Merge branch 'main' into release

Cut patch release for 0.5.0

.devcontainer/Dockerfile

@@ -1,82 +0,0 @@
-FROM ubuntu:22.04
-RUN \
-  apt-get update && \
-  apt-get install -y bash ca-certificates gnupg make curl vim sudo jq && \
-  curl -sL https://deb.nodesource.com/setup_18.x -o nodesource_setup.sh && \
-  mkdir -p /etc/apt/keyrings && \
-  curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
-  echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | sudo tee /etc/apt/sources.list.d/nodesource.list && \
-  apt-get update && \
-  apt-get install -y nodejs && \
-  apt-get clean && \
-  curl -o /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.35.2/yq_linux_amd64 && \
-  chmod +x /usr/local/bin/yq
-RUN \
-  curl -q -l -o /tmp/go.tgz "https://dl.google.com/go/go1.21.4.linux-amd64.tar.gz" && \
-  cd /usr/local && \
-  tar -xvf /tmp/go.tgz && \
-  rm -f /tmp/go.tgz && \
-  cd /
-RUN \
-  curl -L -o /usr/local/bin/minikube https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 && \
-  chmod +x /usr/local/bin/minikube && \
-  curl -L -o /usr/local/bin/kubectl "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
-  chmod +x /usr/local/bin/kubectl
-
-RUN \
-  curl -fsSL -o /tmp/get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && \
-  chmod +x /tmp/get_helm.sh && \
-  /tmp/get_helm.sh && \
-  rm /tmp/get_helm.sh
-
-RUN \
-  groupadd -g 10001 dev && \
-  useradd --uid 10001 -g 10001 -m dev && \
-  echo 'dev ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/dev && \
-  chmod 400 /etc/sudoers.d/dev
-
-ENV PATH /usr/local/go/bin:$PATH
-
-RUN \
-  npm install -g "@bitnami/readme-generator-for-helm@2.6.0"
-
-RUN \
-  go install github.com/onsi/ginkgo/v2/ginkgo@latest
-
-RUN \
-  apt-get install -y git zsh strace lsof graphviz && \
-  mv /root/go/bin/ginkgo /usr/local/bin
-
-RUN \
-  curl -L -o /tmp/ct.tar.gz https://github.com/helm/chart-testing/releases/download/v3.8.0/chart-testing_3.8.0_linux_amd64.tar.gz && \
-  cd /usr/local/bin && \
-  tar -xvf /tmp/ct.tar.gz ct && \
-  cd / && \
-  tar -xvf /tmp/ct.tar.gz etc && \
-  mkdir /etc/ct && \
-  mv /etc/chart_schema.yaml /etc/ct/ && \
-  mv /etc/lintconf.yaml /etc/ct/ && \
-  curl -o /tmp/gh.tar.gz https://github.com/cli/cli/releases/download/v2.40.0/gh_2.40.0_linux_amd64.tar.gz -L && \
-  cd && \
-  cd /tmp && \
-  tar -zxvf gh.tar.gz && \
-  mv gh_*_linux_amd64/bin/* /usr/local/bin && \
-  mkdir -p /usr/local/share/main/man1/ && \
-  mv gh_*_linux_amd64/share/man/man1/* /usr/local/share/main/man1/ && \
-  cd
-
-RUN \
-  cd /tmp && \
-  git clone https://github.com/devcontainers/features && \
-  cd features/src/docker-in-docker && \
-  export MOBY=true && \
-  export INSTALLDOCKERBUILDX=false && \
-  ./install.sh && \
-  cd ../../../ && \
-  rm -rf features
-
-RUN \
-  usermod -a -G docker dev
-
-USER dev
-

.devcontainer/devcontainer.json

@@ -1,30 +0,0 @@
-{
-	"name": "spiffe-helm-charts-hardened",
-	"image": "ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest",
-	"features": {
-		"ghcr.io/devcontainers/features/docker-in-docker:2": {
-			"version": "latest",
-			"moby": true,
-			"installDockerBuildx": false
-		}
-	},
-	"customizations": {
-		"vscode": {
-			"extensions": [
-				"ms-kubernetes-tools.vscode-kubernetes-tools"
-			],
-			"settings": {
-				"terminal.integrated.defaultProfile.linux": "bash",
-				"terminal.integrated.profiles.linux": {
-					"zsh": { "path": "/bin/zsh" },
-					"bash": { "path": "/bin/bash" }
-				}
-			}
-		}
-	},
-	"postStartCommand": "minikube start && helm upgrade --install -n spire-server spire-crds charts/spire-crds --create-namespace && kubectl version",
-	"hostRequirements": {
-		"cpus": 1
-	},
-	"remoteUser": "dev"
-}

.editorconfig

@@ -8,8 +8,3 @@ indent_size = 2
 tab_width = 2
 trim_trailing_whitespace = true
 insert_final_newline = true
-
-[Makefile,*.go,*.mod]
-indent_style = tab
-indent_size = 4
-tab_width = 4

.github/dependabot.yaml

@@ -12,18 +12,3 @@ updates:
     schedule:
       interval: "daily"
     open-pull-requests-limit: 5
-
-  - package-ecosystem: gomod
-    directory: "/tests"
-    schedule:
-      interval: daily
-    open-pull-requests-limit: 5
-
-  - package-ecosystem: pip
-    directory: "/.github/scripts"
-    schedule:
-      interval: daily
-    groups:
-      python-packages:
-        patterns:
-          - "*"

.github/kind/conf/kind-config.yaml

@@ -15,6 +15,3 @@ kubeadmConfigPatches:
         # admission-control-config-file: /etc/kubernetes/pki/admctrl/admission-control.yaml
 nodes:
   - role: control-plane
-  - role: worker
-  - role: worker
-  - role: worker

.github/scripts/edit-yaml.py

@@ -1,24 +0,0 @@
-#!/usr/bin/env python3
-
-import os
-import sys
-from dict_deep import deep_set
-import ruamel.yaml
-
-def represent_none(self, data):
-    return self.represent_scalar(u'tag:yaml.org,2002:null', u'null')
-
-y = ruamel.yaml.YAML()
-y.indent(mapping=2, sequence=4, offset=2)
-# Dont wrap long lines
-y.width = 4096
-y.preserve_quotes = True
-y.representer.add_representer(type(None), represent_none)
-
-d = y.load(open(os.environ['VALUES']))
-
-tagquery = os.environ['QUERY'] + '.tag'
-
-deep_set(d, tagquery, os.environ['LATEST_VERSION']);
-
-y.dump(d, sys.stdout)

.github/scripts/parse-versions.sh

@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-
-TESTS_PATH="$(dirname "${BASH_SOURCE[0]}")/../tests"
-
-# Set repo and version env variables
-REPOS=$(jq -r '.[] | "export " + ("HELM_REPO_" + .name | ascii_upcase | gsub("-";"_")) + "=" + .repo' "${TESTS_PATH}/charts.json")
-VERSIONS=$(jq -r '.[] | "export " + ("VERSION_" + .name | ascii_upcase | gsub("-";"_")) + "=" + .version' "${TESTS_PATH}/charts.json")
-eval "$REPOS"
-eval "$VERSIONS"
-
-REGISTRIES=$(jq -r '.[] | "export " + ("HELM_REGISTRY_" + .name | ascii_upcase | gsub("-";"_")) + "=oci://" + .registry' "${TESTS_PATH}/oci-charts.json")
-VERSIONS=$(jq -r '.[] | "export " + ("VERSION_" + .name | ascii_upcase | gsub("-";"_")) + "=" + .version' "${TESTS_PATH}/oci-charts.json")
-eval "$REGISTRIES"
-eval "$VERSIONS"

.github/scripts/requirements.txt

@@ -1,2 +0,0 @@
-ruamel.yaml
-dict_deep

.github/scripts/update-tags.sh

@@ -1,74 +0,0 @@
-#!/usr/bin/env bash
-
-SCRIPT="$(readlink -f "$0")"
-SCRIPTPATH="$(dirname "${SCRIPT}")"
-
-IMAGEJSON="${SCRIPTPATH}/../tests/images.json"
-
-if ! command -v crane &> /dev/null; then
-  echo Please install crane
-  exit 1
-fi
-
-if ! command -v jq &> /dev/null; then
-  echo Please install jq
-  exit 1
-fi
-
-if ! command -v yq &> /dev/null; then
-  echo Please install yq
-  exit 1
-fi
-
-if ! command -v npm &> /dev/null; then
-  echo Please install npm
-  exit 1
-fi
-
-if ! command -v python3 -c 'import ruamel.yaml' &> /dev/null; then
-  echo Please install python3 with the ruamel.yaml module
-  exit 1
-fi
-
-if ! command -v python3 -c 'import dict_deep' &> /dev/null; then
-  echo Please install python3 with the dict_deep module
-  exit 1
-fi
-
-jq -r '. | keys[]' "$IMAGEJSON" | while read -r CHART; do
-  jq -r ".\"${CHART}\" | keys[]" "$IMAGEJSON" | while read -r IDX; do
-    QUERY=$(jq -r ".\"${CHART}\"[${IDX}].query" "$IMAGEJSON")
-    FILTER=$(jq -r ".\"${CHART}\"[${IDX}].filter" "$IMAGEJSON")
-
-    OLD_IFS=${IFS}
-    SORTFLAGS=()
-    while IFS='' read -r value; do
-      SORTFLAGS+=("$value")
-    done < <(jq -r ".\"${CHART}\"[${IDX}].\"sort-flags\" | .[]" "$IMAGEJSON")
-    IFS=${OLD_IFS}
-
-    VALUES="${SCRIPTPATH}/../../charts/spire/charts/${CHART}"
-    REGISTRY=$(yq e ".${QUERY}.registry" "$VALUES")
-    REPOSITORY=$(yq e ".${QUERY}.repository" "$VALUES")
-    VERSION=$(yq e ".${QUERY}.tag" "$VALUES")
-    if [[ "$REGISTRY" != "" ]]; then
-      REGISTRY="$REGISTRY/"
-    fi
-    if [[ "$FILTER" == "LATESTSHA" ]]; then
-      LATEST_VERSION="latest@"$(crane digest "${REGISTRY}${REPOSITORY}:latest")
-    else
-      LATEST_VERSION=$(crane ls "${REGISTRY}${REPOSITORY}" | grep "${FILTER}" | sort "${SORTFLAGS[@]}" | tail -n 1)
-    fi
-
-    export QUERY
-    export VALUES
-    export LATEST_VERSION
-
-    if [ "${VERSION}" != "${LATEST_VERSION}" ]; then
-      echo "New image version found: ${REGISTRY}${REPOSITORY}:${LATEST_VERSION}"
-      "${SCRIPTPATH}/edit-yaml.py" > /tmp/$$
-      mv /tmp/$$ "${VALUES}"
-    fi
-  done
-done
-"${SCRIPTPATH}/../../helm-docs.sh" || true

.github/scripts/update-versions.sh

@@ -22,21 +22,3 @@ jq -r ".[].name" "${CHARTJSON}" | while read -r CHART; do
     mv /tmp/$$ "${CHARTJSON}"
   fi
 done
-
-CHARTJSON="${SCRIPTPATH}/../tests/oci-charts.json"
-
-jq -r ".[].name" "${CHARTJSON}" | while read -r NAME; do
-  ENTRYQUERY='.[] | select(.name == "'$NAME'")'
-  REGISTRY="$(jq -r "$ENTRYQUERY | .registry" "${CHARTJSON}")"
-  VERSION="$(jq -r "$ENTRYQUERY | .version" "${CHARTJSON}")"
-  echo Processing: "${NAME}"
-  echo "  chart: ${REGISTRY}"
-  echo "  current version: ${VERSION}"
-  LATEST_VERSION=$(crane ls "$REGISTRY" | grep 'v\?[0-9]*\.[0-9]*\.[0-9]\.*$' | sort -V -r | head -n 1)
-  echo "  latest version: ${LATEST_VERSION}"
-  if [ "x${VERSION}" != "x${LATEST_VERSION}" ]; then
-    echo "  New version found!"
-    jq "(${ENTRYQUERY}).version |= \"${LATEST_VERSION}\"" "${CHARTJSON}" > /tmp/$$
-    mv /tmp/$$ "${CHARTJSON}"
-  fi
-done

.github/tests/charts.json

@@ -2,16 +2,26 @@
   {
     "name": "kube-prometheus-stack",
     "repo": "https://prometheus-community.github.io/helm-charts",
-    "version": "75.15.1"
+    "version": "45.29.0"
   },
   {
     "name": "cert-manager",
     "repo": "https://charts.jetstack.io",
-    "version": "v1.18.2"
+    "version": "v1.12.0"
   },
   {
     "name": "ingress-nginx",
     "repo": "https://kubernetes.github.io/ingress-nginx",
-    "version": "4.13.0"
+    "version": "4.6.1"
+  },
+  {
+    "name": "mysql",
+    "repo": "https://charts.bitnami.com/bitnami",
+    "version": "9.10.1"
+  },
+  {
+    "name": "postgresql",
+    "repo": "https://charts.bitnami.com/bitnami",
+    "version": "12.5.3"
   }
 ]

.github/tests/charts.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+REPOS=$(jq -r '.[] | "export " + ("HELM_REPO_" + .name | ascii_upcase | gsub("-";"_")) + "=" + .repo' .github/tests/charts.json)
+VERSIONS=$(jq -r '.[] | "export " + ("VERSION_" + .name | ascii_upcase | gsub("-";"_")) + "=" + .version' .github/tests/charts.json)
+eval "$REPOS"
+eval "$VERSIONS"

