feat: use Cofide SPIRE server v1.12.4-cofide.0

This change switches to use the Cofide SPIRE server instead of upstream,
initially at version v1.12.4-cofide.0.

The image repository is set, but the registry is not. The registry must
be requested from Cofide.

Author: markgoddard

.github/tests/common.sh

@@ -93,6 +93,7 @@ done
 )
 
 # Used just for testing. You should provide your own values as described in the install instructions.
+# NOTE(Cofide upgrade): The tag used here must be in sync with the upstream Chart.yaml.
 common_test_your_values () {
 cat > /tmp/$$.example-your-values.yaml <<EOF
 global:
@@ -105,6 +106,11 @@ global:
       country: US
       organization: Production
       commonName: production.other
+spire-server:
+  image:
+    registry: ghcr.io
+    repository: spire-server
+    tag: 1.12.4
 EOF
 echo "/tmp/$$.example-your-values.yaml"
 }

charts/spire/Chart.yaml

@@ -4,7 +4,7 @@ description: >
   A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
 version: 0.26.0-cofide.0
-appVersion: "1.12.4"
+appVersion: "1.12.4-cofide.0"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:

charts/spire/charts/spire-server/Chart.yaml

@@ -3,7 +3,7 @@ name: spire-server
 description: A Helm chart to install the SPIRE server.
 type: application
 version: 0.1.0
-appVersion: "1.12.4"
+appVersion: "1.12.4-cofide.0"
 keywords: ["spiffe", "spire-server", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:

charts/spire/charts/spire-server/README.md

@@ -82,8 +82,8 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | Name                                                                                         | Description                                                                                                                                                                                                                                                                                                                                                          | Value                                                                                          |
 | -------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
 | `replicaCount`                                                                               | SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database.                                                                                                                                                                                                                                   | `1`                                                                                            |
-| `image.registry`                                                                             | The OCI registry to pull the image from                                                                                                                                                                                                                                                                                                                              | `ghcr.io`                                                                                      |
-| `image.repository`                                                                           | The repository within the registry                                                                                                                                                                                                                                                                                                                                   | `spiffe/spire-server`                                                                          |
+| `image.registry`                                                                             | The OCI registry to pull the image from. Request from Cofide.                                                                                                                                                                                                                                                                                                        | ``                                                                                             |
+| `image.repository`                                                                           | The repository within the registry                                                                                                                                                                                                                                                                                                                                   | `cofide/spire-server`                                                                          |
 | `image.pullPolicy`                                                                           | The image pull policy                                                                                                                                                                                                                                                                                                                                                | `IfNotPresent`                                                                                 |
 | `image.tag`                                                                                  | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                                                                                                                                                        | `""`                                                                                           |
 | `kind`                                                                                       | Define SPIRE server deployment type. Can be statefulset/deployment. Defaults to statefulset if not set. This feature is experimental.                                                                                                                                                                                                                                | `statefulset`                                                                                  |

charts/spire/charts/spire-server/templates/server-resource.yaml

@@ -64,6 +64,9 @@
 {{-     fail "clientKeyPath can only be set with database type mysql or aws_mysql." }}
 {{-   end }}
 {{- end }}
+{{- if eq .Values.image.registry "" }}
+{{-   fail "image.registry must be set." }}
+{{- end }}
 {{- if not .Values.externalServer }}
 apiVersion: apps/v1
 {{- if eq .Values.kind "statefulset" }}

charts/spire/charts/spire-server/values.yaml

@@ -15,8 +15,8 @@ replicaCount: 1
 ## @param image.tag Overrides the image tag whose default is the chart appVersion
 ##
 image:
-  registry: ghcr.io
-  repository: spiffe/spire-server
+  registry: ""
+  repository: cofide/spire-server
   pullPolicy: IfNotPresent
   tag: ""