update spire server port to 443

helm-charts/0.26.1/charts/spire/templates/crd-rbac/hook-preinstall_leader_election_role.yaml

@@ -14,6 +14,8 @@ kind: Role
 metadata:
   name: leader-election-role
   namespace: {{ .Values.global.spire.serverNamespace }}
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 rules:
   - apiGroups: [""]
     resources: ["configmaps"]

helm-charts/0.26.1/charts/spire/templates/crd-rbac/hook-preinstall_role.yaml

@@ -12,6 +12,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: spire-server-spire-controller-manager
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 rules:
   - apiGroups: [ "" ]
     resources: [ "endpoints" ]

helm-charts/0.26.1/charts/spire/templates/crd-rbac/leader_election_role_binding.yaml

@@ -13,6 +13,8 @@ kind: RoleBinding
 metadata:
   name: leader-election-rolebinding
   namespace: {{ .Values.global.spire.serverNamespace }}
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

helm-charts/0.26.1/charts/spire/templates/crd-rbac/role_binding.yaml

@@ -12,6 +12,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: spire-server-spire-controller-manager
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

helm-charts/0.26.1/charts/spire/templates/hook-preinstall_spiffe-csi-driver.yaml

@@ -14,6 +14,8 @@ metadata:
   name: "csi.spiffe.io"
   annotations:
     "helm.sh/hook": pre-install
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 spec:
   # We only support ephemeral, inline volumes. We don't need a controller to
   # provision and attach volumes.

helm-charts/0.26.1/charts/spire/templates/hook-preinstall_spire-namespace.yaml

@@ -16,3 +16,4 @@ metadata:
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/warn: privileged
+    {{- include "spire.labels" . | nindent 4 }}

helm-charts/0.26.1/charts/spire/templates/hook-preinstall_spire-server-namespace.yaml

@@ -16,3 +16,4 @@ metadata:
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/warn: privileged
+    {{- include "spire.labels" . | nindent 4 }}

helm-charts/0.26.1/charts/spire/templates/spire-agent-cluster-role-binding.yaml

@@ -13,6 +13,8 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: spire-agent
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
     name: spire-agent

helm-charts/0.26.1/charts/spire/templates/spire-agent-cluster-role.yaml

@@ -13,6 +13,8 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: spire-agent
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 rules:
   - apiGroups: [""]
     resources:

helm-charts/0.26.1/charts/spire/templates/spire-agent-config-map.yaml

@@ -16,6 +16,8 @@ kind: ConfigMap
 metadata:
   name: spire-agent
   namespace: {{ .Values.global.spire.namespace }}
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 data:
   agent.conf: |
     {

helm-charts/0.26.1/charts/spire/templates/spire-agent-daemonset.yaml

@@ -15,6 +15,7 @@ metadata:
   namespace: {{ .Values.global.spire.namespace }}
   labels:
     app: spire-agent
+    {{- include "spire.labels" . | nindent 4 }}
   annotations: {{ .Values.spireAgent.annotations | toYaml | nindent 4 }}
 spec:
   selector:

helm-charts/0.26.1/charts/spire/templates/spire-agent-service-account.yaml

@@ -14,3 +14,5 @@ kind: ServiceAccount
 metadata:
   name: spire-agent
   namespace: {{ .Values.global.spire.namespace }}
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}

helm-charts/0.26.1/charts/spire/templates/spire-controller-manager-config.yaml

@@ -13,6 +13,8 @@ kind: ConfigMap
 metadata:
   name: spire-controller-manager-config
   namespace: {{ .Values.global.spire.serverNamespace }}
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 data:
   spire-controller-manager-config.yaml: |
     apiVersion: spire.spiffe.io/v1alpha1

helm-charts/0.26.1/charts/spire/templates/spire-controller-manager-webhook.yaml

@@ -12,6 +12,8 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: spire-controller-manager-webhook
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 webhooks:
   - admissionReviewVersions: ["v1"]
     clientConfig:

helm-charts/0.26.1/charts/spire/templates/spire-server-bundle-config-map.yaml

@@ -17,3 +17,5 @@ kind: ConfigMap
 metadata:
   name: spire-bundle
   namespace: {{ .Values.global.spire.namespace }}
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}

helm-charts/0.26.1/charts/spire/templates/spire-server-bundle-endpoint.yaml

@@ -14,6 +14,8 @@ kind: Service
 metadata:
   name: spire-server-bundle-endpoint
   namespace: {{ .Values.global.spire.serverNamespace }}
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.bundleEndpoint.type }}
   ports:

helm-charts/0.26.1/charts/spire/templates/spire-server-cluster-role-binding.yaml

@@ -13,6 +13,8 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: spire-server-spire-server
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
     name: spire-server

helm-charts/0.26.1/charts/spire/templates/spire-server-cluster-role.yaml

@@ -13,6 +13,8 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: spire-server-spire-server
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 rules:
   - apiGroups: [""]
     resources: ["nodes"]

helm-charts/0.26.1/charts/spire/templates/spire-server-config-map.yaml

@@ -14,13 +14,15 @@ kind: ConfigMap
 metadata:
   name: spire-server
   namespace: {{ .Values.global.spire.serverNamespace }}
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 data:
   server.conf: |
     {
       "server": {
         "audit_log_enabled": true,
         "bind_address": "0.0.0.0",
-        "bind_port": "8081",
+        "bind_port": {{ .Values.spireServer.containerPort}},
         "trust_domain": {{ .Values.global.spire.trustDomain | quote }},
         "data_dir": {{ .Values.spireServer.dataDir | quote }},
         "log_level": {{ .Values.global.spire.logLevel | quote }},

helm-charts/0.26.1/charts/spire/templates/spire-server-controller-manager-webhook-service.yaml

@@ -16,6 +16,8 @@ kind: Service
 metadata:
   name: spire-controller-manager-webhook-service
   namespace: {{ .Values.global.spire.serverNamespace }}
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 spec:
   ports:
     - port: 443

helm-charts/0.26.1/charts/spire/templates/spire-server-role-binding.yaml

@@ -15,6 +15,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: spire-server-role-binding
   namespace: {{ .Values.global.spire.namespace }}
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
     name: spire-server

helm-charts/0.26.1/charts/spire/templates/spire-server-role.yaml

@@ -14,6 +14,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: spire-server-role
   namespace: {{ .Values.global.spire.namespace }}
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 rules:
   # allow "get" access to pods (to resolve selectors for PSAT attestation)
   - apiGroups: [""]

helm-charts/0.26.1/charts/spire/templates/spire-server-service-account.yaml

@@ -14,3 +14,5 @@ kind: ServiceAccount
 metadata:
   name: spire-server
   namespace: {{ .Values.global.spire.serverNamespace }}
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}

helm-charts/0.26.1/charts/spire/templates/spire-server-service.yaml

@@ -14,12 +14,14 @@ kind: Service
 metadata:
   name: spire-server
   namespace: {{ .Values.global.spire.serverNamespace }}
+  labels:
+    {{- include "spire.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.service.type }}
   ports:
-    - name: api
-      port: {{ .Values.service.port }}
-      targetPort: {{ .Values.service.port }}
+    - name: grpc
+      port: {{ .Values.global.spire.serverPort }}
+      targetPort: grpc
       protocol: TCP
   selector:
     app: spire-server

helm-charts/0.26.1/charts/spire/templates/spire-server-stateful-set.yaml

@@ -16,6 +16,7 @@ metadata:
   labels:
     app: spire-server
     app.kubernetes.io/component: server
+    {{- include "spire.labels" . | nindent 4 }}
 spec:
   serviceName: spire-server
   replicas: {{ .Values.replicaCount }}
@@ -47,8 +48,9 @@ spec:
               memory: {{ .Values.resources.agent.requests.memory }}
               cpu: {{ .Values.resources.agent.requests.cpu }}
           ports:
-            - containerPort: 8081
+            - containerPort: {{ .Values.spireServer.containerPort }}
               protocol: TCP
+              name: grpc
             - containerPort: 8080
               name: healthz
 

helm-charts/0.26.1/charts/spire/values.yaml

@@ -34,8 +34,6 @@ service:
   # Possible values are: ClusterIP, NodePort, LoadBalancer.
   # Defaults to `ClusterIP`.
   type: ClusterIP
-  # -- Service port.
-  port: 8081
   # -- Additional Service annotations.
   annotations: {}
 
@@ -85,6 +83,8 @@ spireServer:
   configDir: "/run/spire/server/config"
   # -- The private socket directory for the SPIRE Server.
   privateSocketDir: "/tmp/spire-server/private"
+  # -- The internal port that the server serves.
+  containerPort: "8081"
 
 # -- These are the default resources suitable for a moderate SPIRE usage.
 # Of course, it's best to do your own benchmarks and update these

helm-charts/0.26.1/values.yaml

@@ -176,4 +176,5 @@ global:
     logLevel: DEBUG
     # -- The SPIRE Server port. This is the port where the SPIRE Server will
     # listen for incoming connections.
-    serverPort: 8081
+    # This is the port of the SPIRE server k8s Service.
+    serverPort: 443