.github/tests/common.sh

@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-GITHUB_STEP_SUMMARY="${GITHUB_STEP_SUMMARY:-/tmp/summary}"
-
 get_namespace_details () {
 cat <<EOF >>"$GITHUB_STEP_SUMMARY"
 ### Namespace $1
@@ -21,8 +19,7 @@ $(kubectl --request-timeout=30s describe pods --namespace "$1")
 #### Logs
 
 \`\`\`shell
-$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --prefix --all-containers=true --ignore-errors=true; done)
-$( ([[ -n "$2" ]] && kubectl get pods -o name -n "$2") | while read -r line; do echo logs for "${line}"; kubectl logs -n "$2" "${line}" --all-containers=true --ignore-errors=true; done)
+$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --all-containers=true --ignore-errors=true; done)
 \`\`\`
 
 EOF
@@ -37,7 +34,7 @@ k_rollout_status () {
 }
 
 get_spire_release_name () {
-  helm ls -A | grep '^spire' | grep -v spire-crds | awk '{print $1}'
+  helm ls -A | grep '^spire' | awk '{print $1}'
 }
 
 print_spire_workload_status () {
@@ -55,7 +52,6 @@ print_spire_workload_status () {
 | Namespace | Workload                                       | Status |
 | --------- | ---------------------------------------------- | ------ |
 | ${ns1}    | ${release_name}-server                         | <pre>$(k_rollout_status "${ns1}" statefulset "${release_name}-server")</pre> |
-| ${ns1}    | ${release_name}-server                         | <pre>$(k_rollout_status "${ns1}" deployments.apps "${release_name}-server")</pre> |
 | ${ns2}    | ${release_name}-spiffe-csi-driver              | <pre>$(k_rollout_status "${ns2}" daemonset "${release_name}-spiffe-csi-driver")</pre> |
 | ${ns2}    | ${release_name}-agent                          | <pre>$(k_rollout_status "${ns2}" daemonset "${release_name}-agent")</pre> |
 | ${ns1}    | ${release_name}-spiffe-oidc-discovery-provider | <pre>$(k_rollout_status "${ns1}" deployments.apps "${release_name}-spiffe-oidc-discovery-provider")</pre> |
@@ -71,43 +67,3 @@ $(helm ls -A | sed 's/\t/ | /g' | sed 's/^/| /' | sed 's/$/ |/' | sed '/^| NAME.
 
 EOF
 }
-
-common_test_url () (
-count=10
-while true; do
-        if curl "$1"; then exit 0; fi
-        sleep 2
-        count=$((count-1))
-        [ $count -le 0 ] && exit 1
-done
-)
-
-common_test_file_exists () (
-count=20
-while true; do
-        if [ -f "$1" ]; then exit 0; fi
-        sleep 2
-        count=$((count-1))
-        [ $count -le 0 ] && exit 1
-done
-)
-
-# Used just for testing. You should provide your own values as described in the install instructions.
-common_test_your_values () {
-cat > /tmp/$$.example-your-values.yaml <<EOF
-global:
-  spire:
-    recommendations:
-      enabled: true
-    clusterName: production
-    trustDomain: production.other
-    caSubject:
-      country: US
-      organization: Production
-      commonName: production.other
-EOF
-echo "/tmp/$$.example-your-values.yaml"
-}
-
-COMMON_TEST_YOUR_VALUES="$(common_test_your_values)"
-export COMMON_TEST_YOUR_VALUES

.github/tests/extras/post-install.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../common.sh"
+
+print_helm_releases
+print_spire_workload_status "${scenario}"
+
+if [[ "$1" -ne 0 ]]; then
+  get_namespace_details "${scenario}"
+fi

.github/tests/federation-bundle-endpoint/post-install.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../common.sh"
+
+print_helm_releases
+print_spire_workload_status "${scenario}"
+
+if [[ "$1" -ne 0 ]]; then
+  get_namespace_details "${scenario}"
+fi

.github/tests/images.json

@@ -1,85 +0,0 @@
-{
-  "spire-server/values.yaml": [
-    {
-      "query": "tests.bash.image",
-      "filter": "LATESTSHA",
-      "sort-flags": []
-    },
-    {
-      "query": "chown.image",
-      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
-      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
-    },
-    {
-      "query": "tools.busybox.image",
-      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
-      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
-    }
-  ],
-  "spire-agent/values.yaml": [
-    {
-      "query": "socketAlternate.image",
-      "filter": "LATESTSHA",
-      "sort-flags": []
-    },
-    {
-      "query": "hostCert.image",
-      "filter": "LATESTSHA",
-      "sort-flags": []
-    },
-    {
-      "query": "fsGroupFix.image",
-      "filter": "LATESTSHA",
-      "sort-flags": []
-    }
-  ],
-  "spiffe-csi-driver/values.yaml": [
-    {
-      "query": "nodeDriverRegistrar.image",
-      "filter": "^v",
-      "sort-flags": []
-    }
-  ],
-  "spiffe-oidc-discovery-provider/values.yaml": [
-    {
-      "query": "insecureScheme.nginx.image",
-      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-alpine$",
-      "sort-flags": []
-    }, {
-      "query": "telemetry.prometheus.nginxExporter.image",
-      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$",
-      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
-    }, {
-      "query": "tests.step.image",
-      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$",
-      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
-    },
-    {
-      "query": "tests.bash.image",
-      "filter": "LATESTSHA",
-      "sort-flags": []
-    },
-    {
-      "query": "tests.toolkit.image",
-      "filter": "LATESTSHA",
-      "sort-flags": []
-    },
-    {
-      "query": "tests.busybox.image",
-      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
-      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
-    },
-    {
-      "query": "spiffeHelper.image",
-      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$",
-      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
-    }
-  ],
-  "tornjak-frontend/values.yaml": [
-    {
-      "query": "tests.bash.image",
-      "filter": "LATESTSHA",
-      "sort-flags": []
-    }
-  ]
-}

.github/tests/namespace-override/post-install.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../common.sh"
+
+print_helm_releases
+print_spire_workload_status spire-server spire-system
+
+if [[ "$1" -ne 0 ]]; then
+  get_namespace_details spire-server
+  get_namespace_details spire-systen
+fi
+

.github/tests/namespace-override/pre-install.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+kubectl create namespace "spire-system"
+kubectl create namespace "spire-server"

.github/tests/namespace-override/values.yaml

@@ -1,17 +1,16 @@
 spiffe-oidc-discovery-provider:
   enabled: true
   namespaceOverride: spire-server
-  tls:
-    spire:
-      enabled: false
+  insecureScheme:
+    enabled: true
 
 spire-server:
   namespaceOverride: spire-server
   nodeAttestor:
-    k8sPSAT:
+    k8sPsat:
       serviceAccountAllowList: ["spire-system:spire-agent"]
   notifier:
-    k8sBundle:
+    k8sbundle:
       namespace: spire-system
 
 spiffe-csi-driver:

.github/tests/no-spire-controller-manager/post-install.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../common.sh"
+
+print_helm_releases
+print_spire_workload_status "${scenario}"
+
+if [[ "$1" -ne 0 ]]; then
+  get_namespace_details "${scenario}"
+fi

.github/tests/no-spire-controller-manager/values.yaml

@@ -1,5 +1,3 @@
 spire-server:
   controllerManager:
     enabled: false
-spiffe-oidc-discovery-provider:
-  enabled: false

.github/tests/oci-charts.json

@@ -1,17 +0,0 @@
-[
-  {
-    "name": "mysql",
-    "registry": "docker.io/bitnamicharts/mysql",
-    "version": "14.0.0"
-  },
-  {
-    "name": "postgresql",
-    "registry": "docker.io/bitnamicharts/postgresql",
-    "version": "16.7.9"
-  },
-  {
-    "name": "envoy-gateway",
-    "registry": "docker.io/envoyproxy/gateway-helm",
-    "version": "v1.4.2"
-  }
-]

.github/tests/post-install.sh

@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-
-set -x
-
-SCRIPT="$(readlink -f "$0")"
-SCRIPTPATH="$(dirname "${SCRIPT}")"
-
-# shellcheck source=/dev/null
-source "${SCRIPTPATH}/common.sh"
-
-print_helm_releases

.github/tests/pre-install.sh

@@ -1,49 +0,0 @@
-#!/usr/bin/env bash
-
-set -xe
-
-SCRIPT="$(readlink -f "$0")"
-SCRIPTPATH="$(dirname "${SCRIPT}")"
-DEPS="${SCRIPTPATH}/dependencies"
-
-# shellcheck source=/dev/null
-source "${SCRIPTPATH}/../scripts/parse-versions.sh"
-
-helm_install=(helm upgrade --install --create-namespace)
-
-# namespace override
-kubectl create namespace spire-system || true
-kubectl create namespace spire-server || true
-
-# nginx ingress
-"${helm_install[@]}" ingress-nginx ingress-nginx --version "${VERSION_INGRESS_NGINX}" --repo "${HELM_REPO_INGRESS_NGINX}" \
-  --namespace ingress-nginx \
-  --set controller.extraArgs.enable-ssl-passthrough=
-kubectl wait --namespace ingress-nginx --for=condition=ready --timeout 60s pod --selector=app.kubernetes.io/component=controller
-
-# prometheus
-"${helm_install[@]}" kube-prometheus-stack kube-prometheus-stack \
-  --namespace prometheus \
-  --version "${VERSION_KUBE_PROMETHEUS_STACK}" \
-  --repo "${HELM_REPO_KUBE_PROMETHEUS_STACK}" \
-  --wait
-
-# cert-manager
-"${helm_install[@]}" cert-manager cert-manager --version "$VERSION_CERT_MANAGER" --repo "$HELM_REPO_CERT_MANAGER" \
-  --namespace cert-manager \
-  --set installCRDs=true \
-  --wait
-
-# external database
-
-# mysql
-"${helm_install[@]}" mysql "${HELM_REGISTRY_MYSQL}" --version "$VERSION_MYSQL" \
-  --namespace mysql \
-  --values "${DEPS}/mysql.yaml" \
-  --wait
-
-# postgres
-"${helm_install[@]}" postgresql "${HELM_REGISTRY_POSTGRESQL}" --version "$VERSION_POSTGRESQL" \
-  --namespace postgresql \
-  --values "${DEPS}/postgresql.yaml" \
-  --wait

.github/tests/production-example/install.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -xe
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+
+helm install \
+  --namespace spire-server \
+  --values "${SCRIPTPATH}/../../../examples/production/values.yaml" \
+  spire charts/spire --wait
+
+helm test spire --namespace spire-server

.github/tests/production-example/post-install.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../common.sh"
+
+print_helm_releases
+print_spire_workload_status spire-server spire-system
+
+if [[ "$1" -ne 0 ]]; then
+  get_namespace_details spire-server
+  get_namespace_details spire-system
+fi

.github/tests/production-example/pre-install.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+kubectl create namespace spire-system
+kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged
+kubectl create namespace spire-server
+kubectl label namespace spire-server pod-security.kubernetes.io/enforce=restricted

.github/tests/production-external-mysql/install.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -xe
+
+SCRIPT=$(readlink -f "$0")
+SCRIPTPATH=$(dirname "$SCRIPT")
+
+DB=spire
+DBUSER=spire
+DBPW=$(uuidgen)
+DBROOTPW=$(uuidgen)
+
+# Generate random settings to make sure things come up with random settings.
+cat <<EOF > /tmp/$$-db-values.yaml
+auth:
+  database: ${DB}
+  username: ${DBUSER}
+  password: ${DBPW}
+  rootPassword: ${DBROOTPW}
+EOF
+
+cat <<EOF > /tmp/$$-spire-values.yaml
+spire-server:
+  dataStore:
+    sql:
+      databaseType: mysql
+      databaseName: ${DB}
+      username: ${DBUSER}
+      password: ${DBPW}
+      host: mysql
+      port: 3306
+      options:
+      - parseTime: true
+EOF
+
+helm install mysql mysql --namespace "spire-server" --version "$VERSION_MYSQL" --repo "$HELM_REPO_MYSQL" \
+  --values "${SCRIPTPATH}/mysql-values.yaml" \
+  --values /tmp/$$-db-values.yaml --wait
+
+helm install \
+  --namespace "spire-server" \
+  --values /tmp/$$-spire-values.yaml \
+  --values "${SCRIPTPATH}/../../../examples/production/values.yaml" \
+  spire charts/spire --wait
+
+helm test spire --namespace "spire-server"

.github/tests/production-external-mysql/mysql-values.yaml

@@ -5,8 +5,3 @@ primary:
       drop: [ALL]
     seccompProfile:
       type: RuntimeDefault
-auth:
-  database: spire-server
-  username: spire
-  password: sp1ff3Test
-  rootPassword: sp1ff3TestPassword

.github/tests/production-external-mysql/post-install.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../common.sh"
+
+print_helm_releases
+print_spire_workload_status spire-server spire-system
+
+if [[ "$1" -ne 0 ]]; then
+  get_namespace_details spire-server
+  get_namespace_details spire-system
+fi

.github/tests/production-external-mysql/pre-install.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+kubectl create namespace spire-system
+kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged
+kubectl create namespace spire-server
+kubectl label namespace spire-server pod-security.kubernetes.io/enforce=restricted

