helm docs update (#1022)
* changelog update

Signed-off-by: Volkan Özçelik <[email protected]>

* 📚 docs(VSecM): helm docs update

Signed-off-by: Volkan Özçelik <[email protected]>

---------

Signed-off-by: Volkan Özçelik <[email protected]>
v0lkan authored Jun 29, 2024
1 parent 8ba7d54 commit 49ae83f
Showing 6 changed files with 71 additions and 42 deletions.
12 changes: 6 additions & 6 deletions docs/content/documentation/operations/release-management.md
Expand Up @@ -266,7 +266,12 @@ first.

For example `make k8s-manifests-update VERSION=0.22.4`

### 10. Release Helm Charts
### 10. Update Helm Documentation

If you have updated inline documentation in helm charts, make sure to reflect
the changes by running `./hack/helm-docs.sh`.

### 11. Release Helm Charts

> **Pull Recent `gh-pages` Changes**
>
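Review bot: the new step 10 tells the reader to run `./hack/helm-docs.sh` but never to commit what it regenerates, and step 11 goes on to publish the charts, so freshly regenerated chart READMEs (for example `helm-charts/0.26.0/README.md`) could be left uncommitted when the release is cut. Suggest a second sentence after "by running `./hack/helm-docs.sh`": "Commit the regenerated chart `README.md` files before moving on to step 11."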
Expand Down Expand Up @@ -300,11 +305,6 @@ the `gh-pages` branch.
> `main` branch. Older versions should be snapshotted in the `gh-pages` branch
> using the workflow described above.
### 11. Update Helm Documentation
If you have updated inline documentation in helm charts, make sure to reflect
the changes by running `./hack/helm-docs.sh`.
### 12. Add a Snapshot of the Current Documentation
The `docs` branch contains a snapshot of each documentation in versioned
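Review bot: the numbering stays consistent after this removal (10 Update Helm Documentation, 11 Release Helm Charts, 12 Add a Snapshot of the Current Documentation), but "Update Helm Documentation" has moved from 11 to 10 while "Release Helm Charts" has moved from 10 to 11, so any other page or checklist that refers to either step by its old number now points at the wrong one; grep the docs for references to those two headings by number before merging.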
13 changes: 8 additions & 5 deletions helm-charts/0.26.0/README.md
Expand Up @@ -118,20 +118,23 @@ The sections below are autogenerated from chart source code:
| global.images.spireControllerManager | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-controller-manager","tag":"0.5.0"}` | Container registry details of SPIRE Controller Manager. |
| global.images.spireServer | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.9.4"}` | Container registry details of SPIRE Server. |
| global.registry | string | `"vsecm"` | Registry url. Defaults to "vsecm", which points to the public vsecm DockerHub registry: <https://hub.docker.com/u/vsecm>. |
| global.spire | object | `{"logLevel":"DEBUG","namespace":"spire-system","serverPort":8081,"trustDomain":"vsecm.com"}` | SPIRE-related global configuration. |
| global.spire | object | `{"logLevel":"DEBUG","namespace":"spire-system","serverAddress":"spire-server.spire-server.svc.cluster.local","serverNamespace":"spire-server","serverPort":8081,"trustDomain":"vsecm.com"}` | SPIRE-related global configuration. |
| global.spire.logLevel | string | `"DEBUG"` | The log level of the SPIRE components. This is useful for debugging. |
| global.spire.namespace | string | `"spire-system"` | This is the namespace where the SPIRE components will be deployed. |
| global.spire.serverAddress | string | `"spire-server.spire-server.svc.cluster.local"` | The SPIRE Server address. This is the address where the SPIRE Server that the agents will connect to. This address is in the form of <service-name>.<namespace>.svc.cluster.local unless you have a custom setup. |
| global.spire.serverNamespace | string | `"spire-server"` | It is best to keep the SPIRE server namespace separate from other SPIRE components for an added layer of security. |
| global.spire.serverPort | int | `8081` | The SPIRE Server port. This is the port where the SPIRE Server will listen for incoming connections. |
| global.spire.trustDomain | string | `"vsecm.com"` | The trust domain is the root of the SPIFFE ID hierarchy. It is used to identify the trust domain of a workload. If you use anything other than the default `vsecm.com`, you must also update the relevant environment variables that does SPIFFE ID validation. To prevent accidental collisions (two trust domains select identical names), operators are advised to select trust domain names which are highly likely to be globally unique. Even though a trust domain name is not a DNS name, using a registered domain name as a suffix of a trust domain name, when available, will reduce chances of an accidental collision; for example, if a trust domain operator owns the domain name `example.com`, then using a trust domain name such as `apps.example.com` would likely not produce a collision. When trust domain names are automatically generated without operator input, randomly generating a unique name (such as a UUID) is strongly advised. |
| global.spire.trustDomain | string | `"vsecm.com"` | The trust domain is the root of the SPIFFE ID hierarchy. It is used to identify the trust domain of a workload. If you use anything other than the default `vsecm.com`, you must also update the relevant environment variables that does SPIFFE ID validation. To prevent accidental collisions (two trust domains select identical names), operators are advised to select trust domain names which are highly likely to be globally unique. Even though a trust domain name is not a DNS name, using a registered domain name as a suffix of a trust domain name, when available, will reduce chances of an accidental collision; for example, if a trust domain operator owns the domain name `example.com`, then using a trust domain name such as `apps.example.com` would likely not produce a collision. When trust domain names are automatically generated without operator input, randomly generating a unique name (such as a UUID) is strongly advised. All SPIFFE IDs shall be prefixed with `spiffe://<trustDomain>` unless you have an advanced custom setup. |
| global.useClusterSpiffeIds | bool | `true` | Setting this `false` will skip ClusterSPIFFEID creation for VSecM components. All ClusterSPIFFEID templates will merely be ignored during helm installation. Keeping this `true`, while `deploySpireControllerManager` is `false` will cause the helm installation to fail. |
| global.vsecm.keystoneSpiffeIdTemplate | string | `"spiffe://vsecm.com/workload/vsecm-keystone/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }}"` | |
| global.vsecm.namespace | string | `"vsecm-system"` | |
| global.vsecm.safeEndpointUrl | string | `"https://vsecm-safe.vsecm-system.svc.cluster.local:8443/"` | |
| global.vsecm.safeSpiffeIdPrefix | string | `"spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/"` | |
| global.vsecm.safeSpiffeIdPrefix | string | `"^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$"` | |
| global.vsecm.safeSpiffeIdTemplate | string | `"spiffe://vsecm.com/workload/vsecm-safe/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }}"` | |
| global.vsecm.sentinelSpiffeIdPrefix | string | `"spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/"` | |
| global.vsecm.sentinelSpiffeIdPrefix | string | `"^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$"` | |
| global.vsecm.sentinelSpiffeIdTemplate | string | `"spiffe://vsecm.com/workload/vsecm-sentinel/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}/n/{{ .PodMeta.Name }}"` | |
| global.vsecm.workloadSpiffeIdPrefix | string | `"spiffe://vsecm.com/workload/"` | |
| global.vsecm.workloadNameRegExp | string | `"^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$"` | |
| global.vsecm.workloadSpiffeIdPrefix | string | `"^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$"` | |

## License

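Review bot: `global.vsecm.safeSpiffeIdPrefix`, `global.vsecm.sentinelSpiffeIdPrefix` and `global.vsecm.workloadSpiffeIdPrefix` now hold anchored regular expressions rather than literal prefixes, yet their description cells are still empty and the key names still say "Prefix"; since this README is generated, add a `# --` comment to each in values.yaml stating that the value is a regular expression used for SPIFFE ID validation and must be changed together with `global.spire.trustDomain` (the `trustDomain` row already warns that "the relevant environment variables that does SPIFFE ID validation" must be updated, but does not name these keys, and "does" should read "do"). Two smaller points in the same hunk: the `.` in `vsecm.com` is unescaped in every new pattern, so it matches any character, and `vsecm\.com` is the stricter form; and in the `global.spire.serverAddress` row the bare `<service-name>.<namespace>` will be swallowed as an HTML tag by most Markdown renderers, so wrap it in backticks in the values.yaml comment.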
15 changes: 11 additions & 4 deletions helm-charts/0.26.0/charts/keystone/README.md
Expand Up @@ -13,11 +13,16 @@ Helm chart for keystone
| environments[0] | object | `{"name":"VSECM_LOG_LEVEL","value":"7"}` | The log level. 0: Logs are off (only audit events will be logged) 7: TRACE level logging (maximum verbosity). |
| fullnameOverride | string | `""` | The fullname override of the chart. |
| imagePullSecrets | list | `[]` | Override it with an image pull secret that you need as follows: imagePullSecrets: - name: my-registry-secret |
| initEnvironments | list | `[{"name":"SPIFFE_ENDPOINT_SOCKET","value":"unix:///spire-agent-socket/agent.sock"},{"name":"VSECM_LOG_LEVEL","value":"7"},{"name":"VSECM_INIT_CONTAINER_POLL_INTERVAL","value":"5000"}]` | See https://vsecm.com/configuration for more information about these environment variables. |
| initEnvironments | list | `[{"name":"SPIFFE_ENDPOINT_SOCKET","value":"unix:///spire-agent-socket/agent.sock"},{"name":"VSECM_BACKOFF_DELAY","value":"1000"},{"name":"VSECM_BACKOFF_MAX_RETRIES","value":"10"},{"name":"VSECM_BACKOFF_MAX_WAIT","value":"10000"},{"name":"VSECM_BACKOFF_MODE","value":"exponential"},{"name":"VSECM_INIT_CONTAINER_POLL_INTERVAL","value":"5000"},{"name":"VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT","value":"0"},{"name":"VSECM_LOG_LEVEL","value":"7"}]` | See https://vsecm.com/configuration for more information about these environment variables. |
| initEnvironments[0] | object | `{"name":"SPIFFE_ENDPOINT_SOCKET","value":"unix:///spire-agent-socket/agent.sock"}` | The SPIFFE endpoint socket. This is used to communicate with the SPIRE agent. If you change this, you will need to change the associated volumeMount in the Deployment.yaml too. |
| initEnvironments[1] | object | `{"name":"VSECM_LOG_LEVEL","value":"7"}` | The log level. 0: Logs are off (only audit events will be logged) 7: TRACE level logging (maximum verbosity). |
| initEnvironments[2] | object | `{"name":"VSECM_INIT_CONTAINER_POLL_INTERVAL","value":"5000"}` | The interval (in milliseconds) that the VSecM Init Container will poll the VSecM Safe for secrets. |
| livenessPort | int | `8081` | |
| initEnvironments[1] | object | `{"name":"VSECM_BACKOFF_DELAY","value":"1000"}` | The interval between retries (in milliseconds) for the default backoff strategy. |
| initEnvironments[2] | object | `{"name":"VSECM_BACKOFF_MAX_RETRIES","value":"10"}` | The maximum number of retries for the default backoff strategy before it gives up. |
| initEnvironments[3] | object | `{"name":"VSECM_BACKOFF_MAX_WAIT","value":"10000"}` | The maximum wait time (in milliseconds) for the default backoff strategy. |
| initEnvironments[4] | object | `{"name":"VSECM_BACKOFF_MODE","value":"exponential"}` | The backoff mode. The default is "exponential". Allowed values: "exponential", "linear" |
| initEnvironments[5] | object | `{"name":"VSECM_INIT_CONTAINER_POLL_INTERVAL","value":"5000"}` | The interval (in milliseconds) that the VSecM Init Container will poll the VSecM Safe for secrets. |
| initEnvironments[6] | object | `{"name":"VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT","value":"0"}` | The time (in milliseconds) that the VSecM Init Container will wait before exiting and yielding the control to the main container. |
| initEnvironments[7] | object | `{"name":"VSECM_LOG_LEVEL","value":"7"}` | The log level. 0: Logs are off (only audit events will be logged) 7: TRACE level logging (maximum verbosity). |
| livenessPort | int | `8081` | The port of the liveness probe. |
| nameOverride | string | `""` | The name override of the chart. |
| podAnnotations | object | `{}` | Additional pod annotations. |
| podSecurityContext | object | `{}` | Pod security context overrides. |
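Review bot: the four new `VSECM_BACKOFF_*` rows (`initEnvironments[1]` through `initEnvironments[4]`) all refer to "the default backoff strategy" without saying which operation is being retried; the values.yaml comments should name it the way the `VSECM_INIT_CONTAINER_POLL_INTERVAL` row does (the init container polling VSecM Safe), and the `VSECM_BACKOFF_MAX_WAIT` row should say whether the cap applies to a single retry delay or to the total wait, since "maximum wait time" can be read either way. Minor: the `VSECM_BACKOFF_MODE` description ends without a period, unlike the neighbouring rows.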
Expand All @@ -28,3 +33,5 @@ Helm chart for keystone
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| serviceAccount.name | string | `"vsecm-keystone"` | The name of the service account to use. If not set and 'create' is true, a name is generated using the fullname template. |

----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
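Review bot: the new footer embeds the tool version (`helm-docs v1.13.1`), so any contributor who regenerates with a different helm-docs release will churn this line in every chart README; pin that version in `./hack/helm-docs.sh`, the script the release-management change in this commit tells maintainers to run, so regenerated output stays stable across machines.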