Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Helm Changes and OpenShift Support #1047

Merged
merged 44 commits into from
Jul 8, 2024
Merged

Helm Changes and OpenShift Support #1047

merged 44 commits into from
Jul 8, 2024

Conversation

v0lkan
Copy link
Contributor

@v0lkan v0lkan commented Jul 8, 2024
edited
Loading

Title of the Pull Request

Helm Changes and OpenShift Support

This PR introduces necessary changes to align VSecM SPIRE charts with the official helm-charts-hardened SPIFFE charts; adds necessary changes to enable OpenShift support, and revamps current SPIRE helm charts.

I will annotate important changes as usual.

Changes

  • The Entire ./spire folder in the helm charts template has been rewritten.
  • Necessary code changes to make the new charts work.
  • CRD updates.
  • ClusterSPIFFEID changes. Most significantly, ClusterSPIFFEIDs now have a className field.
  • Removed bundle endpoint from the charts; we are not doing federation, so we don't immediately need it right now.

Test Policy Compliance

  • I have added or updated unit tests for my changes.
  • I have included integration tests where applicable.
  • All new and existing tests pass successfully.

Code Quality

  • I have followed the coding standards for this project.
  • I have performed a self-review of my code.
  • My code is well-commented, particularly in areas that may be difficult
    to understand.

Documentation

We may need to update documentation and add instructions for OpenShift. I’ll do that separately.

Checklist

Before you submit this PR, please make sure:

  • You have read the contributing guidelines and
    especially the test policy.
  • You have thoroughly tested your changes.
  • You have followed all the contributing guidelines for this project.
  • You understand and agree that your contributions will be publicly available
    under the project's license.

By submitting this pull request, you confirm that my contribution is made under
the terms of the project's license and that you have the authority to grant
these rights.

Thank you for your contribution to VMware Secrets Manager
🐢⚡️!

v0lkan added 30 commits July 6, 2024 07:55
@v0lkan
testing
6196330 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
added security context
93a783b 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
manifest changes
b0c3607 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
change root file system
f60fc80 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
move restricted to priveleged
a9e45f5 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
remove security context annotations
ab5f345 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
remove security context
a91b8f8 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
add one more context
749a14d 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
test
4e4549e 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
run as root
f07f48b 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
restricted
4ca1a90 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
policy test
0ba3867 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
add seccomp profile
9e04af2 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
scm
e1d52ce 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
disable readonly fs
3707aab 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
drop all
8681aa3 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
server drop all
1563f98 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
more security
0869c4a 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
lastworking
844ef87 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
lastworking
f93e023 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
yaml change
3d54952 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
add crds
0d3f44a 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
add class names to cluster spiffe ids
9361878 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
clusterspiffeid exceptions
b70fd5a 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
remove oidc
ba78f0c 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
new SPIRE helm charts (phase 1)
3cb6051 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
remove hooks
a2c1550 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
create namespaces first
7af03af 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
save config
dce7c4b 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
remove test connection pod
1685229 
Signed-off-by: Volkan Özçelik <[email protected]>
v0lkan added 12 commits July 6, 2024 23:25
@v0lkan
image pull secrets
1f5e148 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
changes
826e519 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
added custom className for spire controller manager
b5fa685 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
manifest update
ad4042d 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
manifest update
e807e47 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
enable openshift
dcebec6 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
add diagnostics
402c0be 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
ignore default namespace
5b2628a 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
add more debug
f144e10 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
remove debugs
6678c57 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
enable openshift support
363232e 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
Helm docs update
e09162a 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan v0lkan requested a review from BulldromeQ as a code owner July 8, 2024 06:25
v0lkan added 2 commits July 7, 2024 23:26
@v0lkan
delete spire backups
56fc076 
Signed-off-by: Volkan Özçelik <[email protected]>
@v0lkan
remove redundant code
6140065 
Signed-off-by: Volkan Özçelik <[email protected]>
v0lkan
v0lkan commented Jul 8, 2024
View reviewed changes
examples/multiple_secrets/k8s-eks/Identity.yaml
@@ -13,6 +13,7 @@ kind: ClusterSPIFFEID
metadata:
name: example
spec:
className: "vsecm"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This className is important because that’s how SPIRE manages its internal ClusterSPIFFEIDs too.

@v0lkan v0lkan self-assigned this Jul 8, 2024
@v0lkan v0lkan merged commit 9f68c36 into main Jul 8, 2024
@v0lkan v0lkan deleted the ovolkan/privileged-3 branch July 8, 2024 07:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@st96d045 st96d045 Awaiting requested review from st96d045

@abhishek44sharma abhishek44sharma Awaiting requested review from abhishek44sharma

@ats0stv ats0stv Awaiting requested review from ats0stv

@farhan-pasha farhan-pasha Awaiting requested review from farhan-pasha

@BulldromeQ BulldromeQ Awaiting requested review from BulldromeQ BulldromeQ is a code owner

Assignees

@v0lkan v0lkan

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@v0lkan