Merge spire 0.27.1

.github/tests/charts.json

@@ -2,16 +2,16 @@
   {
     "name": "kube-prometheus-stack",
     "repo": "https://prometheus-community.github.io/helm-charts",
-    "version": "75.6.1"
+    "version": "79.7.1"
   },
   {
     "name": "cert-manager",
     "repo": "https://charts.jetstack.io",
-    "version": "v1.18.1"
+    "version": "v1.19.1"
   },
   {
     "name": "ingress-nginx",
     "repo": "https://kubernetes.github.io/ingress-nginx",
-    "version": "4.12.3"
+    "version": "4.14.0"
   }
 ]

.github/tests/dependencies/mysql.yaml

@@ -1,3 +1,4 @@
+fullnameOverride: mysql
 primary:
   containerSecurityContext:
     allowPrivilegeEscalation: false

.github/tests/images.json

@@ -7,8 +7,8 @@
     },
     {
       "query": "chown.image",
-      "filter": "LATESTSHA",
-      "sort-flags": []
+      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
+      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
     },
     {
       "query": "tools.busybox.image",
@@ -38,6 +38,11 @@
       "query": "nodeDriverRegistrar.image",
       "filter": "^v",
       "sort-flags": []
+    },
+    {
+      "query": "selinux.image",
+      "filter": "^[0-9]\\+\\.[0-9]\\+-[0-9]\\+$",
+      "sort-flags": []
     }
   ],
   "spiffe-oidc-discovery-provider/values.yaml": [

.github/tests/oci-charts.json

@@ -1,17 +1,17 @@
 [
   {
-    "name": "mysql",
-    "registry": "docker.io/bitnamicharts/mysql",
-    "version": "13.0.2"
+    "name": "mariadb",
+    "registry": "docker.io/bitnamicharts/mariadb",
+    "version": "23.2.4"
   },
   {
     "name": "postgresql",
     "registry": "docker.io/bitnamicharts/postgresql",
-    "version": "16.7.9"
+    "version": "18.1.9"
   },
   {
     "name": "envoy-gateway",
     "registry": "docker.io/envoyproxy/gateway-helm",
-    "version": "v1.4.1"
+    "version": "v1.6.0"
   }
 ]

.github/tests/pre-install.sh

@@ -37,7 +37,7 @@ kubectl wait --namespace ingress-nginx --for=condition=ready --timeout 60s pod -
 # external database
 
 # mysql
-"${helm_install[@]}" mysql "${HELM_REGISTRY_MYSQL}" --version "$VERSION_MYSQL" \
+"${helm_install[@]}" mysql "${HELM_REGISTRY_MARIADB}" --version "$VERSION_MARIADB" \
   --namespace mysql \
   --values "${DEPS}/mysql.yaml" \
   --wait

charts/spiffe-step-ssh/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.1.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/spiffe-step-ssh/values.yaml

@@ -123,8 +123,8 @@ kubectl:
   ## @param kubectl.image.tag Overrides the image tag whose default is the chart appVersion
   ##
   image:
-    registry: docker.io
-    repository: rancher/kubectl
+    registry: registry.k8s.io
+    repository: kubectl
     pullPolicy: IfNotPresent
     tag: ""
 

charts/spire-nested/Chart.yaml

@@ -3,8 +3,8 @@ name: spire-nested
 description: >
   A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.26.0
-appVersion: "1.12.4"
+version: 0.27.1
+appVersion: "1.13.2"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:

charts/spire-nested/README.md

@@ -1,6 +1,6 @@
 # spire
 
-![Version: 0.26.0](https://img.shields.io/badge/Version-0.26.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.4](https://img.shields.io/badge/AppVersion-1.12.4-informational?style=flat-square)
+![Version: 0.27.1](https://img.shields.io/badge/Version-0.27.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.13.2](https://img.shields.io/badge/AppVersion-1.13.2-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.

charts/spire/Chart.yaml

@@ -3,9 +3,9 @@ name: spire
 description: >
   A Helm chart for deploying the complete Cofide SPIRE stack including: spire-server, spire-agent, spiffe-csi-driver, and spiffe-oidc-discovery-provider.
 type: application
-version: 0.26.0-cofide.12
-appVersion: "1.12.4"
-keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"]
+version: 0.27.1-cofide.0
+appVersion: "1.13.2"
+keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/cofide/spiffe-helm-charts-hardened/tree/main/charts/spire
 sources:
   - https://github.com/cofide/spiffe-helm-charts-hardened/tree/main/charts/spire

charts/spire/README.md

@@ -1,6 +1,6 @@
 # spire
 
-![Version: 0.26.0](https://img.shields.io/badge/Version-0.26.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.4](https://img.shields.io/badge/AppVersion-1.12.4-informational?style=flat-square)
+![Version: 0.27.1](https://img.shields.io/badge/Version-0.27.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.13.2](https://img.shields.io/badge/AppVersion-1.13.2-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@@ -24,11 +24,6 @@ Preparing a production deployment requires a few steps.
 