.github/tests/production-external-postgresql/install.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -xe
+
+SCRIPT=$(readlink -f "$0")
+SCRIPTPATH=$(dirname "$SCRIPT")
+
+DB=$(uuidgen)
+DBUSER=$(uuidgen)
+DBPW=$(uuidgen)
+DBPGPW=$(uuidgen)
+
+# Generate random settings to make sure things come up with random settings.
+cat > /tmp/$$-db-values.yaml <<EOF
+auth:
+  database: ${DB}
+  username: ${DBUSER}
+  password: ${DBPW}
+  postgresPassword: ${DBPGPW}
+EOF
+
+cat > /tmp/$$-spire-values.yaml <<EOF
+spire-server:
+  dataStore:
+    sql:
+      databaseType: postgres
+      databaseName: ${DB}
+      username: ${DBUSER}
+      password: ${DBPW}
+      host: postgresql
+      port: 5432
+      options:
+      - sslmode: disable
+EOF
+
+helm install postgresql postgresql --namespace "spire-server" --version "$VERSION_POSTGRESQL" --repo "$HELM_REPO_POSTGRESQL" \
+  --values "${SCRIPTPATH}/postgresql-values.yaml" \
+  --values /tmp/$$-db-values.yaml --wait
+
+helm install \
+  --namespace "spire-server" \
+  --values /tmp/$$-spire-values.yaml \
+  --values "${SCRIPTPATH}/../../../examples/production/values.yaml" \
+  spire charts/spire --wait
+
+helm test spire --namespace "spire-server"

.github/tests/production-external-postgresql/post-install.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../common.sh"
+
+print_helm_releases
+print_spire_workload_status spire-server spire-system
+
+if [[ "$1" -ne 0 ]]; then
+  get_namespace_details spire-server
+  get_namespace_details spire-system
+fi

.github/tests/production-external-postgresql/postgresql-values.yaml

@@ -6,8 +6,3 @@ primary:
       drop: [ALL]
     seccompProfile:
       type: RuntimeDefault
-auth:
-  database: spire-server
-  username: spire
-  password: sp1ff3Test
-  postgresPassword: sp1ff3TestPassword

.github/tests/production-external-postgresql/pre-install.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+kubectl create namespace spire-system
+kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged
+kubectl create namespace spire-server
+kubectl label namespace spire-server pod-security.kubernetes.io/enforce=restricted

.github/tests/prometheus/post-install.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../common.sh"
+
+print_helm_releases
+print_spire_workload_status "${scenario}"
+
+if [[ "$1" -ne 0 ]]; then
+  get_namespace_details "${scenario}"
+fi

.github/tests/prometheus/pre-install.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+helm install kube-prometheus-stack kube-prometheus-stack \
+  --version "${VERSION_KUBE_PROMETHEUS_STACK}" \
+  --repo "${HELM_REPO_KUBE_PROMETHEUS_STACK}" \
+  -n "${scenario}" \
+  --wait

.github/tests/prometheus/values.yaml

@@ -9,6 +9,5 @@ global:
 
 spiffe-oidc-discovery-provider:
   enabled: true
-  tls:
-    spire:
-      enabled: false
+  insecureScheme:
+    enabled: true

.github/tests/spire-oidc-insecure/post-install.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../common.sh"
+
+print_helm_releases
+print_spire_workload_status "${scenario}"
+
+if [[ "$1" -ne 0 ]]; then
+  get_namespace_details "${scenario}"
+fi

.github/tests/spire-oidc-insecure/pre-install.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+helm install ingress-nginx ingress-nginx --version "${VERSION_INGRESS_NGINX}" --repo "${HELM_REPO_INGRESS_NGINX}" -n "$scenario" --set controller.extraArgs.enable-ssl-passthrough=
+kubectl wait --namespace ingress-nginx   --for=condition=ready pod   --selector=app.kubernetes.io/component=controller -n "$scenario"

.github/tests/spire-oidc-insecure/values.yaml

@@ -8,27 +8,25 @@ spire-server:
       nginx.ingress.kubernetes.io/ssl-redirect: "true"
       nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
     hosts:
-    - host: ingress-nginx-controller.ingress-nginx
+    - host: ingress-nginx-controller.spire-oidc-insecure
       paths:
         - path: /
           pathType: Prefix
 
 spire-agent:
   server:
-    address: ingress-nginx-controller.ingress-nginx
+    address: ingress-nginx-controller.spire-oidc-insecure
     port: 443
 
 spiffe-oidc-discovery-provider:
   enabled: true
 
-  tls:
-    spire:
-      enabled: false
+  insecureScheme:
+    enabled: true
 
   config:
-    additionalDomains:
-      - ingress-nginx-controller.ingress-nginx
-      - ingress-nginx-controller.ingress-nginx.svc.cluster.local
+    domains:
+      - ingress-nginx-controller
 
     acme:
       tosAccepted: false
@@ -37,7 +35,7 @@ spiffe-oidc-discovery-provider:
     enabled: true
     className: nginx
     hosts:
-      - host: ingress-nginx-controller.ingress-nginx.svc.cluster.local
-        paths:
-          - path: /
-            pathType: Prefix
+    - host: ingress-nginx-controller
+      paths:
+        - path: /
+          pathType: Prefix

.github/tests/tornjak/install.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT=$(readlink -f "$0")
+SCRIPTPATH=$(dirname "$SCRIPT")
+
+helm install \
+  --namespace spire-server \
+  --values "${SCRIPTPATH}/../../../examples/production/values.yaml" \
+  --values "${SCRIPTPATH}/../../../examples/tornjak/values.yaml" \
+  spire charts/spire --wait
+helm test spire -n spire-server

.github/tests/tornjak/post-install.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../common.sh"
+
+print_helm_releases
+print_spire_workload_status spire-server spire-system
+
+kubectl rollout status --watch --timeout 180s --namespace spire-server deployments.apps spire-tornjak-frontend
+kubectl -n spire-server get deploy spire-tornjak-frontend
+kubectl -n spire-server get service spire-tornjak-frontend
+
+
+if [[ "$1" -ne 0 ]]; then
+  get_namespace_details spire-server
+  get_namespace_details spire-system
+fi

.github/tests/tornjak/pre-install.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+kubectl create namespace spire-system
+kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged
+kubectl create namespace spire-server
+kubectl label namespace spire-server pod-security.kubernetes.io/enforce=restricted

.github/tests/upstream-authority-cert-manager/cert-manager-ca.yaml

@@ -21,13 +21,6 @@ spec:
     name: selfsigned-issuer
     kind: Issuer
     group: cert-manager.io
-  subject:
-    countries:
-    - US
-    organizations:
-    - test
-    organizationalUnits:
-    - test
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
@@ -36,17 +29,3 @@ metadata:
 spec:
   ca:
     secretName: root-secret
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: oidc
-spec:
-  dnsNames:
-    - oidc-discovery.production.other
-    - spire-server-federation.production.other
-  secretName: tls-cert
-  issuerRef:
-    name: demo-ca
-    kind: Issuer
-    group: cert-manager.io

.github/tests/upstream-authority-cert-manager/post-install.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT=$(readlink -f "$0")
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../common.sh"
+
+print_helm_releases
+print_spire_workload_status "${scenario}"
+
+if [ "$1" != '0' ]; then
+  get_namespace_details "${scenario}"
+fi

.github/tests/upstream-authority-cert-manager/pre-install.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+SCRIPT="$(readlink -f "$0")"
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+helm install cert-manager cert-manager --namespace cert-manager --create-namespace --version "$VERSION_CERT_MANAGER" --set installCRDs=true --repo "$HELM_REPO_CERT_MANAGER" --wait
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+kubectl apply -f "${SCRIPT_DIR}/cert-manager-ca.yaml" -n "$scenario"

.github/tests/upstream-authority-cert-manager/values.yaml

@@ -2,5 +2,4 @@ spire-server:
   upstreamAuthority:
     certManager:
       enabled: true
-      ca:
-        create: true
+      issuer_name: "demo-ca"

.github/tests/upstream-authority-disk/post-install.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -x
+
+SCRIPT=$(readlink -f "$0")
+SCRIPTPATH="$(dirname "${SCRIPT}")"
+scenario="${scenario:-$(basename "${SCRIPTPATH}")}"
+
+# shellcheck source=/dev/null
+source "${SCRIPTPATH}/../common.sh"
+
+print_helm_releases
+print_spire_workload_status "${scenario}"
+
+if [ "$1" != '0' ]; then
+  get_namespace_details "${scenario}"
+fi

.github/workflows/check-versions.yaml

@@ -20,57 +20,23 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v3.5.0
 
       - name: Set up Helm
         uses: azure/setup-helm@v3.5
         with:
           version: ${{ env.HELM_VERSION }}
 
-      - name: Setup crane
-        uses: imjasonh/setup-crane@v0.3
-
       - name: Update test chart versions
         run: |
           ./.github/scripts/update-versions.sh
           git diff
 
-      - name: Setup go
-        uses: actions/setup-go@v5.0.0
-        with:
-          go-version: '1.21'
-          cache: false
-
-      - uses: actions/setup-python@v5
-        with:
-          python-version: '3.9'
-
-      - name: Install ubuntu packages
-        run: sudo apt-get install wget apt-transport-https gnupg lsb-release
-
-      - name: Install yq
-        run: go install github.com/mikefarah/yq/v4@latest
-
-      - name: Install python dependencies
-        run: pip install -r .github/scripts/requirements.txt
-
-      - name: Update image tags
-        run: |
-          ./.github/scripts/update-tags.sh
-          git diff
-
-      - name: Generate Token
-        uses: tibdex/github-app-token@v2.1.0
-        id: generate-token
-        with:
-          app_id: ${{ vars.APP_ID }}
-          private_key: ${{ secrets.APP_PRIVATE_KEY }}
-
       - name: Create Pull Request
         id: cpr
-        uses: peter-evans/create-pull-request@v6.0.2
+        uses: peter-evans/create-pull-request@v5.0.1
         with:
-          token: ${{ steps.generate-token.outputs.token }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           title: Bump test chart dependencies
           branch: bump-test-chart-deps
           commit-message: Bump test chart dependencies
@@ -78,7 +44,6 @@ jobs:
           signoff: true
           add-paths: |
             .github/tests
-            charts
 
       - name: Check outputs
         if: ${{ steps.cpr.outputs.pull-request-number }}

.github/workflows/helm-chart-ci-ignore.yaml

@@ -24,95 +24,37 @@ jobs:
     steps:
       - run: 'echo "Skipping checks"'
 
-  test:
-    runs-on: ubuntu-22.04
-
-    strategy:
-      matrix:
-        k8s:
-          - v1.31.1
-          - v1.30.4
-          - v1.29.8
-
-    steps:
-      - run: 'echo "Skipping tests"'
-
   build-matrix:
     name: Build matrix
     runs-on: ubuntu-22.04
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v3.5.2
 
-      - id: set-matrix-example
-        name: Collect all examples
+      - id: set-matrix
+        name: Collect all tests
         run: |
-          examples="$(find examples -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
-          examples_json="$(echo "$examples" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
-          echo "${examples_json}"
-          echo "examples=$examples_json" >>"$GITHUB_OUTPUT"
-
-      - id: set-matrix-integration
-        name: Collect all integration tests
-        run: |
-          integrationtests="$(find tests/integration -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
-          integrationtests_json="$(echo "$integrationtests" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
-          echo "${integrationtests_json}"
-          echo "integrationtests=$integrationtests_json" >>"$GITHUB_OUTPUT"
+          tests="$(echo -e "default\n$(find .github/tests -maxdepth 1 -type d | grep -Ev 'tests$' | xargs -I % basename % | sort | uniq)")"
+          tests_json="$(echo "$tests" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
+          echo "tests=$tests_json" >> $GITHUB_OUTPUT
 
     outputs:
-      examples: ${{ steps.set-matrix-example.outputs.examples }}
-      integrationtests: ${{ steps.set-matrix-integration.outputs.integrationtests }}
+      tests: ${{ steps.set-matrix.outputs.tests }}
 
-  example-test:
+  test:
     runs-on: ubuntu-22.04
-
     needs:
       - build-matrix
 
     strategy:
       matrix:
         k8s:
-          - v1.31.1
-          - v1.30.4
-          - v1.29.8
-        example:
-          - ${{ fromJson(needs.build-matrix.outputs.examples) }}
+          - v1.27.2
+          - v1.26.4
+          - v1.25.9
+        values:
+          - ${{ fromJson(needs.build-matrix.outputs.tests) }}
 
     steps:
-      - run: 'echo "Skipping example-test"'
-
-  integration-test:
-    runs-on: ubuntu-22.04
-
-    needs:
-      - build-matrix
-
-    strategy:
-      matrix:
-        k8s:
-          - v1.31.1
-          - v1.30.4
-          - v1.29.8
-        example:
-          - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}
-
-    steps:
-      - run: 'echo "Skipping integration-test"'
-
-  upgrade-test:
-    runs-on: ubuntu-22.04
-
-    needs:
-      - build-matrix
-
-    strategy:
-      matrix:
-        k8s:
-          - v1.31.1
-          - v1.30.4
-          - v1.29.8
-
-    steps:
-      - run: 'echo "Skipping upgrade-test"'
+      - run: 'echo "Skipping tests"'

