This repository has been archived by the owner on Mar 22, 2024. It is now read-only.
Merge branch 'main' into release
marcofranssen committed Apr 4, 2023
2 parents 545059c + 2a2615b commit 3f044af
Showing 50 changed files with 849 additions and 118 deletions.
8 changes: 4 additions & 4 deletions .github/tests/extras/values.yaml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
spire-agent:
initContainers:
- name: extra-init
image: busybox
image: cgr.dev/chainguard/busybox:latest-glibc
command:
- sh
- -xec
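Review bot: `cgr.dev/chainguard/busybox:latest-glibc` on the replacement `image:` line of this hunk (and the same line in the three hunks below) is a floating tag, so the test fixture changes whenever that tag is republished and a CI run is not reproducible against a known image. Pin a specific tag, or better a digest (`image: cgr.dev/chainguard/busybox@sha256:<digest>`, placeholder), and let an automated update bump it.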
Expand All @@ -12,7 +12,7 @@ spire-agent:
mountPath: /extra
extraContainers:
- name: extra
image: busybox
image: cgr.dev/chainguard/busybox:latest-glibc
command:
- sh
- -xec
Expand All @@ -32,7 +32,7 @@ spire-agent:
spire-server:
initContainers:
- name: extra-init
image: busybox
image: cgr.dev/chainguard/busybox:latest-glibc
command:
- sh
- -xec
Expand All @@ -43,7 +43,7 @@ spire-server:
mountPath: /extra
extraContainers:
- name: extra
image: busybox
image: cgr.dev/chainguard/busybox:latest-glibc
command:
- sh
- -xec
3 changes: 3 additions & 0 deletions .github/tests/federation-bundle-endpoint/values.yaml
@@ -0,0 +1,3 @@
spire-server:
federation:
enabled: true
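Review bot: this values file only flips `spire-server.federation.enabled` to `true`; unless the scenario also carries a `post-install.sh` like the other test directories, CI proves that the chart renders and installs with federation on, not that the bundle endpoint is actually served. A post-install step that requests the bundle endpoint from inside the cluster and records the response in `$GITHUB_STEP_SUMMARY` would make the scenario name true.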
1 change: 0 additions & 1 deletion .github/tests/lockdown/.env

This file was deleted.

5 changes: 0 additions & 5 deletions .github/tests/lockdown/pre-install.sh

This file was deleted.

5 changes: 0 additions & 5 deletions .github/tests/lockdown/values.yaml

This file was deleted.

Expand Up @@ -5,17 +5,29 @@ set -x
SCRIPT=$(readlink -f "$0")
SCRIPTPATH=$(dirname "$SCRIPT")

k_wait=(kubectl wait --for condition=available --timeout 30s --namespace)
k_rollout_status=(kubectl rollout status --watch --timeout 30s --namespace)
k_wait () {
kubectl wait --for condition=available --timeout 30s --namespace "$1" "$2" "$3" | tail -n 1
}

k_rollout_status () {
kubectl rollout status --watch --timeout 30s --namespace "$1" "$2" "$3" | tail -n 1
}

RELEASE=$(helm ls --no-headers -n "${scenario}" | awk '{print $1}' | grep 'spire-[^-]*$')

cat <<EOF >>"$GITHUB_STEP_SUMMARY"
### release
| release |
| ------- |
| $RELEASE |
### spire
| workload | Status |
| -------- | ------ |
| spire-server | $("${k_rollout_status[@]}" spire-server statefulset spire-server) |
| spire-spiffe-csi-driver | $("${k_rollout_status[@]}" spire-system daemonset spire-spiffe-csi-driver) |
| spire-agent | $("${k_rollout_status[@]}" spire-system daemonset spire-agent) |
| spire-spiffe-oidc-discovery-provider | $("${k_wait[@]}" spire-server deployments.apps spire-spiffe-oidc-discovery-provider) |
| spire-server | <pre>$(k_rollout_status spire-server statefulset "${RELEASE}-server")</pre> |
| spire-spiffe-csi-driver | <pre>$(k_rollout_status spire-system daemonset "${RELEASE}-spiffe-csi-driver")</pre> |
| spire-agent | <pre>$(k_rollout_status spire-system daemonset "${RELEASE}-agent")</pre> |
| spire-spiffe-oidc-discovery-provider | <pre>$(k_wait spire-server deployments.apps "${RELEASE}-spiffe-oidc-discovery-provider")</pre> |
EOF

if [ $1 -ne 0 ]; then
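Review bot: `RELEASE=$(helm ls ... | grep 'spire-[^-]*$')` has no guard for an empty or multi-line result. If no release matches, every lookup below runs against `-server`, `-agent` and so on and the table silently shows the resulting kubectl error; if several releases match, `"${RELEASE}-server"` expands to a multi-line argument. Add `[ -n "$RELEASE" ] || { echo 'no spire release found' >> "$GITHUB_STEP_SUMMARY"; exit 1; }` after the assignment, with `head -n 1` if exactly one release is expected. The `| tail -n 1` in `k_wait` and `k_rollout_status` also discards kubectl's exit status, which is acceptable here because the output is only reported, not acted on; `$1` in `if [ $1 -ne 0 ]` should be quoted.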
3 changes: 3 additions & 0 deletions .github/tests/namespace-override/pre-install.sh
@@ -0,0 +1,3 @@
#!/bin/bash
kubectl create namespace "spire-system"
kubectl create namespace "spire-server"
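Review bot: the script has no `set -e`, so a failure of the first `kubectl create namespace` only surfaces if the second one fails too, because the caller only sees the last command's status. Add `set -e` (and `-x` for the step log). Unlike the production-example `pre-install.sh`, these namespaces get no `pod-security.kubernetes.io/enforce` label, so the scenario does not exercise the `privileged` (agent, CSI driver in `spire-system`) versus `restricted` (`spire-server`) split that a hardened cluster would impose.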
26 changes: 26 additions & 0 deletions .github/tests/namespace-override/values.yaml
@@ -0,0 +1,26 @@
spiffe-oidc-discovery-provider:
enabled: true
namespaceOverride: spire-server
insecureScheme:
enabled: true

spire-server:
namespaceOverride: spire-server
nodeAttestor:
k8sPsat:
serviceAccountAllowList: ["spire-system:spire-agent"]
notifier:
k8sbundle:
namespace: spire-system

spiffe-csi-driver:
enabled: true
namespaceOverride: spire-system

spire-agent:
enabled: true
namespaceOverride: spire-system
serviceAccount:
name: spire-agent
server:
namespaceOverride: spire-server
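Review bot: `serviceAccountAllowList: ["spire-system:spire-agent"]` and `notifier.k8sbundle.namespace: spire-system` are hardcoded to the values chosen for `spire-agent.namespaceOverride` and `spire-agent.serviceAccount.name` further down in the same file; if either override changes, PSAT attestation of the agent fails with no hint here. A comment tying the three settings together would help; the allow list itself is the right shape (one `namespace:serviceaccount` entry, not a wildcard). `insecureScheme.enabled: true` on the OIDC discovery provider is fine for this CI scenario but should not be copied into example values.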
13 changes: 13 additions & 0 deletions .github/tests/production-example/install.sh
@@ -0,0 +1,13 @@
#!/usr/bin/env bash

set -xe

SCRIPT=$(readlink -f "$0")
SCRIPTPATH=$(dirname "$SCRIPT")

helm install \
--namespace spire-server \
--values "${SCRIPTPATH}/../../../examples/production/values.yaml" \
spire charts/spire --wait

helm test spire --namespace spire-server
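Review bot: `charts/spire` is resolved against the current working directory while the values file is resolved from `SCRIPTPATH`, so the script breaks when run from anywhere but the repository root. Use `"${SCRIPTPATH}/../../../charts/spire"` for both. `--wait` without `--timeout` falls back to Helm's default of 5 minutes; stating it explicitly makes the CI time budget visible.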
51 changes: 51 additions & 0 deletions .github/tests/production-example/post-install.sh
@@ -0,0 +1,51 @@
#!/usr/bin/env bash

set -x

SCRIPT=$(readlink -f "$0")
SCRIPTPATH=$(dirname "$SCRIPT")

k_wait=(kubectl wait --for condition=available --timeout 30s --namespace)
k_rollout_status=(kubectl rollout status --watch --timeout 30s --namespace)

function get_namespace_details {
cat <<EOF >>"$GITHUB_STEP_SUMMARY"
### Namespace $1
#### Events
\`\`\`shell
$(kubectl --request-timeout=30s get events --output wide --namespace "$1")
\`\`\`
#### Pods
\`\`\`shell
$(kubectl --request-timeout=30s describe pods --namespace "$1")
\`\`\`
#### Logs
\`\`\`shell
$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --all-containers=true --ignore-errors=true; done)
\`\`\`
EOF
}
cat <<EOF >>"$GITHUB_STEP_SUMMARY"
### spire
| workload | Status |
| ------------------------------------ | ------ |
| spire-server | "$("${k_rollout_status[@]}" spire-server statefulset spire-server)" |
| spire-controller-manager | "$("${k_rollout_status[@]}" spire-server statefulset spire-controller-manager)" |
| spire-spiffe-oidc-discovery-provider | "$("${k_wait[@]}" spire-server deployments.apps spire-spiffe-oidc-discovery-provider)" |
| spire-spiffe-csi-driver | "$("${k_rollout_status[@]}" spire-system daemonset spire-spiffe-csi-driver)" |
| spire-agent | "$("${k_rollout_status[@]}" spire-system daemonset spire-agent)" |
EOF
if [ $1 -ne 0 ]; then
get_namespace_details spire-server
get_namespace_details spire-systen
fi
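Review bot: `get_namespace_details spire-systen` is a typo for `spire-system`, so on a failed run the events, pod descriptions and logs of the namespace holding the agent and CSI driver (the components most likely to be at fault) are never collected, and kubectl reports a missing namespace instead. Also, the double quotes around `"$( ... )"` inside the heredoc are literal, so every Status cell is rendered with surrounding quote characters; the other post-install script wraps the value in `<pre>` instead, which reads better. `$1` in `[ $1 -ne 0 ]` should be quoted.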
6 changes: 6 additions & 0 deletions .github/tests/production-example/pre-install.sh
@@ -0,0 +1,6 @@
#!/usr/bin/env bash

kubectl create namespace spire-system
kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged
kubectl create namespace spire-server
kubectl label namespace spire-server pod-security.kubernetes.io/enforce=restricted
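Review bot: the split (`privileged` for `spire-system`, where the agent and CSI driver run, `restricted` for `spire-server`) is the right least-privilege shape, but only the `enforce` label is set. Adding `pod-security.kubernetes.io/warn` and `audit` at the same level, and pinning `pod-security.kubernetes.io/enforce-version` to the intended Kubernetes minor, keeps the policy stable across cluster upgrades. The script also lacks `set -e`, so only a failure of the final `kubectl label` would be reported to the caller.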
3 changes: 3 additions & 0 deletions .github/tests/prometheus/pre-install.sh
@@ -0,0 +1,3 @@
#!/usr/bin/env bash

helm install kube-prometheus-stack kube-prometheus-stack --version 45.7.1 --repo https://prometheus-community.github.io/helm-charts -n "$scenario" --wait
9 changes: 9 additions & 0 deletions .github/tests/prometheus/values.yaml
Expand Up @@ -2,3 +2,12 @@ global:
telemetry:
prometheus:
enabled: true
podMonitor:
enabled: true
labels:
release: kube-prometheus-stack

spiffe-oidc-discovery-provider:
enabled: true
insecureScheme:
enabled: true
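Review bot: `podMonitor.labels.release: kube-prometheus-stack` must match the release name used in this scenario's `pre-install.sh` (`helm install kube-prometheus-stack ...`), because that chart's Prometheus selects only monitors carrying its own release label; a comment noting the coupling prevents a silent "no targets" result if either side is renamed. `insecureScheme.enabled: true` is appropriate for the CI scenario only.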
67 changes: 54 additions & 13 deletions .github/workflows/helm-chart-ci.yaml
Expand Up @@ -10,6 +10,7 @@ on:
- '.github/kind/conf/kind-config.yaml'
- '.github/tests/**/*.yaml'
- '.github/tests/**/*.sh'
- 'examples/**/*.yaml'
- 'helm-docs.sh'

concurrency:
Expand All @@ -19,25 +20,60 @@ concurrency:
env:
HELM_VERSION: v3.11.1
PYTHON_VERSION: 3.11.2
CHART_TESTING_VERSION: v3.7.1
CHART_TESTING_VERSION: v3.8.0

jobs:
check-docs:
checks:
runs-on: ubuntu-22.04

steps:
- name: Checkout
uses: actions/checkout@v3.4.0
uses: actions/checkout@v3.5.0

- name: Verify Docs updated
run: ./helm-docs.sh

- name: Verify Spire appVersion
run: |
set +e
BASEVER=$(yq e .appVersion Chart.yaml)
for FILE in spiffe-oidc-discovery-provider spire-agent spire-server; do
VER=$(yq .appVersion charts/$FILE/Chart.yaml)
if [ "$VER" != "$BASEVER" ]; then
{
echo "## Version mismatch"
echo
echo "There is a mismatch between the chart version ($BASEVER) and subchart version ($VER). The issue may be in file $FILE. Please fix."
} >> "$GITHUB_STEP_SUMMARY"
exit 1
fi
done
- name: Check objects for images without overrides
run: |
set +e
set -o pipefail
# Look for image: definitions that are not templated. If we find none, exit is not 0 and we invert the error code to get the
# test to pass. Ignore tests for now...
grep "image:" charts/spire/charts/*/templates/*.* | grep -v 'image: {{ template "' > /tmp/findings
res=$?
if [ $res -eq 0 ]; then
{
echo "## Hardcoded images"
echo
echo ":x: These templates were found to be using statically defined images and not overridable ones. Please fix."
echo
cat /tmp/findings
} >> "$GITHUB_STEP_SUMMARY"
exit 1
fi
lint-chart:
runs-on: ubuntu-22.04

steps:
- name: Checkout
uses: actions/checkout@v3.4.0
uses: actions/checkout@v3.5.0
with:
fetch-depth: 0
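Review bot: the hardcoded-image check, `grep "image:" charts/spire/charts/*/templates/*.*`, only covers subchart templates whose filenames contain a dot, skips any templates directly under `charts/spire/templates` if present, and also matches commented-out `image:` lines; a recursive grep over `charts/` restricted to `*.yaml` and `*.tpl`, excluding lines that start with `#`, would be more robust. The two steps also resolve chart paths differently (`Chart.yaml` and `charts/$FILE/Chart.yaml` versus `charts/spire/charts/*/templates`), so confirm the working directory both run in. Minor: the mismatch message says "chart version" but the comparison is on `appVersion`, and `$FILE` should be quoted.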

Expand All @@ -52,7 +88,7 @@ jobs:
python-version: ${{ env.PYTHON_VERSION }}

- name: Setup chart-testing
uses: helm/chart-testing-action@v2.3.1
uses: helm/chart-testing-action@v2.4.0
with:
version: ${{ env.CHART_TESTING_VERSION }}

Expand Down Expand Up @@ -82,7 +118,7 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v3.4.0
uses: actions/checkout@v3.5.0

- id: set-matrix
name: Collect all tests
Expand Down Expand Up @@ -122,7 +158,7 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v3.4.0
uses: actions/checkout@v3.5.0
with:
fetch-depth: 0

Expand All @@ -137,7 +173,7 @@ jobs:
python-version: ${{ env.PYTHON_VERSION }}

- name: Setup chart-testing
uses: helm/chart-testing-action@v2.3.1
uses: helm/chart-testing-action@v2.4.0
with:
version: ${{ env.CHART_TESTING_VERSION }}

Expand All @@ -152,23 +188,28 @@ jobs:

- name: Run chart-testing (install)
run: |
export scenario="$(basename "${TEST_DIR}")"
export EXTRA_HELM_ARGS=""
[ "${scenario}" != "default" ] && kubectl create namespace "${scenario}"
post-install() {
[ -x "${TEST_DIR}/post-install.sh" ] && "${TEST_DIR}/post-install.sh" $1
exit $1
}
trap 'post-install $? $LINENO' EXIT
export scenario="$(basename "${TEST_DIR}")"
export EXTRA_HELM_ARGS=""
[ "${scenario}" != "default" ] && kubectl create namespace "${scenario}"
[ -x "${TEST_DIR}/pre-install.sh" ] && "${TEST_DIR}/pre-install.sh"
[ -f "${TEST_DIR}/.env" ] && source "${TEST_DIR}/.env"
if [ -x {${TEST_DIR}/install.sh ]; then
./${TEST_DIR}/install.sh
if [ -x "${TEST_DIR}/install.sh" ]; then
"${TEST_DIR}/install.sh"
else
ct install --debug \
--namespace "${scenario}" \
--target-branch ${{ github.base_ref }} \
--exclude-deprecated \
--skip-clean-up \
${{ (matrix.values != 'default' && '--helm-extra-set-args "--values=${TEST_DIR}/values.yaml ${EXTRA_HELM_ARGS}"') || '' }}
fi
env:
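Review bot: the `post-install`, `pre-install.sh` and `install.sh` hooks are all gated on `-x`, so a hook committed without its executable bit (easy to do through a web editor or on Windows) is silently skipped and the scenario passes without its checks; test `-f` and invoke through `bash "${TEST_DIR}/post-install.sh"` instead. Inside `post-install`, `$1` is passed and used unquoted (`"${TEST_DIR}/post-install.sh" $1` and `exit $1`); quote both. The replacement of `[ -x {${TEST_DIR}/install.sh ]` by the quoted, well-formed test is correct.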
2 changes: 1 addition & 1 deletion .github/workflows/helm-release.yaml
Expand Up @@ -19,7 +19,7 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v3.4.0
uses: actions/checkout@v3.5.0
with:
fetch-depth: 0

2 changes: 1 addition & 1 deletion CODEOWNERS
Expand Up @@ -2,6 +2,6 @@
# the repo. Unless a later match takes precedence,
# they will be requested for review when someone opens a
# pull request.
* @marcofranssen @Kfox1111 @developer-guy @dennisgove @dfeldman @faisal-memon @mrsabath
* @marcofranssen @Kfox1111 @developer-guy @dfeldman @faisal-memon @mrsabath

# See CODEOWNERS syntax here: https://help.github.com/articles/about-codeowners/#codeowners-syntax
7 changes: 5 additions & 2 deletions README.md
Expand Up @@ -2,7 +2,9 @@
# SPIFFE Helm Charts

[![Apache 2.0 License](https://img.shields.io/github/license/spiffe/helm-charts?style=for-the-badge)](https://opensource.org/licenses/Apache-2.0)
[![Apache 2.0 License](https://img.shields.io/github/license/spiffe/helm-charts)](https://opensource.org/licenses/Apache-2.0)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/spiffe)](https://artifacthub.io/packages/search?repo=spiffe)

A suite of [Helm Charts](https://helm.sh/docs) for standardized installations of SPIRE components in Kubernetes environments.

Expand All @@ -21,8 +23,9 @@ Unless otherwise noted in an application chart README, the following dependencie
|:-----------|:-------------------|
| SPIRE | `1.5.3`+, `1.6.x` |
| Helm | `3.x` |
| Kubernetes | `1.21+` |

For Kubernetes we will officially try to support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions).
> **Note**: For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden. *The first version we tested this chart with is `1.21`.*
## Contributing
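Review bot: in the new note, "as long it doesn't bring security issues" should read "as long as it doesn't bring security issues". Dropping the Kubernetes row from the dependency table while stating the tested minimum only in the note means a reader scanning the table no longer sees any Kubernetes version; consider keeping a row that points to the note.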
