adding annotations and resources (#81)

Co-authored-by: Marco Franssen <[email protected]>
philips-labs · Dec 8, 2022 · bf179e7 · bf179e7
1 parent c9b1e22
commit bf179e7
Show file tree

Hide file tree

Showing 8 changed files with 56 additions and 14 deletions.
diff --git a/.github/helm-docs.sh b/.github/helm-docs.sh
@@ -5,35 +5,42 @@ set -euo pipefail
 SCRIPTPATH=$(dirname "$0")
 HELM_DOCS_VERSION="1.11.0"
 
-function install_helm_docs {
-  case "$(uname -s)" in
+case "$(uname -s)" in
     Linux*)
       machine=Linux
       shasum=sha256sum
+      exe=helm-docs
       ;;
     Darwin*)
       machine=Darwin
       shasum=shasum
+      exe=helm-docs
+      ;;
+    MINGW64*)
+      machine=Windows
+      shasum=sha256sum
+      exe=helm-docs.exe
       ;;
-    esac
+esac
 
+function install_helm_docs {
     curl -LO https://github.com/norwoodj/helm-docs/releases/download/v"${HELM_DOCS_VERSION}"/helm-docs_"${HELM_DOCS_VERSION}"_${machine}_x86_64.tar.gz
     curl -L --output /tmp/checksums_helm-docs.txt https://github.com/norwoodj/helm-docs/releases/download/v${HELM_DOCS_VERSION}/checksums.txt
     grep helm-docs_${HELM_DOCS_VERSION}_${machine}_x86_64.tar.gz /tmp/checksums_helm-docs.txt | $shasum -c -
     mkdir -p "$SCRIPTPATH/bin"
-    tar -xf helm-docs_"${HELM_DOCS_VERSION}"_${machine}_x86_64.tar.gz helm-docs
-    mv helm-docs "$SCRIPTPATH/bin/"
+    tar -xf helm-docs_"${HELM_DOCS_VERSION}"_${machine}_x86_64.tar.gz ${exe}
+    mv ${exe} "$SCRIPTPATH/bin/"
     rm helm-docs_"${HELM_DOCS_VERSION}"_${machine}_x86_64.tar.gz
 }
 
-if [ ! -f "$SCRIPTPATH/bin/helm-docs" ] ; then
+if [ ! -f "$SCRIPTPATH/bin/${exe}" ] ; then
   install_helm_docs
-elif [[ ! "$("$SCRIPTPATH/bin/helm-docs" --version)" =~ .*"$HELM_DOCS_VERSION".* ]] ; then
+elif [[ ! "$("$SCRIPTPATH/bin/${exe}" --version)" =~ .*"$HELM_DOCS_VERSION".* ]] ; then
   install_helm_docs
 else
-  echo "Using '$("$SCRIPTPATH/bin/helm-docs" --version)'"
+  echo "Using '$("$SCRIPTPATH/bin/${exe}" --version)'"
 fi
 
