Merge branch 'main' into validatingpolicy

spiffe · Oct 24, 2024 · b74c62b · b74c62b
2 parents 7274fa4 + fe5464b
commit b74c62b
Showing 1 changed file with 26 additions and 2 deletions.
diff --git a/charts/spire/README.md b/charts/spire/README.md
@@ -90,8 +90,32 @@ We only support upgrading one major/minor version at a time. Version skipping is
 
 ### 0.24.X
 
-We have added the remaining options needed for the SPIRE Server SQL data store plugin. We have removed `spire-server.dataStore.sql.plugin_data` section as it is no longer needed. If you are using it, please migrate
-your settings to the ones under `spire-server.dataStore.sql`.
+- You must upgrade [spire-crds](https://artifacthub.io/packages/helm/spiffe/spire-crds) to 0.5.0+ before performing this upgrade.
+
+- In order to make it easier to target specific SPIFFE IDs to workloads, a fallback feature was added to ClusterSPIFFEIDs so that a default ID will only apply when no others do. To change back to the previous behavior, use `spire-server.controllerManager.identities.clusterSPIFFEIDs.default.fallback=false`. The new default is unlikely to need changes.
+
+- We now set a hint of the ClusterSPIFFEID name on each entry created by default. This can be undone by setting the `hint=""` property on the ClusterSPIFFEID. The new default is unlikely to need changes.
+
+- We have added the remaining options needed for the SPIRE Server SQL data store plugin as native values. We have removed `spire-server.dataStore.sql.plugin_data` section as it is no longer needed. If you are using it, please migrate your settings to the ones under `spire-server.dataStore.sql`.
+
+- For users of `spire-server.upstreamAuthority.certManager`, a bug was discovered with templates not honoring `global.spire.caSubject.*`. It has been fixed, but may change values if you are not careful. Please double check the new settings are what you need them to be before completing the upgrade.
+
+- Lastly, as we approach 1.0.0, we would like to ensure all the values follow the same convention. We have made a bunch of minor changes to the values in this version to make sure they are all camel cased and properly capitalized. If you are upgrading from a previous version, please look though this list carefully to see if a value you are using is impacted:
+
+    - `spire-server.federation.bundleEndpoint.refresh_hint` -> `spire-server.federation.bundleEndpoint.refreshHint`
+    - `spire-server.nodeAttestor.k8sPsat` -> `spire-server.nodeAttestor.k8sPSAT`
+    - `spire-server.nodeAttestor.externalK8sPsat` -> `spire-server.nodeAttestor.ExternalK8sPSAT`
+    - `spire-server.notifier.k8sbundle` -> `spire-server.notifier.k8sBundle`
+    - `spire-server.ca_subject` -> `spire-server.caSubject`
+    - `spire-server.ca_subject.common_name -> `spire-server.caSubject.commonName`
+    - `spire-server.upstreamAuthority.certManager.issuer_name` -> `spire-server.upstreamAuthority.certManager.issuerName`
+    - `spire-server.upstreamAuthority.certManager.issuer_kind` -> `spire-server.upstreamAuthority.certManager.issuerKind`
+    - `spire-server.upstreamAuthority.certManager.issuer_group` -> `spire-server.upstreamAuthority.certManager.issuerGroup`
+    - `spire-server.upstreamAuthority.certManager.kube_config_file` -> `spire-server.upstreamAuthority.certManager.kubeConfigFile`
+    - `spire-agent.sds.defaultSvidName` -> `spire-agent.sds.defaultSVIDName`
+    - `spire-agent.sds.disableSpiffeCertValidation` -> `spire-agent.sds.disableSPIFFECertValidation`
+    - `spire-agent.sds.defaultSvidName` -> `spire-agent.sds.defaultSVIDName`
+    - `spire-agent.nodeAttestor.k8sPsat` -> `spire-agent.nodeAttestor.k8sPSAT`
 
 ### 0.23.X