 1. Save the following to your-values.yaml, ideally in your git repo.
 
-> [!NOTE]
-> Please note that `rancher/kubectl` image does not always correspond to the most
-> recent version of Kubernetes. In order to find the most up-to-date version,
-> please visit their [releases](https://github.com/rancher/kubectl/releases) page.
-
 ```yaml
 global:
   openshift: false # If running on openshift, set to true
@@ -45,10 +40,6 @@ global:
       country: ARPA
       organization: Example
       commonName: example.org
-# If rancher/kubectl doesn't have a version that matches your cluster, uncomment and update:
-#    tools:
-#       kubectl:
-#         tag: "v1.23.3"
 ```
 
 2. If you need a non default storageClass, append the following to the global.spire section and update:

charts/spire/charts/spiffe-csi-driver/README.md

@@ -32,7 +32,7 @@ A Helm chart to install the SPIFFE CSI driver.
 | `image.repository`                            | The repository within the registry                                                                                                                                       | `spiffe/spiffe-csi-driver`                  |
 | `image.pullPolicy`                            | The image pull policy                                                                                                                                                    | `IfNotPresent`                              |
 | `image.tag`                                   | Overrides the image tag whose default is the chart appVersion                                                                                                            | `""`                                        |
-| `resources`                                   | Resource requests and limits for spiffe-csi-driver                                                                                                                       | `{}`                                        |
+| `resources`                                   | Resource requests and limits for spiffe-csi-driver and its initContainers                                                                                                | `{}`                                        |
 | `extraEnvVars`                                | Extra environment variables to be added to the spiffe-csi-driver container                                                                                               | `[]`                                        |
 | `healthChecks.port`                           | The healthcheck port for spiffe-csi-driver                                                                                                                               | `9809`                                      |
 | `updateStrategy.type`                         | The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete.                                                           | `RollingUpdate`                             |
@@ -61,7 +61,6 @@ A Helm chart to install the SPIFFE CSI driver.
 | `nodeDriverRegistrar.image.repository`        | The repository within the registry                                                                                                                                       | `sig-storage/csi-node-driver-registrar`     |
 | `nodeDriverRegistrar.image.pullPolicy`        | The image pull policy                                                                                                                                                    | `IfNotPresent`                              |
 | `nodeDriverRegistrar.image.tag`               | Overrides the image tag                                                                                                                                                  | `v2.9.4`                                    |
-| `nodeDriverRegistrar.resources`               | Resource requests and limits for CSI driver pods                                                                                                                         | `{}`                                        |
 | `nodeDriverRegistrar.extraEnvVars`            | Extra environment variables to be added to the nodeDriverRegistrar container                                                                                             | `[]`                                        |
 | `agentSocketPath`                             | The unix socket path to the spire-agent                                                                                                                                  | `/run/spire/agent-sockets/spire-agent.sock` |
 | `kubeletPath`                                 | Path to kubelet file                                                                                                                                                     | `/var/lib/kubelet`                          |
@@ -73,6 +72,6 @@ A Helm chart to install the SPIFFE CSI driver.
 | `selinux.context`                             | Which selinux context to use                                                                                                                                             | `container_file_t`                          |
 | `selinux.image.registry`                      | The OCI registry to pull the image from                                                                                                                                  | `registry.access.redhat.com`                |
 | `selinux.image.repository`                    | The repository within the registry                                                                                                                                       | `ubi9`                                      |
-| `selinux.image.pullPolicy`                    | The image pull policy                                                                                                                                                    | `Always`                                    |
-| `selinux.image.tag`                           | Overrides the image tag whose default is the chart appVersion                                                                                                            | `latest`                                    |
+| `selinux.image.pullPolicy`                    | The image pull policy                                                                                                                                                    | `IfNotPresent`                              |
+| `selinux.image.tag`                           | Overrides the image tag whose default is the chart appVersion                                                                                                            | `9.7-1763340522`                            |
 

charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml

@@ -68,6 +68,8 @@ spec:
               mountPath: /spire-agent-socket
           terminationMessagePolicy: File
           terminationMessagePath: /dev/termination-log
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
       {{- end }}
       {{- if gt (len .Values.initContainers) 0 }}
         {{- toYaml .Values.initContainers | nindent 8 }}
@@ -147,7 +149,7 @@ spec:
               port: healthz
             {{- toYaml .Values.livenessProbe | nindent 12 }}
           resources:
-            {{- toYaml .Values.nodeDriverRegistrar.resources | nindent 12 }}
+            {{- toYaml .Values.resources | nindent 12 }}
       volumes:
         - name: spire-agent-socket-dir
           hostPath:

charts/spire/charts/spiffe-csi-driver/values.yaml

@@ -20,7 +20,7 @@ image:
   pullPolicy: IfNotPresent
   tag: ""
 
-## @param resources [object] Resource requests and limits for spiffe-csi-driver
+## @param resources [object] Resource requests and limits for spiffe-csi-driver and its initContainers
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
@@ -127,18 +127,6 @@ nodeDriverRegistrar:
     repository: sig-storage/csi-node-driver-registrar
     pullPolicy: IfNotPresent
     tag: v2.9.4
-  ## @param nodeDriverRegistrar.resources Resource requests and limits for CSI driver pods
-  resources: {}
-    # We usually recommend not to specify default resources and to leave this as a conscious
-    # choice for the user. This also increases chances charts run on environments with little
-    # resources, such as Minikube. If you do want to specify resources, uncomment the following
-    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-    # requests:
-    #   cpu: 50m
-    #   memory: 32Mi
-    # limits:
-    #   cpu: 100m
-    #   memory: 64Mi
   ## @param nodeDriverRegistrar.extraEnvVars [array] Extra environment variables to be added to the nodeDriverRegistrar container
   extraEnvVars: []
 
@@ -172,5 +160,5 @@ selinux:
   image:
     registry: registry.access.redhat.com
     repository: ubi9
-    pullPolicy: Always
-    tag: latest
+    pullPolicy: IfNotPresent
+    tag: 9.7-1763340522

charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml

@@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider
 description: A Helm chart to install the SPIFFE OIDC discovery provider.
 type: application
 version: 0.1.0
-appVersion: "1.12.4"
+appVersion: "1.13.2"
 keywords: ["spiffe", "oidc"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources: