Bump test chart dependencies (#641)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com>
Co-authored-by: kfox1111 <Kevin.Fox@pnnl.gov>

.github/scripts/parse-versions.sh

@@ -7,3 +7,8 @@ REPOS=$(jq -r '.[] | "export " + ("HELM_REPO_" + .name | ascii_upcase | gsub("-"
 VERSIONS=$(jq -r '.[] | "export " + ("VERSION_" + .name | ascii_upcase | gsub("-";"_")) + "=" + .version' "${TESTS_PATH}/charts.json")
 eval "$REPOS"
 eval "$VERSIONS"
+
+REGISTRIES=$(jq -r '.[] | "export " + ("HELM_REGISTRY_" + .name | ascii_upcase | gsub("-";"_")) + "=oci://" + .registry' "${TESTS_PATH}/oci-charts.json")
+VERSIONS=$(jq -r '.[] | "export " + ("VERSION_" + .name | ascii_upcase | gsub("-";"_")) + "=" + .version' "${TESTS_PATH}/oci-charts.json")
+eval "$REGISTRIES"
+eval "$VERSIONS"

.github/scripts/update-versions.sh

@@ -22,3 +22,21 @@ jq -r ".[].name" "${CHARTJSON}" | while read -r CHART; do
     mv /tmp/$$ "${CHARTJSON}"
   fi
 done
+
+CHARTJSON="${SCRIPTPATH}/../tests/oci-charts.json"
+
+jq -r ".[].name" "${CHARTJSON}" | while read -r NAME; do
+  ENTRYQUERY='.[] | select(.name == "'$NAME'")'
+  REGISTRY="$(jq -r "$ENTRYQUERY | .registry" "${CHARTJSON}")"
+  VERSION="$(jq -r "$ENTRYQUERY | .version" "${CHARTJSON}")"
+  echo Processing: "${NAME}"
+  echo "  chart: ${REGISTRY}"
+  echo "  current version: ${VERSION}"
+  LATEST_VERSION=$(crane ls "$REGISTRY" | grep 'v\?[0-9]*\.[0-9]*\.[0-9]\.*$' | sort -V -r | head -n 1)
+  echo "  latest version: ${LATEST_VERSION}"
+  if [ "x${VERSION}" != "x${LATEST_VERSION}" ]; then
+    echo "  New version found!"
+    jq "(${ENTRYQUERY}).version |= \"${LATEST_VERSION}\"" "${CHARTJSON}" > /tmp/$$
+    mv /tmp/$$ "${CHARTJSON}"
+  fi
+done

.github/tests/charts.json

@@ -2,26 +2,16 @@
   {
     "name": "kube-prometheus-stack",
     "repo": "https://prometheus-community.github.io/helm-charts",
-    "version": "56.20.0"
+    "version": "75.15.1"
   },
   {
     "name": "cert-manager",
     "repo": "https://charts.jetstack.io",
-    "version": "v1.14.3"
+    "version": "v1.18.2"
   },
   {
     "name": "ingress-nginx",
     "repo": "https://kubernetes.github.io/ingress-nginx",
-    "version": "4.10.0"
-  },
-  {
-    "name": "mysql",
-    "repo": "https://charts.bitnami.com/bitnami",
-    "version": "9.22.0"
-  },
-  {
-    "name": "postgresql",
-    "repo": "https://charts.bitnami.com/bitnami",
-    "version": "14.2.3"
+    "version": "4.13.0"
   }
 ]

.github/tests/common.sh

@@ -21,7 +21,7 @@ $(kubectl --request-timeout=30s describe pods --namespace "$1")
 #### Logs
 
 \`\`\`shell
-$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --all-containers=true --ignore-errors=true; done)
+$(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --prefix --all-containers=true --ignore-errors=true; done)
 $( ([[ -n "$2" ]] && kubectl get pods -o name -n "$2") | while read -r line; do echo logs for "${line}"; kubectl logs -n "$2" "${line}" --all-containers=true --ignore-errors=true; done)
 \`\`\`
 
@@ -55,6 +55,7 @@ print_spire_workload_status () {
 | Namespace | Workload                                       | Status |
 | --------- | ---------------------------------------------- | ------ |
 | ${ns1}    | ${release_name}-server                         | <pre>$(k_rollout_status "${ns1}" statefulset "${release_name}-server")</pre> |
+| ${ns1}    | ${release_name}-server                         | <pre>$(k_rollout_status "${ns1}" deployments.apps "${release_name}-server")</pre> |
 | ${ns2}    | ${release_name}-spiffe-csi-driver              | <pre>$(k_rollout_status "${ns2}" daemonset "${release_name}-spiffe-csi-driver")</pre> |
 | ${ns2}    | ${release_name}-agent                          | <pre>$(k_rollout_status "${ns2}" daemonset "${release_name}-agent")</pre> |
 | ${ns1}    | ${release_name}-spiffe-oidc-discovery-provider | <pre>$(k_rollout_status "${ns1}" deployments.apps "${release_name}-spiffe-oidc-discovery-provider")</pre> |
@@ -70,3 +71,43 @@ $(helm ls -A | sed 's/\t/ | /g' | sed 's/^/| /' | sed 's/$/ |/' | sed '/^| NAME.
 
 EOF
 }
+
+common_test_url () (
+count=10
+while true; do
+        if curl "$1"; then exit 0; fi
+        sleep 2
+        count=$((count-1))
+        [ $count -le 0 ] && exit 1
+done
+)
+
+common_test_file_exists () (
+count=20
+while true; do
+        if [ -f "$1" ]; then exit 0; fi
+        sleep 2
+        count=$((count-1))
+        [ $count -le 0 ] && exit 1
+done
+)
+
+# Used just for testing. You should provide your own values as described in the install instructions.
+common_test_your_values () {
+cat > /tmp/$$.example-your-values.yaml <<EOF
+global:
+  spire:
+    recommendations:
+      enabled: true
+    clusterName: production
+    trustDomain: production.other
+    caSubject:
+      country: US
+      organization: Production
+      commonName: production.other
+EOF
+echo "/tmp/$$.example-your-values.yaml"
+}
+
+COMMON_TEST_YOUR_VALUES="$(common_test_your_values)"
+export COMMON_TEST_YOUR_VALUES

.github/tests/dependencies/spire-root-server-values.yaml

@@ -1,45 +0,0 @@
-global:
-  spire:
-    clusterName: production
-    trustDomain: production.other
-
-spire-server:
-  controllerManager:
-    identities:
-      clusterSPIFFEIDs:
-        default:
-          type: raw
-          spiffeIDTemplate: spiffe://{{ .TrustDomain }}/k8s/{{ .ClusterName }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
-          namespaceSelector:
-            matchExpressions:
-            - key: "kubernetes.io/metadata.name"
-              operator: In
-              values: [spire-server]
-          podSelector:
-            matchLabels:
-              release: spire
-              release-namespace: spire-server
-              component: server
-          downstream: true
-        oidc-discovery-provider:
-          enabled: false
-        test-keys:
-          enabled: false
-  nodeAttestor:
-    k8sPsat:
-      serviceAccountAllowList:
-        - spire-system:spire-agent-upstream
-  bundleConfigMap: spire-bundle-upstream
-  notifier:
-    k8sbundle:
-      namespace: spire-system
-
-spiffe-oidc-discovery-provider:
-  enabled: false
-
-spire-agent:
-  enabled: false
-
-spiffe-csi-driver:
-  enabled: false
-

.github/tests/images.json

@@ -4,16 +4,26 @@
       "query": "tests.bash.image",
       "filter": "LATESTSHA",
       "sort-flags": []
+    },
+    {
+      "query": "chown.image",
+      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
+      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
+    },
+    {
+      "query": "tools.busybox.image",
+      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
+      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
     }
   ],
   "spire-agent/values.yaml": [
     {
-      "query": "waitForIt.image",
+      "query": "socketAlternate.image",
       "filter": "LATESTSHA",
       "sort-flags": []
     },
     {
-      "query": "socketAlternate.image",
+      "query": "hostCert.image",
       "filter": "LATESTSHA",
       "sort-flags": []
     },
@@ -58,6 +68,11 @@
       "query": "tests.busybox.image",
       "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
       "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
+    },
+    {
+      "query": "spiffeHelper.image",
+      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$",
+      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
     }
   ],
   "tornjak-frontend/values.yaml": [

.github/tests/oci-charts.json

@@ -0,0 +1,17 @@
+[
+  {
+    "name": "mysql",
+    "registry": "docker.io/bitnamicharts/mysql",
+    "version": "14.0.0"
+  },
+  {
+    "name": "postgresql",
+    "registry": "docker.io/bitnamicharts/postgresql",
+    "version": "16.7.9"
+  },
+  {
+    "name": "envoy-gateway",
+    "registry": "docker.io/envoyproxy/gateway-helm",
+    "version": "v1.4.2"
+  }
+]

.github/tests/pre-install.sh

@@ -37,13 +37,13 @@ kubectl wait --namespace ingress-nginx --for=condition=ready --timeout 60s pod -
 # external database
 
 # mysql
-"${helm_install[@]}" mysql mysql --version "$VERSION_MYSQL" --repo "$HELM_REPO_MYSQL" \
+"${helm_install[@]}" mysql "${HELM_REGISTRY_MYSQL}" --version "$VERSION_MYSQL" \
   --namespace mysql \
   --values "${DEPS}/mysql.yaml" \
   --wait
 
 # postgres
-"${helm_install[@]}" postgresql postgresql --version "$VERSION_POSTGRESQL" --repo "$HELM_REPO_POSTGRESQL" \
+"${helm_install[@]}" postgresql "${HELM_REGISTRY_POSTGRESQL}" --version "$VERSION_POSTGRESQL" \
   --namespace postgresql \
   --values "${DEPS}/postgresql.yaml" \
   --wait

.github/workflows/check-versions.yaml

@@ -27,6 +27,9 @@ jobs:
         with:
           version: ${{ env.HELM_VERSION }}
 
+      - name: Setup crane
+        uses: imjasonh/setup-crane@v0.3
+
       - name: Update test chart versions
         run: |
           ./.github/scripts/update-versions.sh
@@ -38,9 +41,6 @@ jobs:
           go-version: '1.21'
           cache: false
 
-      - name: Setup crane
-        uses: imjasonh/setup-crane@v0.3
-
       - uses: actions/setup-python@v5
         with:
           python-version: '3.9'
@@ -59,11 +59,18 @@ jobs:
           ./.github/scripts/update-tags.sh
           git diff
 
+      - name: Generate Token
+        uses: tibdex/github-app-token@v2.1.0
+        id: generate-token
+        with:
+          app_id: ${{ vars.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - name: Create Pull Request
         id: cpr
-        uses: peter-evans/create-pull-request@v6.0.1
+        uses: peter-evans/create-pull-request@v6.0.2
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.generate-token.outputs.token }}
           title: Bump test chart dependencies
           branch: bump-test-chart-deps
           commit-message: Bump test chart dependencies

.github/workflows/helm-chart-ci-ignore.yaml

@@ -30,9 +30,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
 
     steps:
       - run: 'echo "Skipping tests"'
@@ -74,9 +74,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
         example:
           - ${{ fromJson(needs.build-matrix.outputs.examples) }}
 
@@ -92,9 +92,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
         example:
           - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}
 
@@ -110,9 +110,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
 
     steps:
       - run: 'echo "Skipping upgrade-test"'

