This repository has been archived by the owner on Mar 22, 2024. It is now read-only.

Merge branch 'main' into production-ingress-nginx
kfox1111 authored Mar 22, 2023
2 parents 8d91d8d + b25dc77 commit 0dc5a4d
Showing 13 changed files with 110 additions and 13 deletions.
1 change: 0 additions & 1 deletion .github/tests/lockdown/.env

This file was deleted.

5 changes: 0 additions & 5 deletions .github/tests/lockdown/pre-install.sh

This file was deleted.

5 changes: 0 additions & 5 deletions .github/tests/lockdown/values.yaml

This file was deleted.

3 changes: 3 additions & 0 deletions .github/tests/namespace-override/pre-install.sh
@@ -0,0 +1,3 @@
#!/bin/bash
kubectl create namespace "spire-system"
kubectl create namespace "spire-server"
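Review bot: no `set -euo pipefail` in this pre-install script, so a failed `kubectl create namespace "spire-system"` is masked whenever the second `create` succeeds, and CI only sees the exit status of the last command. Also, unlike `.github/tests/production-example/pre-install.sh` in this same commit, no `pod-security.kubernetes.io/enforce` labels are applied here, so the namespace-override test never exercises the restricted pod security profile on `spire-server`; if that is intended for this test too, add the two `kubectl label namespace ...` lines after the creates.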
26 changes: 26 additions & 0 deletions .github/tests/namespace-override/values.yaml
@@ -0,0 +1,26 @@
spiffe-oidc-discovery-provider:
enabled: true
namespaceOverride: spire-server
insecureScheme:
enabled: true

spire-server:
namespaceOverride: spire-server
nodeAttestor:
k8sPsat:
serviceAccountAllowList: ["spire-system:spire-agent"]
notifier:
k8sbundle:
namespace: spire-system

spiffe-csi-driver:
enabled: true
namespaceOverride: spire-system

spire-agent:
enabled: true
namespaceOverride: spire-system
serviceAccount:
name: spire-agent
server:
namespaceOverride: spire-server
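Review bot: `insecureScheme.enabled: true` under `spiffe-oidc-discovery-provider` serves the OIDC discovery document over plain HTTP; that is acceptable for a kind-based CI run but it is exactly the kind of setting that gets copied into a real values file, so a one-line comment marking it test-only would make the intent explicit. The cross-namespace wiring itself lines up: `serviceAccountAllowList: ["spire-system:spire-agent"]` matches `spire-agent.namespaceOverride: spire-system` plus `serviceAccount.name: spire-agent`, and `notifier.k8sbundle.namespace: spire-system` publishes the trust bundle into the namespace the agents run in.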
11 changes: 11 additions & 0 deletions .github/tests/production-example/install.sh
@@ -0,0 +1,11 @@
#!/usr/bin/env bash

set -x

SCRIPT=$(readlink -f "$0")
SCRIPTPATH=$(dirname "$SCRIPT")

helm install \
--namespace spire-server \
--values "${SCRIPTPATH}/../../../examples/production/values.yaml" \
spire charts/spire
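Review bot: `set -x` is enabled but not `set -e`, so only the exit status of the final `helm install` reaches CI; that is enough for this script, but `set -euo pipefail` would also surface a failing `readlink`/`dirname` instead of silently passing an empty `--values` path. `readlink -f` is a GNU coreutils option and is not present on stock macOS, so the script cannot be run locally there; `cd "$(dirname "$0")"` or `SCRIPTPATH=$(cd "$(dirname "$0")" && pwd)` is portable. `--namespace spire-server` without `--create-namespace` is correct here, since the namespaces and their pod-security labels must already exist from `pre-install.sh`.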
51 changes: 51 additions & 0 deletions .github/tests/production-example/post-install.sh
@@ -0,0 +1,51 @@
#!/usr/bin/env bash

set -x

SCRIPT=$(readlink -f "$0")
SCRIPTPATH=$(dirname "$SCRIPT")

k_wait=(kubectl wait --for condition=available --timeout 30s --namespace)
k_rollout_status=(kubectl rollout status --watch --timeout 30s --namespace)

function get_namespace_details {
cat <<EOF >>"$GITHUB_STEP_SUMMARY"
### Namespace $1
#### Events
\`\`\`shell
$(kubectl --request-timeout=30s get events --output wide --namespace "$1")
\`\`\`
#### Pods
\`\`\`shell
$(kubectl --request-timeout=30s describe pods --namespace "$1")
\`\`\`
#### Logs
\`\`\`shell
$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --all-containers=true --ignore-errors=true; done)
\`\`\`
EOF
}
cat <<EOF >>"$GITHUB_STEP_SUMMARY"
### spire
| workload | Status |
| ------------------------------------ | ------ |
| spire-server | "$("${k_rollout_status[@]}" spire-server statefulset spire-server)" |
| spire-controller-manager | "$("${k_rollout_status[@]}" spire-server statefulset spire-controller-manager)" |
| spire-spiffe-oidc-discovery-provider | "$("${k_wait[@]}" spire-server deployments.apps spire-spiffe-oidc-discovery-provider)" |
| spire-spiffe-csi-driver | "$("${k_rollout_status[@]}" spire-system daemonset spire-spiffe-csi-driver)" |
| spire-agent | "$("${k_rollout_status[@]}" spire-system daemonset spire-agent)" |
EOF
if [ $1 -ne 0 ]; then
get_namespace_details spire-server
get_namespace_details spire-systen
fi
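Review bot: `get_namespace_details spire-systen` is a typo for `spire-system`, so on a failed run the events, pod descriptions and logs for the agent and CSI driver namespace are never collected; the summary gets an empty section for a namespace that does not exist, which is precisely the namespace most likely to need debugging under the privileged profile. Two smaller points: `[ $1 -ne 0 ]` with `$1` unquoted and no default fails with `[: -ne: unary operator expected` when the script is called without an argument, so use `[ "${1:-0}" -ne 0 ]`; and the `"$(...)"` table cells carry literal quote characters and may contain multi-line output from `kubectl rollout status` / `kubectl wait`, which breaks the markdown table in the step summary, so drop the quotes and reduce each result to one line (for example `tail -n1`).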
6 changes: 6 additions & 0 deletions .github/tests/production-example/pre-install.sh
@@ -0,0 +1,6 @@
#!/usr/bin/env bash

kubectl create namespace spire-system
kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged
kubectl create namespace spire-server
kubectl label namespace spire-server pod-security.kubernetes.io/enforce=restricted
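Review bot: without `set -euo pipefail`, a failure of the `spire-system` label on line 2 is masked as long as the final `kubectl label` succeeds, and the test then runs against an unlabeled namespace. The `enforce=restricted` label on `spire-server` is what gives the production example its teeth, since a pod that violates the restricted profile is rejected at admission rather than merely warned about, so it is worth adding `pod-security.kubernetes.io/warn=restricted` on `spire-system` as well: the DaemonSets there still run under `privileged`, but the warnings in the step summary would document exactly which restricted controls the agent and CSI driver need to break.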
1 change: 1 addition & 0 deletions .github/workflows/helm-chart-ci.yaml
Expand Up @@ -10,6 +10,7 @@ on:
- '.github/kind/conf/kind-config.yaml'
- '.github/tests/**/*.yaml'
- '.github/tests/**/*.sh'
- 'examples/**/*.yaml'
- 'helm-docs.sh'

concurrency:
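Review bot: the path filter is consistent with the new tests: `.github/tests/production-example/install.sh` reads `examples/production/values.yaml`, so example edits must retrigger CI, and the `examples/**/*.yaml` glob already covers overlays such as the `values-export-ingress-nginx.yaml` mentioned in `examples/production/README.md`. `examples/production/README.md` itself still does not trigger a run, which is fine because nothing in the tests consumes it.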
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -2,7 +2,8 @@
# SPIFFE Helm Charts

[![Apache 2.0 License](https://img.shields.io/github/license/spiffe/helm-charts?style=for-the-badge)](https://opensource.org/licenses/Apache-2.0)
[![Apache 2.0 License](https://img.shields.io/github/license/spiffe/helm-charts)](https://opensource.org/licenses/Apache-2.0)
[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)

A suite of [Helm Charts](https://helm.sh/docs) for standardized installations of SPIRE components in Kubernetes environments.

7 changes: 6 additions & 1 deletion examples/production/README.md
@@ -1,5 +1,8 @@
Install with something similar to:
# Recommended production setup

Too install Spire with the least privileges possible we deploy spire accross 2 namespaces.

```shell
kubectl create namespace "spire-system"
kubectl label namespace "spire-system" pod-security.kubernetes.io/enforce=privileged
kubectl create namespace "spire-server"
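Review bot: typos in the new intro line: "Too install Spire with the least privileges possible we deploy spire accross 2 namespaces" should read "To install SPIRE with the least privileges possible we deploy SPIRE across 2 namespaces." The sentence also does not say why two namespaces give least privilege; since the snippet labels `spire-system` with `pod-security.kubernetes.io/enforce=privileged` and the matching test script in this commit labels `spire-server` with `enforce=restricted`, state that the DaemonSets (agent and CSI driver) live in `spire-system` under the privileged profile while the server-side components run in `spire-server` under the restricted profile, so only the components that need host-level access are exempted from it.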
Expand All @@ -14,3 +17,5 @@ following to the end of the helm upgrade example:
```
-f values-export-ingress-nginx.yaml
```
See [values.yaml](./values.yaml) for more details on the chart configurations to achieve this setup.
4 changes: 4 additions & 0 deletions examples/production/values.yaml
Expand Up @@ -10,6 +10,8 @@ spiffe-oidc-discovery-provider:
podSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
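Review bot: `fsGroup: 1000` with `fsGroupChangePolicy: OnRootMismatch` is the right pairing for a `runAsUser: 1000` / `runAsGroup: 1000` pod: it makes mounted volumes group-writable by the non-root process and skips the recursive ownership change when the volume root already has the expected owner and permissions. Two caveats worth a comment in the example: `fsGroupChangePolicy` only applies to volume types that support fsGroup-controlled ownership (it has no effect on `configMap`, `secret` or `emptyDir`), and `OnRootMismatch` inspects only the volume root, so a volume first populated under a different UID whose root happens to match keeps nested files unreadable by UID 1000.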
Expand All @@ -29,6 +31,8 @@ spire-server:
podSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
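Review bot: same `fsGroup` / `fsGroupChangePolicy: OnRootMismatch` addition as for the OIDC discovery provider above; for `spire-server` it matters more because it runs as a StatefulSet (see `post-install.sh`, which waits on `statefulset spire-server`), so any persistent data volume would otherwise be recursively chowned on every pod restart. Since `OnRootMismatch` only checks the volume root, confirm the server's data directory is created under UID/GID 1000 from the first start, otherwise a datastore written under another UID stays unreadable after this change.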