.github/workflows/helm-chart-ci.yaml

@@ -12,8 +12,6 @@ on:
       - '.github/tests/**/*.sh'
       - '.github/tests/**/*.json'
       - 'examples/**/*.yaml'
-      - 'examples/**/*.sh'
-      - 'tests/**/*'
       - 'helm-docs.sh'
 
 concurrency:
@@ -21,9 +19,8 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  HELM_VERSION: v3.16.2
+  HELM_VERSION: v3.12.0
   PYTHON_VERSION: 3.11.3
-  KIND_VERSION: v0.24.0
   CHART_TESTING_VERSION: v3.8.0
 
 jobs:
@@ -32,7 +29,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v3.5.2
 
       - name: Verify Docs updated
         run: ./helm-docs.sh
@@ -59,7 +56,7 @@ jobs:
           set -o pipefail
           # Look for image: definitions that are not templated. If we find none, exit is not 0 and we invert the error code to get the
           # test to pass. Ignore tests for now...
-          grep -r "image:" charts/spire  | grep "templates/" | grep -v 'image: {{ template "' > /tmp/findings
+          grep "image:" charts/spire/charts/*/templates/*.* | grep -v 'image: {{ template "' > /tmp/findings
           res=$?
           if [ $res -eq 0 ]; then
             {
@@ -72,29 +69,12 @@ jobs:
             exit 1
           fi
 
-      - name: Setup Go
-        uses: actions/setup-go@v5.0.0
-        with:
-          go-version-file: tests/go.mod
-          cache-dependency-path: tests/go.sum
-          check-latest: true
-
-      - name: Install do dependencies
-        run: |
-          go mod download
-          go install github.com/onsi/ginkgo/v2/ginkgo@latest
-        working-directory: ./tests/unit
-
-      - name: Run Unit Tests
-        run: ginkgo
-        working-directory: ./tests/unit
-
   lint-chart:
     runs-on: ubuntu-22.04
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v3.5.2
         with:
           fetch-depth: 0
 
@@ -104,23 +84,49 @@ jobs:
           version: ${{ env.HELM_VERSION }}
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
       - name: Setup chart-testing
-        uses: helm/chart-testing-action@v2.6.1
+        uses: helm/chart-testing-action@v2.4.0
         with:
           version: ${{ env.CHART_TESTING_VERSION }}
 
       - name: Run chart-testing (lint)
-        run: TARGET_BRANCH=${{ github.base_ref }} make lint${{ github.base_ref == 'release' && '-release' || '' }}
+        run: |
+          ct lint --debug ${{ github.base_ref != 'release' && '--check-version-increment=false' || '' }} \
+            --target-branch ${{ github.base_ref }}
+
+    outputs:
+      changed: ${{ steps.list-changed.outputs.changed }}
+
+  build-matrix:
+    name: Build matrix
+    runs-on: ubuntu-22.04
+
+    needs: [lint-chart]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3.5.2
+
+      - id: set-matrix
+        name: Collect all tests
+        run: |
+          tests="$(echo -e "default\n$(find .github/tests -maxdepth 1 -type d | grep -Ev 'tests$' | xargs -I % basename % | sort | uniq)")"
+          tests_json="$(echo "$tests" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
+          echo "tests=$tests_json" >> $GITHUB_OUTPUT
+
+    outputs:
+      tests: ${{ steps.set-matrix.outputs.tests }}
 
   test:
     runs-on: ubuntu-22.04
 
     needs:
       - lint-chart
+      - build-matrix
 
     strategy:
       fail-fast: false
@@ -130,13 +136,18 @@ jobs:
         # Kubernetes, but can go back farther as long as we don't need heroics
         # to pull it off (i.e. kubectl version juggling).
         k8s:
-          - v1.31.1
-          - v1.30.4
-          - v1.29.8
+          - v1.27.2
+          - v1.26.4
+          - v1.25.9
+          - v1.24.13
+          - v1.23.17
+          - v1.22.17
+        values:
+          - ${{ fromJson(needs.build-matrix.outputs.tests) }}
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v3.5.2
         with:
           fetch-depth: 0
 
@@ -146,201 +157,52 @@ jobs:
           version: ${{ env.HELM_VERSION }}
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
       - name: Setup chart-testing
-        uses: helm/chart-testing-action@v2.6.1
+        uses: helm/chart-testing-action@v2.4.0
         with:
           version: ${{ env.CHART_TESTING_VERSION }}
 
       - name: Create kind ${{ matrix.k8s }} cluster
-        uses: helm/kind-action@v1.9.0
+        uses: helm/kind-action@v1.7.0
         # Only build a kind cluster if there are chart changes to test.
         with:
-          version: ${{ env.KIND_VERSION }}
+          version: v0.18.0
           node_image: kindest/node:${{ matrix.k8s }}
           config: .github/kind/conf/kind-config.yaml
           verbosity: 1
 
-      - name: Setup Test dependencies
-        run: ./pre-install.sh
-        working-directory: .github/tests
-
       - name: Run chart-testing (install)
         run: |
-          helm install -n spire-server spire-crds charts/spire-crds
-          ct install --config ct.yaml --excluded-charts spire-crds,spiffe-step-ssh \
-            --target-branch ${{ github.base_ref }}
+          post-install() {
+            [ -x "${TEST_DIR}/post-install.sh" ] && "${TEST_DIR}/post-install.sh" $1
+            exit $1
+          }
 
-      - name: Test summary
-        if: always()
-        run: ./post-install.sh
-        working-directory: .github/tests
+          trap 'post-install $? $LINENO' EXIT
 
-  build-matrix:
-    name: Build matrix
-    runs-on: ubuntu-22.04
+          export scenario="$(basename "${TEST_DIR}")"
+          export EXTRA_HELM_ARGS=""
 
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4.1.1
+          source .github/tests/charts.sh
 
-      - id: set-matrix-example
-        name: Collect all examples
-        run: |
-          examples="$(find examples -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
-          examples_json="$(echo "$examples" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
-          echo "${examples_json}"
-          echo "examples=$examples_json" >>"$GITHUB_OUTPUT"
+          [ "${scenario}" != "default" ] && kubectl create namespace "${scenario}"
+          [ -x "${TEST_DIR}/pre-install.sh" ] && "${TEST_DIR}/pre-install.sh"
+          [ -f "${TEST_DIR}/.env" ] && source "${TEST_DIR}/.env"
 
-      - id: set-matrix-integration
-        name: Collect all integration tests
-        run: |
-          integrationtests="$(find tests/integration -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
-          integrationtests_json="$(echo "$integrationtests" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
-          echo "${integrationtests_json}"
-          echo "integrationtests=$integrationtests_json" >>"$GITHUB_OUTPUT"
-
-    outputs:
-      examples: ${{ steps.set-matrix-example.outputs.examples }}
-      integrationtests: ${{ steps.set-matrix-integration.outputs.integrationtests }}
-
-  example-test:
-    runs-on: ubuntu-22.04
-
-    needs:
-      - lint-chart
-      - build-matrix
-
-    strategy:
-      fail-fast: false
-      matrix:
-        k8s:
-          - v1.31.1
-          - v1.30.4
-          - v1.29.8
-        example:
-          - ${{ fromJson(needs.build-matrix.outputs.examples) }}
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4.1.1
-
-      - name: Set up Helm
-        uses: azure/setup-helm@v3.5
-        with:
-          version: ${{ env.HELM_VERSION }}
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.9.0
-        # Only build a kind cluster if there are chart changes to test.
-        with:
-          version: ${{ env.KIND_VERSION }}
-          node_image: kindest/node:${{ matrix.k8s }}
-          config: .github/kind/conf/kind-config.yaml
-          verbosity: 1
-
-      - name: Install and test example
-        run: |
-          if [ "${{ matrix.example }}" = "examples/federation" -o "${{ matrix.example }}" = "examples/nested-full" -o "${{ matrix.example }}" = "examples/nested-security" ]; then
-            kubectl create namespace spire-mgmt
-            helm install -n spire-mgmt spire-crds charts/spire-crds
+          if [ -x "${TEST_DIR}/install.sh" ]; then
+            "${TEST_DIR}/install.sh"
           else
-            kubectl create namespace spire-server
-            helm install -n spire-server spire-crds charts/spire-crds
+            ct install --debug \
+              --charts "charts/spire" \
+              --namespace "${scenario}" \
+              --target-branch ${{ github.base_ref }} \
+              --exclude-deprecated \
+              --skip-clean-up \
+              ${{ (matrix.values != 'default' && '--helm-extra-set-args "--values=${TEST_DIR}/values.yaml ${EXTRA_HELM_ARGS}"') || '' }}
           fi
-          export K8S="${{ matrix.k8s }}"
-          ${{ matrix.example }}/run-tests.sh
-
-  integration-test:
-    runs-on: ubuntu-22.04
-
-    needs:
-      - lint-chart
-      - build-matrix
-
-    strategy:
-      fail-fast: false
-      matrix:
-        k8s:
-          - v1.31.1
-          - v1.30.4
-          - v1.29.8
-        integrationtest:
-          - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4.1.1
-
-      - name: Set up Helm
-        uses: azure/setup-helm@v3.5
-        with:
-          version: ${{ env.HELM_VERSION }}
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.9.0
-        # Only build a kind cluster if there are chart changes to test.
-        with:
-          version: ${{ env.KIND_VERSION }}
-          node_image: kindest/node:${{ matrix.k8s }}
-          config: .github/kind/conf/kind-config.yaml
-          verbosity: 1
-
-      - name: Install and test integration
-        run: |
-          helm install --create-namespace -n spire-mgmt spire-crds charts/spire-crds
-          ${{ matrix.integrationtest }}/run-tests.sh
-
-  upgrade-test:
-    runs-on: ubuntu-22.04
-
-    needs:
-      - lint-chart
-      - build-matrix
-
-    strategy:
-      fail-fast: false
-      matrix:
-        k8s:
-          - v1.31.1
-          - v1.30.4
-          - v1.29.8
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4.1.1
-
-      - name: Set up Helm
-        uses: azure/setup-helm@v3.5
-        with:
-          version: ${{ env.HELM_VERSION }}
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.9.0
-        # Only build a kind cluster if there are chart changes to test.
-        with:
-          version: ${{ env.KIND_VERSION }}
-          node_image: kindest/node:${{ matrix.k8s }}
-          config: .github/kind/conf/kind-config.yaml
-          verbosity: 1
-
-      - name: Install and test example
-        run: tests/integration/production/run-tests.sh -u
+        env:
+          TEST_DIR: .github/tests/${{ matrix.values }}

.github/workflows/helm-release.yaml

@@ -19,7 +19,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v3.5.2
         with:
           fetch-depth: 0
 
@@ -29,9 +29,9 @@ jobs:
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
       - name: Setup cosign
-        uses: sigstore/cosign-installer@v3.4.0
+        uses: sigstore/cosign-installer@v3.0.5
         with:
-          cosign-release: v2.2.3
+          cosign-release: v2.0.2
 
       - name: Set up Helm
         uses: azure/setup-helm@v3.5
@@ -39,12 +39,12 @@ jobs:
           version: v3.10.3
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.6.0
+        uses: helm/chart-releaser-action@v1.5.0
         env:
           CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3.1.0
+        uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -66,5 +66,3 @@ jobs:
             digest="$(awk -F "[, ]+" '/Digest/{print $NF}' < .digest)"
             cosign sign ghcr.io/"${GITHUB_REPOSITORY_OWNER}"/helm-charts/"${name}"@"${digest}"
           done
-        env:
-          COSIGN_YES: true

.github/workflows/shellcheck.yaml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v3.5.2
 
       - name: Run Shellcheck
         uses: ludeeus/action-shellcheck@2.0.0

.github/workflows/update-devcontainer-image.yaml

@@ -1,44 +0,0 @@
-name: Update devcontainer image
-
-on:
-  schedule:
-    - cron: '0 8 * * 1'
-
-  # Allows you to run this workflow manually from the Actions tab
-  workflow_dispatch:
-
-env:
-  HELM_VERSION: v3.11.1
-
-jobs:
-  build-and-push-devcontainer-image:
-    runs-on: ubuntu-20.04
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-
-    env:
-      COSIGN_EXPERIMENTAL: 1
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Install cosign
-        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
-        with:
-          cosign-release: v2.2.3
-      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
-      - name: Log in to GHCR
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build / Push images
-        run: |
-          set -e
-          cd .devcontainer/
-          docker build -t ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest .
-          docker push ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest

.gitignore

@@ -1,6 +1,3 @@
 bin/
 .idea/
-.vscode/
 *.swp
-charts/**/*.tgz
-.DS_Store

CODE-OF-CONDUCT.md

@@ -1,19 +0,0 @@
-# Contributor Code of Conduct
-
-We follow the [CNCF Contributor Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md). Additionally, we commit to the following guidelines as detailed on the [Linkerd Code of Conduct](https://github.com/linkerd/linkerd/wiki/Linkerd-code-of-conduct):
-
-## Community Guidelines
-
-- Our goal is to foster an inclusive and diverse community of technology enthusiasts.
-
-- Try to be your best self. Treat your fellow community members with kindness and empathy. We welcome disagreements when they are conducted respectfully and without personal attacks.
-
-- We ask that you keep unstructured critique to a minimum. Disparaging remarks about the project are unnecessary and a drain on community morale. Feedback should be constructive and relevant. Having passionately held opinions on what should improve is encouraged! We hope you will use that enthusiasm to roll up your sleeves and get involved by submitting pull requests. We have additional guidelines on [how to ask constructive questions](https://github.com/linkerd/linkerd/wiki/How-To-Ask-Questions-in-Slack).
-
-- We don't tolerate insults, spamming, trolling, flaming, baiting, or harassment. We don't tolerate sexual language, imagery, or unwanted advances. Private harassment is also unacceptable.
-
-- We do our best to avoid [subtle-isms](https://www.recurse.com/manual#sub-sec-social-rules): small actions that make others feel uncomfortable. If you witness a subtle-ism, you may respectfully point it out to the person publicly or privately, or you may ask a moderator to say something. Accidentally saying something biased is common, expected, and readily forgiven. It is not in and of itself a bannable offense.
-
-## Moderation
-
-- If you feel any of SPIFFE's communication channels require moderation, please e-mail the [SPIFFE Steering Committee (SSC)](mailto:ssc@spiffe.io).