.github/workflows/helm-chart-ci.yaml

@@ -21,9 +21,9 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  HELM_VERSION: v3.12.0
+  HELM_VERSION: v3.16.2
   PYTHON_VERSION: 3.11.3
-  KIND_VERSION: v0.19.0
+  KIND_VERSION: v0.24.0
   CHART_TESTING_VERSION: v3.8.0
 
 jobs:
@@ -130,9 +130,9 @@ jobs:
         # Kubernetes, but can go back farther as long as we don't need heroics
         # to pull it off (i.e. kubectl version juggling).
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
 
     steps:
       - name: Checkout
@@ -171,7 +171,7 @@ jobs:
       - name: Run chart-testing (install)
         run: |
           helm install -n spire-server spire-crds charts/spire-crds
-          ct install --config ct.yaml --excluded-charts spire-crds \
+          ct install --config ct.yaml --excluded-charts spire-crds,spiffe-step-ssh \
             --target-branch ${{ github.base_ref }}
 
       - name: Test summary
@@ -218,9 +218,9 @@ jobs:
       fail-fast: false
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
         example:
           - ${{ fromJson(needs.build-matrix.outputs.examples) }}
 
@@ -243,19 +243,20 @@ jobs:
         # Only build a kind cluster if there are chart changes to test.
         with:
           version: ${{ env.KIND_VERSION }}
-          node_image: kindest/node:v1.26.4
+          node_image: kindest/node:${{ matrix.k8s }}
           config: .github/kind/conf/kind-config.yaml
           verbosity: 1
 
       - name: Install and test example
         run: |
-          if [ "${{ matrix.example }}" = "examples/federation" ]; then
+          if [ "${{ matrix.example }}" = "examples/federation" -o "${{ matrix.example }}" = "examples/nested-full" -o "${{ matrix.example }}" = "examples/nested-security" ]; then
             kubectl create namespace spire-mgmt
             helm install -n spire-mgmt spire-crds charts/spire-crds
           else
             kubectl create namespace spire-server
             helm install -n spire-server spire-crds charts/spire-crds
           fi
+          export K8S="${{ matrix.k8s }}"
           ${{ matrix.example }}/run-tests.sh
 
   integration-test:
@@ -269,9 +270,9 @@ jobs:
       fail-fast: false
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
         integrationtest:
           - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}
 
@@ -294,14 +295,13 @@ jobs:
         # Only build a kind cluster if there are chart changes to test.
         with:
           version: ${{ env.KIND_VERSION }}
-          node_image: kindest/node:v1.26.4
+          node_image: kindest/node:${{ matrix.k8s }}
           config: .github/kind/conf/kind-config.yaml
           verbosity: 1
 
       - name: Install and test integration
         run: |
-          kubectl create namespace spire-server
-          helm install -n spire-server spire-crds charts/spire-crds
+          helm install --create-namespace -n spire-mgmt spire-crds charts/spire-crds
           ${{ matrix.integrationtest }}/run-tests.sh
 
   upgrade-test:
@@ -315,9 +315,9 @@ jobs:
       fail-fast: false
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
 
     steps:
       - name: Checkout
@@ -338,9 +338,9 @@ jobs:
         # Only build a kind cluster if there are chart changes to test.
         with:
           version: ${{ env.KIND_VERSION }}
-          node_image: kindest/node:v1.26.4
+          node_image: kindest/node:${{ matrix.k8s }}
           config: .github/kind/conf/kind-config.yaml
           verbosity: 1
 
       - name: Install and test example
-        run: examples/production/run-tests.sh -u
+        run: tests/integration/production/run-tests.sh -u

.github/workflows/helm-release.yaml

@@ -44,7 +44,7 @@ jobs:
           CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v3.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/update-devcontainer-image.yaml

@@ -31,7 +31,7 @@ jobs:
       - name: Install regctl
         uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
       - name: Log in to GHCR
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

charts/spiffe-step-ssh/Chart.yaml

@@ -0,0 +1,42 @@
+apiVersion: v2
+name: spiffe-step-ssh
+description: sshd signed host certificates using SPIFFE for trust and step CA
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+
+keywords: ["spiffe", "step", "step-ca", "ssh"]
+home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spiffe-step-ssh
+sources:
+  - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spiffe-step-ssh
+icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
+maintainers:
+  - name: kfox1111
+    email: Kevin.Fox@pnnl.gov
+
+dependencies:
+  - name: spire-lib
+    repository: file://../spire/charts/spire-lib
+    version: 0.1.0
+  - name: step-certificates
+    alias: step
+    repository: https://smallstep.github.io/helm-charts/
+    version: 1.27.4

charts/spiffe-step-ssh/README.md

@@ -0,0 +1,65 @@
+spire-values.yaml
+```
+spire-server:
+  nodeAttestor:
+    httpChallenge:
+      enabled: true
+  controllerManager:
+    identities:
+      clusterSPIFFEIDs:
+        spiffe-step-ssh-config:
+          type: raw
+          namespaceSelector:
+            matchLabels:
+              "kubernetes.io/metadata.name": default
+          podSelector:
+            matchLabels:
+              app: spiffe-step-ssh
+              component: config
+        spiffe-step-ssh-fetchca:
+          type: raw
+          namespaceSelector:
+            matchLabels:
+              "kubernetes.io/metadata.name": default
+          podSelector:
+            matchLabels:
+              app: spiffe-step-ssh
+              component: fetchca
+          dnsNameTemplates:
+          - "spiffe-step-ssh-fetchca.{{ .TrustDomain }}"
+```
+
+```shell
+helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
+helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f spire-values.yaml --set global.spire.ingressControllerType=ingress-nginx,spire-server.ingress.enabled=true
+```
+
+```shell
+helm upgrade --install ingress-nginx ingress-nginx -n ingress-nginx --create-namespace --repo https://kubernetes.github.io/ingress-nginx --set controller.service.type=ClusterIP,controller.service.externalIPs[0]=$(minikube ip) --set controller.watchIngressWithoutClass=true --set controller.extraArgs.enable-ssl-passthrough=
+```
+
+```shell
+PASSWORD=$(openssl rand -base64 48)
+echo "$PASSWORD" > spiffe-step-ssh-password.txt
+step ca init --helm --deployment-type=Standalone --name='My CA' --dns spiffe-step-ssh.example.org --ssh --address :8443 --provisioner default --password-file spiffe-step-ssh-password.txt > spiffe-step-ssh-values.yaml
+```
+
+ingress-values.yaml
+```yaml
+global:
+  spiffe:
+    ingressControllerType: ingress-nginx
+stepIngress:
+  enabled: true
+fetchCA:
+  ingress:
+    enabled: true
+```
+
+```shell
+helm upgrade --install spiffe-step-ssh . --set caPassword=`cat spiffe-step-ssh-password.txt` -f spiffe-step-ssh-values.yaml -f ingress-values.yaml --set trustDomain=example.org
+```
+
+<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
+
+## Parameters

charts/spiffe-step-ssh/ci/default-values.yaml

@@ -0,0 +1 @@
+trustDomain: example.org

charts/spiffe-step-ssh/files/ssh_x5c.tpl

@@ -0,0 +1,13 @@
+{{- if eq (len .AuthorizationCrt.URIs) 1 }}
+{{-   $san := printf "%s" (index .AuthorizationCrt.URIs 0) }}
+{{-   if hasPrefix "spiffe://@TRUST_DOMAIN@/@PREFIX@/" $san }}
+{{-     $name := trimPrefix "spiffe://@TRUST_DOMAIN@/@PREFIX@/" $san }}
+{
+  "type": {{ toJson .Type }},
+  "keyId": {{ toJson $name }},
+  "principals": [{{ toJson $name }}],
+  "extensions": {{ toJson .Extensions }},
+  "criticalOptions": {{ toJson .CriticalOptions }}
+}
+{{-   end }}
+{{- end }}

charts/spiffe-step-ssh/templates/NOTES.txt

@@ -0,0 +1,5 @@
+Installed {{ .Chart.Name }}…
+
+Configure your ssh clients with known_hosts file with:
+
+@cert-authority *.{{ .Values.trustDomain }} {{ .Values.inject.certificates.ssh_host_ca }}

charts/spiffe-step-ssh/templates/_helpers.tpl

@@ -0,0 +1,83 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "spiffe-step-ssh.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "spiffe-step-ssh.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "spiffe-step-ssh.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "spiffe-step-ssh.labels" -}}
+helm.sh/chart: {{ include "spiffe-step-ssh.chart" . }}
+{{ include "spiffe-step-ssh.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "spiffe-step-ssh.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "spiffe-step-ssh.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "spiffe-step-ssh.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "spiffe-step-ssh.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/* Takes in a dictionary with keys:
+ * global - the standard global object
+ * ingress - a standard format ingress config object
+*/}}
+{{- define "spiffe-step-ssh.ingress-controller-type" }}
+{{-   $type := "" }}
+{{-   if ne (len (dig "spiffe" "ingressControllerType" "" .global)) 0 }}
+{{-     $type = .global.spiffe.ingressControllerType }}
+{{-   else if ne .ingress.controllerType "" }}
+{{-     $type = .ingress.controllerType }}
+{{-   else if (dig "openshift" false .global) }}
+{{-     $type = "openshift" }}
+{{-   else }}
+{{-     $type = "other" }}
+{{-   end }}
+{{-   if not (has $type (list "ingress-nginx" "openshift" "other")) }}
+{{-     fail "Unsupported ingress controller type specified. Must be one of [ingress-nginx, openshift, other]" }}
+{{-   end }}
+{{-   $type }}
+{{- end }}

charts/spiffe-step-ssh/templates/config-configmap.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-config-deployment
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  spiffe-helper.conf: |
+    agent_address = "/spiffe-workload-api/spire-agent.sock"
+    cmd = "sh"
+    cmd_args = "/config-deployment/update.sh"
+    cert_dir = "/certs"
+    svid_file_name = "tls.crt"
+    svid_key_file_name = "tls.key"
+    svid_bundle_file_name = "ca.pem"
+    add_intermediates_to_bundle = false
+  update.sh: |
+    #!/bin/sh
+    export ROOTS=$(base64 /certs/ca.pem | tr '\n' ' ' | sed 's/ //g')
+    echo Updating Roots to "$ROOTS"
+    cat /config/ca.json > /work/ca.json
+    yq e -i -ojson '.authority.provisioners |= map(select(.name == "x5c@spiffe").roots = env(ROOTS))' /work/ca.json
+    /helper/kubectl create configmap {{ include "spiffe-step-ssh.fullname" . }}-config -n "{{ .Release.Namespace }}" --from-file=/work/ca.json --from-file=/config/defaults.json --from-file=/config/ssh_x5c.tpl --dry-run=client -o yaml | /helper/kubectl apply -f -
+    /helper/kubectl rollout restart statefulset {{ include "spiffe-step-ssh.fullname" . }} -n "{{ .Release.Namespace }}"
+    echo $?

