Description
Link: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire#production
Quote from Kevin Fox (regarding helm-charts-hardened):
"I think the helm chart has a rather large feature set above the from-scratch manifests at this point. Lots and lots more testing. We should consider not recommending folks use the static manifests soon, I think, because of it. There are a lot of features, such as k8s priorityClasses and pod security standards, that a lot of folks don't even know exist, that we support/test and that enable a better experience out of the box."
More braindump from our Slack:
"""
Best to share this in an n-way chat.
I'm discussing why we might be having the SPIFFE driver issue with the SPIRE experts, and:
1. As far as I can tell, the CSI driver doesn't actually do anything but make the directory available, so it shouldn't matter what state the socket is in?
2. Kevin Fox (3 minutes ago): I've seen weird things like that when resource constrained.
Long story short, it looks like a resource contention issue. It's likely not related to the SPIRE version.
Also (referring to the SPIRE helm-charts-hardened project):
Are you using the chart? We tried to set things up so that it would still function properly when resource constrained. Not sure the static manifests do.
It should mark the most important pods with appropriate higher priority flags to keep them alive and on the node during contention.
Also from the charts:
@param global.spire.recommendations.priorityClassName Set to true to use recommended values for Pod Priority Class Names
I think the best course forward is to create a SPIRE yaml with helm-charts-hardened, compare with what we have, and adjust accordingly.
I'm pretty sure we are not setting "any" priorityClass, for example 🙂.
(values.yaml in https://github.com/spiffe/helm-charts-hardened)
Kind of having that conversation over here too: spiffe/spiffe.io#283 (comment)
(4 minutes ago) spiffe/spiffe.io#290 is looking pretty close to merging too.
"""
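As an added example (not code from this issue, from the Slack thread, or from the helm-charts-hardened project), here is a small POSIX shell check for the comparison the braindump proposes: render the chart, then list every Deployment/StatefulSet/DaemonSet whose pod template sets no `priorityClassName`. The multi-document manifest embedded below is constructed for illustration and is not real chart or static-manifest output; the `helm template` invocation in the comment assumes the chart repo was added under the alias `spire` and that the chart is `spire/spire`, which is an assumption, not something this issue states.

```shell
#!/bin/sh
# Constructed sample manifest (not real SPIRE output): one StatefulSet without a
# priorityClassName, one DaemonSet with one, and a non-workload ConfigMap.
SAMPLE_MANIFEST='apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: spire-server
spec:
  template:
    spec:
      containers:
        - name: spire-server
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: spire-agent
spec:
  template:
    spec:
      priorityClassName: system-node-critical
      containers:
        - name: spire-agent
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: spire-bundle
data: {}
'

# Read a multi-document manifest on stdin and print "kind/name" for each
# workload (Deployment, StatefulSet, DaemonSet) whose pod template has no
# priorityClassName. Documents are split on "---"; the top-level metadata
# name is the first "  name:" line (two-space indent), so container names,
# which are nested deeper, are not mistaken for it.
workloads_without_priority() {
  awk '
    function flush() {
      if (kind ~ /^(Deployment|StatefulSet|DaemonSet)$/ && !has_pc)
        print kind "/" name
      kind = ""; name = ""; has_pc = 0
    }
    /^---[ \t]*$/                   { flush(); next }
    /^kind:/                        { kind = $2 }
    name == "" && /^  name:/        { name = $2 }
    /^[ \t]+priorityClassName:/     { has_pc = 1 }
    END                             { flush() }
  '
}

# CI-style wrapper: exit non-zero when any workload is missing the field,
# so the check can gate a manifest change.
check_priority_classes() {
  missing="$(workloads_without_priority)"
  if [ -n "$missing" ]; then
    printf 'workloads without priorityClassName:\n%s\n' "$missing" >&2
    return 1
  fi
  return 0
}

# Usage against the constructed sample; prints "StatefulSet/spire-server".
printf '%s\n' "$SAMPLE_MANIFEST" | workloads_without_priority

# Against real chart output (assumed repo alias and chart name, see lead-in):
#   helm template spire spire/spire \
#     --set global.spire.recommendations.priorityClassName=true \
#     | check_priority_classes
# Run the same pipe over the static manifests to see which workloads differ.
```

Feeding both the chart render and the existing static manifests through the same pipe gives a direct list of which SPIRE workloads the chart prioritises and which the static manifests leave at default priority, which is the gap the braindump suspects is behind the contention behaviour.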