CODEOWNERS

@@ -1,7 +1,7 @@
 # These owners will be the default owners for everything in
 # the repo. Unless a later match takes precedence,
-# they will be requested for review when someone opens a
+# they will be requested for review when someone opens a 
 # pull request.
-*       @marcofranssen @Kfox1111 @dfeldman @faisal-memon @mrsabath @edwbuck
+*       @marcofranssen @Kfox1111 @developer-guy @dfeldman @faisal-memon @mrsabath @edwbuck
 
 # See CODEOWNERS syntax here: https://help.github.com/articles/about-codeowners/#codeowners-syntax

CONTRIBUTING.md

@@ -34,33 +34,16 @@ git checkout «your-branch»
 git rebase main
 ```
 
-## Testing
-
-Our CI pipeline takes care of the majority of the testing of this Chart. Other ways for you to test are by running `make test` locally using:
-
-> [!Warning]
-> Ensure to run the test on a dedicated k8s cluster that does not have Spire installed yet.
-
-```shell
-make test
-```
-
-Another approach to testing the chart is by installing one of the examples in your own cluster to verify your contributed changes work before issueing your PR.
-
 ## Generating documentation
 
-Any changes to Chart.yaml or values.yaml require an update of the README.md. This update can easily be generated using [readme-generator][].
+Any changes to Chart.yaml or values.yaml require an update of the README.md. This update can easily be generated using [helm-docs][].
 
