Merge branch 'fix-healthcheck'

philips-labs · Nov 6, 2022 · 911598c · 911598c
2 parents 4e92788 + 7ee84ce
commit 911598c
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 23 deletions.
diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml
@@ -27,7 +27,7 @@ description: |
           - --service-account-signing-key-file=/run/config/pki/sa.key
   ```
 type: application
-version: 0.5.5
+version: 0.5.6
 appVersion: "1.5.0"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"]
 home: https://github.com/philips-labs/helm-charts/charts/spire

diff --git a/charts/spire/README.md b/charts/spire/README.md
@@ -2,7 +2,7 @@
 
 <!-- This README.md is generated. -->
 
-![Version: 0.5.5](https://img.shields.io/badge/Version-0.5.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.0](https://img.shields.io/badge/AppVersion-1.5.0-informational?style=flat-square)
+![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.0](https://img.shields.io/badge/AppVersion-1.5.0-informational?style=flat-square)
 
 A Helm chart for deploying spire-server and spire-agent.
 
@@ -118,9 +118,9 @@ Kubernetes: `>=1.21.0-0`
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.create | bool | `true` |  |
 | serviceAccount.name | string | `""` |  |
-| spire.agent.logLevel | string | `"INFO"` |  |
+| spire.agent.logLevel | string | `"info"` |  |
 | spire.clusterName | string | `"example-cluster"` |  |
-| spire.server.logLevel | string | `"INFO"` |  |
+| spire.server.logLevel | string | `"info"` |  |
 | spire.trustDomain | string | `"example.org"` |  |
 | tolerations | list | `[]` |  |
 | waitForIt.image.pullPolicy | string | `"IfNotPresent"` |  |

diff --git a/charts/spire/templates/oidc-deployment.yaml b/charts/spire/templates/oidc-deployment.yaml
@@ -40,8 +40,10 @@ spec:
           args:
             - -config
             - /run/spire/oidc/config/oidc-discovery-provider.conf
-          {{- if not .Values.oidc.insecureScheme.enabled }}
           ports:
+            - containerPort: 8008
+              name: health
+          {{- if not .Values.oidc.insecureScheme.enabled }}
             - containerPort: 443
               name: https
           {{- end }}
@@ -55,16 +57,19 @@ spec:
             - name: spire-oidc-config
               mountPath: /run/spire/oidc/config/
               readOnly: true
-          readinessProbe:
-            exec:
-              command: ["/bin/ps", "aux", "|", "grep", "oidc-discovery-provider -config /run/spire/oidc/config/oidc-discovery-provider.conf"]
-            initialDelaySeconds: 5
-            periodSeconds: 5
-          livenessProbe:
-            exec:
-              command: ["/bin/ps", "aux", "|", "grep", "oidc-discovery-provider -config /run/spire/oidc/config/oidc-discovery-provider.conf"]
-            initialDelaySeconds: 5
-            periodSeconds: 5
+          # Needs new release of spire to fix the http healthchecks
+          # readinessProbe:
+          #   httpGet:
+          #     path: /ready
+          #     port: health
+          #   initialDelaySeconds: 5
+          #   periodSeconds: 5
+          # livenessProbe:
+          #   httpGet:
+          #     path: /live
+          #     port: health
+          #   initialDelaySeconds: 5
+          #   periodSeconds: 5
           resources:
             {{- toYaml .Values.oidc.resources | nindent 12 }}
         {{- if .Values.oidc.insecureScheme.enabled }}

diff --git a/charts/spire/templates/oidc-dp-configmap.yaml b/charts/spire/templates/oidc-dp-configmap.yaml
@@ -17,16 +17,22 @@ data:
     listen_socket_path = "/run/spire/oidc-sockets/oidc-server.sock"
     {{- else }}
     acme {
-        directory_url = "{{ .Values.oidc.acme.directoryUrl }}"
-        cache_dir = "{{ .Values.oidc.acme.cacheDir }}"
-        tos_accepted = {{ .Values.oidc.acme.tosAccepted }}
-        email = "{{ .Values.oidc.acme.emailAddress }}"
+      directory_url = "{{ .Values.oidc.acme.directoryUrl }}"
+      cache_dir = "{{ .Values.oidc.acme.cacheDir }}"
+      tos_accepted = {{ .Values.oidc.acme.tosAccepted }}
+      email = "{{ .Values.oidc.acme.emailAddress }}"
     }
     {{- end }}
 
     workload_api {
-        socket_path = "/run/spire/agent-sockets/agent.sock"
-        trust_domain = "{{ .Values.spire.trustDomain }}"
+      socket_path = "/run/spire/agent-sockets/agent.sock"
+      trust_domain = "{{ .Values.spire.trustDomain }}"
+    }
+
+    health_checks {
+      bind_port = "8008"
+      ready_path = "/ready"
+      live_path = "/live"
     }
   {{- if .Values.oidc.insecureScheme.enabled }}
   default.conf.template: |

diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml
@@ -33,6 +33,8 @@ workloadRegistrar:
 
 server:
   image:
+    # registry: gcr.io
+    # repository: spiffe-io/spire-server
     registry: ghcr.io
     repository: spiffe/spire-server
     pullPolicy: IfNotPresent
@@ -104,6 +106,8 @@ oidc:
   enabled: false
 
   image:
+    # registry: gcr.io
+    # repository: spiffe-io/oidc-discovery-provider
     registry: ghcr.io
     repository: spiffe/spire-oidc-provider
     pullPolicy: IfNotPresent
@@ -158,6 +162,8 @@ oidc:
 
 agent:
   image:
+    # registry: gcr.io
+    # repository: spiffe-io/spire-agent
     registry: ghcr.io
     repository: spiffe/spire-agent
     pullPolicy: IfNotPresent
@@ -227,6 +233,6 @@ spire:
   clusterName: "example-cluster"
   trustDomain: "example.org"
   agent:
-    logLevel: INFO
+    logLevel: info
   server:
-    logLevel: INFO
+    logLevel: info