charts/spiffe-step-ssh/templates/config-deployment.yaml

@@ -0,0 +1,143 @@
+{{- $configSum := (include (print $.Template.BasePath "/config-configmap.yaml") . | sha256sum) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-config
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+    app: spiffe-step-ssh
+    component: config
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "spiffe-step-ssh.selectorLabels" . | nindent 6 }}
+      app: spiffe-step-ssh
+      component: config
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ $configSum }}
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "spiffe-step-ssh.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        app: spiffe-step-ssh
+        component: config
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "spiffe-step-ssh.serviceAccountName" . }}-svc-config
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      initContainers:
+      - name: setup-volume-p1
+        image: {{ template "spire-lib.image" (dict "image" .Values.busybox.image "global" .Values.global) }}
+        imagePullPolicy: {{ .Values.busybox.image.pullPolicy }}
+        command:
+        - sh
+        - -c
+        - 'cp -a /bin/busybox /helper'
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+        volumeMounts:
+        - name: spiffe-helper
+          mountPath: /helper
+        resources:
+          {{- toYaml .Values.config.resources | nindent 12 }}
+      - name: setup-volume-p2
+        image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
+        imagePullPolicy: {{ .Values.kubectl.image.pullPolicy }}
+        command:
+        - /helper/busybox
+        - sh
+        - -c
+        - '/helper/busybox cp -a /bin/kubectl /helper'
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+        volumeMounts:
+        - name: spiffe-helper
+          mountPath: /helper
+        resources:
+          {{- toYaml .Values.config.resources | nindent 12 }}
+      - name: setup-volume-p3
+        image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
+        imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
+        command:
+        - /helper/busybox
+        - sh
+        - -c
+        - '/helper/busybox cp -a /spiffe-helper /helper && /helper/busybox rm -f /helper/busybox'
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+        volumeMounts:
+        - name: spiffe-helper
+          mountPath: /helper
+        resources:
+          {{- toYaml .Values.config.resources | nindent 12 }}
+      containers:
+      - name: {{ .Chart.Name }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+        image: {{ template "spire-lib.image" (dict "image" .Values.yq.image "global" .Values.global) }}
+        imagePullPolicy: {{ .Values.yq.image.pullPolicy }}
+        command:
+        - /helper/spiffe-helper
+        - -config
+        - /config-deployment/spiffe-helper.conf
+        resources:
+          {{- toYaml .Values.config.resources | nindent 12 }}
+        volumeMounts:
+        - name: spiffe-helper
+          mountPath: /helper
+          readOnly: true
+        - name: config
+          mountPath: /config
+          readOnly: true
+        - name: config-deployment
+          mountPath: /config-deployment
+          readOnly: true
+        - name: certdir
+          mountPath: /certs
+        - name: spiffe-workload-api
+          mountPath: /spiffe-workload-api
+          readOnly: true
+        - name: workdir
+          mountPath: /work
+      volumes:
+      - name: spiffe-workload-api
+        csi:
+          driver: {{ .Values.csiDriver | quote }}
+          readOnly: true
+      - name: config-deployment
+        configMap:
+          name: {{ include "spiffe-step-ssh.fullname" . }}-config-deployment
+      - name: config
+        configMap:
+          name: {{ include "spiffe-step-ssh.fullname" . }}-config-raw
+      - name: certdir
+        emptyDir: {}
+      - name: spiffe-helper-config
+        emptyDir: {}
+      - name: spiffe-helper
+        emptyDir: {}
+      - name: workdir
+        emptyDir: {}
+      {{- with .Values.config.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.config.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.config.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/spiffe-step-ssh/templates/config-role.yaml

@@ -0,0 +1,41 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
+rules:
+  - apiGroups: [""]
+    resources: [configmaps]
+    verbs:
+      - create
+  - apiGroups: [""]
+    resources: [configmaps]
+    resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}-config]
+    verbs:
+      - get
+      - update
+      - patch
+  - apiGroups: ["apps"]
+    resources: [statefulsets]
+    resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}]
+    verbs:
+      - get
+      - patch
+  - apiGroups: ["apps"]
+    resources: [deployments]
+    resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}-fetchca]
+    verbs:
+      - get
+      - patch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
+  apiGroup: rbac.authorization.k8s.io

charts/spiffe-step-ssh/templates/config-serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "spiffe-step-ssh.serviceAccountName" . }}-svc-config
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+    component: config
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/spiffe-step-ssh/templates/fetchca-configmap.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  spiffe-helper-init.conf: |
+    agent_address = "/spiffe-workload-api/spire-agent.sock"
+    cmd = ""
+    cmd_args = ""
+    cert_dir = "/certs"
+    svid_file_name = "tls.crt"
+    svid_key_file_name = "tls.key"
+    svid_bundle_file_name = "ca.pem"
+    add_intermediates_to_bundle = false
+  spiffe-helper-sidecar.conf: |
+    agent_address = "/spiffe-workload-api/spire-agent.sock"
+    cmd = "/busybox/busybox"
+    cmd_args = "sh /update.sh"
+    cert_dir = "/certs"
+    svid_file_name = "tls.crt"
+    svid_key_file_name = "tls.key"
+    svid_bundle_file_name = "ca.pem"
+    add_intermediates_to_bundle = false
+  update.sh: |
+    #!/bin/sh
+    /busybox/busybox kill -HUP `/busybox/busybox busybox cat /pid/pid`

charts/spiffe-step-ssh/templates/fetchca-deployment.yaml

@@ -0,0 +1,182 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+    app: spiffe-step-ssh
+    component: fetchca
+spec:
+  {{- if not .Values.fetchCA.autoscaling.enabled }}
+  replicas: {{ .Values.fetchCA.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "spiffe-step-ssh.selectorLabels" . | nindent 6 }}
+      app: spiffe-step-ssh
+      component: fetchca
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "spiffe-step-ssh.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        app: spiffe-step-ssh
+        component: fetchca
+    spec:
+      shareProcessNamespace: true
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "spiffe-step-ssh.serviceAccountName" . }}-fetchca
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      initContainers:
+        - name: busybox-volume
+          image: {{ template "spire-lib.image" (dict "image" .Values.busybox.image "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.busybox.image.pullPolicy }}
+          command:
+          - sh
+          - -c
+          - 'cp -a /bin/busybox /busybox'
+          volumeMounts:
+          - name: busybox
+            mountPath: /busybox
+          resources:
+            {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
+        - name: init-tls
+          image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
+          command:
+          - /spiffe-helper
+          - -config
+          - /etc/spiffe-helper.conf
+          - -daemon-mode=false
+          volumeMounts:
+          - name: spiffe-workload-api
+            mountPath: /spiffe-workload-api
+            readOnly: true
+          - name: config
+            mountPath: /etc/spiffe-helper.conf
+            subPath: spiffe-helper-init.conf
+            readOnly: true
+          - name: certs
+            mountPath: /certs
+          resources:
+            {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
+      containers:
+        - name: {{ .Chart.Name }}-fetchca
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: {{ template "spire-lib.image" (dict "image" .Values.nginx.image "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.nginx.image.pullPolicy }}
+          command:
+          - /bin/sh
+          - -c
+          - |
+            echo $$$$ > /pid/pid
+            cat > /etc/nginx/conf.d/ssl.conf <<EOF
+            server {
+                listen       8443 ssl;
+                server_name  localhost;
+                ssl_certificate     /certs/tls.crt;
+                ssl_certificate_key /certs/tls.key;
+                location / {
+                    root   /usr/share/nginx/html;
+                    index  root_ca.crt index.html index.htm;
+                }
+                error_page   500 502 503 504  /50x.html;
+                location = /50x.html {
+                    root   /usr/share/nginx/html;
+                }
+            }
+            EOF
+            exec nginx -g "daemon off;"
+          ports:
+            - name: http
+              containerPort: 8443
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+              scheme: HTTPS
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+              scheme: HTTPS
+          resources:
+            {{- toYaml .Values.fetchCA.resources | nindent 12 }}
+          volumeMounts:
+          - name: certs
+            mountPath: /certs
+            readOnly: true
+          - name: pid
+            mountPath: /pid
+          - name: share
+            mountPath: /usr/share/nginx/html
+        - name: update-tls
+          image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
+          command:
+          - /spiffe-helper
+          - -config
+          - /etc/spiffe-helper.conf
+          volumeMounts:
+          - name: certs
+            mountPath: /certs
+          - name: spiffe-workload-api
+            mountPath: /spiffe-workload-api
+            readOnly: true
+          - name: config
+            mountPath: /etc/spiffe-helper.conf
+            subPath: spiffe-helper-sidecar.conf
+            readOnly: true
+          - name: config
+            mountPath: /update.sh
+            subPath: update.sh
+            readOnly: true
+          - name: pid
+            mountPath: /pid
+            readOnly: true
+          - name: busybox
+            mountPath: /busybox
+            readOnly: true
+          resources:
+            {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
+      volumes:
+      - name: certs
+        emptyDir: {}
+      - name: pid
+        emptyDir: {}
+      - name: busybox
+        emptyDir: {}
+      - name: config
+        configMap:
+          name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
+      - name: spiffe-workload-api
+        csi:
+          driver: {{ .Values.csiDriver | quote }}
+          readOnly: true
+      - name: share
+        configMap:
+          name: {{ include "spiffe-step-ssh.fullname" . }}-certs
+      {{- with .Values.fetchCA.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.fetchCA.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.fetchCA.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/spiffe-step-ssh/templates/fetchca-hpa.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.fetchCA.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchCA
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
+  minReplicas: {{ .Values.fetchCA.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.fetchCA.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.fetchCA.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.fetchCA.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.fetchCA.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.fetchCA.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

charts/spiffe-step-ssh/templates/fetchca-ingress.yaml

@@ -0,0 +1,31 @@
+{{- if .Values.fetchCA.ingress.enabled -}}
+{{- $ingressControllerType := include "spiffe-step-ssh.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.fetchCA.ingress) }}
+{{- $fullName := printf "%s-fetchca" (include "spiffe-step-ssh.fullname" .) -}}
+{{- $path := "/" }}
+{{- $pathType := "Prefix" }}
+{{- $tlsSection := true }}
+{{- $annotations := deepCopy .Values.fetchCA.ingress.annotations }}
+{{- if eq $ingressControllerType "ingress-nginx" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
+{{- else if eq $ingressControllerType "openshift" }}
+{{-   $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
+{{-   $path = "" }}
+{{-   $pathType = "ImplementationSpecific" }}
+{{-   $tlsSection = false }}
+{{- end }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{ include "spiffe-step-ssh.labels" . | nindent 4}}
+  {{- with $annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.fetchCA.ingress "svcName" $fullName "port" .Values.fetchCA.service.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
+{{- end }}

charts/spiffe-step-ssh/templates/fetchca-service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+    app: spiffe-step-ssh
+    component: fetchca
+spec:
+  type: {{ .Values.fetchCA.service.type }}
+  ports:
+    - port: {{ .Values.fetchCA.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "spiffe-step-ssh.selectorLabels" . | nindent 4 }}

charts/spiffe-step-ssh/templates/fetchca-serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "spiffe-step-ssh.serviceAccountName" . }}-fetchca
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/spiffe-step-ssh/templates/ssh-certificate-issuer-password-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-certificate-issuer-password
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  password: {{ .Values.caPassword | b64enc }}

charts/spiffe-step-ssh/templates/step-ca-password-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-ca-password
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  password: {{ .Values.caPassword | b64enc }}

charts/spiffe-step-ssh/templates/step-certs-configmap.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-certs
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  "root_ca.crt": |
+    {{- .Values.inject.certificates.root_ca | nindent 4}}
+  "intermediate_ca.crt": |
+    {{ .Values.inject.certificates.intermediate_ca | nindent 4}}
+  "ssh_host_ca_key.pub": |
+    {{ .Values.inject.certificates.ssh_host_ca | nindent 4 }}
+  "ssh_user_ca_key.pub": |
+    {{ .Values.inject.certificates.ssh_user_ca | nindent 4 }}

