spire-0.13.0

A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.

What's Changed

• Federation test by @drewwells in #423
• Bump helm.sh/helm/v3 from 3.11.3 to 3.12.3 in /tests by @dependabot in #462
• Scan for updates to new images by @kfox1111 in #466
• Split steps in check-versions wf for easier debugging by @marcofranssen in #467
• support datastore password secret created by external resources by @grameshtwilio in #464
• Bump github.com/onsi/ginkgo/v2 from 2.11.0 to 2.12.0 in /tests by @dependabot in #468
• Add customPlugins and unsupportedBuiltInPlugins sections to spire-server by @kfox1111 in #198
• Bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in #469
• ingress-nginx production tests and spiffe-oidc-discovery-provider example by @kfox1111 in #136
• Switch mysql and postgresql tests to HA Production configs by @kfox1111 in #471
• Bump sigstore/cosign-installer from 3.1.1 to 3.1.2 by @dependabot in #473
• Bump actions/checkout from 3.6.0 to 4.0.0 by @dependabot in #474
• fix(charts/spire/spire-agent): podmonitor templating by @simonostendorf in #478
• Migrate to readme-generator for helm maintained by bitnami by @krishnakv in #431
• Cleanup leftover docs old documentation tool by @krishnakv in #482
• option to configure agent sds by @grameshtwilio in #479
• Allow configuration of priorityClassName on spire-server statefulset by @InverseIntegral in #480
• Bump docker/login-action from 2 to 3 by @dependabot in #483
• Add support for Vault UpstreamAuthority plugin - K8s Auth by @LaithLite in #415
• Bump spire Helm Chart version from 0.12.0 to 0.13.0 by @marcofranssen in #484

New Contributors

• @simonostendorf made their first contribution in #478
• @krishnakv made their first contribution in #431
• @InverseIntegral made their first contribution in #480

Full Changelog: spire-0.12.0...spire-0.13.0

spire-0.12.0

A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.

What's Changed

• Bump helm/kind-action from 1.7.0 to 1.8.0 by @dependabot in #396
• Bump actions/checkout from 3.5.2 to 3.5.3 by @dependabot in #395
• Add persistence type flag by @kfox1111 in #315
• Bump test chart dependencies by @github-actions in #401
• Add aws_pca to the spire-server by @PetrMc in #404
• support annotations so oidc can be annotated by @drewwells in #391
• Bump test chart dependencies by @github-actions in #416
• Change Tornjak backend default port by @mrsabath in #436
• Fix jwtIssuer to allow for Uris including scheme by @drewwells in #425
• Bump test chart dependencies by @github-actions in #426
• Bump actions/setup-go from 4.0.1 to 4.1.0 by @dependabot in #438
• option to set KeyManager memory in spire server by @grameshtwilio in #444
• Add a FAQ and switch rare issue from README to it by @kfox1111 in #437
• Bump test chart dependencies by @github-actions in #445
• Fix chainguard image references as per issue 442 by @kfox1111 in #443
• Bypass example-test for docs only changes by @faisal-memon in #449
• Improve Tornjak documentation by @mrsabath in #439
• Support Nested Spire with External Agent by @kfox1111 in #117
• Array spacing in values is incorrect in a file. by @kfox1111 in #451
• Update spire bits to 1.7.2 by @kfox1111 in #452
• Clarify project issues identified with nesting document by @kfox1111 in #450
• Allow job hooks to be disabled by @faisal-memon in #434
• Cron job to check for and update images by @kfox1111 in #249
• Adds AWS KMS KeyManager support by @mchurichi in #435
• Fix annotation for spire-oidc deployment by @marcofranssen in #457
• Bump actions/setup-go from 4.0.0 to 4.1.0 by @dependabot in #459
• Bump imjasonh/setup-crane from 0.1 to 0.3 by @dependabot in #460
• Fix dependabot + include Go dependencies in dependabot by @marcofranssen in #456
• Bump github.com/onsi/gomega from 1.27.6 to 1.27.10 in /tests by @dependabot in #461
• Fix initContainers spire-server statefulset by @marcofranssen in #458
• Bump spire Helm Chart version from 0.11.1 to 0.12.0 by @marcofranssen in #455

New Contributors

• @PetrMc made their first contribution in #404
• @grameshtwilio made their first contribution in #444
• @mchurichi made their first contribution in #435

Full Changelog: spire-0.11.1...spire-0.12.0

spire-0.11.1

A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.

What's Changed

• issuer naming should respect issuer_name override by @drewwells in #378
• support annotations so oidc can be annotated by @drewwells in #391
• Add support for disabling container selectors by @faisal-memon in #399
• Remove misadded lockfile by @kfox1111 in #400
• Update spire to 1.7.1 by @kfox1111 in #412
• Bump spire Helm Chart version from 0.11.0 to 0.11.1 by @faisal-memon in #419

Full Changelog: spire-0.11.0...spire-0.11.1

spire-0.11.0

A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.