 ```shell
-./helm-docs.sh
+./helm-docs.sh charts/«chart-name»
 ```
 
 ## Bumping Chart version
 
 In contrary to many other Helm repositories we do NOT require contributors to increate the Chart version. We have customized our release pipeline so we can bundle various PRs in a single release. Maintainers of the helm-charts in this repo will take care of the semantic versioning.
 
-[readme-generator]: https://github.com/bitnami-labs/readme-generator-for-helm "Auto generate READMEs for Helm Charts."
-
-## devcontainer support
-
-We have a usable devcontainer with all the dev tools preinstalled to make contributions easier. You should be able to use it via Codespaces (https://github.com/codespaces/), Visual Studio Code (https://code.visualstudio.com/), DevPod (https://devpod.sh), etc. Please consult the documentation for those tools for how to use them.
+[helm-docs]: https://github.com/norwoodj/helm-docs "Generate documentation for your Helm chart."

FAQ.md

@@ -1,83 +0,0 @@
-# Frequently Asked Questions
-
-- [How does this repo relate to the helm-charts repo?](#how-does-this-repo-relate-to-the-helm-charts-repo)
-- [How do I migrate my changeset from the old helm-charts repo to this one?](#how-do-i-migrate-my-changeset-from-the-old-helm-charts-repo-to-this-one)
-- [How do I update my helm registry to point to this one?](#how-do-i-update-my-helm-registry-to-point-to-this-one)
-- [Pods are stuck terminating after uninstall. How do I fix it?](#pods-are-stuck-terminating-after-uninstall-how-do-i-fix-it)
-- [Uninstall is stuck. How do I fix it?](#uninstall-is-stuck-how-do-i-fix-it)
-- [The PSAT plugin is not working](#the-psat-plugin-is-not-working)
-
-## How does this repo relate to the helm-charts repo?
-
-The helm-charts repo has been archived. This repo has all the commit history and releases copied over from that repo and is continuing development to provide a SPIRE helm chart for the community to use and contribute to.
-
-## How do I migrate my changeset from the old helm-charts repo to this one?
-
-Run one of these commands to switch to the new repo:
-
-- If working off a branch (maintainers with write access): `git remote set-url origin git@github.com:spiffe/helm-charts-hardened.git`
-- If working off a fork:
-    1. Create a new fork of helm-charts-hardened
-    1. In your local clone of your old fork of helm-charts: `git remote set-url origin https://github.com/<your new fork>/helm-charts-hardened.git`
-
-Then just `git push` your branches. Git history has been migrated over so you can just push your existing branches without issues.
-
-## How do I update my helm registry to point to this one?
-
-Assuming you named the repo `spiffe`:
-
-``` bash
-helm repo remove spiffe
-helm repo add spiffe https://spiffe.github.io/helm-charts-hardened
-```
-
-## Pods are stuck terminating after uninstall. How do I fix it?
-
-If you uninstall the SPIRE chart before all users of the CSI driver are removed, Pods will get stuck in a terminating state waiting for the driver, that no longer is installed, to unmount the volumes for the Pod. In order to fix this, reinstall the chart and remove all affected workloads that are not part of the SPIRE helm chart itself, before attempting to remove SPIRE again.
-
-You can discover Pods that use the driver with the following command:
-
-```shell
-kubectl get pods --all-namespaces -o go-template='{{range .items}}{{$nn := printf "%s %s" .metadata.namespace .metadata.name}}{{range .spec.volumes}}{{if .csi.driver}}{{if eq .csi.driver "csi.spiffe.io"}}{{printf "%s\n" $nn}}{{end}}{{end}}{{end}}{{end}}'
-```
-
-## Uninstall is stuck. How do I fix it?
-
-If you uninstall the SPIFFE CSI driver manually before removing the chart, Pods can still be using the driver and are unable to unmount the CSI volume.
-
-To resolve, reinstall the chart before trying to remove it again.
-
-## The PSAT plugin is not working
-
-The chart requires `Projected Service Account Tokens` which has to be enabled on your Kubernetes API server. In most cases this is already done for you.
-
-> [!Note]
-> This is enabled by default with newer versions as shown by the existence of:
->
-> ```yaml
->        - --service-account-issuer
->        - --service-account-key-file
->        - --service-account-signing-key-file
-> ```
-
-See [Service Account Token Volume Projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) in the Kubernetes docs for more details.
-
-To enable Projected Service Account Tokens on Docker for Mac/Windows run the following
-command to SSH into the Docker Desktop K8s VM.
-
-```bash
-docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
-```
-
-Then add the following to `/etc/kubernetes/manifests/kube-apiserver.yaml`
-
-```yaml
-spec:
-  containers:
-    - command:
-        - kube-apiserver
-        - --api-audiences=api,spire-server
-        - --service-account-issuer=api,spire-agent
-        - --service-account-key-file=/run/config/pki/sa.pub
-        - --service-account-signing-key-file=/run/config/pki/sa.key
-```

Makefile

@@ -1,70 +0,0 @@
-TARGET_BRANCH ?= main
-
-.PHONY: help
-help: ## Display this help.
-	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
-
-##@ Linting:
-
-.PHONY: lint
-lint: ## Lint the charts using chart-testing
-	@echo Linting charts…
-	@ct lint --config ct.yaml --target-branch $(TARGET_BRANCH) --check-version-increment=false
-
-lint-release: ## Lint the charts using chart-testing for release
-	@echo Linting charts…
-	@ct lint --config ct.yaml --target-branch $(TARGET_BRANCH)
-
-##@ Testing: (ensure to run on dedicated test cluster)
-
-.PHONY: clean-test-leftovers
-clean-test-leftovers: ## Cleans up any lingering resources in case tests fail massively
-	@echo Cleanup potential leftovers…
-	@-kubectl delete csidrivers.storage.k8s.io csi.spiffe.io \
-		&>/dev/null || true
-	@-kubectl delete ns \
-		$$(kubectl get ns -o json | jq -r '.items[] | .metadata.name' | grep spire) \
-		&>/dev/null || true
-	@-kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io \
-		$$(kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io -o json | jq -r '.items[] | .metadata.name' | grep spire) \
-		&>/dev/null || true
-
-.PHONY: test
-test: install-test-deps test-charts test-examples ## Run all chart tests and example tests
-
-.PHONY: install-test-deps
-install-test-deps: ## Install test dependency resources
-	@echo Installing test dependencies…
-	@.github/tests/pre-install.sh
-
-.PHONY: test-charts
-test-charts: ## Run tests on charts using Helm chart-testing
-	@echo Running tests…
-	@ct install --config ct.yaml
-
-.PHONY: cleanup-test-deps
-cleanup-test-deps: ## Cleans up all test dependencies resources
-	@echo Uninstalling test dependencies…
-	@helm uninstall -n cert-manager cert-manager 2>/dev/null || true
-	@kubectl delete ns cert-manager 2>/dev/null || true
-	@helm uninstall -n prometheus kube-prometheus-stack 2>/dev/null || true
-	@kubectl delete ns prometheus 2>/dev/null || true
-	@helm uninstall -n mysql mysql 2>/dev/null|| true
-	@kubectl delete ns mysql 2>/dev/null || true
-	@helm uninstall -n postgresql postgresql 2>/dev/null || true
-	@kubectl delete ns postgresql 2>/dev/null || true
-	@helm uninstall -n ingress-nginx ingress-nginx 2>/dev/null || true
-	@kubectl delete ns ingress-nginx 2>/dev/null || true
-
-test-example-%:
-	@echo Running tests for $* example…
-	@examples/$*/run-tests.sh
-	@echo
-
-.PHONY: test-examples
-test-examples: $(patsubst examples/%/values.yaml,test-example-%,$(wildcard examples/*/values.yaml)) ## Run `helm install` and `helm test` for all the examples containing `run-tests.sh`
-
-.PHONY: diagrams
-diagrams: ## Builds diagrams
-	@dot -Tpng examples/nested/singlehardened.dot > examples/nested/singlehardened.png
-	@dot -Tpng examples/nested/multicluster.dot > examples/nested/multicluster.png

README.md

@@ -1,7 +1,4 @@
->  **Note**
-> Things to consider:
-> 1. We do not support running out of the git main branch. This is where development happens. Please use released versions via the published repo or git tags.
-> 2. All the helm charts in this repo are beta. We encourage you to try them out and contribute. The API may change as we move towards a production ready release.
+> **Note**: All the helm charts in this repo are beta. We encourage you to try them out and contribute. The API may change as we move towards a production ready release.
 
 # SPIFFE Helm Charts
 
@@ -11,10 +8,24 @@
 
 A suite of [Helm Charts](https://helm.sh/docs) for standardized installations of SPIRE components in Kubernetes environments.
 
-## How to install or upgrade
+## Add Helm repository
 
-You most likely want to do an integrated setup based on the spire chart.
-See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire#install-instructions).
+```bash
+helm repo add spiffe https://spiffe.github.io/helm-charts/
+helm repo update
+```
+
+## Dependencies and Version Compatibility
+
+Unless otherwise noted in an application chart README, the following dependencies will follow these prescribed version compatibility rules.
+
+| Dependency | Supported Versions |
+|:-----------|:-------------------|
+| SPIRE      | `1.5.3`+, `1.6.x`  |
+| Helm       | `3.x`              |
+| Kubernetes | `1.22+`            |
+
+> **Note**: For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden. *The first version we tested this chart with is `1.22`.*
 
 ## Contributing
 

charts/spiffe-step-ssh/Chart.yaml

@@ -1,42 +0,0 @@
-apiVersion: v2
-name: spiffe-step-ssh
-description: sshd signed host certificates using SPIFFE for trust and step CA
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.1
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
-
-keywords: ["spiffe", "step", "step-ca", "ssh"]
-home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spiffe-step-ssh
-sources:
-  - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spiffe-step-ssh
-icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
-maintainers:
-  - name: kfox1111
-    email: Kevin.Fox@pnnl.gov
-
-dependencies:
-  - name: spire-lib
-    repository: file://../spire/charts/spire-lib
-    version: 0.1.0
-  - name: step-certificates
-    alias: step
-    repository: https://smallstep.github.io/helm-charts/
-    version: 1.27.4

charts/spiffe-step-ssh/README.md

@@ -1,65 +0,0 @@
-spire-values.yaml
-```
-spire-server:
-  nodeAttestor:
-    httpChallenge:
-      enabled: true
-  controllerManager:
-    identities:
-      clusterSPIFFEIDs:
-        spiffe-step-ssh-config:
-          type: raw
-          namespaceSelector:
-            matchLabels:
-              "kubernetes.io/metadata.name": default
-          podSelector:
-            matchLabels:
-              app: spiffe-step-ssh
-              component: config
-        spiffe-step-ssh-fetchca:
-          type: raw
-          namespaceSelector:
-            matchLabels:
-              "kubernetes.io/metadata.name": default
-          podSelector:
-            matchLabels:
-              app: spiffe-step-ssh
-              component: fetchca
-          dnsNameTemplates:
-          - "spiffe-step-ssh-fetchca.{{ .TrustDomain }}"
-```
-
-```shell
-helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
-helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f spire-values.yaml --set global.spire.ingressControllerType=ingress-nginx,spire-server.ingress.enabled=true
-```
-
-```shell
-helm upgrade --install ingress-nginx ingress-nginx -n ingress-nginx --create-namespace --repo https://kubernetes.github.io/ingress-nginx --set controller.service.type=ClusterIP,controller.service.externalIPs[0]=$(minikube ip) --set controller.watchIngressWithoutClass=true --set controller.extraArgs.enable-ssl-passthrough=
-```
-
-```shell
-PASSWORD=$(openssl rand -base64 48)
-echo "$PASSWORD" > spiffe-step-ssh-password.txt
-step ca init --helm --deployment-type=Standalone --name='My CA' --dns spiffe-step-ssh.example.org --ssh --address :8443 --provisioner default --password-file spiffe-step-ssh-password.txt > spiffe-step-ssh-values.yaml
-```
-
-ingress-values.yaml
-```yaml
-global:
-  spiffe:
-    ingressControllerType: ingress-nginx
-stepIngress:
-  enabled: true
-fetchCA:
-  ingress:
-    enabled: true
-```
-
-```shell
-helm upgrade --install spiffe-step-ssh . --set caPassword=`cat spiffe-step-ssh-password.txt` -f spiffe-step-ssh-values.yaml -f ingress-values.yaml --set trustDomain=example.org
-```
-
-<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
-
-## Parameters

charts/spiffe-step-ssh/ci/default-values.yaml

@@ -1 +0,0 @@
-trustDomain: example.org

charts/spiffe-step-ssh/files/ssh_x5c.tpl

@@ -1,13 +0,0 @@
-{{- if eq (len .AuthorizationCrt.URIs) 1 }}
-{{-   $san := printf "%s" (index .AuthorizationCrt.URIs 0) }}
-{{-   if hasPrefix "spiffe://@TRUST_DOMAIN@/@PREFIX@/" $san }}
-{{-     $name := trimPrefix "spiffe://@TRUST_DOMAIN@/@PREFIX@/" $san }}
-{
-  "type": {{ toJson .Type }},
-  "keyId": {{ toJson $name }},
-  "principals": [{{ toJson $name }}],
-  "extensions": {{ toJson .Extensions }},
-  "criticalOptions": {{ toJson .CriticalOptions }}
-}
-{{-   end }}
-{{- end }}

charts/spiffe-step-ssh/templates/NOTES.txt

@@ -1,5 +0,0 @@
-Installed {{ .Chart.Name }}…
-
-Configure your ssh clients with known_hosts file with:
-
-@cert-authority *.{{ .Values.trustDomain }} {{ .Values.inject.certificates.ssh_host_ca }}

charts/spiffe-step-ssh/templates/_helpers.tpl

@@ -1,83 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "spiffe-step-ssh.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "spiffe-step-ssh.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "spiffe-step-ssh.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "spiffe-step-ssh.labels" -}}
-helm.sh/chart: {{ include "spiffe-step-ssh.chart" . }}
-{{ include "spiffe-step-ssh.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "spiffe-step-ssh.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "spiffe-step-ssh.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "spiffe-step-ssh.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "spiffe-step-ssh.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
-
-{{/* Takes in a dictionary with keys:
- * global - the standard global object
- * ingress - a standard format ingress config object
-*/}}
-{{- define "spiffe-step-ssh.ingress-controller-type" }}
-{{-   $type := "" }}
-{{-   if ne (len (dig "spiffe" "ingressControllerType" "" .global)) 0 }}
-{{-     $type = .global.spiffe.ingressControllerType }}
-{{-   else if ne .ingress.controllerType "" }}
-{{-     $type = .ingress.controllerType }}
-{{-   else if (dig "openshift" false .global) }}
-{{-     $type = "openshift" }}
-{{-   else }}
-{{-     $type = "other" }}
-{{-   end }}
-{{-   if not (has $type (list "ingress-nginx" "openshift" "other")) }}
-{{-     fail "Unsupported ingress controller type specified. Must be one of [ingress-nginx, openshift, other]" }}
-{{-   end }}
-{{-   $type }}
-{{- end }}

charts/spiffe-step-ssh/templates/config-configmap.yaml

@@ -1,25 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "spiffe-step-ssh.fullname" . }}-config-deployment
-  labels:
-    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
-data:
-  spiffe-helper.conf: |
-    agent_address = "/spiffe-workload-api/spire-agent.sock"
-    cmd = "sh"
-    cmd_args = "/config-deployment/update.sh"
-    cert_dir = "/certs"
-    svid_file_name = "tls.crt"
-    svid_key_file_name = "tls.key"
-    svid_bundle_file_name = "ca.pem"
-    add_intermediates_to_bundle = false
-  update.sh: |
-    #!/bin/sh
-    export ROOTS=$(base64 /certs/ca.pem | tr '\n' ' ' | sed 's/ //g')
-    echo Updating Roots to "$ROOTS"
-    cat /config/ca.json > /work/ca.json
-    yq e -i -ojson '.authority.provisioners |= map(select(.name == "x5c@spiffe").roots = env(ROOTS))' /work/ca.json
-    /helper/kubectl create configmap {{ include "spiffe-step-ssh.fullname" . }}-config -n "{{ .Release.Namespace }}" --from-file=/work/ca.json --from-file=/config/defaults.json --from-file=/config/ssh_x5c.tpl --dry-run=client -o yaml | /helper/kubectl apply -f -
-    /helper/kubectl rollout restart statefulset {{ include "spiffe-step-ssh.fullname" . }} -n "{{ .Release.Namespace }}"
-    echo $?

charts/spiffe-step-ssh/templates/config-deployment.yaml

@@ -1,143 +0,0 @@
-{{- $configSum := (include (print $.Template.BasePath "/config-configmap.yaml") . | sha256sum) }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "spiffe-step-ssh.fullname" . }}-config
-  labels:
-    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
-    app: spiffe-step-ssh
-    component: config
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      {{- include "spiffe-step-ssh.selectorLabels" . | nindent 6 }}
-      app: spiffe-step-ssh
-      component: config
-  template:
-    metadata:
-      annotations:
-        checksum/config: {{ $configSum }}
-        {{- with .Values.podAnnotations }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-      labels:
-        {{- include "spiffe-step-ssh.labels" . | nindent 8 }}
-        {{- with .Values.podLabels }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-        app: spiffe-step-ssh
-        component: config
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "spiffe-step-ssh.serviceAccountName" . }}-svc-config
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      initContainers:
-      - name: setup-volume-p1
-        image: {{ template "spire-lib.image" (dict "image" .Values.busybox.image "global" .Values.global) }}
-        imagePullPolicy: {{ .Values.busybox.image.pullPolicy }}
-        command:
-        - sh
-        - -c
-        - 'cp -a /bin/busybox /helper'
-        securityContext:
-          {{- toYaml .Values.securityContext | nindent 12 }}
-        volumeMounts:
-        - name: spiffe-helper
-          mountPath: /helper
