
Merge spire 0.27.1#27

Open
alec-w wants to merge 64 commits into main from merge-spire-0.27.1

Conversation

@alec-w
Contributor

@alec-w alec-w commented Feb 25, 2026

Part of https://github.com/cofide/cofide-spire/issues/155

Conflicts resolved:

  • spire-server readme - conflicts around datastore docs, fixed and then ran helm-docs.sh to ensure the fix was correct.
  • spire-server configmap - additions on both sides to the logic on whether node attestor config is included; the conditions are all OR'd together, so made sure all conditions from both sides were included.
  • top level Chart.yaml - version needed the cofide suffix and the home URL needed switching back to this repo.

spire-helm-version-checker bot and others added 30 commits July 7, 2025 04:33
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com>
To have an always up to date kubectl image it is probably better to get kubectl from registry.k8s.io

Signed-off-by: Marco Franssen <marco.franssen@gmail.com>
This reduces the footprint for this initContainer to just 4.04MB.

The cgr.dev/chainguard/bash image is 35.2MB in size.

I have used the same tag as the busybox value to ensure no additional
versions have to be pulled on the node running spire-server components.

Signed-off-by: Marco Franssen <marco.franssen@gmail.com>
Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.18.3 to 3.18.4.
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v3.18.3...v3.18.4)

---
updated-dependencies:
- dependency-name: helm.sh/helm/v3
  dependency-version: 3.18.4
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Add Agent TTL

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

* Allow unset agentttl

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

---------

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>
* Add aws_iid

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

* Change to awsIid

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

* Change to awsIid

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

* update helm

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

* Change to awsIID

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>
Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

* Change to awsIID

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>
Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

* Change to awsIID

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>
Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

* Change to awsIID

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>
Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

* Change to awsIID

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>
Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

* Change to awsIID

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>
Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

* add signed off

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

* Add doc

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

* remove not used config

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

* remove not used config

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

* add example awsiid

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>

---------

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>
Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com>
* Remove spire-server.nodeAttestor.awsIID.region

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Remove spire-server.nodeAttestor.awsIID.region

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Remove spire-server.nodeAttestor.awsIID.region

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Update README.md

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

---------

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>
* Add disk based KeyManager

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>
Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Change disk to false

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>
Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Change disk to false

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>
Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Fix per requirement

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Update information

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Detail doc

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Test change comment

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Comment better before

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

---------

Signed-off-by: Eric Cavalcanti <ericcav@amazon.com>
Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>
Co-authored-by: kfox1111 <Kevin.Fox@pnnl.gov>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com>
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-version: 1.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com>
* 64b9c40 Bump test chart dependencies (#635)
* d516de0 Update spike to 0.4.2 (#632)
* 8904b96 Bump test chart dependencies (#633)
* 6581b11 Add disk based KeyManager (#627)
* d2913ff Remove region from awsiid node attestor (#630)
* 3218db7 Bump test chart dependencies (#628)
* 57a6143 Add aws_iid to helm chart (#620)
* 9a8e5a8 Add Agent TTL to Spire Server (#626)
* 093c593 spire-server: Replace chown image with busybox
* a7d536c tools: Replace rancher/kubectl with registry.k8s.io/kubectl
* fc1791f Bump test chart dependencies (#618)

Signed-off-by: Faisal Memon <fymemon@yahoo.com>
Signed-off-by: Faisal Memon <fymemon@yahoo.com>
Co-authored-by: kfox1111 <Kevin.Fox@pnnl.gov>
* Bump spiffe-step-ssh Helm Chart version from 0.1.0 to 0.1.1

* a7d536c tools: Replace rancher/kubectl with registry.k8s.io/kubectl

Signed-off-by: Faisal Memon <fymemon@yahoo.com>

* Update charts/spiffe-step-ssh/Chart.yaml

Signed-off-by: kfox1111 <Kevin.Fox@pnnl.gov>

---------

Signed-off-by: Faisal Memon <fymemon@yahoo.com>
Signed-off-by: kfox1111 <Kevin.Fox@pnnl.gov>
Co-authored-by: kfox1111 <Kevin.Fox@pnnl.gov>
* Add Datadog as telemetry option

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Use correct local domain

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Change doc

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Add docs

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* remove .cluster.local

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Remove cluster.local

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Fix doc

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

---------

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>
Co-authored-by: kfox1111 <Kevin.Fox@pnnl.gov>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com>
Co-authored-by: kfox1111 <Kevin.Fox@pnnl.gov>
* Change selinux image pullpolicy and tag version

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Change image pullpolicy

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Update readme

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* update examples

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Update image pullpolicy

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Fix readme as well

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Undo pullpolicy readme

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Add selinux

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Revert code block

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

* Change regex

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>

---------

Signed-off-by: Eric Cavalcanti <cajuclc@gmail.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com>
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.23.4 to 2.24.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.23.4...v2.24.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-version: 2.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.18.4 to 3.18.6.
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v3.18.4...v3.18.6)

---
updated-dependencies:
- dependency-name: helm.sh/helm/v3
  dependency-version: 3.18.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.24.0 to 2.25.1.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.24.0...v2.25.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-version: 2.25.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.38.0 to 1.38.1.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.38.0...v1.38.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-version: 1.38.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.38.1 to 1.38.2.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.38.1...v1.38.2)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-version: 1.38.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com>
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.25.1 to 2.25.3.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.25.1...v2.25.3)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-version: 2.25.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
spire-helm-version-checker bot and others added 21 commits September 29, 2025 06:13
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com>
* Bump test chart dependencies

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Fix bitnami chart support

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

---------

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com>
Co-authored-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.25.3 to 2.26.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.25.3...v2.26.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-version: 2.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: kfox1111 <Kevin.Fox@pnnl.gov>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com>
…#678)

Signed-off-by: Daniel Schlatter <djschlatt@gmail.com>
Co-authored-by: kfox1111 <Kevin.Fox@pnnl.gov>
Signed-off-by: Monforton <113210196+Monforton@users.noreply.github.com>
Co-authored-by: kfox1111 <Kevin.Fox@pnnl.gov>
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.26.0 to 2.27.1.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.26.0...v2.27.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-version: 2.27.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.27.1 to 2.27.2.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.27.1...v2.27.2)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-version: 2.27.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com>
Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.19.0 to 3.19.1.
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v3.19.0...v3.19.1)

---
updated-dependencies:
- dependency-name: helm.sh/helm/v3
  dependency-version: 3.19.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.19.1 to 3.19.2.
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v3.19.1...v3.19.2)

---
updated-dependencies:
- dependency-name: helm.sh/helm/v3
  dependency-version: 3.19.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com>
… spire-agent init container (#691)

* use spire-agent.resources to set resources for associated initContainers, remove specific keys for those initContainers corresponding resources

Signed-off-by: Daniel Schlatter <djschlatt@gmail.com>

* set resources for spire-agent init containers fingerprint-tpm and init-tpm-direct

Signed-off-by: Daniel Schlatter <djschlatt@gmail.com>

* use spiffe-csi-driver.resources to set resources for associated initContainers, remove specific keys for those initContainers corresponding resources

Signed-off-by: Daniel Schlatter <djschlatt@gmail.com>

* set resources for spiffe-csi-driver init container set-context

Signed-off-by: Daniel Schlatter <djschlatt@gmail.com>

---------

Signed-off-by: Daniel Schlatter <djschlatt@gmail.com>
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Co-authored-by: Faisal Memon <fymemon@yahoo.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com>
* 18b8144 Bump test chart dependencies (#698)
* 31091cf Add oidc server_path_prefix option (#695)
* 8dffc8e use spire-agent.hostCert.resources to set resources for corresponding spire-agent init container (#691)
* e75e095 Bump test chart dependencies (#696)
* aab7c68 Bump test chart dependencies (#692)
* ca6e9f3 Bump test chart dependencies
* a373924 Bump test chart dependencies
* c52edb9 chore: update SPIRE to 1.13.2 (#681)
* 41bd5b9 fix socketAlternate names throwing an error if set to an empty list (#678)
* 5402473 Bump test chart dependencies (#684)
* 8925975 Bump test chart dependencies (#674)
* 0f5bb04 Bump test chart dependencies (#672)

Signed-off-by: Faisal Memon <fymemon@yahoo.com>
* c52edb9 chore: update SPIRE to 1.13.2 (#681)

Signed-off-by: Faisal Memon <fymemon@yahoo.com>
Co-authored-by: kfox1111 <Kevin.Fox@pnnl.gov>
@alec-w alec-w self-assigned this Feb 25, 2026
@alec-w alec-w added this to the now milestone Feb 25, 2026
@gemini-code-assist

Summary of Changes

Hello @alec-w, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request merges the latest upstream changes for SPIRE version 0.27.1, bringing a suite of updates across the Helm charts. The primary goal is to ensure compatibility with the newest SPIRE features and security enhancements, while also integrating new cloud-specific node attestors and telemetry options. The changes encompass dependency upgrades, refined configurations for various components, and the addition of new examples to demonstrate advanced integrations.

Highlights

  • SPIRE Version Update: The core SPIRE charts (spire-nested, spire, spire-agent, spire-server, spiffe-oidc-discovery-provider, spike-keeper, spike-nexus, spike-pilot) have been updated to chart version 0.27.1 and appVersion 1.13.2, aligning with the latest SPIRE release.
  • New Node Attestor Support: Introduced support for the AWS IID Node Attestor on both SPIRE Agent and Server, enabling instances to be automatically verified using AWS's Instance Metadata API and Instance Identity Document. This includes new configuration parameters and an example deployment.
  • GCP Cloud SQL IAM Authentication: Added support for GCP MySQL IAM authentication for the SPIRE Server, allowing it to connect to Google Cloud SQL databases using IAM instead of traditional passwords. A new example demonstrates this integration with Cloud SQL Proxy.
  • Telemetry Enhancements: Datadog telemetry has been integrated into both SPIRE Agent and Server, providing new configuration options to enable and configure metrics reporting to Datadog.
  • Dependency and Image Updates: Numerous external Helm chart dependencies and container image tags have been updated to their latest versions, including kube-prometheus-stack, cert-manager, ingress-nginx, mariadb (replacing mysql), postgresql, envoy-gateway, kubectl, spiffe-helper, nginx, nginx-prometheus-exporter, and various test utility images.
  • SPIRE Agent and Server Configuration Improvements: The SPIRE Agent now supports disk-based key management, configurable log formats, and rebootstrap behavior. The SPIRE Server's controller manager gained new parameters for entry ID prefixing, garbage collection interval, and log level, along with experimental OPA policy engine support.

Changelog
  • .github/tests/charts.json
    • Updated versions for kube-prometheus-stack, cert-manager, and ingress-nginx.
  • .github/tests/dependencies/mysql.yaml
    • Added fullnameOverride for MySQL dependency.
  • .github/tests/images.json
    • Updated chown.image filter and sort flags.
    • Added selinux.image query with filter and sort flags.
  • .github/tests/oci-charts.json
    • Updated mariadb (formerly mysql), postgresql, and envoy-gateway chart versions.
  • .github/tests/pre-install.sh
    • Switched Helm installation from mysql to mariadb.
  • charts/spiffe-step-ssh/Chart.yaml
    • Updated chart version to 0.1.1.
  • charts/spiffe-step-ssh/values.yaml
    • Updated kubectl image registry from docker.io/rancher/kubectl to registry.k8s.io/kubectl.
  • charts/spire-nested/Chart.yaml
    • Updated chart version to 0.27.1 and app version to 1.13.2.
  • charts/spire-nested/README.md
    • Updated version and appVersion badges.
  • charts/spire/Chart.yaml
    • Updated chart version to 0.27.1-cofide.0 and app version to 1.13.2.
    • Added spire-controller-manager to keywords.
  • charts/spire/README.md
    • Updated version and appVersion badges.
    • Removed outdated note and commented-out section regarding rancher/kubectl image.
  • charts/spire/charts/spiffe-csi-driver/README.md
    • Updated description for resources to include initContainers.
    • Removed nodeDriverRegistrar.resources parameter.
    • Updated selinux.image.pullPolicy to IfNotPresent and tag to 9.7-1763340522.
  • charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml
    • Added resource allocation for the main container and node driver registrar using .Values.resources.
  • charts/spire/charts/spiffe-csi-driver/values.yaml
    • Updated description for resources to include initContainers.
    • Removed nodeDriverRegistrar.resources section.
    • Updated selinux.image.pullPolicy to IfNotPresent and tag to 9.7-1763340522.
  • charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml
    • Updated app version to 1.13.2.
  • charts/spire/charts/spiffe-oidc-discovery-provider/README.md
    • Added labels parameter for deployment.
    • Updated spiffeHelper.image.tag to 0.11.0.
    • Added service.loadBalancerIP parameter.
    • Updated insecureScheme.nginx.image.tag to 1.29.2-alpine.
    • Added config.serverPathPrefix parameter.
    • Updated telemetry.prometheus.nginxExporter.image.tag to 1.5.1.
    • Updated various test image tags (tests.bash.image.tag, tests.toolkit.image.tag, tests.step.image.tag).
    • Updated tools.kubectl image registry and repository.
  • charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml
    • Added server_path_prefix to the configuration if specified.
  • charts/spire/charts/spiffe-oidc-discovery-provider/templates/service.yaml
    • Added loadBalancerIP to the service definition for LoadBalancer type services.
  • charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
    • Added labels parameter with example usage.
    • Updated spiffeHelper.image.tag to 0.11.0.
    • Added service.loadBalancerIP parameter.
    • Updated insecureScheme.nginx.image.tag to 1.29.2-alpine.
    • Added config.serverPathPrefix parameter.
    • Updated telemetry.prometheus.nginxExporter.image.tag to 1.5.1.
    • Updated various test image tags (tests.bash.image.tag, tests.toolkit.image.tag, tests.step.image.tag).
    • Updated tools.kubectl image registry and repository.
  • charts/spire/charts/spike-keeper/Chart.yaml
    • Updated app version to 0.4.2.
  • charts/spire/charts/spike-nexus/Chart.yaml
    • Updated app version to 0.4.2.
  • charts/spire/charts/spike-nexus/README.md
    • Added backendStore parameter description.
  • charts/spire/charts/spike-nexus/templates/statefulset.yaml
    • Added SPIKE_NEXUS_BACKEND_STORE environment variable.
  • charts/spire/charts/spike-nexus/values.yaml
    • Added backendStore parameter with default sqlite.
  • charts/spire/charts/spike-pilot/Chart.yaml
    • Updated app version to 0.4.2.
  • charts/spire/charts/spire-agent/Chart.yaml
    • Updated app version to 1.13.2.
  • charts/spire/charts/spire-agent/README.md
    • Updated resources description to include initContainers.
    • Added logFormat, rebootstrapMode, rebootstrapDelay parameters.
    • Updated fsGroupFix.image.pullPolicy to IfNotPresent and tag.
    • Removed fsGroupFix.resources parameter.
    • Added keyManager.disk.enabled parameter.
    • Added nodeAttestor.awsIID.enabled parameter.
    • Added telemetry.datadog parameters.
    • Updated socketAlternate.image.pullPolicy to IfNotPresent and tag.
    • Removed socketAlternate.resources parameter.
    • Updated hostCert.image.tag.
    • Removed hostCert.resources parameter.
    • Updated tools.kubectl image registry and repository.
  • charts/spire/charts/spire-agent/templates/configmap.yaml
    • Added validation for keyManager.disk.enabled requiring persistence.type to be hostPath.
    • Corrected typo from 'direcotry' to 'directory' in error message.
    • Added log_format, rebootstrap_mode, and rebootstrap_delay to agent configuration.
    • Added aws_iid node attestor plugin configuration.
    • Added disk key manager plugin configuration.
    • Added Datadog telemetry configuration.
  • charts/spire/charts/spire-agent/templates/daemonset.yaml
    • Added validation for keyManager.disk.enabled requiring persistence.type to be hostPath.
    • Added resource allocation for hostCert init container.
    • Added resource allocation for tpmDirect init container.
    • Changed conditional check for socketAlternateNames from gt (len ...) to simply $socketAlternateNames.
    • Updated resource allocation for ensure-alternate-names init container to use .Values.resources.
    • Updated resource allocation for fsGroupFix init container to use .Values.resources.
    • Added volume mount for spire-key-manager when keyManager.disk.enabled is true.
  • charts/spire/charts/spire-agent/values.yaml
    • Updated resources description to include initContainers.
    • Added logFormat parameter.
    • Added rebootstrapMode and rebootstrapDelay parameters.
    • Updated fsGroupFix.image.pullPolicy to IfNotPresent and tag.
    • Removed fsGroupFix.resources parameter.
    • Added keyManager.disk.enabled parameter.
    • Added nodeAttestor.awsIID.enabled parameter.
    • Added telemetry.datadog parameters.
    • Updated socketAlternate.image.pullPolicy to IfNotPresent and tag.
    • Removed socketAlternate.resources parameter.
    • Updated hostCert.image.tag.
    • Removed hostCert.resources parameter.
    • Updated tools.kubectl image registry and repository.
  • charts/spire/charts/spire-server/Chart.yaml
    • Updated app version to 1.13.2.
  • charts/spire/charts/spire-server/README.md
    • Added service.loadBalancerIP parameter.
    • Updated dataStore.sql.databaseType description to include gcp_mysql_sa_iam.
    • Added controllerManager.addEntryIDPrefix, gcInterval, and logLevel parameters.
    • Added agentTTL parameter.
    • Added nodeAttestor.awsIID.enabled and assumeRole parameters.
    • Updated chown.image details to use busybox and IfNotPresent pull policy.
    • Added experimental.authOpaPolicyEngine parameters for local policy data and Rego.
  • charts/spire/charts/spire-server/templates/_helpers.tpl
    • Extended MySQL database type conditions to include gcp_mysql_sa_iam.
    • Adjusted connection string formatting for MySQL to handle cases without passwords (e.g., IAM authentication).
  • charts/spire/charts/spire-server/templates/configmap.yaml
    • Added agentTTL to server configuration.
    • Added auth_opa_policy_engine configuration for experimental OPA policy engine.
    • Extended node attestor conditions to include awsIID.
    • Added aws_iid plugin configuration with assume_role.
    • Added Datadog telemetry configuration.
  • charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
    • Added gcInterval and logLevel to controller manager configuration.
    • Added conditional entryIDPrefix based on controllerManager.addEntryIDPrefix.
  • charts/spire/charts/spire-server/templates/secret.yaml
    • Modified condition for creating database secrets to exclude gcp_mysql_sa_iam.
  • charts/spire/charts/spire-server/templates/server-resource.yaml
    • Changed chown init container command from bash to sh.
    • Modified condition for database password environment variables to exclude gcp_mysql_sa_iam.
  • charts/spire/charts/spire-server/values.yaml
    • Added service.loadBalancerIP parameter.
    • Updated dataStore.sql.databaseType options to include gcp_mysql_sa_iam.
    • Added controllerManager.addEntryIDPrefix, gcInterval, and logLevel parameters.
    • Updated tools.kubectl image registry and repository.
    • Added telemetry.datadog parameters.
    • Added agentTTL parameter.
    • Added nodeAttestor.awsIID parameters.
    • Updated chown.image details to use busybox and IfNotPresent pull policy.
    • Added experimental.authOpaPolicyEngine parameters.
  • charts/spire/charts/tornjak-frontend/README.md
    • Updated tests.bash.image.tag.
  • charts/spire/charts/tornjak-frontend/values.yaml
    • Updated tests.bash.image.tag.
  • examples/aws-iid/README.md
    • Added new file documenting AWS IID Node Attestor configuration and IAM policy.
  • examples/cloud-sql-proxy-gcp/README.md
    • Added new file documenting Cloud SQL Proxy with GCP IAM authentication setup.
  • examples/cloud-sql-proxy-gcp/main.tf
    • Added new Terraform file for setting up GCP Cloud SQL instance, service accounts, and Workload Identity.
  • examples/cloud-sql-proxy-gcp/values.yaml
    • Added new values file for configuring SPIRE Server with GCP Cloud SQL Proxy and IAM authentication.
  • examples/external-mysql/run-tests.sh
    • Switched Helm installation from mysql to mariadb.
  • examples/mysql-using-spire/mysql-values.yaml
    • Changed spiffe-helper image pullPolicy to IfNotPresent.
  • examples/mysql-using-spire/mysqlclient-statefulset.yaml
    • Changed spiffe-helper image pullPolicy to IfNotPresent for init and refresh containers.
  • examples/stateless-server/run-tests.sh
    • Switched Helm installation from mysql to mariadb.
  • tests/go.mod
    • Updated Go module dependencies for ginkgo, gomega, and helm.sh/helm/v3.
  • tests/go.sum
    • Updated Go module checksums to reflect dependency changes.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request merges changes from spire 0.27.1, including numerous dependency updates, version bumps, and configuration changes across various Helm charts. It also adds new features such as the AWS IID node attestor, GCP IAM authentication for Cloud SQL, and Datadog telemetry support. A security audit identified several instances of potential YAML injection in Kubernetes templates where values from values.yaml are embedded without proper quoting, which could lead to configuration manipulation or deployment failures. It is recommended to apply suggested quoting to ensure robust and secure manifests. Additionally, a few minor issues related to file formatting were found in the new example files.
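The quoting problem the review above points at, shown as an added example (not code from the chart, the upstream project or the review bot): a Go program renders a hypothetical Helm-style ConfigMap fragment from a constructed values string, once embedded verbatim and once through `quote`, and a minimal line scanner counts the keys each rendering declares. The template key, the `quote` stand-in (strconv.Quote, which matches Sprig's `quote`), and the hostile value are all assumptions for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// Two renderings of the same hypothetical Helm-style template fragment: the
// first embeds a values.yaml string verbatim, the second passes it through
// quote (a stand-in for Sprig's quote, which Helm charts use as `| quote`).
// The key name is constructed for the example and is not from any chart.
const unquotedTpl = `data:
  server_path_prefix: {{ .ServerPathPrefix }}
`

const quotedTpl = `data:
  server_path_prefix: {{ .ServerPathPrefix | quote }}
`

// quote wraps the value in double quotes and escapes embedded quotes, newlines
// and control characters, so the result is always a single YAML scalar.
// Sprig's quote is fmt.Sprintf("%q", s), which strconv.Quote reproduces.
func quote(s string) string { return strconv.Quote(s) }

// render executes tpl with the single value and returns the manifest text.
func render(tpl, value string) (string, error) {
	t, err := template.New("m").Funcs(template.FuncMap{"quote": quote}).Parse(tpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, map[string]string{"ServerPathPrefix": value}); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// keysUnder returns the mapping keys that appear indented under the `data:`
// block. It is a deliberately simple line scanner, enough to show how many
// keys the rendered YAML would declare, not a full YAML parser.
func keysUnder(manifest string) []string {
	var keys []string
	for _, line := range strings.Split(manifest, "\n") {
		if !strings.HasPrefix(line, "  ") {
			continue
		}
		trimmed := strings.TrimSpace(line)
		if i := strings.Index(trimmed, ":"); i > 0 {
			keys = append(keys, trimmed[:i])
		}
	}
	return keys
}

func main() {
	// Constructed hostile value: a path prefix carrying a newline so that the
	// unquoted rendering declares a second key in the ConfigMap.
	hostile := "/oidc\n  injected_key: true"
	for _, tpl := range []string{unquotedTpl, quotedTpl} {
		out, err := render(tpl, hostile)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s-> keys: %v\n\n", out, keysUnder(out))
	}
}
```

The unquoted rendering yields two keys under `data:`, the quoted one yields only `server_path_prefix` with the newline kept inside the scalar, which is why the review asks for `| quote` on every string taken from values.yaml.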
