diff --git a/.github/scripts/update-tags.sh b/.github/scripts/update-tags.sh
index 7bba7d531..916222616 100755
--- a/.github/scripts/update-tags.sh
+++ b/.github/scripts/update-tags.sh
@@ -20,6 +20,11 @@ if ! command -v yq &> /dev/null; then
 exit 1
 fi
 
+if ! command -v npm &> /dev/null; then
+ echo Please install npm
+ exit 1
+fi
+
 if ! command -v python3 -c 'import ruamel.yaml' &> /dev/null; then
 echo Please install python3 with the ruamel.yaml module
 exit 1
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 11f1c1c95..005d03cf4 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -48,14 +48,14 @@ Another approach to testing the chart is by installing one of the examples in yo
 
 ## Generating documentation
 
-Any changes to Chart.yaml or values.yaml require an update of the README.md. This update can easily be generated using [helm-docs][].
+Any changes to Chart.yaml or values.yaml require an update of the README.md. This update can easily be generated using [readme-generator](https://github.com/bitnami-labs/readme-generator-for-helm).
 
 ```shell
-./helm-docs.sh charts/«chart-name»
+./helm-docs.sh
 ```
 
 ## Bumping Chart version
 
 In contrary to many other Helm repositories we do NOT require contributors to increate the Chart version. We have customized our release pipeline so we can bundle various PRs in a single release. Maintainers of the helm-charts in this repo will take care of the semantic versioning.
 
-[helm-docs]: https://github.com/norwoodj/helm-docs "Generate documentation for your Helm chart."
+[readme-generator]: https://github.com/bitnami-labs/readme-generator-for-helm "Auto generate READMEs for Helm Charts."
diff --git a/charts/spire/README.md b/charts/spire/README.md
index f7610473a..f3f996b1b 100644
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
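Review bot: The added guard only confirms that an `npm` executable is on PATH; if the later documentation step runs a specific npm package (the CONTRIBUTING hunk points at readme-generator, but that invocation is outside this hunk), a missing or outdated package will still only surface when that step fails, so consider probing for the package itself rather than only the package manager. As a point of style, `echo Please install npm` writes the diagnostic to stdout with an unquoted argument; `echo "Please install npm" >&2` is the usual form for error output, and since the neighbouring yq/python3 checks share the pattern, changing them together would keep the file consistent. Separately, the adjacent context line `if ! command -v python3 -c 'import ruamel.yaml' &> /dev/null; then` appears to verify only that `python3` resolves, because `command -v` looks names up rather than executing them, so the ruamel.yaml requirement is likely not actually checked; `if ! python3 -c 'import ruamel.yaml' &> /dev/null; then` would test the module, though that line predates this change.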
@@ -85,6 +85,81 @@ Now you can interact with the Spire agent socket from your own application. The | file://./charts/spire-server | spire-server | 0.1.0 | | file://./charts/tornjak-frontend | tornjak-frontend | 0.1.0 | +## Parameters + +### Global parameters + +| Name | Description | Value | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ---------------------------- | +| `global.k8s.clusterDomain` | Cluster domain name configured for Spire install | `cluster.local` | +| `global.spire.bundleConfigMap` | A configmap containing the Spire bundle | `""` | +| `global.spire.clusterName` | The name of the k8s cluster for Spire install | `example-cluster` | +| `global.spire.jwtIssuer` | The issuer for Spire JWT tokens | `oidc-discovery.example.org` | +| `global.spire.trustDomain` | The trust domain for Spire install | `example.org` | +| `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` | +| `global.spire.image.registry` | Override all Spire image registries at once | `""` | +| `global.installAndUpgradeHooks.enabled` | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | +| `global.deleteHooks.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` | + +### Spire server parameters + +| Name | Description | Value | +| ---------------------------------------- | --------------------------------------------- | -------- | +| `spire-server.enabled` | Flag to enable Spire server | `true` | +| `spire-server.nameOverride` | Overrides the name of Spire server pods | `server` | +| `spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true` | + +### Spire agent parameters + +| Name | Description | Value | +| -------------------------- | 
-------------------------------------- | ------- | +| `spire-agent.enabled` | Flag to enable Spire agent | `true` | +| `spire-agent.nameOverride` | Overrides the name of Spire agent pods | `agent` | + +### Upstream Spire agent and CSI driver configuration + +| Name | Description | Value | +| ------------------ | ---------------------------------------------------------- | ------- | +| `upstream.enabled` | Enable upstream agent and driver for use with nested spire | `false` | + +### Upstream Spire agent parameters + +| Name | Description | Value | +| ------------------------------------------------ | -------------------------------------------------- | ---------------------------------------------------- | +| `upstream-spire-agent.upstream` | Flag for enabling upstream Spire agent | `true` | +| `upstream-spire-agent.nameOverride` | Name override for upstream Spire agent | `agent-upstream` | +| `upstream-spire-agent.bundleConfigMap` | The configmap name for upstream Spire agent bundle | `spire-bundle-upstream` | +| `upstream-spire-agent.socketPath` | Socket path where Spire agent socket is mounted | `/run/spire/agent-sockets-upstream/spire-agent.sock` | +| `upstream-spire-agent.serviceAccount.name` | Service account name for upstream Spire agent | `spire-agent-upstream` | +| `upstream-spire-agent.healthChecks.port` | Health check port number for upstream Spire agent | `9981` | +| `upstream-spire-agent.telemetry.prometheus.port` | The port where prometheus metrics are available | `9989` | + +### SPIFFE CSI Driver parameters + +| Name | Description | Value | +| --------------------------- | ------------------------------------------------ | ------ | +| `spiffe-csi-driver.enabled` | Flag to enable spiffe-csi-driver for the cluster | `true` | + +### Upstream SPIFFE CSI Driver parameters + +| Name | Description | Value | +| ---------------------------------------------- | ----------------------------------------------------------- | 
---------------------------------------------------- | +| `upstream-spiffe-csi-driver.pluginName` | The plugin name for configuring upstream Spiffe CSI driver | `upstream.csi.spiffe.io` | +| `upstream-spiffe-csi-driver.agentSocketPath` | The socket path where Spiffe CSI driver mounts agent socket | `/run/spire/agent-sockets-upstream/spire-agent.sock` | +| `upstream-spiffe-csi-driver.healthChecks.port` | The port where Spiffe CSI driver health checks are exposed | `9810` | + +### SPIFFE oidc discovery provider parameters + +| Name | Description | Value | +| ---------------------------------------- | ------------------------------------------------------------- | ------- | +| `spiffe-oidc-discovery-provider.enabled` | Flag to enable spiffe-oidc-discovery-provider for the cluster | `false` | + +### Tornjak frontend parameters + +| Name | Description | Value | +| -------------------------- | -------------------------------------------------------------- | ------- | +| `tornjak-frontend.enabled` | Enables deployment of Tornjak frontend/UI (Not for production) | `false` | + ## Values | Key | Type | Default | Description | @@ -587,5 +662,3 @@ Now you can interact with the Spire agent socket from your own application. The | upstream-spire-agent.workloadAttestors.k8s.disableContainerSelectors | bool | `false` | Set to true if using holdApplicationUntilProxyStarts in Istio | | upstream-spire-agent.workloadAttestors.k8s.skipKubeletVerification | bool | `true` | If true, kubelet certificate verification is skipped | | upstream-spire-agent.workloadAttestors.unix.enabled | bool | `false` | enables the Unix workload attestor | - ----------------------------------------------- diff --git a/charts/spire/charts/spiffe-csi-driver/README.md b/charts/spire/charts/spiffe-csi-driver/README.md index 2cf643db3..64774b2ba 100644 --- a/charts/spire/charts/spiffe-csi-driver/README.md +++ b/charts/spire/charts/spiffe-csi-driver/README.md 
@@ -24,41 +24,41 @@ A Helm chart to install the SPIFFE CSI driver. * -## Values +## Parameters -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| agentSocketPath | string | `"/run/spire/agent-sockets/spire-agent.sock"` | The unix socket path to the spire-agent | -| fullnameOverride | string | `""` | | -| healthChecks.port | int | `9809` | | -| image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | -| image.repository | string | `"spiffe/spiffe-csi-driver"` | The repository within the registry | -| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | -| image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | -| imagePullSecrets | list | `[]` | | -| kubeletPath | string | `"/var/lib/kubelet"` | | -| livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe | -| livenessProbe.timeoutSeconds | int | `5` | Timeout value in seconds for livenessProbe | -| nameOverride | string | `""` | | -| namespaceOverride | string | `""` | | -| nodeDriverRegistrar.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| nodeDriverRegistrar.image.registry | string | `"registry.k8s.io"` | The OCI registry to pull the image from | -| nodeDriverRegistrar.image.repository | string | `"sig-storage/csi-node-driver-registrar"` | The repository within the registry | -| nodeDriverRegistrar.image.tag | string | `"v2.8.0"` | Overrides the image tag | -| nodeDriverRegistrar.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | -| nodeDriverRegistrar.resources | object | `{}` | | -| nodeSelector | object | `{}` | | -| pluginName | string | `"csi.spiffe.io"` | Set the csi driver name deployed to Kubernetes. 
| -| podAnnotations | object | `{}` | | -| podSecurityContext | object | `{}` | | -| priorityClassName | string | `""` | Priority class assigned to daemonset pods | -| resources | object | `{}` | | -| securityContext.privileged | bool | `true` | | -| securityContext.readOnlyRootFilesystem | bool | `true` | | -| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | -| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | -| tolerations | list | `[]` | | +### SPIFFE CSI Driver Chart parameters ----------------------------------------------- +| Name | Description | Value | +| ---------------------------------------- | ------------------------------------------------------------------------------------------- | ------------------------------------------- | +| `pluginName` | Set the csi driver name deployed to Kubernetes. | `csi.spiffe.io` | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/spiffe-csi-driver` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `resources` | Resource requests and limits for spiffe-csi-driver | `{}` | +| `healthChecks.port` | The healthcheck port for spiffe-csi-driver | `9809` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | +| `livenessProbe.timeoutSeconds` | Timeout value in seconds for livenessProbe | `5` | +| `imagePullSecrets` | Image pull secret details for spiffe-csi-driver | `[]` | +| `nameOverride` | Name override for spiffe-csi-driver | `""` | +| `namespaceOverride` | Namespace to install spiffe-csi-driver | `""` | +| `fullnameOverride` | Full name override for spiffe-csi-driver | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` | +| `podAnnotations` | Pod annotations for spiffe-csi-driver | `{}` | +| `podSecurityContext` | Security context for CSI driver pods | `{}` | +| `securityContext.readOnlyRootFilesystem` | Flag for read only root filesystem | `true` | +| `securityContext.privileged` | Flag for specifying privileged mode | `true` | +| `nodeSelector` | Node selector for CSI driver pods | `{}` | +| `tolerations` | Tolerations for CSI driver pods | `[]` | +| `nodeDriverRegistrar.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` | +| `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` | +| `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `nodeDriverRegistrar.image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | +| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.8.0` | +| `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` | +| `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | +| `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` | +| `priorityClassName` | Priority class assigned to daemonset pods | `""` | diff --git a/charts/spire/charts/spiffe-csi-driver/values.yaml b/charts/spire/charts/spiffe-csi-driver/values.yaml index b200827a9..a6dc54ce2 100644 --- a/charts/spire/charts/spiffe-csi-driver/values.yaml +++ b/charts/spire/charts/spiffe-csi-driver/values.yaml 
@@ -1,20 +1,28 @@ -# @ignored +# Default configuration for SPIFFE CSI Driver chart +# SPDX-License-Identifier: APACHE-2.0 + +## @skip global global: {} -# -- Set the csi driver name deployed to Kubernetes. +## @section SPIFFE CSI Driver Chart parameters +## +## @param pluginName Set the csi driver name deployed to Kubernetes. pluginName: csi.spiffe.io +## @param image.registry The OCI registry to pull the image from +## @param image.repository The repository within the registry +## @param image.pullPolicy The image pull policy +## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release) +## @param image.tag Overrides the image tag whose default is the chart appVersion +## image: - # -- The OCI registry to pull the image from registry: ghcr.io - # -- The repository within the registry repository: spiffe/spiffe-csi-driver - # -- The image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" - # -- Overrides the image tag whose default is the chart appVersion tag: "" + +## @param resources [object] Resource requests and limits for spiffe-csi-driver resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little 
@@ -28,33 +36,47 @@ resources: {} # memory: 64Mi healthChecks: + ## @param healthChecks.port The healthcheck port for spiffe-csi-driver port: 9809 +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout value in seconds for livenessProbe +## livenessProbe: - # -- Initial delay seconds for livenessProbe initialDelaySeconds: 5 - # -- Timeout value in seconds for livenessProbe timeoutSeconds: 5 +## @param imagePullSecrets Image pull secret details for spiffe-csi-driver imagePullSecrets: [] + +## @param nameOverride Name override for spiffe-csi-driver nameOverride: "" + +## @param namespaceOverride Namespace to install spiffe-csi-driver namespaceOverride: "" + +## @param fullnameOverride Full name override for spiffe-csi-driver fullnameOverride: "" +## @param serviceAccount.create Specifies whether a service account should be created +## @param serviceAccount.annotations Annotations to add to the service account +## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated. +## serviceAccount: - # -- Specifies whether a service account should be created create: true - # -- Annotations to add to the service account annotations: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template name: "" +## @param podAnnotations [object] Pod annotations for spiffe-csi-driver podAnnotations: {} +## @param podSecurityContext [object] Security context for CSI driver pods podSecurityContext: {} # fsGroup: 2000 +## @param securityContext.readOnlyRootFilesystem Flag for read only root filesystem +## @param securityContext.privileged Flag for specifying privileged mode +## securityContext: readOnlyRootFilesystem: true privileged: true 
@@ -64,22 +86,26 @@ securityContext: # drop: # - ALL +## @param nodeSelector [object] Node selector for CSI driver pods nodeSelector: {} +## @param tolerations [array] Tolerations for CSI driver pods tolerations: [] nodeDriverRegistrar: + ## @param nodeDriverRegistrar.image.registry The OCI registry to pull the image from + ## @param nodeDriverRegistrar.image.repository The repository within the registry + ## @param nodeDriverRegistrar.image.pullPolicy The image pull policy + ## @param nodeDriverRegistrar.image.version This value is deprecated in favor of tag. (Will be removed in a future release) + ## @param nodeDriverRegistrar.image.tag Overrides the image tag + ## image: - # -- The OCI registry to pull the image from registry: registry.k8s.io - # -- The repository within the registry repository: sig-storage/csi-node-driver-registrar - # -- The image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" - # -- Overrides the image tag tag: v2.8.0 + ## @param nodeDriverRegistrar.resources Resource requests and limits for CSI driver pods resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -92,10 +118,11 @@ nodeDriverRegistrar: # cpu: 100m # memory: 64Mi -# -- The unix socket path to the spire-agent +## @param agentSocketPath The unix socket path to the spire-agent agentSocketPath: /run/spire/agent-sockets/spire-agent.sock +## @param kubeletPath Path to kubelet file kubeletPath: /var/lib/kubelet -# -- Priority class assigned to daemonset pods +## @param priorityClassName Priority class assigned to daemonset pods priorityClassName: "" diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md index 74ef3aa52..3c2991e0b 100644 
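Review bot: The new `## @param kubeletPath Path to kubelet file` annotation in the `@@ -92,10 +118,11 @@` hunk describes `/var/lib/kubelet` as a file, whereas the default is by all appearances a directory; `## @param kubeletPath Path to the kubelet root directory on the node` would read more accurately, or reuse the wording from the CSI driver's own documentation if it differs. In the `@@ -64,22 +86,26 @@` hunk the new `## @param nodeDriverRegistrar.resources …` line omits the `[object]` modifier that the sibling `resources`, `podAnnotations`, `podSecurityContext` and `nodeSelector` annotations carry, and `## @param imagePullSecrets …` omits `[array]` where `tolerations` has it. The regenerated README in this commit still renders `{}` and `[]` for those keys, so this looks cosmetic, but aligning the modifiers keeps the generator input consistent across the file.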
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md +++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md 
@@ -25,84 +25,105 @@ A Helm chart to install the SPIFFE OIDC discovery provider. * -## Values +## Parameters -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | | -| agentSocketName | string | `"spire-agent.sock"` | The name of the spire-agent unix socket | -| annotations | object | `{}` | Annotations for the deployment | -| autoscaling.enabled | bool | `false` | | -| autoscaling.maxReplicas | int | `5` | | -| autoscaling.minReplicas | int | `1` | | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | | -| autoscaling.targetMemoryUtilizationPercentage | int | `80` | | -| clusterDomain | string | `"cluster.local"` | | -| config.acme.cacheDir | string | `"/run/spire"` | | -| config.acme.directoryUrl | string | `"https://acme-v02.api.letsencrypt.org/directory"` | | -| config.acme.emailAddress | string | `"letsencrypt@example.org"` | | -| config.acme.tosAccepted | bool | `false` | | -| config.additionalDomains | list | `["localhost"]` | Add additional domains that can be used for oidc discovery | -| config.logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" | -| configMap.annotations | object | `{}` | Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap | -| deleteHook.enabled | bool | `true` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | -| fullnameOverride | string | `""` | | -| image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | -| image.repository | string | `"spiffe/oidc-discovery-provider"` | The repository within the registry | -| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | -| image.version | string | `""` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | -| imagePullSecrets | list | `[]` | | -| ingress.annotations | object | `{}` | | -| ingress.className | string | `""` | | -| ingress.enabled | bool | `false` | | -| ingress.hosts[0].host | string | `"oidc-discovery.example.org"` | | -| ingress.hosts[0].paths[0].path | string | `"/"` | | -| ingress.hosts[0].paths[0].pathType | string | `"Prefix"` | | -| ingress.tls | list | `[]` | | -| insecureScheme.enabled | bool | `false` | | -| insecureScheme.nginx.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| insecureScheme.nginx.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | -| insecureScheme.nginx.image.repository | string | `"nginxinc/nginx-unprivileged"` | The repository within the registry | -| insecureScheme.nginx.image.tag | string | `"1.24.0-alpine"` | Overrides the image tag | -| insecureScheme.nginx.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | -| insecureScheme.nginx.resources | object | `{}` | | -| jwtIssuer | string | `"https://oidc-discovery.example.org"` | | -| livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe | -| livenessProbe.periodSeconds | int | `5` | Period seconds for livenessProbe | -| nameOverride | string | `""` | | -| namespaceOverride | string | `""` | | -| nodeSelector | object | `{}` | | -| podAnnotations | object | `{}` | | -| podSecurityContext | object | `{}` | | -| readinessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for readinessProbe | -| readinessProbe.periodSeconds | int | `5` | Period seconds for readinessProbe | -| replicaCount | int | `1` | | -| resources | object | `{}` | | -| securityContext | object | `{}` | | -| service.annotations | object | `{}` | | -| service.port | int | `80` | | -| service.type | string | `"ClusterIP"` | | -| serviceAccount.annotations | object | `{}` | Annotations to add to the service 
account | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | -| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | -| telemetry.prometheus.enabled | bool | `false` | | -| telemetry.prometheus.nginxExporter.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| telemetry.prometheus.nginxExporter.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | -| telemetry.prometheus.nginxExporter.image.repository | string | `"nginx/nginx-prometheus-exporter"` | The repository within the registry | -| telemetry.prometheus.nginxExporter.image.tag | string | `"0.11.0"` | Overrides the image tag | -| telemetry.prometheus.nginxExporter.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | -| telemetry.prometheus.nginxExporter.resources | object | `{}` | | -| telemetry.prometheus.podMonitor.enabled | bool | `false` | | -| telemetry.prometheus.podMonitor.labels | object | `{}` | | -| telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spiffe-oidc-discovery-provider | -| telemetry.prometheus.port | int | `9988` | | -| tolerations | list | `[]` | | -| tools.kubectl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| tools.kubectl.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | -| tools.kubectl.image.repository | string | `"rancher/kubectl"` | The repository within the registry | -| tools.kubectl.image.tag | string | `""` | Overrides the image tag | -| tools.kubectl.image.version | string | `""` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | -| trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers | +### Chart parameters ----------------------------------------------- +| Name | Description | Value | +| ----------------------------------------------------- | ---------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | +| `agentSocketName` | The name of the spire-agent unix socket | `spire-agent.sock` | +| `replicaCount` | Replica count | `1` | +| `namespaceOverride` | Namespace override | `""` | +| `annotations` | Annotations for the deployment | `{}` | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/oidc-discovery-provider` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `resources` | Resource requests and limits | `{}` | +| `service.type` | Service type | `ClusterIP` | +| `service.port` | Service port | `80` | +| `service.annotations` | Annotations for service resource | `{}` | +| `configMap.annotations` | Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap | `{}` | +| `podSecurityContext` | Pod security context for OIDC discovery provider pods | `{}` | +| `securityContext` | Security context for OIDC discovery provider deployment | `{}` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `podAnnotations` | Pod annotations for Spire OIDC discovery provider | `{}` | +| `insecureScheme.enabled` | Flag to enable insecure schema | `false` | +| `insecureScheme.nginx.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `insecureScheme.nginx.image.repository` | The repository within the registry | `nginxinc/nginx-unprivileged` | +| `insecureScheme.nginx.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `insecureScheme.nginx.image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | +| `insecureScheme.nginx.image.tag` | Overrides the image tag whose default is the chart appVersion | `1.24.0-alpine` | +| `insecureScheme.nginx.resources` | Resource requests and limits | `{}` | +| `jwtIssuer` | Path to JWT issuer | `https://oidc-discovery.example.org` | +| `config.logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | +| `config.additionalDomains` | Add additional domains that can be used for oidc discovery | `[]` | +| `config.acme.tosAccepted` | Flag for Terms of Service acceptance | `false` | +| `config.acme.cacheDir` | Path for cache directory | `/run/spire` | +| `config.acme.directoryUrl` | URL for acme directory | `https://acme-v02.api.letsencrypt.org/directory` | +| `config.acme.emailAddress` | Email address for registration | `letsencrypt@example.org` | +| `imagePullSecrets` | Image pull secret names | `[]` | +| `nameOverride` | Name override | `""` | +| `fullnameOverride` | Full name override | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. 
| `""` | +| `deleteHook.enabled` | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) | `true` | +| `autoscaling.enabled` | Flag to enable autoscaling | `false` | +| `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | +| `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `5` | +| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` | +| `autoscaling.targetMemoryUtilizationPercentage` | Target Memory utlization that triggers autoscaling | `80` | +| `nodeSelector` | Node selector | `{}` | +| `tolerations` | iist of tolerations | `[]` | +| `affinity` | Node affinity | `{}` | +| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` | +| `clusterDomain` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `cluster.local` | +| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | +| `telemetry.prometheus.port` | Port for prometheus metrics | `9988` | +| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | +| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the helm release | `""` | +| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | +| `telemetry.prometheus.nginxExporter.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry | `nginx/nginx-prometheus-exporter` | +| `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `telemetry.prometheus.nginxExporter.image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | +| `telemetry.prometheus.nginxExporter.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.11.0` | +| `telemetry.prometheus.nginxExporter.resources` | Resource requests and limits | `{}` | +| `ingress.enabled` | Flag to enable ingress | `false` | +| `ingress.className` | Ingress class name | `""` | +| `ingress.annotations` | Annotations for ingress object | `{}` | +| `ingress.hosts` | Host paths for ingress object | `[]` | +| `ingress.tls` | Secrets containining TLS certs to enable https on ingress | `[]` | +| `tests.hostAliases` | List of host aliases for testing | `[]` | +| `tests.tls.enabled` | Flag for enabling tls for tests | `false` | +| `tests.tls.customCA` | Custom CA value for tests | `""` | +| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | +| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4` | +| `tests.toolkit.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `tests.toolkit.image.repository` | The repository within the registry | `chainguard/slim-toolkit-debug` | +| `tests.toolkit.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.toolkit.image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | +| `tests.toolkit.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:d717d0a2c88518f8e36d9cfe1571639a40617e8c4291e34876d46bdeefb1ab5a` | +| `tests.busybox.image.registry` | The OCI registry to pull the image from | `""` | +| `tests.busybox.image.repository` | The repository within the registry | `busybox` | +| `tests.busybox.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.busybox.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `tests.busybox.image.tag` | Overrides the image tag whose default is the chart appVersion | `uclibc@sha256:3e516f71d8801b0ce6c3f8f8e4f11093ec04e168177a90f1da4498014ee06b6b` | +| `tests.agent.image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `tests.agent.image.repository` | The repository within the registry | `spiffe/spire-agent` | +| `tests.agent.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.agent.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `tests.agent.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | +| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tools.kubectl.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml index c3eb2462c..1d3be3a49 100644 --- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml 
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml @@ -1,32 +1,37 @@ -# Default values for spiffe-oidc-discovery-provider. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. +# Default configuration for Spire OIDC Provider chart +# SPDX-License-Identifier: APACHE-2.0 -# @ignored +## @skip global global: {} -# -- The name of the spire-agent unix socket +## @section Chart parameters +## +## @param agentSocketName The name of the spire-agent unix socket agentSocketName: spire-agent.sock +## @param replicaCount Replica count replicaCount: 1 +## @param namespaceOverride Namespace override namespaceOverride: "" -# -- Annotations for the deployment +## @param annotations [object] Annotations for the deployment annotations: {} image: - # -- The OCI registry to pull the image from + ## @param image.registry The OCI registry to pull the image from + ## @param image.repository The repository within the registry + ## @param image.pullPolicy The image pull policy + ## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release) + ## @param image.tag Overrides the image tag whose default is the chart appVersion + ## registry: ghcr.io - # -- The repository within the registry repository: spiffe/oidc-discovery-provider - # -- The image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" - # -- Overrides the image tag whose default is the chart appVersion tag: "" +## @param resources [object] Resource requests and limits resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little 
@@ -39,19 +44,25 @@ resources: {} # cpu: 100m # memory: 64Mi +## @param service.type Service type +## @param service.port Service port +## @param service.annotations Annotations for service resource +## service: type: ClusterIP port: 80 annotations: {} - # external-dns.alpha.kubernetes.io/hostname: oidc-discovery.example.org + # external-dns.alpha.kubernetes.io/hostname: oidc-discovery.example.org configMap: - # -- Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap + ## @param configMap.annotations [object] Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap annotations: {} +## @param podSecurityContext [object] Pod security context for OIDC discovery provider pods podSecurityContext: {} # fsGroup: 2000 +## @param securityContext [object] Security context for OIDC discovery provider deployment securityContext: {} # capabilities: # drop: 
@@ -60,41 +71,48 @@ securityContext: {} # runAsNonRoot: true # runAsUser: 1000 +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## readinessProbe: - # -- Initial delay seconds for readinessProbe initialDelaySeconds: 5 - # -- Period seconds for readinessProbe periodSeconds: 5 +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## livenessProbe: - # -- Initial delay seconds for livenessProbe initialDelaySeconds: 5 - # -- Period seconds for livenessProbe periodSeconds: 5 +## @param podAnnotations [object] Pod annotations for Spire OIDC discovery provider podAnnotations: {} insecureScheme: + ## @param insecureScheme.enabled Flag to enable insecure schema enabled: false nginx: + ## @param insecureScheme.nginx.image.registry The OCI registry to pull the image from + ## @param insecureScheme.nginx.image.repository The repository within the registry + ## @param insecureScheme.nginx.image.pullPolicy The image pull policy + ## @param insecureScheme.nginx.image.version This value is deprecated in favor of tag. (Will be removed in a future release) + ## @param insecureScheme.nginx.image.tag Overrides the image tag whose default is the chart appVersion + ## Example: + ## chainguard image does not support the templates feature + ## https://github.com/chainguard-images/nginx/issues/43 + ## registry: cgr.dev + ## repository: chainguard/nginx + ## pullPolicy: IfNotPresent + ## tag: "1.23.2" + ## image: - # -- The OCI registry to pull the image from registry: docker.io - # -- The repository within the registry repository: nginxinc/nginx-unprivileged - # -- The image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. 
(Will be removed in a future release) version: "" - # -- Overrides the image tag tag: 1.24.0-alpine - # chainguard image does not support the templates feature - # https://github.com/chainguard-images/nginx/issues/43 - # registry: cgr.dev - # repository: chainguard/nginx - # pullPolicy: IfNotPresent - # tag: "1.23.2" + ## @param insecureScheme.nginx.resources Resource requests and limits resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little 
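Review bot: The new annotation `## @param insecureScheme.enabled Flag to enable insecure schema` misspells the key it documents ("schema" vs `insecureScheme`) and does not tell the reader what is insecure about it, which matters for a value that controls how the OIDC discovery endpoint is exposed. Judging from the nginx image configured directly below and the plain `service.port: 80`, this appears to switch the endpoint to unencrypted HTTP in front of the provider; I would write `## @param insecureScheme.enabled Serve the discovery endpoint over plain HTTP (insecure scheme) via the nginx image below instead of TLS; intended for local testing only` and confirm the wording against the templates. A related point for a follow-up rather than this commit: `tag: 1.24.0-alpine` is a mutable tag while the other images in this file are pinned by digest, so the nginx image is the one component here whose contents can change without a chart change.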
@@ -107,38 +125,54 @@ insecureScheme: # cpu: 100m # memory: 64Mi +## @param jwtIssuer Path to JWT issuer jwtIssuer: https://oidc-discovery.example.org config: - # -- The log level, valid values are "debug", "info", "warn", and "error" + ## @param config.logLevel The log level, valid values are "debug", "info", "warn", and "error" logLevel: info - # -- Add additional domains that can be used for oidc discovery + ## @param config.additionalDomains [array] Add additional domains that can be used for oidc discovery additionalDomains: - localhost acme: + ## @param config.acme.tosAccepted Flag for Terms of Service acceptance tosAccepted: false + ## @param config.acme.cacheDir Path for cache directory cacheDir: /run/spire + ## @param config.acme.directoryUrl URL for acme directory directoryUrl: https://acme-v02.api.letsencrypt.org/directory + ## @param config.acme.emailAddress Email address for registration emailAddress: letsencrypt@example.org +## @param imagePullSecrets [array] Image pull secret names imagePullSecrets: [] + +## @param nameOverride Name override nameOverride: "" + +## @param fullnameOverride Full name override fullnameOverride: "" +## @param serviceAccount.create Specifies whether a service account should be created +## @param serviceAccount.annotations Annotations to add to the service account +## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated. +## serviceAccount: - # -- Specifies whether a service account should be created create: true - # -- Annotations to add to the service account annotations: {} - # -- The name of the service account to use. 
- # If not set and create is true, a name is generated using the fullname template name: "" deleteHook: - # -- Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) + ## @param deleteHook.enabled Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) enabled: true +## @param autoscaling.enabled Flag to enable autoscaling +## @param autoscaling.minReplicas Minimum replicas for autoscaling +## @param autoscaling.maxReplicas Maximum replicas for autoscaling +## @param autoscaling.targetCPUUtilizationPercentage Target CPU utlization that triggers autoscaling +## @param autoscaling.targetMemoryUtilizationPercentage Target Memory utlization that triggers autoscaling +## autoscaling: enabled: false minReplicas: 1 
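Review bot: The new `## @param jwtIssuer Path to JWT issuer` line describes a URL (`https://oidc-discovery.example.org`) as a "path", which will mislead anyone setting it; `## @param jwtIssuer URL of the JWT issuer` is accurate to the default shown. The two autoscaling annotations at the end of the hunk both misspell "utilization" (`Target CPU utlization`, `Target Memory utlization`), and since these comments are the source for the generated README the typos will be published verbatim. The autoscaling block itself continues past the end of the hunk.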
@@ -146,40 +180,50 @@ autoscaling: targetCPUUtilizationPercentage: 80 targetMemoryUtilizationPercentage: 80 +## @param nodeSelector [object] Node selector nodeSelector: {} +## @param tolerations [array] iist of tolerations tolerations: [] +## @param affinity [object] Node affinity affinity: {} -# -- Set the trust domain to be used for the SPIFFE identifiers +## @param trustDomain Set the trust domain to be used for the SPIFFE identifiers trustDomain: example.org -# -- The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) + +## @param clusterDomain The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) clusterDomain: cluster.local telemetry: prometheus: + ## @param telemetry.prometheus.enabled Flag to enable prometheus monitoring enabled: false + ## @param telemetry.prometheus.port Port for prometheus metrics port: 9988 podMonitor: + ## @param telemetry.prometheus.podMonitor.enabled Enable podMonitor for prometheus enabled: false - # -- Override where to install the podMonitor, if not set will use the same namespace as the spiffe-oidc-discovery-provider + ## @param telemetry.prometheus.podMonitor.namespace Override where to install the podMonitor, if not set will use the same namespace as the helm release namespace: "" + ## @param telemetry.prometheus.podMonitor.labels [object] Pod labels to filter for prometheus monitoring labels: {} nginxExporter: + ## @param telemetry.prometheus.nginxExporter.image.registry The OCI registry to pull the image from + ## @param telemetry.prometheus.nginxExporter.image.repository The repository within the registry + ## @param telemetry.prometheus.nginxExporter.image.pullPolicy The image pull policy + ## @param telemetry.prometheus.nginxExporter.image.version This value is deprecated in favor of tag. 
(Will be removed in a future release) + ## @param telemetry.prometheus.nginxExporter.image.tag Overrides the image tag whose default is the chart appVersion + ## image: - # -- The OCI registry to pull the image from registry: docker.io - # -- The repository within the registry repository: nginx/nginx-prometheus-exporter - # -- The image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" - # -- Overrides the image tag tag: "0.11.0" + ## @param telemetry.prometheus.nginxExporter.resources [object] Resource requests and limits resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little 
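Review bot: The rewritten description of `telemetry.prometheus.podMonitor.namespace` changes its meaning from "same namespace as the spiffe-oidc-discovery-provider" to "same namespace as the helm release", but this chart also exposes `namespaceOverride`, so the two are not the same namespace whenever an override is set; the spire-agent counterpart later in this diff keeps the old wording ("same namespace as the spire-agent"), so one of the two is wrong. Please check the podMonitor template and keep the description that matches it, e.g. `## @param telemetry.prometheus.podMonitor.namespace Override where to install the podMonitor; if not set, the spiffe-oidc-discovery-provider namespace is used`. Separately, `## @param tolerations [array] iist of tolerations` has a typo for "List".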
@@ -193,90 +237,104 @@ telemetry: # memory: 64Mi ingress: + ## @param ingress.enabled Flag to enable ingress enabled: false + ## @param ingress.className Ingress class name className: "" + ## @param ingress.annotations [object] Annotations for ingress object annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" # nginx.ingress.kubernetes.io/ssl-redirect: "true" # nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + + ## @param ingress.hosts [array] Host paths for ingress object hosts: - host: oidc-discovery.example.org paths: - path: / pathType: Prefix + ## @param ingress.tls [array] Secrets containining TLS certs to enable https on ingress tls: [] # - secretName: chart-example-tls # hosts: # - oidc-discovery.example.org -# @ignored tests: + ## @param tests.hostAliases [array] List of host aliases for testing hostAliases: [] tls: + ## @param tests.tls.enabled Flag for enabling tls for tests enabled: false + ## @param tests.tls.customCA Custom CA value for tests customCA: "" bash: + ## @param tests.bash.image.registry The OCI registry to pull the image from + ## @param tests.bash.image.repository The repository within the registry + ## @param tests.bash.image.pullPolicy The image pull policy + ## @param tests.bash.image.version This value is deprecated in favor of tag. (Will be removed in a future release) + ## @param tests.bash.image.tag Overrides the image tag whose default is the chart appVersion + ## image: - # -- The OCI registry to pull the tests image from registry: cgr.dev - # -- The repository within the registry repository: chainguard/bash - # -- The tests image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. 
(Will be removed in a future release) version: "" - # -- Overrides the image tag tag: latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4 toolkit: + ## @param tests.toolkit.image.registry The OCI registry to pull the image from + ## @param tests.toolkit.image.repository The repository within the registry + ## @param tests.toolkit.image.pullPolicy The image pull policy + ## @param tests.toolkit.image.version This value is deprecated in favor of tag. (Will be removed in a future release) + ## @param tests.toolkit.image.tag Overrides the image tag whose default is the chart appVersion + ## image: - # -- The OCI registry to pull the tests image from registry: cgr.dev - # -- The repository within the registry repository: chainguard/slim-toolkit-debug - # -- The tests image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" - # -- Overrides the image tag tag: latest@sha256:d717d0a2c88518f8e36d9cfe1571639a40617e8c4291e34876d46bdeefb1ab5a busybox: + ## @param tests.busybox.image.registry The OCI registry to pull the image from + ## @param tests.busybox.image.repository The repository within the registry + ## @param tests.busybox.image.pullPolicy The image pull policy + ## @param tests.busybox.image.version This value is deprecated in favor of tag. (Will be removed in a future release) + ## @param tests.busybox.image.tag Overrides the image tag whose default is the chart appVersion + ## image: - # -- The OCI registry to pull the image from registry: "" - # -- The repository within the registry repository: busybox - # -- The image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. 
(Will be removed in a future release) version: "" - # -- Overrides the image tag tag: uclibc@sha256:3e516f71d8801b0ce6c3f8f8e4f11093ec04e168177a90f1da4498014ee06b6b + agent: + ## @param tests.agent.image.registry The OCI registry to pull the image from + ## @param tests.agent.image.repository The repository within the registry + ## @param tests.agent.image.pullPolicy The image pull policy + ## @param tests.agent.image.version This value is deprecated in favor of tag. (Will be removed in a future release) + ## @param tests.agent.image.tag Overrides the image tag whose default is the chart appVersion + ## image: - # -- The OCI registry to pull the image from registry: ghcr.io - # -- The repository within the registry repository: spiffe/spire-agent - # -- The image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" - # -- Overrides the image tag tag: "" tools: kubectl: + ## @param tools.kubectl.image.registry The OCI registry to pull the image from + ## @param tools.kubectl.image.repository The repository within the registry + ## @param tools.kubectl.image.pullPolicy The image pull policy + ## @param tools.kubectl.image.version This value is deprecated in favor of tag. (Will be removed in a future release) + ## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion + ## image: - # -- The OCI registry to pull the image from registry: docker.io - # -- The repository within the registry repository: rancher/kubectl - # -- The image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" - # -- Overrides the image tag tag: "" diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 54861c55e..a6f00eb33 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md 
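Review bot: `## @param tests.tls.customCA Custom CA value for tests` leaves the format of the value unstated, and for a trust anchor that is the detail an operator needs; if the templates write it into a file or ConfigMap as-is, document it as `## @param tests.tls.customCA PEM-encoded CA certificate the test pods should trust when tests.tls.enabled is true` (confirm the expected encoding against the test templates). The ingress annotation `Secrets containining TLS certs` has a doubled syllable ("containing"). The `tests` block and the new `agent:` key it introduces are visible in full here, but the `tools.kubectl` image settings at the end of the hunk run to the end of the file.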
@@ -25,69 +25,69 @@ A Helm chart to install the SPIRE agent. * -## Values +## Parameters -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| bundleConfigMap | string | `"spire-bundle"` | | -| clusterName | string | `"example-cluster"` | | -| configMap.annotations | object | `{}` | Annotations to add to the SPIRE Agent ConfigMap | -| extraContainers | list | `[]` | | -| extraVolumeMounts | list | `[]` | | -| extraVolumes | list | `[]` | | -| fsGroupFix.image.pullPolicy | string | `"Always"` | The image pull policy | -| fsGroupFix.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from | -| fsGroupFix.image.repository | string | `"chainguard/bash"` | The repository within the registry | -| fsGroupFix.image.tag | string | `"latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4"` | Overrides the image tag | -| fsGroupFix.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | -| fsGroupFix.resources | object | `{}` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| fullnameOverride | string | `""` | | -| healthChecks.port | int | `9980` | override the host port used for health checking | -| hostAliases | list | `[]` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ | -| image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | -| image.repository | string | `"spiffe/spire-agent"` | The repository within the registry | -| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | -| image.version | string | `""` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | -| imagePullSecrets | list | `[]` | | -| initContainers | list | `[]` | | -| livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe | -| livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe | -| logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" | -| nameOverride | string | `""` | | -| namespaceOverride | string | `""` | | -| nodeSelector | object | `{}` | | -| podAnnotations | object | `{}` | | -| podSecurityContext | object | `{}` | | -| priorityClassName | string | `""` | Priority class assigned to daemonset pods | -| readinessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for readinessProbe | -| readinessProbe.periodSeconds | int | `60` | Period seconds for readinessProbe | -| resources | object | `{}` | | -| securityContext | object | `{}` | | -| server.address | string | `""` | | -| server.namespaceOverride | string | `""` | | -| server.port | int | `8081` | | -| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | -| serviceAccount.name | string | `""` | The name of the service account to use. 
If not set and create is true, a name is generated using the fullname template | -| socketPath | string | `"/run/spire/agent-sockets/spire-agent.sock"` | The unix socket path to the spire-agent | -| telemetry.prometheus.enabled | bool | `false` | | -| telemetry.prometheus.podMonitor.enabled | bool | `false` | | -| telemetry.prometheus.podMonitor.labels | object | `{}` | | -| telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | -| telemetry.prometheus.port | int | `9988` | | -| tolerations | list | `[]` | | -| trustBundleFormat | string | `"pem"` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | -| trustBundleURL | string | `""` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap | -| trustDomain | string | `"example.org"` | The trust domain to be used for the SPIFFE identifiers | -| waitForIt.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| waitForIt.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from | -| waitForIt.image.repository | string | `"chainguard/wait-for-it"` | The repository within the registry | -| waitForIt.image.tag | string | `"latest@sha256:deeaccb164a67a4d7f585c4d416641b1f422c029911a29d72beae28221f823df"` | Overrides the image tag | -| waitForIt.image.version | string | `""` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | -| waitForIt.resources | object | `{}` | | -| workloadAttestors.k8s.disableContainerSelectors | bool | `false` | Set to true if using holdApplicationUntilProxyStarts in Istio | -| workloadAttestors.k8s.skipKubeletVerification | bool | `true` | If true, kubelet certificate verification is skipped | -| workloadAttestors.unix.enabled | bool | `false` | enables the Unix workload attestor | +### Chart parameters ----------------------------------------------- +| Name | Description | Value | +| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/spire-agent` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `imagePullSecrets` | Pull secrets for images | `[]` | +| `nameOverride` | Name override | `""` | +| `namespaceOverride` | Namespace override | `""` | +| `fullnameOverride` | Fullname override | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. 
| `""` | +| `configMap.annotations` | Annotations to add to the SPIRE Agent ConfigMap | `{}` | +| `podAnnotations` | Annotations to add to pods | `{}` | +| `podSecurityContext` | Pod security context | `{}` | +| `securityContext` | Security context | `{}` | +| `resources` | Resource requests and limits | `{}` | +| `nodeSelector` | Node selector | `{}` | +| `tolerations` | List of tolerations | `[]` | +| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | +| `clusterName` | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) | `example-cluster` | +| `trustDomain` | The trust domain to be used for the SPIFFE identifiers | `example.org` | +| `trustBundleURL` | If set, obtain trust bundle from url instead of Kubernetes ConfigMap | `""` | +| `trustBundleFormat` | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" | `pem` | +| `bundleConfigMap` | Configmap name for Spire bundle | `spire-bundle` | +| `server.address` | Address for Spire server | `""` | +| `server.port` | Port number for Spire server | `8081` | +| `server.namespaceOverride` | Override the namespace for Spire server | `""` | +| `healthChecks.port` | override the host port used for health checking | `9980` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` | +| `livenessProbe.periodSeconds` | Period seconds for probe | `60` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for probe | `15` | +| `readinessProbe.periodSeconds` | Period seconds for probe | `60` | +| `waitForIt.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `waitForIt.image.repository` | The repository within the registry | `chainguard/wait-for-it` | +| `waitForIt.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `waitForIt.image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | +| `waitForIt.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:deeaccb164a67a4d7f585c4d416641b1f422c029911a29d72beae28221f823df` | +| `waitForIt.resources` | Resource requests and limits | `{}` | +| `fsGroupFix.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `fsGroupFix.image.repository` | The repository within the registry | `chainguard/bash` | +| `fsGroupFix.image.pullPolicy` | The image pull policy | `Always` | +| `fsGroupFix.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `fsGroupFix.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4` | +| `fsGroupFix.resources` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | `{}` | +| `workloadAttestors.unix.enabled` | Enables the Unix workload attestor | `false` | +| `workloadAttestors.k8s.skipKubeletVerification` | If true, kubelet certificate verification is skipped | `true` | +| `workloadAttestors.k8s.disableContainerSelectors` | Set to true if using holdApplicationUntilProxyStarts in Istio | `false` | +| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | +| `telemetry.prometheus.port` | Port for prometheus metrics | `9988` | +| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | +| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | +| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | +| `socketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` | +| `priorityClassName` | Priority class assigned to daemonset pods | `""` | 
+| `extraVolumes` | Extra volumes to be mounted on Spire Agent pods | `[]` | +| `extraVolumeMounts` | Extra volume mounts for Spire Agent pods | `[]` | +| `extraContainers` | Additional containers to create with Spire Agent pods | `[]` | +| `initContainers` | Additional init containers to create with Spire Agent pods | `[]` | +| `hostAliases` | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ | `[]` | diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 9ee7e278a..f44ec468f 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml 
@@ -1,45 +1,57 @@ -# Default values for spire-agent. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. +# Default configuration for Spire Agent +# SPDX-License-Identifier: APACHE-2.0 -# @ignored +## @skip global global: {} +## @section Chart parameters +## +## @param image.registry The OCI registry to pull the image from +## @param image.repository The repository within the registry +## @param image.pullPolicy The image pull policy +## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release) +## @param image.tag Overrides the image tag whose default is the chart appVersion +## image: - # -- The OCI registry to pull the image from registry: ghcr.io - # -- The repository within the registry repository: spiffe/spire-agent - # -- The image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" - # -- Overrides the image tag whose default is the chart appVersion. tag: "" +## @param imagePullSecrets [array] Pull secrets for images imagePullSecrets: [] + +## @param nameOverride Name override nameOverride: "" + +## @param namespaceOverride Namespace override namespaceOverride: "" + +## @param fullnameOverride Fullname override fullnameOverride: "" serviceAccount: - # -- Specifies whether a service account should be created + ## @param serviceAccount.create Specifies whether a service account should be created create: true - # -- Annotations to add to the service account + ## @param serviceAccount.annotations [object] Annotations to add to the service account annotations: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template + ## @param serviceAccount.name The name of the service account to use. 
+ ## If not set and create is true, a name is generated using the fullname template name: "" configMap: - # -- Annotations to add to the SPIRE Agent ConfigMap + ## @param configMap.annotations [object] Annotations to add to the SPIRE Agent ConfigMap annotations: {} +## @param podAnnotations [object] Annotations to add to pods podAnnotations: {} +## @param podSecurityContext [object] Pod security context podSecurityContext: {} # fsGroup: 2000 +## @param securityContext [object] Security context securityContext: {} # capabilities: # drop: @@ -48,6 +60,7 @@ securityContext: {} # runAsNonRoot: true # runAsUser: 1000 +## @param resources [object] Resource requests and limits resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little 
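Review bot: The continuation line `## If not set and create is true, a name is generated using the fullname template` under `## @param serviceAccount.name` is not a `@param` line, and the regenerated spire-agent README in this same diff shows only `The name of the service account to use.` for that key, so the generator drops the second line and the documented fallback behaviour is lost. Fold it into the tag as the oidc chart does in this commit: `## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated using the fullname template`. The same one-line form would also keep the two charts' READMEs consistent.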
@@ -60,109 +73,133 @@ resources: {} # cpu: 100m # memory: 128Mi +## @param nodeSelector [object] Node selector nodeSelector: {} +## @param tolerations [array] List of tolerations tolerations: [] -# -- The log level, valid values are "debug", "info", "warn", and "error" +## @param logLevel The log level, valid values are "debug", "info", "warn", and "error" logLevel: info -# -- The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) +## @param clusterName The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) clusterName: example-cluster -# -- The trust domain to be used for the SPIFFE identifiers +## @param trustDomain The trust domain to be used for the SPIFFE identifiers trustDomain: example.org -# -- If set, obtain trust bundle from url instead of Kubernetes ConfigMap +## @param trustBundleURL If set, obtain trust bundle from url instead of Kubernetes ConfigMap trustBundleURL: "" -# -- If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe" +## @param trustBundleFormat If using trustBundleURL, what format is the url. 
Choices are "pem" and "spiffe" trustBundleFormat: pem +## @param bundleConfigMap Configmap name for Spire bundle bundleConfigMap: spire-bundle -# @ignored +## @skip upstream upstream: false +## @param server.address Address for Spire server +## @param server.port Port number for Spire server +## @param server.namespaceOverride Override the namespace for Spire server +## server: address: "" port: 8081 namespaceOverride: "" healthChecks: - # -- override the host port used for health checking + ## @param healthChecks.port override the host port used for health checking port: 9980 +## @param livenessProbe.initialDelaySeconds Initial delay seconds for probe +## @param livenessProbe.periodSeconds Period seconds for probe +## livenessProbe: - # -- Initial delay seconds for livenessProbe initialDelaySeconds: 15 - # -- Period seconds for livenessProbe periodSeconds: 60 +## @param readinessProbe.initialDelaySeconds Initial delay seconds for probe +## @param readinessProbe.periodSeconds Period seconds for probe +## readinessProbe: - # -- Initial delay seconds for readinessProbe initialDelaySeconds: 15 - # -- Period seconds for readinessProbe periodSeconds: 60 waitForIt: + ## @param waitForIt.image.registry The OCI registry to pull the image from + ## @param waitForIt.image.repository The repository within the registry + ## @param waitForIt.image.pullPolicy The image pull policy + ## @param waitForIt.image.version This value is deprecated in favor of tag. (Will be removed in a future release) + ## @param waitForIt.image.tag Overrides the image tag whose default is the chart appVersion + ## image: - # -- The OCI registry to pull the image from registry: cgr.dev - # -- The repository within the registry repository: chainguard/wait-for-it - # -- The image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. 
(Will be removed in a future release) version: "" - # -- Overrides the image tag tag: latest@sha256:deeaccb164a67a4d7f585c4d416641b1f422c029911a29d72beae28221f823df + + ## @param waitForIt.resources [object] Resource requests and limits resources: {} # When running as non root, needed to ensure the socket path has the correct permissions. # Set runAsUser to a non-zero value in podSecurityContext to run as non-root user. fsGroupFix: + ## @param fsGroupFix.image.registry The OCI registry to pull the image from + ## @param fsGroupFix.image.repository The repository within the registry + ## @param fsGroupFix.image.pullPolicy The image pull policy + ## @param fsGroupFix.image.version This value is deprecated in favor of tag. (Will be removed in a future release) + ## @param fsGroupFix.image.tag Overrides the image tag whose default is the chart appVersion + ## image: - # -- The OCI registry to pull the image from registry: cgr.dev - # -- The repository within the registry repository: chainguard/bash - # -- The image pull policy pullPolicy: Always - # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" - # -- Overrides the image tag tag: latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4 - # -- Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + + ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} # workloadAttestors determine a workload's properties and then generate a set of selectors associated with it. workloadAttestors: # unix is a workload attestor which generates unix-based selectors like 'uid' and 'gid'. 
unix: - # -- enables the Unix workload attestor + ## @param workloadAttestors.unix.enabled Enables the Unix workload attestor enabled: false k8s: - # -- If true, kubelet certificate verification is skipped + ## @param workloadAttestors.k8s.skipKubeletVerification If true, kubelet certificate verification is skipped skipKubeletVerification: true - # -- Set to true if using holdApplicationUntilProxyStarts in Istio + ## @param workloadAttestors.k8s.disableContainerSelectors Set to true if using holdApplicationUntilProxyStarts in Istio disableContainerSelectors: false telemetry: prometheus: + ## @param telemetry.prometheus.enabled Flag to enable prometheus monitoring enabled: false + ## @param telemetry.prometheus.port Port for prometheus metrics port: 9988 podMonitor: + ## @param telemetry.prometheus.podMonitor.enabled Enable podMonitor for prometheus enabled: false - # -- Override where to install the podMonitor, if not set will use the same namespace as the spire-agent + ## @param telemetry.prometheus.podMonitor.namespace Override where to install the podMonitor, if not set will use the same namespace as the spire-agent namespace: "" + ## @param telemetry.prometheus.podMonitor.labels [object] Pod labels to filter for prometheus monitoring labels: {} -# -- The unix socket path to the spire-agent +## @param socketPath The unix socket path to the spire-agent socketPath: /run/spire/agent-sockets/spire-agent.sock -# -- Priority class assigned to daemonset pods +## @param priorityClassName Priority class assigned to daemonset pods priorityClassName: "" +## @param extraVolumes [array] Extra volumes to be mounted on Spire Agent pods extraVolumes: [] + +## @param extraVolumeMounts [array] Extra volume mounts for Spire Agent pods extraVolumeMounts: [] + +## @param extraContainers [array] Additional containers to create with Spire Agent pods extraContainers: [] +## @param initContainers [array] Additional init containers to create with Spire Agent pods initContainers: [] -# -- 
Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ +## @param hostAliases [array] Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ hostAliases: [] diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md index 24adf7935..e2d541f6d 100644 --- a/charts/spire/charts/spire-server/README.md +++ b/charts/spire/charts/spire-server/README.md 
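Review bot: `## @param workloadAttestors.k8s.skipKubeletVerification If true, kubelet certificate verification is skipped` documents a default of `true` without saying what is given up, and since this comment is now the README text it is the only place an operator will see it. I would state the trade-off explicitly, e.g. `## @param workloadAttestors.k8s.skipKubeletVerification If true, the agent does not verify the kubelet's serving certificate when it queries the kubelet; set to false once the kubelet presents a certificate the agent can validate` (the exact certificate handling should be confirmed against the agent config template). `## @param healthChecks.port override the host port used for health checking` is the one description in this file starting lower-case; capitalising it keeps the generated table uniform. The podMonitor namespace wording here ("same namespace as the spire-agent") differs from the oidc chart's new wording in this diff, which I flagged on that hunk.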
@@ -81,191 +81,196 @@ curl --cacert CA/rootCA.crt --key client.key --cert client.crt https://localhos
 In order to run Tornjak with simple HTTP Connection only, make sure you don't create any `Secrets` or `ConfigMaps` listed above.
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| affinity | object | `{}` | |
-| autoscaling.enabled | bool | `false` | |
-| autoscaling.maxReplicas | int | `100` | |
-| autoscaling.minReplicas | int | `1` | |
-| autoscaling.targetCPUUtilizationPercentage | int | `80` | |
-| bundleConfigMap | string | `"spire-bundle"` | |
-| caKeyType | string | `"rsa-2048"` | The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. EC cryptography is not supported) |
-| caTTL | string | `"24h"` | |
-| ca_subject.common_name | string | `"example.org"` | |
-| ca_subject.country | string | `"NL"` | |
-| ca_subject.organization | string | `"Example"` | |
-| clusterDomain | string | `"cluster.local"` | |
-| clusterName | string | `"example-cluster"` | |
-| configMap.annotations | object | `{}` | Annotations to add to the SPIRE Server ConfigMap |
-| controllerManager.configMap.annotations | object | `{}` | Annotations to add to the Controller Manager ConfigMap |
-| controllerManager.deleteHook.enabled | bool | `true` | Enable Helm hook to autofix common delete issues (should be disabled when using `helm template`) |
-| controllerManager.enabled | bool | `false` | |
-| controllerManager.identities.dnsNameTemplates | list | `[]` | |
-| controllerManager.identities.enabled | bool | `true` | |
-| controllerManager.identities.federatesWith | list | `[]` | |
-| controllerManager.identities.namespaceSelector | object | `{}` | |
-| controllerManager.identities.podSelector | object | `{}` | |
-| controllerManager.identities.spiffeIDTemplate | string | `"spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"` | |
-| 
controllerManager.ignoreNamespaces[0] | string | `"kube-system"` | | -| controllerManager.ignoreNamespaces[1] | string | `"kube-public"` | | -| controllerManager.ignoreNamespaces[2] | string | `"local-path-storage"` | | -| controllerManager.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| controllerManager.image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | -| controllerManager.image.repository | string | `"spiffe/spire-controller-manager"` | The repository within the registry | -| controllerManager.image.tag | string | `"0.2.3"` | Overrides the image tag | -| controllerManager.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | -| controllerManager.installAndUpgradeHook.enabled | bool | `true` | Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) | -| controllerManager.resources | object | `{}` | | -| controllerManager.securityContext | object | `{}` | | -| controllerManager.service.annotations | object | `{}` | | -| controllerManager.service.port | int | `443` | | -| controllerManager.service.type | string | `"ClusterIP"` | | -| controllerManager.validatingWebhookConfiguration.failurePolicy | string | `"Fail"` | | -| customPlugins.keyManager | object | `{}` | | -| customPlugins.nodeAttestor | object | `{}` | | -| customPlugins.notifier | object | `{}` | | -| customPlugins.upstreamAuthority | object | `{}` | | -| dataStore.sql.databaseName | string | `"spire"` | Only used by "postgres" or "mysql" | -| dataStore.sql.databaseType | string | `"sqlite3"` | Other supported databases are "postgres" and "mysql" | -| dataStore.sql.externalSecret | object | `{"enabled":false,"key":"","name":""}` | When an external source creates the secret. 
The secret should reside in the same namespace as the spire server | -| dataStore.sql.externalSecret.key | string | `""` | The key of the secret object whose value is the dataStore.sql password | -| dataStore.sql.externalSecret.name | string | `""` | The name of the secret object | -| dataStore.sql.host | string | `""` | Only used by "postgres" or "mysql" | -| dataStore.sql.options | list | `[]` | Only used by "postgres" or "mysql" | -| dataStore.sql.password | string | `""` | Only used by "postgres" or "mysql" | -| dataStore.sql.plugin_data | object | `{}` | Settings from https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md go in this section | -| dataStore.sql.port | int | `0` | If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. | -| dataStore.sql.username | string | `"spire"` | Only used by "postgres" or "mysql" | -| defaultJwtSvidTTL | string | `"1h"` | | -| defaultX509SvidTTL | string | `"4h"` | | -| extraContainers | list | `[]` | | -| extraVolumeMounts | list | `[]` | | -| extraVolumes | list | `[]` | | -| federation.bundleEndpoint.address | string | `"0.0.0.0"` | | -| federation.bundleEndpoint.port | int | `8443` | | -| federation.enabled | bool | `false` | | -| federation.ingress.annotations | object | `{}` | | -| federation.ingress.className | string | `""` | | -| federation.ingress.enabled | bool | `false` | | -| federation.ingress.hosts[0].host | string | `"spire-server-federation.example.org"` | | -| federation.ingress.hosts[0].paths[0].path | string | `"/"` | | -| federation.ingress.hosts[0].paths[0].pathType | string | `"Prefix"` | | -| federation.ingress.tls | list | `[]` | | -| fullnameOverride | string | `""` | | -| image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| image.registry | string | `"ghcr.io"` | The OCI registry to pull the image from | -| image.repository | string | `"spiffe/spire-server"` | The repository within the registry | -| 
image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | -| image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | -| imagePullSecrets | list | `[]` | | -| ingress.annotations | object | `{}` | | -| ingress.className | string | `""` | | -| ingress.enabled | bool | `false` | | -| ingress.hosts[0].host | string | `"spire-server.example.org"` | | -| ingress.hosts[0].paths[0].path | string | `"/"` | | -| ingress.hosts[0].paths[0].pathType | string | `"Prefix"` | | -| ingress.tls | list | `[]` | | -| initContainers | list | `[]` | | -| jwtIssuer | string | `"https://oidc-discovery.example.org"` | The JWT issuer domain | -| keyManager.awsKMS.accessKeyID | Optional | `""` | Access key ID for the AWS account. It's recommended to use an IAM role instead. See [here](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) to learn how to annotate your SPIRE Server Service Account to assume an IAM role. | -| keyManager.awsKMS.enabled | bool | `false` | | -| keyManager.awsKMS.keyPolicy | object | `{"existingConfigMap":"","policy":""}` | Policy to use when creating keys. If no policy is specified, a default policy will be used. | -| keyManager.awsKMS.keyPolicy.existingConfigMap | Optional | `""` | Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. | -| keyManager.awsKMS.keyPolicy.policy | Optional | `""` | Key policy in JSON format. | -| keyManager.awsKMS.region | string | `""` | | -| keyManager.awsKMS.secretAccessKey | Optional | `""` | Secret access key for the AWS account. 
| -| keyManager.disk.enabled | bool | `true` | | -| keyManager.memory.enabled | bool | `false` | | -| livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe | -| livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe | -| livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe | -| livenessProbe.timeoutSeconds | int | `3` | Timeout in seconds for livenessProbe | -| logLevel | string | `"info"` | The log level, valid values are "debug", "info", "warn", and "error" | -| nameOverride | string | `""` | | -| namespaceOverride | string | `""` | | -| nodeAttestor.k8sPsat.enabled | bool | `true` | | -| nodeAttestor.k8sPsat.serviceAccountAllowList | list | `[]` | | -| nodeSelector | object | `{}` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | -| notifier.k8sbundle.namespace | string | `""` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | -| persistence.accessMode | string | `"ReadWriteOnce"` | | -| persistence.hostPath | string | `""` | Which path to use on the host when type = hostPath | -| persistence.size | string | `"1Gi"` | | -| persistence.storageClass | string | `nil` | | -| persistence.type | string | `"pvc"` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | -| podAnnotations | object | `{}` | | -| podSecurityContext | object | `{}` | | -| readinessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for readinessProbe | -| readinessProbe.periodSeconds | int | `5` | Period seconds for readinessProbe | -| replicaCount | int | `1` | SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. 
| -| resources | object | `{}` | | -| securityContext | object | `{}` | | -| service.annotations | object | `{}` | | -| service.port | int | `8081` | | -| service.type | string | `"ClusterIP"` | | -| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | -| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | -| telemetry.prometheus.enabled | bool | `false` | | -| telemetry.prometheus.podMonitor.enabled | bool | `false` | | -| telemetry.prometheus.podMonitor.labels | object | `{}` | | -| telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spire-server | -| tolerations | list | `[]` | | -| tools.kubectl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | -| tools.kubectl.image.registry | string | `"docker.io"` | The OCI registry to pull the image from | -| tools.kubectl.image.repository | string | `"rancher/kubectl"` | The repository within the registry | -| tools.kubectl.image.tag | string | `""` | Overrides the image tag | -| tools.kubectl.image.version | string | `""` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | -| topologySpreadConstraints | list | `[]` | | -| tornjak.config.clientCA.name | string | `"tornjak-client-ca"` | | -| tornjak.config.clientCA.type | string | `"Secret"` | Type of delivery for the user CA for mTLS client verification options are `Secret` or `ConfigMap` (required for `mtls` connectionType) | -| tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | Persistent DB for storing Tornjak specific information | -| tornjak.config.tlsSecret | string | `"tornjak-tls-secret"` | Name of the secret containing server side key and certificate for TLS verification (required for `tls` or `mtls` connectionType) | -| tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) (Not for production) | -| tornjak.image.pullPolicy | string | `"IfNotPresent"` | The Tornjak image pull policy | -| tornjak.image.registry | string | `"ghcr.io"` | The OCI registry to pull the Tornjak image from | -| tornjak.image.repository | string | `"spiffe/tornjak-backend"` | The repository within the registry | -| tornjak.image.tag | string | `"v1.2.2"` | Overrides the image tag | -| tornjak.image.version | string | `""` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | -| tornjak.resources | object | `{}` | | -| tornjak.service.annotations | object | `{}` | | -| tornjak.service.ports | object | `{"http":10000,"https":10443}` | Ports for tornjak | -| tornjak.service.type | string | `"ClusterIP"` | | -| tornjak.startupProbe.failureThreshold | int | `3` | | -| tornjak.startupProbe.initialDelaySeconds | int | `5` | Initial delay seconds for | -| tornjak.startupProbe.periodSeconds | int | `10` | | -| tornjak.startupProbe.successThreshold | int | `1` | | -| tornjak.startupProbe.timeoutSeconds | int | `5` | | -| trustDomain | string | `"example.org"` | Set the trust domain to be used for the SPIFFE identifiers | -| upstreamAuthority.awsPCA.assumeRoleARN | Optional | `""` | ARN of an IAM role to assume | -| upstreamAuthority.awsPCA.caSigningTemplateARN | string | `""` | See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values. | -| upstreamAuthority.awsPCA.certificateAuthorityARN | string | `""` | ARN of the "upstream" CA certificate | -| upstreamAuthority.awsPCA.enabled | bool | `false` | | -| upstreamAuthority.awsPCA.endpoint | string | `""` | See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information. | -| upstreamAuthority.awsPCA.region | string | `""` | AWS Region to use | -| upstreamAuthority.awsPCA.signingAlgorithm | string | `""` | See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values. | -| upstreamAuthority.awsPCA.supplementalBundlePath | Optional | `""` | Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle. | -| upstreamAuthority.certManager.ca.create | bool | `false` | Creates a Cert-Manager CA | -| upstreamAuthority.certManager.ca.duration | string | `"87600h"` | Duration of the CA. Defaults to 10 years. 
| -| upstreamAuthority.certManager.ca.privateKey.algorithm | string | `"ECDSA"` | | -| upstreamAuthority.certManager.ca.privateKey.rotationPolicy | string | `""` | | -| upstreamAuthority.certManager.ca.privateKey.size | int | `256` | | -| upstreamAuthority.certManager.ca.renewBefore | string | `""` | How long to wait before renewing the CA | -| upstreamAuthority.certManager.enabled | bool | `false` | | -| upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` | | -| upstreamAuthority.certManager.issuer_kind | string | `"Issuer"` | | -| upstreamAuthority.certManager.issuer_name | string | `""` | Defaults to the release name, override if CA is provided outside of the chart | -| upstreamAuthority.certManager.kube_config_file | string | `""` | | -| upstreamAuthority.certManager.namespace | string | `""` | Specify to use a namespace other then the one the chart is installed into | -| upstreamAuthority.certManager.rbac.create | bool | `true` | | -| upstreamAuthority.disk.enabled | bool | `false` | | -| upstreamAuthority.disk.secret.create | bool | `true` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. | -| upstreamAuthority.disk.secret.data | object | `{"bundle":"","certificate":"","key":""}` | If secret creation is enabled, will create a secret with following certificate info | -| upstreamAuthority.disk.secret.name | string | `"spiffe-upstream-ca"` | If secret creation is disabled, the secret with this name will be used. 
| -| upstreamAuthority.spire.enabled | bool | `false` | | -| upstreamAuthority.spire.server.address | string | `""` | | -| upstreamAuthority.spire.server.port | int | `8081` | | -| upstreamAuthority.spire.upstreamDriver | string | `""` | | - ----------------------------------------------- +## Parameters + +### Chart parameters + +| Name | Description | Value | +| ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------- | +| `replicaCount` | SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. | `1` | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/spire-server` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `imagePullSecrets` | Pull secrets for images | `[]` | +| `nameOverride` | Name override | `""` | +| `namespaceOverride` | Namespace override | `""` | +| `fullnameOverride` | Fullname override | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. 
| `""` | +| `podAnnotations` | Annotations to add to pods | `{}` | +| `podSecurityContext` | Pod security context | `{}` | +| `securityContext` | Security context | `{}` | +| `service.type` | Type of the Spire server service created | `ClusterIP` | +| `service.port` | Port for the created service | `8081` | +| `service.annotations` | Annotations to add to the service object | `{}` | +| `configMap.annotations` | Annotations to add to the SPIRE Server ConfigMap | `{}` | +| `resources` | Resource requests and limits | `{}` | +| `autoscaling.enabled` | Flag to enable autoscaling | `false` | +| `autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | +| `autoscaling.maxReplicas` | Maximum replicas for autoscaling | `100` | +| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utlization that triggers autoscaling | `80` | +| `nodeSelector` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | `{}` | +| `tolerations` | List of tolerations | `[]` | +| `affinity` | List of node affinities | `{}` | +| `topologySpreadConstraints` | Topology spread constraints for resilience | `[]` | +| `livenessProbe.failureThreshold` | Failure threshold count for livenessProbe | `2` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `60` | +| `livenessProbe.timeoutSeconds` | Timeout in seconds for livenessProbe | `3` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `persistence.type` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `pvc` | +| `persistence.size` | What type of volume to use for persistence. 
Valid options pvc (recommended), hostPath, emptyDir (testing only) | `1Gi` | +| `persistence.accessMode` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `ReadWriteOnce` | +| `persistence.storageClass` | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) | `nil` | +| `persistence.hostPath` | Which path to use on the host when type = hostPath | `""` | +| `dataStore.sql.databaseType` | Other supported databases are "postgres" and "mysql" | `sqlite3` | +| `dataStore.sql.databaseName` | Only used by "postgres" or "mysql" | `spire` | +| `dataStore.sql.host` | Only used by "postgres" or "mysql" | `""` | +| `dataStore.sql.port` | If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. | `0` | +| `dataStore.sql.username` | Only used by "postgres" or "mysql" | `spire` | +| `dataStore.sql.password` | Only used by "postgres" or "mysql" | `""` | +| `dataStore.sql.options` | Only used by "postgres" or "mysql" | `[]` | +| `dataStore.sql.plugin_data` | Settings from https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md go in this section | `{}` | +| `dataStore.sql.externalSecret.enabled` | Enable external secret for datastore creds | `false` | +| `dataStore.sql.externalSecret.name` | The name of the secret object | `""` | +| `dataStore.sql.externalSecret.key` | The key of the secret object whose value is the dataStore.sql password | `""` | +| `logLevel` | The log level, valid values are "debug", "info", "warn", and "error" | `info` | +| `jwtIssuer` | The JWT issuer domain | `https://oidc-discovery.example.org` | +| `clusterName` | Set the name of the Kubernetes cluster. 
(`kubeadm init --service-dns-domain`) | `example-cluster` | +| `trustDomain` | Set the trust domain to be used for the SPIFFE identifiers | `example.org` | +| `bundleConfigMap` | Set the trust domain to be used for the SPIFFE identifiers | `spire-bundle` | +| `clusterDomain` | This is the value of your clusters `kubeadm init --service-dns-domain` flag | `cluster.local` | +| `federation.enabled` | Flag to enable federation | `false` | +| `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` | +| `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` | +| `federation.ingress.enabled` | Flag to enable ingress for federation | `false` | +| `federation.ingress.className` | Ingress class name for federation | `""` | +| `federation.ingress.annotations` | Annotations for the ingress object | `{}` | +| `federation.ingress.hosts` | Host paths for ingress object | `[]` | +| `federation.ingress.tls` | Secrets containining TLS certs to enable https on ingress | `[]` | +| `ca_subject.country` | Country for Spire server CA | `NL` | +| `ca_subject.organization` | Organization for Spire server CA | `Example` | +| `ca_subject.common_name` | Common Name for Spire server CA | `example.org` | +| `keyManager.disk.enabled` | Flag to enable keyManager on disk | `true` | +| `keyManager.memory.enabled` | Flag to enable keyManager in memory | `false` | +| `keyManager.awsKMS.enabled` | Flag to enable keyManager in memory | `false` | +| `keyManager.awsKMS.region` | Specify the region for AWS KMS | `""` | +| `keyManager.awsKMS.keyPolicy` | Policy to use when creating keys. If no policy is specified, a default policy will be used. | | +| `keyManager.awsKMS.keyPolicy.policy` | Key policy in JSON format. | `""` | +| `keyManager.awsKMS.keyPolicy.existingConfigMap` | Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. | `""` | +| `keyManager.awsKMS.accessKeyID` | Access key ID for the AWS account. 
It's recommended to use an IAM role instead. See [here](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) to learn how to annotate your SPIRE Server Service Account to assume an IAM role. | `""` | +| `keyManager.awsKMS.secretAccessKey` | Secret access key for the AWS account. | `""` | +| `upstreamAuthority.disk.enabled` | Flag to enable upstream authority plugin on disk | `false` | +| `upstreamAuthority.disk.secret.create` | If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. | `true` | +| `upstreamAuthority.disk.secret.name` | If secret creation is disabled, the secret with this name will be used. | `spiffe-upstream-ca` | +| `upstreamAuthority.disk.secret.data` | If secret creation is enabled, will create a secret with following certificate info | | +| `upstreamAuthority.disk.secret.data.certificate` | Certificate to store within disk upstreamAuthority. | `""` | +| `upstreamAuthority.disk.secret.data.key` | Key corresponding to the upstreamAuthority. | `""` | +| `upstreamAuthority.disk.secret.data.bundle` | Trust bundle for upstreamAuthority. | `""` | +| `upstreamAuthority.awsPCA.enabled` | Flag to enable upstream authority plugin with AWS PCA | `false` | +| `upstreamAuthority.awsPCA.region` | AWS Region to use | `""` | +| `upstreamAuthority.awsPCA.certificateAuthorityARN` | ARN of the "upstream" CA certificate | `""` | +| `upstreamAuthority.awsPCA.assumeRoleARN` | (Optional) ARN of an IAM role to assume | `""` | +| `upstreamAuthority.awsPCA.caSigningTemplateARN` | (Optional) ARN of the signing template to use for the server's CA. Defaults to a signing template for end-entity certificates only. See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values. | `""` | +| `upstreamAuthority.awsPCA.signingAlgorithm` | (Optional) Signing algorithm to use for the server's CA. Defaults to the CA's default. 
See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values. | `""` | +| `upstreamAuthority.awsPCA.endpoint` | (Optional) Endpoint as hostname or fully-qualified URI that overrides the default endpoint. See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information. | `""` | +| `upstreamAuthority.awsPCA.supplementalBundlePath` | (Optional) Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle. | `""` | +| `upstreamAuthority.certManager.enabled` | Flag to enable upstream authority plugin with cert manager | `false` | +| `upstreamAuthority.certManager.rbac.create` | Flag to create RBAC roles | `true` | +| `upstreamAuthority.certManager.issuer_name` | Defaults to the release name, override if CA is provided outside of the chart | `""` | +| `upstreamAuthority.certManager.issuer_kind` | Defaults to "Issuer", override if CA is provided outside of the chart | `Issuer` | +| `upstreamAuthority.certManager.issuer_group` | Defaults to "cert-manager.io", override if CA is provided outside of the chart | `cert-manager.io` | +| `upstreamAuthority.certManager.namespace` | Specify to use a namespace other then the one the chart is installed into | `""` | +| `upstreamAuthority.certManager.kube_config_file` | Path to kube_config_file on node to setup cert manager | `""` | +| `upstreamAuthority.certManager.ca.create` | Creates a Cert-Manager CA | `false` | +| `upstreamAuthority.certManager.ca.duration` | Duration of the CA. 
Defaults to 10 years | `87600h` | +| `upstreamAuthority.certManager.ca.privateKey.algorithm` | Algorithm to generate private key for CA | `ECDSA` | +| `upstreamAuthority.certManager.ca.privateKey.size` | Size of generated private key for CA | `256` | +| `upstreamAuthority.certManager.ca.privateKey.rotationPolicy` | Rotation policy for generated private key | `""` | +| `upstreamAuthority.certManager.ca.renewBefore` | How long to wait before renewing the CA | `""` | +| `upstreamAuthority.spire.enabled` | Flag to use another Spire install as upstream CA | `false` | +| `upstreamAuthority.spire.upstreamDriver` | Driver for Spire as upstream CA | `""` | +| `upstreamAuthority.spire.server` | Server details for the Spire instance use as upstream CA | | +| `upstreamAuthority.spire.server.address` | Address for upstream Spire server | `""` | +| `upstreamAuthority.spire.server.port` | Port for upstream Spire server | `8081` | +| `notifier.k8sbundle.namespace` | Namespace to push the bundle into, if blank will default to SPIRE Server namespace | `""` | +| `controllerManager.enabled` | Flag to enable controller manager | `false` | +| `controllerManager.installAndUpgradeHook.enabled` | Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) | `true` | +| `controllerManager.deleteHook.enabled` | Enable Helm hook to autofix common delete issues (should be disabled when using `helm template`) | `true` | +| `controllerManager.image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `controllerManager.image.repository` | The repository within the registry | `spiffe/spire-controller-manager` | +| `controllerManager.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `controllerManager.image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | +| `controllerManager.image.tag` | Overrides the image tag whose default is the chart appVersion | `0.2.3` | +| `controllerManager.resources` | Resource requests and limits for controller manager | `{}` | +| `controllerManager.securityContext` | Security context | `{}` | +| `controllerManager.service.type` | Service type for controller manager | `ClusterIP` | +| `controllerManager.service.port` | Service port for controller manager | `443` | +| `controllerManager.service.annotations` | Annotations for service resource | `{}` | +| `controllerManager.configMap.annotations` | Annotations to add to the Controller Manager ConfigMap | `{}` | +| `controllerManager.ignoreNamespaces` | These namespaces are ignored by controller manager | `[]` | +| `controllerManager.identities.enabled` | Flag to enable default identities for controller manager | `true` | +| `controllerManager.identities.spiffeIDTemplate` | Spiffe ID template for identities | `spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}` | +| `controllerManager.identities.podSelector` | Selector for pods to issue identity | `{}` | +| `controllerManager.identities.namespaceSelector` | Selector for namespacs to issue identity | `{}` | +| `controllerManager.identities.dnsNameTemplates` | DNS name template for issued identities | `[]` | +| `controllerManager.identities.federatesWith` | Other Spire server URLs for identity federation | `[]` | +| `controllerManager.validatingWebhookConfiguration.failurePolicy` | Action when identity is not issued | `Fail` | +| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `docker.io` | +| `tools.kubectl.image.repository` | The repository within the registry | `rancher/kubectl` | +| `tools.kubectl.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tools.kubectl.image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | +| `tools.kubectl.image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `telemetry.prometheus.enabled` | Flag to enable prometheus monitoring | `false` | +| `telemetry.prometheus.podMonitor.enabled` | Enable podMonitor for prometheus | `false` | +| `telemetry.prometheus.podMonitor.namespace` | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent | `""` | +| `telemetry.prometheus.podMonitor.labels` | Pod labels to filter for prometheus monitoring | `{}` | +| `ingress.enabled` | Flag to enable ingress | `false` | +| `ingress.className` | Ingress class name | `""` | +| `ingress.annotations` | Annotations for the ingress object | `{}` | +| `ingress.hosts` | Host paths for ingress object | `[]` | +| `ingress.tls` | Secrets containining TLS certs to enable https on ingress | `[]` | +| `extraVolumes` | Extra volumes to be mounted | `[]` | +| `extraVolumeMounts` | Extra volume mounts | `[]` | +| `extraContainers` | Additional containers to create | `[]` | +| `initContainers` | Additional init containers to create | `[]` | +| `caKeyType` | The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. 
EC cryptography is not supported) | `rsa-2048` | +| `caTTL` | TTL for CA | `24h` | +| `defaultX509SvidTTL` | TTL for X509 Svids | `4h` | +| `defaultJwtSvidTTL` | TTL for JWT Svids | `1h` | +| `nodeAttestor.k8sPsat.enabled` | Enable Psat k8s nodeattestor | `true` | +| `nodeAttestor.k8sPsat.serviceAccountAllowList` | Allowed service accounts for Psat nodeattestor | `[]` | +| `tornjak.enabled` | Deploys Tornjak API (backend) (Not for production) | `false` | +| `tornjak.image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `tornjak.image.repository` | The repository within the registry | `spiffe/tornjak-backend` | +| `tornjak.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tornjak.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `tornjak.image.tag` | Overrides the image tag whose default is the chart appVersion | `v1.2.2` | +| `tornjak.service.type` | Type of service resource | `ClusterIP` | +| `tornjak.service.ports.http` | Insecure port for tornjak service | `10000` | +| `tornjak.service.ports.https` | Secure port for tornjak service | `10443` | +| `tornjak.service.annotations` | Annotations for the service | `{}` | +| `tornjak.startupProbe.failureThreshold` | Failure threshold count | `3` | +| `tornjak.startupProbe.initialDelaySeconds` | Initial delay seconds | `5` | +| `tornjak.startupProbe.periodSeconds` | Period seconds | `10` | +| `tornjak.startupProbe.successThreshold` | Success threshold count | `1` | +| `tornjak.startupProbe.timeoutSeconds` | Timeout in seconds | `5` | +| `tornjak.config.dataStore` | Persistent DB for storing Tornjak specific information | | +| `tornjak.config.dataStore.driver` | Database driver name | `sqlite3` | +| `tornjak.config.dataStore.file` | File path for sqlite3 file | `/run/spire/data/tornjak.sqlite3` | +| `tornjak.config.tlsSecret` | Name of the secret containing server side key and certificate for TLS verification (required for `tls` 
or `mtls` connectionType) | `tornjak-tls-secret` |
+| `tornjak.config.clientCA.type` | Type of delivery for the user CA for TLS client verification. Options are `Secret` or `ConfigMap` (required for `mtls` connectionType) | `Secret` |
+| `tornjak.config.clientCA.name` | Name of the resource secret or configMap with user CA for TLS | `tornjak-client-ca` |
+| `tornjak.resources` | Resource requests and limits | `{}` |
+| `tests.hostAliases` | List of host aliases for testing | `[]` |
+| `tests.tls.enabled` | Flag for enabling tls for tests | `false` |
+| `tests.tls.customCA` | Custom CA value for tests | `""` |
+| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` |
+| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` |
+| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` |
+| `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
+| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4` |
diff --git a/charts/spire/charts/spire-server/README.md.gotmpl b/charts/spire/charts/spire-server/README.md.gotmpl
deleted file mode 100644
index c66ec6f31..000000000
--- a/charts/spire/charts/spire-server/README.md.gotmpl
+++ /dev/null
@@ -1,81 +0,0 @@ -{{ template "chart.header" . }} - - - -{{ template "chart.deprecationWarning" . }} - -{{ template "chart.badgesSection" . }} - -{{ template "chart.description" . }} - -{{ template "chart.homepageLine" . }} - -> **Note**: Minimum Spire version is `1.5.3`. -> The recommended version is `1.6.0` to support arm64 nodes. If running with any -> prior version to `1.6.0` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. -> -> The recommended spire-controller-manager version is `0.2.2` to support arm64 nodes. If running with any -> prior version to `0.2.2` you have to use a `nodeSelector` to limit to `kubernetes.io/arch: amd64`. - -{{ template "chart.maintainersSection" . }} - -{{ template "chart.sourcesSection" . }} - -{{ template "chart.requirementsSection" . }} - -## Tornjak - -Tornjak is the UI and Control Plane for SPIRE [https://github.com/spiffe/tornjak](https://github.com/spiffe/tornjak) and it is composed of two components: - -* Backend (this chart) - Tornjak APIs that extend SPIRE APIs with Control Plane functionality -* [Frontend](../tornjak-frontend/README.md) - Tornjak UI - -When Tornjak is enabled, it is exposed on both http and https (if TLS server certs are configured). Tornjak handles a permanent redirect from `http` to `https` to ensure users always use the https endpoint. - -In addition, you can configure a `client certificate authority`, this will make Tornjak backend verify Client certificates signed by this authority to enable mTLS authentication. - -**Warning**: For production, we recommend configuring TLS certificates and client CA to protect Tornjak from unauthorized access. - -### Tornjak with TLS Connection Type - -TLS connection requires Tornjak to have access to TLS key and certificate. -Complete instruction on creating your own TLS certificate can be found [here](https://github.com/spiffe/tornjak/blob/main/examples/tls_mtls/README.md). 
-TLS Certificate and the private key must be provided to Tornjak via *TLS Secret*. Prior to deploying this Helm chart, create TLS Secret in the deployment namespace (e.g. `spire-server`) - -```console -kubectl -n spire-server create secret tls tornjak-tls-secret --cert=client.crt --key=client.key -``` - -Once the charts are deployed, you can test the TLS connection with the following command (assuming localhost): - -```console -curl --cacert CA/rootCA.crt https://localhost:10443 -``` - -### Tornjak with mTLS Connection Type - -mTLS connection allows Tornjak server validation by client and Tornjak client validation by Tornjak server. The server validation is identical to above TLS. Follow the steps to create -TLS secret with key and the certificate. - -Additionally, you must provide the user CA to Tornjak server via `Secret` or `ConfigMap`. -Follow the steps to [create user CA for mTLS](https://github.com/spiffe/tornjak/blob/main/examples/tls_mtls/README.md), then create a *Secret* (or *ConfigMap*) prior to deploying this Helm chart. - -Here is an example using a *Secret* in `spire-server` namespace: - -```console -kubectl -n spire-server create secret generic tornjak-client-ca --from-file=ca.crt="CA/rootCA.crt" -``` - -Once the charts are deployed, you can test the mTLS connection with the following command (assuming localhost): - -```console -curl --cacert CA/rootCA.crt --key client.key --cert client.crt https://localhost:10443 -``` - -### Tornjak with HTTP Connection Type - -In order to run Tornjak with simple HTTP Connection only, make sure you don't create any `Secrets` or `ConfigMaps` listed above. - -{{ template "chart.valuesSection" . }} - ----------------------------------------------- diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml index 8fcf10a99..bf0fec67c 100644 --- a/charts/spire/charts/spire-server/values.yaml +++ b/charts/spire/charts/spire-server/values.yaml 
@@ -1,44 +1,56 @@ -# Default values for spire-server. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. +# Default configuration for Spire server +# SPDX-License-Identifier: APACHE-2.0 -# @ignored +## @skip global global: {} -# -- SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. +## @section Chart parameters +## +## @param replicaCount SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database. replicaCount: 1 +## @param image.registry The OCI registry to pull the image from +## @param image.repository The repository within the registry +## @param image.pullPolicy The image pull policy +## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release) +## @param image.tag Overrides the image tag whose default is the chart appVersion +## image: - # -- The OCI registry to pull the image from registry: ghcr.io - # -- The repository within the registry repository: spiffe/spire-server - # -- The image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" - # -- Overrides the image tag whose default is the chart appVersion. tag: "" +## @param imagePullSecrets [array] Pull secrets for images imagePullSecrets: [] + +## @param nameOverride Name override nameOverride: "" + +## @param namespaceOverride Namespace override namespaceOverride: "" + +## @param fullnameOverride Fullname override fullnameOverride: "" +## @param serviceAccount.create Specifies whether a service account should be created +## @param serviceAccount.annotations [object] Annotations to add to the service account +## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated. 
+## serviceAccount: - # -- Specifies whether a service account should be created create: true - # -- Annotations to add to the service account annotations: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template name: "" +## @param podAnnotations [object] Annotations to add to pods podAnnotations: {} +## @param podSecurityContext [object] Pod security context podSecurityContext: {} # fsGroup: 2000 +## @param securityContext [object] Security context securityContext: {} # capabilities: # drop: @@ -47,15 +59,20 @@ securityContext: {} # runAsNonRoot: true # runAsUser: 1000 +## @param service.type Type of the Spire server service created +## @param service.port Port for the created service +## @param service.annotations [object] Annotations to add to the service object +## service: type: ClusterIP port: 8081 annotations: {} configMap: - # -- Annotations to add to the SPIRE Server ConfigMap + ## @param configMap.annotations [object] Annotations to add to the SPIRE Server ConfigMap annotations: {} +## @param resources [object] Resource requests and limits resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -68,6 +85,11 @@ resources: {} # cpu: 200m # memory: 256Mi +## @param autoscaling.enabled Flag to enable autoscaling +## @param autoscaling.minReplicas Minimum replicas for autoscaling +## @param autoscaling.maxReplicas Maximum replicas for autoscaling +## @param autoscaling.targetCPUUtilizationPercentage Target CPU utlization that triggers autoscaling +## autoscaling: enabled: false minReplicas: 1 
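Review bot: The new `autoscaling.targetCPUUtilizationPercentage` annotation in the `@@ -68,6 +85,11 @@` hunk misspells "utilization", and because readme-generator copies `@param` text verbatim into the parameters table (the README hunk earlier in this diff shows the descriptions reproduced word for word) the typo will land in the generated README: `## @param autoscaling.targetCPUUtilizationPercentage Target CPU utilization that triggers autoscaling`. The remaining annotations in the three hunks ending here (`@@ -1,44`, `@@ -47,15`, `@@ -68,6`) read correctly and carry the `[object]`/`[array]` modifiers consistently.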
@@ -75,103 +97,123 @@ autoscaling: targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 -# -- Select specific nodes to run on (currently only amd64 is supported by Tornjak) +## @param nodeSelector [object] Select specific nodes to run on (currently only amd64 is supported by Tornjak) nodeSelector: {} +## @param tolerations [array] List of tolerations tolerations: [] +## @param affinity [object] List of node affinities affinity: {} +## @param topologySpreadConstraints [array] Topology spread constraints for resilience topologySpreadConstraints: [] +## @param livenessProbe.failureThreshold Failure threshold count for livenessProbe +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout in seconds for livenessProbe +## livenessProbe: - # -- Failure threshold count for livenessProbe failureThreshold: 2 - # -- Initial delay seconds for livenessProbe initialDelaySeconds: 15 - # -- Period seconds for livenessProbe periodSeconds: 60 - # -- Timeout in seconds for livenessProbe timeoutSeconds: 3 +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## readinessProbe: - # -- Initial delay seconds for readinessProbe initialDelaySeconds: 5 - # -- Period seconds for readinessProbe periodSeconds: 5 +## @param persistence.type What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) +## @param persistence.size What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) +## @param persistence.accessMode What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) +## @param persistence.storageClass What type of volume to use for persistence. 
Valid options pvc (recommended), hostPath, emptyDir (testing only) +## @param persistence.hostPath Which path to use on the host when type = hostPath +## persistence: - # -- What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only) type: pvc size: 1Gi accessMode: ReadWriteOnce storageClass: null - # -- Which path to use on the host when type = hostPath hostPath: "" dataStore: sql: - # -- Other supported databases are "postgres" and "mysql" + ## @param dataStore.sql.databaseType Other supported databases are "postgres" and "mysql" databaseType: sqlite3 - # -- Only used by "postgres" or "mysql" + ## @param dataStore.sql.databaseName Only used by "postgres" or "mysql" databaseName: spire - # -- Only used by "postgres" or "mysql" + ## @param dataStore.sql.host Only used by "postgres" or "mysql" host: "" - # -- If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. + ## @param dataStore.sql.port If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases. port: 0 - # -- Only used by "postgres" or "mysql" + ## @param dataStore.sql.username Only used by "postgres" or "mysql" username: spire - # -- Only used by "postgres" or "mysql" + ## @param dataStore.sql.password Only used by "postgres" or "mysql" password: "" - # -- Only used by "postgres" or "mysql" + ## @param dataStore.sql.options [array] Only used by "postgres" or "mysql" options: [] - # -- Settings from https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md go in this section + ## @param dataStore.sql.plugin_data [object] Settings from https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md go in this section plugin_data: {} - # -- When an external source creates the secret. The secret should reside in the same namespace as the spire server + ## When an external source creates the secret. 
The secret should reside in the same namespace as the spire server externalSecret: + ## @param dataStore.sql.externalSecret.enabled Enable external secret for datastore creds enabled: false - # -- The name of the secret object + ## @param dataStore.sql.externalSecret.name The name of the secret object name: "" - # -- The key of the secret object whose value is the dataStore.sql password + ## @param dataStore.sql.externalSecret.key The key of the secret object whose value is the dataStore.sql password key: "" -# -- The log level, valid values are "debug", "info", "warn", and "error" +## @param logLevel The log level, valid values are "debug", "info", "warn", and "error" logLevel: info -# -- The JWT issuer domain +## @param jwtIssuer The JWT issuer domain jwtIssuer: https://oidc-discovery.example.org -# -- Set the name of the Kubernetes cluster. (`kubeadm init --service-dns-domain`) +## @param clusterName Set the name of the Kubernetes cluster. (`kubeadm init --service-dns-domain`) clusterName: example-cluster -# -- Set the trust domain to be used for the SPIFFE identifiers +## @param trustDomain Set the trust domain to be used for the SPIFFE identifiers trustDomain: example.org +## @param bundleConfigMap Set the trust domain to be used for the SPIFFE identifiers bundleConfigMap: spire-bundle -# -- This is the value of your clusters `kubeadm init --service-dns-domain` flag +## @param clusterDomain This is the value of your clusters `kubeadm init --service-dns-domain` flag clusterDomain: cluster.local federation: + ## @param federation.enabled Flag to enable federation enabled: false bundleEndpoint: + ## @param federation.bundleEndpoint.port Port value for trust bundle federation port: 8443 + ## @param federation.bundleEndpoint.address Address for trust bundle federation address: "0.0.0.0" ingress: + ## @param federation.ingress.enabled Flag to enable ingress for federation enabled: false + ## @param federation.ingress.className Ingress class name for federation 
className: "" + ## @param federation.ingress.annotations [object] Annotations for the ingress object annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # If Profile Type == https_spiffe: # nginx.ingress.kubernetes.io/ssl-passthrough: "true" + ## @param federation.ingress.hosts [array] Host paths for ingress object hosts: - host: spire-server-federation.example.org paths: - path: / pathType: Prefix + + ## @param federation.ingress.tls [array] Secrets containining TLS certs to enable https on ingress tls: [] # - hosts: # - spire-server-federation.example.org 
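Review bot: The new `persistence.size`, `persistence.accessMode` and `persistence.storageClass` annotations all repeat the `persistence.type` text ("What type of volume to use for persistence…"), and `## @param bundleConfigMap` repeats the `trustDomain` description, so the generated parameters table will describe four keys incorrectly. Each persistence line should describe its own key (the volume size, its access mode, its storage class), and the bundle line can reuse the wording this diff already uses for the parent chart: `## @param bundleConfigMap A configmap containing the Spire bundle`. `## @param dataStore.sql.password Only used by "postgres" or "mysql"` documents a credential that, when set here, sits in clear text in the values file and in the values Helm stores with the release; since the same hunk adds `dataStore.sql.externalSecret.*`, the description should point there, e.g. append `; prefer dataStore.sql.externalSecret so the password is not stored in values`. `## @param federation.ingress.tls [array] Secrets containining TLS certs…` misspells "containing"; the same typo recurs on `ingress.tls` in the `@@ -310,124 +378,166 @@` hunk.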
@@ -179,117 +221,142 @@ federation: # secretName: spire-server-federation-tls ca_subject: + ## @param ca_subject.country Country for Spire server CA country: NL + ## @param ca_subject.organization Organization for Spire server CA organization: Example + ## @param ca_subject.common_name Common Name for Spire server CA common_name: example.org keyManager: disk: + ## @param keyManager.disk.enabled Flag to enable keyManager on disk enabled: true memory: + ## @param keyManager.memory.enabled Flag to enable keyManager in memory enabled: false awsKMS: + ## @param keyManager.awsKMS.enabled Flag to enable keyManager in memory enabled: false + ## @param keyManager.awsKMS.region Specify the region for AWS KMS region: "" - # -- Policy to use when creating keys. If no policy is specified, a default policy will be used. + ## @extra keyManager.awsKMS.keyPolicy Policy to use when creating keys. If no policy is specified, a default policy will be used. keyPolicy: - # -- (Optional) Key policy in JSON format. + ## @param keyManager.awsKMS.keyPolicy.policy [nullable] Key policy in JSON format. policy: "" - # -- (Optional) Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. + ## @param keyManager.awsKMS.keyPolicy.existingConfigMap [nullable] Name of a ConfigMap that has a `policy.json` file with the key policy in JSON format. existingConfigMap: "" - # -- (Optional) Access key ID for the AWS account. It's recommended to use an IAM role instead. See [here](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) to learn how to annotate your SPIRE Server Service Account to assume an IAM role. + ## @param keyManager.awsKMS.accessKeyID [nullable] Access key ID for the AWS account. It's recommended to use an IAM role instead. See [here](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) to learn how to annotate your SPIRE Server Service Account to assume an IAM role. 
accessKeyID: "" - # -- (Optional) Secret access key for the AWS account. + ## @param keyManager.awsKMS.secretAccessKey [nullable] Secret access key for the AWS account. secretAccessKey: "" upstreamAuthority: disk: + ## @param upstreamAuthority.disk.enabled Flag to enable upstream authority plugin on disk enabled: false secret: - # -- If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. + ## @param upstreamAuthority.disk.secret.create If disabled requires you to create a secret with the given keys (certificate, key and optional bundle) yourself. create: true - # -- If secret creation is disabled, the secret with this name will be used. + ## @param upstreamAuthority.disk.secret.name If secret creation is disabled, the secret with this name will be used. name: "spiffe-upstream-ca" - # -- If secret creation is enabled, will create a secret with following certificate info + ## @extra upstreamAuthority.disk.secret.data If secret creation is enabled, will create a secret with following certificate info data: + ## @param upstreamAuthority.disk.secret.data.certificate Certificate to store within disk upstreamAuthority. certificate: "" + ## @param upstreamAuthority.disk.secret.data.key Key corresponding to the upstreamAuthority. key: "" + ## @param upstreamAuthority.disk.secret.data.bundle Trust bundle for upstreamAuthority. 
bundle: "" awsPCA: + ## @param upstreamAuthority.awsPCA.enabled Flag to enable upstream authority plugin with AWS PCA enabled: false - # -- AWS Region to use + ## @param upstreamAuthority.awsPCA.region AWS Region to use region: "" - # -- ARN of the "upstream" CA certificate + ## @param upstreamAuthority.awsPCA.certificateAuthorityARN ARN of the "upstream" CA certificate certificateAuthorityARN: "" - # -- (Optional) ARN of an IAM role to assume + ## @param upstreamAuthority.awsPCA.assumeRoleARN (Optional) ARN of an IAM role to assume assumeRoleARN: "" - # -- (Optional) ARN of the signing template to use for the server's CA. Defaults to a signing template for end-entity certificates only. - # -- See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values. + ## @param upstreamAuthority.awsPCA.caSigningTemplateARN (Optional) ARN of the signing template to use for the server's CA. Defaults to a signing template for end-entity certificates only. See Using Templates (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html) for possible values. caSigningTemplateARN: "" - # -- (Optional) Signing algorithm to use for the server's CA. Defaults to the CA's default. - # -- See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values. + ## @param upstreamAuthority.awsPCA.signingAlgorithm (Optional) Signing algorithm to use for the server's CA. Defaults to the CA's default. See Issue Certificate (https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) for possible values. signingAlgorithm: "" - # -- (Optional) Endpoint as hostname or fully-qualified URI that overrides the default endpoint. - # -- See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information. 
+ ## @param upstreamAuthority.awsPCA.endpoint (Optional) Endpoint as hostname or fully-qualified URI that overrides the default endpoint. See AWS SDK Config docs (https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config) for more information. endpoint: "" - # -- (Optional) Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle. + ## @param upstreamAuthority.awsPCA.supplementalBundlePath (Optional) Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle. supplementalBundlePath: "" certManager: + ## @param upstreamAuthority.certManager.enabled Flag to enable upstream authority plugin with cert manager enabled: false + ## @param upstreamAuthority.certManager.rbac.create Flag to create RBAC roles rbac: create: true - # -- Defaults to the release name, override if CA is provided outside of the chart + ## @param upstreamAuthority.certManager.issuer_name Defaults to the release name, override if CA is provided outside of the chart issuer_name: "" + ## @param upstreamAuthority.certManager.issuer_kind Defaults to "Issuer", override if CA is provided outside of the chart issuer_kind: "Issuer" + ## @param upstreamAuthority.certManager.issuer_group Defaults to "cert-manager.io", override if CA is provided outside of the chart issuer_group: "cert-manager.io" - # -- Specify to use a namespace other then the one the chart is installed into + ## @param upstreamAuthority.certManager.namespace Specify to use a namespace other then the one the chart is installed into namespace: "" + ## @param upstreamAuthority.certManager.kube_config_file Path to kube_config_file on node to setup cert manager kube_config_file: "" ca: - # -- Creates a Cert-Manager CA + ## @param upstreamAuthority.certManager.ca.create Creates a Cert-Manager CA create: false - # -- Duration of the CA. Defaults to 10 years. + ## @param upstreamAuthority.certManager.ca.duration Duration of the CA. 
Defaults to 10 years duration: 87600h privateKey: + ## @param upstreamAuthority.certManager.ca.privateKey.algorithm Algorithm to generate private key for CA algorithm: ECDSA + ## @param upstreamAuthority.certManager.ca.privateKey.size Size of generated private key for CA size: 256 + ## @param upstreamAuthority.certManager.ca.privateKey.rotationPolicy Rotation policy for generated private key rotationPolicy: "" - # -- How long to wait before renewing the CA + ## @param upstreamAuthority.certManager.ca.renewBefore How long to wait before renewing the CA renewBefore: "" spire: + ## @param upstreamAuthority.spire.enabled Flag to use another Spire install as upstream CA enabled: false + ## @param upstreamAuthority.spire.upstreamDriver Driver for Spire as upstream CA upstreamDriver: "" + ## @extra upstreamAuthority.spire.server Server details for the Spire instance use as upstream CA server: + ## @param upstreamAuthority.spire.server.address Address for upstream Spire server address: "" + ## @param upstreamAuthority.spire.server.port Port for upstream Spire server port: 8081 notifier: k8sbundle: - # -- Namespace to push the bundle into, if blank will default to SPIRE Server namespace + ## @param notifier.k8sbundle.namespace Namespace to push the bundle into, if blank will default to SPIRE Server namespace namespace: "" controllerManager: + ## @param controllerManager.enabled Flag to enable controller manager enabled: false installAndUpgradeHook: - # -- Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) + ## @param controllerManager.installAndUpgradeHook.enabled Enable Helm hook to autofix common install/upgrade issues (should be disabled when using `helm template`) enabled: true deleteHook: - # -- Enable Helm hook to autofix common delete issues (should be disabled when using `helm template`) + ## @param controllerManager.deleteHook.enabled Enable Helm hook to autofix common delete issues (should be disabled when 
using `helm template`) enabled: true + ## @param controllerManager.image.registry The OCI registry to pull the image from + ## @param controllerManager.image.repository The repository within the registry + ## @param controllerManager.image.pullPolicy The image pull policy + ## @param controllerManager.image.version This value is deprecated in favor of tag. (Will be removed in a future release) + ## @param controllerManager.image.tag Overrides the image tag whose default is the chart appVersion + ## image: - # -- The OCI registry to pull the image from registry: ghcr.io - # -- The repository within the registry repository: spiffe/spire-controller-manager - # -- The image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" - # -- Overrides the image tag tag: "0.2.3" + ## @param controllerManager.resources [object] Resource requests and limits for controller manager resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -302,6 +369,7 @@ controllerManager: # cpu: 100m # memory: 128Mi + ## @param controllerManager.securityContext [object] Security context securityContext: {} # capabilities: # drop: 
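Review bot: `## @param keyManager.awsKMS.enabled Flag to enable keyManager in memory` was copied from the `memory` plugin above it and describes the wrong plugin; it should read `## @param keyManager.awsKMS.enabled Flag to enable keyManager with AWS KMS`. `keyManager.awsKMS.secretAccessKey` is a static credential that, like `accessKeyID` two lines above, would be stored in values, yet only the `accessKeyID` annotation carries the "It's recommended to use an IAM role instead" advice — repeat it on the secret key line so the generated table warns on both. As a matter of layout, `## @param upstreamAuthority.certManager.rbac.create Flag to create RBAC roles` sits above `rbac:` instead of above `create:`, unlike the other nested `@param` lines in this hunk; moving it under `rbac:` keeps the annotation next to the key it documents. The `awsPCA` entries also keep a textual "(Optional)" where the `awsKMS` entries in the same hunk switched to the `[nullable]` modifier; one convention would read more clearly in the rendered table.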
@@ -310,124 +378,166 @@ controllerManager: # runAsNonRoot: true # runAsUser: 1000 + ## @param controllerManager.service.type Service type for controller manager + ## @param controllerManager.service.port Service port for controller manager + ## @param controllerManager.service.annotations Annotations for service resource + ## service: type: ClusterIP port: 443 annotations: {} configMap: - # -- Annotations to add to the Controller Manager ConfigMap + ## @param controllerManager.configMap.annotations [object] Annotations to add to the Controller Manager ConfigMap annotations: {} + ## @param controllerManager.ignoreNamespaces [array] These namespaces are ignored by controller manager ignoreNamespaces: - kube-system - kube-public - local-path-storage identities: + ## @param controllerManager.identities.enabled Flag to enable default identities for controller manager enabled: true + ## @param controllerManager.identities.spiffeIDTemplate Spiffe ID template for identities spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }} + ## @param controllerManager.identities.podSelector [object] Selector for pods to issue identity podSelector: {} # matchLabels: # spiffe.io/spiffe-id: "true" + ## @param controllerManager.identities.namespaceSelector [object] Selector for namespacs to issue identity namespaceSelector: {} # matchLabels: # spiffe.io/spiffe-id: "true" + ## @param controllerManager.identities.dnsNameTemplates [array] DNS name template for issued identities dnsNameTemplates: [] # - '{{ index .PodMeta.Labels "app.kubernetes.io/name" }}.{{ .PodMeta.Namespace }}.svc.cluster.local' + ## @param controllerManager.identities.federatesWith [array] Other Spire server URLs for identity federation federatesWith: [] # - example.io # - example.ai validatingWebhookConfiguration: + ## @param controllerManager.validatingWebhookConfiguration.failurePolicy Action when identity is not issued failurePolicy: Fail tools: kubectl: + ## 
@param tools.kubectl.image.registry The OCI registry to pull the image from + ## @param tools.kubectl.image.repository The repository within the registry + ## @param tools.kubectl.image.pullPolicy The image pull policy + ## @param tools.kubectl.image.version This value is deprecated in favor of tag. (Will be removed in a future release) + ## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion + ## image: - # -- The OCI registry to pull the image from registry: docker.io - # -- The repository within the registry repository: rancher/kubectl - # -- The image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" - # -- Overrides the image tag tag: "" telemetry: prometheus: + ## @param telemetry.prometheus.enabled Flag to enable prometheus monitoring enabled: false podMonitor: + ## @param telemetry.prometheus.podMonitor.enabled Enable podMonitor for prometheus enabled: false - # -- Override where to install the podMonitor, if not set will use the same namespace as the spire-server + ## @param telemetry.prometheus.podMonitor.namespace Override where to install the podMonitor, if not set will use the same namespace as the spire-agent namespace: "" + ## @param telemetry.prometheus.podMonitor.labels [object] Pod labels to filter for prometheus monitoring labels: {} ingress: + ## @param ingress.enabled Flag to enable ingress enabled: false + ## @param ingress.className Ingress class name className: "" + ## @param ingress.annotations [object] Annotations for the ingress object annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # nginx.ingress.kubernetes.io/ssl-passthrough: "true" + + ## @param ingress.hosts [array] Host paths for ingress object hosts: - host: spire-server.example.org paths: - path: / pathType: Prefix + ## @param ingress.tls [array] Secrets 
containining TLS certs to enable https on ingress tls: [] # - secretName: spire-server-tls # hosts: # - spire-server.example.org +## @param extraVolumes [array] Extra volumes to be mounted extraVolumes: [] + +## @param extraVolumeMounts [array] Extra volume mounts extraVolumeMounts: [] + +## @param extraContainers [array] Additional containers to create extraContainers: [] +## @param initContainers [array] Additional init containers to create initContainers: [] -# -- The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. EC cryptography is not supported) +## @param caKeyType The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. EC cryptography is not supported) caKeyType: rsa-2048 +## @param caTTL TTL for CA caTTL: 24h +## @param defaultX509SvidTTL TTL for X509 Svids defaultX509SvidTTL: 4h +## @param defaultJwtSvidTTL TTL for JWT Svids defaultJwtSvidTTL: 1h nodeAttestor: k8sPsat: + ## @param nodeAttestor.k8sPsat.enabled Enable Psat k8s nodeattestor enabled: true + ## @param nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor serviceAccountAllowList: [] # tornjak - Tornjak default values tornjak: - # -- Deploys Tornjak API (backend) (Not for production) + ## @param tornjak.enabled Deploys Tornjak API (backend) (Not for production) enabled: false + ## @param tornjak.image.registry The OCI registry to pull the image from + ## @param tornjak.image.repository The repository within the registry + ## @param tornjak.image.pullPolicy The image pull policy + ## @param tornjak.image.version This value is deprecated in favor of tag. 
(Will be removed in a future release) + ## @param tornjak.image.tag Overrides the image tag whose default is the chart appVersion + ## image: - # -- The OCI registry to pull the Tornjak image from registry: ghcr.io - # -- The repository within the registry repository: spiffe/tornjak-backend - # -- The Tornjak image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" - # -- Overrides the image tag tag: "v1.2.2" service: + ## @param tornjak.service.type Type of service resource type: ClusterIP - # -- Ports for tornjak ports: + ## @param tornjak.service.ports.http Insecure port for tornjak service http: 10000 + ## @param tornjak.service.ports.https Secure port for tornjak service https: 10443 + ## @param tornjak.service.annotations [object] Annotations for the service annotations: {} + ## @param tornjak.startupProbe.failureThreshold Failure threshold count + ## @param tornjak.startupProbe.initialDelaySeconds Initial delay seconds + ## @param tornjak.startupProbe.periodSeconds Period seconds + ## @param tornjak.startupProbe.successThreshold Success threshold count + ## @param tornjak.startupProbe.timeoutSeconds Timeout in seconds + ## startupProbe: failureThreshold: 3 - # -- Initial delay seconds for initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 @@ -435,9 +545,11 @@ tornjak: # tornjak - Tornjak default values config: - # -- Persistent DB for storing Tornjak specific information + ## @extra tornjak.config.dataStore [object] Persistent DB for storing Tornjak specific information dataStore: + ## @param tornjak.config.dataStore.driver Database driver name driver: "sqlite3" + ## @param tornjak.config.dataStore.file File path for sqlite3 file file: "/run/spire/data/tornjak.sqlite3" # Tornjak supports 3 connection types: `http`, `tls`, and `mtls`. 
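Review bot: `## @param telemetry.prometheus.podMonitor.namespace … the same namespace as the spire-agent` changes what the removed line said (spire-server), and this file is the spire-server chart, so the rewrite introduces a wrong statement; restore `… if not set will use the same namespace as the spire-server`. `## @param controllerManager.service.annotations Annotations for service resource` is the only annotations parameter in these hunks without the `[object]` modifier (compare `service.annotations [object]` and `controllerManager.configMap.annotations [object]` elsewhere in this diff). `## @param controllerManager.identities.namespaceSelector [object] Selector for namespacs to issue identity` misspells "namespaces". `## @param controllerManager.validatingWebhookConfiguration.failurePolicy Action when identity is not issued` reads as if it governed identity issuance; if the key maps to the ValidatingWebhookConfiguration `failurePolicy` field as its name suggests, it controls what the API server does when the webhook call fails (`Fail` or `Ignore`), and the description should say so.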
@@ -446,16 +558,15 @@ tornjak: # When `tlsSecret` and `clientCA.tornjak-client-ca` are created in this chart namespace, the mTLS connection is started # When none of them are created, Tornjak starts with HTTP connection only - # -- Name of the secret containing server side key and certificate for TLS verification - # (required for `tls` or `mtls` connectionType) + ## @param tornjak.config.tlsSecret Name of the secret containing server side key and certificate for TLS verification (required for `tls` or `mtls` connectionType) tlsSecret: tornjak-tls-secret clientCA: - # -- Type of delivery for the user CA for mTLS client verification - # options are `Secret` or `ConfigMap` - # (required for `mtls` connectionType) + ## @param tornjak.config.clientCA.type Type of delivery for the user CA for TLS client verification. Options are `Secret` or `ConfigMap` (required for `mtls` connectionType) type: Secret + ## @param tornjak.config.clientCA.name Name of the resource secret or configMap with user CA for TLS name: tornjak-client-ca + ## @param tornjak.resources [object] Resource requests and limits resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little 
@@ -471,34 +582,38 @@ tornjak: # NOTE: This is unsupported and only to configure currently supported spire built in plugins but plugins unsupported by the chart. # Upgrades wont be tested for anything under this config. If you need this, please let the chart developers know your needs so we # can prioritize proper support. -# @ignored +## @skip unsupportedBuiltInPlugins unsupportedBuiltInPlugins: keyManager: {} nodeAttestor: {} upstreamAuthority: {} notifier: {} +## @skip customPlugins customPlugins: keyManager: {} nodeAttestor: {} upstreamAuthority: {} notifier: {} -# @ignored tests: + ## @param tests.hostAliases [array] List of host aliases for testing hostAliases: [] tls: + ## @param tests.tls.enabled Flag for enabling tls for tests enabled: false + ## @param tests.tls.customCA Custom CA value for tests customCA: "" bash: + ## @param tests.bash.image.registry The OCI registry to pull the image from + ## @param tests.bash.image.repository The repository within the registry + ## @param tests.bash.image.pullPolicy The image pull policy + ## @param tests.bash.image.version This value is deprecated in favor of tag. (Will be removed in a future release) + ## @param tests.bash.image.tag Overrides the image tag whose default is the chart appVersion + ## image: - # -- The OCI registry to pull the image from registry: cgr.dev - # -- The repository within the registry repository: chainguard/bash - # -- The image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" - # -- Overrides the image tag tag: latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4 diff --git a/charts/spire/charts/tornjak-frontend/README.md b/charts/spire/charts/tornjak-frontend/README.md index 1105e4ce5..00e385746 100644 --- a/charts/spire/charts/tornjak-frontend/README.md +++ b/charts/spire/charts/tornjak-frontend/README.md 
@@ -52,38 +52,44 @@ port forwarding. See the chart NOTES output for more details. * -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | | -| apiServerURL | string | `"http://localhost:10000/"` | URL of the Tornjak APIs (backend) Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. | -| fullnameOverride | string | `""` | | -| image.pullPolicy | string | `"IfNotPresent"` | | -| image.registry | string | `"ghcr.io"` | | -| image.repository | string | `"spiffe/tornjak-frontend"` | | -| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | -| image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) | -| imagePullSecrets | list | `[]` | | -| labels | object | `{}` | | -| nameOverride | string | `""` | | -| namespaceOverride | string | `""` | | -| nodeSelector | object | `{"kubernetes.io/arch":"amd64"}` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | -| podSecurityContext | object | `{}` | | -| securityContext | object | `{}` | | -| service.annotations | object | `{}` | | -| service.port | int | `3000` | | -| service.type | string | `"ClusterIP"` | | -| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | -| serviceAccount.name | string | `""` | The name of the service account to use. 
If not set and create is true, a name is generated using the fullname template | -| spireHealthCheck.enabled | bool | `true` | Enables the SPIRE Healthchecker indicator | -| startupProbe.enabled | bool | `true` | Enable startupProbe on Tornjak frontend container | -| startupProbe.failureThreshold | int | `6` | Failure threshold count for startupProbe | -| startupProbe.initialDelaySeconds | int | `5` | Initial delay seconds for startupProbe | -| startupProbe.periodSeconds | int | `10` | Period seconds for startupProbe | -| startupProbe.successThreshold | int | `1` | Success threshold count for startupProbe | -| startupProbe.timeoutSeconds | int | `5` | Timeout seconds for startupProbe | -| tolerations | list | `[]` | | -| topologySpreadConstraints | list | `[]` | | ----------------------------------------------- +## Parameters + +### Chart parameters + +| Name | Description | Value | +| ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | +| `image.registry` | The OCI registry to pull the image from | `ghcr.io` | +| `image.repository` | The repository within the registry | `spiffe/tornjak-frontend` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.version` | This value is deprecated in favor of tag. 
(Will be removed in a future release) | `""` | +| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` | +| `imagePullSecrets` | Pull secrets for images | `[]` | +| `nameOverride` | Name override | `""` | +| `namespaceOverride` | Namespace override | `""` | +| `fullnameOverride` | Fullname override | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` | +| `labels` | Labels for tornjak frontend pods | `{}` | +| `podSecurityContext` | Pod security context | `{}` | +| `securityContext` | Security context | `{}` | +| `service.type` | Service type | `ClusterIP` | +| `service.port` | Service port | `3000` | +| `service.annotations` | Annotations for service resource | `{}` | +| `nodeSelector` | Select specific nodes to run on (currently only amd64 is supported by Tornjak) | | +| `affinity` | Affinity rules | `{}` | +| `tolerations` | List of tolerations | `[]` | +| `topologySpreadConstraints` | List of topology spread constraints for resilience | `[]` | +| `apiServerURL` | URL of the Tornjak APIs (backend). Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. 
| `http://localhost:10000/` | +| `spireHealthCheck.enabled` | Enables the SPIRE Healthchecker indicator | `true` | +| `startupProbe.enabled` | Enable startupProbe on Tornjak frontend container | `true` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `startupProbe.failureThreshold` | Failure threshold count for startupProbe | `6` | +| `startupProbe.successThreshold` | Success threshold count for startupProbe | `1` | +| `tests.bash.image.registry` | The OCI registry to pull the image from | `cgr.dev` | +| `tests.bash.image.repository` | The repository within the registry | `chainguard/bash` | +| `tests.bash.image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `tests.bash.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` | +| `tests.bash.image.tag` | Overrides the image tag whose default is the chart appVersion | `latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4` | diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml index e947e7bf8..d39d8eed4 100644 --- a/charts/spire/charts/tornjak-frontend/values.yaml +++ b/charts/spire/charts/tornjak-frontend/values.yaml 
@@ -1,38 +1,53 @@ -# Default values for Tornjak UI (Frontend). -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. +# Default configuration for Tornjak UI (Frontend) +# SPDX-License-Identifier: APACHE-2.0 -# @ignored +## @skip global global: {} +## @section Chart parameters +## +## @param image.registry The OCI registry to pull the image from +## @param image.repository The repository within the registry +## @param image.pullPolicy The image pull policy +## @param image.version This value is deprecated in favor of tag. (Will be removed in a future release) +## @param image.tag Overrides the image tag whose default is the chart appVersion +## image: registry: ghcr.io repository: spiffe/tornjak-frontend pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" - # -- Overrides the image tag whose default is the chart appVersion. tag: "" +## @param imagePullSecrets [array] Pull secrets for images imagePullSecrets: [] + +## @param nameOverride Name override nameOverride: "" + +## @param namespaceOverride Namespace override namespaceOverride: "" + +## @param fullnameOverride Fullname override fullnameOverride: "" +## @param serviceAccount.create Specifies whether a service account should be created +## @param serviceAccount.annotations [object] Annotations to add to the service account +## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated. +## serviceAccount: - # -- Specifies whether a service account should be created create: true - # -- Annotations to add to the service account annotations: {} - # -- The name of the service account to use. 
- # If not set and create is true, a name is generated using the fullname template name: "" +## @param labels [object] Labels for tornjak frontend pods labels: {} +## @param podSecurityContext [object] Pod security context podSecurityContext: {} # fsGroup: 2000 +## @param securityContext [object] Security context securityContext: {} # capabilities: # drop: @@ -41,22 +56,30 @@ securityContext: {} # runAsNonRoot: true # runAsUser: 1000 +## @param service.type Service type +## @param service.port Service port +## @param service.annotations Annotations for service resource +## service: type: ClusterIP port: 3000 annotations: {} -# -- Select specific nodes to run on (currently only amd64 is supported by Tornjak) +## @extra nodeSelector Select specific nodes to run on (currently only amd64 is supported by Tornjak) nodeSelector: + ## @skip nodeSelector.kubernetes.io/arch kubernetes.io/arch: amd64 +## @param affinity [object] Affinity rules affinity: {} +## @param tolerations [array] List of tolerations tolerations: [] +## @param topologySpreadConstraints [array] List of topology spread constraints for resilience topologySpreadConstraints: [] -# -- Provide minimal resources to prevent accidental crashes due to resource exhaustion +## Provide minimal resources to prevent accidental crashes due to resource exhaustion # resources: # requests: # cpu: 50m 
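Review bot: The new `## @param podSecurityContext [object] Pod security context` and `## @param securityContext [object] Security context` descriptions give the generated README no hint that both defaults are `{}`, i.e. the Tornjak frontend container runs without any of the hardening shown in the commented example that starts right below (`# capabilities:` / `# drop:`) and continues into the next hunk (`# runAsNonRoot: true`, `# runAsUser: 1000`). Since the README is now the documented contract, suggest `## @param securityContext [object] Container security context; empty by default — see the commented example below for a hardened baseline (drop capabilities, run as non-root)` and matching wording for `podSecurityContext`. The commented example is cut by the hunk boundary, so the full suggested text should be checked against the lines in the following hunk.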
@@ -65,44 +88,42 @@ topologySpreadConstraints: [] # cpu: 100m # memory: 512Mi -# -- URL of the Tornjak APIs (backend) -# Since Tornjak Frontend runs in the browser, this URL must be accessible from -# the machine running a browser. +## @param apiServerURL URL of the Tornjak APIs (backend). Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. apiServerURL: "http://localhost:10000/" # 👈 Use it for minikube or kind # SPIRE Healthchecker indicator spireHealthCheck: - # -- Enables the SPIRE Healthchecker indicator + ## @param spireHealthCheck.enabled Enables the SPIRE Healthchecker indicator enabled: true ## Configure extra options for Tornjak frontend container's startup probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes +## @param startupProbe.enabled Enable startupProbe on Tornjak frontend container +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param startupProbe.failureThreshold Failure threshold count for startupProbe +## @param startupProbe.successThreshold Success threshold count for startupProbe ## startupProbe: - # -- Enable startupProbe on Tornjak frontend container enabled: true - # -- Initial delay seconds for startupProbe initialDelaySeconds: 5 - # -- Period seconds for startupProbe periodSeconds: 10 - # -- Timeout seconds for startupProbe timeoutSeconds: 5 - # -- Failure threshold count for startupProbe failureThreshold: 6 - # -- Success threshold count for startupProbe successThreshold: 1 -# @ignored tests: bash: + ## @param tests.bash.image.registry The OCI registry to pull the image from + ## @param tests.bash.image.repository The repository within the registry + ## @param tests.bash.image.pullPolicy The image pull policy + ## @param 
tests.bash.image.version This value is deprecated in favor of tag. (Will be removed in a future release) + ## @param tests.bash.image.tag Overrides the image tag whose default is the chart appVersion + ## image: - # -- The OCI registry to pull the image from registry: cgr.dev - # -- The repository within the registry repository: chainguard/bash - # -- The image pull policy pullPolicy: IfNotPresent - # -- This value is deprecated in favor of tag. (Will be removed in a future release) version: "" - # -- Overrides the image tag tag: latest@sha256:96ab1600d945b4a99c8610b5c8b31e346da63dc20573a26bb0777dd0190db5d4 diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 8b18fbc28..06493faba 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml 
@@ -1,30 +1,34 @@ -# You can enable config/features that affect all services here. +# Default configuration for Spire chart +# SPDX-License-Identifier: APACHE-2.0 + +## @section Global parameters +## Note: the parameter values specified here will override the chart level values for these parameters. +## global: k8s: - # -- This is the value of your clusters `kubeadm init --service-dns-domain` flag + ## @param global.k8s.clusterDomain Cluster domain name configured for Spire install clusterDomain: cluster.local spire: - # -- The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`) + ## @param global.spire.bundleConfigMap A configmap containing the Spire bundle + bundleConfigMap: "" + ## @param global.spire.clusterName The name of the k8s cluster for Spire install clusterName: example-cluster - # -- The trust domain to be used for the SPIFFE identifiers + ## @param global.spire.jwtIssuer The issuer for Spire JWT tokens + jwtIssuer: oidc-discovery.example.org + ## @param global.spire.trustDomain The trust domain for Spire install trustDomain: example.org - # -- Set the jwt issuer - jwtIssuer: https://oidc-discovery.example.org - # -- Override all instances of bundleConfigMap - bundleConfigMap: "" - - # -- Set what address to use for the upstream server when using nested spire + ## @param global.spire.upstreamServerAddress Set what address to use for the upstream server when using nested spire upstreamServerAddress: "" image: - # -- Override all Spire image registries at once + ## @param global.spire.image.registry Override all Spire image registries at once registry: "" installAndUpgradeHooks: - # -- Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) + ## @param global.installAndUpgradeHooks.enabled Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`) enabled: true deleteHooks: - # -- Enable Helm hooks to autofix common delete issues (should be 
disabled when using `helm template`) + ## @param global.deleteHooks.enabled Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`) enabled: true # telemetry: 
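Review bot: The new default `jwtIssuer: oidc-discovery.example.org` drops the `https://` scheme that the removed line `jwtIssuer: https://oidc-discovery.example.org` carried, and nothing else in the hunk compensates for it. OpenID Connect Discovery requires the issuer to be an https URL, and relying parties compare it byte-for-byte against the `iss` claim and the discovery document's `issuer` field, so unless the templates prepend the scheme (not visible in this diff) the new default yields a non-compliant issuer and failing token validation. Suggest restoring `jwtIssuer: https://oidc-discovery.example.org` and tightening the description to `## @param global.spire.jwtIssuer The issuer for Spire JWT tokens (must be a full https URL, matching the OIDC discovery document)`.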
@@ -36,54 +40,88 @@ global: # namespace: "kube-prometheus-system" # labels: {} -# subcharts +## subcharts + +## @section Spire server parameters +## Parameter values for Spire server +## spire-server: - # -- Enables deployment of SPIRE Server + ## @param spire-server.enabled Flag to enable Spire server enabled: true + ## @param spire-server.nameOverride Overrides the name of Spire server pods nameOverride: server - controllerManager: - # -- Enables deployment of Controller Manager + ## @param spire-server.controllerManager.enabled Enable controller manager and provision CRD's enabled: true +## @section Spire agent parameters +## Parameter values for Spire agent +## spire-agent: - # -- Enables deployment of SPIRE Agent(s) + ## @param spire-agent.enabled Flag to enable Spire agent enabled: true + ## @param spire-agent.nameOverride Overrides the name of Spire agent pods nameOverride: agent +## @section Upstream Spire agent and CSI driver configuration +## Parameter values enabling upstream spire agent and CSI driver +## upstream: - # -- enable upstream agent and driver for use with nested spire. 
+ ## @param upstream.enabled Enable upstream agent and driver for use with nested spire enabled: false +## @section Upstream Spire agent parameters +## Parameter values for upstream Spire agent +## upstream-spire-agent: - # @ignored + ## @param upstream-spire-agent.upstream Flag for enabling upstream Spire agent upstream: true + ## @param upstream-spire-agent.nameOverride Name override for upstream Spire agent nameOverride: agent-upstream + ## @param upstream-spire-agent.bundleConfigMap The configmap name for upstream Spire agent bundle bundleConfigMap: spire-bundle-upstream - + ## @param upstream-spire-agent.socketPath Socket path where Spire agent socket is mounted socketPath: /run/spire/agent-sockets-upstream/spire-agent.sock serviceAccount: + ## @param upstream-spire-agent.serviceAccount.name Service account name for upstream Spire agent name: spire-agent-upstream healthChecks: + ## @param upstream-spire-agent.healthChecks.port Health check port number for upstream Spire agent port: 9981 telemetry: prometheus: + ## @param upstream-spire-agent.telemetry.prometheus.port The port where prometheus metrics are available port: 9989 +## @section SPIFFE CSI Driver parameters +## Parameter values for spiffe-csi-driver +## spiffe-csi-driver: - # -- Enables deployment of CSI driver + ## @param spiffe-csi-driver.enabled Flag to enable spiffe-csi-driver for the cluster enabled: true +## @section Upstream SPIFFE CSI Driver parameters +## Parameter values for upstream spiffe-csi-driver +## upstream-spiffe-csi-driver: + ## @param upstream-spiffe-csi-driver.pluginName The plugin name for configuring upstream Spiffe CSI driver pluginName: upstream.csi.spiffe.io + ## @param upstream-spiffe-csi-driver.agentSocketPath The socket path where Spiffe CSI driver mounts agent socket agentSocketPath: /run/spire/agent-sockets-upstream/spire-agent.sock healthChecks: + ## @param upstream-spiffe-csi-driver.healthChecks.port The port where Spiffe CSI driver health checks are exposed port: 9810 
+## @section SPIFFE oidc discovery provider parameters +## Parameter values for spiffe-oidc-discovery-provider +## spiffe-oidc-discovery-provider: - # -- Enables deployment of OIDC discovery provider + ## @param spiffe-oidc-discovery-provider.enabled Flag to enable spiffe-oidc-discovery-provider for the cluster enabled: false +## @section Tornjak frontend parameters +## Parameter values for Tornjak frontend +## tornjak-frontend: - # -- Enables deployment of Tornjak frontend/UI (Not for production) + ## @param tornjak-frontend.enabled Enables deployment of Tornjak frontend/UI (Not for production) enabled: false diff --git a/helm-docs.sh b/helm-docs.sh index 6c264d797..91cc2bb91 100755 --- a/helm-docs.sh +++ b/helm-docs.sh 
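Review bot: `## @param upstream-spire-agent.upstream Flag for enabling upstream Spire agent` publishes a value that the removed `# @ignored` marker deliberately kept out of the docs, and its description overlaps with `## @param upstream.enabled Enable upstream agent and driver for use with nested spire` earlier in the same hunk, so the generated README now presents two different switches for the same feature. The value `upstream: true` looks like an internal marker for the aliased subchart rather than a user-facing toggle (inferred from the alias layout, not from lines shown here). Suggest either `## @skip upstream-spire-agent.upstream` to keep the previous behaviour, or rewording to `## @param upstream-spire-agent.upstream Internal marker for the upstream alias; keep at true and use upstream.enabled to turn the upstream agent on`.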
@@ -3,44 +3,21 @@ set -euo pipefail SCRIPTPATH=$(dirname "$0") -HELM_DOCS_VERSION="1.11.0" +README_GENERATOR_VERSION="2.5.1" +README_GENERATOR_EXE="readme-generator" -case "$(uname -s)" in - Linux*) - machine=Linux - shasum=sha256sum - exe=helm-docs - ;; - Darwin*) - machine=Darwin - shasum=shasum - exe=helm-docs - ;; - MINGW64*) - machine=Windows - shasum=sha256sum - exe=helm-docs.exe - ;; -esac - -function install_helm_docs { - curl -LO "https://github.com/norwoodj/helm-docs/releases/download/v${HELM_DOCS_VERSION}/helm-docs_${HELM_DOCS_VERSION}_${machine}_x86_64.tar.gz" - curl -L --output /tmp/checksums_helm-docs.txt "https://github.com/norwoodj/helm-docs/releases/download/v${HELM_DOCS_VERSION}/checksums.txt" - grep "helm-docs_${HELM_DOCS_VERSION}_${machine}_x86_64.tar.gz" /tmp/checksums_helm-docs.txt | $shasum -c - - mkdir -p "$SCRIPTPATH/bin" - tar -xf "helm-docs_${HELM_DOCS_VERSION}_${machine}_x86_64.tar.gz" "${exe}" - mv "${exe}" "$SCRIPTPATH/bin/" - rm "helm-docs_${HELM_DOCS_VERSION}_${machine}_x86_64.tar.gz" -} - -if [ ! -f "$SCRIPTPATH/bin/${exe}" ] ; then - install_helm_docs -elif [[ ! "$("$SCRIPTPATH/bin/${exe}" --version)" =~ .*"$HELM_DOCS_VERSION".* ]] ; then - install_helm_docs -else - echo "Using '$("$SCRIPTPATH/bin/${exe}" --version)'" +if ! hash "${README_GENERATOR_EXE}" 2>/dev/null; then + echo >&2 "readme-generator not installed. Installing..." + hash npm 2>/dev/null || { echo >&2 "npm is required to install ${README_GENERATOR_EXE}. Please install npm and rerun the script. 
Aborting."; exit 1; } + # platform agnostic npm install, also adds into the path + npm install -g "@bitnami/readme-generator-for-helm@${README_GENERATOR_VERSION}" fi -# validate docs -"$SCRIPTPATH/bin/${exe}" --document-dependency-values +# generate docs and show the diff +mapfile -t chart_paths < <(find "$SCRIPTPATH/charts" -type f -iname "Chart.yaml" -exec dirname {} +) +for cpath in "${chart_paths[@]}" +do + echo >&2 "Generating Chart documentation for ${cpath}…" + readme-generator --values="${cpath}/values.yaml" --readme="${cpath}/README.md" +done git diff --exit-code
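Review bot: The new install path drops both checks the removed code had — the sha256 verification (`grep ... checksums_helm-docs.txt | $shasum -c`) and the version match (`[[ ... =~ .*"$HELM_DOCS_VERSION".* ]]`) — because `hash "${README_GENERATOR_EXE}"` accepts any readme-generator already on PATH, so a contributor with a different version regenerates different READMEs and `git diff --exit-code` fails or passes depending on the machine, while a fresh `npm install -g` resolves unpinned transitive dependencies and runs their install-time scripts. Running the pinned package through `npx --yes "@bitnami/readme-generator-for-helm@${README_GENERATOR_VERSION}"` ties every run to `README_GENERATOR_VERSION` without a persistent global install (if the global install is kept, at least add `--ignore-scripts`); npx still fetches transitive dependencies at run time, so this is a version pin rather than a full integrity pin. The loop also calls `readme-generator` literally instead of `"${README_GENERATOR_EXE}"`, which the variable was introduced for.

```shell
README_GENERATOR_VERSION="2.5.1"
# Always run the pinned release via npx so CI and contributors use the same generator;
# a pre-installed readme-generator of another version on PATH is no longer accepted.
readme_generator=(npx --yes "@bitnami/readme-generator-for-helm@${README_GENERATOR_VERSION}")

# … unchanged: npm presence check and mapfile over charts/*/Chart.yaml …
for cpath in "${chart_paths[@]}"; do
  echo >&2 "Generating Chart documentation for ${cpath}…"
  "${readme_generator[@]}" --values="${cpath}/values.yaml" --readme="${cpath}/README.md"
done
```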