-        resources:
-          {{- toYaml .Values.config.resources | nindent 12 }}
-      - name: setup-volume-p2
-        image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
-        imagePullPolicy: {{ .Values.kubectl.image.pullPolicy }}
-        command:
-        - /helper/busybox
-        - sh
-        - -c
-        - '/helper/busybox cp -a /bin/kubectl /helper'
-        securityContext:
-          {{- toYaml .Values.securityContext | nindent 12 }}
-        volumeMounts:
-        - name: spiffe-helper
-          mountPath: /helper
-        resources:
-          {{- toYaml .Values.config.resources | nindent 12 }}
-      - name: setup-volume-p3
-        image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
-        imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
-        command:
-        - /helper/busybox
-        - sh
-        - -c
-        - '/helper/busybox cp -a /spiffe-helper /helper && /helper/busybox rm -f /helper/busybox'
-        securityContext:
-          {{- toYaml .Values.securityContext | nindent 12 }}
-        volumeMounts:
-        - name: spiffe-helper
-          mountPath: /helper
-        resources:
-          {{- toYaml .Values.config.resources | nindent 12 }}
-      containers:
-      - name: {{ .Chart.Name }}
-        securityContext:
-          {{- toYaml .Values.securityContext | nindent 12 }}
-        image: {{ template "spire-lib.image" (dict "image" .Values.yq.image "global" .Values.global) }}
-        imagePullPolicy: {{ .Values.yq.image.pullPolicy }}
-        command:
-        - /helper/spiffe-helper
-        - -config
-        - /config-deployment/spiffe-helper.conf
-        resources:
-          {{- toYaml .Values.config.resources | nindent 12 }}
-        volumeMounts:
-        - name: spiffe-helper
-          mountPath: /helper
-          readOnly: true
-        - name: config
-          mountPath: /config
-          readOnly: true
-        - name: config-deployment
-          mountPath: /config-deployment
-          readOnly: true
-        - name: certdir
-          mountPath: /certs
-        - name: spiffe-workload-api
-          mountPath: /spiffe-workload-api
-          readOnly: true
-        - name: workdir
-          mountPath: /work
-      volumes:
-      - name: spiffe-workload-api
-        csi:
-          driver: {{ .Values.csiDriver | quote }}
-          readOnly: true
-      - name: config-deployment
-        configMap:
-          name: {{ include "spiffe-step-ssh.fullname" . }}-config-deployment
-      - name: config
-        configMap:
-          name: {{ include "spiffe-step-ssh.fullname" . }}-config-raw
-      - name: certdir
-        emptyDir: {}
-      - name: spiffe-helper-config
-        emptyDir: {}
-      - name: spiffe-helper
-        emptyDir: {}
-      - name: workdir
-        emptyDir: {}
-      {{- with .Values.config.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.config.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.config.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

charts/spiffe-step-ssh/templates/config-role.yaml

@@ -1,41 +0,0 @@
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
-rules:
-  - apiGroups: [""]
-    resources: [configmaps]
-    verbs:
-      - create
-  - apiGroups: [""]
-    resources: [configmaps]
-    resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}-config]
-    verbs:
-      - get
-      - update
-      - patch
-  - apiGroups: ["apps"]
-    resources: [statefulsets]
-    resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}]
-    verbs:
-      - get
-      - patch
-  - apiGroups: ["apps"]
-    resources: [deployments]
-    resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}-fetchca]
-    verbs:
-      - get
-      - patch
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
-    namespace: {{ .Release.Namespace }}
-roleRef:
-  kind: Role
-  name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
-  apiGroup: rbac.authorization.k8s.io

charts/spiffe-step-ssh/templates/config-serviceaccount.yaml

@@ -1,13 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "spiffe-step-ssh.serviceAccountName" . }}-svc-config
-  labels:
-    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
-    component: config
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

charts/spiffe-step-ssh/templates/fetchca-configmap.yaml

@@ -1,28 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
-  labels:
-    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
-data:
-  spiffe-helper-init.conf: |
-    agent_address = "/spiffe-workload-api/spire-agent.sock"
-    cmd = ""
-    cmd_args = ""
-    cert_dir = "/certs"
-    svid_file_name = "tls.crt"
-    svid_key_file_name = "tls.key"
-    svid_bundle_file_name = "ca.pem"
-    add_intermediates_to_bundle = false
-  spiffe-helper-sidecar.conf: |
-    agent_address = "/spiffe-workload-api/spire-agent.sock"
-    cmd = "/busybox/busybox"
-    cmd_args = "sh /update.sh"
-    cert_dir = "/certs"
-    svid_file_name = "tls.crt"
-    svid_key_file_name = "tls.key"
-    svid_bundle_file_name = "ca.pem"
-    add_intermediates_to_bundle = false
-  update.sh: |
-    #!/bin/sh
-    /busybox/busybox kill -HUP `/busybox/busybox busybox cat /pid/pid`

charts/spiffe-step-ssh/templates/fetchca-deployment.yaml

@@ -1,182 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
-  labels:
-    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
-    app: spiffe-step-ssh
-    component: fetchca
-spec:
-  {{- if not .Values.fetchCA.autoscaling.enabled }}
-  replicas: {{ .Values.fetchCA.replicaCount }}
-  {{- end }}
-  selector:
-    matchLabels:
-      {{- include "spiffe-step-ssh.selectorLabels" . | nindent 6 }}
-      app: spiffe-step-ssh
-      component: fetchca
-  template:
-    metadata:
-      {{- with .Values.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        {{- include "spiffe-step-ssh.labels" . | nindent 8 }}
-        {{- with .Values.podLabels }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-        app: spiffe-step-ssh
-        component: fetchca
-    spec:
-      shareProcessNamespace: true
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "spiffe-step-ssh.serviceAccountName" . }}-fetchca
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      initContainers:
-        - name: busybox-volume
-          image: {{ template "spire-lib.image" (dict "image" .Values.busybox.image "global" .Values.global) }}
-          imagePullPolicy: {{ .Values.busybox.image.pullPolicy }}
-          command:
-          - sh
-          - -c
-          - 'cp -a /bin/busybox /busybox'
-          volumeMounts:
-          - name: busybox
-            mountPath: /busybox
-          resources:
-            {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
-        - name: init-tls
-          image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
-          imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
-          command:
-          - /spiffe-helper
-          - -config
-          - /etc/spiffe-helper.conf
-          - -daemon-mode=false
-          volumeMounts:
-          - name: spiffe-workload-api
-            mountPath: /spiffe-workload-api
-            readOnly: true
-          - name: config
-            mountPath: /etc/spiffe-helper.conf
-            subPath: spiffe-helper-init.conf
-            readOnly: true
-          - name: certs
-            mountPath: /certs
-          resources:
-            {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
-      containers:
-        - name: {{ .Chart.Name }}-fetchca
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: {{ template "spire-lib.image" (dict "image" .Values.nginx.image "global" .Values.global) }}
-          imagePullPolicy: {{ .Values.nginx.image.pullPolicy }}
-          command:
-          - /bin/sh
-          - -c
-          - |
-            echo $$$$ > /pid/pid
-            cat > /etc/nginx/conf.d/ssl.conf <<EOF
-            server {
-                listen       8443 ssl;
-                server_name  localhost;
-                ssl_certificate     /certs/tls.crt;
-                ssl_certificate_key /certs/tls.key;
-                location / {
-                    root   /usr/share/nginx/html;
-                    index  root_ca.crt index.html index.htm;
-                }
-                error_page   500 502 503 504  /50x.html;
-                location = /50x.html {
-                    root   /usr/share/nginx/html;
-                }
-            }
-            EOF
-            exec nginx -g "daemon off;"
-          ports:
-            - name: http
-              containerPort: 8443
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /
-              port: http
-              scheme: HTTPS
-          readinessProbe:
-            httpGet:
-              path: /
-              port: http
-              scheme: HTTPS
-          resources:
-            {{- toYaml .Values.fetchCA.resources | nindent 12 }}
-          volumeMounts:
-          - name: certs
-            mountPath: /certs
-            readOnly: true
-          - name: pid
-            mountPath: /pid
-          - name: share
-            mountPath: /usr/share/nginx/html
-        - name: update-tls
-          image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
-          imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
-          command:
-          - /spiffe-helper
-          - -config
-          - /etc/spiffe-helper.conf
-          volumeMounts:
-          - name: certs
-            mountPath: /certs
-          - name: spiffe-workload-api
-            mountPath: /spiffe-workload-api
-            readOnly: true
-          - name: config
-            mountPath: /etc/spiffe-helper.conf
-            subPath: spiffe-helper-sidecar.conf
-            readOnly: true
-          - name: config
-            mountPath: /update.sh
-            subPath: update.sh
-            readOnly: true
-          - name: pid
-            mountPath: /pid
-            readOnly: true
-          - name: busybox
-            mountPath: /busybox
-            readOnly: true
-          resources:
-            {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
-      volumes:
-      - name: certs
-        emptyDir: {}
-      - name: pid
-        emptyDir: {}
-      - name: busybox
-        emptyDir: {}
-      - name: config
-        configMap:
-          name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
-      - name: spiffe-workload-api
-        csi:
-          driver: {{ .Values.csiDriver | quote }}
-          readOnly: true
-      - name: share
-        configMap:
-          name: {{ include "spiffe-step-ssh.fullname" . }}-certs
-      {{- with .Values.fetchCA.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.fetchCA.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.fetchCA.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

charts/spiffe-step-ssh/templates/fetchca-hpa.yaml

@@ -1,32 +0,0 @@
-{{- if .Values.fetchCA.autoscaling.enabled }}
-apiVersion: autoscaling/v2
-kind: HorizontalPodAutoscaler
-metadata:
-  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchCA
-  labels:
-    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
-spec:
-  scaleTargetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
-  minReplicas: {{ .Values.fetchCA.autoscaling.minReplicas }}
-  maxReplicas: {{ .Values.fetchCA.autoscaling.maxReplicas }}
-  metrics:
-    {{- if .Values.fetchCA.autoscaling.targetCPUUtilizationPercentage }}
-    - type: Resource
-      resource:
-        name: cpu
-        target:
-          type: Utilization
-          averageUtilization: {{ .Values.fetchCA.autoscaling.targetCPUUtilizationPercentage }}
-    {{- end }}
-    {{- if .Values.fetchCA.autoscaling.targetMemoryUtilizationPercentage }}
-    - type: Resource
-      resource:
-        name: memory
-        target:
-          type: Utilization
-          averageUtilization: {{ .Values.fetchCA.autoscaling.targetMemoryUtilizationPercentage }}
-    {{- end }}
-{{- end }}

charts/spiffe-step-ssh/templates/fetchca-ingress.yaml

@@ -1,31 +0,0 @@
-{{- if .Values.fetchCA.ingress.enabled -}}
-{{- $ingressControllerType := include "spiffe-step-ssh.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.fetchCA.ingress) }}
-{{- $fullName := printf "%s-fetchca" (include "spiffe-step-ssh.fullname" .) -}}
-{{- $path := "/" }}
-{{- $pathType := "Prefix" }}
-{{- $tlsSection := true }}
-{{- $annotations := deepCopy .Values.fetchCA.ingress.annotations }}
-{{- if eq $ingressControllerType "ingress-nginx" }}
-{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
-{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
-{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
-{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
-{{- else if eq $ingressControllerType "openshift" }}
-{{-   $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
-{{-   $path = "" }}
-{{-   $pathType = "ImplementationSpecific" }}
-{{-   $tlsSection = false }}
-{{- end }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ $fullName }}
-  labels:
-    {{ include "spiffe-step-ssh.labels" . | nindent 4}}
-  {{- with $annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.fetchCA.ingress "svcName" $fullName "port" .Values.fetchCA.service.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
-{{- end }}

charts/spiffe-step-ssh/templates/fetchca-service.yaml

@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
-  labels:
-    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
-    app: spiffe-step-ssh
-    component: fetchca
-spec:
-  type: {{ .Values.fetchCA.service.type }}
-  ports:
-    - port: {{ .Values.fetchCA.service.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    {{- include "spiffe-step-ssh.selectorLabels" . | nindent 4 }}

charts/spiffe-step-ssh/templates/fetchca-serviceaccount.yaml

@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "spiffe-step-ssh.serviceAccountName" . }}-fetchca
-  labels:
-    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

charts/spiffe-step-ssh/templates/ssh-certificate-issuer-password-secret.yaml

@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "spiffe-step-ssh.fullname" . }}-certificate-issuer-password
-  labels:
-    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
-data:
-  password: {{ .Values.caPassword | b64enc }}

charts/spiffe-step-ssh/templates/step-ca-password-secret.yaml

@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "spiffe-step-ssh.fullname" . }}-ca-password
-  labels:
-    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
-data:
-  password: {{ .Values.caPassword | b64enc }}

charts/spiffe-step-ssh/templates/step-certs-configmap.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "spiffe-step-ssh.fullname" . }}-certs
-  labels:
-    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
-data:
-  "root_ca.crt": |
-    {{- .Values.inject.certificates.root_ca | nindent 4}}
-  "intermediate_ca.crt": |
-    {{ .Values.inject.certificates.intermediate_ca | nindent 4}}
-  "ssh_host_ca_key.pub": |
-    {{ .Values.inject.certificates.ssh_host_ca | nindent 4 }}
-  "ssh_user_ca_key.pub": |
-    {{ .Values.inject.certificates.ssh_user_ca | nindent 4 }}

charts/spiffe-step-ssh/templates/step-config.yaml

@@ -1,32 +0,0 @@
-{{- define "spiffe-step-ssh.config-provisioners" }}
-type: X5C
-name: "x5c@spiffe"
-roots: ""
-claims:
-  maxTLSCertDuration: {{ .Values.maxTLSCertDuration | quote }}
-  defaultTLSCertDuration: {{ .Values.defaultTLSCertDuration | quote }}
-  disableRenewal: true
-  enableSSHCA: true
-disableCustomSANs: true
-options:
- ssh:
-   templateFile: /home/step/config/ssh_x5c.tpl
-{{- end }}
-{{ $ca := deepCopy (index .Values.inject.config.files "ca.json") }}
-{{ $_ := set $ca.authority "provisioners" (list (include "spiffe-step-ssh.config-provisioners" . | fromYaml )) }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "spiffe-step-ssh.fullname" . }}-config-raw
-  labels:
-    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
-data:
-  "ca.json": |
-    {{- $ca | toPrettyJson | nindent 4 }}
-  "defaults.json": |
-    {{- index .Values.inject.config.files "defaults.json" | toPrettyJson | nindent 4 }}
-{{- if eq .Values.trustDomain "" }}
-{{-   fail "You must set trustDomain" }}
-{{- end }}
-  "ssh_x5c.tpl": |
-    {{- .Files.Get "files/ssh_x5c.tpl" | replace "@TRUST_DOMAIN@" .Values.trustDomain | replace "@PREFIX@" .Values.prefix | nindent 4}}

charts/spiffe-step-ssh/templates/step-ingress.yaml

@@ -1,31 +0,0 @@
-{{- if .Values.stepIngress.enabled -}}
-{{- $ingressControllerType := include "spiffe-step-ssh.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.stepIngress) }}
-{{- $fullName := printf "%s" (include "spiffe-step-ssh.fullname" .) -}}
-{{- $path := "/" }}
-{{- $pathType := "Prefix" }}
-{{- $tlsSection := true }}
-{{- $annotations := deepCopy .Values.stepIngress.annotations }}
-{{- if eq $ingressControllerType "ingress-nginx" }}
-{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
-{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
-{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
-{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
-{{- else if eq $ingressControllerType "openshift" }}
-{{-   $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
-{{-   $path = "" }}
-{{-   $pathType = "ImplementationSpecific" }}
-{{-   $tlsSection = false }}
-{{- end }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ $fullName }}
-  labels:
-    {{ include "spiffe-step-ssh.labels" . | nindent 4}}
-  {{- with $annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.stepIngress "svcName" $fullName "port" .Values.step.service.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
-{{- end }}

