This repository has been archived by the owner on Mar 22, 2024. It is now read-only.

Migrate to readme-generator for helm maintained by bitnami #431

Merged
Changes from 16 commits
21 commits
66090e9
Updated default values.yaml with available options
Jul 17, 2023
209dcb1
Merge branch 'spiffe:main' into main
krishnakv Jul 24, 2023
2a4dd2f
Merge branch 'spiffe:main' into main
krishnakv Aug 8, 2023
cd1a011
created values and README with readme-generator
Aug 8, 2023
d271e14
merge from main branch changes
Aug 18, 2023
ef17b1a
Add latest value changes in main branch here
Aug 18, 2023
aa64f68
Create readme-gen script for readme-generator install
Aug 21, 2023
17ce988
Add code to generate values tables for subcharts README files
Aug 21, 2023
61338fe
Change values files for readme-gen syntax
Aug 25, 2023
fe5c44b
Modify values.yaml and README.md files to readme-generator format
Aug 25, 2023
9dc5c1c
Renamed readme-gen.sh back to helm-docs.sh
Aug 25, 2023
cf54cb4
Ensure npm is installed in helm-docs.sh script
Aug 25, 2023
474e97a
Merge with latest changes and fix values.yaml for readme-generator
Aug 28, 2023
3509a1c
Fix @params lines and blocks in values files
Aug 30, 2023
0e1a9fb
Modify github workflows to use the readme-generator tool.
Aug 31, 2023
e436d80
Merge branch 'main' into feature/readme-generator-current-values
krishnakv Sep 2, 2023
8563e24
Fix shellcheck and helm test errors
Sep 5, 2023
aa49133
Merge branch 'main' into feature/readme-generator-current-values
krishnakv Sep 5, 2023
4037e52
Fixed typos in values and removed Parameters in README
Sep 7, 2023
91f8f4c
Fix changes in spire chart README file
Sep 7, 2023
c581625
Fix docs after update of some doc strings
marcofranssen Sep 7, 2023
5 changes: 5 additions & 0 deletions .github/scripts/update-tags.sh
Expand Up @@ -20,6 +20,11 @@ if ! command -v yq &> /dev/null; then
exit 1
fi

if ! command -v npm &> /dev/null; then
echo Please install npm
exit 1
fi

if ! command -v python3 -c 'import ruamel.yaml' &> /dev/null; then
echo Please install python3 with the ruamel.yaml module
exit 1
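Review bot: the added npm guard only verifies that npm is on PATH; it does not check that readme-generator-for-helm itself is installed, nor which version will run, so a contributor with npm but without the tool still passes this check and fails later. Consider a `command -v readme-generator` check in the same style as the `yq` guard above, and pin the tool version where it is installed (the commit list shows it being installed from helm-docs.sh) so that generated README output is reproducible across machines and CI. Minor: quote the message, `echo "Please install npm"`, for consistency with shell style.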
6 changes: 3 additions & 3 deletions CONTRIBUTING.md
Expand Up @@ -48,14 +48,14 @@ Another approach to testing the chart is by installing one of the examples in yo

## Generating documentation

Any changes to Chart.yaml or values.yaml require an update of the README.md. This update can easily be generated using [helm-docs][].
Any changes to Chart.yaml or values.yaml require an update of the README.md. This update can easily be generated using [readme-generator](https://github.com/bitnami-labs/readme-generator-for-helm).

```shell
./helm-docs.sh charts/«chart-name»
./helm-docs.sh
```

## Bumping Chart version

In contrary to many other Helm repositories we do NOT require contributors to increate the Chart version. We have customized our release pipeline so we can bundle various PRs in a single release. Maintainers of the helm-charts in this repo will take care of the semantic versioning.

[helm-docs]: https://github.com/norwoodj/helm-docs "Generate documentation for your Helm chart."
[readme-generator]: https://github.com/bitnami-labs/readme-generator-for-helm "Auto generate READMEs for Helm Charts."
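Review bot: the rewritten sentence links to readme-generator inline, so the new `[readme-generator]: https://github.com/bitnami-labs/readme-generator-for-helm` reference definition added below is never used; either switch the sentence to the reference form `[readme-generator][]` (matching the previous `[helm-docs][]` style) or drop the definition. Also worth a sentence here: the script is still called `./helm-docs.sh` after the migration, and the `charts/«chart-name»` argument was removed, so say that it now wraps readme-generator and regenerates every chart README in one run; otherwise contributors will reasonably assume it still runs helm-docs on a single chart.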
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -38,3 +38,5 @@ This project is licensed under [Apache License, Version 2.0](LICENSE).
## Reporting a Vulnerability

Vulnerabilities can be reported by sending an email to [email protected]. A confirmation email will be sent to acknowledge the report within 72 hours. A second acknowledgement will be sent within 7 days when the vulnerability has been positively or negatively confirmed.

## Parameters
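Review bot: the added `## Parameters` heading at the end of the repository README has nothing beneath it. If it is meant as the marker under which readme-generator injects its tables, note that the top-level README does not belong to a chart and has no values.yaml to render, so the section will stay empty; drop it here and keep the marker only in the chart READMEs.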
104 changes: 98 additions & 6 deletions charts/spire/README.md
Expand Up @@ -23,8 +23,29 @@ A Helm chart for deploying the complete Spire stack including: spire-server, spi

> **Note**: For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden.

## FAQ
For any issues see our [FAQ](../../FAQ.md)…
## Prerequisites

Please note this chart requires `Projected Service Account Tokens` which has to be enabled on your k8s api server.

To enable Projected Service Account Tokens on Docker for Mac/Windows run the following
command to SSH into the Docker Desktop K8s VM.

```bash
docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
```

Then add the following to `/etc/kubernetes/manifests/kube-apiserver.yaml`

```yaml
spec:
containers:
- command:
- kube-apiserver
- --api-audiences=api,spire-server
- --service-account-issuer=api,spire-agent
- --service-account-key-file=/run/config/pki/sa.pub
- --service-account-signing-key-file=/run/config/pki/sa.key
```

## Usage

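Review bot: this hunk drops the `## FAQ` section and its link to `../../FAQ.md` while adding the Prerequisites text; if the FAQ still exists, keep the pointer rather than losing it as a side effect of the documentation tooling change. In the Prerequisites text, "add the following to `/etc/kubernetes/manifests/kube-apiserver.yaml`" does not say whether the listed `--api-audiences`, `--service-account-issuer`, `--service-account-key-file` and `--service-account-signing-key-file` flags replace flags already present in the manifest or are appended to it; state which, since the static pod manifest controls how the apiserver issues and validates the projected tokens that spire-agent relies on for node attestation.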
Expand Down Expand Up @@ -78,13 +99,86 @@ Now you can interact with the Spire agent socket from your own application. The
| Repository | Name | Version |
|------------|------|---------|
| file://./charts/spiffe-csi-driver | spiffe-csi-driver | 0.1.0 |
| file://./charts/spiffe-csi-driver | upstream-spiffe-csi-driver(spiffe-csi-driver) | 0.1.0 |
| file://./charts/spiffe-oidc-discovery-provider | spiffe-oidc-discovery-provider | 0.1.0 |
| file://./charts/spire-agent | spire-agent | 0.1.0 |
| file://./charts/spire-agent | upstream-spire-agent(spire-agent) | 0.1.0 |
| file://./charts/spire-server | spire-server | 0.1.0 |
| file://./charts/tornjak-frontend | tornjak-frontend | 0.1.0 |

## Parameters

### Global parameters

| Name | Description | Value |
| --------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ---------------------------- |
| `global.k8s.clusterDomain` | Cluster domain name configured for Spire install | `cluster.local` |
| `global.spire.bundleConfigMap` | A configmap containing the Spire bundle | `""` |
| `global.spire.clusterName` | The name of the k8s cluster for Spire install | `example-cluster` |
| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens | `oidc-discovery.example.org` |
| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` |
| `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` |
| `global.spire.image.registry` | Override all Spire image registries at once | `""` |
| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` |
| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` |

### Spire server parameters

| Name | Description | Value |
| ---------------------------------------- | --------------------------------------------- | -------- |
| `spire-server.enabled` | Flag to enable Spire server | `true` |
| `spire-server.nameOverride` | Overrides the name of Spire server pods | `server` |
| `spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` |

### Spire agent parameters

| Name | Description | Value |
| -------------------------- | -------------------------------------- | ------- |
| `spire-agent.enabled` | Flag to enable Spire agent | `true` |
| `spire-agent.nameOverride` | Overrides the name of Spire agent pods | `agent` |

### Upstream Spire agent and CSI driver configuration

| Name | Description | Value |
| ------------------ | ---------------------------------------------------------- | ------- |
| `upstream.enabled` | Enable upstream agent and driver for use with nested spire | `false` |

### Upstream Spire agent parameters

| Name | Description | Value |
| ------------------------------------------------ | -------------------------------------------------- | ---------------------------------------------------- |
| `upstream-spire-agent.upstream` | Flag for enabling upstream Spire agent | `true` |
| `upstream-spire-agent.nameOverride` | Name override for upstream Spire agent | `agent-upstream` |
| `upstream-spire-agent.bundleConfigMap` | The configmap name for upstream Spire agent bundle | `spire-bundle-upstream` |
| `upstream-spire-agent.socketPath` | Socket path where Spire agent socket is mounted | `/run/spire/agent-sockets-upstream/spire-agent.sock` |
| `upstream-spire-agent.serviceAccount.name` | Service account name for upstream Spire agent | `spire-agent-upstream` |
| `upstream-spire-agent.healthChecks.port` | Health check port number for upstream Spire agent | `9981` |
| `upstream-spire-agent.telemetry.prometheus.port` | The port where prometheus metrics are available | `9989` |

### Spire CSI Driver parameters

| Name | Description | Value |
| --------------------------- | ------------------------------------------------ | ------ |
| `spiffe-csi-driver.enabled` | Flag to enable spiffe-csi-driver for the cluster | `true` |

### Upstream Spire CSI Driver parameters

| Name | Description | Value |
| ---------------------------------------------- | ----------------------------------------------------------- | ---------------------------------------------------- |
| `upstream-spiffe-csi-driver.pluginName` | The plugin name for configuring upstream Spiffe CSI driver | `upstream.csi.spiffe.io` |
| `upstream-spiffe-csi-driver.agentSocketPath` | The socket path where Spiffe CSI driver mounts agent socket | `/run/spire/agent-sockets-upstream/spire-agent.sock` |
| `upstream-spiffe-csi-driver.healthChecks.port` | The port where Spiffe CSI driver health checks are exposed | `9810` |

### SPIFFE oidc discovery provider parameters

| Name | Description | Value |
| ---------------------------------------- | ------------------------------------------------------------- | ------- |
| `spiffe-oidc-discovery-provider.enabled` | Flag to enable spiffe-oidc-discovery-provider for the cluster | `false` |

### Tornjak frontend parameters

| Name | Description | Value |
| -------------------------- | ------------------------------- | ------- |
| `tornjak-frontend.enabled` | Flag to enable Tronjak frontend | `false` |
=======
## Values

| Key | Type | Default | Description |
Expand Down Expand Up @@ -587,5 +681,3 @@ Now you can interact with the Spire agent socket from your own application. The
| upstream-spire-agent.workloadAttestors.k8s.disableContainerSelectors | bool | `false` | Set to true if using holdApplicationUntilProxyStarts in Istio |
| upstream-spire-agent.workloadAttestors.k8s.skipKubeletVerification | bool | `true` | If true, kubelet certificate verification is skipped |
| upstream-spire-agent.workloadAttestors.unix.enabled | bool | `false` | enables the Unix workload attestor |

----------------------------------------------
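Review bot: a `=======` merge-conflict marker has been committed between the new Tornjak parameters table and the old `## Values` heading, and the old helm-docs `## Values` table (Key/Type/Default/Description) is still present below the new readme-generator `## Parameters` tables, so this README now documents its values twice with two different layouts. Remove the marker and the old table in this hunk. Two smaller points in the new tables: `Tronjak frontend` should read `Tornjak frontend`, and the old table visible at the bottom shows `upstream-spire-agent.workloadAttestors.k8s.skipKubeletVerification` defaulting to `true` with the description "kubelet certificate verification is skipped"; make sure the regenerated parameter tables keep that description, since an operator reviewing the defaults should see that kubelet certificate verification is off unless they turn it on.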
72 changes: 36 additions & 36 deletions charts/spire/charts/spiffe-csi-driver/README.md
Expand Up @@ -24,41 +24,41 @@ A Helm chart to install the SPIFFE CSI driver.

* <https://github.com/spiffe/helm-charts/tree/main/charts/spire>

## Values
## Parameters

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| agentSocketPath | string | `"/run/spire/agent-sockets/spire-agent.sock"` | The unix socket path to the spire-agent |
| fullnameOverride | string | `""` | |
| healthChecks.port | int | `9809` | |
| image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
| image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from |
| image.repository | string | `"spiffe/spiffe-csi-driver"` | The repository within the registry |
| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
| image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
| imagePullSecrets | list | `[]` | |
| kubeletPath | string | `"/var/lib/kubelet"` | |
| livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe |
| livenessProbe.timeoutSeconds | int | `5` | Timeout value in seconds for livenessProbe |
| nameOverride | string | `""` | |
| namespaceOverride | string | `""` | |
| nodeDriverRegistrar.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
| nodeDriverRegistrar.image.registry | string | `"registry.k8s.io"` | The OCI registry to pull the image from |
| nodeDriverRegistrar.image.repository | string | `"sig-storage/csi-node-driver-registrar"` | The repository within the registry |
| nodeDriverRegistrar.image.tag | string | `"v2.8.0"` | Overrides the image tag |
| nodeDriverRegistrar.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
| nodeDriverRegistrar.resources | object | `{}` | |
| nodeSelector | object | `{}` | |
| pluginName | string | `"csi.spiffe.io"` | Set the csi driver name deployed to Kubernetes. |
| podAnnotations | object | `{}` | |
| podSecurityContext | object | `{}` | |
| priorityClassName | string | `""` | Priority class assigned to daemonset pods |
| resources | object | `{}` | |
| securityContext.privileged | bool | `true` | |
| securityContext.readOnlyRootFilesystem | bool | `true` | |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| tolerations | list | `[]` | |
### SPIFFE CSI Driver Chart parameters

----------------------------------------------
| Name | Description | Value |
| ---------------------------------------- | ------------------------------------------------------------------------------------------- | ------------------------------------------- |
| `pluginName` | Set the csi driver name deployed to Kubernetes. | `csi.spiffe.io` |
| `image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `image.repository` | The repository within the registry | `spiffe/spiffe-csi-driver` |
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
| `resources` | Resource requests and limits for spiffe-csi-driver | `{}` |
| `healthChecks.port` | The healthcheck port for spiffe-csi-driver | `9809` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` |
| `livenessProbe.timeoutSeconds` | Timeout value in seconds for livenessProbe | `5` |
| `imagePullSecrets` | Image pull secret details for spiffe-csi-driver | `[]` |
| `nameOverride` | Name override for spiffe-csi-driver | `""` |
| `namespaceOverride` | Namespace to install spiffe-csi-driver | `""` |
| `fullnameOverride` | Full name override for spiffe-csi-driver | `""` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` |
| `podAnnotations` | Pod annotations for spiffe-csi-driver | `{}` |
| `podSecurityContext` | Security context for CSI driver pods | `{}` |
| `securityContext.readOnlyRootFilesystem` | Flag for read only root filesystem | `true` |
| `securityContext.privileged` | Flag for specifying privileged mode | `true` |
| `nodeSelector` | Node selector for CSI driver pods | `{}` |
| `tolerations` | Tolerations for CSI driver pods | `[]` |
| `nodeDriverRegistrar.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
| `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` |
| `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `nodeDriverRegistrar.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.8.0` |
| `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` |
| `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` |
| `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` |
| `priorityClassName` | Priority class assigned to daemonset pods | `""` |
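Review bot: `kubeletPath` is described as "Path to kubelet file", but the default `/var/lib/kubelet` is the kubelet's root directory (the tree under which the plugin registration socket and pod volume mounts live); reword it to "Path to the kubelet root directory". Also, `securityContext.privileged` defaults to `true` and the new description only says "Flag for specifying privileged mode"; the old table left it blank, so this is the right moment to say why the driver daemonset needs privileged mode, so operators assessing the elevated privileges of this pod are not left guessing whether they can turn it off.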