} {{- with $value.dnsNames }}
dnsNames: dnsNames:
{{- toYaml . | nindent 6 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- with $value.hint }} {{- with $value.hint }}
hint: {{ . | quote }} hint: {{ . | quote }}
@ -66,11 +61,3 @@
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}
{{- if eq .Values.controllerManager.staticManifestMode "off" }}
{{- $t := include "spire-server.cluster-static-entries" (dict "root" . "useShortName" false) | fromYamlArray }}
{{- range $_, $v := $t }}
---
{{- $v | toYaml }}
{{- end }}
{{- end }}
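Review bot: `spiffeID: {{ $value.spiffeID | quote }}` is emitted unconditionally while `parentID`, `selectors`, `dnsNames` and the rest are `with`-guarded, so an entry without `spiffeID` renders `spiffeID: ""` and the error comes from the controller-manager instead of from `helm template`; `{{ required (printf "clusterStaticEntries.%s.spiffeID is required" $key) $value.spiffeID | quote }}` fails at render time and names the offending entry. The `$useShortName` / list-item restructuring here is identical to the federated-trust-domains file, so the name/annotations/labels preamble is a candidate for one shared helper.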

View File

@ -1,5 +1,4 @@
{{- if not .Values.externalServer }} {{- if not .Values.externalServer }}
{{- if eq .Values.controllerManager.staticManifestMode "off" }}
{{- if and (eq (.Values.controllerManager.enabled | toString) "true") .Values.controllerManager.validatingWebhookConfiguration.enabled }} {{- if and (eq (.Values.controllerManager.enabled | toString) "true") .Values.controllerManager.validatingWebhookConfiguration.enabled }}
apiVersion: admissionregistration.k8s.io/v1 apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration kind: ValidatingWebhookConfiguration
@ -40,4 +39,3 @@ webhooks:
sideEffects: None sideEffects: None
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}

View File

@ -1,6 +1,5 @@
{{- if not .Values.externalServer }} {{- if not .Values.externalServer }}
{{- if eq ((dig "installAndUpgradeHooks" "enabled" .Values.controllerManager.installAndUpgradeHook.enabled .Values.global) | toString) "true" }} {{- if eq ((dig "installAndUpgradeHooks" "enabled" .Values.controllerManager.installAndUpgradeHook.enabled .Values.global) | toString) "true" }}
{{- if eq .Values.controllerManager.staticManifestMode "off" }}
{{- if and (eq (.Values.controllerManager.enabled | toString) "true") .Values.controllerManager.validatingWebhookConfiguration.enabled }} {{- if and (eq (.Values.controllerManager.enabled | toString) "true") .Values.controllerManager.validatingWebhookConfiguration.enabled }}
{{- if eq .Values.controllerManager.validatingWebhookConfiguration.failurePolicy "Fail" }} {{- if eq .Values.controllerManager.validatingWebhookConfiguration.failurePolicy "Fail" }}
apiVersion: v1 apiVersion: v1
@ -94,4 +93,3 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}

View File

@ -1,6 +1,5 @@
{{- if not .Values.externalServer }} {{- if not .Values.externalServer }}
{{- if eq ((dig "installAndUpgradeHooks" "enabled" .Values.controllerManager.installAndUpgradeHook.enabled .Values.global) | toString) "true" }} {{- if eq ((dig "installAndUpgradeHooks" "enabled" .Values.controllerManager.installAndUpgradeHook.enabled .Values.global) | toString) "true" }}
{{- if eq .Values.controllerManager.staticManifestMode "off" }}
{{- if and (eq (.Values.controllerManager.enabled | toString) "true") .Values.controllerManager.validatingWebhookConfiguration.enabled }} {{- if and (eq (.Values.controllerManager.enabled | toString) "true") .Values.controllerManager.validatingWebhookConfiguration.enabled }}
{{- if eq .Values.controllerManager.validatingWebhookConfiguration.failurePolicy "Fail" }} {{- if eq .Values.controllerManager.validatingWebhookConfiguration.failurePolicy "Fail" }}
apiVersion: v1 apiVersion: v1
@ -94,4 +93,3 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}

View File

@ -1,6 +1,5 @@
{{- if not .Values.externalServer }} {{- if not .Values.externalServer }}
{{- if eq ((dig "installAndUpgradeHooks" "enabled" .Values.controllerManager.installAndUpgradeHook.enabled .Values.global) | toString) "true" }} {{- if eq ((dig "installAndUpgradeHooks" "enabled" .Values.controllerManager.installAndUpgradeHook.enabled .Values.global) | toString) "true" }}
{{- if eq .Values.controllerManager.staticManifestMode "off" }}
{{- if and (eq (.Values.controllerManager.enabled | toString) "true") .Values.controllerManager.validatingWebhookConfiguration.enabled }} {{- if and (eq (.Values.controllerManager.enabled | toString) "true") .Values.controllerManager.validatingWebhookConfiguration.enabled }}
{{- if eq .Values.controllerManager.validatingWebhookConfiguration.failurePolicy "Fail" }} {{- if eq .Values.controllerManager.validatingWebhookConfiguration.failurePolicy "Fail" }}
apiVersion: v1 apiVersion: v1
@ -94,4 +93,3 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}
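Review bot: this is the third hook template in the compare with the same four-deep gating (`externalServer`, `installAndUpgradeHooks`, `staticManifestMode`, then `controllerManager.enabled` plus `validatingWebhookConfiguration.enabled` plus `failurePolicy "Fail"`), and the ValidatingWebhookConfiguration and Service templates carry most of the same chain; a single named template such as `spire-server.webhook-hooks-enabled` returning `true`/`false` would keep all five files from drifting the next time a condition is added, as `staticManifestMode` had to be threaded through each of them here.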

View File

@ -1,7 +1,7 @@
{{- $subject := include "spire-server.subject" . }} {{- $subject := include "spire-server.subject" . }}
{{- $namespace := include "spire-server.namespace" . }} {{- $namespace := include "spire-server.namespace" . }}
{{- $bundleNamespace := include "spire-server.bundle-namespace" . }} {{- $bundleNamespace := include "spire-server.bundle-namespace" . }}
{{- if or .Values.notifier.k8sBundle.enabled .Values.bundlePublisher.k8sConfigMap.enabled }} {{- if .Values.notifier.k8sBundle.enabled }}
# Role to be able to push certificate bundles to a configmap # Role to be able to push certificate bundles to a configmap
kind: Role kind: Role
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
@ -15,9 +15,6 @@ rules:
verbs: verbs:
- get - get
- patch - patch
{{- if .Values.bundlePublisher.k8sConfigMap.enabled }}
- create
{{- end }}
{{- end }} {{- end }}
{{- if and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.rbac.create }} {{- if and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.rbac.create }}
--- ---
@ -51,7 +48,7 @@ roleRef:
name: {{ include "spire-server.fullname" . }}-cm name: {{ include "spire-server.fullname" . }}-cm
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
{{- end }} {{- end }}
{{- if or .Values.notifier.k8sBundle.enabled .Values.bundlePublisher.k8sConfigMap.enabled }} {{- if .Values.notifier.k8sBundle.enabled }}
--- ---
kind: RoleBinding kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
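Review bot: adding `create` to the configmaps Role when `bundlePublisher.k8sConfigMap.enabled` is set widens the grant more than `get`/`patch` did: Kubernetes RBAC cannot scope `create` by `resourceNames` (the name is not known at authorization time), so even if the rule is restricted to the bundle ConfigMap for `get`/`patch`, this lets the server service account create any ConfigMap in `{{ $bundleNamespace }}`. If that is acceptable, say so in a comment above the rule; otherwise keep pre-creating the ConfigMap from the chart (the bundle ConfigMap template in this compare stops rendering it when only the publisher is enabled) and leave the Role at `get`/`patch`.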

View File

@ -121,41 +121,8 @@ spec:
securityContext: securityContext:
{{- $podSecurityContext | toYaml | nindent 8 }} {{- $podSecurityContext | toYaml | nindent 8 }}
{{- include "spire-lib.default_cluster_priority_class_name" . | nindent 6 }} {{- include "spire-lib.default_cluster_priority_class_name" . | nindent 6 }}
{{- if or (gt (len .Values.initContainers) 0) (and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.ca.create) .Values.nodeAttestor.tpmDirect.enabled .Values.credentialComposer.cel.enabled $needsChown }} {{- if or (gt (len .Values.initContainers) 0) (and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.ca.create) .Values.nodeAttestor.tpmDirect.enabled $needsChown }}
initContainers: initContainers:
{{- if .Values.credentialComposer.cel.enabled }}
- name: init-cel
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 12 }}
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.busybox.image "global" .Values.global) }}
# SPIRE must be able to fork the plugin directly within its container. First copy a busybox so that the plugin can be copied into the right place.
command:
- busybox
- sh
- -ec
- |
cp -a /bin/busybox /cel/busybox
volumeMounts:
- name: cel
mountPath: /cel
imagePullPolicy: {{ .Values.credentialComposer.cel.image.pullPolicy }}
- name: init-cel2
securityContext:
{{- include "spire-lib.securitycontext" . | nindent 12 }}
image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.credentialComposer.cel.image "global" .Values.global) }}
# Second, use the previously copied busybox to copy the plugin into a volume that can be mounted where SPIRE can execute it.
command:
- /cel/busybox
- sh
- -ec
- |
/cel/busybox cp -a {{ .Values.credentialComposer.cel.pluginPath }} /cel/credentialcomposer-cel
/cel/busybox rm -f /cel/busybox
volumeMounts:
- name: cel
mountPath: /cel
imagePullPolicy: {{ .Values.credentialComposer.cel.image.pullPolicy }}
{{- end }}
{{- if .Values.nodeAttestor.tpmDirect.enabled }} {{- if .Values.nodeAttestor.tpmDirect.enabled }}
- name: init-tpm-direct - name: init-tpm-direct
securityContext: securityContext:
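Review bot: `init-cel` runs `.Values.tools.busybox.image` but takes `imagePullPolicy` from `.Values.credentialComposer.cel.image.pullPolicy`, which belongs to the plugin image used by `init-cel2`; use `.Values.tools.busybox.image.pullPolicy` so the pull policy is controlled next to the image it applies to. On the flow itself: the plugin binary lands in an emptyDir that the server mounts read-only and executes via `plugin_cmd: /cel/credentialcomposer-cel`, so the only thing between a tampered plugin image and the server's credential pipeline is `plugin_checksum` in the server ConfigMap; that is one more reason the checksum value must be mandatory rather than optional.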
@ -180,7 +147,7 @@ spec:
- name: chown - name: chown
image: {{ template "spire-lib.image" (dict "image" .Values.chown.image "global" .Values.global) }} image: {{ template "spire-lib.image" (dict "image" .Values.chown.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.chown.image.pullPolicy }} imagePullPolicy: {{ .Values.chown.image.pullPolicy }}
command: ["sh", "-c"] command: ["bash", "-c"]
args: args:
- | - |
chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.runAsGroup }} /var/lib/spire chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.runAsGroup }} /var/lib/spire
@ -335,11 +302,6 @@ spec:
mountPath: /kubeconfigs mountPath: /kubeconfigs
readOnly: true readOnly: true
{{- end }} {{- end }}
{{- if .Values.credentialComposer.cel.enabled }}
- name: cel
mountPath: /cel
readOnly: true
{{- end }}
{{- if .Values.nodeAttestor.tpmDirect.enabled }} {{- if .Values.nodeAttestor.tpmDirect.enabled }}
- name: tpm-direct - name: tpm-direct
mountPath: /tpm mountPath: /tpm
@ -478,10 +440,6 @@ spec:
secret: secret:
secretName: {{ include "spire-server.fullname" . }}-kubeconfigs secretName: {{ include "spire-server.fullname" . }}-kubeconfigs
{{- end }} {{- end }}
{{- if .Values.credentialComposer.cel.enabled }}
- name: cel
emptyDir: {}
{{- end }}
{{- if .Values.nodeAttestor.tpmDirect.enabled }} {{- if .Values.nodeAttestor.tpmDirect.enabled }}
- name: tpm-direct - name: tpm-direct
emptyDir: {} emptyDir: {}
@ -547,11 +505,6 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if eq (.Values.controllerManager.enabled | toString) "true" }} {{- if eq (.Values.controllerManager.enabled | toString) "true" }}
{{- if ne .Values.controllerManager.staticManifestMode "off" }}
- name: controller-manager-static-config
configMap:
name: {{ include "spire-controller-manager.fullname" . }}-static
{{- end }}
- name: controller-manager-config - name: controller-manager-config
configMap: configMap:
name: {{ include "spire-controller-manager.fullname" . }} name: {{ include "spire-controller-manager.fullname" . }}
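Review bot: the `controller-manager-static-config` volume is added whenever `staticManifestMode` is not `off`, but the static ConfigMap template in this compare renders `{{ fullname }}-static` only for the `internal` mode; in `external` mode the pod references a ConfigMap the chart never creates and stays in `ContainerCreating` until the operator supplies one with exactly that name. Document the required name and the `e-*.yaml` / `f-*.yaml` key convention in the values comment for `staticManifestMode: external`, or add `optional: true` to the volume if an empty manifest directory is acceptable to the controller-manager.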

View File

@ -17,13 +17,13 @@ spec:
- name: curl-tornjak-backend - name: curl-tornjak-backend
image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
command: ['curl'] command: ['curl']
args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.servicename" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.ports.http }}/api/v1/tornjak/serverinfo'] args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.servicename" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.ports.http }}/api/tornjak/serverinfo']
securityContext: securityContext:
{{- include "spire-lib.securitycontext" . | nindent 8 }} {{- include "spire-lib.securitycontext" . | nindent 8 }}
- name: curl-tornjak-backend-and-spire - name: curl-tornjak-backend-and-spire
image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }} image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
command: ['curl'] command: ['curl']
args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.servicename" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.ports.http }}/api/v1/spire/healthcheck'] args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.servicename" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.ports.http }}/api/healthcheck']
securityContext: securityContext:
{{- include "spire-lib.securitycontext" . | nindent 8 }} {{- include "spire-lib.securitycontext" . | nindent 8 }}
restartPolicy: Never restartPolicy: Never
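Review bot: the `-k` in both curl `args` disables certificate verification; against the `http://` URL used here it is a no-op, but it would silently accept any certificate if the scheme is later switched to https for the `tls`/`mtls` connection types, so drop it (or replace it with `--cacert` pointing at the chart's CA bundle). Separately, the two sides probe different paths (`/api/v1/tornjak/serverinfo` and `/api/v1/spire/healthcheck` versus `/api/tornjak/serverinfo` and `/api/healthcheck`); these must match the Tornjak backend version pinned by `tornjak.image.defaultTag` in values.yaml, otherwise `helm test` fails against a working deployment.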

View File

@ -10,22 +10,25 @@ data:
spire_socket_path = "unix:///tmp/spire-server/private/api.sock" # socket to communicate with SPIRE server spire_socket_path = "unix:///tmp/spire-server/private/api.sock" # socket to communicate with SPIRE server
{{- if eq (include "spire-tornjak.connectionType" .) "http" }} {{- if eq (include "spire-tornjak.connectionType" .) "http" }}
http { http {
enabled = true # if true, opens HTTP server
port = "10000" # if HTTP enabled, opens HTTP listen port at specified container port port = "10000" # if HTTP enabled, opens HTTP listen port at specified container port
} }
{{- end }} {{- end }}
{{- if eq (include "spire-tornjak.connectionType" .) "tls" }} {{- if eq (include "spire-tornjak.connectionType" .) "tls" }}
https { tls {
enabled = true
port = "10443" # container port for TLS connection port = "10443" # container port for TLS connection
cert = "/opt/spire/server/tls.crt" # TLS server cert cert = "/opt/spire/server/tls.crt" # TLS server cert
key = "/opt/spire/server/tls.key" # TLS server key key = "/opt/spire/server/tls.key" # TLS server key
} }
{{- end }} {{- end }}
{{- if eq (include "spire-tornjak.connectionType" .) "mtls" }} {{- if eq (include "spire-tornjak.connectionType" .) "mtls" }}
https { mtls {
enabled = true
port = "10443" # container port for mTLS connection port = "10443" # container port for mTLS connection
cert = "/opt/spire/server/tls.crt" # mTLS server cert cert = "/opt/spire/server/tls.crt" # mTLS server cert
key = "/opt/spire/server/tls.key" # mTLS server key key = "/opt/spire/server/tls.key" # mTLS server key
client_ca = "/opt/spire/user/ca.crt" # mTLS user CA ca = "/opt/spire/user/ca.crt" # mTLS user CA
} }
{{- end }} {{- end }}
} }
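Review bot: the listener block names differ between the two sides (`https { ... client_ca = ... }` versus `tls { ... }` / `mtls { ... ca = ... }`) and the `enabled = true` lines exist on only one side; a Tornjak backend that expects the other schema will either ignore the block or refuse the config, so keep this ConfigMap in lock-step with `tornjak.image.defaultTag` and cover each `connectionType` value (`http`, `tls`, `mtls`) in the chart tests. The `http` branch opens a plaintext listener on port 10000 with no certificate at all; it is reasonable for local development, but the values documentation for `connectionType` should steer production deployments to `tls` or `mtls`.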
@ -40,7 +43,7 @@ data:
} }
{{- end }} {{- end }}
{{- if ne .Values.tornjak.config.userManagement.issuer "" }} {{- if ne .Values.tornjak.config.userManagement.issuer "" }}
Authenticator "Keycloak" { UserManagement "KeycloakAuth" {
plugin_data { plugin_data {
issuer = "{{ .Values.tornjak.config.userManagement.issuer }}" issuer = "{{ .Values.tornjak.config.userManagement.issuer }}"
audience = "{{ .Values.tornjak.config.userManagement.audience }}" audience = "{{ .Values.tornjak.config.userManagement.audience }}"
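Review bot: the user-management plugin block is named `Authenticator "Keycloak"` on one side and `UserManagement "KeycloakAuth"` on the other while keeping the same `plugin_data` (`issuer`, `audience`); a block name the backend does not recognise may leave the API running without the auth plugin even though `tornjak.config.userManagement.issuer` is set. Suggest a `helm test` that calls an API endpoint without a bearer token and expects a rejection whenever `issuer` is non-empty, so a schema mismatch is caught rather than silently degrading to unauthenticated access.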

View File

@ -167,9 +167,7 @@ dataStore:
username: spire username: spire
## @param dataStore.sql.password Only used when type != "sqlite3" ## @param dataStore.sql.password Only used when type != "sqlite3"
password: "" password: ""
## @param dataStore.sql.file Data source file. Only used when type == "sqlite3" ## @param dataStore.sql.options [array] Only used when type != "sqlite3"
file: "/run/spire/data/datastore.sqlite3"
## @param dataStore.sql.options [array] takes an array of objects of form {<key>: <value>} to use when building the database connection string
options: [] options: []
## @param dataStore.sql.rootCAPath Path to Root CA bundle (MySQL only) ## @param dataStore.sql.rootCAPath Path to Root CA bundle (MySQL only)
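Review bot: `dataStore.sql.file` (default `/run/spire/data/datastore.sqlite3`) exists on only one side, and the `options` description differs (`Only used when type != "sqlite3"` versus `takes an array of objects of form {<key>: <value>} to use when building the database connection string`); keep the more specific description, and make sure the server ConfigMap template still references `file` when `type == "sqlite3"`, otherwise the sqlite path becomes a value that is documented but never used.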
@ -236,7 +234,7 @@ clusterName: example-cluster
## @param trustDomain Set the trust domain to be used for the SPIFFE identifiers ## @param trustDomain Set the trust domain to be used for the SPIFFE identifiers
trustDomain: example.org trustDomain: example.org
## @param bundleConfigMap Set the Configmap name for SPIRE bundle ## @param bundleConfigMap Set the trust domain to be used for the SPIFFE identifiers
bundleConfigMap: spire-bundle bundleConfigMap: spire-bundle
## @param clusterDomain This is the value of your clusters `kubeadm init --service-dns-domain` flag ## @param clusterDomain This is the value of your clusters `kubeadm init --service-dns-domain` flag
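Review bot: the `bundleConfigMap` description on the right-hand side reads `Set the trust domain to be used for the SPIFFE identifiers`, a copy-paste of the `trustDomain` line directly above it; the left-hand wording `Set the Configmap name for SPIRE bundle` is the correct one and should be the version that survives, since the README parameter table mirrors these `@param` comments.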
@ -340,34 +338,6 @@ caSubject:
commonName: example.org commonName: example.org
credentialComposer: credentialComposer:
cel:
## @param credentialComposer.cel.enabled Enable the cel based credential composer
enabled: false
## @param credentialComposer.cel.image.registry The OCI registry to pull the image from
## @param credentialComposer.cel.image.repository The repository within the registry
## @param credentialComposer.cel.image.pullPolicy The image pull policy
## @param credentialComposer.cel.image.tag Overrides the image tag
##
image:
registry: ghcr.io
repository: spiffe/spire-credentialcomposer-cel
pullPolicy: IfNotPresent
tag: "0.0.2"
## @param credentialComposer.cel.checksum The sha256 checksum of the plugin binary
checksum: 23fa1d10f15ad5d5c555930cf82289c664801d7d5609bfd8847f95a0a667e4e4
## @param credentialComposer.cel.pluginPath The filename in the container of the plugin
pluginPath: /ko-app/cmd
jwt:
## @param credentialComposer.cel.jwt.expression The expression to use for jwt token composing
expression: ""
#expression: |
# spire.plugin.server.credentialcomposer.v1.ComposeWorkloadJWTSVIDResponse{
# attributes: spire.plugin.server.credentialcomposer.v1.JWTSVIDAttributes{
# claims: request.attributes.claims.mapOverrideEntries(
# {'newclaim': "value"}
# )
# }
# }
uniqueID: uniqueID:
## @param credentialComposer.uniqueID.enabled Add the x509UniqueIdentifier attribute to workload X509-SVIDs ## @param credentialComposer.uniqueID.enabled Add the x509UniqueIdentifier attribute to workload X509-SVIDs
enabled: false enabled: false
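Review bot: the `credentialComposer.cel` plugin is pinned by both `image.tag: "0.0.2"` and a sha256 `checksum` of the plugin binary, which is the right shape for an out-of-tree server plugin; the two values must always be bumped together, so add a comment next to `tag` saying that `checksum` must be updated in the same change. The commented-out `expression` sample uses `mapOverrideEntries` to add a claim to every workload JWT-SVID; a short note that any claim added here is signed by the server and therefore trusted by every JWT-SVID verifier in the trust domain would help operators judge the impact before enabling it.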
@ -514,7 +484,7 @@ upstreamAuthority:
notifier: notifier:
k8sBundle: k8sBundle:
## @param notifier.k8sBundle.enabled Enable local k8s bundle uploader ## @param notifier.k8sBundle.enabled Enable local k8s bundle uploader
enabled: false enabled: true
## @param notifier.k8sBundle.namespace Namespace to push the bundle into, if blank will default to SPIRE Server namespace ## @param notifier.k8sBundle.namespace Namespace to push the bundle into, if blank will default to SPIRE Server namespace
namespace: "" namespace: ""
## @param notifier.k8sBundle.apiServiceLabel If set, rotate the CA Bundle in API services with this label set to true. ## @param notifier.k8sBundle.apiServiceLabel If set, rotate the CA Bundle in API services with this label set to true.
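Review bot: `notifier.k8sBundle.enabled` defaults to `false` on one side and `true` on the other, and the `bundlePublisher.k8sConfigMap` block further down in this file (also `enabled: true`) uploads the same trust bundle to a ConfigMap; with both enabled two writers may update the same ConfigMap. Whichever default is kept, add a template check that `notifier.k8sBundle.enabled` and `bundlePublisher.k8sConfigMap.enabled` are not both true, or document that the notifier is superseded by the publisher.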
@ -523,7 +493,7 @@ notifier:
webhookLabel: "" webhookLabel: ""
externalK8sBundle: externalK8sBundle:
## @param notifier.externalK8sBundle.enabled Enable external k8s bundle uploader ## @param notifier.externalK8sBundle.enabled Enable external k8s bundle uploader
enabled: false enabled: true
defaults: defaults:
## @param notifier.externalK8sBundle.defaults.namespace Namespace to push the bundle into on clusters ## @param notifier.externalK8sBundle.defaults.namespace Namespace to push the bundle into on clusters
namespace: "spire-system" namespace: "spire-system"
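Review bot: the same concern applies to `notifier.externalK8sBundle.enabled`: it is `true` on one side while `bundlePublisher.externalK8sConfigMap` later in this file is also `enabled: true` with the same default target (`namespace: "spire-system"`); pushing the bundle to external clusters through two mechanisms should not be the out-of-the-box default, so pick one and default the other to `false`.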
@ -541,9 +511,6 @@ controllerManager:
## @param controllerManager.enabled Flag to enable controller manager ## @param controllerManager.enabled Flag to enable controller manager
enabled: false enabled: false
## @param controllerManager.staticManifestMode Flag to configure static mode. Valid options off, internal, and external. If internal, the identities config options will be rendered to an included configmap
staticManifestMode: "off"
## @param controllerManager.className specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs. ## @param controllerManager.className specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs.
className: "" className: ""
## @param controllerManager.watchClassless specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true. ## @param controllerManager.watchClassless specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true.
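Review bot: `controllerManager.staticManifestMode` documents three valid values (`off`, `internal`, `external`) but nothing in this hunk validates them, so a typo such as `Off` or `internal ` would most likely match none of the branches without any error. Suggest a `fail` in the template (or a values.schema.json enum) for any value outside that set, and extend the description to say what `external` renders, since only `internal` is explained.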
@ -577,7 +544,7 @@ controllerManager:
registry: ghcr.io registry: ghcr.io
repository: spiffe/spire-controller-manager repository: spiffe/spire-controller-manager
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: "0.6.2" tag: "0.6.0"
## @param controllerManager.resources [object] Resource requests and limits for controller manager ## @param controllerManager.resources [object] Resource requests and limits for controller manager
resources: {} resources: {}
@ -695,28 +662,6 @@ controllerManager:
## @param controllerManager.identities.clusterSPIFFEIDs.test-keys.type The type of rule this is. ## @param controllerManager.identities.clusterSPIFFEIDs.test-keys.type The type of rule this is.
type: test-keys type: test-keys
spike-keeper:
## @param controllerManager.identities.clusterSPIFFEIDs.spike-keeper.enabled Enable this identity for controller manager
enabled: true
## @param controllerManager.identities.clusterSPIFFEIDs.spike-keeper.type The type of rule this is.
type: spike-keeper
## @param controllerManager.identities.clusterSPIFFEIDs.spike-keeper.spiffeIDTemplate The template to use for this rule.
spiffeIDTemplate: spiffe://{{ .TrustDomain }}/spike/keeper
spike-nexus:
## @param controllerManager.identities.clusterSPIFFEIDs.spike-nexus.enabled Enable this identity for controller manager
enabled: true
## @param controllerManager.identities.clusterSPIFFEIDs.spike-nexus.type The type of rule this is.
type: spike-nexus
## @param controllerManager.identities.clusterSPIFFEIDs.spike-nexus.spiffeIDTemplate The template to use for this rule.
spiffeIDTemplate: spiffe://{{ .TrustDomain }}/spike/nexus
spike-pilot:
## @param controllerManager.identities.clusterSPIFFEIDs.spike-pilot.enabled Enable this identity for controller manager
enabled: true
## @param controllerManager.identities.clusterSPIFFEIDs.spike-pilot.type The type of rule this is.
type: spike-pilot
## @param controllerManager.identities.clusterSPIFFEIDs.spike-pilot.spiffeIDTemplate The template to use for this rule.
spiffeIDTemplate: spiffe://{{ .TrustDomain }}/spike/pilot/role/superuser
# You can specify additional ClusterSPIFFEIDs following this example: # You can specify additional ClusterSPIFFEIDs following this example:
# foo: # foo:
# labels: # labels:
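Review bot: the `spike-pilot` ClusterSPIFFEID is `enabled: true` with `spiffeIDTemplate: spiffe://{{ .TrustDomain }}/spike/pilot/role/superuser`, so the chart registers a superuser identity by default even though the `spike-pilot` subchart itself defaults to `enabled: false` elsewhere in this diff. The pod and namespace selectors for these three entries are not in the hunk; confirm they are narrow enough that only the pilot workload can obtain that SVID, and consider defaulting these identities to `false` (or keying them on the subchart's `enabled` flag) so a superuser template is never registered unused.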
@ -825,21 +770,10 @@ tools:
## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion ## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion
## ##
image: image:
registry: registry.k8s.io registry: docker.io
repository: kubectl repository: rancher/kubectl
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: "" tag: ""
busybox:
## @param tools.busybox.image.registry The OCI registry to pull the image from
## @param tools.busybox.image.repository The repository within the registry
## @param tools.busybox.image.pullPolicy The image pull policy
## @param tools.busybox.image.tag Overrides the image tag whose default is the chart appVersion
##
image:
registry: ""
repository: busybox
pullPolicy: IfNotPresent
tag: 1.37.0-uclibc
telemetry: telemetry:
prometheus: prometheus:
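Review bot: the `tools.busybox.image` block has `registry: ""` and `tag: 1.37.0-uclibc` with no digest, whereas `tests.bash.image.tag` in this file is pinned as `latest@sha256:...`; an empty registry resolves to the Docker Hub default and a mutable tag can be re-pushed, so pin busybox by digest too. The `kubectl` image moves between `registry.k8s.io/kubectl` and `docker.io/rancher/kubectl` on the two sides; whichever is kept, a digest pin would make that helper image reproducible as well.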
@ -852,13 +786,6 @@ telemetry:
namespace: "" namespace: ""
## @param telemetry.prometheus.podMonitor.labels [object] Pod labels to filter for prometheus monitoring ## @param telemetry.prometheus.podMonitor.labels [object] Pod labels to filter for prometheus monitoring
labels: {} labels: {}
datadog:
## @param telemetry.datadog.enabled Flag to enable datadog monitoring
enabled: false
## @param telemetry.datadog.address The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc`
address: "datadog.kube-system.svc"
## @param telemetry.datadog.port The port of the datadog service to send metrics to
port: 8125
ingress: ingress:
## @param ingress.enabled Flag to enable ingress ## @param ingress.enabled Flag to enable ingress
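Review bot: `telemetry.datadog` defaults to `address: "datadog.kube-system.svc"` and `port: 8125` (the DogStatsD port); statsd-style metrics are sent without authentication, so the description should state that this is cluster-internal transport and that the `kube-system` default assumes the Datadog agent service lives in that namespace. Keeping `enabled: false` as the default is correct.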
@ -912,8 +839,6 @@ initContainers: []
caKeyType: rsa-2048 caKeyType: rsa-2048
## @param caTTL TTL for CA ## @param caTTL TTL for CA
caTTL: 24h caTTL: 24h
## @param agentTTL The TTL to use for agent SVIDs. If unset, the defaultX509SvidTTL will be used.
agentTTL: ""
## @param defaultX509SvidTTL TTL for X509 Svids ## @param defaultX509SvidTTL TTL for X509 Svids
defaultX509SvidTTL: 4h defaultX509SvidTTL: 4h
## @param defaultJwtSvidTTL TTL for JWT Svids ## @param defaultJwtSvidTTL TTL for JWT Svids
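Review bot: `agentTTL` defaults to the empty string with the note that `defaultX509SvidTTL` applies when unset; the server ConfigMap template (not in this diff) must therefore emit `agent_ttl` only when the value is non-empty, otherwise SPIRE receives `agent_ttl = ""`. A one-line example in the description, such as `agentTTL: "1h"`, would also make the expected duration format clear.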
@ -972,50 +897,21 @@ nodeAttestor:
## @param nodeAttestor.tpmDirect.image.tag Overrides the image tag ## @param nodeAttestor.tpmDirect.image.tag Overrides the image tag
## ##
image: image:
registry: ghcr.io registry: docker.io
repository: spiffe/spire-tpm-plugin-tpm-attestor-server repository: boxboat/spire-tpm-plugin-tpm-attestor-server
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: "v1.9.0" tag: "v1.8.7"
## @param nodeAttestor.tpmDirect.checksum The sha256 checksum of the plugin binary ## @param nodeAttestor.tpmDirect.checksum The sha256 checksum of the plugin binary
checksum: 46d0caad8c25a027dd11c93e18b58a8bc6fbd9f1fe2e36fa2a0dd440986de4dc checksum: f39ef9cdd2b3dd74112bfe827b79d6721c59215d0d5f4c2e34fa09bbc60d36d2
## @param nodeAttestor.tpmDirect.pluginPath The filename in the container of the plugin ## @param nodeAttestor.tpmDirect.pluginPath The filename in the container of the plugin
pluginPath: /app/tpm_attestor_server pluginPath: /app/tpm_attestor_server
## @param nodeAttestor.tpmDirect.cas A dictionary of TPM CA PEM or DER files that are allowed to connect. ## @param nodeAttestor.tpmDirect.cas A dictionary of TPM CA PEM or DER files that are allowed to connect.
cas: {} cas: {}
## @param nodeAttestor.tpmDirect.hashes A list of TPM hashes that are allowed to connect. ## @param nodeAttestor.tpmDirect.hashes A list of TPM hashes that are allowed to connect.
hashes: [] hashes: []
awsIID:
## @param nodeAttestor.awsIID.enabled Enable the aws_iid node attestor
enabled: false
## @param nodeAttestor.awsIID.assumeRole AWS IAM Role NAME to use for the attestation
assumeRole: ""
# The secrets needed for this plugin are configured in the secrets: section # The secrets needed for this plugin are configured in the secrets: section
bundlePublisher: bundlePublisher:
k8sConfigMap:
## @param bundlePublisher.k8sConfigMap.enabled Enable local k8s bundle uploader
enabled: true
## @param bundlePublisher.k8sConfigMap.namespace Namespace to push the bundle into, if blank will default to SPIRE Server namespace
namespace: ""
## @param bundlePublisher.k8sConfigMap.format Format of the trust bundle. Can be pem or spiffe
format: spiffe
externalK8sConfigMap:
## @param bundlePublisher.externalK8sConfigMap.enabled Enable external k8s bundle uploader
enabled: true
defaults:
## @param bundlePublisher.externalK8sConfigMap.defaults.namespace Namespace to push the bundle into on clusters
namespace: "spire-system"
## @param bundlePublisher.externalK8sConfigMap.defaults.configMapName ConfigMap name to push the bundle into on external clusters
configMapName: "spire-bundle-upstream"
## @param bundlePublisher.externalK8sConfigMap.defaults.configMapKey ConfigMap key to push the bundle into on external clusters
configMapKey: ""
## @param bundlePublisher.externalK8sConfigMap.defaults.format Format of the trust bundle. Can be pem or spiffe
format: spiffe
## @param bundlePublisher.externalK8sConfigMap.clusters [object] A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used.
clusters: {}
# clustera:
# namespace: foo
# clusterb: {}
awsRolesAnywhereTrustAnchor: awsRolesAnywhereTrustAnchor:
## @param bundlePublisher.awsRolesAnywhereTrustAnchor.enabled Enable the AWS S3 bundle publisher ## @param bundlePublisher.awsRolesAnywhereTrustAnchor.enabled Enable the AWS S3 bundle publisher
enabled: false enabled: false
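Review bot: the `tpmDirect` plugin moves between `docker.io/boxboat/...` (`v1.8.7`, checksum `f39ef9...`) and `ghcr.io/spiffe/...` (`v1.9.0`, checksum `46d0ca...`); tag and checksum change together, which is exactly what the checksum pin is for, so keep that discipline in every future bump. For the new `awsIID` block, the `assumeRole` description should say whether the role name is optional (the default is `""`), since the accompanying README sample always sets it. And `bundlePublisher.externalK8sConfigMap.defaults.configMapKey` defaults to `""`; state in its description which key is written when it is left empty.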
@ -1061,7 +957,7 @@ tornjak:
repository: spiffe/tornjak-backend repository: spiffe/tornjak-backend
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: "" tag: ""
defaultTag: "v2.1.0" defaultTag: "v1.6.0"
service: service:
## @param tornjak.service.type Type of service resource ## @param tornjak.service.type Type of service resource
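Review bot: `tornjak.image.defaultTag` differs by a major version (`v1.6.0` versus `v2.1.0`), and the API paths in the curl tests, the `https`/`tls`/`mtls` listener block names and the `Authenticator`/`UserManagement` plugin name earlier in this diff are all tied to that version; whichever side lands, those places must move together, so a comment here listing the templates that depend on the backend version would prevent a partial bump.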
@ -1205,10 +1101,10 @@ chown:
## @param chown.image.tag Overrides the image tag whose default is the chart appVersion ## @param chown.image.tag Overrides the image tag whose default is the chart appVersion
## ##
image: image:
registry: "" registry: cgr.dev
repository: busybox repository: chainguard/bash
pullPolicy: Always pullPolicy: Always
tag: 1.37.0-uclibc tag: latest@sha256:ce272ee5a3739a3c45784c317b2fb1e93a4cc4ea1f4d3feabb702b278e5bf514
## @param chown.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## @param chown.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources: {} resources: {}
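Review bot: the `chown` init image is `busybox:1.37.0-uclibc` from an empty registry on one side and `cgr.dev/chainguard/bash` pinned by digest on the other, and both sides keep `pullPolicy: Always`; `Always` combined with a mutable tag means every pod start re-resolves the tag and can pick up a re-pushed image for an init container that rewrites ownership of the data volume, so whichever image is kept should be pinned by digest (as `tests.bash.image.tag` already is).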
@ -1243,7 +1139,7 @@ tests:
registry: cgr.dev registry: cgr.dev
repository: chainguard/bash repository: chainguard/bash
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679 tag: latest@sha256:ce272ee5a3739a3c45784c317b2fb1e93a4cc4ea1f4d3feabb702b278e5bf514
## @param kubeConfigs [object] Manage additional kubeconfig files to talk to external Kubernetes clusters ## @param kubeConfigs [object] Manage additional kubeconfig files to talk to external Kubernetes clusters
kubeConfigs: {} kubeConfigs: {}
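Review bot: the `tests.bash.image.tag` digest changed here (`sha256:330ad2...` / `sha256:ce272e...`) also appears in the tornjak-frontend values and its README table later in this diff; three copies of one digest drift easily, so either bump them in a single generated change or move the digest to a shared `global` value.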

View File

@ -3,7 +3,7 @@ name: tornjak-frontend
description: A Helm chart to deploy Tornjak frontend description: A Helm chart to deploy Tornjak frontend
type: application type: application
version: 0.1.0 version: 0.1.0
appVersion: "v2.1.0" appVersion: "v1.6.0"
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources: sources:
- https://github.com/spiffe/tornjak - https://github.com/spiffe/tornjak
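Review bot: `appVersion` changes (`v1.6.0` / `v2.1.0`) while `version: 0.1.0` stays the same; Helm expects the chart `version` to be bumped whenever `appVersion` or templates change, otherwise two different packages carry the same chart version and consumers cannot pin the one they tested.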

View File

@ -101,4 +101,4 @@ port forwarding. See the chart NOTES output for more details.
| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | | `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | | `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | | `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` | | `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:ce272ee5a3739a3c45784c317b2fb1e93a4cc4ea1f4d3feabb702b278e5bf514` |

View File

@ -162,4 +162,4 @@ tests:
registry: cgr.dev registry: cgr.dev
repository: chainguard/bash repository: chainguard/bash
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679 tag: latest@sha256:ce272ee5a3739a3c45784c317b2fb1e93a4cc4ea1f4d3feabb702b278e5bf514

View File

@ -219,24 +219,3 @@ spiffe-oidc-discovery-provider:
tornjak-frontend: tornjak-frontend:
## @param tornjak-frontend.enabled Enables deployment of Tornjak frontend/UI (Not for production) ## @param tornjak-frontend.enabled Enables deployment of Tornjak frontend/UI (Not for production)
enabled: false enabled: false
## @section SPIKE Keeper parameters
## Parameter values for SPIKE Keeper
##
spike-keeper:
## @param spike-keeper.enabled Enables deployment of SPIKE Keeper (Not for production)
enabled: false
## @section SPIKE Nexus parameters
## Parameter values for SPIKE Nexus
##
spike-nexus:
## @param spike-nexus.enabled Enables deployment of SPIKE Nexus (Not for production)
enabled: false
## @section SPIKE Pilot parameters
## Parameter values for SPIKE Pilot
##
spike-pilot:
## @param spike-pilot.enabled Enables deployment of SPIKE Pilot (Not for production)
enabled: false

View File

@ -1,74 +0,0 @@
# AWS IID Node Attestor
This document provides a concise guide to the AWS IID node attestor plugin support in your system. The AWS IID attestor plugin automatically verifies instances using AWS's Instance Metadata API and Instance Identity Document.
## Configuration
The AWS IID node attestor can be configured with the following properties:
| Parameter | Description | Default |
|-------------------------------|-----------------------------------------------------|---------|
| **nodeAttestor.awsIID.enabled** | Enable the AWS IID node attestor | false |
| **nodeAttestor.awsIID.assumeRole** | AWS IAM Role NAME to use for the attestation | "" |
### Sample Configuration
Here's a minimal configuration example for the server:
```yaml
awsIID:
enabled: true
region: "us-west-2" # Specify your desired AWS region
assumeRole: "example-role" # Specify the IAM Role NAME
```
For the agent, ensure that the `awsIID` is also enabled:
```yaml
awsIID:
enabled: true
```
**Note:** When the `awsIID` node attestor is enabled on the server, it must also be enabled on the agent to ensure proper attestation.
### IAM Role
The `assumeRole` parameter requires the name of the IAM Role you wish to use for the attestation process. Ensure this role has the appropriate permissions.
### Required IAM Policy
To facilitate the node attestation, the following IAM policy example should be attached to the IAM Role mentioned in the `assumeRole`. This policy example is needed to get the instance's info from AWS:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"iam:GetInstanceProfile"
],
"Resource": "*"
}
]
}
```
## Security Considerations
Its important to note that while the AWS Instance Identity Document is used to prove node identity, it is accessible to any process running on the instance. Therefore, precautions should be made to ensure only the desired agent uses it for attestation.
Always monitor your systems for unauthorized access attempts and ensure your IAM roles follow the principle of least privilege.
For more information on AWS IAM roles and security best practices, refer to the [AWS IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html).
## Additional Information
For more information on the server plugin, see the [Server Plugin Documentation](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_aws_iid.md).
And for the agent, see the [Agent Plugin Documentation](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_aws_iid.md).
---
By following the above guidelines, you can ensure a simple yet secure implementation of the AWS IID node attestor within your system.
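Review bot: the sample server configuration sets `region: "us-west-2"`, but the parameter table above it and the `nodeAttestor.awsIID` block in values.yaml (elsewhere in this diff) define only `enabled` and `assumeRole`, so `region` is either undocumented or ignored; document it in the table or drop it from the sample. The IAM policy uses `"Resource": "*"`; `ec2:DescribeInstances` does not support resource-level restriction, but `iam:GetInstanceProfile` can be scoped to specific instance-profile ARNs, and the section that asks for least privilege should say so. Minor: `Its important` should be `It's important`.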

View File

@ -1,14 +0,0 @@
# Details at https://github.com/spiffe/spire-credentialcomposer-cel/blob/main/README.md
spire-server:
credentialComposer:
cel:
enabled: true
jwt:
expression: |
spire.plugin.server.credentialcomposer.v1.ComposeWorkloadJWTSVIDResponse{
attributes: spire.plugin.server.credentialcomposer.v1.JWTSVIDAttributes{
claims: request.attributes.claims.mapOverrideEntries(
{'newclaim': "value"}
)
}
}

View File

@ -1,15 +0,0 @@
global:
spire:
ingressControllerType: ingress-nginx
spike-keeper:
enabled: true
#ingress:
# enabled: true
# className: nginx
spike-nexus:
enabled: true
ingress:
enabled: true
className: nginx
spike-pilot:
enabled: true
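Review bot: `spike-keeper` has its `ingress` block commented out while `spike-nexus` exposes an ingress with `className: nginx`; if that is deliberate (Keeper should stay cluster-internal), a one-line comment saying so would stop someone from uncommenting it, and if not, the example is inconsistent with `global.spire.ingressControllerType: ingress-nginx` applying to all three components.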

View File

@ -1,35 +0,0 @@
spire-server:
nodeAttestor:
k8sPSAT:
enabled: false
joinToken:
enabled: true
tpmDirect:
enabled: true
controllerManager:
enabled: true
staticManifestMode: internal
identities:
clusterStaticEntries:
foo-node:
parentID: spiffe://example.org/spire/server
spiffeID: spiffe://example.org/hosts/foo
selectors:
- tpm:pub_hash:12345
foo-kubelet:
parentID: spiffe://example.org/hosts/foo
spiffeID: spiffe://example.org/k8s/one/node/foo
selectors:
- systemd:id:kubelet.service
ingress:
enabled: true
spire-agent:
enabled: false
spiffe-csi-driver:
enabled: false
spiffe-oidc-discovery-provider:
enabled: true
bundleSource: ConfigMap
tls:
spire:
enabled: false
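Review bot: `tpm:pub_hash:12345` is a placeholder and the example should flag it as such (e.g. `# replace with the real TPM public-key hash`), because a static entry keyed on a guessable selector defeats the point of TPM attestation. Also, `spiffe-oidc-discovery-provider.tls.spire.enabled: false` together with `ingress.enabled: true` means the discovery endpoint relies on the ingress for TLS; worth a comment, since a discovery document or JWKS served over plain HTTP can be substituted by anyone on the network path. Finally, `joinToken` stays enabled next to `tpmDirect`; if only TPM attestation is intended in this example, set `joinToken.enabled: false` so the attestation surface matches the intent.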

View File

@ -6,17 +6,18 @@
## Deploy Standard SPIRE ## Deploy Standard SPIRE
Follow the production installation of SPIRE as described in the [install instructions](https://artifacthub.io/packages/helm/spiffe/spire) document. Follow the production installation of SPIRE as described in the [install instructions] (https://artifacthub.io/packages/helm/spiffe/spire) document.
## Upgrade to Enable Tornjak ## Upgrade to enable Tornjak
Before we can deploy Tornjak with SPIRE, we need to decide whether the services will be using direct access, ingress, or some other method. Before we can deploy Tornjak with SPIRE we need to decide whether the services would be
using direct access, Ingress, or some other method.
## Tornjak with Direct Access ## Tornjak with Direct Access
This can be done using port forward. This can be done using port-forward. For example, to start Tornjak APIs on port 10000
Deploy SPIRE with Tornjak enabled and start the Tornjak API on port 10000. Deploy SPIRE with Tornjak enabled
```shell ```shell
export TORNJAK_API=http://localhost:10000 export TORNJAK_API=http://localhost:10000
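Review bot: the right-hand line `[install instructions] (https://artifacthub.io/...)` has a space between the link text and the URL, which Markdown does not render as a link; the left-hand `[install instructions](https://...)` is correct. The right-hand sentence `For example, to start Tornjak APIs on port 10000` also ends mid-thought before `Deploy SPIRE with Tornjak enabled`; the left-hand rewording fixes both.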
@ -29,11 +30,14 @@ helm upgrade --install -n spire-mgmt spire spire \
--render-subchart-notes --render-subchart-notes
# test the Tornjak deployment # test the Tornjak deployment
helm test spire -n spire-mgmt helm test spire -n spire-server
``` ```
Port forward the Tornjak backend (APIs) and Tornjak frontend (UI) services. Execute these commands in separate consoles. Run following commands from your shell, to start port forwarding for Tornjak backend (APIs)
If you deployed in a different namespace, your values might differ. Consult the install notes printed when running above `helm upgrade` command in that case. and Tornjak frontend (UI) services.
If you deployed in different namespace, your values might differ. Consult the install notes printed when running above `helm upgrade` command in that case.
Since `port-forward` is a blocking command, execute them in two different consoles:
```shell ```shell
kubectl -n spire-server port-forward service/spire-tornjak-backend 10000:10000 kubectl -n spire-server port-forward service/spire-tornjak-backend 10000:10000
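Review bot: `helm test spire -n spire-server` on the right-hand side does not match the `helm upgrade --install -n spire-mgmt spire spire` release shown just above it, so the test command would look for the release in the wrong namespace; `-n spire-mgmt` (left-hand side) is the consistent value. The note that `port-forward` blocks and needs two consoles is useful and is preserved in the shorter left-hand wording.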
@ -49,7 +53,8 @@ See [values.yaml](./values.yaml) for more details on the chart configurations to
## Deploy Tornjak with ingress-nginx ## Deploy Tornjak with ingress-nginx
Update `your-values.yaml` with your ingress information (most importantly your trustDomain) and redeploy by adding the following: Update your-values.yaml with your ingress information, most importantly, trustDomain, and redeploy
adding the following:
```shell ```shell
--set global.spire.ingressControllerType=ingress-nginx \ --set global.spire.ingressControllerType=ingress-nginx \
@ -58,7 +63,8 @@ Update `your-values.yaml` with your ingress information (most importantly your t
## Deploy Tornjak with Ingress on Openshift ## Deploy Tornjak with Ingress on Openshift
Obtain the OpenShift apps subdomain for ingress and assign it to the `trustDomain` environment variable: Obtain the OpenShift Apps Subdomain for Ingress and assign it to the `trustDomain`
environment variable:
```shell ```shell
export appdomain=$(oc get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//') export appdomain=$(oc get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//')
@ -73,7 +79,8 @@ So it can be passed as follow:
--values examples/tornjak/values-ingress.yaml \ --values examples/tornjak/values-ingress.yaml \
``` ```
When running on Openshift in some environments like IBM Cloud, you may need to add the following configurations: When running on Openshift in some environments like IBM Cloud,
you might need to also add the following configurations:
```shell ```shell
--values examples/openshift/values-ibm-cloud.yaml --values examples/openshift/values-ibm-cloud.yaml
@ -88,7 +95,7 @@ curl https://tornjak-backend.$appdomain
"Welcome to the Tornjak Backend!" "Welcome to the Tornjak Backend!"
``` ```
If the APIs are accessible, we can verify the Tornjak UI (a React application running in the local browser) can be accessed. If the APIs are accessible, we can verify the Tornjak UI (A React application running in the local browser) can be accessed.
Test access to Tornjak by opening the URL provided in Tornjak-frontend route: Test access to Tornjak by opening the URL provided in Tornjak-frontend route:
```shell ```shell

View File

@ -1,20 +1,21 @@
module github.com/spiffe/helm-charts/tests module github.com/spiffe/helm-charts/tests
go 1.24.3 go 1.21
toolchain go1.24.1
require ( require (
github.com/onsi/ginkgo/v2 v2.23.4 github.com/onsi/ginkgo/v2 v2.23.4
github.com/onsi/gomega v1.38.0 github.com/onsi/gomega v1.37.0
helm.sh/helm/v3 v3.18.4 helm.sh/helm/v3 v3.17.3
) )
require ( require (
dario.cat/mergo v1.0.1 // indirect dario.cat/mergo v1.0.1 // indirect
github.com/BurntSushi/toml v1.5.0 // indirect github.com/BurntSushi/toml v1.4.0 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver/v3 v3.3.0 // indirect github.com/Masterminds/semver/v3 v3.3.0 // indirect
github.com/Masterminds/sprig/v3 v3.3.0 // indirect github.com/Masterminds/sprig/v3 v3.3.0 // indirect
github.com/cyphar/filepath-securejoin v0.4.1 // indirect github.com/cyphar/filepath-securejoin v0.3.6 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect
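Review bot: on the left, `toolchain go1.24.1` is older than the `go 1.24.3` directive above it; since the go line already requires 1.24.3, the toolchain line is at best redundant and may be rejected as lower than the go version, so bump it to `go1.24.3` or remove it. The two sides also disagree on `golang.org/x/crypto` (`v0.39.0` / `v0.36.0`), `helm.sh/helm/v3` and `filepath-securejoin` versions; make sure the merge keeps the newer set rather than silently downgrading them.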
@ -25,8 +26,10 @@ require (
github.com/go-task/slim-sprig/v3 v3.0.0 // indirect github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
github.com/gobwas/glob v0.2.3 // indirect github.com/gobwas/glob v0.2.3 // indirect
github.com/gogo/protobuf v1.3.2 // indirect github.com/gogo/protobuf v1.3.2 // indirect
github.com/google/gnostic-models v0.6.9 // indirect github.com/golang/protobuf v1.5.4 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-cmp v0.7.0 // indirect github.com/google/go-cmp v0.7.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
github.com/google/uuid v1.6.0 // indirect github.com/google/uuid v1.6.0 // indirect
github.com/huandu/xstrings v1.5.0 // indirect github.com/huandu/xstrings v1.5.0 // indirect
@ -46,26 +49,25 @@ require (
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
github.com/xeipuuv/gojsonschema v1.2.0 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect
go.uber.org/automaxprocs v1.6.0 // indirect go.uber.org/automaxprocs v1.6.0 // indirect
golang.org/x/crypto v0.39.0 // indirect golang.org/x/crypto v0.36.0 // indirect
golang.org/x/net v0.41.0 // indirect golang.org/x/net v0.37.0 // indirect
golang.org/x/oauth2 v0.28.0 // indirect golang.org/x/oauth2 v0.23.0 // indirect
golang.org/x/sys v0.33.0 // indirect golang.org/x/sys v0.32.0 // indirect
golang.org/x/term v0.32.0 // indirect golang.org/x/term v0.30.0 // indirect
golang.org/x/text v0.26.0 // indirect golang.org/x/text v0.23.0 // indirect
golang.org/x/time v0.9.0 // indirect golang.org/x/time v0.7.0 // indirect
golang.org/x/tools v0.33.0 // indirect golang.org/x/tools v0.31.0 // indirect
google.golang.org/protobuf v1.36.6 // indirect google.golang.org/protobuf v1.36.5 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/api v0.33.2 // indirect k8s.io/api v0.32.2 // indirect
k8s.io/apiextensions-apiserver v0.33.2 // indirect k8s.io/apiextensions-apiserver v0.32.2 // indirect
k8s.io/apimachinery v0.33.2 // indirect k8s.io/apimachinery v0.32.2 // indirect
k8s.io/client-go v0.33.2 // indirect k8s.io/client-go v0.32.2 // indirect
k8s.io/klog/v2 v2.130.1 // indirect k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
sigs.k8s.io/randfill v1.0.0 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect sigs.k8s.io/yaml v1.4.0 // indirect
) )
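Review bot: every golang.org/x/* pin differs between the two sides (x/crypto v0.39.0 versus v0.36.0, x/net v0.41.0 versus v0.37.0, x/oauth2 v0.28.0 versus v0.23.0, x/sys, x/term, x/text, x/time and x/tools likewise), the k8s.io/api, apiextensions-apiserver, apimachinery and client-go pins move between v0.33.2 and v0.32.2 together with kube-openapi, sigs.k8s.io/structured-merge-diff/v4 goes from v4.6.0 to v4.4.2, and sigs.k8s.io/randfill v1.0.0 appears on only one side. Two things to confirm before merging: that the branch being released ends up with the newer x/crypto and x/net pins, since those are the modules where security fixes most often land, and that all four k8s.io/* modules stay on a single minor version so client-go and apimachinery remain consistent.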

View File

@ -2,8 +2,8 @@ dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg= github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0= github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
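Review bot: github.com/BurntSushi/toml moves between v1.5.0 and v1.4.0 here, but no toml line appears in the visible go.mod hunks, so the version is being chosen transitively. Run `go mod tidy` followed by `go mod verify` on the target branch so go.sum neither keeps a hash for a version the module graph no longer selects nor lacks one the build will need.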
@ -11,8 +11,8 @@ github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lpr
github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs= github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0= github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= github.com/cyphar/filepath-securejoin v0.3.6 h1:4d9N5ykBnSp5Xn2JkhocYDkOpURL/18CYMpo6xB9uWM=
github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= github.com/cyphar/filepath-securejoin v0.3.6/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
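Review bot: github.com/cyphar/filepath-securejoin differs between the sides (v0.4.1 on the left, v0.3.6 on the right), with both the h1 and /go.mod hashes changing. This library exists to keep a joined path from escaping its root directory, which is the defence against symlink and `..` traversal in code that unpacks user-supplied archives or charts, so pinning the older version in a release should be a deliberate choice rather than a side effect of the merge direction; verify which version the released branch resolves to after `go mod tidy`.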
@ -39,12 +39,16 @@ github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8= github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA= github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
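Review bot: confirm go.mod and go.sum were regenerated together here. The right side carries h1 and /go.mod lines for github.com/golang/protobuf v1.5.4, github.com/google/gnostic-models v0.6.8 and github.com/google/gofuzz v1.2.0 while the left has gnostic-models v0.6.9 only, which matches the `// indirect` entries in the go.mod hunk; a `go mod verify` on the target branch is enough to check that these hashes agree with the module cache.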
@ -79,8 +83,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus= github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8= github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
github.com/onsi/gomega v1.38.0 h1:c/WX+w8SLAinvuKKQFh77WEucCnPk4j2OTUr7lt7BeY= github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
github.com/onsi/gomega v1.38.0/go.mod h1:OcXcwId0b9QsE7Y49u+BTrL4IdKOBOKnD6VQNTJEB6o= github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@ -88,19 +92,17 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g= github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U= github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
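Review bot: the github.com/stretchr/objx v0.5.2 h1 and /go.mod entries near the end of this hunk exist only on the left side, and github.com/rogpeppe/go-internal (v1.13.1 versus v1.12.0) and github.com/spf13/pflag (v1.0.6 versus v1.0.5) are pinned differently on each side. A go.sum entry present on one branch only usually means `go mod tidy` was run on one branch and not the other; rerun it on the target branch so the file carries neither stale hashes nor gaps.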
@ -123,46 +125,46 @@ go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwE
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM= golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U= golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw= golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA= golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc= golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8= golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M= golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA= golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc= golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI= golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY= google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
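Review bot: this is the go.sum counterpart of the golang.org/x/* split (x/crypto v0.39.0 versus v0.36.0, x/net v0.41.0 versus v0.37.0, x/oauth2 v0.28.0 versus v0.23.0, x/sys v0.33.0 versus v0.32.0, x/term, x/text, x/time, x/tools) plus google.golang.org/protobuf v1.36.6 versus v1.36.5; each pair changes both its h1 and its /go.mod hash, which is internally consistent. Note that `go mod verify` only detects a hash that no longer matches the module cache; it will not flag that a release was cut with the older x/crypto and x/net, so check that the side that wins the merge is the newer one.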
@ -173,28 +175,25 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
helm.sh/helm/v3 v3.18.4 h1:pNhnHM3nAmDrxz6/UC+hfjDY4yeDATQCka2/87hkZXQ= helm.sh/helm/v3 v3.17.3 h1:3n5rW3D0ArjFl0p4/oWO8IbY/HKaNNwJtOQFdH2AZHg=
helm.sh/helm/v3 v3.18.4/go.mod h1:WVnwKARAw01iEdjpEkP7Ii1tT1pTPYfM1HsakFKM3LI= helm.sh/helm/v3 v3.17.3/go.mod h1:+uJKMH/UiMzZQOALR3XUf3BLIoczI2RKKD6bMhPh4G8=
k8s.io/api v0.33.2 h1:YgwIS5jKfA+BZg//OQhkJNIfie/kmRsO0BmNaVSimvY= k8s.io/api v0.32.2 h1:bZrMLEkgizC24G9eViHGOPbW+aRo9duEISRIJKfdJuw=
k8s.io/api v0.33.2/go.mod h1:fhrbphQJSM2cXzCWgqU29xLDuks4mu7ti9vveEnpSXs= k8s.io/api v0.32.2/go.mod h1:hKlhk4x1sJyYnHENsrdCWw31FEmCijNGPJO5WzHiJ6Y=
k8s.io/apiextensions-apiserver v0.33.2 h1:6gnkIbngnaUflR3XwE1mCefN3YS8yTD631JXQhsU6M8= k8s.io/apiextensions-apiserver v0.32.2 h1:2YMk285jWMk2188V2AERy5yDwBYrjgWYggscghPCvV4=
k8s.io/apiextensions-apiserver v0.33.2/go.mod h1:IvVanieYsEHJImTKXGP6XCOjTwv2LUMos0YWc9O+QP8= k8s.io/apiextensions-apiserver v0.32.2/go.mod h1:GPwf8sph7YlJT3H6aKUWtd0E+oyShk/YHWQHf/OOgCA=
k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY= k8s.io/apimachinery v0.32.2 h1:yoQBR9ZGkA6Rgmhbp/yuT9/g+4lxtsGYwW6dR6BDPLQ=
k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= k8s.io/apimachinery v0.32.2/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
k8s.io/client-go v0.33.2 h1:z8CIcc0P581x/J1ZYf4CNzRKxRvQAwoAolYPbtQes+E= k8s.io/client-go v0.32.2 h1:4dYCD4Nz+9RApM2b/3BtVvBHw54QjMFUl1OLcJG5yOA=
k8s.io/client-go v0.33.2/go.mod h1:9mCgT4wROvL948w6f6ArJNb7yQd7QsvqavDeZHvNmHo= k8s.io/client-go v0.32.2/go.mod h1:fpZ4oJXclZ3r2nDOv+Ux3XcJutfrwjKTCHz2H3sww94=
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8= k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro= k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8= sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo= sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA=
sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= sigs.k8s.io/structured-merge-diff/v4 v4.4.2/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc=
sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
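Review bot: helm.sh/helm/v3 moves between v3.18.4 and v3.17.3, the k8s.io/api, apiextensions-apiserver, apimachinery, client-go and kube-openapi hashes move with the v0.33.2/v0.32.2 split, sigs.k8s.io/structured-merge-diff/v4 goes from v4.6.0 to v4.4.2, and the sigs.k8s.io/randfill v1.0.0 lines are present only on the left. Helm and the k8s.io client libraries must be built against the same Kubernetes API generation, so make sure the released branch takes all of these from one side of the diff rather than a mix.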

View File

@ -152,7 +152,7 @@ popd
helm upgrade --install spiffe-step-ssh charts/spiffe-step-ssh --set caPassword="$(cat spiffe-step-ssh-password.txt)" -f spiffe-step-ssh-values.yaml -f "${SCRIPTPATH}/ingress-values.yaml" --set trustDomain=production.other --wait --timeout 10m helm upgrade --install spiffe-step-ssh charts/spiffe-step-ssh --set caPassword="$(cat spiffe-step-ssh-password.txt)" -f spiffe-step-ssh-values.yaml -f "${SCRIPTPATH}/ingress-values.yaml" --set trustDomain=production.other --wait --timeout 10m
# Is fetchca responding. # Is fetchca responding.
kubectl exec -it -n spire-server spire-internal-server-0 -- spire-server bundle show > /tmp/ca.pem kubectl get configmap -n spire-system spire-bundle-downstream -o go-template='{{ index .data "bundle.crt" }}' > /tmp/ca.pem
cat /tmp/ca.pem cat /tmp/ca.pem
curl https://spiffe-step-ssh-fetchca.production.other -s --cacert /tmp/ca.pem curl https://spiffe-step-ssh-fetchca.production.other -s --cacert /tmp/ca.pem
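Review bot: neither form of this check fails the script when something is wrong. The right-hand side reads the trust bundle from the spire-bundle-downstream ConfigMap in spire-system with a go-template (`{{ index .data "bundle.crt" }}`), which avoids needing exec access to spire-internal-server-0, but if that key is missing the template prints nothing useful and curl then runs with an empty `--cacert`; and `curl -s` without `--fail` exits 0 on an HTTP error, so the line does not actually establish that fetchca is responding as the comment says. Guard the file with something like `[ -s /tmp/ca.pem ] || exit 1` before the curl, and add `-f` (or test the exit status) to the curl so a non-2xx or a TLS failure against the SPIRE CA aborts the script.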