charts/spiffe-step-ssh/templates/step-config.yaml

@@ -0,0 +1,32 @@
+{{- define "spiffe-step-ssh.config-provisioners" }}
+type: X5C
+name: "x5c@spiffe"
+roots: ""
+claims:
+  maxTLSCertDuration: {{ .Values.maxTLSCertDuration | quote }}
+  defaultTLSCertDuration: {{ .Values.defaultTLSCertDuration | quote }}
+  disableRenewal: true
+  enableSSHCA: true
+disableCustomSANs: true
+options:
+ ssh:
+   templateFile: /home/step/config/ssh_x5c.tpl
+{{- end }}
+{{ $ca := deepCopy (index .Values.inject.config.files "ca.json") }}
+{{ $_ := set $ca.authority "provisioners" (list (include "spiffe-step-ssh.config-provisioners" . | fromYaml )) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-config-raw
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  "ca.json": |
+    {{- $ca | toPrettyJson | nindent 4 }}
+  "defaults.json": |
+    {{- index .Values.inject.config.files "defaults.json" | toPrettyJson | nindent 4 }}
+{{- if eq .Values.trustDomain "" }}
+{{-   fail "You must set trustDomain" }}
+{{- end }}
+  "ssh_x5c.tpl": |
+    {{- .Files.Get "files/ssh_x5c.tpl" | replace "@TRUST_DOMAIN@" .Values.trustDomain | replace "@PREFIX@" .Values.prefix | nindent 4}}

charts/spiffe-step-ssh/templates/step-ingress.yaml

@@ -0,0 +1,31 @@
+{{- if .Values.stepIngress.enabled -}}
+{{- $ingressControllerType := include "spiffe-step-ssh.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.stepIngress) }}
+{{- $fullName := printf "%s" (include "spiffe-step-ssh.fullname" .) -}}
+{{- $path := "/" }}
+{{- $pathType := "Prefix" }}
+{{- $tlsSection := true }}
+{{- $annotations := deepCopy .Values.stepIngress.annotations }}
+{{- if eq $ingressControllerType "ingress-nginx" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
+{{- else if eq $ingressControllerType "openshift" }}
+{{-   $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
+{{-   $path = "" }}
+{{-   $pathType = "ImplementationSpecific" }}
+{{-   $tlsSection = false }}
+{{- end }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{ include "spiffe-step-ssh.labels" . | nindent 4}}
+  {{- with $annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.stepIngress "svcName" $fullName "port" .Values.step.service.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
+{{- end }}

charts/spiffe-step-ssh/templates/step-secret.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-secrets
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  root_ca_key: {{ .Values.inject.secrets.x509.root_ca_key | b64enc }}
+  intermediate_ca_key: {{ .Values.inject.secrets.x509.intermediate_ca_key | b64enc }}
+  ssh_host_ca_key: {{ .Values.inject.secrets.ssh.host_ca_key | b64enc }}
+  ssh_user_ca_key: {{ .Values.inject.secrets.ssh.user_ca_key | b64enc }}

charts/spiffe-step-ssh/templates/step-ssh-host-ca-password-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-ssh-host-ca-password
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  password: {{ .Values.caPassword | b64enc }}

charts/spiffe-step-ssh/templates/step-ssh-user-ca-password-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-ssh-user-ca-password
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  password: {{ .Values.caPassword | b64enc }}

charts/spiffe-step-ssh/values.yaml

@@ -0,0 +1,292 @@
+# Default values for spiffe-step-ssh.
+# SPDX-License-Identifier: APACHE-2.0
+
+global:
+  spiffe:
+    ## @param global.spiffe.ingressControllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
+    ingressControllerType: ""
+
+## @param trustDomain The trust domain for SPIRE
+trustDomain: ""
+## @param caPassword Password securing the SSH CA
+caPassword: ""
+## @param maxTLSCertDuration The maximum duration the X5C traded cert is valid for.
+maxTLSCertDuration: 24h
+## @param defaultTLSCertDuration The default duration the X5C traded cert is valid for.
+defaultTLSCertDuration: 1h
+## @param prefix Prefix where hosts show up that are allowed to get ssh host certs
+prefix: sshd
+## @param csiDriver The csi driver to use
+csiDriver: csi.spiffe.io
+
+## @skip inject
+## These will be generated by the step-ca tool
+inject:
+  secrets:
+    x509:
+      root_ca_key: ""
+      intermediate_ca_key: ""
+    ssh:
+      host_ca_key: ""
+      user_ca_key: ""
+  config:
+    files:
+      ca.json:
+        authority: {}
+  certificates:
+    root_ca: ""
+    intermediate_ca: ""
+    ssh_host_ca: ""
+    ssh_user_ca: ""
+
+stepIngress:
+  ## @param stepIngress.enabled Flag to enable ingress
+  enabled: false
+  ## @param stepIngress.className Ingress class name
+  className: ""
+  ## @param stepIngress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
+  controllerType: ""
+  ## @param stepIngress.annotations [object] Annotations for the ingress object
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+    # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    # If Profile Type == https_spiffe:
+    # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+
+  ## @param stepIngress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
+  host: "spiffe-step-ssh"
+
+  ## @param stepIngress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
+  tlsSecret: ""
+
+  ## @param stepIngress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
+  hosts: []
+  #  - host: spiffe-step-ssh.example.org
+  #    paths:
+  #      - path: /
+  #        pathType: Prefix
+
+  ## @param stepIngress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
+  tls: []
+  #  - hosts:
+  #      - spiffe-step-ssh.example.org
+
+## @skip step
+step:
+  service:
+    port: 443
+    targetPort: 8443
+  inject:
+    enabled: false
+  bootstrap:
+    enabled: false
+    configmaps: false
+    secrets: false
+  existingSecrets:
+    enabled: true
+    ca: true
+    issuer: true
+    certsAsSecret: false
+    configAsSecret: false
+    sshHostCa: true
+    sshUserCa: true
+
+spiffeHelper:
+  ## @param spiffeHelper.image.registry The OCI registry to pull the image from
+  ## @param spiffeHelper.image.repository The repository within the registry
+  ## @param spiffeHelper.image.pullPolicy The image pull policy
+  ## @param spiffeHelper.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: ghcr.io
+    repository: spiffe/spiffe-helper
+    pullPolicy: IfNotPresent
+    tag: 0.8.0
+
+nginx:
+  ## @param nginx.image.registry The OCI registry to pull the image from
+  ## @param nginx.image.repository The repository within the registry
+  ## @param nginx.image.pullPolicy The image pull policy
+  ## @param nginx.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: docker.io
+    repository: nginxinc/nginx-unprivileged
+    pullPolicy: IfNotPresent
+    tag: 1.25.3-alpine
+
+kubectl:
+  ## @param kubectl.image.registry The OCI registry to pull the image from
+  ## @param kubectl.image.repository The repository within the registry
+  ## @param kubectl.image.pullPolicy The image pull policy
+  ## @param kubectl.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: registry.k8s.io
+    repository: kubectl
+    pullPolicy: IfNotPresent
+    tag: ""
+
+yq:
+  ## @param yq.image.registry The OCI registry to pull the image from
+  ## @param yq.image.repository The repository within the registry
+  ## @param yq.image.pullPolicy The image pull policy
+  ## @param yq.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: docker.io
+    repository: mikefarah/yq
+    pullPolicy: IfNotPresent
+    tag: "4.40.5"
+
+busybox:
+  ## @param busybox.image.registry The OCI registry to pull the image from
+  ## @param busybox.image.repository The repository within the registry
+  ## @param busybox.image.pullPolicy The image pull policy
+  ## @param busybox.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: docker.io
+    repository: busybox
+    pullPolicy: IfNotPresent
+    tag: "1.36.1-uclibc"
+
+## @param imagePullSecrets [array] Pull secrets for images
+imagePullSecrets: []
+
+## @param nameOverride Name override
+nameOverride: ""
+
+## @param fullnameOverride Fullname override
+fullnameOverride: ""
+
+## @param serviceAccount.create Specifies whether a service account should be created
+## @param serviceAccount.annotations [object] Annotations to add to the service account
+## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
+##
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""
+
+## @param podAnnotations [object] Additional pod annotations to add
+podAnnotations: {}
+## @param podLabels [object] Additional pod labels to add
+podLabels: {}
+
+## @param podSecurityContext [object} Specify pod security context settings
+podSecurityContext: {}
+  # fsGroup: 2000
+
+## @param securityContext [object] Specify container security context settings
+securityContext:
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+  # FIXME
+  runAsUser: 0
+
+fetchCA:
+  ## @param fetchCA.replicaCount Number of replicas to launch
+  replicaCount: 1
+
+  ## @param fetchCA.service.type The type of service to deploy
+  ## @param fetchCA.service.port The port number of the service port
+  service:
+    type: ClusterIP
+    port: 443
+
+  ingress:
+    ## @param fetchCA.ingress.enabled Flag to enable ingress
+    enabled: false
+    ## @param fetchCA.ingress.className Ingress class name
+    className: ""
+    ## @param fetchCA.ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
+    controllerType: ""
+    ## @param fetchCA.ingress.annotations [object] Annotations for the ingress object
+    annotations: {}
+      # kubernetes.io/ingress.class: nginx
+      # kubernetes.io/tls-acme: "true"
+      # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+      # If Profile Type == https_spiffe:
+      # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+
+    ## @param fetchCA.ingress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
+    host: "spiffe-step-ssh-fetchca"
+
+    ## @param fetchCA.ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
+    tlsSecret: ""
+
+    ## @param fetchCA.ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
+    hosts: []
+    #  - host: spiffe-step-ssh-fetchca.example.org
+    #    paths:
+    #      - path: /
+    #        pathType: Prefix
+
+    ## @param fetchCA.ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
+    tls: []
+    #  - hosts:
+    #      - spiffe-step-ssh-fetchca.example.org
+
+  ## @param fetchCA.autoscaling.enabled Enable autoscaling
+  ## @param fetchCA.autoscaling.minReplicas Minimum number of replicas to deploy
+  ## @param fetchCA.autoscaling.maxReplicas Maximum number of replicas to deploy
+  ## @param fetchCA.autoscaling.targetCPUUtilizationPercentage Target CPU utilization to use for autoscaling
+  autoscaling:
+    enabled: false
+    minReplicas: 1
+    maxReplicas: 100
+    targetCPUUtilizationPercentage: 80
+    # targetMemoryUtilizationPercentage: 80
+
+  ## @param fetchCA.resources [object] Specify resources
+  resources: {}
+    # limits:
+    #   cpu: 100m
+    #   memory: 128Mi
+    # requests:
+    #   cpu: 100m
+    #   memory: 128Mi
+
+  spiffeHelper:
+    ## @param fetchCA.spiffeHelper.resources [object] Specify resources for the SPIFFE helper
+    resources: {}
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+      # requests:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+  ## @param fetchCA.nodeSelector [object] Specify node selector
+  nodeSelector: {}
+
+  ## @param fetchCA.tolerations [array] Specify tolerations
+  tolerations: []
+
+  ## @param fetchCA.affinity [object] Specify affinity
+  affinity: {}
+
+config:
+  ## @param config.resources [object] Specify resources
+  resources: {}
+    # limits:
+    #   cpu: 100m
+    #   memory: 128Mi
+    # requests:
+    #   cpu: 100m
+    #   memory: 128Mi
+
+  ## @param config.nodeSelector [object] Specify node selector
+  nodeSelector: {}
+
+  ## @param config.tolerations [array] Specify tolerations
+  tolerations: []
+
+  ## @param config.affinity [object] Specify affinity
+  affinity: {}

charts/spire-crds/Chart.yaml

@@ -3,7 +3,7 @@ name: spire-crds
 description: >
   A Helm chart for deploying the Spire CRDS
 type: application
-version: 0.3.0
+version: 0.5.0
 appVersion: "0.0.1"
 keywords: ["spire-crds"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire

charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml

@@ -45,6 +45,11 @@ spec:
                 description: AutoPopulateDNSNames indicates whether or not to auto
                   populate service DNS names.
                 type: boolean
+              fallback:
+                description: |-
+                  Apply this ID only if there are no other matching non fallback
+                  ClusterSPIFFEIDs
+                type: boolean
               dnsNameTemplates:
                 description: DNSNameTemplate represents templates for extra DNS names
                   that are applicable to SVIDs minted for this ClusterSPIFFEID. The
@@ -66,6 +71,9 @@ spec:
                 items:
                   type: string
                 type: array
+              hint:
+                description: Set the entry hint
+                type: string
               jwtTtl:
                 description: JWTTTL indicates an upper-bound time-to-live for JWT
                   SVIDs minted for this ClusterSPIFFEID.

