From dcd4b6df2e3fc31092b446b06bc8b16f86bf17a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20=C3=96z=C3=A7elik?= Date: Sun, 28 Jul 2024 14:57:15 -0700 Subject: [PATCH] =?UTF-8?q?=F0=9F=A7=B9=20chore(vsecm):=20Release=20next?= =?UTF-8?q?=20version's=20manifests=20(#1087)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Release next version’s manifests. 
Signed-off-by: Volkan Özçelik --- Makefile | 2 +- dockerfiles/example/init-container.Dockerfile | 2 +- .../example/multiple-secrets.Dockerfile | 2 +- dockerfiles/example/sdk-go.Dockerfile | 2 +- dockerfiles/example/sidecar.Dockerfile | 2 +- dockerfiles/util/inspector.Dockerfile | 2 +- dockerfiles/util/keygen.Dockerfile | 2 +- .../vsecm-ist-fips/init-container.Dockerfile | 2 +- .../vsecm-ist-fips/keystone.Dockerfile | 2 +- dockerfiles/vsecm-ist-fips/safe.Dockerfile | 2 +- .../vsecm-ist-fips/sentinel.Dockerfile | 2 +- dockerfiles/vsecm-ist-fips/sidecar.Dockerfile | 2 +- .../vsecm-ist/init-container.Dockerfile | 2 +- dockerfiles/vsecm-ist/keystone.Dockerfile | 2 +- dockerfiles/vsecm-ist/safe.Dockerfile | 2 +- dockerfiles/vsecm-ist/sentinel.Dockerfile | 2 +- dockerfiles/vsecm-ist/sidecar.Dockerfile | 2 +- docs/config.toml | 2 +- .../multiple_secrets/k8s/image-override.yaml | 2 +- examples/operator_decrpyt_secrets/reveal.sh | 2 +- .../k8s/image-override.yaml | 4 +- examples/using_sdk_go/k8s/image-override.yaml | 2 +- .../using_sidecar/k8s/image-override.yaml | 4 +- .../init-container/Deployment.yaml | 4 +- .../init-container/image-override.yaml | 4 +- .../workshop_aegis/inspector/Deployment.yaml | 2 +- .../inspector/image-override.yaml | 2 +- examples/workshop_aegis/sdk/Deployment.yaml | 2 +- .../workshop_aegis/sdk/image-override.yaml | 2 +- .../workshop_aegis/sidecar/Deployment.yaml | 4 +- .../sidecar/image-override.yaml | 4 +- .../cluster-1/inspector/Deployment.yaml | 2 +- .../cluster-1/sentinel/Deployment.yaml | 2 +- .../cluster-2/safe/Deployment.yaml | 2 +- .../k8s/Deployment.yaml | 2 +- .../workshop_vsecm/hack/015-reveal-secrets.sh | 2 +- .../example-init-container/Deployment.yaml | 4 +- .../workloads/inspector/Deployment.yaml | 2 +- .../workloads/keycloak/Deployment.yaml | 2 +- hack/create-custom-manifest.sh | 4 +- hack/tag-docker.sh | 2 +- helm-charts-playground/app/main.go | 4 +- helm-charts/0.27.0/Chart.yaml | 69 ----- helm-charts/0.27.0/README.md | 147 
----------- helm-charts/0.27.0/README.md.gotmpl | 104 -------- .../0.27.0/charts/keystone/.helmignore | 23 -- helm-charts/0.27.0/charts/keystone/Chart.yaml | 34 --- helm-charts/0.27.0/charts/keystone/README.md | 37 --- .../charts/keystone/templates/Deployment.yaml | 156 ------------ .../charts/keystone/templates/Identity.yaml | 26 -- .../keystone/templates/ServiceAccount.yaml | 24 -- .../charts/keystone/templates/_helpers.tpl | 86 ------- .../0.27.0/charts/keystone/values.yaml | 108 -------- helm-charts/0.27.0/charts/safe/.helmignore | 23 -- helm-charts/0.27.0/charts/safe/Chart.yaml | 34 --- helm-charts/0.27.0/charts/safe/README.md | 59 ----- .../charts/safe/templates/Identity.yaml | 26 -- .../charts/safe/templates/RoleBinding.yaml | 44 ---- .../0.27.0/charts/safe/templates/Secret.yaml | 25 -- .../0.27.0/charts/safe/templates/Service.yaml | 26 -- .../charts/safe/templates/ServiceAccount.yaml | 28 -- .../charts/safe/templates/StatefulSet.yaml | 195 -------------- .../0.27.0/charts/safe/templates/_helpers.tpl | 86 ------- .../templates/hook-preinstall-namespace.yaml | 14 - .../safe/templates/hook-preinstall-role.yaml | 72 ------ helm-charts/0.27.0/charts/safe/values.yaml | 191 -------------- .../0.27.0/charts/sentinel/.helmignore | 23 -- helm-charts/0.27.0/charts/sentinel/Chart.yaml | 34 --- helm-charts/0.27.0/charts/sentinel/README.md | 45 ---- .../charts/sentinel/templates/Deployment.yaml | 157 ------------ .../charts/sentinel/templates/Identity.yaml | 26 -- .../charts/sentinel/templates/Role.yaml | 22 -- .../sentinel/templates/RoleBinding.yaml | 23 -- .../charts/sentinel/templates/Secret.yaml | 25 -- .../sentinel/templates/ServiceAccount.yaml | 28 -- .../charts/sentinel/templates/_helpers.tpl | 86 ------- .../0.27.0/charts/sentinel/values.yaml | 163 ------------ helm-charts/0.27.0/charts/spire/.helmignore | 23 -- helm-charts/0.27.0/charts/spire/Chart.yaml | 34 --- helm-charts/0.27.0/charts/spire/README.md | 36 --- .../charts/spire/templates/_helpers.tpl | 61 ----- 
.../templates/clusterrole-spire-agent.yaml | 22 -- ...spire-server-spire-controller-manager.yaml | 57 ----- ...clusterrole-spire-server-spire-server.yaml | 31 --- .../clusterrolebinding-spire-agent.yaml | 23 -- ...spire-server-spire-controller-manager.yaml | 22 -- ...rolebinding-spire-server-spire-server.yaml | 24 -- ...erspiffeid-spire-server-spire-default.yaml | 27 -- ...spiffeid-spire-server-spire-test-keys.yaml | 30 --- .../templates/configmap-spire-agent.yaml | 76 ------ .../templates/configmap-spire-bundle.yaml | 15 -- .../configmap-spire-controller-manager.yaml | 76 ------ .../templates/configmap-spire-server.yaml | 118 --------- .../templates/daemonset-spire-agent.yaml | 170 ------------- .../daemonset-spire-spiffe-csi-driver.yaml | 150 ----------- ...clusterrole-spire-server-post-install.yaml | 22 -- ...clusterrole-spire-server-post-upgrade.yaml | 22 -- ...-clusterrole-spire-server-pre-upgrade.yaml | 22 -- ...rolebinding-spire-server-post-install.yaml | 25 -- ...rolebinding-spire-server-post-upgrade.yaml | 25 -- ...rrolebinding-spire-server-pre-upgrade.yaml | 25 -- .../hook-job-spire-server-post-install.yaml | 78 ------ .../hook-job-spire-server-post-upgrade.yaml | 77 ------ .../hook-job-spire-server-pre-upgrade.yaml | 77 ------ ...ok-preinstall-csidriver-csi.spiffe.io.yaml | 37 --- ...ook-preinstall-namespace-spire-server.yaml | 23 -- ...ook-preinstall-namespace-spire-system.yaml | 23 -- ...viceaccount-spire-server-post-install.yaml | 24 -- ...viceaccount-spire-server-post-upgrade.yaml | 24 -- ...rviceaccount-spire-server-pre-upgrade.yaml | 24 -- ...penshift-security-context-constraints.yaml | 105 -------- .../spire/templates/role-spire-bundle.yaml | 23 -- ...re-controller-manager-leader-election.yaml | 25 -- .../templates/rolebinding-spire-bundle.yaml | 23 -- ...re-controller-manager-leader-election.yaml | 23 -- ...vice-spire-controller-manager-webhook.yaml | 31 --- .../spire/templates/service-spire-server.yaml | 31 --- 
.../templates/serviceaccount-spire-agent.yaml | 21 -- .../serviceaccount-spire-server.yaml | 21 -- ...erviceaccount-spire-spiffe-csi-driver.yaml | 21 -- .../templates/statefulset-spire-server.yaml | 201 --------------- ...rver-spire-controller-manager-webhook.yaml | 43 ---- helm-charts/0.27.0/charts/spire/values.yaml | 127 ---------- helm-charts/0.27.0/values-custom.yaml | 100 -------- helm-charts/0.27.0/values.yaml | 194 -------------- helm-charts/0.27.1/README.md | 18 +- helm-charts/0.27.1/charts/keystone/Chart.yaml | 4 +- helm-charts/0.27.1/charts/keystone/README.md | 2 +- helm-charts/0.27.1/charts/safe/README.md | 2 +- helm-charts/0.27.1/charts/sentinel/README.md | 2 +- helm-charts/0.27.1/charts/spire/README.md | 3 +- helm-charts/0.27.1/values-custom.yaml | 8 +- helm-charts/0.27.1/values.yaml | 8 +- ...piffe.io_clusterfederatedtrustdomains.yaml | 100 -------- .../spire.spiffe.io_clusterspiffeids.yaml | 239 ------------------ .../spire.spiffe.io_clusterstaticentries.yaml | 103 -------- ...re.spiffe.io_controllermanagerconfigs.yaml | 68 ----- ...piffe.io_clusterfederatedtrustdomains.yaml | 0 .../spire.spiffe.io_clusterspiffeids.yaml | 0 .../spire.spiffe.io_clusterstaticentries.yaml | 0 ...re.spiffe.io_controllermanagerconfigs.yaml | 0 .../eks/vsecm-distroless-fips.yaml | 56 ++-- .../eks/vsecm-distroless.yaml | 56 ++-- .../local/vsecm-distroless-fips.yaml | 56 ++-- .../local/vsecm-distroless.yaml | 56 ++-- .../remote/vsecm-distroless-fips.yaml | 56 ++-- .../remote/vsecm-distroless.yaml | 56 ++-- k8s/{0.27.0 => 0.27.1}/spire.yaml | 30 +-- 148 files changed, 258 insertions(+), 5548 deletions(-) delete mode 100644 helm-charts/0.27.0/Chart.yaml delete mode 100644 helm-charts/0.27.0/README.md delete mode 100644 helm-charts/0.27.0/README.md.gotmpl delete mode 100644 helm-charts/0.27.0/charts/keystone/.helmignore delete mode 100644 helm-charts/0.27.0/charts/keystone/Chart.yaml delete mode 100644 helm-charts/0.27.0/charts/keystone/README.md delete mode 100644 
helm-charts/0.27.0/charts/keystone/templates/Deployment.yaml delete mode 100644 helm-charts/0.27.0/charts/keystone/templates/Identity.yaml delete mode 100644 helm-charts/0.27.0/charts/keystone/templates/ServiceAccount.yaml delete mode 100644 helm-charts/0.27.0/charts/keystone/templates/_helpers.tpl delete mode 100644 helm-charts/0.27.0/charts/keystone/values.yaml delete mode 100644 helm-charts/0.27.0/charts/safe/.helmignore delete mode 100644 helm-charts/0.27.0/charts/safe/Chart.yaml delete mode 100644 helm-charts/0.27.0/charts/safe/README.md delete mode 100644 helm-charts/0.27.0/charts/safe/templates/Identity.yaml delete mode 100644 helm-charts/0.27.0/charts/safe/templates/RoleBinding.yaml delete mode 100644 helm-charts/0.27.0/charts/safe/templates/Secret.yaml delete mode 100644 helm-charts/0.27.0/charts/safe/templates/Service.yaml delete mode 100644 helm-charts/0.27.0/charts/safe/templates/ServiceAccount.yaml delete mode 100644 helm-charts/0.27.0/charts/safe/templates/StatefulSet.yaml delete mode 100644 helm-charts/0.27.0/charts/safe/templates/_helpers.tpl delete mode 100644 helm-charts/0.27.0/charts/safe/templates/hook-preinstall-namespace.yaml delete mode 100644 helm-charts/0.27.0/charts/safe/templates/hook-preinstall-role.yaml delete mode 100644 helm-charts/0.27.0/charts/safe/values.yaml delete mode 100644 helm-charts/0.27.0/charts/sentinel/.helmignore delete mode 100644 helm-charts/0.27.0/charts/sentinel/Chart.yaml delete mode 100644 helm-charts/0.27.0/charts/sentinel/README.md delete mode 100644 helm-charts/0.27.0/charts/sentinel/templates/Deployment.yaml delete mode 100644 helm-charts/0.27.0/charts/sentinel/templates/Identity.yaml delete mode 100644 helm-charts/0.27.0/charts/sentinel/templates/Role.yaml delete mode 100644 helm-charts/0.27.0/charts/sentinel/templates/RoleBinding.yaml delete mode 100644 helm-charts/0.27.0/charts/sentinel/templates/Secret.yaml delete mode 100644 helm-charts/0.27.0/charts/sentinel/templates/ServiceAccount.yaml delete mode 
100644 helm-charts/0.27.0/charts/sentinel/templates/_helpers.tpl delete mode 100644 helm-charts/0.27.0/charts/sentinel/values.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/.helmignore delete mode 100644 helm-charts/0.27.0/charts/spire/Chart.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/README.md delete mode 100644 helm-charts/0.27.0/charts/spire/templates/_helpers.tpl delete mode 100644 helm-charts/0.27.0/charts/spire/templates/clusterrole-spire-agent.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/clusterrole-spire-server-spire-controller-manager.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/clusterrole-spire-server-spire-server.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/clusterrolebinding-spire-agent.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/clusterrolebinding-spire-server-spire-controller-manager.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/clusterrolebinding-spire-server-spire-server.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/clusterspiffeid-spire-server-spire-default.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/clusterspiffeid-spire-server-spire-test-keys.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/configmap-spire-agent.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/configmap-spire-bundle.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/configmap-spire-controller-manager.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/configmap-spire-server.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/daemonset-spire-agent.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/daemonset-spire-spiffe-csi-driver.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/hook-clusterrole-spire-server-post-install.yaml delete mode 100644 
helm-charts/0.27.0/charts/spire/templates/hook-clusterrole-spire-server-post-upgrade.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/hook-clusterrole-spire-server-pre-upgrade.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/hook-clusterrolebinding-spire-server-post-install.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/hook-clusterrolebinding-spire-server-post-upgrade.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/hook-clusterrolebinding-spire-server-pre-upgrade.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/hook-job-spire-server-post-install.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/hook-job-spire-server-post-upgrade.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/hook-job-spire-server-pre-upgrade.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/hook-preinstall-csidriver-csi.spiffe.io.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/hook-preinstall-namespace-spire-server.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/hook-preinstall-namespace-spire-system.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/hook-serviceaccount-spire-server-post-install.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/hook-serviceaccount-spire-server-post-upgrade.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/hook-serviceaccount-spire-server-pre-upgrade.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/openshift-security-context-constraints.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/role-spire-bundle.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/role-spire-controller-manager-leader-election.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/rolebinding-spire-bundle.yaml delete mode 100644 
helm-charts/0.27.0/charts/spire/templates/rolebinding-spire-controller-manager-leader-election.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/service-spire-controller-manager-webhook.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/service-spire-server.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/serviceaccount-spire-agent.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/serviceaccount-spire-server.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/serviceaccount-spire-spiffe-csi-driver.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/statefulset-spire-server.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/templates/validatingwebhookconfiguration-spire-server-spire-controller-manager-webhook.yaml delete mode 100644 helm-charts/0.27.0/charts/spire/values.yaml delete mode 100644 helm-charts/0.27.0/values-custom.yaml delete mode 100644 helm-charts/0.27.0/values.yaml delete mode 100644 k8s/0.27.0/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml delete mode 100644 k8s/0.27.0/crds/spire.spiffe.io_clusterspiffeids.yaml delete mode 100644 k8s/0.27.0/crds/spire.spiffe.io_clusterstaticentries.yaml delete mode 100644 k8s/0.27.0/crds/spire.spiffe.io_controllermanagerconfigs.yaml rename {helm-charts/0.27.0 => k8s/0.27.1}/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml (100%) rename {helm-charts/0.27.0 => k8s/0.27.1}/crds/spire.spiffe.io_clusterspiffeids.yaml (100%) rename {helm-charts/0.27.0 => k8s/0.27.1}/crds/spire.spiffe.io_clusterstaticentries.yaml (100%) rename {helm-charts/0.27.0 => k8s/0.27.1}/crds/spire.spiffe.io_controllermanagerconfigs.yaml (100%) rename k8s/{0.27.0 => 0.27.1}/eks/vsecm-distroless-fips.yaml (97%) rename k8s/{0.27.0 => 0.27.1}/eks/vsecm-distroless.yaml (96%) rename k8s/{0.27.0 => 0.27.1}/local/vsecm-distroless-fips.yaml (96%) rename k8s/{0.27.0 => 0.27.1}/local/vsecm-distroless.yaml (96%) rename k8s/{0.27.0 => 
0.27.1}/remote/vsecm-distroless-fips.yaml (96%) rename k8s/{0.27.0 => 0.27.1}/remote/vsecm-distroless.yaml (96%) rename k8s/{0.27.0 => 0.27.1}/spire.yaml (99%)
diff --git a/Makefile b/Makefile
index bcb56442..90b91bbd 100644
--- a/Makefile
+++ b/Makefile
@@ -12,7 +12,7 @@ ifdef VSECM_VERSION VERSION := $(VSECM_VERSION) else
- VERSION := 0.27.0
+ VERSION := 0.27.1
 endif # Set deploySpire to false, if you want to use existing spire deployment
diff --git a/dockerfiles/example/init-container.Dockerfile b/dockerfiles/example/init-container.Dockerfile
index 9a1d0b1c..112a6df9 100644
--- a/dockerfiles/example/init-container.Dockerfile
+++ b/dockerfiles/example/init-container.Dockerfile
@@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o example \ # generate clean, final image for end users FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.0"
+ENV APP_VERSION="0.27.1"
 LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/example/multiple-secrets.Dockerfile b/dockerfiles/example/multiple-secrets.Dockerfile
index 7bd077df..e660d91b 100644
--- a/dockerfiles/example/multiple-secrets.Dockerfile
+++ b/dockerfiles/example/multiple-secrets.Dockerfile
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o sloth \ # generate clean, final image for end users FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.0"
+ENV APP_VERSION="0.27.1"
 LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/example/sdk-go.Dockerfile b/dockerfiles/example/sdk-go.Dockerfile
index 60f639b0..93a2135e 100644
--- a/dockerfiles/example/sdk-go.Dockerfile
+++ b/dockerfiles/example/sdk-go.Dockerfile
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o env \ # generate clean, final image for end users FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.0"
+ENV APP_VERSION="0.27.1"
 LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/example/sidecar.Dockerfile b/dockerfiles/example/sidecar.Dockerfile
index 6943b2e0..54f8cd97 100644
--- a/dockerfiles/example/sidecar.Dockerfile
+++ b/dockerfiles/example/sidecar.Dockerfile
@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o env \ # generate clean, final image for end users FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.0"
+ENV APP_VERSION="0.27.1"
 LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/util/inspector.Dockerfile b/dockerfiles/util/inspector.Dockerfile
index ff2c7388..266f191a 100644
--- a/dockerfiles/util/inspector.Dockerfile
+++ b/dockerfiles/util/inspector.Dockerfile
@@ -27,7 +27,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o sloth \ # generate clean, final image for end users FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.0"
+ENV APP_VERSION="0.27.1"
 LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/util/keygen.Dockerfile b/dockerfiles/util/keygen.Dockerfile
index 1f651e83..6cf507f4 100644
--- a/dockerfiles/util/keygen.Dockerfile
+++ b/dockerfiles/util/keygen.Dockerfile
@@ -24,7 +24,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-keygen \ # generate clean, final image for end users FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.0"
+ENV APP_VERSION="0.27.1"
 LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist-fips/init-container.Dockerfile b/dockerfiles/vsecm-ist-fips/init-container.Dockerfile
index c4236085..1c4e15cd 100644
--- a/dockerfiles/vsecm-ist-fips/init-container.Dockerfile
+++ b/dockerfiles/vsecm-ist-fips/init-container.Dockerfile
@@ -27,7 +27,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a - # generate clean, final image for end users FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.0"
+ENV APP_VERSION="0.27.1"
 LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist-fips/keystone.Dockerfile b/dockerfiles/vsecm-ist-fips/keystone.Dockerfile
index e0a0c7ed..1b691ec5 100644
--- a/dockerfiles/vsecm-ist-fips/keystone.Dockerfile
+++ b/dockerfiles/vsecm-ist-fips/keystone.Dockerfile
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a - # generate clean, final image for end users FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.0"
+ENV APP_VERSION="0.27.1"
 LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist-fips/safe.Dockerfile b/dockerfiles/vsecm-ist-fips/safe.Dockerfile
index 19ee7813..6bfd9e4f 100644
--- a/dockerfiles/vsecm-ist-fips/safe.Dockerfile
+++ b/dockerfiles/vsecm-ist-fips/safe.Dockerfile
@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a - # generate clean, final image for end users FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.0"
+ENV APP_VERSION="0.27.1"
 LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist-fips/sentinel.Dockerfile b/dockerfiles/vsecm-ist-fips/sentinel.Dockerfile
index 3f9ed70d..d77954ab 100644
--- a/dockerfiles/vsecm-ist-fips/sentinel.Dockerfile
+++ b/dockerfiles/vsecm-ist-fips/sentinel.Dockerfile
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a - # generate clean, final image for end users FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.0"
+ENV APP_VERSION="0.27.1"
 LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist-fips/sidecar.Dockerfile b/dockerfiles/vsecm-ist-fips/sidecar.Dockerfile
index cbf7c89c..b260046f 100644
--- a/dockerfiles/vsecm-ist-fips/sidecar.Dockerfile
+++ b/dockerfiles/vsecm-ist-fips/sidecar.Dockerfile
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a - # generate clean, final image for end users FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.0"
+ENV APP_VERSION="0.27.1"
 LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist/init-container.Dockerfile b/dockerfiles/vsecm-ist/init-container.Dockerfile
index e1a308fe..a27996e5 100644
--- a/dockerfiles/vsecm-ist/init-container.Dockerfile
+++ b/dockerfiles/vsecm-ist/init-container.Dockerfile
@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-init-container \ # generate clean, final image for end users FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.0"
+ENV APP_VERSION="0.27.1"
 LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist/keystone.Dockerfile b/dockerfiles/vsecm-ist/keystone.Dockerfile
index 12b6cc79..e25eac08 100644
--- a/dockerfiles/vsecm-ist/keystone.Dockerfile
+++ b/dockerfiles/vsecm-ist/keystone.Dockerfile
@@ -24,7 +24,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-keystone \ # generate clean, final image for end users FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.0"
+ENV APP_VERSION="0.27.1"
 LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist/safe.Dockerfile b/dockerfiles/vsecm-ist/safe.Dockerfile
index 28237bef..7c17fb3b 100644
--- a/dockerfiles/vsecm-ist/safe.Dockerfile
+++ b/dockerfiles/vsecm-ist/safe.Dockerfile
@@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-safe ./app/safe/cm # generate clean, final image for end users FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.0"
+ENV APP_VERSION="0.27.1"
 LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist/sentinel.Dockerfile b/dockerfiles/vsecm-ist/sentinel.Dockerfile
index 7847ef45..f5497a46 100644
--- a/dockerfiles/vsecm-ist/sentinel.Dockerfile
+++ b/dockerfiles/vsecm-ist/sentinel.Dockerfile
@@ -24,7 +24,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o sloth ./app/sentinel/bac # generate clean, final image for end users FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.0"
+ENV APP_VERSION="0.27.1"
 LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION
diff --git a/dockerfiles/vsecm-ist/sidecar.Dockerfile b/dockerfiles/vsecm-ist/sidecar.Dockerfile
index 86339a42..4ad23351 100644
--- a/dockerfiles/vsecm-ist/sidecar.Dockerfile
+++ b/dockerfiles/vsecm-ist/sidecar.Dockerfile
@@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-sidecar ./app/side # generate clean, final image for end users FROM gcr.io/distroless/static-debian11
-ENV APP_VERSION="0.27.0"
+ENV APP_VERSION="0.27.1"
 LABEL "maintainers"="VSecM Maintainers " LABEL "version"=$APP_VERSION
diff --git a/docs/config.toml b/docs/config.toml
index 18fee34d..2bcc405d 100644
--- a/docs/config.toml
+++ b/docs/config.toml
@@ -22,4 +22,4 @@ smart_punctuation = true [extra] author = "VMware Secrets Manager Contributors"
-version = "0.27.0"
+version = "0.27.1"
diff --git a/examples/multiple_secrets/k8s/image-override.yaml b/examples/multiple_secrets/k8s/image-override.yaml
index 93eb88fb..4ed722c3 100644
--- a/examples/multiple_secrets/k8s/image-override.yaml
+++ b/examples/multiple_secrets/k8s/image-override.yaml
@@ -19,7 +19,7 @@ spec: containers: - name: main # Change this, if you want to use a different image:
- image: localhost:5000/example-multiple-secrets:0.27.0
+ image: localhost:5000/example-multiple-secrets:0.27.1
 env: - name: VSECM_LOG_LEVEL value: "7"
\ No newline at end of file
diff --git a/examples/operator_decrpyt_secrets/reveal.sh b/examples/operator_decrpyt_secrets/reveal.sh
index aee2d365..36916257 100644
--- a/examples/operator_decrpyt_secrets/reveal.sh
+++ b/examples/operator_decrpyt_secrets/reveal.sh
@@ -9,7 +9,7 @@ # <>/' Copyright 2023-present VMware Secrets Manager contributors. # >/' SPDX-License-Identifier: BSD-2-Clause # */
-VERSION="0.27.0"
+VERSION="0.27.1"
 docker run --rm \ -v "$(pwd)":/vsecm \
diff --git a/examples/using_init_container/k8s/image-override.yaml b/examples/using_init_container/k8s/image-override.yaml
index db31adbf..ff7720e6 100644
--- a/examples/using_init_container/k8s/image-override.yaml
+++ b/examples/using_init_container/k8s/image-override.yaml
@@ -19,8 +19,8 @@ spec: containers: - name: main # Change this, if you want to use a different image:
- image: localhost:5000/example-using-init-container:0.27.0
+ image: localhost:5000/example-using-init-container:0.27.1
 initContainers: - name: init-container # Change this, if you want to use a different image:
- image: localhost:5000/vsecm-ist-init-container:0.27.0
+ image: localhost:5000/vsecm-ist-init-container:0.27.1
diff --git a/examples/using_sdk_go/k8s/image-override.yaml b/examples/using_sdk_go/k8s/image-override.yaml
index 89cc6a5a..83ef1070 100644
--- a/examples/using_sdk_go/k8s/image-override.yaml
+++ b/examples/using_sdk_go/k8s/image-override.yaml
@@ -19,4 +19,4 @@ spec: containers: - name: main # Change this, if you want to use a different image
- image: localhost:5000/example-using-sdk-go:0.27.0
+ image: localhost:5000/example-using-sdk-go:0.27.1
diff --git a/examples/using_sidecar/k8s/image-override.yaml b/examples/using_sidecar/k8s/image-override.yaml
index 87d7a4c6..4d75d99d 100644
--- a/examples/using_sidecar/k8s/image-override.yaml
+++ b/examples/using_sidecar/k8s/image-override.yaml
@@ -19,7 +19,7 @@ spec: containers: - name: main # Change this, if you want to use a different image
- image: localhost:5000/example-using-sidecar:0.27.0
+ image: localhost:5000/example-using-sidecar:0.27.1
 - name: sidecar # Change this, if you want to use a different image
- image: localhost:5000/vsecm-ist-sidecar:0.27.0
+ image: localhost:5000/vsecm-ist-sidecar:0.27.1
diff --git a/examples/workshop_aegis/init-container/Deployment.yaml b/examples/workshop_aegis/init-container/Deployment.yaml
index 3a8b050b..3d8c7b64 100644
--- a/examples/workshop_aegis/init-container/Deployment.yaml
+++ b/examples/workshop_aegis/init-container/Deployment.yaml
@@ -28,7 +28,7 @@ spec: serviceAccountName: example containers: - name: main
- image: vsecm/example-using-init-container:0.27.0
+ image: vsecm/example-using-init-container:0.27.1
 env: - name: SECRET valueFrom:
@@ -50,7 +50,7 @@ spec: # See `./register.sh` to register the workload and finalize # this init container. - name: init-container
- image: vsecm/vsecm-ist-init-container:0.27.0
+ image: vsecm/vsecm-ist-init-container:0.27.1
 volumeMounts: # Volume mount for SPIRE unix domain socket. - name: spire-agent-socket
diff --git a/examples/workshop_aegis/init-container/image-override.yaml b/examples/workshop_aegis/init-container/image-override.yaml
index 37404c8b..276567c9 100644
--- a/examples/workshop_aegis/init-container/image-override.yaml
+++ b/examples/workshop_aegis/init-container/image-override.yaml
@@ -18,7 +18,7 @@ spec: spec: containers: - name: main
- image: localhost:5000/example-using-init-container:0.27.0
+ image: localhost:5000/example-using-init-container:0.27.1
 initContainers: - name: init-container
- image: localhost:5000/vsecm-ist-init-container:0.27.0
+ image: localhost:5000/vsecm-ist-init-container:0.27.1
diff --git a/examples/workshop_aegis/inspector/Deployment.yaml b/examples/workshop_aegis/inspector/Deployment.yaml
index 7390e331..e7c8610b 100644
--- a/examples/workshop_aegis/inspector/Deployment.yaml
+++ b/examples/workshop_aegis/inspector/Deployment.yaml
@@ -28,7 +28,7 @@ spec: serviceAccountName: vsecm-inspector containers: - name: main
- image: vsecm/example-multiple-secrets:0.27.0
+ image: vsecm/example-multiple-secrets:0.27.1
 volumeMounts: # Volume mount for SPIRE unix domain socket. - name: spire-agent-socket
diff --git a/examples/workshop_aegis/inspector/image-override.yaml b/examples/workshop_aegis/inspector/image-override.yaml
index d22fd887..a38fed0e 100644
--- a/examples/workshop_aegis/inspector/image-override.yaml
+++ b/examples/workshop_aegis/inspector/image-override.yaml
@@ -18,7 +18,7 @@ spec: spec: containers: - name: main
- image: localhost:5000/example-multiple-secrets:0.27.0
+ image: localhost:5000/example-multiple-secrets:0.27.1
 env: - name: VSECM_LOG_LEVEL value: "7"
\ No newline at end of file
diff --git a/examples/workshop_aegis/sdk/Deployment.yaml b/examples/workshop_aegis/sdk/Deployment.yaml
index f42d2cab..3c57cf46 100644
--- a/examples/workshop_aegis/sdk/Deployment.yaml
+++ b/examples/workshop_aegis/sdk/Deployment.yaml
@@ -28,7 +28,7 @@ spec: serviceAccountName: example containers: - name: main
- image: vsecm/example-using-sdk-go:0.27.0
+ image: vsecm/example-using-sdk-go:0.27.1
 volumeMounts: # Volume mount for SPIRE unix domain socket. - name: spire-agent-socket
diff --git a/examples/workshop_aegis/sdk/image-override.yaml b/examples/workshop_aegis/sdk/image-override.yaml
index 4cabeb81..52fa1212 100644
--- a/examples/workshop_aegis/sdk/image-override.yaml
+++ b/examples/workshop_aegis/sdk/image-override.yaml
@@ -18,4 +18,4 @@ spec: spec: containers: - name: main
- image: localhost:5000/example-using-sdk:0.27.0
+ image: localhost:5000/example-using-sdk:0.27.1
diff --git a/examples/workshop_aegis/sidecar/Deployment.yaml b/examples/workshop_aegis/sidecar/Deployment.yaml
index 9bae6a7c..107a66b6 100644
--- a/examples/workshop_aegis/sidecar/Deployment.yaml
+++ b/examples/workshop_aegis/sidecar/Deployment.yaml
@@ -28,13 +28,13 @@ spec: serviceAccountName: example containers: - name: main
- image: vsecm/example-using-sidecar:0.27.0
+ image: vsecm/example-using-sidecar:0.27.1
 volumeMounts: # `main` shares this volume with `sidecar`. - mountPath: /opt/vsecm name: vsecm-secrets-volume - name: sidecar
- image: vsecm/vsecm-ist-sidecar:0.27.0
+ image: vsecm/vsecm-ist-sidecar:0.27.1
 volumeMounts: # /opt/vsecm/secrets.json is the place the secrets will be at. - mountPath: /opt/vsecm
diff --git a/examples/workshop_aegis/sidecar/image-override.yaml b/examples/workshop_aegis/sidecar/image-override.yaml
index ae4f0c15..b0ee9c37 100644
--- a/examples/workshop_aegis/sidecar/image-override.yaml
+++ b/examples/workshop_aegis/sidecar/image-override.yaml
@@ -18,6 +18,6 @@ spec: spec: containers: - name: main
- image: localhost:5000/example-using-sidecar:0.27.0
+ image: localhost:5000/example-using-sidecar:0.27.1
 - name: sidecar
- image: localhost:5000/vsecm-ist-sidecar:0.27.0
+ image: localhost:5000/vsecm-ist-sidecar:0.27.1
diff --git a/examples/workshop_federation/cluster-1/inspector/Deployment.yaml b/examples/workshop_federation/cluster-1/inspector/Deployment.yaml
index aa5b3f38..bd55296b 100644
--- a/examples/workshop_federation/cluster-1/inspector/Deployment.yaml
+++ b/examples/workshop_federation/cluster-1/inspector/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
serviceAccountName: vsecm-inspector
containers:
- name: main
- image: localhost:32000/example-multiple-secrets:0.27.0
+ image: localhost:32000/example-multiple-secrets:0.27.1
volumeMounts:
- name: spire-agent-socket
mountPath: /spire-agent-socket
diff --git a/examples/workshop_federation/cluster-1/sentinel/Deployment.yaml b/examples/workshop_federation/cluster-1/sentinel/Deployment.yaml
index 678332ff..50218061 100644
--- a/examples/workshop_federation/cluster-1/sentinel/Deployment.yaml
+++ b/examples/workshop_federation/cluster-1/sentinel/Deployment.yaml
@@ -31,7 +31,7 @@ spec:
serviceAccountName: vsecm-sentinel
containers:
- name: main
- image: localhost:32000/vsecm-ist-sentinel:0.27.0
+ image: localhost:32000/vsecm-ist-sentinel:0.27.1
volumeMounts:
- name: spire-agent-socket
mountPath: /spire-agent-socket
diff --git a/examples/workshop_federation/cluster-2/safe/Deployment.yaml b/examples/workshop_federation/cluster-2/safe/Deployment.yaml
index b401e3c4..7f540c8b 100644
--- a/examples/workshop_federation/cluster-2/safe/Deployment.yaml
+++ b/examples/workshop_federation/cluster-2/safe/Deployment.yaml
@@ -31,7 +31,7 @@ spec:
serviceAccountName: vsecm-safe
containers:
- name: main
- image: localhost:32000/vsecm-ist-safe:0.27.0
+ image: localhost:32000/vsecm-ist-safe:0.27.1
ports:
- containerPort: 8443
volumeMounts:
diff --git a/examples/workshop_istanbul_gophers/k8s/Deployment.yaml b/examples/workshop_istanbul_gophers/k8s/Deployment.yaml
index 7392456f..99b46dbd 100644
--- a/examples/workshop_istanbul_gophers/k8s/Deployment.yaml
+++ b/examples/workshop_istanbul_gophers/k8s/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
serviceAccountName: vsecm-inspector
containers:
- name: main
- image: localhost:5000/vsecm-inspector:0.27.0
+ image: localhost:5000/vsecm-inspector:0.27.1
volumeMounts:
- name: spire-agent-socket
mountPath: /spire-agent-socket
diff --git a/examples/workshop_vsecm/hack/015-reveal-secrets.sh b/examples/workshop_vsecm/hack/015-reveal-secrets.sh
index 8c8856c0..1417acb0 100644
--- a/examples/workshop_vsecm/hack/015-reveal-secrets.sh
+++ b/examples/workshop_vsecm/hack/015-reveal-secrets.sh
@@ -10,7 +10,7 @@
# >/' SPDX-License-Identifier: BSD-2-Clause
# */
-VERSION="0.27.0"
+VERSION="0.27.1"
eval "$(minikube docker-env -u)"
diff --git a/examples/workshop_vsecm/workloads/example-init-container/Deployment.yaml b/examples/workshop_vsecm/workloads/example-init-container/Deployment.yaml
index ec5c12ab..52e3f0ab 100644
--- a/examples/workshop_vsecm/workloads/example-init-container/Deployment.yaml
+++ b/examples/workshop_vsecm/workloads/example-init-container/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
serviceAccountName: example
containers:
- name: main
- image: vsecm/example-using-init-container:0.27.0
+ image: vsecm/example-using-init-container:0.27.1
env:
- name: SECRET
valueFrom:
@@ -53,7 +53,7 @@ spec:
initContainers:
- name: init-container
- image: vsecm/vsecm-ist-init-container:0.27.0
+ image: vsecm/vsecm-ist-init-container:0.27.1
volumeMounts:
- name: spire-agent-socket
mountPath: /spire-agent-socket
diff --git a/examples/workshop_vsecm/workloads/inspector/Deployment.yaml b/examples/workshop_vsecm/workloads/inspector/Deployment.yaml
index 3ec4c53b..76c5ae84 100644
--- a/examples/workshop_vsecm/workloads/inspector/Deployment.yaml
+++ b/examples/workshop_vsecm/workloads/inspector/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
serviceAccountName: vsecm-inspector
containers:
- name: main
- image: vsecm/example-multiple-secrets:0.27.0
+ image: vsecm/example-multiple-secrets:0.27.1
volumeMounts:
- name: spire-agent-socket
mountPath: /spire-agent-socket
diff --git a/examples/workshop_vsecm/workloads/keycloak/Deployment.yaml b/examples/workshop_vsecm/workloads/keycloak/Deployment.yaml
index 08b858f5..9aa0d130 100644
--- a/examples/workshop_vsecm/workloads/keycloak/Deployment.yaml
+++ b/examples/workshop_vsecm/workloads/keycloak/Deployment.yaml
@@ -21,7 +21,7 @@ spec:
spec:
initContainers:
- name: init-container
- image: vsecm/vsecm-ist-init-container:0.27.0
+ image: vsecm/vsecm-ist-init-container:0.27.1
volumeMounts:
- name: spire-agent-socket
mountPath: /spire-agent-socket
diff --git a/hack/create-custom-manifest.sh b/hack/create-custom-manifest.sh
index a1ca91c1..3fb98950 100755
--- a/hack/create-custom-manifest.sh
+++ b/hack/create-custom-manifest.sh
@@ -10,5 +10,5 @@
# >/' SPDX-License-Identifier: BSD-2-Clause
# */
-cp ./helm-charts/0.27.0/values-custom.yaml ./helm-charts/0.27.0/values.yaml
-make k8s-manifests-update VERSION=0.27.0
+cp ./helm-charts/0.27.1/values-custom.yaml ./helm-charts/0.27.1/values.yaml
+make k8s-manifests-update VERSION=0.27.1
diff --git a/hack/tag-docker.sh b/hack/tag-docker.sh
index 1e3a92f3..86715d8b 100755
--- a/hack/tag-docker.sh
+++ b/hack/tag-docker.sh
@@ -15,7 +15,7 @@
# and we should not need to pull the images and sign them again.
# So we'd rarely (if ever) need to use this script.
-VERSION="0.27.0"
+VERSION="0.27.1"
export DOCKER_CONTENT_TRUST=0
diff --git a/helm-charts-playground/app/main.go b/helm-charts-playground/app/main.go
index ecd22f5a..3aac7b6a 100644
--- a/helm-charts-playground/app/main.go
+++ b/helm-charts-playground/app/main.go
@@ -117,12 +117,12 @@ func copyVSecMCrds(inputDir, outputDir string) {
}
func main() {
- inputFile := "/Users/volkan/Desktop/WORKSPACE/secrets-manager/k8s/0.27.0/spire.yaml"
+ inputFile := "/Users/volkan/Desktop/WORKSPACE/secrets-manager/k8s/0.27.1/spire.yaml"
outputDir := "/Users/volkan/Desktop/WORKSPACE/secrets-manager/helm-charts-playground/vsecm-manifests"
createManifests(inputFile, outputDir)
- //inputDir := "/Users/volkan/Desktop/WORKSPACE/secrets-manager/k8s/0.27.0/crds"
+ //inputDir := "/Users/volkan/Desktop/WORKSPACE/secrets-manager/k8s/0.27.1/crds"
//outputDir = "/Users/volkan/Desktop/WORKSPACE/secrets-manager/helm-charts-playground/vsecm-manifests/crds"
//
//copyVSecMCrds(inputDir, outputDir)
diff --git a/helm-charts/0.27.0/Chart.yaml b/helm-charts/0.27.0/Chart.yaml
deleted file mode 100644
index a8fc8cf5..00000000
--- a/helm-charts/0.27.0/Chart.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v2
-name: vsecm
-description: Helm chart for VMware Secrets Manager
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-sources:
-- https://github.com/vmware-tanzu/secrets-manager
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.27.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "0.27.0"
-home: https://vsecm.com/
-
-icon: https://vsecm.com/assets/vsecm-256.png
-
-keywords:
- - secrets
- - kubernetes
- - secrets-manager
- - spire
- - spiffe
- - zero-trust
- - cloud-native
- - edge
- - secret-management
- - security
-
-dependencies:
- - name: keystone
- repository: file://charts/keystone
- version: 0.27.0
- condition: global.deployKeystone
- - name: spire
- repository: file://charts/spire
- version: 0.27.0
- condition: global.deploySpire
- - name: safe
- repository: file://charts/safe
- version: 0.27.0
- condition: global.deploySafe
- - name: sentinel
- repository: file://charts/sentinel
- version: 0.27.0
- condition: global.deploySentinel
diff --git a/helm-charts/0.27.0/README.md b/helm-charts/0.27.0/README.md
deleted file mode 100644
index 920c2bcc..00000000
--- a/helm-charts/0.27.0/README.md
+++ /dev/null
@@ -1,147 +0,0 @@
-# VMware Secrets Manager (VSecM) Helm Chart
-
-VMware Secrets Manager keeps your secrets secret. With VSecM, you can rest assured
-that your sensitive data is always secure and protected. VSecM is perfect for
-securely storing arbitrary configuration information at a central location and
-securely dispatching it to workloads.
-
-![Version: 0.27.0](https://img.shields.io/badge/Version-0.27.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.0](https://img.shields.io/badge/AppVersion-0.27.0-informational?style=flat-square)
-
-[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/vsecm)](https://artifacthub.io/packages/helm/vsecm/vsecm)
-
-## Quickstart
-
-To use VMware Secrets Manager, follow the steps below:
-
-1. Add VMware Secrets Manager Helm repository:
-
- ```bash
- helm repo add vsecm https://vmware-tanzu.github.io/secrets-manager/
- ```
-
-2. Update the helm repository:
-
- ```bash
- helm repo update
- ```
-
-3. Install VMware Secrets Manager using Helm:
-
- ```bash
- helm install vsecm vsecm/vsecm --version 0.27.0
- ```
-
-## Options
-
-The following options can be passed to the `helm install` command to set global
-variables:
-
-*`--set global.deploySpire=`:
- This flag can be passed to install or skip SPIRE.
-*`--set global.baseImage=`:
- This flag can be passed to install VSecM with the given baseImage Docker image.
-
-Default values are `true` and `distroless` for `global.deploySpire`
-and `global.baseImage` respectively.
-
-Here's an example command with the above options:
-
-```bash
-helm install vsecm vsecm/helm-charts --version 0.27.0 \
- --set global.deploySpire=true --set global.baseImage=distroless
-```
-
-Make sure to replace `` and
-`` with the desired values.
-
-## Environment Configuration
-
-**VMware Secrets Manager** can be tweaked further using environment variables.
-
-[Check out **Configuring VSecM** on the official documentation][configuring-vsecm]
-for details.
-
-These environment variable configurations are expose through subcharts.
-You can modify them as follows:
-
-```bash
-helm install vsecm vsecm/helm-charts --version 0.27.0 \
---set safe.environments.VSECM_LOG_LEVEL="6"
---set sentinel.environments.VSECM_LOGL_LEVEL="5"
-# You can update other environment variables too.
-# Most of the time VSecM assumes sane defaults if you don't set them.
-```
-
-[configuring-vsecm]: https://vsecm.com/docs/configuration/
-
-## Subcharts
-
-For further details about subcharts follow these links:
-
-* [VSecM Safe](charts/safe/README.md)
-* [VSecM Sentinel](charts/sentinel/README.md)
-* [VsecM Keystone](charts/keystone/README.md)
-* [SPIRE](charts/spire/README.md)
-
-Please check out [the official **VSecM** documentation][ducks]
-for more information about **VSecM** components and the overall
-**VSecM** architecture.
-
-[ducks]: https://vsecm.com/documentation/welcome/overview/
-
-## Detailed Documentation
-
-The sections below are autogenerated from chart source code:
-
-## Requirements
-
-| Repository | Name | Version |
-|------------|------|---------|
-| file://charts/keystone | keystone | 0.27.0 |
-| file://charts/safe | safe | 0.27.0 |
-| file://charts/sentinel | sentinel | 0.27.0 |
-| file://charts/spire | spire | 0.27.0 |
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| global.baseImage | string | `"distroless"` | Possible options for baseImage (distroless, distroless-fips). When in doubt, stick with distroless. |
-| global.deployKeystone | bool | `true` | Deploy the Keystone VSecM component. VSecM Keystone is a lightweight Pod that is initialized only after VSecM Sentinel completes it `initCommand` initialization sequence. |
-| global.deploySentinel | bool | `true` | Deploy VSecM Sentinel. VSecM Sentinel is the only admin interface where you can register secrets. For best security, you might want to disable the initial deployment of it. This way, you can deploy VSecM Sentinel off-cycle later when you need it. |
-| global.deploySpire | bool | `true` | Deploy SPIRE components. If set to false, SPIRE components will not be deployed. This is useful when SPIRE is already deployed in the cluster. |
-| global.enableOpenShift | bool | `false` | Set it to true for OpenShift deployments. This will add necessary annotations to the SPIRE components to make them work on OpenShift. |
-| global.images | object | `{"initContainer":{"repository":"vsecm-ist-init-container","tag":"0.27.0"},"keystone":{"distrolessFipsRepository":"vsecm-ist-fips-keystone","distrolessRepository":"vsecm-ist-keystone","pullPolicy":"IfNotPresent","tag":"0.27.0"},"nodeDriverRegistrar":{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"},"openShiftHelperUbi9":{"pullPolicy":"IfNotPresent","repository":"registry.access.redhat.com/ubi9","tag":"latest"},"safe":{"distrolessFipsRepository":"vsecm-ist-fips-safe","distrolessRepository":"vsecm-ist-safe","pullPolicy":"IfNotPresent","tag":"0.27.0"},"sentinel":{"distrolessFipsRepository":"vsecm-ist-fips-sentinel","distrolessRepository":"vsecm-ist-sentinel","pullPolicy":"IfNotPresent","tag":"0.27.0"},"spiffeCsiDriver":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spiffe-csi-driver","tag":"0.2.6"},"spireAgent":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.6"},"spireControllerManager":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-controller-manager","tag":"0.5.0"},"spireHelperBash":{"pullPolicy":"IfNotPresent","repository":"cgr.dev/chainguard/bash","tag":"latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d"},"spireHelperKubectl":{"pullPolicy":"IfNotPresent","repository":"docker.io/rancher/kubectl","tag":"v1.28.0"},"spireServer":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.9.6"}}` | Where to find the dependent images of VSecM. Normally, you would not need to modify this. |
-| global.images.nodeDriverRegistrar | object | `{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"}` | Container registry details of SPIFFE CSI Node Driver Registrar. |
-| global.images.spiffeCsiDriver | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spiffe-csi-driver","tag":"0.2.6"}` | Container registry details of SPIFFE CSI Driver. |
-| global.images.spireAgent | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.6"}` | Container registry details of SPIRE Agent. |
-| global.images.spireControllerManager | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-controller-manager","tag":"0.5.0"}` | Container registry details of SPIRE Controller Manager. |
-| global.images.spireServer | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.9.6"}` | Container registry details of SPIRE Server. |
-| global.registry | string | `"vsecm"` | Registry url. Defaults to "vsecm", which points to the public vsecm DockerHub registry: . |
-| global.spire | object | `{"caCommonName":"vsecm.com","caCountry":"US","caOrganization":"vsecm.com","controllerManagerClassName":"vsecm","federationEnabled":false,"logLevel":"DEBUG","namespace":"spire-system","serverAddress":"spire-server.spire-server.svc.cluster.local","serverNamespace":"spire-server","serverPort":443,"trustDomain":"vsecm.com"}` | SPIRE-related global configuration. |
-| global.spire.caCommonName | string | `"vsecm.com"` | The SPIRE CA common name. |
-| global.spire.caCountry | string | `"US"` | The SPIRE CA country. |
-| global.spire.caOrganization | string | `"vsecm.com"` | The SPIRE CA organization. |
-| global.spire.controllerManagerClassName | string | `"vsecm"` | This is the className that ClusterSPIFFEIDs will use to be able to register their SPIFFE IDs with the SPIRE Server. |
-| global.spire.federationEnabled | bool | `false` | Enable federation. If set to true, SPIRE Server will be configured to federate with other SPIRE Servers. This is useful when you have multiple clusters, and you want to establish trust between them. |
-| global.spire.logLevel | string | `"DEBUG"` | The log level of the SPIRE components. This is useful for debugging. |
-| global.spire.namespace | string | `"spire-system"` | This is the namespace where the SPIRE components will be deployed. |
-| global.spire.serverAddress | string | `"spire-server.spire-server.svc.cluster.local"` | The SPIRE Server address. This is the address where the SPIRE Server that the agents will connect to. This address is in the form of ..svc.cluster.local unless you have a custom setup. |
-| global.spire.serverNamespace | string | `"spire-server"` | It is best to keep the SPIRE server namespace separate from other SPIRE components for an added layer of security. |
-| global.spire.serverPort | int | `443` | The SPIRE Server port. This is the port where the SPIRE Server will listen for incoming connections. This is the port of the SPIRE server k8s Service. |
-| global.spire.trustDomain | string | `"vsecm.com"` | The trust domain is the root of the SPIFFE ID hierarchy. It is used to identify the trust domain of a workload. If you use anything other than the default `vsecm.com`, you must also update the relevant environment variables that does SPIFFE ID validation. To prevent accidental collisions (two trust domains select identical names), operators are advised to select trust domain names which are highly likely to be globally unique. Even though a trust domain name is not a DNS name, using a registered domain name as a suffix of a trust domain name, when available, will reduce chances of an accidental collision; for example, if a trust domain operator owns the domain name `example.com`, then using a trust domain name such as `apps.example.com` would likely not produce a collision. When trust domain names are automatically generated without operator input, randomly generating a unique name (such as a UUID) is strongly advised. All SPIFFE IDs shall be prefixed with `spiffe://` unless you have an advanced custom setup. |
-| global.vsecm.keystoneSpiffeIdTemplate | string | `"spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }}"` | |
-| global.vsecm.namespace | string | `"vsecm-system"` | |
-| global.vsecm.safeEndpointUrl | string | `"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/"` | |
-| global.vsecm.safeSpiffeIdPrefix | string | `"^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$"` | |
-| global.vsecm.safeSpiffeIdTemplate | string | `"spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }}"` | |
-| global.vsecm.sentinelSpiffeIdPrefix | string | `"^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$"` | |
-| global.vsecm.sentinelSpiffeIdTemplate | string | `"spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }}"` | |
-| global.vsecm.workloadNameRegExp | string | `"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$"` | |
-| global.vsecm.workloadSpiffeIdPrefix | string | `"^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$"` | |
-
-## License
-
-This project is licensed under the [BSD 2-Clause License][license].
-
-[license]: https://github.com/vmware-tanzu/secrets-manager/blob/main/LICENSE
diff --git a/helm-charts/0.27.0/README.md.gotmpl b/helm-charts/0.27.0/README.md.gotmpl
deleted file mode 100644
index 9599f585..00000000
--- a/helm-charts/0.27.0/README.md.gotmpl
+++ /dev/null
@@ -1,104 +0,0 @@
-# VMware Secrets Manager (VSecM) Helm Chart
-
-VMware Secrets Manager keeps your secrets secret. With VSecM, you can rest assured
-that your sensitive data is always secure and protected. VSecM is perfect for
-securely storing arbitrary configuration information at a central location and
-securely dispatching it to workloads.
-
-{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
-
-[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/vsecm)](https://artifacthub.io/packages/helm/vsecm/vsecm)
-
-## Quickstart
-
-To use VMware Secrets Manager, follow the steps below:
-
-1. Add VMware Secrets Manager Helm repository:
-
- ```bash
- helm repo add vsecm https://vmware-tanzu.github.io/secrets-manager/
- ```
-
-2. Update the helm repository:
-
- ```bash
- helm repo update
- ```
-
-3. Install VMware Secrets Manager using Helm:
-
- ```bash
- helm install vsecm vsecm/vsecm --version {{ template "chart.version" . }}
- ```
-
-## Options
-
-The following options can be passed to the `helm install` command to set global
-variables:
-
-*`--set global.deploySpire=`:
- This flag can be passed to install or skip SPIRE.
-*`--set global.baseImage=`:
- This flag can be passed to install VSecM with the given baseImage Docker image.
-
-Default values are `true` and `distroless` for `global.deploySpire`
-and `global.baseImage` respectively.
-
-Here's an example command with the above options:
-
-```bash
-helm install vsecm vsecm/helm-charts --version {{ template "chart.version" . }} \
- --set global.deploySpire=true --set global.baseImage=distroless
-```
-
-Make sure to replace `` and
-`` with the desired values.
-
-## Environment Configuration
-
-**VMware Secrets Manager** can be tweaked further using environment variables.
-
-[Check out **Configuring VSecM** on the official documentation][configuring-vsecm]
-for details.
-
-These environment variable configurations are expose through subcharts.
-You can modify them as follows:
-
-```bash
-helm install vsecm vsecm/helm-charts --version {{ template "chart.version" . }} \
---set safe.environments.VSECM_LOG_LEVEL="6"
---set sentinel.environments.VSECM_LOGL_LEVEL="5"
-# You can update other environment variables too.
-# Most of the time VSecM assumes sane defaults if you don't set them.
-```
-
-[configuring-vsecm]: https://vsecm.com/docs/configuration/
-
-## Subcharts
-
-For further details about subcharts follow these links:
-
-* [VSecM Safe](charts/safe/README.md)
-* [VSecM Sentinel](charts/sentinel/README.md)
-* [VsecM Keystone](charts/keystone/README.md)
-* [SPIRE](charts/spire/README.md)
-
-Please check out [the official **VSecM** documentation][ducks]
-for more information about **VSecM** components and the overall
-**VSecM** architecture.
-
-[ducks]: https://vsecm.com/documentation/welcome/overview/
-
-## Detailed Documentation
-
-The sections below are autogenerated from chart source code:
-
-{{ template "chart.requirementsSection" . }}
-
-{{ template "chart.valuesSection" . }}
-
-## License
-
-This project is licensed under the [BSD 2-Clause License][license].
-
-[license]: https://github.com/vmware-tanzu/secrets-manager/blob/main/LICENSE
diff --git a/helm-charts/0.27.0/charts/keystone/.helmignore b/helm-charts/0.27.0/charts/keystone/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/helm-charts/0.27.0/charts/keystone/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/helm-charts/0.27.0/charts/keystone/Chart.yaml b/helm-charts/0.27.0/charts/keystone/Chart.yaml
deleted file mode 100644
index 361bf563..00000000
--- a/helm-charts/0.27.0/charts/keystone/Chart.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v2
-name: keystone
-description: Helm chart for keystone
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.27.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "0.27.0"
diff --git a/helm-charts/0.27.0/charts/keystone/README.md b/helm-charts/0.27.0/charts/keystone/README.md
deleted file mode 100644
index 09c6ffb0..00000000
--- a/helm-charts/0.27.0/charts/keystone/README.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# keystone
-
-![Version: 0.27.0](https://img.shields.io/badge/Version-0.27.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.0](https://img.shields.io/badge/AppVersion-0.27.0-informational?style=flat-square)
-
-Helm chart for keystone
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling settings. Note that, by default, autoscaling is disabled. It does not typically make sense to autoscale VSecM Keystone as it is a control plane component with minimal resource requirements. |
-| environments | list | `[{"name":"VSECM_LOG_LEVEL","value":"7"}]` | See https://vsecm.com/configuration for more information about these environment variables. |
-| environments[0] | object | `{"name":"VSECM_LOG_LEVEL","value":"7"}` | The log level. 0: Logs are off (only audit events will be logged) 7: TRACE level logging (maximum verbosity). |
-| fullnameOverride | string | `""` | The fullname override of the chart. |
-| imagePullSecrets | list | `[]` | Override it with an image pull secret that you need as follows: imagePullSecrets: - name: my-registry-secret |
-| initEnvironments | list | `[{"name":"SPIFFE_ENDPOINT_SOCKET","value":"unix:///spire-agent-socket/spire-agent.sock"},{"name":"VSECM_BACKOFF_DELAY","value":"1000"},{"name":"VSECM_BACKOFF_MAX_RETRIES","value":"10"},{"name":"VSECM_BACKOFF_MAX_WAIT","value":"10000"},{"name":"VSECM_BACKOFF_MODE","value":"exponential"},{"name":"VSECM_INIT_CONTAINER_POLL_INTERVAL","value":"5000"},{"name":"VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT","value":"0"},{"name":"VSECM_LOG_LEVEL","value":"7"}]` | See https://vsecm.com/configuration for more information about these environment variables. |
-| initEnvironments[0] | object | `{"name":"SPIFFE_ENDPOINT_SOCKET","value":"unix:///spire-agent-socket/spire-agent.sock"}` | The SPIFFE endpoint socket. This is used to communicate with the SPIRE agent. If you change this, you will need to change the associated volumeMount in the Deployment.yaml too. The name of the socket should match spireAgent.socketName in values.yaml of the SPIRE chart. |
-| initEnvironments[1] | object | `{"name":"VSECM_BACKOFF_DELAY","value":"1000"}` | The interval between retries (in milliseconds) for the default backoff strategy. |
-| initEnvironments[2] | object | `{"name":"VSECM_BACKOFF_MAX_RETRIES","value":"10"}` | The maximum number of retries for the default backoff strategy before it gives up. |
-| initEnvironments[3] | object | `{"name":"VSECM_BACKOFF_MAX_WAIT","value":"10000"}` | The maximum wait time (in milliseconds) for the default backoff strategy. |
-| initEnvironments[4] | object | `{"name":"VSECM_BACKOFF_MODE","value":"exponential"}` | The backoff mode. The default is "exponential". Allowed values: "exponential", "linear" |
-| initEnvironments[5] | object | `{"name":"VSECM_INIT_CONTAINER_POLL_INTERVAL","value":"5000"}` | The interval (in milliseconds) that the VSecM Init Container will poll the VSecM Safe for secrets. |
-| initEnvironments[6] | object | `{"name":"VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT","value":"0"}` | The time (in milliseconds) that the VSecM Init Container will wait before exiting and yielding the control to the main container. |
-| initEnvironments[7] | object | `{"name":"VSECM_LOG_LEVEL","value":"7"}` | The log level. 0: Logs are off (only audit events will be logged) 7: TRACE level logging (maximum verbosity). |
-| livenessPort | int | `8081` | The port of the liveness probe. |
-| nameOverride | string | `""` | The name override of the chart. |
-| podAnnotations | object | `{}` | Additional pod annotations. |
-| podSecurityContext | object | `{}` | Pod security context overrides. |
-| replicaCount | int | `1` | |
-| resources | object | `{"requests":{"cpu":"5m","memory":"20Mi"}}` | Resource limits and requests. |
-| serviceAccount | object | `{"annotations":{},"create":true,"name":"vsecm-keystone"}` | The service account to use. |
-| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
-| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
-| serviceAccount.name | string | `"vsecm-keystone"` | The name of the service account to use. If not set and 'create' is true, a name is generated using the fullname template. |
-
-----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
diff --git a/helm-charts/0.27.0/charts/keystone/templates/Deployment.yaml b/helm-charts/0.27.0/charts/keystone/templates/Deployment.yaml
deleted file mode 100644
index 51591769..00000000
--- a/helm-charts/0.27.0/charts/keystone/templates/Deployment.yaml
+++ /dev/null
@@ -1,156 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "keystone.fullname" . }} - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "keystone.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "keystone.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "keystone.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "keystone.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - - priorityClassName: system-cluster-critical - - initContainers: - - name: init-container - image: "{{ .Values.global.registry }}/{{ .Values.global.images.initContainer.repository }}:{{ .Values.global.images.initContainer.tag }}" - imagePullPolicy: {{ .Values.global.images.keystone.pullPolicy }} - volumeMounts: - - mountPath: /spire-agent-socket - name: spire-agent-socket - readOnly: true - env: - # - # You can configure VSecM Init Container by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Init Container will assume the default values outlined in the given link above. 
- # - {{- $safeInitEndpointUrlSet := false }} - {{- $safeInitSpiffeIdPrefixSet := false }} - {{- $workloadInitSpiffeIdPrefixSet := false }} - {{- $vsecmInitNamespaceSet := false }} - {{- $spireInitNamespaceSet := false }} - {{- $spiffeTrustDomainSet := false }} - {{- $workloadNameRegExpSet := false }} - {{- range .Values.initEnvironments }} - {{- if eq .name "VSECM_SAFE_ENDPOINT_URL" }} - {{- $safeInitEndpointUrlSet = true }} - {{- end }} - {{- if eq .name "VSECM_SPIFFEID_PREFIX_SAFE" }} - {{- $safeInitSpiffeIdPrefixSet = true }} - {{- end }} - {{- if eq .name "VSECM_SPIFFEID_PREFIX_WORKLOAD" }} - {{- $workloadInitSpiffeIdPrefixSet = true }} - {{- end }} - {{ if eq .name "VSECM_NAMESPACE_SYSTEM" }} - {{- $vsecmInitNamespaceSet = true }} - {{- end }} - {{ if eq .name "VSECM_NAMESPACE_SPIRE" }} - {{- $spireInitNamespaceSet = true }} - {{- end }} - {{ if eq .name "SPIFFE_TRUST_DOMAIN" }} - {{- $spiffeTrustDomainSet = true }} - {{- end }} - {{- if eq .name "VSECM_WORKLOAD_NAME_REGEXP" }} - {{- $workloadNameRegExpSet = true }} - {{- end }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- end }} - {{- if not $safeInitEndpointUrlSet }} - - name: VSECM_SAFE_ENDPOINT_URL - value: {{ .Values.global.vsecm.safeEndpointUrl | quote }} - {{- end }} - {{- if not $safeInitSpiffeIdPrefixSet }} - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: {{ .Values.global.vsecm.safeSpiffeIdPrefix | quote }} - {{- end }} - {{- if not $workloadInitSpiffeIdPrefixSet }} - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: {{ .Values.global.vsecm.workloadSpiffeIdPrefix | quote }} - {{- end }} - {{- if not $vsecmInitNamespaceSet }} - - name: VSECM_NAMESPACE_SYSTEM - value: {{ .Values.global.vsecm.namespace | quote }} - {{- end }} - {{- if not $spireInitNamespaceSet }} - - name: VSECM_NAMESPACE_SPIRE - value: {{ .Values.global.spire.namespace | quote }} - {{- end }} - {{- if not $spiffeTrustDomainSet }} - - name: SPIFFE_TRUST_DOMAIN - value: {{ .Values.global.spire.trustDomain | quote }} - {{- end 
}} - {{- if not $workloadNameRegExpSet }} - - name: VSECM_WORKLOAD_NAME_REGEXP - value: {{ .Values.global.vsecm.workloadNameRegExp | quote }} - {{- end }} - containers: - - name: main - image: "{{ .Values.global.registry }}/{{- include "keystone.repository" .}}:{{ .Values.global.images.keystone.tag }}" - imagePullPolicy: {{ .Values.global.images.keystone.pullPolicy }} - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. - # - env: - {{- range .Values.environments }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- end }} - resources: - requests: - memory: {{ .Values.resources.requests.memory }} - cpu: {{ .Values.resources.requests.cpu }} - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true diff --git a/helm-charts/0.27.0/charts/keystone/templates/Identity.yaml b/helm-charts/0.27.0/charts/keystone/templates/Identity.yaml deleted file mode 100644 index 26bac553..00000000 --- a/helm-charts/0.27.0/charts/keystone/templates/Identity.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: {{ include "keystone.fullname" . }} - labels: - {{- include "keystone.labels" . | nindent 4 }} -spec: - className: {{ .Values.global.spire.controllerManagerClassName | quote }} - spiffeIDTemplate: {{ .Values.global.vsecm.keystoneSpiffeIdTemplate }} - podSelector: - matchLabels: - app.kubernetes.io/name: {{ include "keystone.fullname" . }} - app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }} - workloadSelectorTemplates: - - "k8s:ns:{{ .Values.global.vsecm.namespace }}" - - "k8s:sa:{{ include "keystone.serviceAccountName" . }}" diff --git a/helm-charts/0.27.0/charts/keystone/templates/ServiceAccount.yaml b/helm-charts/0.27.0/charts/keystone/templates/ServiceAccount.yaml deleted file mode 100644 index 1cf52fe8..00000000 --- a/helm-charts/0.27.0/charts/keystone/templates/ServiceAccount.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "keystone.serviceAccountName" . }} - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "keystone.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -automountServiceAccountToken: false -{{- end }} 
diff --git a/helm-charts/0.27.0/charts/keystone/templates/_helpers.tpl b/helm-charts/0.27.0/charts/keystone/templates/_helpers.tpl
deleted file mode 100644
index aa8b4a55..00000000
--- a/helm-charts/0.27.0/charts/keystone/templates/_helpers.tpl
+++ /dev/null
@@ -1,86 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{/* -Expand the name of the chart. -*/}} -{{- define "keystone.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "keystone.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "keystone.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "keystone.labels" -}} -helm.sh/chart: {{ include "keystone.chart" . }} -{{ include "keystone.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "keystone.selectorLabels" -}} -app.kubernetes.io/name: {{ include "keystone.fullname" . 
}} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "keystone.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "keystone.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -Define image for VSecM Keystone -*/}} -{{- define "keystone.repository" -}} -{{- if eq (lower $.Values.global.baseImage) "distroless" }} -{{- .Values.global.images.keystone.distrolessRepository }} -{{- else if eq (lower $.Values.global.baseImage) "distroless-fips" }} -{{- .Values.global.images.keystone.distrolessFipsRepository }} -{{- else }} -{{- .Values.global.images.keystone.distrolessRepository }} -{{- end }} -{{- end }} diff --git a/helm-charts/0.27.0/charts/keystone/values.yaml b/helm-charts/0.27.0/charts/keystone/values.yaml deleted file mode 100644 index a16e1ce1..00000000 --- a/helm-charts/0.27.0/charts/keystone/values.yaml +++ /dev/null 
@@ -1,108 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Default values for keystone. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -replicaCount: 1 - -# -- The port of the liveness probe. -livenessPort: 8081 - -# -- See https://vsecm.com/configuration for more information -# about these environment variables. -environments: - # -- The log level. 0: Logs are off (only audit events will be logged) - # 7: TRACE level logging (maximum verbosity). - - name: VSECM_LOG_LEVEL - value: "7" - -# -- See https://vsecm.com/configuration for more information -# about these environment variables. -initEnvironments: - # -- The SPIFFE endpoint socket. This is used to communicate with the SPIRE - # agent. If you change this, you will need to change the associated - # volumeMount in the Deployment.yaml too. - # The name of the socket should match spireAgent.socketName in values.yaml - # of the SPIRE chart. - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - # -- The interval between retries (in milliseconds) for the default backoff strategy. - - name: VSECM_BACKOFF_DELAY - value: "1000" - # -- The maximum number of retries for the default backoff strategy before it gives up. - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - # -- The maximum wait time (in milliseconds) for the default backoff strategy. - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - # -- The backoff mode. The default is "exponential". - # Allowed values: "exponential", "linear" - - name: VSECM_BACKOFF_MODE - value: "exponential" - # -- The interval (in milliseconds) that the VSecM Init Container will poll - # the VSecM Safe for secrets. 
- - name: VSECM_INIT_CONTAINER_POLL_INTERVAL - value: "5000" - # -- The time (in milliseconds) that the VSecM Init Container will wait - # before exiting and yielding the control to the main container. - - name: VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT - value: "0" - # -- The log level. 0: Logs are off (only audit events will be logged) - # 7: TRACE level logging (maximum verbosity). - - name: VSECM_LOG_LEVEL - value: "7" - -# -- Override it with an image pull secret that you need as follows: -# imagePullSecrets: -# - name: my-registry-secret -imagePullSecrets: [] - -# -- The name override of the chart. -nameOverride: "" -# -- The fullname override of the chart. -fullnameOverride: "" - -# -- The service account to use. -serviceAccount: - # -- Specifies whether a service account should be created. - create: true - # -- Annotations to add to the service account. - annotations: {} - # -- The name of the service account to use. - # If not set and 'create' is true, a name is generated using the fullname - # template. - name: "vsecm-keystone" - -# -- Additional pod annotations. -podAnnotations: {} - -# -- Pod security context overrides. -podSecurityContext: {} -# fsGroup: 2000 - -# -- Resource limits and requests. -resources: - # These are default requests that can be used as a starting point. - # Of course, benchmark your production system to determine the actual - # requests you need. - requests: - memory: "20Mi" - cpu: "5m" - -# -- Autoscaling settings. Note that, by default, autoscaling is disabled. -# It does not typically make sense to autoscale VSecM Keystone as it is -# a control plane component with minimal resource requirements. -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 diff --git a/helm-charts/0.27.0/charts/safe/.helmignore b/helm-charts/0.27.0/charts/safe/.helmignore deleted file mode 100644 index 0e8a0eb3..00000000 
--- a/helm-charts/0.27.0/charts/safe/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/helm-charts/0.27.0/charts/safe/Chart.yaml b/helm-charts/0.27.0/charts/safe/Chart.yaml
deleted file mode 100644
index 21731261..00000000
--- a/helm-charts/0.27.0/charts/safe/Chart.yaml
+++ /dev/null
@@ -1,34 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v2 -name: safe -description: Helm chart for VMware Secrets Manager (VSecM) Safe - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.27.0 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "0.27.0" diff --git a/helm-charts/0.27.0/charts/safe/README.md b/helm-charts/0.27.0/charts/safe/README.md deleted file mode 100644 index 54f16731..00000000 --- a/helm-charts/0.27.0/charts/safe/README.md +++ /dev/null 
@@ -1,59 +0,0 @@ -# safe - -![Version: 0.27.0](https://img.shields.io/badge/Version-0.27.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.0](https://img.shields.io/badge/AppVersion-0.27.0-informational?style=flat-square) - -Helm chart for VMware Secrets Manager (VSecM) Safe - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| autoscaling | object | `{"enabled":false,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling settings. Note that autoscaling is not supported for VSecM Safe yet. For proper operation there should always be a single VSecM Safe pod at all times. | -| data | object | `{"hostPath":{"path":"/var/local/vsecm/data"},"persistent":false,"persistentVolumeClaim":{"accessMode":"ReadWriteOnce","size":"1Gi","storageClass":""}}` | How persistence is handled. | -| data.hostPath | object | `{"path":"/var/local/vsecm/data"}` | hostPath if `persistent` is false. | -| data.persistent | bool | `false` | If `persistent` is true, a PersistentVolumeClaim is used. Otherwise, a hostPath is used. | -| data.persistentVolumeClaim | object | `{"accessMode":"ReadWriteOnce","size":"1Gi","storageClass":""}` | PVC settings (if `persistent` is true). 
| -| environments | list | `[{"name":"SPIFFE_ENDPOINT_SOCKET","value":"unix:///spire-agent-socket/spire-agent.sock"},{"name":"VSECM_BACKOFF_DELAY","value":"1000"},{"name":"VSECM_BACKOFF_MAX_RETRIES","value":"10"},{"name":"VSECM_BACKOFF_MAX_WAIT","value":"10000"},{"name":"VSECM_BACKOFF_MODE","value":"exponential"},{"name":"VSECM_LOG_LEVEL","value":"7"},{"name":"VSECM_LOG_SECRET_FINGERPRINTS","value":"false"},{"name":"VSECM_PROBE_LIVENESS_PORT","value":":8081"},{"name":"VSECM_PROBE_READINESS_PORT","value":":8082"},{"name":"VSECM_SAFE_BACKING_STORE","value":"file"},{"name":"VSECM_SAFE_BOOTSTRAP_TIMEOUT","value":"300000"},{"name":"VSECM_ROOT_KEY_INPUT_MODE_MANUAL","value":"false"},{"name":"VSECM_ROOT_KEY_NAME","value":"vsecm-root-key"},{"name":"VSECM_ROOT_KEY_PATH","value":"/key/key.txt"},{"name":"VSECM_SAFE_DATA_PATH","value":"/var/local/vsecm/data"},{"name":"VSECM_SAFE_FIPS_COMPLIANT","value":"false"},{"name":"VSECM_SAFE_IV_INITIALIZATION_INTERVAL","value":"50"},{"name":"VSECM_SAFE_K8S_SECRET_BUFFER_SIZE","value":"10"},{"name":"VSECM_SAFE_SECRET_BACKUP_COUNT","value":"3"},{"name":"VSECM_SAFE_SECRET_BUFFER_SIZE","value":"10"},{"name":"VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE","value":"10"},{"name":"VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT","value":"10000"},{"name":"VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX","value":"k8s:"},{"name":"VSECM_SAFE_ROOT_KEY_STORE","value":"k8s"},{"name":"VSECM_SAFE_TLS_PORT","value":":8443"}]` | See https://vsecm.com/configuration for more information about these environment variables. | -| environments[0] | object | `{"name":"SPIFFE_ENDPOINT_SOCKET","value":"unix:///spire-agent-socket/spire-agent.sock"}` | The SPIFFE endpoint socket. This is used to communicate with the SPIRE agent. If you change this, you will need to change the associated volumeMount in the Deployment.yaml too. The name of the socket should match spireAgent.socketName in values.yaml of the SPIRE chart. 
| -| environments[10] | object | `{"name":"VSECM_SAFE_BOOTSTRAP_TIMEOUT","value":"300000"}` | The interval (in milliseconds) that the VSecM Safe will wait during bootstrapping before it bails out. | -| environments[11] | object | `{"name":"VSECM_ROOT_KEY_INPUT_MODE_MANUAL","value":"false"}` | Whether to automatically generate root cryptographic material or expect it to be provided through VSecM Sentinel CLI by the operator. If set to "false", VSecM Safe will automatically generate the root keys, which will make the operator's life easier. | -| environments[12] | object | `{"name":"VSECM_ROOT_KEY_NAME","value":"vsecm-root-key"}` | The name of the VSecM Root Key Secret. | -| environments[13] | object | `{"name":"VSECM_ROOT_KEY_PATH","value":"/key/key.txt"}` | The path where the VSecM Root Key will be mounted. | -| environments[14] | object | `{"name":"VSECM_SAFE_DATA_PATH","value":"/var/local/vsecm/data"}` | The path where the VSecM Safe will store its data (if the backing store is "file"). | -| environments[15] | object | `{"name":"VSECM_SAFE_FIPS_COMPLIANT","value":"false"}` | Should VSecM Safe use FIPS-compliant encryption? | -| environments[16] | object | `{"name":"VSECM_SAFE_IV_INITIALIZATION_INTERVAL","value":"50"}` | The IV initialization interval (in milliseconds) for the VSecM Safe. | -| environments[17] | object | `{"name":"VSECM_SAFE_K8S_SECRET_BUFFER_SIZE","value":"10"}` | The number of secrets VSecM Safe can buffer before blocking further operations until the buffer has space. | -| environments[18] | object | `{"name":"VSECM_SAFE_SECRET_BACKUP_COUNT","value":"3"}` | How many versions of older secrets should be kept. | -| environments[19] | object | `{"name":"VSECM_SAFE_SECRET_BUFFER_SIZE","value":"10"}` | The number of secrets VSecM Safe can buffer before blocking further operations until the buffer has space. 
| -| environments[1] | object | `{"name":"VSECM_BACKOFF_DELAY","value":"1000"}` | The interval between retries (in milliseconds) for the default backoff strategy. | -| environments[20] | object | `{"name":"VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE","value":"10"}` | The number of secrets VSecM Safe can buffer before blocking further operations until the buffer has space. | -| environments[21] | object | `{"name":"VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT","value":"10000"}` | The timeout (in milliseconds) for the VSecM Safe to acquire a source. After this timeout, the VSecM Safe will bail out. | -| environments[22] | object | `{"name":"VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX","value":"k8s:"}` | The prefix to use for the workload names, when storing workload secrets as Kubernetes secrets. | -| environments[23] | object | `{"name":"VSECM_SAFE_ROOT_KEY_STORE","value":"k8s"}` | The place where the VSecM Safe will store its root key. The only possible value is "k8s" at the moment. | -| environments[24] | object | `{"name":"VSECM_SAFE_TLS_PORT","value":":8443"}` | The port that the VSecM Safe will listen on. | -| environments[2] | object | `{"name":"VSECM_BACKOFF_MAX_RETRIES","value":"10"}` | The maximum number of retries for the default backoff strategy before it gives up. | -| environments[3] | object | `{"name":"VSECM_BACKOFF_MAX_WAIT","value":"10000"}` | The maximum wait time (in milliseconds) for the default backoff strategy. | -| environments[4] | object | `{"name":"VSECM_BACKOFF_MODE","value":"exponential"}` | The backoff mode. The default is "exponential". Allowed values: "exponential", "linear" | -| environments[5] | object | `{"name":"VSECM_LOG_LEVEL","value":"7"}` | The log level. 0: Logs are off (only audit events will be logged) 7: TRACE level logging (maximum verbosity). | -| environments[6] | object | `{"name":"VSECM_LOG_SECRET_FINGERPRINTS","value":"false"}` | Useful for debugging. 
This will log cryptographic fingerprints of secrets without revealing the secret itself. It is recommended to keep this "false" in production. | -| environments[7] | object | `{"name":"VSECM_PROBE_LIVENESS_PORT","value":":8081"}` | The port that the liveness probe listens on. | -| environments[8] | object | `{"name":"VSECM_PROBE_READINESS_PORT","value":":8082"}` | The port that the readiness probe listens on. | -| environments[9] | object | `{"name":"VSECM_SAFE_BACKING_STORE","value":"file"}` | The backing store for VSecM Safe. Possible values are: "memory", "file", "aws-secret", "azure-secret", "gcp-secret", "k8s". Currently, only "memory" and "file" are supported. | -| fullnameOverride | string | `""` | The fullname override of the chart. | -| imagePullSecrets | list | `[]` | Override it with an image pull secret that you need as follows: imagePullSecrets: - name: my-registry-secret | -| livenessPort | int | `8081` | The port that the liveness probe listens on. `environments.VSECM_PROBE_LIVENESS_PORT` should match this value. | -| nameOverride | string | `""` | The name override of the chart. | -| podAnnotations | object | `{}` | Additional pod annotations. | -| podSecurityContext | object | `{}` | Pod security context overrides. | -| readinessPort | int | `8082` | The port that the readiness probe listens on. `environments.VSECM_PROBE_READINESS_PORT` should match this value. | -| replicaCount | int | `1` | Number of replicas to deploy. Note that values greater than 1 are not supported yet. | -| resources | object | `{"requests":{"cpu":"5m","memory":"20Mi"}}` | Resource limits and requests. | -| rootKeySecretName | string | `"vsecm-root-key"` | The name of the root key secret. | -| service | object | `{"port":8443,"targetPort":8443,"type":"ClusterIP"}` | Service settings. | -| serviceAccount | object | `{"annotations":{},"create":true,"name":"vsecm-safe"}` | The service account to use. 
| -| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | -| serviceAccount.name | string | `"vsecm-safe"` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/helm-charts/0.27.0/charts/safe/templates/Identity.yaml b/helm-charts/0.27.0/charts/safe/templates/Identity.yaml deleted file mode 100644 index 70240025..00000000 --- a/helm-charts/0.27.0/charts/safe/templates/Identity.yaml +++ /dev/null @@ -1,26 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: {{ include "safe.fullname" . }} - labels: - {{- include "safe.labels" . | nindent 4 }} -spec: - className: {{ .Values.global.spire.controllerManagerClassName | quote }} - spiffeIDTemplate: {{ .Values.global.vsecm.safeSpiffeIdTemplate }} - podSelector: - matchLabels: - app.kubernetes.io/name: {{ include "safe.fullname" . }} - app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }} - workloadSelectorTemplates: - - "k8s:ns:{{ .Values.global.vsecm.namespace }}" - - "k8s:sa:{{ include "safe.serviceAccountName" . }}" diff --git a/helm-charts/0.27.0/charts/safe/templates/RoleBinding.yaml b/helm-charts/0.27.0/charts/safe/templates/RoleBinding.yaml deleted file mode 100644 index 4b70be7e..00000000 --- a/helm-charts/0.27.0/charts/safe/templates/RoleBinding.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vsecm-secret-readwriter-binding -subjects: - - kind: ServiceAccount - name: vsecm-safe - namespace: {{ .Values.global.vsecm.namespace }} -roleRef: - kind: ClusterRole - name: vsecm-secret-readwriter - apiGroup: rbac.authorization.k8s.io - -## -# -# Alternatively, for a tighter security, you can define a `RoleBinding` -# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to -# maintain. See the discussion about above `Role`s and `RoleBinding`s. -# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: RoleBinding -# metadata: -# name: vsecm-secret-readwriter-binding -# namespace: {{ .Values.global.vsecm.namespace }} -# subjects: -# - kind: ServiceAccount -# name: vsecm-safe -# namespace: {{ .Values.global.vsecm.namespace }} -# roleRef: -# kind: Role -# name: vsecm-secret-readwriter -# apiGroup: rbac.authorization.k8s.io -# -## diff --git a/helm-charts/0.27.0/charts/safe/templates/Secret.yaml b/helm-charts/0.27.0/charts/safe/templates/Secret.yaml deleted file mode 100644 index 65adcc41..00000000 --- a/helm-charts/0.27.0/charts/safe/templates/Secret.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.rootKeySecretName }} - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "safe.labels" . | nindent 4 }} - app.kubernetes.io/operated-by: vsecm - annotations: - kubernetes.io/service-account.name: {{ include "safe.serviceAccountName" . }} -type: Opaque -data: - # '{}' (e30=) is a special placeholder to tell Safe that the Secret - # is not initialized. DO NOT remove or change it. - KEY_TXT: "e30=" diff --git a/helm-charts/0.27.0/charts/safe/templates/Service.yaml b/helm-charts/0.27.0/charts/safe/templates/Service.yaml deleted file mode 100644 index a4b6311d..00000000 --- a/helm-charts/0.27.0/charts/safe/templates/Service.yaml +++ /dev/null @@ -1,26 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "safe.fullname" . }} - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "safe.labels" . | nindent 4 }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: {{ .Values.service.targetPort }} - protocol: TCP - name: http - selector: - {{- include "safe.selectorLabels" . | nindent 4 }} diff --git a/helm-charts/0.27.0/charts/safe/templates/ServiceAccount.yaml b/helm-charts/0.27.0/charts/safe/templates/ServiceAccount.yaml deleted file mode 100644 index 9cd283cb..00000000 
--- a/helm-charts/0.27.0/charts/safe/templates/ServiceAccount.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "safe.serviceAccountName" . }} - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "safe.labels" . | nindent 4 }} - annotations: - kubernetes.io/enforce-mountable-secrets: "true" - kubernetes.io/mountable-secrets: {{ .Values.rootKeySecretName }} - {{- with .Values.serviceAccount.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -automountServiceAccountToken: true -secrets: - - name: {{ .Values.rootKeySecretName }} -{{- end }} diff --git a/helm-charts/0.27.0/charts/safe/templates/StatefulSet.yaml b/helm-charts/0.27.0/charts/safe/templates/StatefulSet.yaml deleted file mode 100644 index 5fda0575..00000000 --- a/helm-charts/0.27.0/charts/safe/templates/StatefulSet.yaml +++ /dev/null 
@@ -1,195 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "safe.fullname" . }} - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "safe.labels" . | nindent 4 }} -spec: - serviceName: {{ include "safe.fullname" . }} - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "safe.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "safe.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "safe.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "{{ .Values.global.registry }}/{{- include "safe.repository" .}}:{{ .Values.global.images.safe.tag }}" - imagePullPolicy: {{ .Values.global.images.safe.pullPolicy }} - ports: - - containerPort: {{ .Values.service.port }} - name: http - protocol: TCP - volumeMounts: - - name: vsecm-data - mountPath: {{ .Values.data.hostPath.path }} - readOnly: false - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - - name: vsecm-root-key - mountPath: /key - readOnly: true - # - # You can configure VSecM Safe by providing environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. 
- # - # When you don't explicitly provide env vars here, VSecM Safe - # will assume the default values outlined in the given link above. - # - env: - {{- $vsecmNamespaceSet := false }} - {{- $spireNamespaceSet := false }} - {{- $safeEndpointUrlSet := false }} - {{- $safeSpiffeIdPrefixSet := false }} - {{- $sentinelSpiffeIdPrefixSet := false }} - {{- $workloadSpiffeIdPrefixSet := false }} - {{- $spiffeTrustDomainSet := false }} - {{- $workloadNameRegExpSet := false }} - {{- range .Values.environments }} - {{- if eq .name "VSECM_SAFE_ENDPOINT_URL" }} - {{- $safeEndpointUrlSet = true }} - {{- end }} - {{- if eq .name "VSECM_SPIFFEID_PREFIX_SAFE" }} - {{- $safeSpiffeIdPrefixSet = true }} - {{- end }} - {{- if eq .name "VSECM_SPIFFEID_PREFIX_SENTINEL" }} - {{- $sentinelSpiffeIdPrefixSet = true }} - {{- end }} - {{- if eq .name "VSECM_SPIFFEID_PREFIX_WORKLOAD" }} - {{- $workloadSpiffeIdPrefixSet = true }} - {{- end }} - {{ if eq .name "VSECM_NAMESPACE_SYSTEM" }} - {{- $vsecmNamespaceSet = true }} - {{- end }} - {{ if eq .name "VSECM_NAMESPACE_SPIRE" }} - {{- $spireNamespaceSet = true }} - {{- end }} - {{ if eq .name "SPIFFE_TRUST_DOMAIN" }} - {{- $spiffeTrustDomainSet = true }} - {{- end }} - {{- if eq .name "VSECM_WORKLOAD_NAME_REGEXP" }} - {{- $workloadNameRegExpSet = true }} - {{- end }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- end }} - - {{- if not $safeEndpointUrlSet }} - - name: VSECM_SAFE_ENDPOINT_URL - value: {{ .Values.global.vsecm.safeEndpointUrl | quote }} - {{- end }} - {{- if not $safeSpiffeIdPrefixSet }} - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: {{ .Values.global.vsecm.safeSpiffeIdPrefix | quote }} - {{- end }} - {{- if not $sentinelSpiffeIdPrefixSet }} - - name: VSECM_SPIFFEID_PREFIX_SENTINEL - value: {{ .Values.global.vsecm.sentinelSpiffeIdPrefix | quote }} - {{- end }} - {{- if not $workloadSpiffeIdPrefixSet }} - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: {{ .Values.global.vsecm.workloadSpiffeIdPrefix | quote }} - {{- end }} - 
{{- if not $vsecmNamespaceSet }} - - name: VSECM_NAMESPACE_SYSTEM - value: {{ .Values.global.vsecm.namespace | quote }} - {{- end }} - {{- if not $spireNamespaceSet }} - - name: VSECM_NAMESPACE_SPIRE - value: {{ .Values.global.spire.namespace | quote }} - {{- end }} - {{- if not $spiffeTrustDomainSet }} - - name: SPIFFE_TRUST_DOMAIN - value: {{ .Values.global.spire.trustDomain | quote }} - {{- end }} - {{- if not $workloadNameRegExpSet }} - - name: VSECM_WORKLOAD_NAME_REGEXP - value: {{ .Values.global.vsecm.workloadNameRegExp | quote }} - {{- end }} - livenessProbe: - httpGet: - path: / - port: {{ .Values.livenessPort }} - initialDelaySeconds: 1 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: {{ .Values.readinessPort }} - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: {{ .Values.resources.requests.memory }} - cpu: {{ .Values.resources.requests.cpu }} - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - -{{- if not .Values.data.persistent }} - # `vsecm-data` is used to persist the encrypted backups of the secrets. - - name: vsecm-data - hostPath: - path: {{ .Values.data.hostPath.path }} - type: DirectoryOrCreate -{{- end}} - - # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data. - - name: vsecm-root-key - secret: - secretName: {{ .Values.rootKeySecretName }} - items: - - key: KEY_TXT - path: key.txt - -{{- if .Values.data.persistent }} - volumeClaimTemplates: - - metadata: - name: vsecm-data - spec: - accessModes: - - {{ .Values.data.persistentVolumeClaim.accessMode | default "ReadWriteOnce" }} - resources: - requests: - storage: {{ .Values.data.persistentVolumeClaim.size }} - {{- if .Values.data.persistentVolumeClaim.storageClass }} - storageClassName: {{ .Values.data.persistentVolumeClaim.storageClass }} - {{- end }} -{{- end }} 
diff --git a/helm-charts/0.27.0/charts/safe/templates/_helpers.tpl b/helm-charts/0.27.0/charts/safe/templates/_helpers.tpl deleted file mode 100644 index f7dd4480..00000000 --- a/helm-charts/0.27.0/charts/safe/templates/_helpers.tpl +++ /dev/null 
@@ -1,86 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{/* -Expand the name of the chart. -*/}} -{{- define "safe.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "safe.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "safe.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "safe.labels" -}} -helm.sh/chart: {{ include "safe.chart" . }} -{{ include "safe.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "safe.selectorLabels" -}} -app.kubernetes.io/name: {{ include "safe.fullname" . 
}} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "safe.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "safe.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -Define image for vsecm safe -*/}} -{{- define "safe.repository" -}} -{{- if eq (lower $.Values.global.baseImage) "distroless" }} -{{- .Values.global.images.safe.distrolessRepository }} -{{- else if eq (lower $.Values.global.baseImage) "distroless-fips" }} -{{- .Values.global.images.safe.distrolessFipsRepository }} -{{- else }} -{{- .Values.global.images.safe.distrolessRepository }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/helm-charts/0.27.0/charts/safe/templates/hook-preinstall-namespace.yaml b/helm-charts/0.27.0/charts/safe/templates/hook-preinstall-namespace.yaml deleted file mode 100644 index df206801..00000000 --- a/helm-charts/0.27.0/charts/safe/templates/hook-preinstall-namespace.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Namespace -metadata: - name: {{ .Values.global.vsecm.namespace }} diff --git a/helm-charts/0.27.0/charts/safe/templates/hook-preinstall-role.yaml b/helm-charts/0.27.0/charts/safe/templates/hook-preinstall-role.yaml deleted file mode 100644 index 1250298a..00000000 --- a/helm-charts/0.27.0/charts/safe/templates/hook-preinstall-role.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vsecm-secret-readwriter -# -# Creating a `ClusterRole` will make the role applicable to all namespaces -# within the cluster. This approach is easier to maintain, and still secure -# enough because VSecM Safe will talk only to the Secrets it knows about. -# Alternatively, you can create a `Role` for tighter control: -# -# kind: Role -# metadata: -# name: vsecm-secret-readwriter -# namespace: {{ .Values.global.vsecm.namespace }} -# -## - -## -# -# It is not possible to implement a more granular regex-based -# access control using RBAC. See, for example: -# https://github.com/kubernetes/kubernetes/issues/93845 -# -# Also, note that you will either need to specify one role for each -# namespace, or you will need to define a ClusterRole across the cluster. -# The former approach is tedious, yet more explicit, and more secure. 
-# -# If you are NOT planning to use Kubernetes Secrets to sync VSecM-Safe-generated -# secrets (i.e., you don't want to create secrets using the `k8s:` prefix in the -# workload names), then you can limit the scope of this role as follows: -# -# rules -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: [{{ .Values.rootKeySecretName | quote }}] -# verbs: ["get", "watch", "list", "update", "create"] -# -## - -## -# -# This `rules` setting is for legacy support (see the above discussion): -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list", "update", "create"] -# -# This `rules` configuration is the recommended, more secure, way: -# -# rules: -# - apiGroups: [""] -# resources: ["secrets"] -# resourceNames: [{{ .Values.rootKeySecretName | quote }}] -# verbs: ["get", "watch", "list", "update", "create"] -# -# -## - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - "helm.sh/hook-weight": "2" - {{- end }} diff --git a/helm-charts/0.27.0/charts/safe/values.yaml b/helm-charts/0.27.0/charts/safe/values.yaml deleted file mode 100644 index 6f8ecbc1..00000000 --- a/helm-charts/0.27.0/charts/safe/values.yaml +++ /dev/null 
@@ -1,191 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# -- Number of replicas to deploy. Note that values greater than 1 are not -# supported yet. -replicaCount: 1 - -# -- The port that the liveness probe listens on. -# `environments.VSECM_PROBE_LIVENESS_PORT` should match this value. -livenessPort: 8081 -# -- The port that the readiness probe listens on. -# `environments.VSECM_PROBE_READINESS_PORT` should match this value. -readinessPort: 8082 - -# -- The name of the root key secret. -rootKeySecretName: &rootKeyName vsecm-root-key - -# -- How persistence is handled. -data: - # -- If `persistent` is true, a PersistentVolumeClaim is used. - # Otherwise, a hostPath is used. - persistent: false - # -- PVC settings (if `persistent` is true). - persistentVolumeClaim: - storageClass: "" - accessMode: ReadWriteOnce - size: 1Gi - - # -- hostPath if `persistent` is false. - hostPath: - path: "/var/local/vsecm/data" - -# -- See https://vsecm.com/configuration for more information -# about these environment variables. -environments: - # -- The SPIFFE endpoint socket. This is used to communicate with the SPIRE - # agent. If you change this, you will need to change the associated - # volumeMount in the Deployment.yaml too. - # The name of the socket should match spireAgent.socketName in values.yaml - # of the SPIRE chart. - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - # -- The interval between retries (in milliseconds) for the default backoff strategy. - - name: VSECM_BACKOFF_DELAY - value: "1000" - # -- The maximum number of retries for the default backoff strategy before it gives up. 
- - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - # -- The maximum wait time (in milliseconds) for the default backoff strategy. - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - # -- The backoff mode. The default is "exponential". - # Allowed values: "exponential", "linear" - - name: VSECM_BACKOFF_MODE - value: "exponential" - # -- The log level. 0: Logs are off (only audit events will be logged) - # 7: TRACE level logging (maximum verbosity). - - name: VSECM_LOG_LEVEL - value: "7" - # -- Useful for debugging. This will log cryptographic fingerprints of - # secrets without revealing the secret itself. It is recommended to keep - # this "false" in production. - - name: VSECM_LOG_SECRET_FINGERPRINTS - value: "false" - # -- The port that the liveness probe listens on. - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - # -- The port that the readiness probe listens on. - - name: VSECM_PROBE_READINESS_PORT - value: ":8082" - # -- The backing store for VSecM Safe. - # Possible values are: "memory", "file", "aws-secret", "azure-secret", - # "gcp-secret", "k8s". Currently, only "memory" and "file" are supported. - - name: VSECM_SAFE_BACKING_STORE - value: "file" - # -- The interval (in milliseconds) that the VSecM Safe will wait during - # bootstrapping before it bails out. - - name: VSECM_SAFE_BOOTSTRAP_TIMEOUT - value: "300000" - # -- Whether to automatically generate root cryptographic material or - # expect it to be provided through VSecM Sentinel CLI by the operator. - # If set to "false", VSecM Safe will automatically generate the root keys, - # which will make the operator's life easier. - - name: VSECM_ROOT_KEY_INPUT_MODE_MANUAL - value: "false" - # -- The name of the VSecM Root Key Secret. - - name: VSECM_ROOT_KEY_NAME - value: *rootKeyName - # -- The path where the VSecM Root Key will be mounted. - - name: VSECM_ROOT_KEY_PATH - value: "/key/key.txt" - # -- The path where the VSecM Safe will store its data (if the backing store - # is "file"). 
- - name: VSECM_SAFE_DATA_PATH - value: "/var/local/vsecm/data" - # -- Should VSecM Safe use FIPS-compliant encryption? - - name: VSECM_SAFE_FIPS_COMPLIANT - value: "false" - # -- The IV initialization interval (in milliseconds) for the VSecM Safe. - - name: VSECM_SAFE_IV_INITIALIZATION_INTERVAL - value: "50" - # -- The number of secrets VSecM Safe can buffer before blocking further - # operations until the buffer has space. - - name: VSECM_SAFE_K8S_SECRET_BUFFER_SIZE - value: "10" - # -- How many versions of older secrets should be kept. - - name: VSECM_SAFE_SECRET_BACKUP_COUNT - value: "3" - # -- The number of secrets VSecM Safe can buffer before blocking further - # operations until the buffer has space. - - name: VSECM_SAFE_SECRET_BUFFER_SIZE - value: "10" - # -- The number of secrets VSecM Safe can buffer before blocking further - # operations until the buffer has space. - - name: VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE - value: "10" - # -- The timeout (in milliseconds) for the VSecM Safe to acquire a source. - # After this timeout, the VSecM Safe will bail out. - - name: VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT - value: "10000" - # -- The prefix to use for the workload names, when storing workload - # secrets as Kubernetes secrets. - - name: VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX - value: "k8s:" - # -- The place where the VSecM Safe will store its root key. - # The only possible value is "k8s" at the moment. - - name: VSECM_SAFE_ROOT_KEY_STORE - value: "k8s" - # -- The port that the VSecM Safe will listen on. - - name: VSECM_SAFE_TLS_PORT - value: ":8443" - -# -- Override it with an image pull secret that you need as follows: -# imagePullSecrets: -# - name: my-registry-secret -imagePullSecrets: [] - -# -- The name override of the chart. -nameOverride: "" -# -- The fullname override of the chart. -fullnameOverride: "" - -# -- The service account to use. 
-serviceAccount: - # -- Specifies whether a service account should be created - create: true - # -- Annotations to add to the service account - annotations: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "vsecm-safe" - -# -- Additional pod annotations. -podAnnotations: {} - -# -- Pod security context overrides. -podSecurityContext: - {} - # fsGroup: 2000 - -# -- Service settings. -service: - type: ClusterIP - port: 8443 - targetPort: 8443 - -# -- Resource limits and requests. -resources: - # These are default requests that can be used as a starting point. - # Of course, benchmark your production system to determine the actual - # requests you need. - requests: - memory: "20Mi" - cpu: "5m" - -# -- Autoscaling settings. Note that autoscaling is not supported for VSecM -# Safe yet. For proper operation there should always be a single VSecM Safe -# pod at all times. -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 10 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 diff --git a/helm-charts/0.27.0/charts/sentinel/.helmignore b/helm-charts/0.27.0/charts/sentinel/.helmignore deleted file mode 100644 index 0e8a0eb3..00000000 --- a/helm-charts/0.27.0/charts/sentinel/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/helm-charts/0.27.0/charts/sentinel/Chart.yaml b/helm-charts/0.27.0/charts/sentinel/Chart.yaml deleted file mode 100644 index adb4d011..00000000 --- a/helm-charts/0.27.0/charts/sentinel/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v2 -name: sentinel -description: Helm chart for sentinel - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.27.0 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "0.27.0" diff --git a/helm-charts/0.27.0/charts/sentinel/README.md b/helm-charts/0.27.0/charts/sentinel/README.md deleted file mode 100644 index 97c8a01d..00000000 --- a/helm-charts/0.27.0/charts/sentinel/README.md +++ /dev/null 
@@ -1,45 +0,0 @@ -# sentinel - -![Version: 0.27.0](https://img.shields.io/badge/Version-0.27.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.0](https://img.shields.io/badge/AppVersion-0.27.0-informational?style=flat-square) - -Helm chart for sentinel - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling settings. Note that autoscaling does not make sense for VSecM Sentinel as it is a control plane component that is mainly used as a CLI tool. It is not a server that is expected to be running all the time. | -| environments | list | `[{"name":"SPIFFE_ENDPOINT_SOCKET","value":"unix:///spire-agent-socket/spire-agent.sock"},{"name":"VSECM_BACKOFF_DELAY","value":"1000"},{"name":"VSECM_BACKOFF_MAX_RETRIES","value":"10"},{"name":"VSECM_BACKOFF_MAX_WAIT","value":"10000"},{"name":"VSECM_BACKOFF_MODE","value":"exponential"},{"name":"VSECM_LOG_LEVEL","value":"7"},{"name":"VSECM_LOG_SECRET_FINGERPRINTS","value":"false"},{"name":"VSECM_PROBE_LIVENESS_PORT","value":":8081"},{"name":"VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER","value":"false"},{"name":"VSECM_SENTINEL_INIT_COMMAND_PATH","value":"/opt/vsecm-sentinel/init/data"},{"name":"VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE","value":"0"},{"name":"VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC","value":"0"},{"name":"VSECM_SENTINEL_LOGGER_URL","value":"localhost:50051"},{"name":"VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL","value":"http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect"},{"name":"VSECM_SENTINEL_SECRET_GENERATION_PREFIX","value":"gen:"}]` | See https://vsecm.com/configuration for more information about these environment variables. 
| -| environments[0] | object | `{"name":"SPIFFE_ENDPOINT_SOCKET","value":"unix:///spire-agent-socket/spire-agent.sock"}` | The SPIFFE endpoint socket. This is used to communicate with the SPIRE. The name of the socket should match spireAgent.socketName in values.yaml of the SPIRE chart. | -| environments[10] | object | `{"name":"VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE","value":"0"}` | The amount of time to wait (in milliseconds) after all initialization commands are executed. | -| environments[11] | object | `{"name":"VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC","value":"0"}` | The amount of time to wait (in milliseconds) before executing the initialization commands. | -| environments[12] | object | `{"name":"VSECM_SENTINEL_LOGGER_URL","value":"localhost:50051"}` | VSecM Sentinel uses a gRPC logger to log audit events. This is the URL of the gRPC logger. | -| environments[13] | object | `{"name":"VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL","value":"http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect"}` | The OIDC provider's base URL. This is the URL that VSecM Sentinel will use to introspect the token. | -| environments[14] | object | `{"name":"VSECM_SENTINEL_SECRET_GENERATION_PREFIX","value":"gen:"}` | The prefix to hint to generate secrets randomly based on regex-like patterns. | -| environments[1] | object | `{"name":"VSECM_BACKOFF_DELAY","value":"1000"}` | The interval between retries (in milliseconds) for the default backoff strategy. | -| environments[2] | object | `{"name":"VSECM_BACKOFF_MAX_RETRIES","value":"10"}` | The maximum number of retries for the default backoff strategy before it gives up. | -| environments[3] | object | `{"name":"VSECM_BACKOFF_MAX_WAIT","value":"10000"}` | The maximum wait time (in milliseconds) for the default backoff strategy. | -| environments[4] | object | `{"name":"VSECM_BACKOFF_MODE","value":"exponential"}` | The backoff mode. The default is "exponential". 
Allowed values: "exponential", "linear" | -| environments[5] | object | `{"name":"VSECM_LOG_LEVEL","value":"7"}` | The log level. 0: Logs are off (only audit events will be logged), 7: TRACE level logging (maximum verbosity). | -| environments[6] | object | `{"name":"VSECM_LOG_SECRET_FINGERPRINTS","value":"false"}` | Useful for debugging. This will log cryptographic fingerprints of secrets without revealing the secret itself. It is recommended to keep this "false" in production. | -| environments[7] | object | `{"name":"VSECM_PROBE_LIVENESS_PORT","value":":8081"}` | The port that the liveness probe listens on. | -| environments[8] | object | `{"name":"VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER","value":"false"}` | Enable or disable OIDC resource server. When enabled, VSecM Sentinel will act as an OIDC resource server. Note that exposing VSecM Sentinel's functionality through a server significantly alters the attack surface, and the decision should be considered carefully. This option will create a RESTful API around VSecM Sentinel. Since VSecM Sentinel is the main entry point to the system, the server's security is important. Ideally, do not expose this server to the public Internet and protect it with tight security controls. | -| environments[9] | object | `{"name":"VSECM_SENTINEL_INIT_COMMAND_PATH","value":"/opt/vsecm-sentinel/init/data"}` | The path where the initialization commands are mounted. | -| fullnameOverride | string | `""` | The fullname override of the chart. | -| imagePullSecrets | list | `[]` | | -| initCommand | object | `{"command":"exit:true\n--\n","enabled":true}` | The custom initialization commands that will be executed by the VSecM Sentinel during its initial bootstrapping. The commands are executed in the order they are provided. See the official documentation for more information: https://vsecm.com/configuration | -| initCommand.enabled | bool | `true` | Specifies whether the custom initialization commands are enabled. 
If set to 'false', the custom initialization commands will not be executed. | -| livenessPort | int | `8081` | The port that the liveness probe listens on. | -| nameOverride | string | `""` | The name override of the chart. | -| podAnnotations | object | `{}` | Additional pod annotations. | -| podSecurityContext | object | `{}` | Pod security context overrides. | -| replicaCount | int | `1` | Number of replicas to deploy. Note that values greater than 1 are not supported yet. | -| resources.requests.cpu | string | `"5m"` | | -| resources.requests.memory | string | `"20Mi"` | | -| serviceAccount | object | `{"annotations":{},"create":true,"name":"vsecm-sentinel"}` | The service account to use. | -| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | -| serviceAccount.name | string | `"vsecm-sentinel"` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/helm-charts/0.27.0/charts/sentinel/templates/Deployment.yaml b/helm-charts/0.27.0/charts/sentinel/templates/Deployment.yaml deleted file mode 100644 index f456c96e..00000000 --- a/helm-charts/0.27.0/charts/sentinel/templates/Deployment.yaml +++ /dev/null 
@@ -1,157 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "sentinel.fullname" . }} - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "sentinel.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "sentinel.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "sentinel.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "sentinel.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - - priorityClassName: system-cluster-critical - - containers: - - name: main - image: "{{ .Values.global.registry }}/{{- include "sentinel.repository" .}}:{{ .Values.global.images.sentinel.tag }}" - imagePullPolicy: {{ .Values.global.images.sentinel.pullPolicy }} - volumeMounts: - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - {{- if .Values.initCommand.enabled }} - - name: init-command-volume - # /opt/vsecm-sentinel/init/data will contain the init script. - mountPath: /opt/vsecm-sentinel/init - {{- end }} - # - # You can configure VSecM Sentinel by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. 
- # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Sentinel will assume the default values outlined in the given link above. - # - env: - {{- $safeEndpointUrlSet := false }} - {{- $safeSpiffeIdPrefixSet := false }} - {{- $sentinelSpiffeIdPrefixSet := false }} - {{- $workloadSpiffeIdPrefixSet := false }} - {{- $vsecmNamespaceSet := false }} - {{- $spireNamespaceSet := false }} - {{- $spiffeTrustDomainSet := false}} - {{- $workloadNameRegExpSet := false}} - {{- range .Values.environments }} - {{- if eq .name "VSECM_SAFE_ENDPOINT_URL" }} - {{- $safeEndpointUrlSet = true }} - {{- end }} - {{- if eq .name "VSECM_SPIFFEID_PREFIX_SAFE" }} - {{- $safeSpiffeIdPrefixSet = true }} - {{- end }} - {{- if eq .name "VSECM_SPIFFEID_PREFIX_SENTINEL" }} - {{- $sentinelSpiffeIdPrefixSet = true }} - {{- end }} - {{- if eq .name "VSECM_SPIFFEID_PREFIX_WORKLOAD" }} - {{- $workloadSpiffeIdPrefixSet = true }} - {{- end }} - {{ if eq .name "VSECM_NAMESPACE_SYSTEM" }} - {{- $vsecmNamespaceSet = true }} - {{- end }} - {{ if eq .name "VSECM_NAMESPACE_SPIRE" }} - {{- $spireNamespaceSet = true }} - {{- end }} - {{ if eq .name "SPIFFE_TRUST_DOMAIN" }} - {{- $spiffeTrustDomainSet = true }} - {{- end }} - {{ if eq .name "VSECM_WORKLOAD_NAME_REGEXP" }} - {{- $workloadNameRegExpSet = true }} - {{- end }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- end }} - {{- if not $safeEndpointUrlSet }} - - name: VSECM_SAFE_ENDPOINT_URL - value: {{ .Values.global.vsecm.safeEndpointUrl | quote }} - {{- end }} - {{- if not $safeSpiffeIdPrefixSet }} - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: {{ .Values.global.vsecm.safeSpiffeIdPrefix | quote }} - {{- end }} - {{- if not $sentinelSpiffeIdPrefixSet }} - - name: VSECM_SPIFFEID_PREFIX_SENTINEL - value: {{ .Values.global.vsecm.sentinelSpiffeIdPrefix | quote }} - {{- end }} - {{- if not $workloadSpiffeIdPrefixSet }} - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: {{ .Values.global.vsecm.workloadSpiffeIdPrefix | quote }} 
- {{- end }} - {{- if not $vsecmNamespaceSet }} - - name: VSECM_NAMESPACE_SYSTEM - value: {{ .Values.global.vsecm.namespace | quote }} - {{- end }} - {{- if not $spireNamespaceSet }} - - name: VSECM_NAMESPACE_SPIRE - value: {{ .Values.global.spire.namespace | quote }} - {{- end }} - {{ if not $spiffeTrustDomainSet }} - - name: SPIFFE_TRUST_DOMAIN - value: {{ .Values.global.spire.trustDomain | quote }} - {{- end }} - {{- if not $workloadNameRegExpSet }} - - name: VSECM_WORKLOAD_NAME_REGEXP - value: {{ .Values.global.vsecm.workloadNameRegExp | quote }} - {{- end }} - livenessProbe: - httpGet: - path: / - port: {{ .Values.livenessPort }} - initialDelaySeconds: 1 - periodSeconds: 10 - resources: - requests: - memory: {{ .Values.resources.requests.memory }} - cpu: {{ .Values.resources.requests.cpu }} - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - {{- if .Values.initCommand.enabled }} - - name: init-command-volume - secret: - secretName: vsecm-sentinel-init-secret - {{- end }} diff --git a/helm-charts/0.27.0/charts/sentinel/templates/Identity.yaml b/helm-charts/0.27.0/charts/sentinel/templates/Identity.yaml deleted file mode 100644 index 434a3eb8..00000000 --- a/helm-charts/0.27.0/charts/sentinel/templates/Identity.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: {{ include "sentinel.fullname" . }} - labels: - {{- include "sentinel.labels" . | nindent 4 }} -spec: - className: {{ .Values.global.spire.controllerManagerClassName | quote }} - spiffeIDTemplate: {{ .Values.global.vsecm.sentinelSpiffeIdTemplate }} - podSelector: - matchLabels: - app.kubernetes.io/name: {{ include "sentinel.fullname" . }} - app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }} - workloadSelectorTemplates: - - "k8s:ns:{{ .Values.global.vsecm.namespace }}" - - "k8s:sa:{{ include "sentinel.serviceAccountName" . }}" diff --git a/helm-charts/0.27.0/charts/sentinel/templates/Role.yaml b/helm-charts/0.27.0/charts/sentinel/templates/Role.yaml deleted file mode 100644 index 49c9e02c..00000000 --- a/helm-charts/0.27.0/charts/sentinel/templates/Role.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: vsecm-sentinel-secret-reader - namespace: {{ .Values.global.vsecm.namespace }} -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - resourceNames: ["vsecm-sentinel-init-secret"] - - diff --git a/helm-charts/0.27.0/charts/sentinel/templates/RoleBinding.yaml b/helm-charts/0.27.0/charts/sentinel/templates/RoleBinding.yaml deleted file mode 100644 index 70e8b8fc..00000000 
--- a/helm-charts/0.27.0/charts/sentinel/templates/RoleBinding.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: read-secrets - namespace: {{ .Values.global.vsecm.namespace }} -subjects: - - kind: ServiceAccount - name: {{ include "sentinel.serviceAccountName" . }} - namespace: {{ .Values.global.vsecm.namespace }} -roleRef: - kind: Role - name: vsecm-sentinel-secret-reader - apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/helm-charts/0.27.0/charts/sentinel/templates/Secret.yaml b/helm-charts/0.27.0/charts/sentinel/templates/Secret.yaml deleted file mode 100644 index e882fd3e..00000000 --- a/helm-charts/0.27.0/charts/sentinel/templates/Secret.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{- if .Values.initCommand.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: vsecm-sentinel-init-secret - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "sentinel.labels" . | nindent 4 }} - app.kubernetes.io/operated-by: vsecm - annotations: - kubernetes.io/service-account.name: {{ include "sentinel.serviceAccountName" . }} -type: Opaque -stringData: - data: {{ .Values.initCommand.command | quote }} -{{- end }} diff --git a/helm-charts/0.27.0/charts/sentinel/templates/ServiceAccount.yaml b/helm-charts/0.27.0/charts/sentinel/templates/ServiceAccount.yaml deleted file mode 100644 index c9d9bbe9..00000000 
--- a/helm-charts/0.27.0/charts/sentinel/templates/ServiceAccount.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "sentinel.serviceAccountName" . }} - namespace: {{ .Values.global.vsecm.namespace }} - labels: - {{- include "sentinel.labels" . | nindent 4 }} - annotations: - kubernetes.io/enforce-mountable-secrets: "true" - kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret - {{- with .Values.serviceAccount.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -automountServiceAccountToken: false -secrets: - - name: vsecm-sentinel-init-secret -{{- end }} diff --git a/helm-charts/0.27.0/charts/sentinel/templates/_helpers.tpl b/helm-charts/0.27.0/charts/sentinel/templates/_helpers.tpl deleted file mode 100644 index 914b1544..00000000 --- a/helm-charts/0.27.0/charts/sentinel/templates/_helpers.tpl +++ /dev/null 
@@ -1,86 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{/* -Expand the name of the chart. -*/}} -{{- define "sentinel.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "sentinel.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "sentinel.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "sentinel.labels" -}} -helm.sh/chart: {{ include "sentinel.chart" . }} -{{ include "sentinel.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "sentinel.selectorLabels" -}} -app.kubernetes.io/name: {{ include "sentinel.fullname" . 
}} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/part-of: {{ .Values.global.vsecm.namespace }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "sentinel.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "sentinel.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -Define image for VSecM Sentinel -*/}} -{{- define "sentinel.repository" -}} -{{- if eq (lower $.Values.global.baseImage) "distroless" }} -{{- .Values.global.images.sentinel.distrolessRepository }} -{{- else if eq (lower $.Values.global.baseImage) "distroless-fips" }} -{{- .Values.global.images.sentinel.distrolessFipsRepository }} -{{- else }} -{{- .Values.global.images.sentinel.distrolessRepository }} -{{- end }} -{{- end }} diff --git a/helm-charts/0.27.0/charts/sentinel/values.yaml b/helm-charts/0.27.0/charts/sentinel/values.yaml deleted file mode 100644 index f9244c45..00000000 --- a/helm-charts/0.27.0/charts/sentinel/values.yaml +++ /dev/null 
@@ -1,163 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# -- Number of replicas to deploy. Note that values greater than 1 are not -# supported yet. -replicaCount: 1 - -# -- The port that the liveness probe listens on. -livenessPort: 8081 - -# -- See https://vsecm.com/configuration for more information -# about these environment variables. -environments: - # -- The SPIFFE endpoint socket. This is used to communicate with the SPIRE. - # The name of the socket should match spireAgent.socketName in values.yaml - # of the SPIRE chart. - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - # -- The interval between retries (in milliseconds) for the default backoff strategy. - - name: VSECM_BACKOFF_DELAY - value: "1000" - # -- The maximum number of retries for the default backoff strategy before it gives up. - - name: VSECM_BACKOFF_MAX_RETRIES - value: "10" - # -- The maximum wait time (in milliseconds) for the default backoff strategy. - - name: VSECM_BACKOFF_MAX_WAIT - value: "10000" - # -- The backoff mode. The default is "exponential". - # Allowed values: "exponential", "linear" - - name: VSECM_BACKOFF_MODE - value: "exponential" - # -- The log level. 0: Logs are off (only audit events will be logged), - # 7: TRACE level logging (maximum verbosity). - - name: VSECM_LOG_LEVEL - value: "7" - # -- Useful for debugging. This will log cryptographic fingerprints of - # secrets without revealing the secret itself. It is recommended to keep - # this "false" in production. - - name: VSECM_LOG_SECRET_FINGERPRINTS - value: "false" - # -- The port that the liveness probe listens on. - - name: VSECM_PROBE_LIVENESS_PORT - value: ":8081" - # -- Enable or disable OIDC resource server. 
When enabled, VSecM Sentinel will - # act as an OIDC resource server. Note that exposing VSecM Sentinel's functionality - # through a server significantly alters the attack surface, and the decision - # should be considered carefully. This option will create a RESTful API around VSecM - # Sentinel. Since VSecM Sentinel is the main entry point to the system, the - # server's security is important. Ideally, do not expose this server to the - # public Internet and protect it with tight security controls. - - name: VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER - value: "false" - # -- The path where the initialization commands are mounted. - - name: VSECM_SENTINEL_INIT_COMMAND_PATH - value: "/opt/vsecm-sentinel/init/data" - # -- The amount of time to wait (in milliseconds) after all - # initialization commands are executed. - - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE - value: "0" - # -- The amount of time to wait (in milliseconds) before executing the - # initialization commands. - - name: VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC - value: "0" - # -- VSecM Sentinel uses a gRPC logger to log audit events. This is the URL of the - # gRPC logger. - - name: VSECM_SENTINEL_LOGGER_URL - value: "localhost:50051" - # -- The OIDC provider's base URL. This is the URL that VSecM Sentinel will use to - # introspect the token. - - name: VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL - value: "http://0.0.0.0:8080/auth/realms/XXXXX/protocol/openid-connect/token/introspect" - # -- The prefix to hint to generate secrets randomly based on regex-like patterns. - - name: VSECM_SENTINEL_SECRET_GENERATION_PREFIX - value: "gen:" - -# Override it with an image pull secret that you need as follows: -# imagePullSecrets: -# - name: my-registry-secret -imagePullSecrets: [] - -# -- The name override of the chart. -nameOverride: "" -# -- The fullname override of the chart. -fullnameOverride: "" - -# -- The service account to use. 
-serviceAccount: - # -- Specifies whether a service account should be created - create: true - # -- Annotations to add to the service account - annotations: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "vsecm-sentinel" - -# -- Additional pod annotations. -podAnnotations: {} - -# -- Pod security context overrides. -podSecurityContext: {} - # fsGroup: 2000 - -resources: - # These are default requests that can be used as a starting point. - # Of course, benchmark your production system to determine the actual - # requests you need. - requests: - memory: "20Mi" - cpu: "5m" - -# -- Autoscaling settings. Note that autoscaling does not make sense for VSecM -# Sentinel as it is a control plane component that is mainly used as a CLI -# tool. It is not a server that is expected to be running all the time. -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -# -- The custom initialization commands that will be executed by the VSecM -# Sentinel during its initial bootstrapping. The commands are executed in the -# order they are provided. See the official documentation for more information: -# https://vsecm.com/configuration -initCommand: - # -- Specifies whether the custom initialization commands are enabled. - # If set to 'false', the custom initialization commands will not be executed. - enabled: true - - # Add any initialization command here, separated by a line with only "--" - # The command stanza MUST end with a "--". 
- command: | - exit:true - -- - - # Example: - # -------- - # - # sleep:30001 - # -- - # w:keycloak-admin-secret,keycloak-db-secret - # n:smo-app,web-app - # s:gen:{"username":"admin-[a-z0-9]{6}","password":"[a-zA-Z0-9]{12}"} - # t:{"KEYCLOAK_ADMIN_USER":"{{.username}}","KEYCLOAK_ADMIN_PASSWORD":"{{.password}}"} - # -- - # w:k8s:keycloak-db-secret - # n:smo-app - # s:gen:{"username":"admin-[a-z0-9]{6}","password":"[a-zA-Z0-9]{12}"} - # t:{"KEYCLOAK_DB_USER":"{{.username}}","KEYCLOAK_DB_PASSWORD":"{{.password}}"} - # -- - # sleep:5000 - # -- - # w:keycloak - # n:default - # s:trigger-init - # -- diff --git a/helm-charts/0.27.0/charts/spire/.helmignore b/helm-charts/0.27.0/charts/spire/.helmignore deleted file mode 100644 index 0e8a0eb3..00000000 --- a/helm-charts/0.27.0/charts/spire/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/helm-charts/0.27.0/charts/spire/Chart.yaml b/helm-charts/0.27.0/charts/spire/Chart.yaml deleted file mode 100644 index de4d0926..00000000 --- a/helm-charts/0.27.0/charts/spire/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v2 -name: spire -description: Helm chart for spire - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.27.0 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "0.27.0" diff --git a/helm-charts/0.27.0/charts/spire/README.md b/helm-charts/0.27.0/charts/spire/README.md deleted file mode 100644 index a732e77a..00000000 --- a/helm-charts/0.27.0/charts/spire/README.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# spire - -![Version: 0.27.0](https://img.shields.io/badge/Version-0.27.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.0](https://img.shields.io/badge/AppVersion-0.27.0-informational?style=flat-square) - -Helm chart for spire - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| data | object | `{"persistent":true,"persistentVolumeClaim":{"accessMode":"ReadWriteOnce","size":"1Gi","storageClass":""}}` | Persistence settings for the SPIRE Server. | -| data.persistent | bool | `true` | Persistence is enabled by default. However, you are recommended to provide your own storage class if you are using a cloud provider or a storage solution that supports dynamic provisioning. | -| data.persistentVolumeClaim | object | `{"accessMode":"ReadWriteOnce","size":"1Gi","storageClass":""}` | Define the PVC if `persistent` is true. | -| experimental | object | `{"eventsBasedCache":false}` | Experimental settings. | -| experimental.eventsBasedCache | bool | `false` | eventsBasedCache is known to significantly improve SPIRE Server performance. It is set to `false` by default, just in case. | -| fullnameOverride | string | `""` | The fullname override of the chart. | -| imagePullSecrets | list | `[]` | Override it with an image pull secret that you need as follows: imagePullSecrets: - name: my-registry-secret | -| nameOverride | string | `""` | The name override of the chart. | -| resources | object | `{"agent":{"requests":{"cpu":"50m","memory":"512Mi"}},"server":{"requests":{"cpu":"100m","memory":"1Gi"}},"spiffeCsiDriver":{"requests":{"cpu":"50m","memory":"128Mi"}}}` | These are the default resources suitable for a moderate SPIRE usage. Of course, it's best to do your own benchmarks and update these requests and limits to your production needs accordingly. 
That being said, as a rule of thumb, do not limit the CPU request on SPIRE Agent and SPIRE server. It's best to let them leverage the available excess CPU, if available. | -| resources.agent | object | `{"requests":{"cpu":"50m","memory":"512Mi"}}` | SPIRE Agent resource requests and limits. | -| resources.server | object | `{"requests":{"cpu":"100m","memory":"1Gi"}}` | SPIRE Server resource requests and limits. | -| resources.spiffeCsiDriver | object | `{"requests":{"cpu":"50m","memory":"128Mi"}}` | SPIFFE CSI Driver resource requests and limits. | -| spireAgent | object | `{"hostSocketDir":"/run/spire/agent-sockets","internalAdminSocketDir":"/tmp/spire-agent/private","internalPublicSocketDir":"/tmp/spire-agent/public","socketName":"spire-agent.sock"}` | SPIRE Agent settings. | -| spireAgent.hostSocketDir | string | `"/run/spire/agent-sockets"` | The corresponding SPIRE Agent socket directory on the host. SPIRE Agents and SPIFFE CSI Driver shares this directory. | -| spireAgent.internalAdminSocketDir | string | `"/tmp/spire-agent/private"` | The corresponding SPIRE Agent internal admin directory in the container. The configuration should match the SPIRE Agent configuration and SPIRE Agent DaemonSet. You are advised not to change this value. | -| spireAgent.internalPublicSocketDir | string | `"/tmp/spire-agent/public"` | The corresponding SPIRE Agent internal socket directory in the container. The configuration should match the SPIRE Agent configuration and SPIRE Agent DaemonSet. | -| spireAgent.socketName | string | `"spire-agent.sock"` | The SPIRE Agent socket name. | -| spireServer | object | `{"configDir":"/run/spire/config","dataDir":"/run/spire/data","privateSocketDir":"/tmp/spire-server/private","service":{"type":"ClusterIP"}}` | SPIRE Server settings. | -| spireServer.configDir | string | `"/run/spire/config"` | The configuration directory for the SPIRE Server. | -| spireServer.dataDir | string | `"/run/spire/data"` | The data directory for the SPIRE Server. 
SPIRE Server’s ConfigMap and StatefulSet should agree on this directory. | -| spireServer.privateSocketDir | string | `"/tmp/spire-server/private"` | The private socket directory for the SPIRE Server. SPIRE Server’s ConfigMap and StatefulSet should agree on this directory. | -| spireServer.service | object | `{"type":"ClusterIP"}` | Service details for the SPIRE Server. | -| spireServer.service.type | string | `"ClusterIP"` | Service type. Possible values are: ClusterIP, NodePort, LoadBalancer. Defaults to `ClusterIP`. | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/helm-charts/0.27.0/charts/spire/templates/_helpers.tpl b/helm-charts/0.27.0/charts/spire/templates/_helpers.tpl deleted file mode 100644 index bfccb818..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/_helpers.tpl +++ /dev/null 
@@ -1,61 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{/* -Expand the name of the chart. -*/}} -{{- define "spire.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "spire.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "spire.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "spire.labels" -}} -helm.sh/chart: {{ include "spire.chart" . }} -{{ include "spire.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "spire.selectorLabels" -}} -app.kubernetes.io/name: {{ include "spire.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} 
diff --git a/helm-charts/0.27.0/charts/spire/templates/clusterrole-spire-agent.yaml b/helm-charts/0.27.0/charts/spire/templates/clusterrole-spire-agent.yaml deleted file mode 100644 index ddda58ac..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/clusterrole-spire-agent.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Required cluster role to allow spire-agent to query k8s API server -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent -rules: - - apiGroups: [""] - resources: - - pods - - nodes - - nodes/proxy - verbs: ["get"] diff --git a/helm-charts/0.27.0/charts/spire/templates/clusterrole-spire-server-spire-controller-manager.yaml b/helm-charts/0.27.0/charts/spire/templates/clusterrole-spire-server-spire-controller-manager.yaml deleted file mode 100644 index 2755cef5..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/clusterrole-spire-server-spire-controller-manager.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: spire-server-spire-controller-manager -rules: - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "patch", "watch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains/status"] - verbs: ["get", "patch", "update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids/status"] - verbs: ["get", "patch", "update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterstaticentries"] - verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterstaticentries/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterstaticentries/status"] - verbs: ["get", "patch", "update"] 
diff --git a/helm-charts/0.27.0/charts/spire/templates/clusterrole-spire-server-spire-server.yaml b/helm-charts/0.27.0/charts/spire/templates/clusterrole-spire-server-spire-server.yaml deleted file mode 100644 index c4e288f1..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/clusterrole-spire-server-spire-server.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# ClusterRole to allow spire-server node attestor to query Token Review API -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-spire-server -rules: -{{- if .Values.global.enableOpenShift }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["get", "create"] -{{- else }} - - apiGroups: [""] - resources: [nodes, pods] - verbs: ["get", "list"] - - apiGroups: [authentication.k8s.io] - resources: [tokenreviews] - verbs: ["get", "watch", "list", "create"] -{{- end }} diff --git a/helm-charts/0.27.0/charts/spire/templates/clusterrolebinding-spire-agent.yaml b/helm-charts/0.27.0/charts/spire/templates/clusterrolebinding-spire-agent.yaml deleted file mode 100644 index c02d04ea..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/clusterrolebinding-spire-agent.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Binds SPIRE Agent Cluster Role to spire-agent service account -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent -subjects: - - kind: ServiceAccount - name: spire-agent - namespace: {{ .Values.global.spire.namespace }} -roleRef: - kind: ClusterRole - name: spire-agent - apiGroup: rbac.authorization.k8s.io diff --git a/helm-charts/0.27.0/charts/spire/templates/clusterrolebinding-spire-server-spire-controller-manager.yaml b/helm-charts/0.27.0/charts/spire/templates/clusterrolebinding-spire-server-spire-controller-manager.yaml deleted file mode 100644 index 350b095b..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/clusterrolebinding-spire-server-spire-controller-manager.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: spire-server-spire-controller-manager -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: spire-server-spire-controller-manager -subjects: - - kind: ServiceAccount - name: spire-server - namespace: {{ .Values.global.spire.serverNamespace }} diff --git a/helm-charts/0.27.0/charts/spire/templates/clusterrolebinding-spire-server-spire-server.yaml b/helm-charts/0.27.0/charts/spire/templates/clusterrolebinding-spire-server-spire-server.yaml deleted file mode 100644 index 53f50c8e..00000000 
--- a/helm-charts/0.27.0/charts/spire/templates/clusterrolebinding-spire-server-spire-server.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Binds spire-server-spire-server cluster role to spire-agent service account -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-spire-server - -subjects: - - kind: ServiceAccount - name: spire-server - namespace: {{ .Values.global.spire.serverNamespace }} -roleRef: - kind: ClusterRole - name: spire-server-spire-server - apiGroup: rbac.authorization.k8s.io diff --git a/helm-charts/0.27.0/charts/spire/templates/clusterspiffeid-spire-server-spire-default.yaml b/helm-charts/0.27.0/charts/spire/templates/clusterspiffeid-spire-server-spire-default.yaml deleted file mode 100644 index ef8db644..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/clusterspiffeid-spire-server-spire-default.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{- if .Values.enableSpireMintedDefaultClusterSpiffeIds }} -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: spire-server-spire-default -spec: - className: {{ .Values.global.spire.controllerManagerClassName | quote }} - spiffeIDTemplate: "spiffe://{{"{{"}} .TrustDomain {{"}}"}}/ns/{{"{{"}} .PodMeta.Namespace {{"}}"}}/sa/{{"{{"}} .PodSpec.ServiceAccountName {{"}}"}}" - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - spire-server - - spire-system - - vsecm-system -{{- end }} \ No newline at end of file diff --git a/helm-charts/0.27.0/charts/spire/templates/clusterspiffeid-spire-server-spire-test-keys.yaml b/helm-charts/0.27.0/charts/spire/templates/clusterspiffeid-spire-server-spire-test-keys.yaml deleted file mode 100644 index 38f5582d..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/clusterspiffeid-spire-server-spire-test-keys.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: spire-server-spire-test-keys -spec: - className: {{ .Values.global.spire.controllerManagerClassName | quote }} - spiffeIDTemplate: "spiffe://{{"{{"}} .TrustDomain {{"}}"}}/ns/{{"{{"}} .PodMeta.Namespace {{"}}"}}/sa/{{"{{"}} .PodSpec.ServiceAccountName {{"}}"}}" - podSelector: - matchLabels: - component: test-keys - release: spire - release-namespace: {{ .Values.global.spire.serverNamespace }} - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - - spire-server - - spire-system - - vsecm-system diff --git a/helm-charts/0.27.0/charts/spire/templates/configmap-spire-agent.yaml b/helm-charts/0.27.0/charts/spire/templates/configmap-spire-agent.yaml deleted file mode 100644 index ebac0aec..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/configmap-spire-agent.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-agent - namespace: {{ .Values.global.spire.namespace }} -data: - agent.conf: | - { - "agent": { - "data_dir": "/run/spire", - "log_level": "info", - "retry_bootstrap": true, - "server_address": "spire-server.spire-server", - "server_port": "443", - "socket_path": "{{ .Values.spireAgent.internalPublicSocketDir }}/{{ .Values.spireAgent.socketName }}", - "trust_bundle_path": "/run/spire/bundle/bundle.crt", - "trust_domain": "vsecm.com" - }, - "health_checks": { - "bind_address": "0.0.0.0", - "bind_port": "9982", - "listener_enabled": true, - "live_path": "/live", - "ready_path": "/ready" - }, - "plugins": { - "KeyManager": [ - { - "memory": { - "plugin_data": null - } - } - ], - "NodeAttestor": [ - { - "k8s_psat": { - "plugin_data": { - "cluster": "vsecm-cluster" - } - } - } - ], - "WorkloadAttestor": [ - { - "k8s": { - "plugin_data": { - "disable_container_selectors": false, - "skip_kubelet_verification": true, - "use_new_container_locator": false, - "verbose_container_locator_logs": false - } - } - } - ] - }, - "telemetry": [ - { - "Prometheus": [ - { - "host": "0.0.0.0", - "port": 9988 - } - ] - } - ] - } \ No newline at end of file diff --git a/helm-charts/0.27.0/charts/spire/templates/configmap-spire-bundle.yaml b/helm-charts/0.27.0/charts/spire/templates/configmap-spire-bundle.yaml deleted file mode 100644 index 7cb7656c..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/configmap-spire-bundle.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-bundle - namespace: {{ .Values.global.spire.namespace }} diff --git a/helm-charts/0.27.0/charts/spire/templates/configmap-spire-controller-manager.yaml b/helm-charts/0.27.0/charts/spire/templates/configmap-spire-controller-manager.yaml deleted file mode 100644 index 72bbed59..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/configmap-spire-controller-manager.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-controller-manager - namespace: {{ .Values.global.spire.serverNamespace }} -data: - controller-manager-config.yaml: | - - apiVersion: spire.spiffe.io/v1alpha1 - kind: ControllerManagerConfig - metadata: - name: spire-controller-manager - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - metrics: - bindAddress: 0.0.0.0:8082 - health: - healthProbeBindAddress: 0.0.0.0:8083 - leaderElection: - leaderElect: true - resourceName: 6f304bd2.spiffe.io - resourceNamespace: {{ .Values.global.spire.serverNamespace }} - validatingWebhookConfigurationName: spire-server-spire-controller-manager-webhook - entryIDPrefix: vsecm-cluster - clusterName: vsecm-cluster - trustDomain: vsecm.com - ignoreNamespaces: - - kube-system - - kube-public - - local-path-storage - - openshift-cluster-node-tuning-operator - - openshift-cluster-samples-operator - - openshift-cluster-storage-operator - - openshift-console-operator - - openshift-console - - openshift-dns - - openshift-dns-operator - - openshift-image-registry - - openshift-ingress - - openshift-kube-storage-version-migrator - - openshift-kube-storage-version-migrator-operator - - openshift-kube-proxy - - openshift-marketplace - - openshift-monitoring - - openshift-multus - - openshift-network-diagnostics - - openshift-network-operator - - openshift-operator-lifecycle-manager - - openshift-roks-metrics - - openshift-service-ca-operator - - openshift-service-ca - - 
ibm-odf-validation-webhook - - ibm-system - spireServerSocketPath: "{{ .Values.spireServer.privateSocketDir }}/api.sock" - className: {{ .Values.global.spire.controllerManagerClassName | quote }} - watchClassless: false - parentIDTemplate: "spiffe://{{"{{"}} .TrustDomain {{"}}"}}/spire/agent/k8s_psat/{{"{{"}} .ClusterName {{"}}"}}/{{"{{"}} .NodeMeta.UID {{"}}"}}" - reconcile: - clusterSPIFFEIDs: true - clusterStaticEntries: true - clusterFederatedTrustDomains: true diff --git a/helm-charts/0.27.0/charts/spire/templates/configmap-spire-server.yaml b/helm-charts/0.27.0/charts/spire/templates/configmap-spire-server.yaml deleted file mode 100644 index 11445520..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/configmap-spire-server.yaml +++ /dev/null 
@@ -1,118 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-server - namespace: {{ .Values.global.spire.serverNamespace }} -data: - server.conf: | - { - "health_checks": { - "bind_address": "0.0.0.0", - "bind_port": "8080", - "listener_enabled": true, - "live_path": "/live", - "ready_path": "/ready" - }, - "plugins": { - "DataStore": [ - { - "sql": { - "plugin_data": { - "connection_string": "/run/spire/data/datastore.sqlite3", - "database_type": "sqlite3" - } - } - } - ], - "KeyManager": [ - { - "disk": { - "plugin_data": { - "keys_path": "/run/spire/data/keys.json" - } - } - } - ], - "NodeAttestor": [ - { - "k8s_psat": { - "plugin_data": { - "clusters": [ - { - "vsecm-cluster": { - "allowed_node_label_keys": [], - "allowed_pod_label_keys": [], - "audience": [ - "spire-server" - ], - "service_account_allow_list": [ - "spire-system:spire-agent" - ] - } - } - ] - } - } - } - ], - "Notifier": [ - { - "k8sbundle": { - "plugin_data": { - "config_map": "spire-bundle", - "namespace": "spire-system" - } - } - } - ] - }, - "server": { -{{- if .Values.experimental.eventsBasedCache }} - "experimental": { - "events_based_cache": true - }, -{{- end }} - "audit_log_enabled": false, - "bind_address": "0.0.0.0", - "bind_port": "8081", - "ca_key_type": "rsa-2048", - "ca_subject": [ - { - "common_name": "aegist.ist", - "country": [ - "US" - ], - "organization": [ - "vsecm.com" - ] - } - ], - "ca_ttl": "24h", - "data_dir": "/run/spire/data", - "default_jwt_svid_ttl": "1h", - "default_x509_svid_ttl": "4h", - "jwt_issuer": "https://oidc-discovery.vsecm.com", - "log_level": "info", - "trust_domain": "vsecm.com" - }, - "telemetry": [ - { - "Prometheus": [ - { - "host": "0.0.0.0", - "port": 
9988 - } - ] - } - ] - } diff --git a/helm-charts/0.27.0/charts/spire/templates/daemonset-spire-agent.yaml b/helm-charts/0.27.0/charts/spire/templates/daemonset-spire-agent.yaml deleted file mode 100644 index 24f05a0f..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/daemonset-spire-agent.yaml +++ /dev/null 
@@ -1,170 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: spire-agent - namespace: {{ .Values.global.spire.namespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: agent - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: default -spec: - selector: - matchLabels: - app.kubernetes.io/name: agent - app.kubernetes.io/instance: spire - app.kubernetes.io/component: default - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: spire-agent - checksum/config: 2ad907b85aad20064f4cbf04be0f3bf500bbe6a43f76c82c48eda97306352008 - labels: - app.kubernetes.io/name: agent - app.kubernetes.io/instance: spire - app.kubernetes.io/component: default - spec: -{{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . 
| nindent 8 }} -{{- end }} - - hostPID: true - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - serviceAccountName: spire-agent - securityContext: -{{- if .Values.global.enableOpenShift }} - fsGroupChangePolicy: OnRootMismatch -{{- else }} - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 - {{- end }} - priorityClassName: system-node-critical - initContainers: - - name: ensure-alternate-names - image: "{{ .Values.global.images.spireHelperBash.repository }}:{{ .Values.global.images.spireHelperBash.tag }}" - imagePullPolicy: {{ .Values.global.images.spireHelperBash.pullPolicy }} - command: ["bash", "-xc"] - args: - - | - cd {{ .Values.spireAgent.hostSocketDir }} - L=`readlink socket` - [ "x$L" != "x{{ .Values.spireAgent.socketName }}" ] && rm -f socket - [ ! -L socket ] && ln -s {{ .Values.spireAgent.socketName }} socket - L=`readlink api.sock` - [ "x$L" != "x{{ .Values.spireAgent.socketName }}" ] && rm -f api.sock - [ ! -L api.sock ] && ln -s {{ .Values.spireAgent.socketName }} api.sock - [ -L {{ .Values.spireAgent.socketName }} ] && rm -f {{ .Values.spireAgent.socketName }} - exit 0 - resources: - {} - volumeMounts: - - name: spire-agent-socket-dir - mountPath: {{ .Values.spireAgent.hostSocketDir }} - securityContext: - runAsUser: 0 - runAsGroup: 0 -{{- if not .Values.global.enableOpenShift }} - - name: fsgroupfix - image: "{{ .Values.global.images.spireHelperBash.repository }}:{{ .Values.global.images.spireHelperBash.tag }}" - imagePullPolicy: {{ .Values.global.images.spireHelperBash.pullPolicy }} - command: ["bash", "-c"] - args: - - "chown -R 1000:1000 {{ .Values.spireAgent.hostSocketDir }} {{ .Values.spireAgent.internalAdminSocketDir }}" - resources: - {} - volumeMounts: - - name: spire-agent-socket-dir - mountPath: {{ .Values.spireAgent.hostSocketDir }} - - name: spire-agent-admin-socket-dir - mountPath: {{ .Values.spireAgent.internalAdminSocketDir }} - securityContext: - runAsUser: 0 - runAsGroup: 0 -{{- end }} 
- containers: - - name: spire-agent - image: "{{ .Values.global.images.spireAgent.repository }}:{{ .Values.global.images.spireAgent.tag }}" - imagePullPolicy: {{ .Values.global.images.spireAgent.pullPolicy }} - args: ["-config", "/opt/spire/conf/agent/agent.conf"] - securityContext: - {} - env: - - name: PATH - value: "/opt/spire/bin:/bin" -{{- if .Values.global.enableOpenShift }} - - name: MY_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName -{{- end}} - ports: - - containerPort: 9982 - name: healthz - - containerPort: 9988 - name: prom - volumeMounts: - - name: spire-config - mountPath: /opt/spire/conf/agent - readOnly: true - - name: spire-bundle - mountPath: /run/spire/bundle - readOnly: true - - name: spire-agent-socket-dir - mountPath: {{ .Values.spireAgent.internalPublicSocketDir }} - readOnly: false - - name: spire-token - mountPath: /var/run/secrets/tokens - livenessProbe: - httpGet: - path: /live - port: healthz - initialDelaySeconds: 15 - periodSeconds: 60 - readinessProbe: - httpGet: - path: /ready - port: healthz - initialDelaySeconds: 10 - periodSeconds: 30 - resources: - {} - volumes: - - name: spire-config - configMap: - name: spire-agent - - name: spire-agent-admin-socket-dir - emptyDir: {} - - name: spire-bundle - configMap: - name: spire-bundle - - name: spire-token - projected: - sources: - - serviceAccountToken: - path: spire-agent - expirationSeconds: 7200 - audience: spire-server - - name: spire-agent-socket-dir - hostPath: - path: {{ .Values.spireAgent.hostSocketDir }} - type: DirectoryOrCreate diff --git a/helm-charts/0.27.0/charts/spire/templates/daemonset-spire-spiffe-csi-driver.yaml b/helm-charts/0.27.0/charts/spire/templates/daemonset-spire-spiffe-csi-driver.yaml deleted file mode 100644 index 97cb57bc..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/daemonset-spire-spiffe-csi-driver.yaml +++ /dev/null 
@@ -1,150 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: spire-spiffe-csi-driver - namespace: {{ .Values.global.spire.namespace }} - labels: - hhelm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: spiffe-csi-driver - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "0.2.3" - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - app.kubernetes.io/name: spiffe-csi-driver - app.kubernetes.io/instance: spire - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - labels: - app.kubernetes.io/name: spiffe-csi-driver - app.kubernetes.io/instance: spire - spec: - serviceAccountName: spire-spiffe-csi-driver - - priorityClassName: system-node-critical -{{- if .Values.global.enableOpenShift }} - initContainers: - - name: set-context - command: - - chcon - - '-Rvt' - - container_file_t - - spire-agent-socket/ - image: "{{ .Values.global.images.openShiftHelperUbi9.repository }}/{{ .Values.global.images.openShiftHelperUbi9.tag }}" - imagePullPolicy: {{ .Values.global.images.openShiftHelperUbi9.pullPolicy }} - securityContext: - capabilities: - drop: - - all - privileged: true - volumeMounts: - - name: spire-agent-socket-dir - mountPath: /spire-agent-socket - terminationMessagePolicy: File - terminationMessagePath: /dev/termination-log -{{- end }} - containers: - # This is the container which runs the SPIFFE CSI driver. 
- - name: spiffe-csi-driver - image: "{{ .Values.global.images.spiffeCsiDriver.repository }}:{{ .Values.global.images.spiffeCsiDriver.tag }}" - imagePullPolicy: {{ .Values.global.images.spiffeCsiDriver.pullPolicy }} - args: [ - "-workload-api-socket-dir", "/spire-agent-socket", - "-plugin-name", "csi.spiffe.io", - "-csi-socket-path", "/spiffe-csi/csi.sock", - ] - env: - # The CSI driver needs a unique node ID. The node name can be - # used for this purpose. - - name: MY_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - # The volume containing the SPIRE agent socket. The SPIFFE CSI - # driver will mount this directory into containers. - - mountPath: /spire-agent-socket - name: spire-agent-socket-dir - readOnly: true - # The volume that will contain the CSI driver socket shared - # with the kubelet and the driver registrar. - - mountPath: /spiffe-csi - name: spiffe-csi-socket-dir - # The volume containing mount points for containers. - - mountPath: /var/lib/kubelet/pods - mountPropagation: Bidirectional - name: mountpoint-dir - securityContext: - readOnlyRootFilesystem: true - capabilities: - drop: - - all - privileged: true - resources: - {} - # This container runs the CSI Node Driver Registrar which takes care - # of all the little details required to register a CSI driver with - # the kubelet. 
- - name: node-driver-registrar - image: "{{ .Values.global.images.nodeDriverRegistrar.repository }}:{{ .Values.global.images.nodeDriverRegistrar.tag }}" - imagePullPolicy: {{ .Values.global.images.nodeDriverRegistrar.pullPolicy }} - args: [ - "-csi-address", "/spiffe-csi/csi.sock", - "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", - "-health-port", "9809" - ] - volumeMounts: - # The registrar needs access to the SPIFFE CSI driver socket - - mountPath: /spiffe-csi - name: spiffe-csi-socket-dir - # The registrar needs access to the Kubelet plugin registration - # directory - - name: kubelet-plugin-registration-dir - mountPath: /registration - ports: - - containerPort: 9809 - name: healthz - livenessProbe: - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 5 - timeoutSeconds: 5 - resources: - {} - volumes: - - name: spire-agent-socket-dir - hostPath: - path: {{ .Values.spireAgent.hostSocketDir }} - type: DirectoryOrCreate - # This volume is where the socket for kubelet->driver communication lives - - name: spiffe-csi-socket-dir - hostPath: - path: /var/lib/kubelet/plugins/csi.spiffe.io - type: DirectoryOrCreate - # This volume is where the SPIFFE CSI driver mounts volumes - - name: mountpoint-dir - hostPath: - path: /var/lib/kubelet/pods - type: Directory - # This volume is where the node-driver-registrar registers the plugin - # with kubelet - - name: kubelet-plugin-registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry - type: Directory \ No newline at end of file diff --git a/helm-charts/0.27.0/charts/spire/templates/hook-clusterrole-spire-server-post-install.yaml b/helm-charts/0.27.0/charts/spire/templates/hook-clusterrole-spire-server-post-install.yaml deleted file mode 100644 index c36af7f1..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/hook-clusterrole-spire-server-post-install.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: spire-server-post-install - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -rules: - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - resourceNames: ["spire-server-spire-controller-manager-webhook"] - verbs: ["get", "patch"] diff --git a/helm-charts/0.27.0/charts/spire/templates/hook-clusterrole-spire-server-post-upgrade.yaml b/helm-charts/0.27.0/charts/spire/templates/hook-clusterrole-spire-server-post-upgrade.yaml deleted file mode 100644 index 9ed33674..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/hook-clusterrole-spire-server-post-upgrade.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: spire-server-post-upgrade - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -rules: - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - resourceNames: ["spire-server-spire-controller-manager-webhook"] - verbs: ["get", "patch"] 
diff --git a/helm-charts/0.27.0/charts/spire/templates/hook-clusterrole-spire-server-pre-upgrade.yaml b/helm-charts/0.27.0/charts/spire/templates/hook-clusterrole-spire-server-pre-upgrade.yaml deleted file mode 100644 index 9a138035..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/hook-clusterrole-spire-server-pre-upgrade.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: spire-server-pre-upgrade - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -rules: - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - resourceNames: ["spire-server-spire-controller-manager-webhook"] - verbs: ["get", "patch"] diff --git a/helm-charts/0.27.0/charts/spire/templates/hook-clusterrolebinding-spire-server-post-install.yaml b/helm-charts/0.27.0/charts/spire/templates/hook-clusterrolebinding-spire-server-post-install.yaml deleted file mode 100644 index 822bb3ce..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/hook-clusterrolebinding-spire-server-post-install.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-post-install - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -subjects: - - kind: ServiceAccount - name: spire-server-post-install - namespace: {{ .Values.global.spire.serverNamespace }} -roleRef: - kind: ClusterRole - name: spire-server-post-install - apiGroup: rbac.authorization.k8s.io diff --git a/helm-charts/0.27.0/charts/spire/templates/hook-clusterrolebinding-spire-server-post-upgrade.yaml b/helm-charts/0.27.0/charts/spire/templates/hook-clusterrolebinding-spire-server-post-upgrade.yaml deleted file mode 100644 index fe2cbc33..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/hook-clusterrolebinding-spire-server-post-upgrade.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-post-upgrade - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -subjects: - - kind: ServiceAccount - name: spire-server-post-upgrade - namespace: {{ .Values.global.spire.serverNamespace }} -roleRef: - kind: ClusterRole - name: spire-server-post-upgrade - apiGroup: rbac.authorization.k8s.io 
diff --git a/helm-charts/0.27.0/charts/spire/templates/hook-clusterrolebinding-spire-server-pre-upgrade.yaml b/helm-charts/0.27.0/charts/spire/templates/hook-clusterrolebinding-spire-server-pre-upgrade.yaml deleted file mode 100644 index cbedded1..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/hook-clusterrolebinding-spire-server-pre-upgrade.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-pre-upgrade - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -subjects: - - kind: ServiceAccount - name: spire-server-pre-upgrade - namespace: {{ .Values.global.spire.serverNamespace }} -roleRef: - kind: ClusterRole - name: spire-server-pre-upgrade - apiGroup: rbac.authorization.k8s.io diff --git a/helm-charts/0.27.0/charts/spire/templates/hook-job-spire-server-post-install.yaml b/helm-charts/0.27.0/charts/spire/templates/hook-job-spire-server-post-install.yaml deleted file mode 100644 index c1637b5f..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/hook-job-spire-server-post-install.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: batch/v1 -kind: Job -metadata: - name: spire-server-post-install - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -spec: - template: - metadata: - name: spire-server-post-install - spec: -{{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} - - restartPolicy: Never - serviceAccountName: spire-server-post-install - securityContext: -{{- if .Values.global.enableOpenShift }} - fsGroupChangePolicy: OnRootMismatch -{{- else }} - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 -{{- end }} - - containers: - - name: post-install-job - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "{{ .Values.global.images.spireHelperKubectl.repository }}:{{ .Values.global.images.spireHelperKubectl.tag }}" - imagePullPolicy: {{ .Values.global.images.spireHelperKubectl.pullPolicy }} - args: - - patch - - validatingwebhookconfiguration - - spire-server-spire-controller-manager-webhook - - --type=strategic - - -p - - | - { - "webhooks":[ - { - "name":"vclusterspiffeid.kb.io", - "failurePolicy":"Fail" - }, - { - "name":"vclusterfederatedtrustdomain.kb.io", - "failurePolicy":"Fail" - } - ] - } 
diff --git a/helm-charts/0.27.0/charts/spire/templates/hook-job-spire-server-post-upgrade.yaml b/helm-charts/0.27.0/charts/spire/templates/hook-job-spire-server-post-upgrade.yaml deleted file mode 100644 index b4d4f3d6..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/hook-job-spire-server-post-upgrade.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: batch/v1 -kind: Job -metadata: - name: spire-server-post-upgrade - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -spec: - template: - metadata: - name: spire-server-post-upgrade - spec: -{{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} - - restartPolicy: Never - serviceAccountName: spire-server-post-upgrade - securityContext: -{{- if .Values.global.enableOpenShift }} - fsGroupChangePolicy: OnRootMismatch -{{- else }} - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 -{{- end }} - containers: - - name: post-upgrade-job - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "{{ .Values.global.images.spireHelperKubectl.repository }}:{{ .Values.global.images.spireHelperKubectl.tag }}" - imagePullPolicy: {{ .Values.global.images.spireHelperKubectl.pullPolicy }} - args: - - patch - - validatingwebhookconfiguration - - spire-server-spire-controller-manager-webhook - - --type=strategic - - -p - - | - { - "webhooks":[ - { - "name":"vclusterspiffeid.kb.io", - "failurePolicy":"Fail" - }, - { - "name":"vclusterfederatedtrustdomain.kb.io", - "failurePolicy":"Fail" - } - ] - } 
diff --git a/helm-charts/0.27.0/charts/spire/templates/hook-job-spire-server-pre-upgrade.yaml b/helm-charts/0.27.0/charts/spire/templates/hook-job-spire-server-pre-upgrade.yaml deleted file mode 100644 index 294029e9..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/hook-job-spire-server-pre-upgrade.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: batch/v1 -kind: Job -metadata: - name: spire-server-pre-upgrade - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed -spec: - template: - metadata: - name: spire-server-pre-upgrade - spec: -{{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} -{{- end }} - - restartPolicy: Never - serviceAccountName: spire-server-pre-upgrade - securityContext: -{{- if .Values.global.enableOpenShift }} - fsGroupChangePolicy: OnRootMismatch -{{- else }} - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 -{{- end }} - containers: - - name: post-install-job - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "{{ .Values.global.images.spireHelperKubectl.repository }}:{{ .Values.global.images.spireHelperKubectl.tag }}" - imagePullPolicy: {{ .Values.global.images.spireHelperKubectl.pullPolicy }} - args: - - patch - - validatingwebhookconfiguration - - spire-server-spire-controller-manager-webhook - - --type=strategic - - -p - - | - { - "webhooks":[ - { - "name":"vclusterspiffeid.kb.io", - "failurePolicy":"Ignore" - }, - { - "name":"vclusterfederatedtrustdomain.kb.io", - "failurePolicy":"Ignore" - } - ] - } 
diff --git a/helm-charts/0.27.0/charts/spire/templates/hook-preinstall-csidriver-csi.spiffe.io.yaml b/helm-charts/0.27.0/charts/spire/templates/hook-preinstall-csidriver-csi.spiffe.io.yaml deleted file mode 100644 index 25c2931d..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/hook-preinstall-csidriver-csi.spiffe.io.yaml +++ /dev/null @@ -1,37 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: storage.k8s.io/v1 -kind: CSIDriver -metadata: - name: "csi.spiffe.io" - annotations: - "helm.sh/hook": pre-install -{{- if .Values.global.enableOpenShift }} - labels: - security.openshift.io/csi-ephemeral-volume-profile: restricted -{{- end }} - -spec: - # Only ephemeral, inline volumes are supported. There is no need for a - # controller to provision and attach volumes. - attachRequired: false - - # Request the pod information which the CSI driver uses to verify that an - # ephemeral mount was requested. - podInfoOnMount: true - - # Don't change ownership on the contents of the mount since the Workload API - # Unix Domain Socket is typically open to all (i.e. 0777). - fsGroupPolicy: None - - # Declare support for ephemeral volumes only. - volumeLifecycleModes: - - Ephemeral diff --git a/helm-charts/0.27.0/charts/spire/templates/hook-preinstall-namespace-spire-server.yaml b/helm-charts/0.27.0/charts/spire/templates/hook-preinstall-namespace-spire-server.yaml deleted file mode 100644 index 7b999309..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/hook-preinstall-namespace-spire-server.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Namespace -metadata: - name: spire-system - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged -{{- if .Values.global.enableOpenShift }} - security.openshift.io/scc.podSecurityLabelSync: "false" -{{- end }} - annotations: - "helm.sh/hook": pre-install \ No newline at end of file diff --git a/helm-charts/0.27.0/charts/spire/templates/hook-preinstall-namespace-spire-system.yaml b/helm-charts/0.27.0/charts/spire/templates/hook-preinstall-namespace-spire-system.yaml deleted file mode 100644 index 2d84643d..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/hook-preinstall-namespace-spire-system.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Namespace -metadata: - name: spire-server - labels: - pod-security.kubernetes.io/audit: restricted - pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/warn: restricted -{{- if .Values.global.enableOpenShift }} - security.openshift.io/scc.podSecurityLabelSync: "false" -{{- end }} - annotations: - "helm.sh/hook": pre-install \ No newline at end of file 
diff --git a/helm-charts/0.27.0/charts/spire/templates/hook-serviceaccount-spire-server-post-install.yaml b/helm-charts/0.27.0/charts/spire/templates/hook-serviceaccount-spire-server-post-install.yaml deleted file mode 100644 index c3d9d26b..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/hook-serviceaccount-spire-server-post-install.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server-post-install - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed diff --git a/helm-charts/0.27.0/charts/spire/templates/hook-serviceaccount-spire-server-post-upgrade.yaml b/helm-charts/0.27.0/charts/spire/templates/hook-serviceaccount-spire-server-post-upgrade.yaml deleted file mode 100644 index 85708dd9..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/hook-serviceaccount-spire-server-post-upgrade.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server-post-upgrade - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed diff --git a/helm-charts/0.27.0/charts/spire/templates/hook-serviceaccount-spire-server-pre-upgrade.yaml b/helm-charts/0.27.0/charts/spire/templates/hook-serviceaccount-spire-server-pre-upgrade.yaml deleted file mode 100644 index e638b441..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/hook-serviceaccount-spire-server-pre-upgrade.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server-pre-upgrade - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed 
diff --git a/helm-charts/0.27.0/charts/spire/templates/openshift-security-context-constraints.yaml b/helm-charts/0.27.0/charts/spire/templates/openshift-security-context-constraints.yaml deleted file mode 100644 index 8e34b4c0..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/openshift-security-context-constraints.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -{{- if .Values.global.enableOpenShift }} -apiVersion: security.openshift.io/v1 -kind: SecurityContextConstraints -metadata: - name: spire-spiffe-csi-driver -readOnlyRootFilesystem: true -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -supplementalGroups: - type: RunAsAny -users: - - system:serviceaccount:spire-system:spire-spiffe-csi-driver -volumes: - - configmap - - hostPath - - secret -allowHostDirVolumePlugin: true -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegeEscalation: true -allowPrivilegedContainer: true -fsGroup: - type: RunAsAny -groups: [] ---- -apiVersion: security.openshift.io/v1 -kind: SecurityContextConstraints -metadata: - name: spire-spiffe-oidc-discovery-provider -readOnlyRootFilesystem: true -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -supplementalGroups: - type: RunAsAny -users: - - system:serviceaccount:spire-server:spire-spiffe-oidc-discovery-provider - - system:serviceaccount:spire-server:spire-spiffe-oidc-discovery-provider-pre-delete -volumes: - - configMap - - csi - - downwardAPI - - emptyDir - - ephemeral - - hostPath - - projected - - secret -allowHostDirVolumePlugin: true -allowHostIPC: true -allowHostNetwork: true -allowHostPID: true -allowHostPorts: true -allowPrivilegeEscalation: true -allowPrivilegedContainer: true -fsGroup: - type: RunAsAny -groups: [] -seccompProfiles: - - '*' ---- -apiVersion: security.openshift.io/v1 -kind: SecurityContextConstraints -metadata: - name: spire-agent -readOnlyRootFilesystem: true -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -supplementalGroups: - type: RunAsAny -users: - - 
system:serviceaccount:spire-system:spire-agent -volumes: - - configMap - - hostPath - - projected - - secret - - emptyDir -allowHostDirVolumePlugin: true -allowHostIPC: true -allowHostNetwork: true -allowHostPID: true -allowHostPorts: true -allowPrivilegeEscalation: true -allowPrivilegedContainer: true -fsGroup: - type: RunAsAny -groups: [] -{{- end }} diff --git a/helm-charts/0.27.0/charts/spire/templates/role-spire-bundle.yaml b/helm-charts/0.27.0/charts/spire/templates/role-spire-bundle.yaml deleted file mode 100644 index 8eccaf65..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/role-spire-bundle.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# Role to be able to push certificate bundles to a configmap -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-bundle - namespace: {{ .Values.global.spire.namespace }} -rules: - - apiGroups: [""] - resources: [configmaps] - resourceNames: [spire-bundle] - verbs: - - get - - patch \ No newline at end of file diff --git a/helm-charts/0.27.0/charts/spire/templates/role-spire-controller-manager-leader-election.yaml b/helm-charts/0.27.0/charts/spire/templates/role-spire-controller-manager-leader-election.yaml deleted file mode 100644 index 71b6e60e..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/role-spire-controller-manager-leader-election.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: spire-controller-manager-leader-election - namespace: {{ .Values.global.spire.serverNamespace }} -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] diff --git a/helm-charts/0.27.0/charts/spire/templates/rolebinding-spire-bundle.yaml b/helm-charts/0.27.0/charts/spire/templates/rolebinding-spire-bundle.yaml deleted file mode 100644 index 01605e56..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/rolebinding-spire-bundle.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-bundle - namespace: {{ .Values.global.spire.namespace }} -subjects: - - kind: ServiceAccount - name: spire-server - namespace: {{ .Values.global.spire.serverNamespace }} -roleRef: - kind: Role - name: spire-bundle - apiGroup: rbac.authorization.k8s.io 
diff --git a/helm-charts/0.27.0/charts/spire/templates/rolebinding-spire-controller-manager-leader-election.yaml b/helm-charts/0.27.0/charts/spire/templates/rolebinding-spire-controller-manager-leader-election.yaml deleted file mode 100644 index aa0de276..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/rolebinding-spire-controller-manager-leader-election.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: spire-controller-manager-leader-election - namespace: {{ .Values.global.spire.serverNamespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: spire-controller-manager-leader-election -subjects: - - kind: ServiceAccount - name: spire-server - namespace: {{ .Values.global.spire.serverNamespace }} diff --git a/helm-charts/0.27.0/charts/spire/templates/service-spire-controller-manager-webhook.yaml b/helm-charts/0.27.0/charts/spire/templates/service-spire-controller-manager-webhook.yaml deleted file mode 100644 index abf54e68..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/service-spire-controller-manager-webhook.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: spire-controller-manager-webhook - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - name: https - port: 443 - targetPort: https - protocol: TCP - selector: - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire diff --git a/helm-charts/0.27.0/charts/spire/templates/service-spire-server.yaml b/helm-charts/0.27.0/charts/spire/templates/service-spire-server.yaml deleted file mode 100644 index e56a2cfd..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/service-spire-server.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Service -metadata: - name: spire-server - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm -spec: - type: {{ .Values.spireServer.service.type }} - ports: - - name: grpc - port: 443 - targetPort: grpc - protocol: TCP - selector: - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire 
diff --git a/helm-charts/0.27.0/charts/spire/templates/serviceaccount-spire-agent.yaml b/helm-charts/0.27.0/charts/spire/templates/serviceaccount-spire-agent.yaml deleted file mode 100644 index a0c5aaca..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/serviceaccount-spire-agent.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-agent - namespace: {{ .Values.global.spire.namespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: agent - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm diff --git a/helm-charts/0.27.0/charts/spire/templates/serviceaccount-spire-server.yaml b/helm-charts/0.27.0/charts/spire/templates/serviceaccount-spire-server.yaml deleted file mode 100644 index 22566475..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/serviceaccount-spire-server.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm 
diff --git a/helm-charts/0.27.0/charts/spire/templates/serviceaccount-spire-spiffe-csi-driver.yaml b/helm-charts/0.27.0/charts/spire/templates/serviceaccount-spire-spiffe-csi-driver.yaml deleted file mode 100644 index ee2704da..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/serviceaccount-spire-spiffe-csi-driver.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-spiffe-csi-driver - namespace: {{ .Values.global.spire.namespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: spiffe-csi-driver - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "0.2.3" - app.kubernetes.io/managed-by: Helm diff --git a/helm-charts/0.27.0/charts/spire/templates/statefulset-spire-server.yaml b/helm-charts/0.27.0/charts/spire/templates/statefulset-spire-server.yaml deleted file mode 100644 index 3cfd9dc3..00000000 --- a/helm-charts/0.27.0/charts/spire/templates/statefulset-spire-server.yaml +++ /dev/null 
@@ -1,201 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: spire-server - namespace: {{ .Values.global.spire.serverNamespace }} - labels: - helm.sh/chart: {{ include "spire.chart" . }} - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/version: "1.9.6" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: server -spec: - replicas: 1 - serviceName: spire-server - selector: - matchLabels: - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/component: server - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: spire-server - checksum/config: 83dddc7bb9f54b5059533228971826c0585045b7c4afb17635ede1e7ef6c1e35 - checksum/config2: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b - checksum/config3: 9742ccbbd63b5da94e50bc34b73c946f254110b1f94fbc4ac437b3bba15cefe8 - checksum/configTornjak: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b - labels: - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - app.kubernetes.io/component: server - component: server - release: spire - release-namespace: {{ .Values.global.spire.serverNamespace }} - spec: -{{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . 
| nindent 8 }} -{{- end }} - - serviceAccountName: spire-server - shareProcessNamespace: true - securityContext: -{{- if .Values.global.enableOpenShift }} - fsGroupChangePolicy: OnRootMismatch -{{- else }} - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 -{{- end }} - - priorityClassName: system-cluster-critical - containers: - - name: spire-server - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "{{ .Values.global.images.spireServer.repository }}:{{ .Values.global.images.spireServer.tag }}" - imagePullPolicy: {{ .Values.global.images.spireServer.pullPolicy }} - args: - - -expandEnv - - -config - - {{ .Values.spireServer.configDir }}/server.conf - env: - - name: PATH - value: "/opt/spire/bin:/bin" - ports: - - name: grpc - containerPort: 8081 - protocol: TCP - - containerPort: 8080 - name: healthz - - containerPort: 9988 - name: prom - livenessProbe: - httpGet: - path: /live - port: healthz - failureThreshold: 2 - initialDelaySeconds: 15 - periodSeconds: 60 - timeoutSeconds: 3 - readinessProbe: - httpGet: - path: /ready - port: healthz - initialDelaySeconds: 5 - periodSeconds: 5 - resources: - {} - volumeMounts: - - name: spire-server-socket - mountPath: {{ .Values.spireServer.privateSocketDir}} - readOnly: false - - name: spire-config - mountPath: {{ .Values.spireServer.configDir }} - readOnly: true - -{{- if .Values.data.persistent }} - - name: spire-data - mountPath: {{ .Values.spireServer.dataDir }} - readOnly: false -{{- end }} - - - name: server-tmp - mountPath: /tmp - readOnly: false - - - name: spire-controller-manager - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "{{ .Values.global.images.spireControllerManager.repository }}:{{ 
.Values.global.images.spireControllerManager.tag }}" - imagePullPolicy: {{ .Values.global.images.spireControllerManager.pullPolicy }} - args: - - --config=controller-manager-config.yaml - env: - - name: ENABLE_WEBHOOKS - value: "true" - ports: - - name: https - containerPort: 9443 - protocol: TCP - - containerPort: 8083 - name: healthz - - containerPort: 8082 - name: prom-cm - livenessProbe: - httpGet: - path: /healthz - port: healthz - readinessProbe: - httpGet: - path: /readyz - port: healthz - resources: - {} - volumeMounts: - - name: spire-server-socket - mountPath: {{ .Values.spireServer.privateSocketDir }} - readOnly: true - - name: controller-manager-config - mountPath: /controller-manager-config.yaml - subPath: controller-manager-config.yaml - readOnly: true - - name: spire-controller-manager-tmp - mountPath: /tmp - subPath: spire-controller-manager - readOnly: false - volumes: - - name: server-tmp - emptyDir: {} - - name: spire-config - configMap: - name: spire-server - - name: spire-server-socket - emptyDir: {} - - name: spire-controller-manager-tmp - emptyDir: {} - - name: controller-manager-config - configMap: - name: spire-controller-manager - {{- if .Values.data.persistent }} - # noinspection KubernetesUnknownKeys - volumeClaimTemplates: - - metadata: - name: spire-data - spec: - accessModes: - - {{ .Values.data.persistentVolumeClaim.accessMode | default "ReadWriteOnce" }} - resources: - requests: - storage: {{ .Values.data.persistentVolumeClaim.size }} - {{- if .Values.data.persistentVolumeClaim.storageClass }} - storageClassName: {{ .Values.data.persistentVolumeClaim.storageClass }} - {{- end }} - {{- end }} diff --git a/helm-charts/0.27.0/charts/spire/templates/validatingwebhookconfiguration-spire-server-spire-controller-manager-webhook.yaml b/helm-charts/0.27.0/charts/spire/templates/validatingwebhookconfiguration-spire-server-spire-controller-manager-webhook.yaml deleted file mode 100644 index e18947f6..00000000 
--- a/helm-charts/0.27.0/charts/spire/templates/validatingwebhookconfiguration-spire-server-spire-controller-manager-webhook.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: spire-server-spire-controller-manager-webhook -webhooks: - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: spire-controller-manager-webhook - namespace: {{ .Values.global.spire.serverNamespace }} - path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain - failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks - name: vclusterfederatedtrustdomain.kb.io - rules: - - apiGroups: ["spire.spiffe.io"] - apiVersions: ["v1alpha1"] - operations: ["CREATE", "UPDATE"] - resources: ["clusterfederatedtrustdomains"] - sideEffects: None - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: spire-controller-manager-webhook - namespace: {{ .Values.global.spire.serverNamespace }} - path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid - failurePolicy: Ignore # Actual value to be set by post install/upgrade hooks - name: vclusterspiffeid.kb.io - rules: - - apiGroups: ["spire.spiffe.io"] - apiVersions: ["v1alpha1"] - operations: ["CREATE", "UPDATE"] - resources: ["clusterspiffeids"] - sideEffects: None diff --git a/helm-charts/0.27.0/charts/spire/values.yaml b/helm-charts/0.27.0/charts/spire/values.yaml deleted file mode 100644 index 20ddb6a0..00000000 --- a/helm-charts/0.27.0/charts/spire/values.yaml +++ /dev/null 
@@ -1,127 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# -# Commented out for now, as scaling to multiple instances will not work until -# we use an external database. -# Check out the official documentation for more information: -# https://spiffe.io/docs/latest/setup/ -# -# replicaCount: 1 -# -# autoscaling: -# enabled: false -# minReplicas: 1 -# maxReplicas: 100 -# targetCPUUtilizationPercentage: 80 -# # targetMemoryUtilizationPercentage: 80 -# - -# -- Override it with an image pull secret that you need as follows: -# imagePullSecrets: -# - name: my-registry-secret -imagePullSecrets: [] - -# -- The name override of the chart. -nameOverride: "" -# -- The fullname override of the chart. -fullnameOverride: "" - -# -- Experimental settings. -experimental: - # -- eventsBasedCache is known to significantly improve SPIRE Server - # performance. It is set to `false` by default, just in case. - eventsBasedCache: false - -# -- SPIRE assigns a default Cluster SPIFFE ID to all workloads in the -# cluster. The SPIFFEID SPIRE assigns by default is not aligned with the -# SPIFFE ID format that VSecM Safe expects. Also, you might not want -# SPIRE to assign SPIFFE IDs to every single workload you have in your -# cluster if you are not using SPIRE to attest those workloads. Therefore, -# this option is set to false by default. -# -# If you set this to true, make sure you update `safeSpiffeIdTemplate` -# `sentinelSpiffeIdTemplate`, `keystoneSpiffeIdTemplate`, -# `workloadNameRegExp`, `workloadSpiffeIdPrefix`, `safeSpiffeIdPrefix`, -# `sentinelSpiffeIdPrefix` and other relevant configurations to match -# with what SPIRE assigns. -enableSpireMintedDefaultClusterSpiffeIds: false - -# -- SPIRE Agent settings. 
-spireAgent: - # -- The corresponding SPIRE Agent socket directory on the host. - # SPIRE Agents and SPIFFE CSI Driver shares this directory. - hostSocketDir: "/run/spire/agent-sockets" - # -- The SPIRE Agent socket name. - socketName: "spire-agent.sock" - - # -- The corresponding SPIRE Agent internal socket directory in the - # container. The configuration should match the SPIRE Agent configuration - # and SPIRE Agent DaemonSet. - internalPublicSocketDir: "/tmp/spire-agent/public" - - # -- The corresponding SPIRE Agent internal admin directory in the - # container. The configuration should match the SPIRE Agent configuration - # and SPIRE Agent DaemonSet. You are advised not to change this value. - internalAdminSocketDir: "/tmp/spire-agent/private" - -# -- SPIRE Server settings. -spireServer: - # -- The data directory for the SPIRE Server. - # SPIRE Server’s ConfigMap and StatefulSet should agree on this directory. - dataDir: "/run/spire/data" - # -- The private socket directory for the SPIRE Server. - # SPIRE Server’s ConfigMap and StatefulSet should agree on this directory. - privateSocketDir: "/tmp/spire-server/private" - - # -- The configuration directory for the SPIRE Server. - configDir: "/run/spire/config" - - # -- Service details for the SPIRE Server. - service: - # -- Service type. - # Possible values are: ClusterIP, NodePort, LoadBalancer. - # Defaults to `ClusterIP`. - type: ClusterIP - -# -- These are the default resources suitable for a moderate SPIRE usage. -# Of course, it's best to do your own benchmarks and update these -# requests and limits to your production needs accordingly. -# That being said, as a rule of thumb, do not limit the CPU request -# on SPIRE Agent and SPIRE server. It's best to let them leverage -# the available excess CPU, if available. -resources: - # -- SPIRE Server resource requests and limits. - server: - requests: - memory: "1Gi" - cpu: "100m" - # -- SPIRE Agent resource requests and limits. 
- agent: - requests: - memory: "512Mi" - cpu: "50m" - # -- SPIFFE CSI Driver resource requests and limits. - spiffeCsiDriver: - requests: - memory: "128Mi" - cpu: "50m" - -# -- Persistence settings for the SPIRE Server. -data: - # -- Persistence is enabled by default. However, you are recommended to - # provide your own storage class if you are using a cloud provider or - # a storage solution that supports dynamic provisioning. - persistent: true - # -- Define the PVC if `persistent` is true. - persistentVolumeClaim: - storageClass: "" - accessMode: ReadWriteOnce - size: 1Gi diff --git a/helm-charts/0.27.0/values-custom.yaml b/helm-charts/0.27.0/values-custom.yaml deleted file mode 100644 index fa8571b1..00000000 --- a/helm-charts/0.27.0/values-custom.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -# This is a custom values file for VMware Secrets Manager to work with -# Istio-style SPIFFE IDs -# (i.e., `spiffe:///ns//sa/`). -# -# In addition to that, this values file also deploys SPIRE components to -# `spire-system-custom` and `spire-server-custom namespaces` (the defaults for -# those namespaces are `spire-system` and `spire-server` respectively). -# You can replace them with your own preferred namespaces. -# -# The chart also deploys VSecM components to `vsecm-system-custom` namespace -# (the default for that namespace is `vsecm-system`). You can replace it -# with your own preferred namespace. -# -# Finally, we replace the trust domain from the default `vsecm.com` to -# `aegis.ist`. You can replace this with your own trust domain too. -# -# To generate manifests based on this values file: -# -# 1. Define the following environment variables: -# VSECM_NAMESPACE_SYSTEM ?= "vsecm-system-custom" -# VSECM_NAMESPACE_SPIRE ?= "spire-system-custom" -# VSECM_NAMESPACE_SPIRE_SERVER ?= "spire-server-custom" -# -# 2. $un the following command at the root of the project: -# ./hack/create-custom-manifest.sh -# Note that this action will override the existing values.yaml at the root -# of the ./helm-charts/$version/ directory. 
- -global: - deploySpire: true - deployKeystone: true - deploySentinel: true - baseImage: distroless - registry: vsecm - images: - keystone: - distrolessRepository: vsecm-ist-keystone - distrolessFipsRepository: vsecm-ist-fips-keystone - tag: 0.27.0 - pullPolicy: IfNotPresent - safe: - distrolessRepository: vsecm-ist-safe - distrolessFipsRepository: vsecm-ist-fips-safe - tag: 0.27.0 - pullPolicy: IfNotPresent - sentinel: - distrolessRepository: vsecm-ist-sentinel - distrolessFipsRepository: vsecm-ist-fips-sentinel - tag: 0.27.0 - pullPolicy: IfNotPresent - initContainer: - repository: vsecm-ist-init-container - tag: 0.27.0 - spireAgent: - repository: ghcr.io/spiffe/spire-agent - tag: 1.9.4 - pullPolicy: IfNotPresent - spiffeCsiDriver: - repository: ghcr.io/spiffe/spiffe-csi-driver - tag: 0.2.6 - pullPolicy: IfNotPresent - nodeDriverRegistrar: - repository: registry.k8s.io/sig-storage/csi-node-driver-registrar - tag: v2.10.0 - pullPolicy: IfNotPresent - spireServer: - repository: ghcr.io/spiffe/spire-server - tag: 1.9.4 - pullPolicy: IfNotPresent - spireControllerManager: - repository: ghcr.io/spiffe/spire-controller-manager - tag: 0.5.0 - pullPolicy: IfNotPresent - vsecm: - namespace: vsecm-system-custom - safeEndpointUrl: "https://vsecm-safe.vsecm-system-custom.svc.cluster.local:8443/" - safeSpiffeIdPrefix: "^spiffe://aegis.ist/ns/vsecm-system-custom/sa/vsecm-safe$" - sentinelSpiffeIdPrefix: "^spiffe://aegis.ist/ns/vsecm-system-custom/sa/vsecm-sentinel$" - workloadSpiffeIdPrefix: "^spiffe://aegis.ist/ns/[^/]+/sa/[^/]+$" - workloadNameRegExp: "^spiffe://aegis.ist/ns/[^/]+/sa/([^/]+)$" - safeSpiffeIdTemplate: "spiffe://aegis.ist/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" - sentinelSpiffeIdTemplate: "spiffe://aegis.ist/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" - keystoneSpiffeIdTemplate: "spiffe://aegis.ist/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" - spire: - trustDomain: "aegis.ist" - namespace: 
spire-system-custom - serverNamespace: spire-server-custom - serverAddress: "spire-server.spire-server-custom.svc.cluster.local" - logLevel: DEBUG - serverPort: 8081 diff --git a/helm-charts/0.27.0/values.yaml b/helm-charts/0.27.0/values.yaml deleted file mode 100644 index 26ce06b6..00000000 --- a/helm-charts/0.27.0/values.yaml +++ /dev/null 
@@ -1,194 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -global: - # -- Set it to true for OpenShift deployments. This will add necessary - # annotations to the SPIRE components to make them work on OpenShift. - enableOpenShift: false - - # -- Deploy SPIRE components. If set to false, SPIRE components will not be - # deployed. This is useful when SPIRE is already deployed in the cluster. - deploySpire: true - - # -- Deploy the Keystone VSecM component. VSecM Keystone is a lightweight - # Pod that is initialized only after VSecM Sentinel completes it - # `initCommand` initialization sequence. - deployKeystone: true - # -- Deploy VSecM Sentinel. VSecM Sentinel is the only admin interface where - # you can register secrets. For best security, you might want to disable - # the initial deployment of it. This way, you can deploy VSecM Sentinel - # off-cycle later when you need it. - deploySentinel: true - - # -- Possible options for baseImage (distroless, distroless-fips). When in - # doubt, stick with distroless. - baseImage: distroless - # -- Registry url. Defaults to "vsecm", which points to the public vsecm - # DockerHub registry: . - registry: vsecm - - # -- Where to find the dependent images of VSecM. - # Normally, you would not need to modify this. - images: - # - Container registry details for VSecM Keystone. - keystone: - distrolessRepository: vsecm-ist-keystone - distrolessFipsRepository: vsecm-ist-fips-keystone - tag: 0.27.0 - pullPolicy: IfNotPresent - # - Container registry details for VSecM Safe. - safe: - distrolessRepository: vsecm-ist-safe - distrolessFipsRepository: vsecm-ist-fips-safe - tag: 0.27.0 - pullPolicy: IfNotPresent - # - Container registry details for VSecM Sentinel. 
- sentinel: - distrolessRepository: vsecm-ist-sentinel - distrolessFipsRepository: vsecm-ist-fips-sentinel - tag: 0.27.0 - pullPolicy: IfNotPresent - # - Container registry details of VSecM Init Container. - initContainer: - repository: vsecm-ist-init-container - tag: 0.27.0 - - # -- Container registry details of SPIRE Agent. - spireAgent: - repository: ghcr.io/spiffe/spire-agent - tag: 1.9.6 - pullPolicy: IfNotPresent - # -- Container registry details of SPIFFE CSI Driver. - spiffeCsiDriver: - repository: ghcr.io/spiffe/spiffe-csi-driver - tag: 0.2.6 - pullPolicy: IfNotPresent - # -- Container registry details of SPIFFE CSI Node Driver Registrar. - nodeDriverRegistrar: - repository: registry.k8s.io/sig-storage/csi-node-driver-registrar - tag: v2.10.0 - pullPolicy: IfNotPresent - # -- Container registry details of SPIRE Server. - spireServer: - repository: ghcr.io/spiffe/spire-server - tag: 1.9.6 - pullPolicy: IfNotPresent - # -- Container registry details of SPIRE Controller Manager. - spireControllerManager: - repository: ghcr.io/spiffe/spire-controller-manager - tag: 0.5.0 - pullPolicy: IfNotPresent - - spireHelperBash: - repository: cgr.dev/chainguard/bash - tag: latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d - pullPolicy: IfNotPresent - - spireHelperKubectl: - repository: docker.io/rancher/kubectl - tag: v1.28.0 - pullPolicy: IfNotPresent - - openShiftHelperUbi9: - repository: registry.access.redhat.com/ubi9 - tag: latest - pullPolicy: IfNotPresent - - # - VSecM-related global configuration. - vsecm: - # - This is where all VSecM components will be deployed. - namespace: vsecm-system - - # - The endpoint URL of the VSecM Safe Service - # should match https://..svc.cluster.local: - # unless you have a custom setup. - safeEndpointUrl: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/" - - # - The SPIFFE ID prefix that is used to verify the authenticity of a - # request coming from VSecM Safe. 
You can also use regular expression - # matchers. Check out the official documentation at https://vsecm.com - # for details. - safeSpiffeIdPrefix: "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$" - # - The SPIFFE ID prefix that is used to verify the authenticity of a - # request coming from VSecM Sentinel. You can also use regular expression - # matchers. Check out the official documentation at https://vsecm.com - # for details. - sentinelSpiffeIdPrefix: "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$" - # - The SPIFFE ID prefix that is used to verify the authenticity of a - # request coming from a Workload. If the SPIFFE ID of the workload does not - # match this pattern, then VSecM Safe will reject the workload's request. - # You can also use regular expression # matchers. Check out the official - # documentation at https://vsecm.com for details. - workloadSpiffeIdPrefix: "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$" - # - The regular expression pattern that VSecM Safe will use to match workloads, - # VSecM Safe, VSecM Sentinel, and VSecM Keystone. The first capture group - # must exist and should match the workload's name. The rest of the capture - # groups will be ignored. - workloadNameRegExp: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" - - # - The SPIFFE ID template that VSecM Safe's ClusterSPIFFEID will use. - safeSpiffeIdTemplate: "spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }}" - # - The SPIFFE ID template that VSecM Sentinel's ClusterSPIFFEID will use. - sentinelSpiffeIdTemplate: "spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }}" - # - The SPIFFE ID template that VSecM Keystone's ClusterSPIFFEID will use. 
- keystoneSpiffeIdTemplate: "spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }}" - - # -- SPIRE-related global configuration. - spire: - - # -- This is the className that ClusterSPIFFEIDs will use to - # be able to register their SPIFFE IDs with the SPIRE Server. - controllerManagerClassName: "vsecm" - - # -- Enable federation. If set to true, SPIRE Server will be configured - # to federate with other SPIRE Servers. This is useful when you have - # multiple clusters, and you want to establish trust between them. - federationEnabled: false - # -- The trust domain is the root of the SPIFFE ID hierarchy. It is used to - # identify the trust domain of a workload. If you use anything other than - # the default `vsecm.com`, you must also update the relevant environment - # variables that does SPIFFE ID validation. - # - # To prevent accidental collisions (two trust domains select identical names), - # operators are advised to select trust domain names which are highly likely - # to be globally unique. Even though a trust domain name is not a DNS name, - # using a registered domain name as a suffix of a trust domain name, when - # available, will reduce chances of an accidental collision; for example, - # if a trust domain operator owns the domain name `example.com`, - # then using a trust domain name such as `apps.example.com` would likely - # not produce a collision. When trust domain names are automatically generated - # without operator input, randomly generating a unique name (such as a UUID) - # is strongly advised. - # - # All SPIFFE IDs shall be prefixed with `spiffe://` unless - # you have an advanced custom setup. - trustDomain: "vsecm.com" - # -- The SPIRE CA common name. - caCommonName: "vsecm.com" - # -- The SPIRE CA country. - caCountry: "US" - # -- The SPIRE CA organization. - caOrganization: "vsecm.com" - # -- This is the namespace where the SPIRE components will be deployed. 
- namespace: spire-system - # -- It is best to keep the SPIRE server namespace separate from other - # SPIRE components for an added layer of security. - serverNamespace: spire-server - # -- The SPIRE Server address. This is the address where the SPIRE Server - # that the agents will connect to. - # This address is in the form of ..svc.cluster.local - # unless you have a custom setup. - serverAddress: "spire-server.spire-server.svc.cluster.local" - # -- The log level of the SPIRE components. This is useful for debugging. - logLevel: DEBUG - # -- The SPIRE Server port. This is the port where the SPIRE Server will - # listen for incoming connections. - # This is the port of the SPIRE server k8s Service. - serverPort: 443 diff --git a/helm-charts/0.27.1/README.md b/helm-charts/0.27.1/README.md index 920c2bcc..bfafc59c 100644 --- a/helm-charts/0.27.1/README.md +++ b/helm-charts/0.27.1/README.md @@ -5,7 +5,7 @@ that your sensitive data is always secure and protected. VSecM is perfect for securely storing arbitrary configuration information at a central location and securely dispatching it to workloads. -![Version: 0.27.0](https://img.shields.io/badge/Version-0.27.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.0](https://img.shields.io/badge/AppVersion-0.27.0-informational?style=flat-square) +![Version: 0.27.1](https://img.shields.io/badge/Version-0.27.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.1](https://img.shields.io/badge/AppVersion-0.27.1-informational?style=flat-square) [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/vsecm)](https://artifacthub.io/packages/helm/vsecm/vsecm) 
@@ -28,7 +28,7 @@ To use VMware Secrets Manager, follow the steps below: 3. Install VMware Secrets Manager using Helm: ```bash - helm install vsecm vsecm/vsecm --version 0.27.0 + helm install vsecm vsecm/vsecm --version 0.27.1 ``` ## Options @@ -47,7 +47,7 @@ and `global.baseImage` respectively. Here's an example command with the above options: ```bash -helm install vsecm vsecm/helm-charts --version 0.27.0 \ +helm install vsecm vsecm/helm-charts --version 0.27.1 \ --set global.deploySpire=true --set global.baseImage=distroless ``` @@ -65,7 +65,7 @@ These environment variable configurations are expose through subcharts. You can modify them as follows: ```bash -helm install vsecm vsecm/helm-charts --version 0.27.0 \ +helm install vsecm vsecm/helm-charts --version 0.27.1 \ --set safe.environments.VSECM_LOG_LEVEL="6" --set sentinel.environments.VSECM_LOGL_LEVEL="5" # You can update other environment variables too. @@ -97,10 +97,10 @@ The sections below are autogenerated from chart source code: | Repository | Name | Version | |------------|------|---------| -| file://charts/keystone | keystone | 0.27.0 | -| file://charts/safe | safe | 0.27.0 | -| file://charts/sentinel | sentinel | 0.27.0 | -| file://charts/spire | spire | 0.27.0 | +| file://charts/keystone | keystone | 0.27.1 | +| file://charts/safe | safe | 0.27.1 | +| file://charts/sentinel | sentinel | 0.27.1 | +| file://charts/spire | spire | 0.27.1 | ## Values 
@@ -111,7 +111,7 @@ The sections below are autogenerated from chart source code: | global.deploySentinel | bool | `true` | Deploy VSecM Sentinel. VSecM Sentinel is the only admin interface where you can register secrets. For best security, you might want to disable the initial deployment of it. This way, you can deploy VSecM Sentinel off-cycle later when you need it. | | global.deploySpire | bool | `true` | Deploy SPIRE components. If set to false, SPIRE components will not be deployed. This is useful when SPIRE is already deployed in the cluster. | | global.enableOpenShift | bool | `false` | Set it to true for OpenShift deployments. This will add necessary annotations to the SPIRE components to make them work on OpenShift. | -| global.images | object | `{"initContainer":{"repository":"vsecm-ist-init-container","tag":"0.27.0"},"keystone":{"distrolessFipsRepository":"vsecm-ist-fips-keystone","distrolessRepository":"vsecm-ist-keystone","pullPolicy":"IfNotPresent","tag":"0.27.0"},"nodeDriverRegistrar":{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"},"openShiftHelperUbi9":{"pullPolicy":"IfNotPresent","repository":"registry.access.redhat.com/ubi9","tag":"latest"},"safe":{"distrolessFipsRepository":"vsecm-ist-fips-safe","distrolessRepository":"vsecm-ist-safe","pullPolicy":"IfNotPresent","tag":"0.27.0"},"sentinel":{"distrolessFipsRepository":"vsecm-ist-fips-sentinel","distrolessRepository":"vsecm-ist-sentinel","pullPolicy":"IfNotPresent","tag":"0.27.0"},"spiffeCsiDriver":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spiffe-csi-driver","tag":"0.2.6"},"spireAgent":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.6"},"spireControllerManager":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-controller-manager","tag":"0.5.0"},"spireHelperBash":{"pullPolicy":"IfNotPresent","repository":"cgr.dev/chainguard/bash","tag":"latest@sha256:8c9e5cbb641ced8112c637e
b3611dab29bf65448a9d884a03938baf1b352dc4d"},"spireHelperKubectl":{"pullPolicy":"IfNotPresent","repository":"docker.io/rancher/kubectl","tag":"v1.28.0"},"spireServer":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.9.6"}}` | Where to find the dependent images of VSecM. Normally, you would not need to modify this. | +| global.images | object | `{"initContainer":{"repository":"vsecm-ist-init-container","tag":"0.27.1"},"keystone":{"distrolessFipsRepository":"vsecm-ist-fips-keystone","distrolessRepository":"vsecm-ist-keystone","pullPolicy":"IfNotPresent","tag":"0.27.1"},"nodeDriverRegistrar":{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"},"openShiftHelperUbi9":{"pullPolicy":"IfNotPresent","repository":"registry.access.redhat.com/ubi9","tag":"latest"},"safe":{"distrolessFipsRepository":"vsecm-ist-fips-safe","distrolessRepository":"vsecm-ist-safe","pullPolicy":"IfNotPresent","tag":"0.27.1"},"sentinel":{"distrolessFipsRepository":"vsecm-ist-fips-sentinel","distrolessRepository":"vsecm-ist-sentinel","pullPolicy":"IfNotPresent","tag":"0.27.1"},"spiffeCsiDriver":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spiffe-csi-driver","tag":"0.2.6"},"spireAgent":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.6"},"spireControllerManager":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-controller-manager","tag":"0.5.0"},"spireHelperBash":{"pullPolicy":"IfNotPresent","repository":"cgr.dev/chainguard/bash","tag":"latest@sha256:8c9e5cbb641ced8112c637eb3611dab29bf65448a9d884a03938baf1b352dc4d"},"spireHelperKubectl":{"pullPolicy":"IfNotPresent","repository":"docker.io/rancher/kubectl","tag":"v1.28.0"},"spireServer":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.9.6"}}` | Where to find the dependent images of VSecM. Normally, you would not need to modify this. 
| | global.images.nodeDriverRegistrar | object | `{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.10.0"}` | Container registry details of SPIFFE CSI Node Driver Registrar. | | global.images.spiffeCsiDriver | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spiffe-csi-driver","tag":"0.2.6"}` | Container registry details of SPIFFE CSI Driver. | | global.images.spireAgent | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.6"}` | Container registry details of SPIRE Agent. | diff --git a/helm-charts/0.27.1/charts/keystone/Chart.yaml b/helm-charts/0.27.1/charts/keystone/Chart.yaml index 361bf563..0ab0df23 100644 --- a/helm-charts/0.27.1/charts/keystone/Chart.yaml +++ b/helm-charts/0.27.1/charts/keystone/Chart.yaml @@ -25,10 +25,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.27.0 +version: 0.27.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.27.0" +appVersion: "0.27.1" diff --git a/helm-charts/0.27.1/charts/keystone/README.md b/helm-charts/0.27.1/charts/keystone/README.md index 09c6ffb0..3f805871 100644 --- a/helm-charts/0.27.1/charts/keystone/README.md +++ b/helm-charts/0.27.1/charts/keystone/README.md 
@@ -1,6 +1,6 @@ # keystone -![Version: 0.27.0](https://img.shields.io/badge/Version-0.27.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.0](https://img.shields.io/badge/AppVersion-0.27.0-informational?style=flat-square) +![Version: 0.27.1](https://img.shields.io/badge/Version-0.27.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.1](https://img.shields.io/badge/AppVersion-0.27.1-informational?style=flat-square) Helm chart for keystone diff --git a/helm-charts/0.27.1/charts/safe/README.md b/helm-charts/0.27.1/charts/safe/README.md index 54f16731..d1709a19 100644 --- a/helm-charts/0.27.1/charts/safe/README.md +++ b/helm-charts/0.27.1/charts/safe/README.md @@ -1,6 +1,6 @@ # safe -![Version: 0.27.0](https://img.shields.io/badge/Version-0.27.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.0](https://img.shields.io/badge/AppVersion-0.27.0-informational?style=flat-square) +![Version: 0.27.1](https://img.shields.io/badge/Version-0.27.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.1](https://img.shields.io/badge/AppVersion-0.27.1-informational?style=flat-square) Helm chart for VMware Secrets Manager (VSecM) Safe diff --git a/helm-charts/0.27.1/charts/sentinel/README.md b/helm-charts/0.27.1/charts/sentinel/README.md index 97c8a01d..a4d3f608 100644 --- a/helm-charts/0.27.1/charts/sentinel/README.md +++ b/helm-charts/0.27.1/charts/sentinel/README.md 
@@ -1,6 +1,6 @@ # sentinel -![Version: 0.27.0](https://img.shields.io/badge/Version-0.27.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.0](https://img.shields.io/badge/AppVersion-0.27.0-informational?style=flat-square) +![Version: 0.27.1](https://img.shields.io/badge/Version-0.27.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.1](https://img.shields.io/badge/AppVersion-0.27.1-informational?style=flat-square) Helm chart for sentinel diff --git a/helm-charts/0.27.1/charts/spire/README.md b/helm-charts/0.27.1/charts/spire/README.md index a732e77a..3af5f07b 100644 --- a/helm-charts/0.27.1/charts/spire/README.md +++ b/helm-charts/0.27.1/charts/spire/README.md @@ -1,6 +1,6 @@ # spire -![Version: 0.27.0](https://img.shields.io/badge/Version-0.27.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.0](https://img.shields.io/badge/AppVersion-0.27.0-informational?style=flat-square) +![Version: 0.27.1](https://img.shields.io/badge/Version-0.27.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.27.1](https://img.shields.io/badge/AppVersion-0.27.1-informational?style=flat-square) Helm chart for spire 
@@ -11,6 +11,7 @@ Helm chart for spire | data | object | `{"persistent":true,"persistentVolumeClaim":{"accessMode":"ReadWriteOnce","size":"1Gi","storageClass":""}}` | Persistence settings for the SPIRE Server. | | data.persistent | bool | `true` | Persistence is enabled by default. However, you are recommended to provide your own storage class if you are using a cloud provider or a storage solution that supports dynamic provisioning. | | data.persistentVolumeClaim | object | `{"accessMode":"ReadWriteOnce","size":"1Gi","storageClass":""}` | Define the PVC if `persistent` is true. | +| enableSpireMintedDefaultClusterSpiffeIds | bool | `false` | SPIRE assigns a default Cluster SPIFFE ID to all workloads in the cluster. The SPIFFEID SPIRE assigns by default is not aligned with the SPIFFE ID format that VSecM Safe expects. Also, you might not want SPIRE to assign SPIFFE IDs to every single workload you have in your cluster if you are not using SPIRE to attest those workloads. Therefore, this option is set to false by default. If you set this to true, make sure you update `safeSpiffeIdTemplate` `sentinelSpiffeIdTemplate`, `keystoneSpiffeIdTemplate`, `workloadNameRegExp`, `workloadSpiffeIdPrefix`, `safeSpiffeIdPrefix`, `sentinelSpiffeIdPrefix` and other relevant configurations to match with what SPIRE assigns. | | experimental | object | `{"eventsBasedCache":false}` | Experimental settings. | | experimental.eventsBasedCache | bool | `false` | eventsBasedCache is known to significantly improve SPIRE Server performance. It is set to `false` by default, just in case. | | fullnameOverride | string | `""` | The fullname override of the chart. | diff --git a/helm-charts/0.27.1/values-custom.yaml b/helm-charts/0.27.1/values-custom.yaml index fa8571b1..f44de928 100644 --- a/helm-charts/0.27.1/values-custom.yaml +++ b/helm-charts/0.27.1/values-custom.yaml 
@@ -46,21 +46,21 @@ global: keystone: distrolessRepository: vsecm-ist-keystone distrolessFipsRepository: vsecm-ist-fips-keystone - tag: 0.27.0 + tag: 0.27.1 pullPolicy: IfNotPresent safe: distrolessRepository: vsecm-ist-safe distrolessFipsRepository: vsecm-ist-fips-safe - tag: 0.27.0 + tag: 0.27.1 pullPolicy: IfNotPresent sentinel: distrolessRepository: vsecm-ist-sentinel distrolessFipsRepository: vsecm-ist-fips-sentinel - tag: 0.27.0 + tag: 0.27.1 pullPolicy: IfNotPresent initContainer: repository: vsecm-ist-init-container - tag: 0.27.0 + tag: 0.27.1 spireAgent: repository: ghcr.io/spiffe/spire-agent tag: 1.9.4 diff --git a/helm-charts/0.27.1/values.yaml b/helm-charts/0.27.1/values.yaml index 26ce06b6..8f8eb621 100644 --- a/helm-charts/0.27.1/values.yaml +++ b/helm-charts/0.27.1/values.yaml @@ -41,24 +41,24 @@ global: keystone: distrolessRepository: vsecm-ist-keystone distrolessFipsRepository: vsecm-ist-fips-keystone - tag: 0.27.0 + tag: 0.27.1 pullPolicy: IfNotPresent # - Container registry details for VSecM Safe. safe: distrolessRepository: vsecm-ist-safe distrolessFipsRepository: vsecm-ist-fips-safe - tag: 0.27.0 + tag: 0.27.1 pullPolicy: IfNotPresent # - Container registry details for VSecM Sentinel. sentinel: distrolessRepository: vsecm-ist-sentinel distrolessFipsRepository: vsecm-ist-fips-sentinel - tag: 0.27.0 + tag: 0.27.1 pullPolicy: IfNotPresent # - Container registry details of VSecM Init Container. initContainer: repository: vsecm-ist-init-container - tag: 0.27.0 + tag: 0.27.1 # -- Container registry details of SPIRE Agent. spireAgent: diff --git a/k8s/0.27.0/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml b/k8s/0.27.0/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml deleted file mode 100644 index 658617dd..00000000 --- a/k8s/0.27.0/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml +++ /dev/null 
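Review bot: The SPIRE Agent pin left as context at the end of this values-custom.yaml hunk, `tag: 1.9.4` directly under the bumped `initContainer` tag, diverges from the `1.9.6` that the 0.27.1 chart's values.yaml and README advertise for `spireAgent` and `spireServer`, so a custom-manifest build (this file is copied over values.yaml by `hack/create-custom-manifest.sh` according to its own header) ships an older SPIRE agent/server pair than the default install. Since the pre-image blob of this file is the same one deleted from 0.27.0 (`index fa8571b1`), its `spireServer` entry below this hunk is also still `1.9.4`. A release-manifests commit is where dependent image pins should be reconciled, because the agent/server versions are what the workload attestation path runs on; the one-line fix is `tag: 1.9.6` here and on the `spireServer` entry. Consider also pinning these by digest, as `spireHelperBash` already does, so the manifest stays reproducible regardless of tag mutability. The `global.images` map continues outside the hunk.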
@@ -1,100 +0,0 @@ -# Source: spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - helm.sh/resource-policy: keep - creationTimestamp: null - name: clusterfederatedtrustdomains.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterFederatedTrustDomain - listKind: ClusterFederatedTrustDomainList - plural: clusterfederatedtrustdomains - singular: clusterfederatedtrustdomain - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.trustDomain - name: Trust Domain - type: string - - jsonPath: .spec.bundleEndpointURL - name: Endpoint URL - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterFederatedTrustDomainSpec defines the desired state - of ClusterFederatedTrustDomain - properties: - bundleEndpointProfile: - description: BundleEndpointProfile is the profile for the bundle endpoint. - properties: - endpointSPIFFEID: - description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. 
- It is required for the "https_spiffe" profile. - type: string - type: - description: Type is the type of the bundle endpoint profile. - enum: - - https_spiffe - - https_web - type: string - required: - - type - type: object - bundleEndpointURL: - description: BundleEndpointURL is the URL of the bundle endpoint. - It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). - type: string - className: - description: Set the class of controller to handle this object. - type: string - trustDomain: - description: TrustDomain is the name of the trust domain to federate - with (e.g. example.org) - pattern: '[a-z0-9._-]{1,255}' - type: string - trustDomainBundle: - description: TrustDomainBundle is the contents of the bundle for the - referenced trust domain. This field is optional when the resource - is created. - type: string - required: - - bundleEndpointProfile - - bundleEndpointURL - - trustDomain - type: object - status: - description: ClusterFederatedTrustDomainStatus defines the observed state - of ClusterFederatedTrustDomain - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/k8s/0.27.0/crds/spire.spiffe.io_clusterspiffeids.yaml b/k8s/0.27.0/crds/spire.spiffe.io_clusterspiffeids.yaml deleted file mode 100644 index 597b2b08..00000000 --- a/k8s/0.27.0/crds/spire.spiffe.io_clusterspiffeids.yaml +++ /dev/null 
@@ -1,239 +0,0 @@ -# Source: spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - helm.sh/resource-policy: keep - creationTimestamp: null - name: clusterspiffeids.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterSPIFFEID - listKind: ClusterSPIFFEIDList - plural: clusterspiffeids - singular: clusterspiffeid - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSPIFFEID is the Schema for the clusterspiffeids API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID - properties: - admin: - description: Admin indicates whether or not the SVID can be used to - access the SPIRE administrative APIs. Extra care should be taken - to only apply this SPIFFE ID to admin workloads. - type: boolean - autoPopulateDNSNames: - description: AutoPopulateDNSNames indicates whether or not to auto - populate service DNS names. - type: boolean - dnsNameTemplates: - description: DNSNameTemplate represents templates for extra DNS names - that are applicable to SVIDs minted for this ClusterSPIFFEID. 
The - node and pod spec are made available to the template under .NodeSpec, - .PodSpec respectively. - items: - type: string - type: array - downstream: - description: Downstream indicates that the entry describes a downstream - SPIRE server. - type: boolean - className: - description: Set the class of controller to handle this object. - type: string - federatesWith: - description: FederatesWith is a list of trust domain names that workloads - that obtain this SPIFFE ID will federate with. - items: - type: string - type: array - jwtTtl: - description: JWTTTL indicates an upper-bound time-to-live for JWT - SVIDs minted for this ClusterSPIFFEID. - type: string - namespaceSelector: - description: NamespaceSelector selects the namespaces that are targeted - by this CRD. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. 
A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: PodSelector selects the pods that are targeted by this - CRD. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - spiffeIDTemplate: - description: SPIFFEID is the SPIFFE ID template. The node and pod - spec are made available to the template under .NodeSpec, .PodSpec - respectively. - type: string - ttl: - description: TTL indicates an upper-bound time-to-live for X509 SVIDs - minted for this ClusterSPIFFEID. 
If unset, a default will be chosen. - type: string - workloadSelectorTemplates: - description: WorkloadSelectorTemplates are templates to produce arbitrary - workload selectors that apply to a given workload before it will - receive this SPIFFE ID. The rendered value is interpreted by SPIRE - and are of the form type:value, where the value may, and often does, - contain semicolons, .e.g., k8s:container-image:docker/hello-world - The node and pod spec are made available to the template under .NodeSpec, - .PodSpec respectively. - items: - type: string - type: array - required: - - spiffeIDTemplate - type: object - status: - description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID - properties: - stats: - description: Stats produced by the last entry reconciliation run - properties: - entriesMasked: - description: How many entries were masked by entries for other - ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs - produce an entry for the same pod with the same set of workload - selectors. - type: integer - entriesToSet: - description: How many entries are to be set for this ClusterSPIFFEID. - In nominal conditions, this should reflect the number of pods - selected, but not always if there were problems encountered - rendering an entry for the pod (RenderFailures) or entries are - masked (EntriesMasked). - type: integer - entryFailures: - description: How many entries were unable to be set due to failures - to create or update the entries via the SPIRE Server API. - type: integer - namespacesIgnored: - description: How many (selected) namespaces were ignored (based - on configuration). - type: integer - namespacesSelected: - description: How many namespaces were selected. - type: integer - podEntryRenderFailures: - description: How many failures were encountered rendering an entry - selected pods. 
This could be due to either a bad template in - the ClusterSPIFFEID or Pod metadata that when applied to the - template did not produce valid entry values. - type: integer - podsSelected: - description: How many pods were selected out of the namespaces. - type: integer - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] \ No newline at end of file diff --git a/k8s/0.27.0/crds/spire.spiffe.io_clusterstaticentries.yaml b/k8s/0.27.0/crds/spire.spiffe.io_clusterstaticentries.yaml deleted file mode 100644 index c19df220..00000000 --- a/k8s/0.27.0/crds/spire.spiffe.io_clusterstaticentries.yaml +++ /dev/null 
@@ -1,103 +0,0 @@ -# Source: spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - helm.sh/resource-policy: keep - creationTimestamp: null - name: clusterstaticentries.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterStaticEntry - listKind: ClusterStaticEntryList - plural: clusterstaticentries - singular: clusterstaticentry - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterStaticEntry is the Schema for the clusterstaticentries - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry - properties: - admin: - type: boolean - className: - description: Set the class of controller to handle this object. 
- type: string - dnsNames: - items: - type: string - type: array - downstream: - type: boolean - federatesWith: - items: - type: string - type: array - hint: - type: string - jwtSVIDTTL: - type: string - parentID: - type: string - selectors: - items: - type: string - type: array - spiffeID: - type: string - storeSVID: - type: boolean - x509SVIDTTL: - type: string - required: - - parentID - - selectors - - spiffeID - type: object - status: - description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry - properties: - masked: - description: If the static entry was masked by another entry. - type: boolean - rendered: - description: If the static entry rendered properly. - type: boolean - set: - description: If the static entry was successfully created/updated. - type: boolean - required: - - masked - - rendered - - set - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] \ No newline at end of file diff --git a/k8s/0.27.0/crds/spire.spiffe.io_controllermanagerconfigs.yaml b/k8s/0.27.0/crds/spire.spiffe.io_controllermanagerconfigs.yaml deleted file mode 100644 index 538ac974..00000000 --- a/k8s/0.27.0/crds/spire.spiffe.io_controllermanagerconfigs.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: controllermanagerconfigs.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ControllerManagerConfig - listKind: ControllerManagerConfigList - plural: controllermanagerconfigs - singular: controllermanagerconfig - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ControllerManagerConfig is the Schema for the controllermanagerconfigs - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ControllerManagerConfigSpec defines the desired state of - ControllerManagerConfig - properties: - foo: - description: Foo is an example field of ControllerManagerConfig. 
Edit - controllermanagerconfig_types.go to deletion/update - type: string - type: object - status: - description: ControllerManagerConfigStatus defines the observed state - of ControllerManagerConfig - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/helm-charts/0.27.0/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml b/k8s/0.27.1/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml similarity index 100% rename from helm-charts/0.27.0/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml rename to k8s/0.27.1/crds/spire.spiffe.io_clusterfederatedtrustdomains.yaml diff --git a/helm-charts/0.27.0/crds/spire.spiffe.io_clusterspiffeids.yaml b/k8s/0.27.1/crds/spire.spiffe.io_clusterspiffeids.yaml similarity index 100% rename from helm-charts/0.27.0/crds/spire.spiffe.io_clusterspiffeids.yaml rename to k8s/0.27.1/crds/spire.spiffe.io_clusterspiffeids.yaml diff --git a/helm-charts/0.27.0/crds/spire.spiffe.io_clusterstaticentries.yaml b/k8s/0.27.1/crds/spire.spiffe.io_clusterstaticentries.yaml similarity index 100% rename from helm-charts/0.27.0/crds/spire.spiffe.io_clusterstaticentries.yaml rename to k8s/0.27.1/crds/spire.spiffe.io_clusterstaticentries.yaml diff --git a/helm-charts/0.27.0/crds/spire.spiffe.io_controllermanagerconfigs.yaml b/k8s/0.27.1/crds/spire.spiffe.io_controllermanagerconfigs.yaml similarity index 100% rename from helm-charts/0.27.0/crds/spire.spiffe.io_controllermanagerconfigs.yaml rename to k8s/0.27.1/crds/spire.spiffe.io_controllermanagerconfigs.yaml diff --git a/k8s/0.27.0/eks/vsecm-distroless-fips.yaml b/k8s/0.27.1/eks/vsecm-distroless-fips.yaml similarity index 97% rename from k8s/0.27.0/eks/vsecm-distroless-fips.yaml rename to k8s/0.27.1/eks/vsecm-distroless-fips.yaml index 70ddab25..ef809560 100644 --- a/k8s/0.27.0/eks/vsecm-distroless-fips.yaml +++ b/k8s/0.27.1/eks/vsecm-distroless-fips.yaml 
@@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -57,11 +57,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm annotations: kubernetes.io/enforce-mountable-secrets: "true" @@ -87,11 +87,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm annotations: kubernetes.io/enforce-mountable-secrets: "true" @@ -117,11 +117,11 @@ metadata: name: vsecm-root-key namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm annotations: 
@@ -148,11 +148,11 @@ metadata: name: vsecm-sentinel-init-secret namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm annotations: @@ -340,11 +340,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP @@ -375,11 +375,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -403,7 +403,7 @@ spec: initContainers: - name: init-container - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.27.0" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -476,7 +476,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-keystone:0.27.0" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-keystone:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket 
@@ -524,11 +524,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -552,7 +552,7 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-sentinel:0.27.0" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-sentinel:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -717,11 +717,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: serviceName: vsecm-safe @@ -746,7 +746,7 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-safe:0.27.0" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-fips-safe:0.27.1" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 @@ -966,11 +966,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" 
@@ -999,11 +999,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-safe labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" @@ -1032,11 +1032,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-sentinel labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" diff --git a/k8s/0.27.0/eks/vsecm-distroless.yaml b/k8s/0.27.1/eks/vsecm-distroless.yaml similarity index 96% rename from k8s/0.27.0/eks/vsecm-distroless.yaml rename to k8s/0.27.1/eks/vsecm-distroless.yaml index 634f84ef..03919a93 100644 --- a/k8s/0.27.0/eks/vsecm-distroless.yaml +++ b/k8s/0.27.1/eks/vsecm-distroless.yaml @@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -57,11 +57,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm annotations: kubernetes.io/enforce-mountable-secrets: "true" 
@@ -87,11 +87,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm annotations: kubernetes.io/enforce-mountable-secrets: "true" @@ -117,11 +117,11 @@ metadata: name: vsecm-root-key namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm annotations: @@ -148,11 +148,11 @@ metadata: name: vsecm-sentinel-init-secret namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm annotations: @@ -340,11 +340,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP 
@@ -375,11 +375,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -403,7 +403,7 @@ spec: initContainers: - name: init-container - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.27.0" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -476,7 +476,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-keystone:0.27.0" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-keystone:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -524,11 +524,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -552,7 +552,7 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-sentinel:0.27.0" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-sentinel:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket 
@@ -717,11 +717,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: serviceName: vsecm-safe @@ -746,7 +746,7 @@ spec: containers: - name: main - image: "public.ecr.aws/h8y1n7y7/vsecm-ist-safe:0.27.0" + image: "public.ecr.aws/h8y1n7y7/vsecm-ist-safe:0.27.1" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 @@ -966,11 +966,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" @@ -999,11 +999,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-safe labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" @@ -1032,11 +1032,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-sentinel labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" 
diff --git a/k8s/0.27.0/local/vsecm-distroless-fips.yaml b/k8s/0.27.1/local/vsecm-distroless-fips.yaml similarity index 96% rename from k8s/0.27.0/local/vsecm-distroless-fips.yaml rename to k8s/0.27.1/local/vsecm-distroless-fips.yaml index e1384efa..2317a3ec 100644 --- a/k8s/0.27.0/local/vsecm-distroless-fips.yaml +++ b/k8s/0.27.1/local/vsecm-distroless-fips.yaml @@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -57,11 +57,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm annotations: kubernetes.io/enforce-mountable-secrets: "true" @@ -87,11 +87,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm annotations: kubernetes.io/enforce-mountable-secrets: "true" 
@@ -117,11 +117,11 @@ metadata: name: vsecm-root-key namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm annotations: @@ -148,11 +148,11 @@ metadata: name: vsecm-sentinel-init-secret namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm annotations: @@ -340,11 +340,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP @@ -375,11 +375,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -403,7 +403,7 @@ spec: initContainers: - name: init-container - image: "localhost:5000/vsecm-ist-init-container:0.27.0" + image: "localhost:5000/vsecm-ist-init-container:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket 
@@ -476,7 +476,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "localhost:5000/vsecm-ist-fips-keystone:0.27.0" + image: "localhost:5000/vsecm-ist-fips-keystone:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -524,11 +524,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -552,7 +552,7 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-fips-sentinel:0.27.0" + image: "localhost:5000/vsecm-ist-fips-sentinel:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -717,11 +717,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: serviceName: vsecm-safe @@ -746,7 +746,7 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-fips-safe:0.27.0" + image: "localhost:5000/vsecm-ist-fips-safe:0.27.1" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 @@ -966,11 +966,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" 
@@ -999,11 +999,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-safe labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" @@ -1032,11 +1032,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-sentinel labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" diff --git a/k8s/0.27.0/local/vsecm-distroless.yaml b/k8s/0.27.1/local/vsecm-distroless.yaml similarity index 96% rename from k8s/0.27.0/local/vsecm-distroless.yaml rename to k8s/0.27.1/local/vsecm-distroless.yaml index 3013625f..08dcf39b 100644 --- a/k8s/0.27.0/local/vsecm-distroless.yaml +++ b/k8s/0.27.1/local/vsecm-distroless.yaml @@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -57,11 +57,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm annotations: kubernetes.io/enforce-mountable-secrets: "true" 
@@ -87,11 +87,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm annotations: kubernetes.io/enforce-mountable-secrets: "true" @@ -117,11 +117,11 @@ metadata: name: vsecm-root-key namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm annotations: @@ -148,11 +148,11 @@ metadata: name: vsecm-sentinel-init-secret namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm annotations: @@ -340,11 +340,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP 
@@ -375,11 +375,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -403,7 +403,7 @@ spec: initContainers: - name: init-container - image: "localhost:5000/vsecm-ist-init-container:0.27.0" + image: "localhost:5000/vsecm-ist-init-container:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -476,7 +476,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "localhost:5000/vsecm-ist-keystone:0.27.0" + image: "localhost:5000/vsecm-ist-keystone:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -524,11 +524,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -552,7 +552,7 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-sentinel:0.27.0" + image: "localhost:5000/vsecm-ist-sentinel:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -717,11 +717,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: serviceName: vsecm-safe 
@@ -746,7 +746,7 @@ spec: containers: - name: main - image: "localhost:5000/vsecm-ist-safe:0.27.0" + image: "localhost:5000/vsecm-ist-safe:0.27.1" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 @@ -966,11 +966,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" @@ -999,11 +999,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-safe labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" @@ -1032,11 +1032,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-sentinel labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" diff --git a/k8s/0.27.0/remote/vsecm-distroless-fips.yaml b/k8s/0.27.1/remote/vsecm-distroless-fips.yaml similarity index 96% rename from k8s/0.27.0/remote/vsecm-distroless-fips.yaml rename to k8s/0.27.1/remote/vsecm-distroless-fips.yaml index 8d871380..30f656f0 100644 --- a/k8s/0.27.0/remote/vsecm-distroless-fips.yaml +++ b/k8s/0.27.1/remote/vsecm-distroless-fips.yaml 
@@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -57,11 +57,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm annotations: kubernetes.io/enforce-mountable-secrets: "true" @@ -87,11 +87,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm annotations: kubernetes.io/enforce-mountable-secrets: "true" @@ -117,11 +117,11 @@ metadata: name: vsecm-root-key namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm annotations: 
@@ -148,11 +148,11 @@ metadata: name: vsecm-sentinel-init-secret namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm annotations: @@ -340,11 +340,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP @@ -375,11 +375,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -403,7 +403,7 @@ spec: initContainers: - name: init-container - image: "vsecm/vsecm-ist-init-container:0.27.0" + image: "vsecm/vsecm-ist-init-container:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -476,7 +476,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "vsecm/vsecm-ist-fips-keystone:0.27.0" + image: "vsecm/vsecm-ist-fips-keystone:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket 
@@ -524,11 +524,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -552,7 +552,7 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-fips-sentinel:0.27.0" + image: "vsecm/vsecm-ist-fips-sentinel:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -717,11 +717,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: serviceName: vsecm-safe @@ -746,7 +746,7 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-fips-safe:0.27.0" + image: "vsecm/vsecm-ist-fips-safe:0.27.1" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 @@ -966,11 +966,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" @@ -999,11 +999,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-safe labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" 
@@ -1032,11 +1032,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-sentinel labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" diff --git a/k8s/0.27.0/remote/vsecm-distroless.yaml b/k8s/0.27.1/remote/vsecm-distroless.yaml similarity index 96% rename from k8s/0.27.0/remote/vsecm-distroless.yaml rename to k8s/0.27.1/remote/vsecm-distroless.yaml index a01d6dcc..0b76d500 100644 --- a/k8s/0.27.0/remote/vsecm-distroless.yaml +++ b/k8s/0.27.1/remote/vsecm-distroless.yaml @@ -32,11 +32,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false --- @@ -57,11 +57,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm annotations: kubernetes.io/enforce-mountable-secrets: "true" 
@@ -87,11 +87,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm annotations: kubernetes.io/enforce-mountable-secrets: "true" @@ -117,11 +117,11 @@ metadata: name: vsecm-root-key namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm annotations: @@ -148,11 +148,11 @@ metadata: name: vsecm-sentinel-init-secret namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm annotations: @@ -340,11 +340,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP 
@@ -375,11 +375,11 @@ metadata: name: vsecm-keystone namespace: vsecm-system labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -403,7 +403,7 @@ spec: initContainers: - name: init-container - image: "vsecm/vsecm-ist-init-container:0.27.0" + image: "vsecm/vsecm-ist-init-container:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /spire-agent-socket @@ -476,7 +476,7 @@ spec: value: "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$" containers: - name: main - image: "vsecm/vsecm-ist-keystone:0.27.0" + image: "vsecm/vsecm-ist-keystone:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -524,11 +524,11 @@ metadata: name: vsecm-sentinel namespace: vsecm-system labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -552,7 +552,7 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-sentinel:0.27.0" + image: "vsecm/vsecm-ist-sentinel:0.27.1" imagePullPolicy: IfNotPresent volumeMounts: - name: spire-agent-socket @@ -717,11 +717,11 @@ metadata: name: vsecm-safe namespace: vsecm-system labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: serviceName: vsecm-safe 
@@ -746,7 +746,7 @@ spec: containers: - name: main - image: "vsecm/vsecm-ist-safe:0.27.0" + image: "vsecm/vsecm-ist-safe:0.27.1" imagePullPolicy: IfNotPresent ports: - containerPort: 8443 @@ -966,11 +966,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-keystone labels: - helm.sh/chart: keystone-0.27.0 + helm.sh/chart: keystone-0.27.1 app.kubernetes.io/name: vsecm-keystone app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" @@ -999,11 +999,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-safe labels: - helm.sh/chart: safe-0.27.0 + helm.sh/chart: safe-0.27.1 app.kubernetes.io/name: vsecm-safe app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" @@ -1032,11 +1032,11 @@ kind: ClusterSPIFFEID metadata: name: vsecm-sentinel labels: - helm.sh/chart: sentinel-0.27.0 + helm.sh/chart: sentinel-0.27.1 app.kubernetes.io/name: vsecm-sentinel app.kubernetes.io/instance: vsecm app.kubernetes.io/part-of: vsecm-system - app.kubernetes.io/version: "0.27.0" + app.kubernetes.io/version: "0.27.1" app.kubernetes.io/managed-by: Helm spec: className: "vsecm" diff --git a/k8s/0.27.0/spire.yaml b/k8s/0.27.1/spire.yaml similarity index 99% rename from k8s/0.27.0/spire.yaml rename to k8s/0.27.1/spire.yaml index 1e2de137..75b6ea45 100644 --- a/k8s/0.27.0/spire.yaml +++ b/k8s/0.27.1/spire.yaml @@ -16,7 +16,7 @@ metadata: name: spire-agent namespace: spire-system labels: - helm.sh/chart: spire-0.27.0 + helm.sh/chart: spire-0.27.1 app.kubernetes.io/name: agent app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" 
@@ -39,7 +39,7 @@ metadata: name: spire-server namespace: spire-server labels: - helm.sh/chart: spire-0.27.0 + helm.sh/chart: spire-0.27.1 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -62,7 +62,7 @@ metadata: name: spire-spiffe-csi-driver namespace: spire-system labels: - helm.sh/chart: spire-0.27.0 + helm.sh/chart: spire-0.27.1 app.kubernetes.io/name: spiffe-csi-driver app.kubernetes.io/instance: spire app.kubernetes.io/version: "0.2.3" @@ -188,7 +188,7 @@ data: name: spire-controller-manager namespace: spire-server labels: - helm.sh/chart: spire-0.27.0 + helm.sh/chart: spire-0.27.1 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -657,7 +657,7 @@ metadata: name: spire-controller-manager-webhook namespace: spire-server labels: - helm.sh/chart: spire-0.27.0 + helm.sh/chart: spire-0.27.1 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -690,7 +690,7 @@ metadata: name: spire-server namespace: spire-server labels: - helm.sh/chart: spire-0.27.0 + helm.sh/chart: spire-0.27.1 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -723,7 +723,7 @@ metadata: name: spire-agent namespace: spire-system labels: - helm.sh/chart: spire-0.27.0 + helm.sh/chart: spire-0.27.1 app.kubernetes.io/name: agent app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -879,7 +879,7 @@ metadata: name: spire-spiffe-csi-driver namespace: spire-system labels: - hhelm.sh/chart: spire-0.27.0 + hhelm.sh/chart: spire-0.27.1 app.kubernetes.io/name: spiffe-csi-driver app.kubernetes.io/instance: spire app.kubernetes.io/version: "0.2.3" @@ -1010,7 +1010,7 @@ metadata: name: spire-server namespace: spire-server labels: - helm.sh/chart: spire-0.27.0 + helm.sh/chart: spire-0.27.1 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" 
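Review bot: The label key in the `@@ -879,7 +879,7 @@` hunk for the spire-spiffe-csi-driver resource is misspelled on the new side as `hhelm.sh/chart: spire-0.27.1` (doubled `h`), so this one object is not labelled `helm.sh/chart` like every other resource in spire.yaml, and any selector, policy or inventory query keyed on `helm.sh/chart` would silently miss it. The removed line shows the 0.27.0 manifest already carried the same typo, so it is inherited rather than introduced here; since this file is rendered chart output, the fix presumably belongs in the chart template, after which regeneration yields `helm.sh/chart: spire-0.27.1`. A quick grep of the rendered manifests for `hhelm` before tagging would confirm no other occurrence.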
@@ -1340,7 +1340,7 @@ metadata: name: spire-server-post-install namespace: spire-server labels: - helm.sh/chart: spire-0.27.0 + helm.sh/chart: spire-0.27.1 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -1366,7 +1366,7 @@ metadata: name: spire-server-post-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.0 + helm.sh/chart: spire-0.27.1 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -1392,7 +1392,7 @@ metadata: name: spire-server-pre-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.0 + helm.sh/chart: spire-0.27.1 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -1571,7 +1571,7 @@ metadata: name: spire-server-post-install namespace: spire-server labels: - helm.sh/chart: spire-0.27.0 + helm.sh/chart: spire-0.27.1 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -1643,7 +1643,7 @@ metadata: name: spire-server-post-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.0 + helm.sh/chart: spire-0.27.1 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6" @@ -1714,7 +1714,7 @@ metadata: name: spire-server-pre-upgrade namespace: spire-server labels: - helm.sh/chart: spire-0.27.0 + helm.sh/chart: spire-0.27.1 app.kubernetes.io/name: server app.kubernetes.io/instance: spire app.kubernetes.io/version: "1.9.6"