What's Changed

• Fix missing spiffe-csi-driver imagePullSecrets template by @LaithLite in #376
• Bump test chart dependencies by @github-actions in #377
• Add additional domains to JWT issued items. by @kfox1111 in #230
• Add namespace to spiffe-oidc-discovery-provider RBAC definitions by @drewwells in #379
• Add missing tolerations config to daemonsets by @kfox1111 in #381
• Bump helm/kind-action from 1.7.0 to 1.8.0 by @dependabot in #384
• Fix oidc provider config change not rolling out by @kfox1111 in #383
• Bump test chart dependencies by @github-actions in #382
• Bump test chart dependencies by @github-actions in #386
• Add TLS/mTLS support for Tornjak by @mrsabath in #338
• Align tornjak clientCA naming convention by @marcofranssen in #393
• Improve tornjak service API to have object structure by @marcofranssen in #392
• Add basic unit test framework by @kfox1111 in #390
• Refactor testing to leverage core chart-testing capabilities and enable multiple root level charts by @marcofranssen in #324
• Bump spire Helm Chart version from 0.10.1 to 0.11.0 by @marcofranssen in #394

New Contributors

• @LaithLite made their first contribution in #376

Full Changelog: spire-0.10.1...spire-0.11.0

spire-0.10.1

A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.

Note: Since the 0.10.0 release we also capture our release in rekor.

Verify the signed OCI artifact

cosign verify
    --certificate-identity "https://github.com/spiffe/helm-charts/.github/workflows/helm-release.yaml@refs/heads/release" \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --output text \
    ghcr.io/spiffe/helm-charts/spire:0.10.1

Install Helm chart via OCI

helm upgrade --namespace spire-system --install --create-namespace spire ghcr.io/spiffe/helm-charts/spire:0.10.1

What's Changed

• Bump test chart dependencies by @github-actions in #370
• Fix bug in cert-manager upstream authority by @marcofranssen in #374
• Bump spire Helm Chart version from 0.10.0 to 0.10.1 by @marcofranssen in #375

Full Changelog: spire-0.10.0...spire-0.10.1

spire-0.10.0

A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.

Note: Since this release we also capture our release in rekor.

Verify the signed OCI artifact

$ cosign verify
    --certificate-identity "https://github.com/spiffe/helm-charts/.github/workflows/helm-release.yaml@refs/heads/release" \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --output text \
    ghcr.io/spiffe/helm-charts/spire:0.10.0

Verification for ghcr.io/spiffe/helm-charts/spire:0.10.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
Certificate subject: https://github.com/spiffe/helm-charts/.github/workflows/helm-release.yaml@refs/heads/release
Certificate issuer URL: https://token.actions.githubusercontent.com
GitHub Workflow Trigger: push
GitHub Workflow SHA: 8b5f9703ffef3afeb71e0971afe63fba1a39d9c0
GitHub Workflow Name: Release Helm Charts
GitHub Workflow Repository: spiffe/helm-charts
GitHub Workflow Ref: refs/heads/release
{"critical":{"identity":{"docker-reference":"ghcr.io/spiffe/helm-charts/spire"},"image":{"docker-manifest-digest":"sha256:01a5a119401f3f5e60967f9a7e884e1985f0c6f3a0c2e020297b007f8c7e1e11"},"type":"cosign container image signature"},"optional":null}

Install Helm chart via OCI

helm upgrade --namespace spire-system --install --create-namespace spire ghcr.io/spiffe/helm-charts/spire:0.10.0

What's Changed

• add missing federatesWith option by @drewwells in #361
• Bump spire-controller-manager from 0.2.2 to 0.2.3 by @marcofranssen in #367
• Bump sigstore/cosign-installer from 3.0.5 to 3.1.0 by @dependabot in #368
• Ensure the released OCI artifact is also captured in rekor by @marcofranssen in #369
• Bump sigstore/cosign-installer from 3.1.0 to 3.1.1 by @dependabot in #373
• Bump spire Helm Chart version from 0.9.1 to 0.10.0 by @marcofranssen in #371

Full Changelog: spire-0.9.1...spire-0.10.0

spire-0.9.1

A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.

What's Changed

• Bump test chart dependencies by @github-actions in #358
• Always add parseTime=true for mysql query string by @faisal-memon in #352
• Fix missing template by @drewwells in #362
• Fix init container flags of spire-server statefulset by @kfox1111 in #366
• Bump spire Helm Chart version from 0.9.0 to 0.9.1 by @marcofranssen in #365

Full Changelog: spire-0.9.0...spire-0.9.1

spire-0.9.0

A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.