charts/spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml

@@ -64,6 +64,8 @@ spec:
                 type: array
               spiffeID:
                 type: string
+              storeSVID:
+                type: boolean
               x509SVIDTTL:
                 type: string
             required:

charts/spire-nested/.helmignore

@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+ci/

charts/spire-nested/Chart.yaml

@@ -0,0 +1,116 @@
+apiVersion: v2
+name: spire-nested
+description: >
+  A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
+type: application
+version: 0.26.1
+appVersion: "1.12.4"
+keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
+home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
+sources:
+  - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
+icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
+maintainers:
+  - name: marcofranssen
+    email: marco.franssen@gmail.com
+    url: https://marcofranssen.nl
+  - name: kfox1111
+    email: Kevin.Fox@pnnl.gov
+  - name: faisal-memon
+    email: fymemon@yahoo.com
+kubeVersion: ">=1.21.0-0"
+dependencies:
+  - name: spire-lib
+    repository: file://../spire/charts/spire-lib
+    version: 0.1.0
+  - name: spire-server
+    alias: root-spire-server
+    condition: root-spire-server.enabled
+    tags:
+    - nestedRoot
+    repository: file://../spire/charts/spire-server
+    version: 0.1.0
+  - name: spire-server
+    alias: external-root-spire-server-full
+    condition: external-root-spire-server-full.enabled
+    tags:
+    - nestedChildFull
+    repository: file://../spire/charts/spire-server
+    version: 0.1.0
+  - name: spire-server
+    alias: external-root-spire-server-security
+    condition: external-root-spire-server-security.enabled
+    tags:
+    - nestedChildSecurity
+    repository: file://../spire/charts/spire-server
+    version: 0.1.0
+  - name: spire-server
+    alias: internal-spire-server
+    condition: internal-spire-server.enabled
+    tags:
+    - nestedRoot
+    - nestedChildFull
+    repository: file://../spire/charts/spire-server
+    version: 0.1.0
+  - name: spire-server
+    alias: external-spire-server
+    condition: external-spire-server.enabled
+    tags:
+    - nestedRoot
+    repository: file://../spire/charts/spire-server
+    version: 0.1.0
+  - name: spire-agent
+    alias: downstream-spire-agent-full
+    condition: downstream-spire-agent-full.enabled
+    tags:
+    - nestedRoot
+    - nestedChildFull
+    repository: file://../spire/charts/spire-agent
+    version: 0.1.0
+  - name: spire-agent
+    alias: downstream-spire-agent-security
+    condition: downstream-spire-agent-security.enabled
+    tags:
+    - nestedChildSecurity
+    repository: file://../spire/charts/spire-agent
+    version: 0.1.0
+  - name: spire-agent
+    alias: upstream-spire-agent
+    condition: upstream-spire-agent.enabled
+    tags:
+    - nestedRoot
+    - nestedChildFull
+    repository: file://../spire/charts/spire-agent
+    version: 0.1.0
+  - name: spiffe-csi-driver
+    alias: downstream-spiffe-csi-driver
+    condition: downstream-spiffe-csi-driver.enabled
+    tags:
+    - nestedRoot
+    - nestedChildFull
+    - nestedChildSecurity
+    repository: file://../spire/charts/spiffe-csi-driver
+    version: 0.1.0
+  - name: spiffe-csi-driver
+    alias: upstream-spiffe-csi-driver
+    condition: upstream-spiffe-csi-driver.enabled
+    tags:
+    - nestedRoot
+    - nestedChildFull
+    repository: file://../spire/charts/spiffe-csi-driver
+    version: 0.1.0
+  - name: spiffe-oidc-discovery-provider
+    condition: spiffe-oidc-discovery-provider.enabled
+    tags:
+    - nestedRoot
+    - nestedChildFull
+    - nestedChildSecurity
+    repository: file://../spire/charts/spiffe-oidc-discovery-provider
+    version: 0.1.0
+  - name: tornjak-frontend
+    condition: tornjak-frontend.enabled
+    repository: file://../spire/charts/tornjak-frontend
+    version: 0.1.0
+annotations:
+  artifacthub.io/category: security
+  artifacthub.io/license: Apache-2.0

