From bf179e759a9f2e18a5657f33aaff8d8cc278e3b1 Mon Sep 17 00:00:00 2001
From: Ken Huffman
Date: Thu, 8 Dec 2022 02:50:40 -0500
Subject: [PATCH] adding annotations and resources (#81)
Co-authored-by: Marco Franssen
---
 .github/helm-docs.sh | 25 ++++++++++++-------
 charts/spire/Chart.yaml | 2 +-
 charts/spire/README.md | 7 +++++-
 charts/spire/templates/agent-daemonset.yaml | 12 ++++++--
 charts/spire/templates/server-service.yaml | 4 +++
 .../spire/templates/server-statefulset.yaml | 6 +++++
 .../templates/workload-registrar-service.yaml | 4 +++
 charts/spire/values.yaml | 10 ++++++++
 8 files changed, 56 insertions(+), 14 deletions(-)
diff --git a/.github/helm-docs.sh b/.github/helm-docs.sh
index 1334b5ed..0044aca8 100755
--- a/.github/helm-docs.sh
+++ b/.github/helm-docs.sh
@@ -5,35 +5,42 @@ set -euo pipefail
 SCRIPTPATH=$(dirname "$0")
 HELM_DOCS_VERSION="1.11.0"
-function install_helm_docs {
- case "$(uname -s)" in
+case "$(uname -s)" in
 Linux*)
 machine=Linux
 shasum=sha256sum
+ exe=helm-docs
 ;;
 Darwin*)
 machine=Darwin
 shasum=shasum
+ exe=helm-docs
+ ;;
+ MINGW64*)
+ machine=Windows
+ shasum=sha256sum
+ exe=helm-docs.exe
 ;;
- esac
+esac
+function install_helm_docs {
 curl -LO https://github.com/norwoodj/helm-docs/releases/download/v"${HELM_DOCS_VERSION}"/helm-docs_"${HELM_DOCS_VERSION}"_${machine}_x86_64.tar.gz
 curl -L --output /tmp/checksums_helm-docs.txt https://github.com/norwoodj/helm-docs/releases/download/v${HELM_DOCS_VERSION}/checksums.txt
 grep helm-docs_${HELM_DOCS_VERSION}_${machine}_x86_64.tar.gz /tmp/checksums_helm-docs.txt | $shasum -c -
 mkdir -p "$SCRIPTPATH/bin"
- tar -xf helm-docs_"${HELM_DOCS_VERSION}"_${machine}_x86_64.tar.gz helm-docs
- mv helm-docs "$SCRIPTPATH/bin/"
+ tar -xf helm-docs_"${HELM_DOCS_VERSION}"_${machine}_x86_64.tar.gz ${exe}
+ mv ${exe} "$SCRIPTPATH/bin/"
 rm helm-docs_"${HELM_DOCS_VERSION}"_${machine}_x86_64.tar.gz
 }
-if [ ! -f "$SCRIPTPATH/bin/helm-docs" ] ; then
+if [ ! -f "$SCRIPTPATH/bin/${exe}" ] ; then
 install_helm_docs
-elif [[ ! "$("$SCRIPTPATH/bin/helm-docs" --version)" =~ .*"$HELM_DOCS_VERSION".* ]] ; then
+elif [[ ! "$("$SCRIPTPATH/bin/${exe}" --version)" =~ .*"$HELM_DOCS_VERSION".* ]] ; then
 install_helm_docs
 else
- echo "Using '$("$SCRIPTPATH/bin/helm-docs" --version)'"
+ echo "Using '$("$SCRIPTPATH/bin/${exe}" --version)'"
 fi
 # validate docs
-"$SCRIPTPATH/bin/helm-docs" -t "$SCRIPTPATH/README.md.tmpl"
+"$SCRIPTPATH/bin/${exe}" -t "$SCRIPTPATH/README.md.tmpl"
 git diff --exit-code
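Review bot: The new top-level `case "$(uname -s)" in` has no `*)` arm, so on any other platform `machine`, `shasum` and `exe` stay unset and the script aborts at the first `${exe}` expansion with a bare "unbound variable" from `set -u` instead of a stated reason; add `*) echo "unsupported platform: $(uname -s)" >&2; exit 1 ;;` before `esac`. The archive is verified against `checksums.txt` downloaded from the same release URL, which detects a corrupted transfer but cannot detect a replaced release asset, since both come from one origin; if that assurance is wanted, pin the expected digest for `HELM_DOCS_VERSION` in the script and compare against it. Both `curl` calls also run without `--fail`, so an HTTP error page would be written to the tarball or checksum file and the failure only surfaces later as a checksum mismatch; `curl -fLO ...` makes the download step fail at the point of error.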
@@ -27,7 +27,7 @@ description: |
 - --service-account-signing-key-file=/run/config/pki/sa.key
 ```
 type: application
-version: 0.7.2
+version: 0.7.3
 appVersion: "1.5.2"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"]
 home: https://github.com/philips-labs/helm-charts/charts/spire
diff --git a/charts/spire/README.md b/charts/spire/README.md
index e79218f6..57916560 100644
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
@@ -2,7 +2,7 @@
-![Version: 0.7.2](https://img.shields.io/badge/Version-0.7.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.2](https://img.shields.io/badge/AppVersion-1.5.2-informational?style=flat-square)
+![Version: 0.7.3](https://img.shields.io/badge/Version-0.7.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.2](https://img.shields.io/badge/AppVersion-1.5.2-informational?style=flat-square)
 A Helm chart for deploying spire-server and spire-agent.
@@ -58,6 +58,7 @@ Kubernetes: `>=1.21.0-0`
 | agent.image.version | string | `""` | |
 | agent.nodeSelector."kubernetes.io/arch" | string | `"amd64"` | |
 | agent.resources | object | `{}` | |
+| agent.service.annotations | object | `{}` | |
 | csiDriver.image.pullPolicy | string | `"IfNotPresent"` | |
 | csiDriver.image.registry | string | `"ghcr.io"` | |
 | csiDriver.image.repository | string | `"spiffe/spiffe-csi-driver"` | |
@@ -119,8 +120,10 @@ Kubernetes: `>=1.21.0-0`
 | server.replicaCount | int | `1` | |
 | server.resources | object | `{}` | |
 | server.securityContext | object | `{}` | |
+| server.service.annotations | object | `{}` | |
 | server.service.port | int | `8081` | |
 | server.service.type | string | `"ClusterIP"` | |
+| server.topologySpreadConstraints | list | `[]` | |
 | serviceAccount.annotations | object | `{}` | |
 | serviceAccount.create | bool | `true` | |
 | serviceAccount.name | string | `""` | |
@@ -130,8 +133,10 @@ Kubernetes: `>=1.21.0-0`
 | waitForIt.image.registry | string | `"gcr.io"` | |
 | waitForIt.image.repository | string | `"spiffe-io/wait-for-it"` | |
 | waitForIt.image.version | string | `""` | |
+| waitForIt.resources | object | `{}` | |
 | workloadRegistrar.image.pullPolicy | string | `"IfNotPresent"` | |
 | workloadRegistrar.image.registry | string | `"gcr.io"` | |
 | workloadRegistrar.image.repository | string | `"spiffe-io/k8s-workload-registrar"` | |
 | workloadRegistrar.image.version | string | `""` | |
 | workloadRegistrar.resources | object | `{}` | |
+| workloadRegistrar.service.annotations | object | `{}` | |
diff --git a/charts/spire/templates/agent-daemonset.yaml b/charts/spire/templates/agent-daemonset.yaml
index c3971049..895fa2b2 100644
--- a/charts/spire/templates/agent-daemonset.yaml
+++ b/charts/spire/templates/agent-daemonset.yaml
@@ -13,6 +13,10 @@ spec:
 type: RollingUpdate
 template:
 metadata:
+ {{- with .Values.agent.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 labels:
 {{- include "spire.agent.selectorLabels" . | nindent 8 }}
 spec:
@@ -28,6 +32,8 @@ spec:
 image: {{ template "spire.image" .Values.waitForIt }}
 imagePullPolicy: {{ .Values.waitForIt.image.pullPolicy }}
 args: ["-t", "30", "{{ include "spire.fullname" . }}-server:8081"]
+ resources:
+ {{- toYaml .Values.waitForIt.resources | nindent 12 }}
 {{- with .Values.agent.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
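Review bot: The value is named `agent.service.annotations` but the block in this hunk writes it into the DaemonSet's pod `template.metadata`, not onto a Service, whereas `server.service.annotations` and `workloadRegistrar.service.annotations` added in the same commit land on actual Service objects; a user reading the README row for this key will expect Service metadata. Since the key is new in this commit, renaming it now (for example `agent.podAnnotations`) costs nothing, and if the name is kept the values.yaml entry needs a `# --` helm-docs line stating that these annotations are applied to the agent pods. Either way, note that any change to these annotations alters the pod template and therefore triggers a rollout of the agent DaemonSet.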
@@ -45,7 +51,7 @@ spec:
 mountPath: /run/spire/bundle
 readOnly: true
 - name: spire-agent-socket-dir
- mountPath: /run/spire/agent-sockets
+ mountPath: {{ dir .Values.agent.config.socketPath }}
 readOnly: false
 - name: spire-token
 mountPath: /var/run/secrets/tokens
@@ -135,7 +141,7 @@ spec:
 name: {{ include "spire.fullname" . }}-bundle
 - name: spire-agent-sockets
 hostPath:
- path: /run/spire/agent-sockets
+ path: {{ dir .Values.agent.config.socketPath }}
 type: DirectoryOrCreate
 - name: spire-token
 projected:
@@ -146,7 +152,7 @@ spec:
 audience: spire-server
 - name: spire-agent-socket-dir
 hostPath:
- path: /run/spire/agent-sockets
+ path: {{ dir .Values.agent.config.socketPath }}
 type: DirectoryOrCreate
 # This volume is where the socket for kubelet->driver communication lives
 - name: spiffe-csi-socket-dir
diff --git a/charts/spire/templates/server-service.yaml b/charts/spire/templates/server-service.yaml
index a3a5d06d..006bfc05 100644
--- a/charts/spire/templates/server-service.yaml
+++ b/charts/spire/templates/server-service.yaml
@@ -3,6 +3,10 @@ kind: Service
 metadata:
 name: {{ include "spire.fullname" . }}-server
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.server.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 labels:
 {{- include "spire.server.labels" . | nindent 4 }}
 spec:
diff --git a/charts/spire/templates/server-statefulset.yaml b/charts/spire/templates/server-statefulset.yaml
index 5618c7dd..b7e09c9a 100644
--- a/charts/spire/templates/server-statefulset.yaml
+++ b/charts/spire/templates/server-statefulset.yaml
@@ -93,6 +93,8 @@ spec:
 - name: spire-workload-registrar-config
 mountPath: /run/spire/k8s-workload-registrar/config
 readOnly: true
+ resources:
+ {{- toYaml .Values.workloadRegistrar.resources | nindent 12 }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
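Review bot: The new `mountPath: {{ dir .Values.agent.config.socketPath }}` is rendered unquoted, as are the two `path:` lines in the hunks at -135 and -146, so a `socketPath` value containing YAML-significant characters such as `: ` or ` #` produces an invalid manifest; render all three as `{{ dir .Values.agent.config.socketPath | quote }}`. Both hostPath volumes keep `type: DirectoryOrCreate`, so the directory derived from this user-supplied value is now created on every node the agent runs on, and `dir` of a value with no slash yields `.`; a `# --` comment on `agent.config.socketPath` in values.yaml should state that its parent directory is host-mounted, created if missing, and must be an absolute path. If the CSI driver container or other templates refer to the agent socket directory, those references are outside these hunks and would need the same expression — confirm against the rest of the file.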
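Review bot: The added `annotations` block in server-service.yaml indents its content with `nindent 8` while the sibling `labels` block two lines below uses `nindent 4`, so the rendered Service has annotation keys eight columns under a key that sits at column 2; YAML accepts the deeper indentation, but it looks like a copy of the pod-template block from agent-daemonset.yaml rather than a deliberate choice. Use `{{- toYaml . | nindent 4 }}` to match `labels`; the identical block added to workload-registrar-service.yaml has the same mismatch.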
@@ -105,6 +107,10 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- with .Values.server.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 volumes:
 - name: spire-workload-registrar-config
 configMap:
diff --git a/charts/spire/templates/workload-registrar-service.yaml b/charts/spire/templates/workload-registrar-service.yaml
index 5e8722af..0588e905 100644
--- a/charts/spire/templates/workload-registrar-service.yaml
+++ b/charts/spire/templates/workload-registrar-service.yaml
@@ -3,6 +3,10 @@ kind: Service
 metadata:
 name: {{ include "spire.fullname" . }}-k8s-workload-registrar
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.workloadRegistrar.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 labels:
 {{- include "spire.server.labels" . | nindent 4 }}
 spec:
diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml
index 1e78ebc5..ca38ff04 100644
--- a/charts/spire/values.yaml
+++ b/charts/spire/values.yaml
@@ -7,6 +7,7 @@ waitForIt:
 repository: spiffe-io/wait-for-it
 pullPolicy: IfNotPresent
 version: ""
+ resources: {}
 workloadRegistrar:
 image:
@@ -28,6 +29,9 @@ workloadRegistrar:
 # cpu: 100m
 # memory: 64Mi
+ service:
+ annotations: {}
+
 server:
 replicaCount: 1
 image:
@@ -63,6 +67,7 @@ server:
 service:
 type: ClusterIP
 port: 8081
+ annotations: {}
 podSecurityContext: {}
 # fsGroup: 2000
@@ -75,6 +80,8 @@ server:
 # runAsNonRoot: true
 # runAsUser: 1000
+ topologySpreadConstraints: []
+
 config:
 logLevel: info
 socketPath: /run/spire/server-sockets/spire-server.sock
@@ -110,6 +117,9 @@ agent:
 # cpu: 100m
 # memory: 128Mi
+ service:
+ annotations: {}
+
 config:
 logLevel: info
 socketPath: /run/spire/agent-sockets/spire-agent.sock
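Review bot: The new `topologySpreadConstraints` block passes the value through `toYaml` unchanged, so each entry must carry its own `labelSelector` matching the server pods' labels for the constraint to count anything; nothing in this hunk or the `topologySpreadConstraints: []` default in values.yaml tells the user that. Add a commented example above the default in values.yaml showing `maxSkew`, `topologyKey`, `whenUnsatisfiable` and a `labelSelector` built from the server's selector labels, so a user does not ship a constraint that silently spreads nothing. The enclosing pod spec starts before this hunk.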
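Review bot: None of the keys added to values.yaml in this commit (`waitForIt.resources`, `workloadRegistrar.service.annotations`, `server.service.annotations`, `server.topologySpreadConstraints`, `agent.service.annotations`) carries a `# --` helm-docs description, which is why every corresponding README row added by the same commit has an empty description column. Add one line per key, e.g. `# -- Resource requests and limits for the wait-for-it init container` above `resources: {}` in the -7 hunk. `waitForIt.resources: {}` also lacks the commented `limits`/`requests` example that the neighbouring `resources` keys show (`# cpu: 100m`, `# memory: 64Mi` in the -28 hunk); carrying the same example keeps the file self-explanatory.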