diff --git a/README.md b/README.md index a7b212f4..83cafec9 100644 --- a/README.md +++ b/README.md @@ -79,14 +79,6 @@ at: . [You can also build **VMware Secrets Manager** from the source][build]. -## The Roadmap - -[We publicly track all **VMware Secrets Manager** plans on this -roadmap page][roadmap]. - -You can check it out to get a glimpse of the current planned features and how -the future of **VMware Secrets Manager** looks like. - ## Status of This Software **VMware Secrets Manager** is under dynamic and progressive development. @@ -235,11 +227,6 @@ There are special long-living branches that the project maintains. You can find the changelog and migration/upgrade instructions (*if any*) on [**VMware Secrets Manager**'s Changelog Page][changelog]. -## What's Coming Up Next? - -You can see the project's progress [in this **VMware Secrets Manager** -roadmap][roadmap]. - ## Code Of Conduct [Be a nice citizen](CODE_OF_CONDUCT.md). @@ -287,7 +274,6 @@ We'd love to have them. [pkg-go-dev]: https://pkg.go.dev/github.com/vmware-tanzu/secrets-manager "VSecM Go Docs" [production]: https://vsecm.com/documentation/production/overview/ "VSecM Production Deployment" [quickstart]: https://vsecm.com/documentation/getting-started/overview/ "VSecM Quickstart" -[roadmap]: https://vsecm.com/timeline/roadmap/ "VSecM Roadmap" [sdk]: https://vsecm.com/documentation/usage/sdk/ "VSecM Developer SDK" [slack-invite]: https://join.slack.com/t/a-101-103-105-s/shared_invite/zt-287dbddk7-GCX495NK~FwO3bh_DAMAtQ "Join VSecM Slack" [spire]: https://spiffe.io/ "SPIFFE: Secure Production Identity Framework for Everyone" diff --git a/app/scout/cmd/main.go b/app/scout/cmd/main.go index ecae7c9f..ed72eaf1 100644 --- a/app/scout/cmd/main.go +++ b/app/scout/cmd/main.go 
@@ -25,10 +25,11 @@ func main() {
 http.HandleFunc("/webhook", nets.Webhook)
- // Has side effect of initializing jwt token if provided.
- tlsConfig := nets.TlsConfig()
-
 if env.ScoutTlsEnabled() {
+ log.InfoLn(&id, "scout: TLS enabled")
+
+ tlsConfig := nets.TlsConfig()
+
 server := &http.Server{
 Addr: env.ScoutHttpPort(),
 TLSConfig: tlsConfig,
@@ -43,6 +44,8 @@ func main() {
 }
 return
+ } else {
+ log.InfoLn(&id, "scout: TLS disabled")
 }
 log.InfoLn(&id, "Server is running on", env.ScoutHttpPort())
diff --git a/app/scout/internal/net/tls.go b/app/scout/internal/net/tls.go
index 29042b48..425b648e 100644
--- a/app/scout/internal/net/tls.go
+++ b/app/scout/internal/net/tls.go
@@ -7,7 +7,6 @@ import (
 "fmt"
 "github.com/spiffe/vsecm-sdk-go/sentry"
 "log"
- "strings"
 )
 var (
@@ -37,17 +36,23 @@ func TlsConfig() *tls.Config {
 value := secret["value"].(string)
 switch name {
+ // do this initialization elsewhere
+ // also you might need a lock since jwtsecret is a shared resource.
 //case "raw:vsecm-scout-jwt-secret":
 // jwtSecret = value
 case "raw:vsecm-scout-crt":
 serverCert = value
 case "raw:vsecm-scout-key":
 serverKey = value
- default:
- if strings.HasPrefix(name, "raw:") &&
- !strings.HasPrefix(name, "raw:vsecm-scout") {
- secretsToServe[strings.TrimPrefix(name, "raw:")] = value
- }
+
+ // This is not related to TLS config. Move it elsewhere.
+ // Ideally, update it in a loop. Also, `secretsToServe` is a shared
+ // resource; so you might want a thread-safe map for it.
+ //default:
+ // if strings.HasPrefix(name, "raw:") &&
+ // !strings.HasPrefix(name, "raw:vsecm-scout") {
+ // secretsToServe[strings.TrimPrefix(name, "raw:")] = value
+ // }
 }
 }
diff --git a/docs/content/community/contributor-hours.md b/docs/content/community/contributor-hours.md
deleted file mode 100644
index e10d7095..00000000
--- a/docs/content/community/contributor-hours.md
+++ /dev/null
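Review bot: When TLS is disabled the new `else` branch only emits `log.InfoLn(&id, "scout: TLS disabled")` and then falls through to the plaintext listener on `env.ScoutHttpPort()`, so the `/webhook` handler registered at the top of the hunk is served over unencrypted HTTP with nothing in the log marking that as a degraded mode; this should at least be a warning with a comment that plaintext is for local development only, e.g. `log.InfoLn(&id, "scout: TLS disabled; /webhook is served over plaintext HTTP, do not use in production")` (or the package's warning level, if it has one). Moving `nets.TlsConfig()` inside the TLS branch also means the plaintext path no longer runs the secret-fetch loop that `TlsConfig()` wraps, and since the same commit comments out the `secretsToServe` population in `tls.go` without adding a replacement, nothing visible in this change loads the secrets the webhook is meant to serve in either mode. The `else` after a branch that ends in `return` is unidiomatic Go; drop the `else` and log on the fall-through line to keep the happy path flat. The TLS server also binds `Addr: env.ScoutHttpPort()` even though the chart passes a separate `VSECM_SCOUT_TLS_PORT`, which looks like a port mismatch worth confirming. The body of `main` continues past the end of the hunk.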
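Review bot: Commenting out the `default:` branch leaves `secretsToServe` without any writer in this commit, so whatever handler reads it will serve an empty or never-refreshed set; the new comment says the population should move elsewhere, but that move is not part of this change, so either keep the branch until the replacement lands or reference the tracking issue in the comment. The unchecked type assertion on the context line above the switch, `value := secret["value"].(string)`, will panic the whole process if a fetched secret's payload is not a string; `value, ok := secret["value"].(string); if !ok { continue }` (or returning an error) is the safer shape for data coming from another service. The note about `jwtSecret` needing initialization and a lock is worth acting on rather than leaving as a comment: if the webhook's authorization depends on `jwtSecret` and nothing now sets it, confirm whether that makes the check fail closed rather than open. The loop enclosing this switch starts and ends outside the hunk.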
@@ -1,78 +0,0 @@ -+++ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -title = "VSecM Contributor Hour" -weight = 2 -+++ - -> **Welcome 👋** -> -> Welcome to the **VMware Secrets Manager** Contributor Hour, a monthly meeting -> dedicated to the **VMware Secrets Manager** (*VSecM*). - -This meeting serves as a platform for contributors, maintainers, and anyone -interested in the project to come together and discuss key aspects of -**VMware Secrets Manager**'s future. - -* **Date/Time**: Every last Thursday on every month @ 08:00am Pacific -* [**Calendar ICS**](https://calendar.google.com/calendar/ical/0ef770e47ae11cea2b00a743eed3812768cc3f9c2a45fee6207f4c9c8b0dc5ce%40group.calendar.google.com/public/basic.ics) -* [**Meetings Notes**](https://docs.google.com/document/d/19Al-IEEdvrcted9HdXCYyiHRCJSJs2Di9uYPZ_ssygs) -* [**Zoom Meeting**](https://us06web.zoom.us/j/82734769083?pwd=NDJBR2RIZjR6KzhhK2pNL1ZsRzRJZz09) - -## Goals - -* Discuss **VMware Secrets Manager** project direction and roadmap. -* Provide a high-bandwidth forum in which the community can voice needs and - make proposals. -* Achieve maintainer consensus on architectural decisions related to major - **VMware Secrets Manager** features. - -## Non-Goals - -* **VMware Secrets Manager** maintenance. -* Triaging, troubleshooting, and resolving issues. - -## Meeting Recordings - - - -### VMware Secrets Manager Contributor Sync 004 -- 2024-08-29 - -
- -### VMware Secrets Manager Contributor Sync 003 -- 2024-03-28 - -
- -### VMware Secrets Manager Contributor Sync 002 -- 2024-01-25 - -
- -### VMware Secrets Manager Contributor Sync 001 -- 2023-09-29 - -
- -{{ edit() }} diff --git a/docs/content/community/hello.md b/docs/content/community/hello.md index 2407f7e6..b7274836 100644 --- a/docs/content/community/hello.md +++ b/docs/content/community/hello.md @@ -13,18 +13,6 @@ title = "VSecM Community" weight = 1 +++ - - > **Hi 👋** > > Thank you for wanting to be part of the community ❤️. @@ -62,36 +50,6 @@ channel, rather than dispersing them across multiple platforms. [kampus]: https://discord.gg/kampus "Join Kampus Discord Server" -## Join Our Public Meetings - -> **We Are Stronger Together** -> -> **VMware Secrets Manager** meetings are open for everyone, you are more than -> welcome to join. - - -### VSecM Contributor Sync - -* **Date/Time**: Every last Thursday on every month @ 08:00am Pacific -* [**Calendar ICS**](https://calendar.google.com/calendar/ical/0ef770e47ae11cea2b00a743eed3812768cc3f9c2a45fee6207f4c9c8b0dc5ce%40group.calendar.google.com/public/basic.ics) -* [**Meetings Notes**](https://docs.google.com/document/d/19Al-IEEdvrcted9HdXCYyiHRCJSJs2Di9uYPZ_ssygs) -* [**Zoom Meeting**](https://us06web.zoom.us/j/82734769083?pwd=NDJBR2RIZjR6KzhhK2pNL1ZsRzRJZz09) - -#### Goals - -* Discuss **VMware Secrets Manager** project direction and roadmap. -* Provide a high-bandwidth forum in which the community can voice needs and make proposals. -* Achieve maintainer consensus on architectural decisions related to major - **VMware Secrets Manager** features. - -#### Non-Goals - -* **VMware Secrets Manager** maintenance. -* Triaging, troubleshooting, and resolving issues. - -[contributing]: https://github.com/vmware-tanzu/secrets-manager/blob/main/CONTRIBUTING.md -[code-of-conduct]: https://github.com/vmware-tanzu/secrets-manager/blob/main/CODE_OF_CONDUCT.md - ## Thank You ❤️ Thanks so much for your interest: It means a lot 🙏. diff --git a/docs/content/timeline/_index.md b/docs/content/timeline/_index.md index b539c537..4923e067 100644 --- a/docs/content/timeline/_index.md +++ b/docs/content/timeline/_index.md 
@@ -12,7 +12,7 @@ title = "Timeline"
 weight = 3
 sort_by = "weight"
-redirect_to = "timeline/roadmap"
+redirect_to = "timeline/changelog"
 insert_anchor_links = "left"
 +++
diff --git a/docs/content/timeline/roadmap.md b/docs/content/timeline/roadmap.md
deleted file mode 100644
index f615a3c4..00000000
--- a/docs/content/timeline/roadmap.md
+++ /dev/null
@@ -1,388 +0,0 @@ -+++ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -title = "VSecM Roadmap" -weight = 10 -+++ - -## Introduction - -This is a page where we publish our approximate roadmap for **VMware Secrets -Manager** for Cloud-Native Apps. Note that this is not a commitment to deliver -any of the features listed here, and that the roadmap is subject to change at -any time without notice. - -Whenever we release a new version of **VMware Secrets Manager**, we will update -this page, and also [the changelog](@/timeline/changelog.md) to reflect the changes. - -> **One-Year Window** -> -> This page will only contain information about the next 12 months of the -> project. We will update the roadmap every release, and remove the completed -> items from the list, and add a new iteration at the end of the list. - -## Active Iterations - -### VSecM v0.29.0 (*codename: Indus*) - -**Oct 16, 2024 - Jan, 31, 2025** - -This iteration focuses on several enhancements and fixes aimed at improving -flexibility and security. Key areas include: - -* Introducing secret kind ‘raw’ for external operators. -* Enhancements to VSecM Sentinel with nested encryption. -* Removing autoscaling from Helm charts. -* Configuring sleep intervals for better resource control. -* Improving PostgreSQL table configurations via environment variables. -* Utilizing Web Crypto API for secure secret relay. -* Additionally, we are addressing good first issues like increasing test - coverage and optimizing the landing page CSS. - -[Here is a list of issues that are candidate for VSecM vIndus](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.29.0-candidate+). 
- -### VSecM v0.30.0 (*codename: Lupus*) - -**Feb 01, 2025 - Feb 28, 2025** - -This iteration focuses on several key features and enhancements: - -* Fetching data in the GoLang SDK using a `jq` filter. -* Better support for secret versioning. -* A new hub-spoke secrets relay architecture. -* Adding multi-tenancy capabilities. -* Integration tests and in-memory persistence improvements. -* New video tutorials and updated documentation for clarity. - -The goal is to solidify multi-tenancy, streamline secret handling, and -improve system stability through better testing and documentation. - -[Here is a list of issues that are candidate for VSecM -vLupus](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.30.0-candidate+). - -### VSecM v0.31.0 (*codename: Mensa*) - -**Mar 01, 2025 - Apr 11, 2025** - -This iteration focuses on enhancing security and user-requested features: - -* Audit logging and log streaming. -* Rate limiting to control access. -* Hierarchical secrets management and better root key support from external users. -* A `/purge` API to remove orphaned secret backups. -* Features like secret versioning, ACL for secret access, and storing large - Kubeconfig files. -* Several CLI enhancements for improved usability. -* Enhanced support for Java SDK, alongside multi-tenancy and operator-specific - encryption capabilities. - -[Here is a list of issues that are candidate for VSecM -vMensa](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.31.0-candidate+). - -### VSecM v0.32.0 (*codename: Norma*) - -**Apr 12, 2025 - May 09, 2025** - -This iteration brings major enhancements for system security and SDK expansion: - -* Development of a UI for VSecM Sentinel leveraging OIDC functionality. -* Introduction of user auditing capabilities in Sentinel. -* New SDKs in Rust and Python. -* Enhancements for SPIRE Helm charts, supporting x509 node attestation. -* Optional support for AWS KMS for master key storage. 
-* Consideration of Redis as a memory backing store for VSecM Safe. - -These improvements focus on expanding SDKs, improving audit capabilities, and -integrating new storage options. - -[Here is a list of issues that are candidate for VSecM vNorma](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.32.0-candidate+). - -### VSecM v0.33.0 (*codename: Orion*) - -**May 10, 2025 - Jun 06, 2025** - -This iteration focuses on improving security, scalability, and coverage: - -* ClusterSPIFFEID management added to Sentinel. -* RBAC/ABAC policy support for enhanced access control. -* Scalability improvements with multiple VSecM Safe instances. -* 60% test coverage target across the project. -* New hashing of log lines to prevent tampering and increase security. -* Documentation on federating identity control planes for VSecM. - -These enhancements aim to solidify security, scalability, and manageability -while enhancing project test coverage. - -[Here is a list of issues that are candidate for VSecM vOrion](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.33.0-candidate+). - -### VSecM v0.34.0 (*codename: Perseus*) - -**Jun 07, 2025 - Jul 04, 2025** - -This iteration emphasizes enhancements around Helm charts and key management for SPIRE: - -* Support for key rotation. -* Expanded Helm chart capabilities, including customizing node attestors, - key managers, and data stores for both SPIRE server and agent. -* Configurable options for telemetry and federation in SPIRE. -* Key storage on persistent volumes (PVs) and custom upstream authorities. -* Focus on integrating SSH node attestation and improving system resilience via - retry logic. -* These changes aim to enhance flexibility, security, and scalability in managing - SPIRE deployments. - -[Here is a list of issues that are candidate for VSecM -vPerseus](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.34.0-candidate+). 
- -### VSecM v0.35.0 (*codename: Reticulum*) - -**Jul 05, 2025 - Aug 01, 2025** - -This release emphasizes improved flexibility and synchronization for key and -secret management: - -* Support for VSecM Safe as an alternative to the in-memory store, with two-way - sync. -* Integration with cloud KMS and databases for secret backups, root key storage, - and versioning. -* New `/stats` and `/health` endpoints for VSecM Safe. -* Persistent root key storage across cloud KMS and persistent volumes, with - automatic updates to VSecM memory. - -These features enhance resilience and scalability across various storage backends. - -[Here is a list of issues that are candidate for VSecM -vReticulum](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.35.0-candidate+). - -### VSecM v0.36.0 (*codename: Sagittarius*) - -**Aug 02, 2025 - Aug 29, 2025** - -This release continues to enhance security and storage capabilities: - -* Use a separate VSecM Safe to store root keys, improving security by avoiding - reliance on Kubernetes secrets. -* Focus on workflows and improving overall security measures within VSecM - infrastructure. - -These updates aim to bolster the system’s integrity by leveraging dedicated, -secure storage solutions for critical keys. - -[Here is a list of issues that are candidate for VSecM -vSagittarius](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.36.0-candidate+). - -### VSecM v0.37.0 (*codename: Telescopium*) - -**Aug 30, 2025 - Nov 03 2025** - -This iteration focuses on demonstrating key features through extensive video -tutorials: - -* Demos on key management, secret decryption, root key changes, and large file - encryption. -* Showcasing integrations with tools like Keycloak and Cassandra. -* Use cases for federated SPIRE, three-way federation, and GitOps. -* Secrets handling across multiple VSecM instances, namespaces, and workloads. -* Deploying VSecM on Kubernetes clusters and EKS. 
- -* These video demonstrations enhance understanding of VSecM’s advanced features - and integrations. - -[Here is a list of issues that are candidate for VSecM -vTelescopium](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.37.0-candidate+). - -### VSecM v0.38.0 (*codename: Ursa*) - -**Nov 04, 2025 - Dec 01 2025** - -This release focuses on improving automated testing and security demos: - -* Achieve 90% test coverage using FLOSS automated test suites. -* A demo showcasing the integration of OPA (Open Policy Agent) with VSecM. -* Further enhancements to the workflow and project infrastructure. - -* These updates are crucial for strengthening the project's testing capabilities -* and demonstrating VSecM's integration with modern policy management tools like OPA. - -[Here is a list of issues that are candidate for VSecM -vUrsa](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.38.0-candidate+). - -### VSecM v0.39.0 (*codename: Virgo*) - -**Dec 02, 2025 - Dec 29 2025** - -This release focuses on enhancing security, replication, and integration: - -* `ValidatingAdmissionWebhook` to ensure proper ClusterSPIFFEID templates. -* Secrets rotation demo with a sidecar. -* Replication support for multiple VSecM Safe instances. -* Improved audit logging with separation options. -* Kubernetes Operator for automating VSecM sidecar and init container injection. - -These enhancements aim to improve multi-cloud integration, security, and -cluster management capabilities. - -[Here is a list of issues that are candidate for VSecM -vVirgo](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.39.0-candidate+). - -### VSecM v0.40.0 (*codename: Antlia*) - -**Dec 30, 2025 - Jan 26 2026** - -This release enhances key integration and testing functionalities: - -* Expanded secrets rotation demo with sidecar integration. -* Sentinel OIDC Resource Server functionality included in integration tests. 
-* Documentation for VSecM Sentinel OIDC authentication. -* Replication support for multiple VSecM Safe instances. -* Exploration of minimal disruption secret refresh strategies. -* Customizable kubelet verification in Helm charts. -* Self-security assessment and independent security audit. - -This release focuses on improving authentication, replication, and security -testing. - -[Here is a list of issues that are candidate for VSecM -vAntlia](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.40.0-candidate+). - -### VSecM v0.41.0 (*codename: Bellatrix*) - -**Jan 27, 2026 - Feb 23 2026** - -This is a "*catch all*" that contains all remaining documented future plans. -We will create new iterations from it as the time gets closer. - -[Here is a list of issues that are candidate for VSecM -vBellatrix](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.41.0-candidate+). - -## Closed Iterations - -### VSecM v0.28.0 (*codename: Hydra*) - -**Dec 30, 2025 - Jan 26, 2026** - -This iteration was about increasing coverage. We will focus on unit tests. - -In addition, we are targeted to fix certain low-hanging bugs and improve -stability. - -[Here is a list of issues that were candidate for VSecM vHydra -](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.28.0-candidate+). - -### VSecM v0.27.0 (*codename: Gemini*) - -**May 23, 2024 - Jun 19, 2024** - -The sole focus of this iteration was increasing unit test coverage and adding -more integration tests. - -We also introduced improvements too; however, stability will be our main -focus. - -[Here is a list of issues that are candidate for VSecM vGemini -](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.27.0-candidate+). - -### VSecM v0.26.1 (*codename: Fornax*) - -**Apr 25, 2024 - May 22, 2024** - -This iteration will was about stability and documentation updates. 
- -We also introduced a lot of flexibility such as ability to use custom -namespaces, trust domains, and regex-based SPIFFEID validation. - -[Here is a list of issues that are candidate for VSecM vFornax -](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.26.1-candidate+). - -### VSecM v0.25.0 (*codename: Eridanus*) - -**Mar 28, 2023 - Apr 24, 2024** - -This iteration was mostly about security and stability. - -[Here is a list of issues that were closed in vEridanus](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.25.0-candidate+). - -### VSecM v0.24.0 (*codename: Draco*) - -**Feb 29, 2023 - Mar 27, 2023** - -To automate things and be able to dynamically follow issues better, from -this point on we started labeling them and share the GitHub filter here. - -This iteration was mainly focused on demos and documentation. - -[Here is a list of issues that were closed in vDraco](https://github.com/vmware-tanzu/secrets-manager/issues?q=is%3Aissue+label%3Av0.24.0-candidate+). - -### VSecM v0.23.0 (*codename: Cassiopeia*) - -**Feb 01, 2024 - Feb 28, 2024** - -This iteration was focused on improving how **VMware Secrets Manager** -logs and reports errors. We will also focus on improving the performance of the -**VMware Secrets Manager** website. - -* `Secret`less VSecM: Ability to use VMware Secrets Manager **without** relying - on Kubernetes `Secret`s. This will allow users to use **VMware Secrets Manager** - without having to create Kubernetes `Secret`s at all--even for the root keys. -* Ability to use VSecM across clusters (*multi-cluster federation support*). -* More automation, and stability improvements. -* Ability to use an "*init command*" for **VSecM Sentinel** to run before the - world starts. -* Ability to generate pattern-based random secrets. -* The operator shall be able to export secrets in an encrypted format, and - can decrypt them, if they have the right permissions. 
-* A public ECR registry to share the untested "*edge*" versions of **VMware - Secrets Manager**, for those who like living dangerously. -* Focus on increasing test coverage. -* Ability to create Kubernetes `Secret`s without necessarily associating them - with a workload. -* Adding "invalid before" and "expires after" timestamps to secrets, to - help with secret rotation. -* Progress towards Open SSF Best Practices compliance; reaching 97% of the - requirements. - -### VSecM v0.22.0 (*codename: Boötes*) - -**Sep 12, 2023 - Jan 31, 2024** - -This was a relatively longer release because due to the "*time-stop*" effect of -the holiday season, the majority of the core contributors will be spending quality -time with their loved ones and recharging their batteries for the upcoming year. - -This release will be more about enhancing deployment workflows, testing automation -and CI/CD pipelines. We will also focus on improving the overall user experience. - -* Ability for an operator to export secrets (*by providing a public key*), - to use in other workflows. -* More documentation updates. -* More flexibility in SPIFFEID validation. -* Increased stability. -* Lots of documentation updates, especially around security and production - setup. -* Static code analysis. -* Website enhancement: Versioned snapshots of the documentation. -* Option for **VSecM** to run in-memory; without having to rely on any backing - store. -* Security: Ability to lock VSecM Safe. - -### VSecM v0.21.0 (*codename: Andromeda*) - -**Aug 15, 2023 - Sep, 11, 2023** - -This was a stability-focused release. We focused on fixing bugs, improving -stability, and improving workflows and CI/CD pipelines. We also created -missing documentation and generated new video tutorials that feature the current -version of **VMware Secrets Manager**. - -[Check out the release notes](/docs/changelog/) to learn more about what has -been added, changed, and fixed in this release. - -{{ edit() }} 
diff --git a/docs/templates/index.html b/docs/templates/index.html index 1c773159..aa7dd94b 100644 --- a/docs/templates/index.html +++ b/docs/templates/index.html @@ -64,31 +64,7 @@ VMware Secrets Manager documentation root. -
- Calendar Favorite 1 Streamline Icon: https://streamlinehq.com -  Mark Your Calendars: - The next - VSecM Contributor Sync - will be on... - 🎃 Thursday, 2024-10-31 🎃 - at 8:00am Pacific time. -
diff --git a/hack/update-k8s-manifests.sh b/hack/update-k8s-manifests.sh index f41e83b0..8c788366 100755 --- a/hack/update-k8s-manifests.sh +++ b/hack/update-k8s-manifests.sh @@ -36,7 +36,7 @@ function produceK8sManifests() { echo "producing manifests for spire deployments" - helm template "$helmChartPath" $NAME_TEMPLATE $DEPLOY_KEYSTONE_FALSE $DEPLOY_SAFE_FALSE $DEPLOY_SENTINEL_FALSE > $k8sManifestsDirectory/spire.yaml || exit 1 + helm template "$helmChartPath" $NAME_TEMPLATE $DEPLOY_KEYSTONE_FALSE $DEPLOY_SAFE_FALSE $DEPLOY_SCOUT_FALSE $DEPLOY_SENTINEL_FALSE > $k8sManifestsDirectory/spire.yaml || exit 1 echo "producing manifests for vsecm local deployments" helm template "$helmChartPath" $NAME_TEMPLATE $LOCAL_REGISTRY $DISTROLESSS_IMAGE $DEPLOY_SPIRE_FALSE > $localManifests/vsecm-distroless.yaml || exit 1 diff --git a/helm-charts/0.28.1/charts/safe/templates/ServiceAccount.yaml b/helm-charts/0.28.1/charts/safe/templates/ServiceAccount.yaml index 549cdcab..66fe4f87 100644 --- a/helm-charts/0.28.1/charts/safe/templates/ServiceAccount.yaml +++ b/helm-charts/0.28.1/charts/safe/templates/ServiceAccount.yaml @@ -9,7 +9,7 @@ # */ {{- if .Values.serviceAccount.create -}} - +# apiVersion: v1 kind: ServiceAccount metadata: diff --git a/helm-charts/0.28.1/charts/scout/templates/Deployment.yaml b/helm-charts/0.28.1/charts/scout/templates/Deployment.yaml index 5ac3a2f4..24432554 100644 --- a/helm-charts/0.28.1/charts/scout/templates/Deployment.yaml +++ b/helm-charts/0.28.1/charts/scout/templates/Deployment.yaml 
@@ -17,23 +17,23 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 labels:
- {{- include "scout.selectorLabels" | nindent 8 }}
+ {{- include "scout.selectorLabels" . | nindent 8 }}
 spec:
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
- serviceAccountName: {{ include "scout.serviceAccountName" }}
+ serviceAccountName: {{ include "scout.serviceAccountName" . }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 containers:
 - name: name
- image: "{{ .Values.global.registry }}/{{- include "scout.repository" }}:{{ .Values.global.images.scout.tag }}"
+ image: "{{ .Values.global.registry }}/{{- include "scout.repository" . }}:{{ .Values.global.images.scout.tag }}"
 env:
 - name: SPIFFE_ENDPOINT_SOCKET
 value: "unix:///spire-agent-socket/spire-agent.sock"
 - name: VSECM_SCOUT_TLS_ENABLED
- value: {{ .Values.service.tlsEnabled }}
+ value: {{ .Values.service.tlsEnabled | quote }}
 - name: VSECM_SCOUT_HTTP_PORT
 value: ":{{ .Values.service.httpPort }}"
 - name: VSECM_SCOUT_TLS_PORT
@@ -46,7 +46,7 @@ spec:
 - containerPort: {{ .Values.service.tlsPort }}
 {{- else }}
 - containerPort: {{ .Values.service.httpPort }}
- {{-end }}
+ {{- end }}
 volumeMounts:
 - name: spire-agent-socket
 mountPath: /spire-agent-socket
diff --git a/helm-charts/0.28.1/charts/scout/templates/Identity.yaml b/helm-charts/0.28.1/charts/scout/templates/Identity.yaml
index 21d7c865..88b7a90d 100644
--- a/helm-charts/0.28.1/charts/scout/templates/Identity.yaml
+++ b/helm-charts/0.28.1/charts/scout/templates/Identity.yaml
@@ -11,7 +11,7 @@
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ClusterSPIFFEID
 metadata:
- name: {{ include "scout.fullname" }}
+ name: {{ include "scout.fullname" . }}
 spec:
 className: {{ .Values.global.spire.controllerManagerClassName | quote }}
 spiffeIDTemplate: {{ .Values.global.vsecm.scoutSpiffeIdTemplate }}
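Review bot: The repaired `{{- end }}` block exposes `containerPort: {{ .Values.service.tlsPort }}` when TLS is on, but the Go server in this same commit binds its TLS listener to `env.ScoutHttpPort()`, which the chart feeds from `.Values.service.httpPort`; unless `ScoutHttpPort()` is redefined elsewhere, the declared port and the listening port disagree in TLS mode, so one of the two needs to change. The `| quote` on `VSECM_SCOUT_TLS_ENABLED` is the right fix since env values must be strings, but the same treatment is missing for any other non-string value rendered into `env` in this chart, so it is worth a pass over the rest of the file. The container is still named with the literal placeholder `- name: name`; `- name: scout` would make pod logs and `kubectl exec -c` usable. The image reference is tag-based (`:{{ .Values.global.images.scout.tag }}`); for a component that serves secrets, consider supporting an optional digest value so deployments can pin an immutable image.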
diff --git a/helm-charts/0.28.1/charts/scout/templates/ServiceAccount.yaml b/helm-charts/0.28.1/charts/scout/templates/ServiceAccount.yaml
index f8eded7e..e837da28 100644
--- a/helm-charts/0.28.1/charts/scout/templates/ServiceAccount.yaml
+++ b/helm-charts/0.28.1/charts/scout/templates/ServiceAccount.yaml
@@ -9,7 +9,7 @@
 # */
 {{- if .Values.serviceAccount.create }}
-
+#
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -17,8 +17,8 @@ metadata:
 namespace: {{ .Values.global.vsecm.namespace }}
 labels:
 {{- include "scout.labels" . | nindent 4 }}
- annotations:
 {{- with .Values.serviceAccount.annotations }}
+ annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 automountServiceAccountToken: false
diff --git a/helm-charts/0.28.1/values.yaml b/helm-charts/0.28.1/values.yaml
index 9316f5c4..8ec2f67d 100644
--- a/helm-charts/0.28.1/values.yaml
+++ b/helm-charts/0.28.1/values.yaml
@@ -43,7 +43,7 @@ global:
 deploySentinel: true
 # -- Deploy VSecM Scout
- deployScout: true
+ deployScout: false
 # -- Possible options for baseImage (distroless, distroless-fips). When in
 # doubt, stick with distroless.
diff --git a/k8s/0.28.1/local/vsecm-distroless-fips.yaml b/k8s/0.28.1/local/vsecm-distroless-fips.yaml
index 07f38d3a..91a88c1e 100644
--- a/k8s/0.28.1/local/vsecm-distroless-fips.yaml
+++ b/k8s/0.28.1/local/vsecm-distroless-fips.yaml
@@ -48,8 +48,7 @@ automountServiceAccountToken: false
 # >/
 # <>/' Copyright 2023-present VMware Secrets Manager contributors.
 # >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
+# */#
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -348,10 +347,10 @@ metadata:
 spec:
 type: ClusterIP
 ports:
- - port: 8443
- targetPort: 8443
- protocol: TCP
- name: http
+ - port: 8443
+ targetPort: 8443
+ protocol: TCP
+ name: http
 selector:
 app.kubernetes.io/name: vsecm-safe
 app.kubernetes.io/instance: vsecm
diff --git a/k8s/0.28.1/local/vsecm-distroless.yaml b/k8s/0.28.1/local/vsecm-distroless.yaml
index 2c914e8a..eeedd95a 100644
--- a/k8s/0.28.1/local/vsecm-distroless.yaml
+++ b/k8s/0.28.1/local/vsecm-distroless.yaml
@@ -48,8 +48,7 @@ automountServiceAccountToken: false
 # >/
 # <>/' Copyright 2023-present VMware Secrets Manager contributors.
 # >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
+# */#
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -348,10 +347,10 @@ metadata:
 spec:
 type: ClusterIP
 ports:
- - port: 8443
- targetPort: 8443
- protocol: TCP
- name: http
+ - port: 8443
+ targetPort: 8443
+ protocol: TCP
+ name: http
 selector:
 app.kubernetes.io/name: vsecm-safe
 app.kubernetes.io/instance: vsecm
diff --git a/k8s/0.28.1/remote/vsecm-distroless-fips.yaml b/k8s/0.28.1/remote/vsecm-distroless-fips.yaml
index 195b7ce8..32ffa865 100644
--- a/k8s/0.28.1/remote/vsecm-distroless-fips.yaml
+++ b/k8s/0.28.1/remote/vsecm-distroless-fips.yaml
@@ -48,8 +48,7 @@ automountServiceAccountToken: false
 # >/
 # <>/' Copyright 2023-present VMware Secrets Manager contributors.
 # >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
+# */#
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -348,10 +347,10 @@ metadata:
 spec:
 type: ClusterIP
 ports:
- - port: 8443
- targetPort: 8443
- protocol: TCP
- name: http
+ - port: 8443
+ targetPort: 8443
+ protocol: TCP
+ name: http
 selector:
 app.kubernetes.io/name: vsecm-safe
 app.kubernetes.io/instance: vsecm
diff --git a/k8s/0.28.1/remote/vsecm-distroless.yaml b/k8s/0.28.1/remote/vsecm-distroless.yaml
index 2b679a51..de49df99 100644
--- a/k8s/0.28.1/remote/vsecm-distroless.yaml
+++ b/k8s/0.28.1/remote/vsecm-distroless.yaml
@@ -48,8 +48,7 @@ automountServiceAccountToken: false
 # >/
 # <>/' Copyright 2023-present VMware Secrets Manager contributors.
 # >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
+# */#
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -348,10 +347,10 @@ metadata:
 spec:
 type: ClusterIP
 ports:
- - port: 8443
- targetPort: 8443
- protocol: TCP
- name: http
+ - port: 8443
+ targetPort: 8443
+ protocol: TCP
+ name: http
 selector:
 app.kubernetes.io/name: vsecm-safe
 app.kubernetes.io/instance: vsecm
diff --git a/makefiles/VSecMHelmUtils.mk b/makefiles/VSecMHelmUtils.mk
index 8010c8d7..9e17876c 100644
--- a/makefiles/VSecMHelmUtils.mk
+++ b/makefiles/VSecMHelmUtils.mk
@@ -14,6 +14,7 @@ export DISTROLESSS_IMAGE := --set global.baseImage=distroless
 export DISTROLESSS_FIPS_IMAGE := --set global.baseImage=distroless-fips
 export HELM_CHART_PATH := "./helm-charts/${VERSION}"
 export NAME_TEMPLATE := --name-template vsecm
+export DEPLOY_SCOUT_FALSE := --set global.deployScout=false
 export DEPLOY_SAFE_FALSE := --set global.deploySafe=false
 export DEPLOY_SENTINEL_FALSE := --set global.deploySentinel=false
 export DEPLOY_SPIRE_FALSE := --set global.deploySpire=false