charts/spire-nested/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

charts/spire-nested/README.md

@@ -0,0 +1,355 @@
+# spire
+
+![Version: 0.26.1](https://img.shields.io/badge/Version-0.26.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.4](https://img.shields.io/badge/AppVersion-1.12.4-informational?style=flat-square)
+[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
+
+A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
+
+**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
+
+## Install Instructions
+
+### Non Production
+To do a quick install suitable for testing in something like minikube:
+
+```shell
+helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
+helm upgrade --install -n spire-server spire spire-nested --repo https://spiffe.github.io/helm-charts-hardened/
+```
+
+### Production
+
+Preparing a production deployment requires a few steps.
+
+1. Save the following to your-values.yaml, ideally in your git repo.
+```yaml
+global:
+  openshift: false # If running on openshift, set to true
+  spire:
+    recommendations:
+      enabled: true
+    namespaces:
+      create: true
+    ingressControllerType: "" # If not openshift, and want to expose services, set to a supported option [ingress-nginx]
+    # Update these
+    clusterName: example-cluster
+    trustDomain: example.org
+    caSubject:
+      country: ARPA
+      organization: Example
+      commonName: example.org
+```
+
+2. If you need a non default storageClass, append the following to the spire-server section and update:
+```
+  persistence:
+    storageClass: your-storage-class
+```
+
+3. If your Kubernetes cluster is OpenShift based, use the output of the following command to update the trustDomain setting:
+```shell
+oc get cm -n openshift-config-managed  console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//'
+```
+
+4. Find any additional values you might want to set based on the documentation below or using the [examples](https://github.com/spiffe/helm-charts-hardened/tree/main/examples)
+
+In particular, consider using an external database.
+
+5. Deploy
+
+```shell
+helm upgrade --install -n spire-mgmt spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
+helm upgrade --install -n spire-mgmt spire spire-nested --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml
+```
+
+## Clean up
+
+```shell
+helm -n spire-mgmt uninstall spire-crds
+helm -n spire-mgmt uninstall spire
+kubectl -n spire-server delete pvc -l app.kubernetes.io/instance=spire
+kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeids.spire.spiffe.io clusterstaticentries.spire.spiffe.io
+```
+
+## Upgrade notes
+
+We only support upgrading one major version at a time. Version skipping isn't supported.
+
+### 0.17.X
+
+- If you set spire-server.replicaCount > 1, update it to 1 before upgrading and after upgrade you can set it back to its previous value.
+- The SPIFFE OIDC Discovery Provider now has many new TLS options and defaults to using SPIRE to issue its certificate.
+- The `spiffe-oidc-discovery-provider.insecureScheme.enabled` flag was removed. If you previously set that flag, remove the setting from your values.yaml and see if the new default of using a SPIRE issued certificate is suitable for your deployment. If it isn't, please consider one of the other options under `spiffe-oidc-discovery-provider.tls`. If all other options are still unsuitable, you can still enable the previous mode by disabling TLS. (`spiffe-oidc-discovery-provider.tls.spire.enabled=false`)
+
+- The SPIFFE OIDC Discovery Provider is now enabled by default. If you previously chose to have it off, you can disable it explicitly with `spiffe-oidc-discovery-provider.enabled=false`.
+
+### 0.16.X
+
+The settings under "spire-server.controllerManager.identities" have all been moved under "spire-server.controllerManager.identities.clusterSPIFFEIDs.default". If you have changed any from the defaults, please update them to the new location during upgrade.
+
+### 0.15.X
+
+The spire-crds chart has been updated. Please ensure you have upgraded spire-crds before upgrading the spire chart.
+
+The chart now supports multiple parallel installs of spire-controller-manager. Each install will handle all custom resources with a matching `className` field.  By default this is set to `Release.Namespace-Release.Name` and the controller manager will only pick up custom resources with this `className`.
+
+If you have not loaded any SPIRE custom resources yourself, the upgrade process will be transparent. If you have loaded your own SPIRE custom resources, set `spire-server.controllerManager.watchClassless=true` until you can update your SPIRE custom resources to have the `className` for the instance specified.
+
+### 0.14.X
+
+If coming from a chart version before 0.14.0, you must relabel your crds to switch to using the new spire-crds chart. To migrate to the spire-crds chart
+run the following:
+
+Replace the spire-server namespace in the commands below with the namespace you want to install the spire-crds chart in.
+
+```shell
+kubectl label crd "clusterfederatedtrustdomains.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm"
+kubectl annotate crd "clusterfederatedtrustdomains.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds"
+kubectl annotate crd "clusterfederatedtrustdomains.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server"
+kubectl label crd "clusterspiffeids.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm"
+kubectl annotate crd "clusterspiffeids.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds"
+kubectl annotate crd "clusterspiffeids.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server"
+kubectl label crd "controllermanagerconfigs.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm"
+kubectl annotate crd "controllermanagerconfigs.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds"
+kubectl annotate crd "controllermanagerconfigs.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server"
+helm install -n spire-server spire-crds charts/spire-crds
+```
+
+## Version support
+
+> [!Warning]
+> This Chart is still in development and still subject to change the API (`values.yaml`).
+> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
+> we do aim for as much stability as possible.
+
+| Dependency | Supported Versions |
+|:-----------|:-------------------|
+| Helm       | `3.x`              |
+| Kubernetes | `1.22+`            |
+
+> [!Note]
+> For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden.
+
+## FAQ
+
+For any issues see our [FAQ](../../FAQ.md)…
+
+## Usage
+
+To utilize Spire in your own workloads you should add the following to your workload:
+
+```diff
+ apiVersion: v1
+ kind: Pod
+ metadata:
+   name: my-app
+ spec:
+   containers:
+     - name: my-app
+       image: "my-app:latest"
+       imagePullPolicy: Always
++      volumeMounts:
++        - name: spiffe-workload-api
++          mountPath: /spiffe-workload-api
++          readOnly: true
+       resources:
+         requests:
+           cpu: 200m
+           memory: 32Mi
+         limits:
+           cpu: 500m
+           memory: 64Mi
++  volumes:
++    - name: spiffe-workload-api
++      csi:
++        driver: "csi.spiffe.io"
++        readOnly: true
+```
+
+Now you can interact with the Spire agent socket from your own application. The socket is mounted on `/spiffe-workload-api/spire-agent.sock`.
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| marcofranssen | <marco.franssen@gmail.com> | <https://marcofranssen.nl> |
+| kfox1111 | <Kevin.Fox@pnnl.gov> |  |
+| faisal-memon | <fymemon@yahoo.com> |  |
+| edwbuck | <edwbuck@gmail.com> |  |
+
+## Source Code
+
+* <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| file://./charts/spiffe-csi-driver | spiffe-csi-driver | 0.1.0 |
+| file://./charts/spiffe-csi-driver | upstream-spiffe-csi-driver(spiffe-csi-driver) | 0.1.0 |
+| file://./charts/spiffe-oidc-discovery-provider | spiffe-oidc-discovery-provider | 0.1.0 |
+| file://./charts/spire-agent | spire-agent | 0.1.0 |
+| file://./charts/spire-agent | upstream-spire-agent(spire-agent) | 0.1.0 |
+| file://./charts/spire-server | spire-server | 0.1.0 |
+| file://./charts/tornjak-frontend | tornjak-frontend | 0.1.0 |
+
+<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
+
+## Parameters
+
+### Global parameters
+
+| Name                                             | Description                                                                                                                                                                                                                            | Value             |
+| ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
+| `global.k8s.clusterDomain`                       | Cluster domain name configured for Spire install                                                                                                                                                                                       | `cluster.local`   |
+| `global.spire.clusterName`                       | The name of the k8s cluster for Spire install                                                                                                                                                                                          | `example-cluster` |
+| `global.spire.jwtIssuer`                         | The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset                                                                                                                                                      | `""`              |
+| `global.spire.trustDomain`                       | The trust domain for Spire install                                                                                                                                                                                                     | `example.org`     |
+| `global.spire.caSubject.country`                 | Country for Spire server CA                                                                                                                                                                                                            | `""`              |
+| `global.spire.caSubject.organization`            | Organization for Spire server CA                                                                                                                                                                                                       | `""`              |
+| `global.spire.caSubject.commonName`              | Common Name for Spire server CA                                                                                                                                                                                                        | `""`              |
+| `global.spire.recommendations.enabled`           | Use recommended settings for production deployments. Default is off.                                                                                                                                                                   | `false`           |
+| `global.spire.recommendations.namespaceLayout`   | Set to true to use recommended values for installing across namespaces                                                                                                                                                                 | `true`            |
+| `global.spire.recommendations.namespacePSS`      | When chart namespace creation is enabled, label them with preffered Pod Security Standard labels                                                                                                                                       | `true`            |
+| `global.spire.recommendations.priorityClassName` | Set to true to use recommended values for Pod Priority Class Names                                                                                                                                                                     | `true`            |
+| `global.spire.recommendations.strictMode`        | Check values, such as trustDomain, are overridden with a suitable value for production.                                                                                                                                                | `true`            |
+| `global.spire.recommendations.securityContexts`  | Set to true to use recommended values for Pod and Container Security Contexts                                                                                                                                                          | `true`            |
+| `global.spire.recommendations.prometheus`        | Enable prometheus exporters for monitoring                                                                                                                                                                                             | `true`            |
+| `global.spire.image.registry`                    | Override all Spire image registries at once                                                                                                                                                                                            | `""`              |
+| `global.spire.namespaces.create`                 | Set to true to Create all namespaces. If this or either of the namespace specific create flags is set, the namespace will be created.                                                                                                  | `false`           |
+| `global.spire.namespaces.system.name`            | Name of the Spire system Namespace.                                                                                                                                                                                                    | `spire-system`    |
+| `global.spire.namespaces.system.create`          | Create a Namespace for Spire system resources.                                                                                                                                                                                         | `false`           |
+| `global.spire.namespaces.system.annotations`     | Annotations to apply to the Spire system Namespace.                                                                                                                                                                                    | `{}`              |
+| `global.spire.namespaces.system.labels`          | Labels to apply to the Spire system Namespace.                                                                                                                                                                                         | `{}`              |
+| `global.spire.namespaces.server.name`            | Name of the Spire server Namespace.                                                                                                                                                                                                    | `spire-server`    |
+| `global.spire.namespaces.server.create`          | Create a Namespace for Spire server resources.                                                                                                                                                                                         | `false`           |
+| `global.spire.namespaces.server.annotations`     | Annotations to apply to the Spire server Namespace.                                                                                                                                                                                    | `{}`              |
+| `global.spire.namespaces.server.labels`          | Labels to apply to the Spire server Namespace.                                                                                                                                                                                         | `{}`              |
+| `global.spire.strictMode`                        | Check values, such as trustDomain, are overridden with a suitable value for production.                                                                                                                                                | `false`           |
+| `global.spire.ingressControllerType`             | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""`              |
+| `global.spire.tools.kubectl.tag`                 | Set to force the tag to use for all kubectl instances                                                                                                                                                                                  | `""`              |
+| `global.installAndUpgradeHooks.enabled`          | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`)                                                                                                                             | `true`            |
+| `global.deleteHooks.enabled`                     | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`)                                                                                                                                      | `true`            |
+| `tags.nestedRoot`                                | Set the chart architecture to root nested                                                                                                                                                                                              | `false`           |
+| `tags.nestedChildFull`                           | Set the chart mode to a child cluster with its own nested server                                                                                                                                                                       | `false`           |
+| `tags.nestedChildSecurity`                       | Set the chart mode to a child cluster for use with a security cluster                                                                                                                                                                  | `false`           |
+
+### Spire agent parameters
+
+| Name                                               | Description                                                    | Value                                 |
+| -------------------------------------------------- | -------------------------------------------------------------- | ------------------------------------- |
+| `downstream-spire-agent-full.nameOverride`         | Overrides the name of Spire agent pods                         | `agent-downstream`                    |
+| `downstream-spire-agent-full.server.nameOverride`  | The name override setting of the internal SPIRE server         | `internal-server`                     |
+| `downstream-spire-agent-full.bundleConfigMap`      | The name of the configmap that contains the downstream bundle  | `spire-bundle-downstream`             |
+| `downstream-spire-agent-full.persistence.hostPath` | Which path to use on the host when persistence.type = hostPath | `/var/lib/spire/k8s/downstream-agent` |
+
+### Spire agent parameters
+
+| Name                                                   | Description                                                    | Value                                 |
+| ------------------------------------------------------ | -------------------------------------------------------------- | ------------------------------------- |
+| `downstream-spire-agent-security.nameOverride`         | Overrides the name of Spire agent pods                         | `agent-downstream`                    |
+| `downstream-spire-agent-security.bundleConfigMap`      | The name of the configmap that contains the downstream bundle  | `spire-bundle-upstream`               |