Warning: The issuer_name for cert-manager on spire-server has changed to default to the name of the Helm release. Previously the default was spire-ca.

What's Changed

• Improve Tornjak frontend test by @mrsabath in #320
• Improve Tornjak backend test by @mrsabath in #321
• Add Makefile for local testing by @marcofranssen in #327
• Bump test chart dependencies by @github-actions in #322 #332
• Upgrade Tornjak to image v1.2.2 by @mrsabath in #328
• Initial submission of Helm Chart key naming conventions. by @edwbuck in #331
• Bump actions/checkout from 3.5.0 to 3.5.3 by @dependabot in #339
• Fix ingress annotations for federation by @kfox1111 in #337
• Update upstream-ca-secret.yaml by @drewwells in #341
• Dropping k8s versions in CI older than 3, as per readme by @drewwells in #344
• Add missing global values to charts by @kfox1111 in #311
• Allow overriding test images by @kfox1111 in #186
• Add missing metadata to subcharts by @kfox1111 in #347
• Bump peter-evans/create-pull-request from 5.0.1 to 5.0.2 by @dependabot in #349
• Fix bundle role/rolebinding naming conflict by @kfox1111 in #333
• Bump spire images to 1.7.0 by @kfox1111 in #348
• Ignore .DS_Store files by @faisal-memon in #350
• Add support to create a issuer and CA via cert-manager by @drewwells in #342
• Add configmap annotation to spire-bundle configmap by @faisal-memon in #351
• Allow contributors to run linting easily on local by @marcofranssen in #354
• Allow for SPIRE Agent to run as non root user by @kfox1111 in #209
• Implement pre-delete hook for graceful delete of spiffe-oidc-discovery-provider by @marcofranssen in #353
• Align the bash image version with other instances for spire-agent by @marcofranssen in #356
• Add SPIRE 1.7.0 to main readme by @faisal-memon in #357
• Bump spire Helm Chart version from 0.8.1 to 0.9.0 by @marcofranssen in #359

New Contributors

• @drewwells made their first contribution in #341

Full Changelog: spire-0.8.1...spire-0.9.0

spire-0.8.1

A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.

What's Changed

• Parametrize probes by @mrsabath in #310
• Allow for having no registry specified by @faisal-memon in #312
• Removed pull_request edited event from ci workflow by @marcofranssen in #318
• Bump k8s versions to latest patches by @marcofranssen in #317
• Emergency patch for Tornjak Frontend by @mrsabath in #319
• Bump spire Helm Chart version from 0.8.0 to 0.8.1 by @marcofranssen in #323
• Bump python + helm in CI workflow by @marcofranssen in #325

Full Changelog: spire-0.8.0...spire-0.8.1

spire-0.8.0

A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.

Warning: The support for Tornjak is still considered experimental.

What's Changed

• Switch the spire tests to always run by @kfox1111 in #250
• Add json to test path by @faisal-memon in #280
• Bump test chart dependencies by @github-actions in #279
• Skip tests for docs folders by @faisal-memon in #281
• Add maintainer's handbook. by @edwbuck in #265
• Add Tornjak by @mrsabath in #234
• Add nodeSelector for tornjak by @marcofranssen in #282
• Use the correct kubectl for the cluster by @kfox1111 in #248
• Add additional k8s native features to Tornjak frontend by @marcofranssen in #283
• Bump sigstore/cosign-installer from 3.0.3 to 3.0.4 by @dependabot in #286
• Bump helm/kind-action from 1.5.0 to 1.6.0 by @dependabot in #285
• Remove manual dispatch from dummy workflow by @marcofranssen in #288
• Cleanup maintainer handbook by @faisal-memon in #287
• Tornjak reuse spire-lib.cluster-domain macro by @marcofranssen in #292
• Fix Tornjak persistence issue by @kfox1111 in #294
• Switch image.version to image.tag by @kfox1111 in #245
• Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 by @dependabot in #295
• Bump helm/kind-action from 1.6.0 to 1.7.0 by @dependabot in #296
• Updated Tornjak documenation with Not-for-production labels by @mrsabath in #297
• Update images for cve's found by the cronjob by @kfox1111 in #290
• Fix the generated pr so that it runs jobs too by @kfox1111 in #303
• Bump test chart dependencies by @github-actions in #301
• Add support for spire-server ingress by @kfox1111 in #68
• Allow to use spire-server as an upstream authority by @kfox1111 in #304
• Fix hooks for K3s by @faisal-memon in #305
• Upgrade Tornjak to new image v1.2.1 by @mrsabath in #299
• Upgrade to spire 1.6.4 by @kfox1111 in #308
• Remove 1.21.x testing by @kfox1111 in #306
• Bump spire Helm Chart version from 0.7.0 to 0.8.0 by @marcofranssen in #313

Full Changelog: spire-0.7.0...spire-0.8.0