charts/spiffe-step-ssh/templates/step-secret.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "spiffe-step-ssh.fullname" . }}-secrets
-  labels:
-    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
-data:
-  root_ca_key: {{ .Values.inject.secrets.x509.root_ca_key | b64enc }}
-  intermediate_ca_key: {{ .Values.inject.secrets.x509.intermediate_ca_key | b64enc }}
-  ssh_host_ca_key: {{ .Values.inject.secrets.ssh.host_ca_key | b64enc }}
-  ssh_user_ca_key: {{ .Values.inject.secrets.ssh.user_ca_key | b64enc }}

charts/spiffe-step-ssh/templates/step-ssh-host-ca-password-secret.yaml

@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "spiffe-step-ssh.fullname" . }}-ssh-host-ca-password
-  labels:
-    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
-data:
-  password: {{ .Values.caPassword | b64enc }}

charts/spiffe-step-ssh/templates/step-ssh-user-ca-password-secret.yaml

@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "spiffe-step-ssh.fullname" . }}-ssh-user-ca-password
-  labels:
-    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
-data:
-  password: {{ .Values.caPassword | b64enc }}

charts/spiffe-step-ssh/values.yaml

@@ -1,292 +0,0 @@
-# Default values for spiffe-step-ssh.
-# SPDX-License-Identifier: APACHE-2.0
-
-global:
-  spiffe:
-    ## @param global.spiffe.ingressControllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
-    ingressControllerType: ""
-
-## @param trustDomain The trust domain for SPIRE
-trustDomain: ""
-## @param caPassword Password securing the SSH CA
-caPassword: ""
-## @param maxTLSCertDuration The maximum duration the X5C traded cert is valid for.
-maxTLSCertDuration: 24h
-## @param defaultTLSCertDuration The default duration the X5C traded cert is valid for.
-defaultTLSCertDuration: 1h
-## @param prefix Prefix where hosts show up that are allowed to get ssh host certs
-prefix: sshd
-## @param csiDriver The csi driver to use
-csiDriver: csi.spiffe.io
-
-## @skip inject
-## These will be generated by the step-ca tool
-inject:
-  secrets:
-    x509:
-      root_ca_key: ""
-      intermediate_ca_key: ""
-    ssh:
-      host_ca_key: ""
-      user_ca_key: ""
-  config:
-    files:
-      ca.json:
-        authority: {}
-  certificates:
-    root_ca: ""
-    intermediate_ca: ""
-    ssh_host_ca: ""
-    ssh_user_ca: ""
-
-stepIngress:
-  ## @param stepIngress.enabled Flag to enable ingress
-  enabled: false
-  ## @param stepIngress.className Ingress class name
-  className: ""
-  ## @param stepIngress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
-  controllerType: ""
-  ## @param stepIngress.annotations [object] Annotations for the ingress object
-  annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
-    # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
-    # If Profile Type == https_spiffe:
-    # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
-
-  ## @param stepIngress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
-  host: "spiffe-step-ssh"
-
-  ## @param stepIngress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
-  tlsSecret: ""
-
-  ## @param stepIngress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
-  hosts: []
-  #  - host: spiffe-step-ssh.example.org
-  #    paths:
-  #      - path: /
-  #        pathType: Prefix
-
-  ## @param stepIngress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
-  tls: []
-  #  - hosts:
-  #      - spiffe-step-ssh.example.org
-
-## @skip step
-step:
-  service:
-    port: 443
-    targetPort: 8443
-  inject:
-    enabled: false
-  bootstrap:
-    enabled: false
-    configmaps: false
-    secrets: false
-  existingSecrets:
-    enabled: true
-    ca: true
-    issuer: true
-    certsAsSecret: false
-    configAsSecret: false
-    sshHostCa: true
-    sshUserCa: true
-
-spiffeHelper:
-  ## @param spiffeHelper.image.registry The OCI registry to pull the image from
-  ## @param spiffeHelper.image.repository The repository within the registry
-  ## @param spiffeHelper.image.pullPolicy The image pull policy
-  ## @param spiffeHelper.image.tag Overrides the image tag whose default is the chart appVersion
-  ##
-  image:
-    registry: ghcr.io
-    repository: spiffe/spiffe-helper
-    pullPolicy: IfNotPresent
-    tag: 0.8.0
-
-nginx:
-  ## @param nginx.image.registry The OCI registry to pull the image from
-  ## @param nginx.image.repository The repository within the registry
-  ## @param nginx.image.pullPolicy The image pull policy
-  ## @param nginx.image.tag Overrides the image tag whose default is the chart appVersion
-  ##
-  image:
-    registry: docker.io
-    repository: nginxinc/nginx-unprivileged
-    pullPolicy: IfNotPresent
-    tag: 1.25.3-alpine
-
-kubectl:
-  ## @param kubectl.image.registry The OCI registry to pull the image from
-  ## @param kubectl.image.repository The repository within the registry
-  ## @param kubectl.image.pullPolicy The image pull policy
-  ## @param kubectl.image.tag Overrides the image tag whose default is the chart appVersion
-  ##
-  image:
-    registry: registry.k8s.io
-    repository: kubectl
-    pullPolicy: IfNotPresent
-    tag: ""
-
-yq:
-  ## @param yq.image.registry The OCI registry to pull the image from
-  ## @param yq.image.repository The repository within the registry
-  ## @param yq.image.pullPolicy The image pull policy
-  ## @param yq.image.tag Overrides the image tag whose default is the chart appVersion
-  ##
-  image:
-    registry: docker.io
-    repository: mikefarah/yq
-    pullPolicy: IfNotPresent
-    tag: "4.40.5"
-
-busybox:
-  ## @param busybox.image.registry The OCI registry to pull the image from
-  ## @param busybox.image.repository The repository within the registry
-  ## @param busybox.image.pullPolicy The image pull policy
-  ## @param busybox.image.tag Overrides the image tag whose default is the chart appVersion
-  ##
-  image:
-    registry: docker.io
-    repository: busybox
-    pullPolicy: IfNotPresent
-    tag: "1.36.1-uclibc"
-
-## @param imagePullSecrets [array] Pull secrets for images
-imagePullSecrets: []
-
-## @param nameOverride Name override
-nameOverride: ""
-
-## @param fullnameOverride Fullname override
-fullnameOverride: ""
-
-## @param serviceAccount.create Specifies whether a service account should be created
-## @param serviceAccount.annotations [object] Annotations to add to the service account
-## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
-##
-serviceAccount:
-  create: true
-  annotations: {}
-  name: ""
-
-## @param podAnnotations [object] Additional pod annotations to add
-podAnnotations: {}
-## @param podLabels [object] Additional pod labels to add
-podLabels: {}
-
-## @param podSecurityContext [object} Specify pod security context settings
-podSecurityContext: {}
-  # fsGroup: 2000
-
-## @param securityContext [object] Specify container security context settings
-securityContext:
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
-  # FIXME
-  runAsUser: 0
-
-fetchCA:
-  ## @param fetchCA.replicaCount Number of replicas to launch
-  replicaCount: 1
-
-  ## @param fetchCA.service.type The type of service to deploy
-  ## @param fetchCA.service.port The port number of the service port
-  service:
-    type: ClusterIP
-    port: 443
-
-  ingress:
-    ## @param fetchCA.ingress.enabled Flag to enable ingress
-    enabled: false
-    ## @param fetchCA.ingress.className Ingress class name
-    className: ""
-    ## @param fetchCA.ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
-    controllerType: ""
-    ## @param fetchCA.ingress.annotations [object] Annotations for the ingress object
-    annotations: {}
-      # kubernetes.io/ingress.class: nginx
-      # kubernetes.io/tls-acme: "true"
-      # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
-      # If Profile Type == https_spiffe:
-      # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
-
-    ## @param fetchCA.ingress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
-    host: "spiffe-step-ssh-fetchca"
-
-    ## @param fetchCA.ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
-    tlsSecret: ""
-
-    ## @param fetchCA.ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
-    hosts: []
-    #  - host: spiffe-step-ssh-fetchca.example.org
-    #    paths:
-    #      - path: /
-    #        pathType: Prefix
-
-    ## @param fetchCA.ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
-    tls: []
-    #  - hosts:
-    #      - spiffe-step-ssh-fetchca.example.org
-
-  ## @param fetchCA.autoscaling.enabled Enable autoscaling
-  ## @param fetchCA.autoscaling.minReplicas Minimum number of replicas to deploy
-  ## @param fetchCA.autoscaling.maxReplicas Maximum number of replicas to deploy
-  ## @param fetchCA.autoscaling.targetCPUUtilizationPercentage Target CPU utilization to use for autoscaling
-  autoscaling:
-    enabled: false
-    minReplicas: 1
-    maxReplicas: 100
-    targetCPUUtilizationPercentage: 80
-    # targetMemoryUtilizationPercentage: 80
-
-  ## @param fetchCA.resources [object] Specify resources
-  resources: {}
-    # limits:
-    #   cpu: 100m
-    #   memory: 128Mi
-    # requests:
-    #   cpu: 100m
-    #   memory: 128Mi
-
-  spiffeHelper:
-    ## @param fetchCA.spiffeHelper.resources [object] Specify resources for the SPIFFE helper
-    resources: {}
-      # limits:
-      #   cpu: 100m
-      #   memory: 128Mi
-      # requests:
-      #   cpu: 100m
-      #   memory: 128Mi
-
-  ## @param fetchCA.nodeSelector [object] Specify node selector
-  nodeSelector: {}
-
-  ## @param fetchCA.tolerations [array] Specify tolerations
-  tolerations: []
-
-  ## @param fetchCA.affinity [object] Specify affinity
-  affinity: {}
-
-config:
-  ## @param config.resources [object] Specify resources
-  resources: {}
-    # limits:
-    #   cpu: 100m
-    #   memory: 128Mi
-    # requests:
-    #   cpu: 100m
-    #   memory: 128Mi
-
-  ## @param config.nodeSelector [object] Specify node selector
-  nodeSelector: {}
-
-  ## @param config.tolerations [array] Specify tolerations
-  tolerations: []
-
-  ## @param config.affinity [object] Specify affinity
-  affinity: {}

charts/spire-crds/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

charts/spire-crds/Chart.yaml

@@ -1,22 +0,0 @@
-apiVersion: v2
-name: spire-crds
-description: >
-  A Helm chart for deploying the Spire CRDS
-type: application
-version: 0.5.0
-appVersion: "0.0.1"
-keywords: ["spire-crds"]
-home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
-sources:
-  - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
-icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
-maintainers:
-  - name: marcofranssen
-    email: marco.franssen@gmail.com
-    url: https://marcofranssen.nl
-  - name: kfox1111
-    email: Kevin.Fox@pnnl.gov
-  - name: faisal-memon
-    email: fymemon@yahoo.com
-  - name: edwbuck
-    email: edwbuck@gmail.com

charts/spire-crds/README.md

@@ -1,24 +0,0 @@
-# spire-crds
-
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square)
-
-A Helm chart to install the SPIRE CRDS.
-
-**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
-
-## Maintainers
-
-| Name | Email | Url |
-| ---- | ------ | --- |
-| marcofranssen | <marco.franssen@gmail.com> | <https://marcofranssen.nl> |
-| kfox1111 | <Kevin.Fox@pnnl.gov> |  |
-| faisal-memon | <fymemon@yahoo.com> |  |
-| edwbuck | <edwbuck@gmail.com> |  |
-
-## Source Code
-
-* <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire-crds>
-
-<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
-
-## Parameters

charts/spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml

@@ -1,103 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-    {{- .Values.annotations | toYaml | nindent 4 }}
-  creationTimestamp: null
-  name: clusterstaticentries.spire.spiffe.io
-spec:
-  group: spire.spiffe.io
-  names:
-    kind: ClusterStaticEntry
-    listKind: ClusterStaticEntryList
-    plural: clusterstaticentries
-    singular: clusterstaticentry
-  scope: Cluster
-  versions:
-  - name: v1alpha1
-    schema:
-      openAPIV3Schema:
-        description: ClusterStaticEntry is the Schema for the clusterstaticentries
-          API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry
-            properties:
-              admin:
-                type: boolean
-              className:
-                description: Set the class of controller to handle this object.
-                type: string
-              dnsNames:
-                items:
-                  type: string
-                type: array
-              downstream:
-                type: boolean
-              federatesWith:
-                items:
-                  type: string
-                type: array
-              hint:
-                type: string
-              jwtSVIDTTL:
-                type: string
-              parentID:
-                type: string
-              selectors:
-                items:
-                  type: string
-                type: array
-              spiffeID:
-                type: string
-              storeSVID:
-                type: boolean
-              x509SVIDTTL:
-                type: string
-            required:
-            - parentID
-            - selectors
-            - spiffeID
-            type: object
-          status:
-            description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry
-            properties:
-              masked:
-                description: If the static entry was masked by another entry.
-                type: boolean
-              rendered:
-                description: If the static entry rendered properly.
-                type: boolean
-              set:
-                description: If the static entry was successfully created/updated.
-                type: boolean
-            required:
-            - masked
-            - rendered
-            - set
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []

charts/spire-crds/values.yaml

@@ -1,3 +0,0 @@
-annotations:
-  ## @param annotations.helm.sh/resource-policy keep the crds after chart deletion
-  helm.sh/resource-policy: keep

charts/spire-nested/.helmignore

@@ -1,24 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
-ci/

charts/spire-nested/Chart.yaml

@@ -1,116 +0,0 @@
-apiVersion: v2
-name: spire-nested
-description: >
-  A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
-type: application
-version: 0.26.1
-appVersion: "1.12.4"
-keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
-home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
-sources:
-  - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
-icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
-maintainers:
-  - name: marcofranssen
-    email: marco.franssen@gmail.com
-    url: https://marcofranssen.nl
-  - name: kfox1111
-    email: Kevin.Fox@pnnl.gov
-  - name: faisal-memon
-    email: fymemon@yahoo.com
-kubeVersion: ">=1.21.0-0"
-dependencies:
-  - name: spire-lib
-    repository: file://../spire/charts/spire-lib
-    version: 0.1.0
-  - name: spire-server
-    alias: root-spire-server
-    condition: root-spire-server.enabled
-    tags:
-    - nestedRoot
-    repository: file://../spire/charts/spire-server
-    version: 0.1.0
-  - name: spire-server
-    alias: external-root-spire-server-full
-    condition: external-root-spire-server-full.enabled
-    tags:
-    - nestedChildFull
-    repository: file://../spire/charts/spire-server
-    version: 0.1.0
-  - name: spire-server
-    alias: external-root-spire-server-security
-    condition: external-root-spire-server-security.enabled
-    tags:
-    - nestedChildSecurity
-    repository: file://../spire/charts/spire-server
-    version: 0.1.0
-  - name: spire-server
-    alias: internal-spire-server
-    condition: internal-spire-server.enabled
-    tags:
-    - nestedRoot
-    - nestedChildFull
-    repository: file://../spire/charts/spire-server
-    version: 0.1.0
-  - name: spire-server
-    alias: external-spire-server
-    condition: external-spire-server.enabled
-    tags:
-    - nestedRoot
-    repository: file://../spire/charts/spire-server
-    version: 0.1.0
-  - name: spire-agent
-    alias: downstream-spire-agent-full
-    condition: downstream-spire-agent-full.enabled
-    tags:
-    - nestedRoot
-    - nestedChildFull
-    repository: file://../spire/charts/spire-agent
-    version: 0.1.0
-  - name: spire-agent
-    alias: downstream-spire-agent-security
-    condition: downstream-spire-agent-security.enabled
-    tags:
-    - nestedChildSecurity
-    repository: file://../spire/charts/spire-agent
-    version: 0.1.0
-  - name: spire-agent
-    alias: upstream-spire-agent
-    condition: upstream-spire-agent.enabled
-    tags:
-    - nestedRoot
-    - nestedChildFull
-    repository: file://../spire/charts/spire-agent
-    version: 0.1.0
-  - name: spiffe-csi-driver
-    alias: downstream-spiffe-csi-driver
-    condition: downstream-spiffe-csi-driver.enabled
-    tags:
-    - nestedRoot
-    - nestedChildFull
-    - nestedChildSecurity
-    repository: file://../spire/charts/spiffe-csi-driver
-    version: 0.1.0
-  - name: spiffe-csi-driver
-    alias: upstream-spiffe-csi-driver
-    condition: upstream-spiffe-csi-driver.enabled
-    tags:
-    - nestedRoot
-    - nestedChildFull
-    repository: file://../spire/charts/spiffe-csi-driver
-    version: 0.1.0
-  - name: spiffe-oidc-discovery-provider
-    condition: spiffe-oidc-discovery-provider.enabled
-    tags:
-    - nestedRoot
-    - nestedChildFull
-    - nestedChildSecurity
-    repository: file://../spire/charts/spiffe-oidc-discovery-provider
-    version: 0.1.0
-  - name: tornjak-frontend
-    condition: tornjak-frontend.enabled
-    repository: file://../spire/charts/tornjak-frontend
-    version: 0.1.0
-annotations:
-  artifacthub.io/category: security
-  artifacthub.io/license: Apache-2.0