Merge branch 'main' into production-ingress-nginx

charts/spire/README.md

@@ -111,6 +111,7 @@ Kubernetes: `>=1.21.0-0`
 | global.k8s.clusterDomain | string | `"cluster.local"` |  |
 | global.spire.bundleConfigMap | string | `""` | Override all instances of bundleConfigMap |
 | global.spire.clusterName | string | `"example-cluster"` | Set the name of the Kubernetes cluster |
+| global.spire.image.registry | string | `""` | Override all Spire image registries at once |
 | global.spire.trustDomain | string | `"example.org"` | Set the trust domain to use for the spiffe identifiers |
 | spiffe-csi-driver.enabled | bool | `true` |  |
 | spiffe-oidc-discovery-provider.enabled | bool | `false` |  |

charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml

@@ -31,7 +31,7 @@ spec:
       containers:
         # This is the container which runs the SPIFFE CSI driver.
         - name: {{ .Chart.Name }}
-          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image) }}
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args: [
             "-workload-api-socket-dir", "/spire-agent-socket",
@@ -71,7 +71,7 @@ spec:
         # of all the little details required to register a CSI driver with
         # the kubelet.
         - name: node-driver-registrar
-          image: {{ template "spire-lib.image" .Values.nodeDriverRegistrar }}
+          image: {{ template "spire-lib.image" (dict "image" .Values.nodeDriverRegistrar.image "global" .Values.global) }}
           imagePullPolicy: {{ .Values.nodeDriverRegistrar.image.pullPolicy }}
           args: [
             "-csi-address", "/spiffe-csi/csi.sock",

charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml

@@ -34,7 +34,7 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image) }}
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
             - -config
@@ -75,7 +75,7 @@ spec:
         - name: nginx
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: {{ template "spire-lib.image" .Values.insecureScheme.nginx }}
+          image: {{ template "spire-lib.image" (dict "image" .Values.insecureScheme.nginx.image "global" .Values.global) }}
           imagePullPolicy: {{ .Values.insecureScheme.nginx.image.pullPolicy }}
           ports:
             - containerPort: 8080
@@ -97,7 +97,7 @@ spec:
         - name: nginx-exporter
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: {{ template "spire-lib.image" .Values.telemetry.prometheus.nginxExporter }}
+          image: {{ template "spire-lib.image" (dict "image" .Values.telemetry.prometheus.nginxExporter.image "global" .Values.global) }}
           imagePullPolicy: {{ .Values.telemetry.prometheus.nginxExporter.image.pullPolicy }}
           args:
           - -nginx.scrape-uri=http://127.0.0.1:8080/stub_status

charts/spire/charts/spire-agent/templates/daemonset.yaml

@@ -38,7 +38,7 @@ spec:
           # This is a small image with wait-for-it, choose whatever image
           # you prefer that waits for a service to be up. This image is built
           # from https://github.com/vishnubob/wait-for-it
-          image: {{ template "spire-lib.image" .Values.waitForIt }}
+          image: {{ template "spire-lib.image" (dict "image" .Values.waitForIt.image "global" .Values.global) }}
           imagePullPolicy: {{ .Values.waitForIt.image.pullPolicy }}
           args: ["-t", "30", "-h", "{{ include "spire-agent.server-address" . | trim }}", "-p", {{ .Values.server.port | quote }}]
           resources:
@@ -48,7 +48,7 @@ spec:
         {{- end }}
       containers:
         - name: {{ .Chart.Name }}
-          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image) }}
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args: ["-config", "/run/spire/config/agent.conf"]
           ports:

charts/spire/charts/spire-server/templates/post-install-hook.yaml

@@ -63,7 +63,7 @@ spec:
       - name: post-install-job
         securityContext:
           {{- toYaml .Values.securityContext | nindent 10 }}
-        image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image) }}
+        image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global) }}
         command:
         - /bin/sh
         - -c

charts/spire/charts/spire-server/templates/post-upgrade-hook.yaml

@@ -63,7 +63,7 @@ spec:
       - name: post-upgrade-job
         securityContext:
           {{- toYaml .Values.securityContext | nindent 10 }}
-        image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image) }}
+        image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global) }}
         command:
         - /bin/sh
         - -c

charts/spire/charts/spire-server/templates/pre-upgrade-hook.yaml

@@ -63,7 +63,7 @@ spec:
       - name: post-install-job
         securityContext:
           {{- toYaml .Values.securityContext | nindent 10 }}
-        image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image) }}
+        image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global) }}
         command:
         - /bin/sh
         - -c

charts/spire/charts/spire-server/templates/statefulset.yaml

@@ -43,7 +43,7 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image) }}
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
             - -config
@@ -108,7 +108,7 @@ spec:
         - name: spire-controller-manager
           securityContext:
             {{- toYaml .Values.controllerManager.securityContext | nindent 12 }}
-          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.image) }}
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.image "global" .Values.global) }}
           imagePullPolicy: {{ .Values.controllerManager.image.pullPolicy }}
           args:
             - --config=controller-manager-config.yaml

charts/spire/templates/_spire-lib.tpl

@@ -30,14 +30,23 @@
 {{- end }}
 {{- end }}
 
+{{- define "spire-lib.registry" }}
+{{- if ne (len (dig "spire" "image" "registry" "" .global)) 0 }}
+{{- .global.spire.image.registry }}
+{{- else }}
+{{- .image.registry }}
+{{- end }}
+{{- end }}
+
 {{- define "spire-lib.image" -}}
+{{- $registry := include "spire-lib.registry" . }}
 {{- if eq (substr 0 7 .image.version) "sha256:" -}}
-{{- printf "%s/%s@%s" .image.registry .image.repository .image.version -}}
+{{- printf "%s/%s@%s" $registry .image.repository .image.version -}}
 {{- else if .appVersion -}}
-{{- printf "%s/%s:%s" .image.registry .image.repository (default .appVersion .image.version) -}}
+{{- printf "%s/%s:%s" $registry .image.repository (default .appVersion .image.version) -}}
 {{- else if .image.version -}}
-{{- printf "%s/%s:%s" .image.registry .image.repository .image.version -}}
+{{- printf "%s/%s:%s" $registry .image.repository .image.version -}}
 {{- else -}}
-{{- printf "%s/%s" .image.registry .image.repository -}}
+{{- printf "%s/%s" $registry .image.repository -}}
 {{- end -}}
 {{- end }}

charts/spire/values.yaml

@@ -11,6 +11,10 @@ global:
     # -- Override all instances of bundleConfigMap
     bundleConfigMap: ""
 
+    image:
+      # -- Override all Spire image registries at once
+      registry: ""
+
 #  telemetry:
 #    prometheus:
 #      enabled: true