+| `downstream-spire-agent-security.serviceAccount.name`  | The name of the service account to use                         | `spire-agent-upstream`                |
+| `downstream-spire-agent-security.persistence.hostPath` | Which path to use on the host when persistence.type = hostPath | `/var/lib/spire/k8s/downstream-agent` |
+
+### Upstream Spire agent parameters
+
+| Name                                             | Description                                                    | Value                                                |
+| ------------------------------------------------ | -------------------------------------------------------------- | ---------------------------------------------------- |
+| `upstream-spire-agent.upstream`                  | Flag for enabling upstream Spire agent                         | `true`                                               |
+| `upstream-spire-agent.nameOverride`              | Name override for upstream Spire agent                         | `agent-upstream`                                     |
+| `upstream-spire-agent.bundleConfigMap`           | The configmap name for upstream Spire agent bundle             | `spire-bundle-upstream`                              |
+| `upstream-spire-agent.socketPath`                | Socket path where Spire agent socket is mounted                | `/run/spire/agent-sockets-upstream/spire-agent.sock` |
+| `upstream-spire-agent.serviceAccount.name`       | Service account name for upstream Spire agent                  | `spire-agent-upstream`                               |
+| `upstream-spire-agent.healthChecks.port`         | Health check port number for upstream Spire agent              | `9981`                                               |
+| `upstream-spire-agent.telemetry.prometheus.port` | The port where prometheus metrics are available                | `9989`                                               |
+| `upstream-spire-agent.server.nameOverride`       | The name override setting of the root SPIRE server             | `root-server`                                        |
+| `upstream-spire-agent.persistence.hostPath`      | Which path to use on the host when persistence.type = hostPath | `/var/lib/spire/k8s/upstream-agent`                  |
+
+### SPIFFE CSI Driver parameters
+
+| Name                                            | Description       | Value                          |
+| ----------------------------------------------- | ----------------- | ------------------------------ |
+| `downstream-spiffe-csi-driver.fullnameOverride` | Fullname override | `spiffe-csi-driver-downstream` |
+
+### Upstream SPIFFE CSI Driver parameters
+
+| Name                                           | Description                                                 | Value                                                |
+| ---------------------------------------------- | ----------------------------------------------------------- | ---------------------------------------------------- |
+| `upstream-spiffe-csi-driver.fullnameOverride`  | Fullname override                                           | `spiffe-csi-driver-upstream`                         |
+| `upstream-spiffe-csi-driver.pluginName`        | The plugin name for configuring upstream Spiffe CSI driver  | `upstream.csi.spiffe.io`                             |
+| `upstream-spiffe-csi-driver.agentSocketPath`   | The socket path where Spiffe CSI driver mounts agent socket | `/run/spire/agent-sockets-upstream/spire-agent.sock` |
+| `upstream-spiffe-csi-driver.healthChecks.port` | The port where Spiffe CSI driver health checks are exposed  | `9810`                                               |
+
+### SPIFFE oidc discovery provider parameters
+
+| Name                                              | Description       | Value                            |
+| ------------------------------------------------- | ----------------- | -------------------------------- |
+| `spiffe-oidc-discovery-provider.fullnameOverride` | Fullname override | `spiffe-oidc-discovery-provider` |
+
+### Tornjak frontend parameters
+
+| Name                                                                                                            | Description                                                                                                                                       | Value                        |
+| --------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- |
+| `tornjak-frontend.enabled`                                                                                      | Enables deployment of Tornjak frontend/UI (Not for production)                                                                                    | `false`                      |
+| `root-spire-server.nameOverride`                                                                                | Name override                                                                                                                                     | `root-server`                |
+| `root-spire-server.crNameOverride`                                                                              | Custom Resource name override                                                                                                                     | `root`                       |
+| `root-spire-server.controllerManager.enabled`                                                                   | Enable controller manager and provision CRD's                                                                                                     | `true`                       |
+| `root-spire-server.controllerManager.externalControllerManagers.enabled`                                        | Flag to enable external controller managers                                                                                                       | `true`                       |
+| `root-spire-server.controllerManager.validatingWebhookConfiguration.enabled`                                    | Disable only when you have another instance on the k8s cluster with webhooks enabled.                                                             | `false`                      |
+| `root-spire-server.controllerManager.className`                                                                 | specify to use an explicit class name.                                                                                                            | `spire-mgmt-root-server`     |
+| `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled`                         | Enable child servers                                                                                                                              | `true`                       |
+| `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.default.enabled`                               | Enable the default cluster spiffe id                                                                                                              | `false`                      |
+| `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled`               | Enable the test-keys identity                                                                                                                     | `false`                      |
+| `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled`                             | Enable the test-keys identity                                                                                                                     | `false`                      |
+| `root-spire-server.externalControllerManagers.enabled`                                                          | Flag to enable external controller managers                                                                                                       | `true`                       |
+| `root-spire-server.nodeAttestor.k8sPSAT.serviceAccountAllowList`                                                | Allowed service accounts for PSAT nodeattestor                                                                                                    | `[]`                         |
+| `root-spire-server.bundleConfigMap`                                                                             | The name of the configmap to store the upstream bundle                                                                                            | `spire-bundle-upstream`      |
+| `external-root-spire-server-full.externalServer`                                                                | Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers. | `true`                       |
+| `external-root-spire-server-full.nameOverride`                                                                  | Name override                                                                                                                                     | `root-server`                |
+| `external-root-spire-server-full.crNameOverride`                                                                | Custom Resource name override                                                                                                                     | `root`                       |
+| `external-root-spire-server-full.controllerManager.enabled`                                                     | Enable controller manager and provision CRD's                                                                                                     | `true`                       |
+| `external-root-spire-server-full.controllerManager.validatingWebhookConfiguration.enabled`                      | Disable only when you have another instance on the k8s cluster with webhooks enabled.                                                             | `false`                      |
+| `external-root-spire-server-full.controllerManager.className`                                                   | specify to use an explicit class name.                                                                                                            | `spire-mgmt-external-server` |
+| `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled`           | Enable child servers                                                                                                                              | `true`                       |
+| `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.default.enabled`                 | Enable the default cluster spiffe id                                                                                                              | `false`                      |
+| `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled` | Enable the test-keys identity                                                                                                                     | `false`                      |
+| `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled`               | Enable the test-keys identity                                                                                                                     | `false`                      |
+| `external-root-spire-server-full.nodeAttestor.k8sPSAT.serviceAccountAllowList`                                  | Allowed service accounts for PSAT nodeattestor                                                                                                    | `[]`                         |
+| `external-root-spire-server-full.bundleConfigMap`                                                               | The name of the configmap to store the upstream bundle                                                                                            | `spire-bundle-upstream`      |
+| `external-root-spire-server-security.externalServer`                                                            | Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers. | `true`                       |
+| `external-root-spire-server-security.nameOverride`                                                              | Name override                                                                                                                                     | `root-server`                |
+| `external-root-spire-server-security.crNameOverride`                                                            | Custom Resource name override                                                                                                                     | `root`                       |
+| `external-root-spire-server-security.controllerManager.enabled`                                                 | Enable controller manager and provision CRD's                                                                                                     | `true`                       |
+| `external-root-spire-server-security.controllerManager.validatingWebhookConfiguration.enabled`                  | Disable only when you have another instance on the k8s cluster with webhooks enabled.                                                             | `false`                      |
+| `external-root-spire-server-security.controllerManager.className`                                               | specify to use an explicit class name.                                                                                                            | `spire-mgmt-external-server` |
+| `external-root-spire-server-security.nodeAttestor.k8sPSAT.serviceAccountAllowList`                              | Allowed service accounts for PSAT nodeattestor                                                                                                    | `[]`                         |
+| `external-root-spire-server-security.bundleConfigMap`                                                           | The name of the configmap to store the upstream bundle                                                                                            | `spire-bundle-upstream`      |
+
+### Spire server parameters
+
+| Name                                                                                                               | Description                                                                           | Value                        |
+| ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------- | ---------------------------- |
+| `internal-spire-server.nameOverride`                                                                               | Overrides the name of Spire server pods                                               | `internal-server`            |
+| `internal-spire-server.controllerManager.enabled`                                                                  | Enable controller manager and provision CRD's                                         | `true`                       |
+| `internal-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.autoPopulateDNSNames` | Auto populate dns entries                                                             | `false`                      |
+| `internal-spire-server.externalControllerManagers.enabled`                                                         | Flag to enable external controller managers                                           | `true`                       |
+| `internal-spire-server.upstreamAuthority.spire.enabled`                                                            | Enable upstream SPIRE server                                                          | `true`                       |
+| `internal-spire-server.upstreamAuthority.spire.upstreamDriver`                                                     | Use an upstream driver for authentication                                             | `upstream.csi.spiffe.io`     |
+| `internal-spire-server.upstreamAuthority.spire.server.nameOverride`                                                | The name override setting of the root SPIRE server                                    | `root-server`                |
+| `internal-spire-server.bundleConfigMap`                                                                            | The name of the configmap to store the downstream bundle                              | `spire-bundle-downstream`    |
+| `external-spire-server.nameOverride`                                                                               | Overrides the name of Spire server pods                                               | `external-server`            |
+| `external-spire-server.crNameOverride`                                                                             | Custom Resource name override                                                         | `external`                   |
+| `external-spire-server.controllerManager.enabled`                                                                  | Enable controller manager and provision CRD's                                         | `true`                       |
+| `external-spire-server.controllerManager.validatingWebhookConfiguration.enabled`                                   | Disable only when you have another instance on the k8s cluster with webhooks enabled. | `false`                      |
+| `external-spire-server.controllerManager.className`                                                                | specify to use an explicit class name.                                                | `spire-mgmt-external-server` |
+| `external-spire-server.controllerManager.identities.clusterSPIFFEIDs.default.enabled`                              | Enable the default identity                                                           | `false`                      |
+| `external-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled`              | Enable the oidc-discovery-provider identity                                           | `false`                      |
+| `external-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled`                            | Enable the test-keys identity                                                         | `false`                      |
+| `external-spire-server.externalControllerManagers.enabled`                                                         | Flag to enable external controller managers                                           | `true`                       |
+| `external-spire-server.upstreamAuthority.spire.enabled`                                                            | Enable upstream SPIRE server                                                          | `true`                       |
+| `external-spire-server.upstreamAuthority.spire.upstreamDriver`                                                     | Use an upstream driver for authentication                                             | `upstream.csi.spiffe.io`     |
+| `external-spire-server.upstreamAuthority.spire.server.nameOverride`                                                | The name override setting of the root SPIRE server                                    | `root-server`                |
+| `external-spire-server.bundlePublisher.k8sConfigMap.enabled`                                                       | Enable local k8s bundle uploader                                                      | `false`                      |
+| `external-spire-server.nodeAttestor.k8sPSAT.enabled`                                                               | Enable PSAT k8s nodeattestor                                                          | `false`                      |
+| `external-spire-server.nodeAttestor.joinToken.enabled`                                                             | Enable the join_token nodeattestor                                                    | `true`                       |

