Initial SPIRE 1.9.0 support (#262)
kfox1111 authored Feb 28, 2024
1 parent 40d5fef commit ac83694
Showing 14 changed files with 55 additions and 7 deletions.
2 changes: 1 addition & 1 deletion charts/spire/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ description: >
A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
type: application
version: 0.17.2
appVersion: "1.8.7"
appVersion: "1.9.0"
keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources:
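Review bot: the chart `version: 0.17.2` on the unchanged context line is not bumped together with `appVersion: "1.8.7"` → `"1.9.0"`, yet the README hunk in this same commit adds upgrade notes under a `### 0.18.x` heading; either bump `version` here or those notes will describe behaviour shipped in a chart still labelled 0.17.2. Since SPIRE 1.9.0 changes defaults that operators notice (automatic agent reattestation, no x509UniqueIdentifier in X509-SVIDs), a chart version bump is the signal consumers rely on to read the upgrade notes.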
7 changes: 6 additions & 1 deletion charts/spire/README.md
@@ -1,6 +1,6 @@
# spire

![Version: 0.17.2](https://img.shields.io/badge/Version-0.17.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.7](https://img.shields.io/badge/AppVersion-1.8.7-informational?style=flat-square)
![Version: 0.17.2](https://img.shields.io/badge/Version-0.17.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.0](https://img.shields.io/badge/AppVersion-1.9.0-informational?style=flat-square)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)

A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
Expand Down Expand Up @@ -77,6 +77,11 @@ kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeid

We only support upgrading one major version at a time. Version skipping isn't supported.

### 0.18.x

- SPIRE no longer emits x509UniqueIdentifiers in x509-SVIDS by default. The old behavior can be reenabled with spire-server.credentialComposer.uniqueID.enabled=true. See https://github.com/spiffe/spire/pull/4862 for details.
- SPIRE agents will now automatically reattest when they can. The old behavior can be reenabled with spire-agent.disableReattestToRenew=true. See https://github.com/spiffe/spire/pull/4791 for details.

### 0.17.X

- If you set spire-server.replicaCount > 1, update it to 1 before upgrading and after upgrade you can set it back to its previous value.
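Review bot: the heading `### 0.18.x` does not match the chart version this commit ships (Chart.yaml and the badge above still say 0.17.2), so either the heading or the chart version needs to change before release. In the two added bullets, `reenabled` should read `re-enabled` and `x509-SVIDS` should be `X509-SVIDs` to match the spelling used in the spire-server README table in this commit; it would also help to say explicitly that `spire-agent.disableReattestToRenew=true` is a deprecated escape hatch, so readers understand that reattestation is the intended default going forward.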
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider
description: A Helm chart to install the SPIFFE OIDC discovery provider.
type: application
version: 0.1.0
appVersion: "1.8.7"
appVersion: "1.9.0"
keywords: ["spiffe", "oidc"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources:
2 changes: 1 addition & 1 deletion charts/spire/charts/spire-agent/Chart.yaml
Expand Up @@ -3,7 +3,7 @@ name: spire-agent
description: A Helm chart to install the SPIRE agent.
type: application
version: 0.1.0
appVersion: "1.8.7"
appVersion: "1.9.0"
keywords: ["spiffe", "spire-agent"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources:
1 change: 1 addition & 0 deletions charts/spire/charts/spire-agent/README.md
Expand Up @@ -54,6 +54,7 @@ A Helm chart to install the SPIRE agent.
| `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `pem` |
| `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` |
| `availabilityTarget` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. | `""` |
| `disableReattestToRenew` | Deprecated: Allow agent to renew certificate when it expires rather than reattest | `false` |
| `server.address` | Address for Spire server | `""` |
| `server.port` | Port number for Spire server | `8081` |
| `server.namespaceOverride` | Override the namespace for Spire server | `""` |
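Review bot: the added row `disableReattestToRenew` with description `Deprecated: Allow agent to renew certificate when it expires rather than reattest` introduces a brand-new parameter already marked deprecated without saying why or what the default does instead; state that SPIRE 1.9 agents reattest automatically by default, that this flag only restores the older renew-on-expiry behaviour, and link https://github.com/spiffe/spire/pull/4791 as the top-level README does, so readers of this table do not have to cross-reference. The same sentence is duplicated verbatim in values.yaml in this commit; keep the two in sync when revising.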
3 changes: 3 additions & 0 deletions charts/spire/charts/spire-agent/templates/configmap.yaml
Expand Up @@ -23,6 +23,9 @@
{{- end }}
{{- define "spire-agent.yaml-config" -}}
agent:
{{- if .Values.disableReattestToRenew }}
disable_reattest_to_renew: true
{{- end }}
{{- if .Values.sockets.admin.enabled }}
admin_socket_dir: /tmp/spire-agent/private/admin.sock
{{- end }}
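Review bot: `disable_reattest_to_renew: true` is emitted only when `.Values.disableReattestToRenew` is truthy, so the rendered agent config never carries an explicit `false` and relies on SPIRE's own default; that matches the adjacent `admin_socket_dir` conditional, but a rendering test for this key is missing, since the unit test added in this commit only exercises the server-side `credentialComposer.uniqueID` path.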
3 changes: 3 additions & 0 deletions charts/spire/charts/spire-agent/values.yaml
Expand Up @@ -97,6 +97,9 @@ bundleConfigMap: spire-bundle
## @param availabilityTarget The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h.
availabilityTarget: ""

## @param disableReattestToRenew Deprecated: Allow agent to renew certificate when it expires rather than reattest
disableReattestToRenew: false

## @skip upstream
upstream: false

2 changes: 1 addition & 1 deletion charts/spire/charts/spire-server/Chart.yaml
Expand Up @@ -3,7 +3,7 @@ name: spire-server
description: A Helm chart to install the SPIRE server.
type: application
version: 0.1.0
appVersion: "1.8.7"
appVersion: "1.9.0"
keywords: ["spiffe", "spire-server", "spire-controller-manager"]
home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
sources:
2 changes: 2 additions & 0 deletions charts/spire/charts/spire-server/README.md
Expand Up @@ -167,6 +167,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `ca_subject.country` | Country for Spire server CA | `ARPA` |
| `ca_subject.organization` | Organization for Spire server CA | `Example` |
| `ca_subject.common_name` | Common Name for Spire server CA | `example.org` |
| `credentialComposer.uniqueID.enabled` | Add the x509UniqueIdentifier attribute to workload X509-SVIDs | `false` |
| `keyManager.disk.enabled` | Flag to enable keyManager on disk | `true` |
| `keyManager.memory.enabled` | Flag to enable keyManager in memory | `false` |
| `keyManager.awsKMS.enabled` | Flag to enable keyManager in memory | `false` |
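Review bot: the new row's description `Add the x509UniqueIdentifier attribute to workload X509-SVIDs` should say that this restores the pre-1.9 default (SPIRE 1.9 stops emitting the attribute, per the top-level README note in this commit), otherwise a reader of this table cannot tell why the default is `false` or when they would need it. Unrelated to the change but visible in the trailing context: `keyManager.awsKMS.enabled` is described as `Flag to enable keyManager in memory`, a copy of the memory entry, and is worth a drive-by fix.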
Expand Down Expand Up @@ -332,6 +333,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `tornjak.resources` | Resource requests and limits | `{}` |
| `tornjak.securityContext` | Security Context to use | `{}` |
| `customPlugins.bundlePublisher` | Custom plugins of type BundlePublisher are configured here | `{}` |
| `customPlugins.credentialComposer` | Custom plugins of type CredentialComposer are configured here | `{}` |
| `customPlugins.keyManager` | Custom plugins of type KeyManager are configured here | `{}` |
| `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` |
| `customPlugins.upstreamAuthority` | Custom plugins of type upstreamAuthority are configured here | `{}` |
7 changes: 6 additions & 1 deletion charts/spire/charts/spire-server/templates/configmap.yaml
Expand Up @@ -5,7 +5,7 @@
{{- include "spire-lib.check-strict-mode" (list . "ca_subject.organization must be set" (eq .Values.ca_subject.organization "Example"))}}
{{- include "spire-lib.check-strict-mode" (list . "ca_subject.common_name must be set" (eq .Values.ca_subject.common_name "example.org"))}}
{{- range $type, $tvals := .Values.customPlugins }}
{{- if not (has $type (list "bundlePublisher" "keyManager" "nodeAttestor" "upstreamAuthority" "notifier")) }}
{{- if not (has $type (list "bundlePublisher" "credentialComposer" "keyManager" "nodeAttestor" "upstreamAuthority" "notifier")) }}
{{- fail (printf "Unknown plugin type specified: %s" $type) }}
{{- end }}
{{- range $name, $nval := $tvals }}
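Review bot: the allow-list `(list "bundlePublisher" "credentialComposer" "keyManager" "nodeAttestor" "upstreamAuthority" "notifier")` is now maintained by hand here and again as map keys under `unsupportedBuiltInPlugins` and `customPlugins` in values.yaml; consider deriving it from a single source so the next plugin type cannot be added to values.yaml without this template rejecting it, and include the permitted types in the `Unknown plugin type specified: %s` failure message so the error is actionable for the operator.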
Expand Down Expand Up @@ -87,6 +87,11 @@ server:
{{- end }}

plugins:
{{- if .Values.credentialComposer.uniqueID.enabled }}
CredentialComposer:
uniqueid: {}
{{- end }}

DataStore:
sql:
plugin_data:
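Review bot: the built-in composer is rendered as a `CredentialComposer:` map with `uniqueid: {}` under `plugins:`, while the same plugin type is also user-configurable via `customPlugins.credentialComposer`, which the earlier hunk in this file adds to the allow-list; if the custom-plugin loop also emits a `CredentialComposer:` key, a config with both set will contain a duplicate map key, so confirm how that loop emits its type key or merge the built-in entry into the same map. A unit test rendering with both `credentialComposer.uniqueID.enabled: true` and a custom composer would catch this.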
8 changes: 8 additions & 0 deletions charts/spire/charts/spire-server/values.yaml
Expand Up @@ -284,6 +284,11 @@ ca_subject:
## @param ca_subject.common_name Common Name for Spire server CA
common_name: example.org

credentialComposer:
uniqueID:
## @param credentialComposer.uniqueID.enabled Add the x509UniqueIdentifier attribute to workload X509-SVIDs
enabled: false

keyManager:
disk:
## @param keyManager.disk.enabled Flag to enable keyManager on disk
Expand Down Expand Up @@ -811,18 +816,21 @@ tornjak:
## @skip unsupportedBuiltInPlugins
unsupportedBuiltInPlugins:
bundlePublisher: {}
credentialComposer: {}
keyManager: {}
nodeAttestor: {}
upstreamAuthority: {}
notifier: {}

## @param customPlugins.bundlePublisher Custom plugins of type BundlePublisher are configured here
## @param customPlugins.credentialComposer Custom plugins of type CredentialComposer are configured here
## @param customPlugins.keyManager Custom plugins of type KeyManager are configured here
## @param customPlugins.nodeAttestor Custom plugins of type NodeAttestor are configured here
## @param customPlugins.upstreamAuthority Custom plugins of type upstreamAuthority are configured here
## @param customPlugins.notifier Custom plugins of type notifier are configured here
customPlugins:
bundlePublisher: {}
credentialComposer: {}
keyManager: {}
nodeAttestor: {}
upstreamAuthority: {}
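Review bot: `credentialComposer: {}` is added to `unsupportedBuiltInPlugins` under `## @skip` with no explanation, whereas the `customPlugins` keys get `## @param` documentation; since the `uniqueid` composer is exposed through the dedicated `credentialComposer.uniqueID.enabled` toggle rather than this map, a one-line comment on when `unsupportedBuiltInPlugins` should be used would stop operators from configuring the same built-in plugin through both paths.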
4 changes: 3 additions & 1 deletion tests/go.mod
@@ -1,6 +1,8 @@
module github.com/spiffe/helm-charts/tests

go 1.20
go 1.21

toolchain go1.21.5

require (
github.com/onsi/ginkgo/v2 v2.15.0
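Review bot: raising `go 1.20` to `go 1.21` and adding `toolchain go1.21.5` is a test-harness toolchain change that the commit message ("Initial SPIRE 1.9.0 support") does not mention; either split it into its own commit or call it out in the message. Note also that with a `toolchain` directive, Go 1.21+ installs running with the default `GOTOOLCHAIN=auto` will fetch that exact toolchain when older, so CI should either permit that download or pin the toolchain it installs.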
6 changes: 6 additions & 0 deletions tests/go.sum
Expand Up @@ -19,7 +19,9 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI=
github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
Expand Down Expand Up @@ -67,6 +69,7 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
Expand Down Expand Up @@ -95,13 +98,15 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
Expand All @@ -113,6 +118,7 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
13 changes: 13 additions & 0 deletions tests/unit/spire_test.go
Expand Up @@ -144,6 +144,19 @@ spire-agent:
objs, err := ValueStringRender(chart, `
spire-server:
enabled: false
`)
Expect(err).Should(Succeed())
notes := objs["spire/templates/NOTES.txt"]
Expect(notes).Should(ContainSubstring("Installed"))
})
})
Describe("spire-server.credentialComposer.uniqueID", func() {
It("spire server uniqueid credential composer", func() {
objs, err := ValueStringRender(chart, `
spire-server:
credentialComposer:
uniqueID:
enabled: true
`)
Expect(err).Should(Succeed())
notes := objs["spire/templates/NOTES.txt"]
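Review bot: the new `Describe("spire-server.credentialComposer.uniqueID", ...)` case renders with `enabled: true` but, as far as the visible lines show, only retrieves `objs["spire/templates/NOTES.txt"]` exactly like the preceding test, which does not exercise the change; it should assert on the rendered spire-server ConfigMap that the `CredentialComposer` block with `uniqueid` is present when enabled, and ideally that it is absent at the default `false`, since that conditional is what the configmap.yaml hunk introduces.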
