spire-server v.1.10.0 breaks default chart. #420

Closed
massaox opened this issue Aug 12, 2024 · 4 comments · Fixed by #423

Comments

@massaox

massaox commented Aug 12, 2024

Hi,

I have noticed that now the chart 0.21.1 uses the spire-server 1.10.0 which is set to run as the user 1000. Now if you deploy the chart with the default values you will get this:

time="2024-08-12T12:20:34Z" level=warning msg="Current umask 0022 is too permissive; setting umask 0027"
time="2024-08-12T12:20:34Z" level=info msg=Configured admin_ids="[]" data_dir=/run/spire/data launch_log_level=info
time="2024-08-12T12:20:34Z" level=info msg="Opening SQL database" db_type=sqlite3 subsystem_name=sql
time="2024-08-12T12:20:34Z" level=error msg="Fatal run error" error="datastore-sql: unable to open database file: no such file or directory"
time="2024-08-12T12:20:34Z" level=error msg="Server crashed" error="datastore-sql: unable to open database file: no such file or directory"

I had to add the following to the values.yaml to make it work.

spire-server:
  podSecurityContext:
    fsGroup: 1000

Chart version:

helm list -A
NAME      	NAMESPACE	REVISION	UPDATED                                	STATUS  	CHART           	APP VERSION
spire     	spire    	1       	2024-08-12 14:32:42.985943129 +0000 UTC	deployed	spire-0.21.1    	1.10.0
@kfox1111
Collaborator

Hmm... It's passing our testing. How did you deploy it? Is it a fresh install, or is it an upgrade of an existing deployment?

@kfox1111
Collaborator

Ok. I can confirm. Installation works ok. When trying to upgrade it though, it's failing, as k8s doesn't know an id changed, so it's not chowning the files automatically.

@kfox1111
Collaborator

Filed #421

@massaox
Author

massaox commented Aug 13, 2024

Hi. It was a fresh install; however, I have just tried again on a fresh GKE cluster. These are the exact commands I ran:

helm upgrade --install --create-namespace -n spire spire-crds spire-crds  --repo https://spiffe.github.io/helm-charts-hardened/
helm upgrade --install -n spire spire spire --repo https://spiffe.github.io/helm-charts-hardened/

And got the same error as before:

$ kubectl -n spire logs spire-server-0
time="2024-08-13T06:06:46Z" level=warning msg="Current umask 0022 is too permissive; setting umask 0027"
time="2024-08-13T06:06:46Z" level=info msg=Configured admin_ids="[]" data_dir=/run/spire/data launch_log_level=info
time="2024-08-13T06:06:46Z" level=info msg="Opening SQL database" db_type=sqlite3 subsystem_name=sql
time="2024-08-13T06:06:46Z" level=error msg="Fatal run error" error="datastore-sql: unable to open database file: no such file or directory"
time="2024-08-13T06:06:46Z" level=error msg="Server crashed" error="datastore-sql: unable to open database file: no such file or directory"
$ helm list -A
NAME      	NAMESPACE	REVISION	UPDATED                                	STATUS  	CHART           	APP VERSION
spire     	spire    	1       	2024-08-13 06:05:08.669709966 +0000 UTC	deployed	spire-0.21.1    	1.10.0
spire-crds	spire    	1       	2024-08-13 06:04:44.734769824 +0000 UTC	deployed	spire-crds-0.4.0	0.0.1
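
An added example, not part of the thread or the chart: a small model of the Linux permission check behind the `fsGroup: 1000` workaround, showing why a process running as UID 1000 can be unable to create its datastore file in a volume and how setting `fsGroup` changes the outcome. The volume's starting ownership and mode (root:root, 0755) are assumed for illustration, and `Dir`, `can_create_file` and `apply_fsgroup` are hypothetical names.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Dir:
    uid: int   # owning user of the directory
    gid: int   # owning group of the directory
    mode: int  # permission bits, e.g. 0o755


def can_create_file(uid: int, gids: set, d: Dir) -> bool:
    """Discretionary access check for creating a file in d.

    Creating a file needs write + execute on the directory. Exactly one
    permission class applies: owner, else group, else other.
    """
    if uid == 0:
        return True  # assumes root keeps CAP_DAC_OVERRIDE in the container
    if uid == d.uid:
        bits = (d.mode >> 6) & 0o7
    elif d.gid in gids:
        bits = (d.mode >> 3) & 0o7
    else:
        bits = d.mode & 0o7
    return bits & 0o3 == 0o3


def apply_fsgroup(d: Dir, fs_group: int) -> Dir:
    """Model of what the kubelet does to a volume directory when
    podSecurityContext.fsGroup is set: group ownership becomes fsGroup,
    and rwx for owner/group plus the setgid bit are OR-ed into the mode."""
    return Dir(d.uid, fs_group, d.mode | 0o770 | stat.S_ISGID)


# Constructed scenario: data volume owned by root:root with mode 0755 (assumed).
VOLUME = Dir(uid=0, gid=0, mode=0o755)
RUN_AS_UID = 1000  # user the thread says spire-server 1.10.0 runs as

# Without fsGroup the process falls into the "other" class (r-x): no write.
without_fsgroup = can_create_file(RUN_AS_UID, {RUN_AS_UID}, VOLUME)

# With fsGroup: 1000 the process gets 1000 as a supplementary group and the
# directory becomes group-writable for that group.
FIXED = apply_fsgroup(VOLUME, 1000)
with_fsgroup = can_create_file(RUN_AS_UID, {RUN_AS_UID, 1000}, FIXED)

if __name__ == "__main__":
    print("writable without fsGroup:", without_fsgroup)
    print("writable with fsGroup=1000:", with_fsgroup, oct(FIXED.mode))
```
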
