From ac83694970f06498fc3ace0921cd3684fd80d7b1 Mon Sep 17 00:00:00 2001
From: kfox1111
Date: Wed, 28 Feb 2024 09:54:53 -0800
Subject: [PATCH] Initial SPIRE 1.9.0 support (#262)

---
 charts/spire/Chart.yaml | 2 +-
 charts/spire/README.md | 7 ++++++-
 .../spiffe-oidc-discovery-provider/Chart.yaml | 2 +-
 charts/spire/charts/spire-agent/Chart.yaml | 2 +-
 charts/spire/charts/spire-agent/README.md | 1 +
 .../charts/spire-agent/templates/configmap.yaml | 3 +++
 charts/spire/charts/spire-agent/values.yaml | 3 +++
 charts/spire/charts/spire-server/Chart.yaml | 2 +-
 charts/spire/charts/spire-server/README.md | 2 ++
 .../charts/spire-server/templates/configmap.yaml | 7 ++++++-
 charts/spire/charts/spire-server/values.yaml | 8 ++++++++
 tests/go.mod | 4 +++-
 tests/go.sum | 6 ++++++
 tests/unit/spire_test.go | 13 +++++++++++++
 14 files changed, 55 insertions(+), 7 deletions(-)

diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml
index f03638567..5dab21752 100644
--- a/charts/spire/Chart.yaml
+++ b/charts/spire/Chart.yaml
@@ -4,7 +4,7 @@ description: >
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
 version: 0.17.2
-appVersion: "1.8.7"
+appVersion: "1.9.0"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
diff --git a/charts/spire/README.md b/charts/spire/README.md
index 61eb9c58e..aa78b5430 100644
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
@@ -1,6 +1,6 @@
 # spire
-![Version: 0.17.2](https://img.shields.io/badge/Version-0.17.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.7](https://img.shields.io/badge/AppVersion-1.8.7-informational?style=flat-square)
+![Version: 0.17.2](https://img.shields.io/badge/Version-0.17.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.0](https://img.shields.io/badge/AppVersion-1.9.0-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@@ -77,6 +77,11 @@ kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeid
 We only support upgrading one major version at a time. Version skipping isn't supported.
+### 0.18.x
+
+- SPIRE no longer emits x509UniqueIdentifiers in x509-SVIDS by default. The old behavior can be reenabled with spire-server.credentialComposer.uniqueID.enabled=true. See https://github.com/spiffe/spire/pull/4862 for details.
+- SPIRE agents will now automatically reattest when they can. The old behavior can be reenabled with spire-agent.disableReattestToRenew=true. See https://github.com/spiffe/spire/pull/4791 for details.
+
 ### 0.17.X
 - If you set spire-server.replicaCount > 1, update it to 1 before upgrading and after upgrade you can set it back to its previous value.
diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml
index 3f29481c0..98f430e30 100644
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml
@@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider
 description: A Helm chart to install the SPIFFE OIDC discovery provider.
 type: application
 version: 0.1.0
-appVersion: "1.8.7"
+appVersion: "1.9.0"
 keywords: ["spiffe", "oidc"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
diff --git a/charts/spire/charts/spire-agent/Chart.yaml b/charts/spire/charts/spire-agent/Chart.yaml
index 1fc821abe..6082f0250 100644
--- a/charts/spire/charts/spire-agent/Chart.yaml
+++ b/charts/spire/charts/spire-agent/Chart.yaml
@@ -3,7 +3,7 @@ name: spire-agent
 description: A Helm chart to install the SPIRE agent.
 type: application
 version: 0.1.0
-appVersion: "1.8.7"
+appVersion: "1.9.0"
 keywords: ["spiffe", "spire-agent"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md
index bf57b7b55..204a4cc1a 100644
--- a/charts/spire/charts/spire-agent/README.md
+++ b/charts/spire/charts/spire-agent/README.md
@@ -54,6 +54,7 @@ A Helm chart to install the SPIRE agent.
 | `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `pem` |
 | `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` |
 | `availabilityTarget` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. | `""` |
+| `disableReattestToRenew` | Deprecated: Allow agent to renew certificate when it expires rather than reattest | `false` |
 | `server.address` | Address for Spire server | `""` |
 | `server.port` | Port number for Spire server | `8081` |
 | `server.namespaceOverride` | Override the namespace for Spire server | `""` |
diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml
index b89df42d1..42dd8e31c 100644
--- a/charts/spire/charts/spire-agent/templates/configmap.yaml
+++ b/charts/spire/charts/spire-agent/templates/configmap.yaml
@@ -23,6 +23,9 @@
 {{- end }}
 {{- define "spire-agent.yaml-config" -}}
 agent:
+ {{- if .Values.disableReattestToRenew }}
+ disable_reattest_to_renew: true
+ {{- end }}
 {{- if .Values.sockets.admin.enabled }}
 admin_socket_dir: /tmp/spire-agent/private/admin.sock
 {{- end }}
diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml
index 6b39da8a1..e6cd72057 100644
--- a/charts/spire/charts/spire-agent/values.yaml
+++ b/charts/spire/charts/spire-agent/values.yaml
@@ -97,6 +97,9 @@ bundleConfigMap: spire-bundle
 ## @param availabilityTarget The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h.
 availabilityTarget: ""
+## @param disableReattestToRenew Deprecated: Allow agent to renew certificate when it expires rather than reattest
+disableReattestToRenew: false
+
 ## @skip upstream
 upstream: false
diff --git a/charts/spire/charts/spire-server/Chart.yaml b/charts/spire/charts/spire-server/Chart.yaml
index 21181447c..f992a291a 100644
--- a/charts/spire/charts/spire-server/Chart.yaml
+++ b/charts/spire/charts/spire-server/Chart.yaml
@@ -3,7 +3,7 @@ name: spire-server
 description: A Helm chart to install the SPIRE server.
 type: application
 version: 0.1.0
-appVersion: "1.8.7"
+appVersion: "1.9.0"
 keywords: ["spiffe", "spire-server", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index bceb56376..be54d7d03 100644
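Review bot: The `disable_reattest_to_renew: true` emitted at the top of the `spire-agent.yaml-config` define has no strict-mode guard, whereas the server ConfigMap in this same patch refuses weak defaults through `spire-lib.check-strict-mode`. Setting it keeps the pre-1.9 path in which the agent renews its SVID instead of going back through node attestation (the patch's own README wording: "renew certificate when it expires rather than reattest"), so node identity is no longer re-verified for as long as renewal keeps succeeding; a hardened chart should at least refuse that in strict mode. If the helper is reachable from the agent subchart, one line ahead of the `if` suffices: `{{- include "spire-lib.check-strict-mode" (list . "disableReattestToRenew must be false" .Values.disableReattestToRenew) }}`. The `spire-agent.yaml-config` define continues past the end of the hunk.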
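Review bot: The `## @param disableReattestToRenew` description opens with `Deprecated:` on a value this patch introduces, which reads as if the chart option itself is already withdrawn, and it never says what an operator gives up by setting it. Suggest `## @param disableReattestToRenew Keep the pre-1.9 behaviour of renewing the agent SVID instead of re-attesting the node at rotation; this skips periodic node re-verification and maps to the upstream disable_reattest_to_renew setting, which is labelled deprecated`. The default of `false` is the right one; the wording just needs to make the trade-off visible to whoever flips it.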
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
@@ -167,6 +167,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `ca_subject.country` | Country for Spire server CA | `ARPA` |
 | `ca_subject.organization` | Organization for Spire server CA | `Example` |
 | `ca_subject.common_name` | Common Name for Spire server CA | `example.org` |
+| `credentialComposer.uniqueID.enabled` | Add the x509UniqueIdentifier attribute to workload X509-SVIDs | `false` |
 | `keyManager.disk.enabled` | Flag to enable keyManager on disk | `true` |
 | `keyManager.memory.enabled` | Flag to enable keyManager in memory | `false` |
 | `keyManager.awsKMS.enabled` | Flag to enable keyManager in memory | `false` |
@@ -332,6 +333,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `tornjak.resources` | Resource requests and limits | `{}` |
 | `tornjak.securityContext` | Security Context to use | `{}` |
 | `customPlugins.bundlePublisher` | Custom plugins of type BundlePublisher are configured here | `{}` |
+| `customPlugins.credentialComposer` | Custom plugins of type CredentialComposer are configured here | `{}` |
 | `customPlugins.keyManager` | Custom plugins of type KeyManager are configured here | `{}` |
 | `customPlugins.nodeAttestor` | Custom plugins of type NodeAttestor are configured here | `{}` |
 | `customPlugins.upstreamAuthority` | Custom plugins of type upstreamAuthority are configured here | `{}` |
diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
index c4f9d73e2..8e5ac708a 100644
--- a/charts/spire/charts/spire-server/templates/configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -5,7 +5,7 @@
 {{- include "spire-lib.check-strict-mode" (list . "ca_subject.organization must be set" (eq .Values.ca_subject.organization "Example"))}}
 {{- include "spire-lib.check-strict-mode" (list . "ca_subject.common_name must be set" (eq .Values.ca_subject.common_name "example.org"))}}
 {{- range $type, $tvals := .Values.customPlugins }}
-{{- if not (has $type (list "bundlePublisher" "keyManager" "nodeAttestor" "upstreamAuthority" "notifier")) }}
+{{- if not (has $type (list "bundlePublisher" "credentialComposer" "keyManager" "nodeAttestor" "upstreamAuthority" "notifier")) }}
 {{- fail (printf "Unknown plugin type specified: %s" $type) }}
 {{- end }}
 {{- range $name, $nval := $tvals }}
@@ -87,6 +87,11 @@ server:
 {{- end }}
 plugins:
+ {{- if .Values.credentialComposer.uniqueID.enabled }}
+ CredentialComposer:
+ uniqueid: {}
+ {{- end }}
+
 DataStore:
 sql:
 plugin_data:
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index 47d9ede36..0ee2c4af4 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -284,6 +284,11 @@ ca_subject:
 ## @param ca_subject.common_name Common Name for Spire server CA
 common_name: example.org
+credentialComposer:
+ uniqueID:
+ ## @param credentialComposer.uniqueID.enabled Add the x509UniqueIdentifier attribute to workload X509-SVIDs
+ enabled: false
+
 keyManager:
 disk:
 ## @param keyManager.disk.enabled Flag to enable keyManager on disk
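Review bot: `CredentialComposer:` is emitted under `plugins:` solely from `credentialComposer.uniqueID.enabled`, while the earlier hunk of this file now also accepts `customPlugins.credentialComposer`; how custom plugins are rendered into `plugins:` lies outside the hunk, but if they produce their own `CredentialComposer:` map, enabling both yields a duplicate key in the rendered config and whichever parser consumes it decides silently which copy wins. Either render the key once with `uniqueid: {}` and the custom entries inside the same map, or `fail` when both are set, and add a unit render with both configured to pin the chosen behaviour. The `plugins:` mapping continues past the end of the hunk.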
@@ -811,18 +816,21 @@ tornjak:
 ## @skip unsupportedBuiltInPlugins
 unsupportedBuiltInPlugins:
 bundlePublisher: {}
+ credentialComposer: {}
 keyManager: {}
 nodeAttestor: {}
 upstreamAuthority: {}
 notifier: {}
 ## @param customPlugins.bundlePublisher Custom plugins of type BundlePublisher are configured here
+## @param customPlugins.credentialComposer Custom plugins of type CredentialComposer are configured here
 ## @param customPlugins.keyManager Custom plugins of type KeyManager are configured here
 ## @param customPlugins.nodeAttestor Custom plugins of type NodeAttestor are configured here
 ## @param customPlugins.upstreamAuthority Custom plugins of type upstreamAuthority are configured here
 ## @param customPlugins.notifier Custom plugins of type notifier are configured here
 customPlugins:
 bundlePublisher: {}
+ credentialComposer: {}
 keyManager: {}
 nodeAttestor: {}
 upstreamAuthority: {}
diff --git a/tests/go.mod b/tests/go.mod
index 173ad97cb..508a4765b 100644
--- a/tests/go.mod
+++ b/tests/go.mod
@@ -1,6 +1,8 @@
 module github.com/spiffe/helm-charts/tests
-go 1.20
+go 1.21
+
+toolchain go1.21.5
 require (
 github.com/onsi/ginkgo/v2 v2.15.0
diff --git a/tests/go.sum b/tests/go.sum
index d3e9f5987..779a9c24f 100644
--- a/tests/go.sum
+++ b/tests/go.sum
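Review bot: The new `toolchain go1.21.5` line changes which compiler CI runs, not only the language level: with a Go 1.21+ `go` command and the default `GOTOOLCHAIN=auto`, a `go test` started from an older installed toolchain downloads go1.21.5 from the module proxy and switches to it. That download is checksum-verified, but it is an unannounced toolchain swap in a repository whose purpose is hardening, so either keep whatever pins the Go version in CI in step with this line or export `GOTOOLCHAIN=local` there so a mismatch fails loudly instead of fetching.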
@@ -19,7 +19,9 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI=
+github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
+github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
 github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
 github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
@@ -67,6 +69,7 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -95,6 +98,7 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
 github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
@@ -102,6 +106,7 @@ github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkU
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
 github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -113,6 +118,7 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
diff --git a/tests/unit/spire_test.go b/tests/unit/spire_test.go
index f3566362e..7e6e1f096 100644
--- a/tests/unit/spire_test.go
+++ b/tests/unit/spire_test.go
@@ -144,6 +144,19 @@ spire-agent:
 objs, err := ValueStringRender(chart, `
 spire-server:
 enabled: false
+`)
+Expect(err).Should(Succeed())
+notes := objs["spire/templates/NOTES.txt"]
+Expect(notes).Should(ContainSubstring("Installed"))
+})
+})
+Describe("spire-server.credentialComposer.uniqueID", func() {
+It("spire server uniqueid credential composer", func() {
+objs, err := ValueStringRender(chart, `
+spire-server:
+ credentialComposer:
+ uniqueID:
+ enabled: true
 `)
 Expect(err).Should(Succeed())
 notes := objs["spire/templates/NOTES.txt"]
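Review bot: The new `spire server uniqueid credential composer` case only verifies that rendering succeeds and that NOTES.txt contains `Installed`; nothing checks that `credentialComposer.uniqueID.enabled: true` actually reaches the server config, so a mistyped values path or a dropped `if` in the template would still pass. Add an assertion on the rendered server ConfigMap, e.g. `Expect(objs["spire/charts/spire-server/templates/configmap.yaml"]).Should(ContainSubstring("uniqueid"))` — the key under which `ValueStringRender` exposes subchart templates is not visible here, so match it against the existing `spire/templates/NOTES.txt` key. A companion render with the default left at `false` asserting `CredentialComposer` is absent would pin the opt-in default. The `It` and its enclosing `Describe` close outside the hunk.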