 # validate docs
-"$SCRIPTPATH/bin/helm-docs" -t "$SCRIPTPATH/README.md.tmpl"
+"$SCRIPTPATH/bin/${exe}" -t "$SCRIPTPATH/README.md.tmpl"
 git diff --exit-code
diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml
@@ -27,7 +27,7 @@ description: |
           - --service-account-signing-key-file=/run/config/pki/sa.key
   ```
 type: application
-version: 0.7.2
+version: 0.7.3
 appVersion: "1.5.2"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"]
 home: https://github.com/philips-labs/helm-charts/charts/spire

diff --git a/charts/spire/README.md b/charts/spire/README.md
@@ -2,7 +2,7 @@
 
 <!-- This README.md is generated. -->
 
-![Version: 0.7.2](https://img.shields.io/badge/Version-0.7.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.2](https://img.shields.io/badge/AppVersion-1.5.2-informational?style=flat-square)
+![Version: 0.7.3](https://img.shields.io/badge/Version-0.7.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.2](https://img.shields.io/badge/AppVersion-1.5.2-informational?style=flat-square)
 
 A Helm chart for deploying spire-server and spire-agent.
 
@@ -58,6 +58,7 @@ Kubernetes: `>=1.21.0-0`
 | agent.image.version | string | `""` |  |
 | agent.nodeSelector."kubernetes.io/arch" | string | `"amd64"` |  |
 | agent.resources | object | `{}` |  |
+| agent.service.annotations | object | `{}` |  |
 | csiDriver.image.pullPolicy | string | `"IfNotPresent"` |  |
 | csiDriver.image.registry | string | `"ghcr.io"` |  |
 | csiDriver.image.repository | string | `"spiffe/spiffe-csi-driver"` |  |
@@ -119,8 +120,10 @@ Kubernetes: `>=1.21.0-0`
 | server.replicaCount | int | `1` |  |
 | server.resources | object | `{}` |  |
 | server.securityContext | object | `{}` |  |
+| server.service.annotations | object | `{}` |  |
 | server.service.port | int | `8081` |  |
 | server.service.type | string | `"ClusterIP"` |  |
+| server.topologySpreadConstraints | list | `[]` |  |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.create | bool | `true` |  |
 | serviceAccount.name | string | `""` |  |
@@ -130,8 +133,10 @@ Kubernetes: `>=1.21.0-0`
 | waitForIt.image.registry | string | `"gcr.io"` |  |
 | waitForIt.image.repository | string | `"spiffe-io/wait-for-it"` |  |
 | waitForIt.image.version | string | `""` |  |
+| waitForIt.resources | object | `{}` |  |
 | workloadRegistrar.image.pullPolicy | string | `"IfNotPresent"` |  |
 | workloadRegistrar.image.registry | string | `"gcr.io"` |  |
 | workloadRegistrar.image.repository | string | `"spiffe-io/k8s-workload-registrar"` |  |
 | workloadRegistrar.image.version | string | `""` |  |
 | workloadRegistrar.resources | object | `{}` |  |
+| workloadRegistrar.service.annotations | object | `{}` |  |
diff --git a/charts/spire/templates/agent-daemonset.yaml b/charts/spire/templates/agent-daemonset.yaml
@@ -13,6 +13,10 @@ spec:
     type: RollingUpdate
   template:
     metadata:
+      {{- with .Values.agent.service.annotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       labels:
         {{- include "spire.agent.selectorLabels" . | nindent 8 }}
     spec:
@@ -28,6 +32,8 @@ spec:
           image: {{ template "spire.image" .Values.waitForIt }}
           imagePullPolicy: {{ .Values.waitForIt.image.pullPolicy }}
           args: ["-t", "30", "{{ include "spire.fullname" . }}-server:8081"]
+          resources:
+            {{- toYaml .Values.waitForIt.resources | nindent 12 }}
       {{- with .Values.agent.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -45,7 +51,7 @@ spec:
               mountPath: /run/spire/bundle
               readOnly: true
             - name: spire-agent-socket-dir
-              mountPath: /run/spire/agent-sockets
+              mountPath: {{ dir .Values.agent.config.socketPath }}
               readOnly: false
             - name: spire-token
               mountPath: /var/run/secrets/tokens
@@ -135,7 +141,7 @@ spec:
             name: {{ include "spire.fullname" . }}-bundle
         - name: spire-agent-sockets
           hostPath:
-            path: /run/spire/agent-sockets
+            path: {{ dir .Values.agent.config.socketPath }}
             type: DirectoryOrCreate
         - name: spire-token
           projected:
@@ -146,7 +152,7 @@ spec:
                 audience: spire-server
         - name: spire-agent-socket-dir
           hostPath:
-            path: /run/spire/agent-sockets
+            path: {{ dir .Values.agent.config.socketPath }}
             type: DirectoryOrCreate
         # This volume is where the socket for kubelet->driver communication lives
         - name: spiffe-csi-socket-dir

diff --git a/charts/spire/templates/server-service.yaml b/charts/spire/templates/server-service.yaml
@@ -3,6 +3,10 @@ kind: Service
 metadata:
   name: {{ include "spire.fullname" . }}-server
   namespace: {{ .Release.Namespace }}
+  {{- with .Values.server.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 8 }}
+  {{- end }}
   labels:
     {{- include "spire.server.labels" . | nindent 4 }}
 spec:

diff --git a/charts/spire/templates/server-statefulset.yaml b/charts/spire/templates/server-statefulset.yaml
@@ -93,6 +93,8 @@ spec:
             - name: spire-workload-registrar-config
               mountPath: /run/spire/k8s-workload-registrar/config
               readOnly: true
+          resources:
+            {{- toYaml .Values.workloadRegistrar.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -105,6 +107,10 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.server.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       volumes:
         - name: spire-workload-registrar-config
           configMap:

diff --git a/charts/spire/templates/workload-registrar-service.yaml b/charts/spire/templates/workload-registrar-service.yaml
@@ -3,6 +3,10 @@ kind: Service
 metadata:
   name: {{ include "spire.fullname" . }}-k8s-workload-registrar
   namespace: {{ .Release.Namespace }}
+  {{- with .Values.workloadRegistrar.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 8 }}
+  {{- end }}
   labels:
     {{- include "spire.server.labels" . | nindent 4 }}
 spec:

diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml
@@ -7,6 +7,7 @@ waitForIt:
     repository: spiffe-io/wait-for-it
     pullPolicy: IfNotPresent
     version: ""
+  resources: {}
 
 workloadRegistrar:
   image:
@@ -28,6 +29,9 @@ workloadRegistrar:
     #   cpu: 100m
     #   memory: 64Mi
 
+  service:
+    annotations: {}
+
 server:
   replicaCount: 1
   image:
@@ -63,6 +67,7 @@ server:
   service:
     type: ClusterIP
     port: 8081
+    annotations: {}
 
   podSecurityContext: {}
     # fsGroup: 2000
@@ -75,6 +80,8 @@ server:
     # runAsNonRoot: true
     # runAsUser: 1000
 
+  topologySpreadConstraints: []
+
   config:
     logLevel: info
     socketPath: /run/spire/server-sockets/spire-server.sock
@@ -110,6 +117,9 @@ agent:
     #   cpu: 100m
     #   memory: 128Mi
 
+  service:
+    annotations: {}
+
   config:
     logLevel: info
     socketPath: /run/spire/agent-sockets/spire-agent.sock