spiffe · faisal-memon · Oct 26, 2024 · Oct 23, 2024 · Oct 23, 2024 · Oct 23, 2024
@@ -30,9 +30,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
 
     steps:
       - run: 'echo "Skipping tests"'
@@ -74,9 +74,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
         example:
           - ${{ fromJson(needs.build-matrix.outputs.examples) }}
 
@@ -92,9 +92,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
         example:
           - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}
 
@@ -110,9 +110,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
 
     steps:
       - run: 'echo "Skipping upgrade-test"'
@@ -21,9 +21,9 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  HELM_VERSION: v3.12.0
+  HELM_VERSION: v3.16.2
   PYTHON_VERSION: 3.11.3
-  KIND_VERSION: v0.19.0
+  KIND_VERSION: v0.24.0
   CHART_TESTING_VERSION: v3.8.0
 
 jobs:
@@ -130,9 +130,9 @@ jobs:
         # Kubernetes, but can go back farther as long as we don't need heroics
         # to pull it off (i.e. kubectl version juggling).
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
 
     steps:
       - name: Checkout
@@ -218,9 +218,9 @@ jobs:
       fail-fast: false
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
         example:
           - ${{ fromJson(needs.build-matrix.outputs.examples) }}
 
@@ -243,7 +243,7 @@ jobs:
         # Only build a kind cluster if there are chart changes to test.
         with:
           version: ${{ env.KIND_VERSION }}
-          node_image: kindest/node:v1.26.4
+          node_image: kindest/node:${{ matrix.k8s }}
           config: .github/kind/conf/kind-config.yaml
           verbosity: 1
 
@@ -256,6 +256,7 @@ jobs:
             kubectl create namespace spire-server
             helm install -n spire-server spire-crds charts/spire-crds
           fi
+          export K8S="${{ matrix.k8s }}"
           ${{ matrix.example }}/run-tests.sh
 
   integration-test:
@@ -269,9 +270,9 @@ jobs:
       fail-fast: false
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
         integrationtest:
           - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}
 
@@ -294,7 +295,7 @@ jobs:
         # Only build a kind cluster if there are chart changes to test.
         with:
           version: ${{ env.KIND_VERSION }}
-          node_image: kindest/node:v1.26.4
+          node_image: kindest/node:${{ matrix.k8s }}
           config: .github/kind/conf/kind-config.yaml
           verbosity: 1
 
@@ -314,9 +315,9 @@ jobs:
       fail-fast: false
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
 
     steps:
       - name: Checkout
@@ -337,7 +338,7 @@ jobs:
         # Only build a kind cluster if there are chart changes to test.
         with:
           version: ${{ env.KIND_VERSION }}
-          node_image: kindest/node:v1.26.4
+          node_image: kindest/node:${{ matrix.k8s }}
           config: .github/kind/conf/kind-config.yaml
           verbosity: 1
 

@@ -40,6 +40,23 @@ Allow the release namespace to be overridden for multi-namespace deployments in
   {{- end -}}
 {{- end -}}
 
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "spiffe-csi-driver.server-namespace" -}}
+  {{- if .Values.serverNamespaceOverride -}}
+    {{- .Values.serverNamespaceOverride -}}
+  {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
+    {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
+      {{- .Values.global.spire.namespaces.server.name }}
+    {{- else }}
+      {{- printf "spire-server" }}
+    {{- end }}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}

@@ -0,0 +1,37 @@
+{{- $upstream := eq .Values.pluginName "upstream.csi.spiffe.io" }}
+{{- $detectedValidation := semverCompare ">=1.30-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- $policyEnabled := .Values.validatingAdmissionPolicy.enabled | toString }}
+{{- $auto := eq $policyEnabled "auto" }}
+{{- if or (eq $policyEnabled "true") (and $auto $upstream $detectedValidation) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: {{ .Values.pluginName | quote }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+  validations:
+  - expression: |
+      !object.spec.volumes.exists(c, has(c.csi) && has(c.csi.driver) && c.csi.driver == {{ .Values.pluginName | quote }})
+    message: 'you may not use the upstream.csi.spiffe.io csi driver'
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: {{ .Values.pluginName | quote }}
+spec:
+  policyName: {{ .Values.pluginName | quote }}
+  validationActions: ["Deny"]
+  matchResources:
+    namespaceSelector:
+      matchExpressions:
+      - key: "kubernetes.io/metadata.name"
+        operator: NotIn
+        values:
+        - {{ include "spiffe-csi-driver.server-namespace" . | quote }}
+{{- end }}
@@ -60,6 +60,13 @@ nameOverride: ""
 ## @param namespaceOverride Namespace to install spiffe-csi-driver
 namespaceOverride: ""
 
+## @param serverNamespaceOverride Override the namespace that the spire-server is installed into
+serverNamespaceOverride: ""
+
+validatingAdmissionPolicy:
+  ## @param validatingAdmissionPolicy.enabled When set to auto, the validatingAdmissionPolicy will be enabled when the pluginName == "upstream.csi.spiffe.io" and k8s >= 1.30.0. Valid options are [auto, true, false]
+  enabled: auto
+
 ## @param fullnameOverride Full name override for spiffe-csi-driver
 fullnameOverride: ""
 

@@ -5,4 +5,3 @@
 
 tags:
   nestedChildFull: true
-
@@ -71,7 +71,9 @@ kubectl rollout status -n kube-system -w --timeout=1m deploy/coredns
 for cluster in child other; do
   KC="${SCRIPTPATH}/kubeconfig-${cluster}"
 
-  kind create cluster --name "${cluster}" --kubeconfig "${SCRIPTPATH}/kubeconfig-${cluster}" --config "${SCRIPTPATH}/.test-files/${cluster}-kind-config.yaml"
+  kind create cluster --name "${cluster}" --kubeconfig "${SCRIPTPATH}/kubeconfig-${cluster}" --config "${SCRIPTPATH}/.test-files/${cluster}-kind-config.yaml" --image "kindest/node:${K8S}"
+
+  kubectl version --kubeconfig "${SCRIPTPATH}/kubeconfig-${cluster}"
   md5sum "${KC}"
   wc -l "${KC}"
 

@@ -73,7 +73,7 @@ kubectl rollout status -n kube-system -w --timeout=1m deploy/coredns
 for cluster in child; do
   KC="${SCRIPTPATH}/kubeconfig-${cluster}"
 
-  kind create cluster --name "${cluster}" --kubeconfig "${SCRIPTPATH}/kubeconfig-${cluster}" --config "${SCRIPTPATH}/.test-files/${cluster}-kind-config.yaml"
+  kind create cluster --name "${cluster}" --kubeconfig "${SCRIPTPATH}/kubeconfig-${cluster}" --config "${SCRIPTPATH}/.test-files/${cluster}-kind-config.yaml" --image "kindest/node:${K8S}"
   md5sum "${KC}"
   wc -l "${KC}"
 
@@ -102,6 +102,7 @@ helm upgrade --install --create-namespace --namespace spire-mgmt --values "${COM
 # The check is being too pedantic.
 # shellcheck shell=bash disable=SC2043
 for cluster in child; do
+  kubectl version --kubeconfig "${SCRIPTPATH}/kubeconfig-${cluster}"
   KC="${SCRIPTPATH}/kubeconfig-${cluster}"
   kubectl --kubeconfig "${KC}" get configmap -n spire-system spire-bundle-upstream -o yaml
   kubectl --kubeconfig "${KC}" rollout restart daemonset spire-agent-downstream -n spire-system