charts/spire-nested/templates/namespaces.yaml

@@ -0,0 +1,3 @@
+{{- include "spire-lib.namespace.system" . }}
+---
+{{- include "spire-lib.namespace.server" . }}

charts/spire-nested/values.yaml

@@ -0,0 +1,397 @@
+# Default configuration for Spire chart
+# SPDX-License-Identifier: APACHE-2.0
+
+## @section Global parameters
+## Note: the parameter values specified here will override the chart level values for these parameters.
+##
+global:
+  k8s:
+    ## @param global.k8s.clusterDomain Cluster domain name configured for Spire install
+    clusterDomain: cluster.local
+
+  spire:
+    ## @param global.spire.clusterName The name of the k8s cluster for Spire install
+    clusterName: example-cluster
+    ## @param global.spire.jwtIssuer The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset
+    jwtIssuer: ""
+    ## @param global.spire.trustDomain The trust domain for Spire install
+    trustDomain: example.org
+
+    ## @param global.spire.caSubject.country Country for Spire server CA
+    ## @param global.spire.caSubject.organization Organization for Spire server CA
+    ## @param global.spire.caSubject.commonName Common Name for Spire server CA
+    caSubject:
+      country: ""
+      organization: ""
+      commonName: ""
+
+    ## @param global.spire.recommendations.enabled Use recommended settings for production deployments. Default is off.
+    ## @param global.spire.recommendations.namespaceLayout Set to true to use recommended values for installing across namespaces
+    ## @param global.spire.recommendations.namespacePSS When chart namespace creation is enabled, label them with preffered Pod Security Standard labels
+    ## @param global.spire.recommendations.priorityClassName Set to true to use recommended values for Pod Priority Class Names
+    ## @param global.spire.recommendations.strictMode Check values, such as trustDomain, are overridden with a suitable value for production.
+    ## @param global.spire.recommendations.securityContexts Set to true to use recommended values for Pod and Container Security Contexts
+    ## @param global.spire.recommendations.prometheus Enable prometheus exporters for monitoring
+    recommendations:
+      enabled: false
+      namespaceLayout: true
+      namespacePSS: true
+      priorityClassName: true
+      strictMode: true
+      securityContexts: true
+      prometheus: true
+
+    image:
+      ## @param global.spire.image.registry Override all Spire image registries at once
+      registry: ""
+
+    namespaces:
+      ## @param global.spire.namespaces.create Set to true to Create all namespaces. If this or either of the namespace specific create flags is set, the namespace will be created.
+      create: false
+      system:
+        ## @param global.spire.namespaces.system.name Name of the Spire system Namespace.
+        name: "spire-system"
+        ## @param global.spire.namespaces.system.create Create a Namespace for Spire system resources.
+        create: false
+        ## @param global.spire.namespaces.system.annotations [object] Annotations to apply to the Spire system Namespace.
+        annotations: {}
+        ## @param global.spire.namespaces.system.labels [object] Labels to apply to the Spire system Namespace.
+        labels: {}
+      server:
+        ## @param global.spire.namespaces.server.name Name of the Spire server Namespace.
+        name: "spire-server"
+        ## @param global.spire.namespaces.server.create Create a Namespace for Spire server resources.
+        create: false
+        ## @param global.spire.namespaces.server.annotations [object] Annotations to apply to the Spire server Namespace.
+        annotations: {}
+        ## @param global.spire.namespaces.server.labels [object] Labels to apply to the Spire server Namespace.
+        labels: {}
+
+    ## @param global.spire.strictMode Check values, such as trustDomain, are overridden with a suitable value for production.
+    strictMode: false
+
+    ## @param global.spire.ingressControllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
+    ingressControllerType: ""
+
+    tools:
+      kubectl:
+        ## @param global.spire.tools.kubectl.tag Set to force the tag to use for all kubectl instances
+        tag: ""
+
+  installAndUpgradeHooks:
+    ## @param global.installAndUpgradeHooks.enabled Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`)
+    enabled: true
+  deleteHooks:
+    ## @param global.deleteHooks.enabled Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`)
+    enabled: true
+
+#  telemetry:
+#    prometheus:
+#      enabled: true
+#      podMonitor:
+#        enabled: true
+#        # -- Allows to install the PodMonitor in another namespace then the spire components are installed into.
+#        namespace: "kube-prometheus-system"
+#        labels: {}
+
+tags:
+  ## @param tags.nestedRoot Set the chart architecture to root nested
+  nestedRoot: false
+  ## @param tags.nestedChildFull Set the chart mode to a child cluster with its own nested server
+  nestedChildFull: false
+  ## @param tags.nestedChildSecurity Set the chart mode to a child cluster for use with a security cluster
+  nestedChildSecurity: false
+
+## subcharts
+
+## @section Spire agent parameters
+## Parameter values for Spire agent
+##
+# Used with tags [nestedRoot, nestedChildFull]
+downstream-spire-agent-full:
+  # enabled: true
+  ## @param downstream-spire-agent-full.nameOverride Overrides the name of Spire agent pods
+  nameOverride: agent-downstream
+  server:
+    ## @param downstream-spire-agent-full.server.nameOverride The name override setting of the internal SPIRE server
+    nameOverride: internal-server
+  ## @param downstream-spire-agent-full.bundleConfigMap The name of the configmap that contains the downstream bundle
+  bundleConfigMap: spire-bundle-downstream
+  ## @param downstream-spire-agent-full.persistence.hostPath Which path to use on the host when persistence.type = hostPath
+  persistence:
+    hostPath: /var/lib/spire/k8s/downstream-agent
+
+## @section Spire agent parameters
+## Parameter values for Spire agent
+##
+# Used with tags [nestedChildSecurity]
+downstream-spire-agent-security:
+  # enabled: true
+  ## @param downstream-spire-agent-security.nameOverride Overrides the name of Spire agent pods
+  nameOverride: agent-downstream
+  ## @param downstream-spire-agent-security.bundleConfigMap The name of the configmap that contains the downstream bundle
+  bundleConfigMap: spire-bundle-upstream
+  serviceAccount:
+    ## @param downstream-spire-agent-security.serviceAccount.name The name of the service account to use
+    name: spire-agent-upstream
+  ## @param downstream-spire-agent-security.persistence.hostPath Which path to use on the host when persistence.type = hostPath
+  persistence:
+    hostPath: /var/lib/spire/k8s/downstream-agent
+
+## @section Upstream Spire agent parameters
+## Parameter values for upstream Spire agent
+##
+# Used with tags [nestedRoot, nestedChildFull]
+upstream-spire-agent:
+  # enabled: true
+  ## @param upstream-spire-agent.upstream Flag for enabling upstream Spire agent
+  upstream: true
+  ## @param upstream-spire-agent.nameOverride Name override for upstream Spire agent
+  nameOverride: agent-upstream
+  ## @param upstream-spire-agent.bundleConfigMap The configmap name for upstream Spire agent bundle
+  bundleConfigMap: spire-bundle-upstream
+  ## @param upstream-spire-agent.socketPath Socket path where Spire agent socket is mounted
+  socketPath: /run/spire/agent-sockets-upstream/spire-agent.sock
+  serviceAccount:
+    ## @param upstream-spire-agent.serviceAccount.name Service account name for upstream Spire agent
+    name: spire-agent-upstream
+  healthChecks:
+    ## @param upstream-spire-agent.healthChecks.port Health check port number for upstream Spire agent
+    port: 9981
+  telemetry:
+    prometheus:
+      ## @param upstream-spire-agent.telemetry.prometheus.port The port where prometheus metrics are available
+      port: 9989
+  server:
+    ## @param upstream-spire-agent.server.nameOverride The name override setting of the root SPIRE server
+    nameOverride: root-server
+  ## @param upstream-spire-agent.persistence.hostPath Which path to use on the host when persistence.type = hostPath
+  persistence:
+    hostPath: /var/lib/spire/k8s/upstream-agent
+
+## @section SPIFFE CSI Driver parameters
+## Parameter values for spiffe-csi-driver
+##
+# Used with tags [nestedRoot, nestedChildFull, nestedChildSecurity]
+downstream-spiffe-csi-driver:
+  # enabled: true
+  ## @param downstream-spiffe-csi-driver.fullnameOverride Fullname override
+  fullnameOverride: spiffe-csi-driver-downstream
+
+## @section Upstream SPIFFE CSI Driver parameters
+## Parameter values for upstream spiffe-csi-driver
+##
+# Used with tags [nestedRoot, nestedChildFull]
+upstream-spiffe-csi-driver:
+  # enabled: true
+  ## @param upstream-spiffe-csi-driver.fullnameOverride Fullname override
+  fullnameOverride: spiffe-csi-driver-upstream
+  ## @param upstream-spiffe-csi-driver.pluginName The plugin name for configuring upstream Spiffe CSI driver
+  pluginName: upstream.csi.spiffe.io
+  ## @param upstream-spiffe-csi-driver.agentSocketPath The socket path where Spiffe CSI driver mounts agent socket
+  agentSocketPath: /run/spire/agent-sockets-upstream/spire-agent.sock
+  healthChecks:
+    ## @param upstream-spiffe-csi-driver.healthChecks.port The port where Spiffe CSI driver health checks are exposed
+    port: 9810
+
+## @section SPIFFE oidc discovery provider parameters
+## Parameter values for spiffe-oidc-discovery-provider
+##
+# Used with tags [nestedRoot, nestedChildFull, nestedChildSecurity]
+spiffe-oidc-discovery-provider:
+  # enabled: true
+  ## @param spiffe-oidc-discovery-provider.fullnameOverride Fullname override
+  fullnameOverride: spiffe-oidc-discovery-provider
+
+## @section Tornjak frontend parameters
+## Parameter values for Tornjak frontend
+##
+tornjak-frontend:
+  ## @param tornjak-frontend.enabled Enables deployment of Tornjak frontend/UI (Not for production)
+  enabled: false
+
+# Used with tags [nestedRoot]
+root-spire-server:
+  # enabled: true
+  ## @param root-spire-server.nameOverride Name override
+  nameOverride: root-server
+  ## @param root-spire-server.crNameOverride Custom Resource name override
+  crNameOverride: root
+  controllerManager:
+    ## @param root-spire-server.controllerManager.enabled Enable controller manager and provision CRD's
+    enabled: true
+    externalControllerManagers:
+      ## @param root-spire-server.controllerManager.externalControllerManagers.enabled Flag to enable external controller managers
+      enabled: true
+    validatingWebhookConfiguration:
+      ## @param root-spire-server.controllerManager.validatingWebhookConfiguration.enabled Disable only when you have another instance on the k8s cluster with webhooks enabled.
+      enabled: false
+    ## @param root-spire-server.controllerManager.className specify to use an explicit class name.
+    className: spire-mgmt-root-server
+    identities:
+      clusterSPIFFEIDs:
+        child-servers:
+          ## @param root-spire-server.controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled Enable child servers
+          enabled: true
+        default:
+          ## @param root-spire-server.controllerManager.identities.clusterSPIFFEIDs.default.enabled Enable the default cluster spiffe id
+          enabled: false
+        oidc-discovery-provider:
+          ## @param root-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled Enable the test-keys identity
+          enabled: false
+        test-keys:
+          ## @param root-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable the test-keys identity
+          enabled: false
+  externalControllerManagers:
+    ## @param root-spire-server.externalControllerManagers.enabled Flag to enable external controller managers
+    enabled: true
+  nodeAttestor:
+    k8sPSAT:
+      ## @param root-spire-server.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor
+      serviceAccountAllowList:
+        - spire-agent-upstream
+  ## @param root-spire-server.bundleConfigMap The name of the configmap to store the upstream bundle
+  bundleConfigMap: spire-bundle-upstream
+
+# Used with tags [nestedChildFull]
+external-root-spire-server-full:
+  ## @param external-root-spire-server-full.externalServer Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers.
+  externalServer: true
+  ## @param external-root-spire-server-full.nameOverride Name override
+  nameOverride: root-server
+  ## @param external-root-spire-server-full.crNameOverride Custom Resource name override
+  crNameOverride: root
+  controllerManager:
+    ## @param external-root-spire-server-full.controllerManager.enabled Enable controller manager and provision CRD's
+    enabled: true
+    validatingWebhookConfiguration:
+      ## @param external-root-spire-server-full.controllerManager.validatingWebhookConfiguration.enabled Disable only when you have another instance on the k8s cluster with webhooks enabled.
+      enabled: false
+    ## @param external-root-spire-server-full.controllerManager.className specify to use an explicit class name.
+    className: spire-mgmt-external-server
+    identities:
+      clusterSPIFFEIDs:
+        child-servers:
+          ## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled Enable child servers
+          enabled: true
+        default:
+          ## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.default.enabled Enable the default cluster spiffe id
+          enabled: false
+        oidc-discovery-provider:
+          ## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled Enable the test-keys identity
+          enabled: false
+        test-keys:
+          ## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable the test-keys identity
+          enabled: false
+  nodeAttestor:
+    k8sPSAT:
+      ## @param external-root-spire-server-full.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor
+      serviceAccountAllowList:
+        - spire-agent-upstream
+  ## @param external-root-spire-server-full.bundleConfigMap The name of the configmap to store the upstream bundle
+  bundleConfigMap: spire-bundle-upstream
+
+# Used with tags [nestedChildSecurity]
+external-root-spire-server-security:
+  ## @param external-root-spire-server-security.externalServer Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers.
+  externalServer: true
+  ## @param external-root-spire-server-security.nameOverride Name override
+  nameOverride: root-server
+  ## @param external-root-spire-server-security.crNameOverride Custom Resource name override
+  crNameOverride: root
+  controllerManager:
+    ## @param external-root-spire-server-security.controllerManager.enabled Enable controller manager and provision CRD's
+    enabled: true
+    validatingWebhookConfiguration:
+      ## @param external-root-spire-server-security.controllerManager.validatingWebhookConfiguration.enabled Disable only when you have another instance on the k8s cluster with webhooks enabled.
+      enabled: false
+    ## @param external-root-spire-server-security.controllerManager.className specify to use an explicit class name.
+    className: spire-mgmt-external-server
+  nodeAttestor:
+    k8sPSAT:
+      ## @param external-root-spire-server-security.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor
+      serviceAccountAllowList:
+        - spire-agent-upstream
+  ## @param external-root-spire-server-security.bundleConfigMap The name of the configmap to store the upstream bundle
+  bundleConfigMap: spire-bundle-upstream
+
+## @section Spire server parameters
+## Parameter values for Spire server
+##
+# Used with tags [nestedRoot, nestedChildFull]
+internal-spire-server:
+  # enabled: true
+  ## @param internal-spire-server.nameOverride Overrides the name of Spire server pods
+  nameOverride: internal-server
+  controllerManager:
+    ## @param internal-spire-server.controllerManager.enabled Enable controller manager and provision CRD's
+    enabled: true
+    identities:
+      clusterSPIFFEIDs:
+        oidc-discovery-provider:
+          ## @param internal-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.autoPopulateDNSNames Auto populate dns entries
+          autoPopulateDNSNames: false
+  externalControllerManagers:
+    ## @param internal-spire-server.externalControllerManagers.enabled Flag to enable external controller managers
+    enabled: true
+  upstreamAuthority:
+    spire:
+      ## @param internal-spire-server.upstreamAuthority.spire.enabled Enable upstream SPIRE server
+      enabled: true
+      ## @param internal-spire-server.upstreamAuthority.spire.upstreamDriver Use an upstream driver for authentication
+      upstreamDriver: upstream.csi.spiffe.io
+      server:
+        ## @param internal-spire-server.upstreamAuthority.spire.server.nameOverride The name override setting of the root SPIRE server
+        nameOverride: root-server
+  ## @param internal-spire-server.bundleConfigMap The name of the configmap to store the downstream bundle
+  bundleConfigMap: spire-bundle-downstream
+
+# Used with tags [nestedRoot]
+external-spire-server:
+  # enabled: true
+  ## @param external-spire-server.nameOverride Overrides the name of Spire server pods
+  nameOverride: external-server
+  ## @param external-spire-server.crNameOverride Custom Resource name override
+  crNameOverride: external
+  controllerManager:
+    ## @param external-spire-server.controllerManager.enabled Enable controller manager and provision CRD's
+    enabled: true
+    validatingWebhookConfiguration:
+      ## @param external-spire-server.controllerManager.validatingWebhookConfiguration.enabled Disable only when you have another instance on the k8s cluster with webhooks enabled.
+      enabled: false
+    ## @param external-spire-server.controllerManager.className specify to use an explicit class name.
+    className: spire-mgmt-external-server
+    identities:
+      clusterSPIFFEIDs:
+        default:
+          ## @param external-spire-server.controllerManager.identities.clusterSPIFFEIDs.default.enabled Enable the default identity
+          enabled: false
+        oidc-discovery-provider:
+          ## @param external-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled Enable the oidc-discovery-provider identity
+          enabled: false
+        test-keys:
+          ## @param external-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable the test-keys identity
+          enabled: false
+  externalControllerManagers:
+    ## @param external-spire-server.externalControllerManagers.enabled Flag to enable external controller managers
+    enabled: true
+  upstreamAuthority:
+    spire:
+      ## @param external-spire-server.upstreamAuthority.spire.enabled Enable upstream SPIRE server
+      enabled: true
+      ## @param external-spire-server.upstreamAuthority.spire.upstreamDriver Use an upstream driver for authentication
+      upstreamDriver: upstream.csi.spiffe.io
+      server:
+        ## @param external-spire-server.upstreamAuthority.spire.server.nameOverride The name override setting of the root SPIRE server
+        nameOverride: root-server
+  bundlePublisher:
+    k8sConfigMap:
+      ## @param external-spire-server.bundlePublisher.k8sConfigMap.enabled Enable local k8s bundle uploader
+      enabled: false
+  nodeAttestor:
+    k8sPSAT:
+      ## @param external-spire-server.nodeAttestor.k8sPSAT.enabled Enable PSAT k8s nodeattestor
+      enabled: false
+    joinToken:
+      ## @param external-spire-server.nodeAttestor.joinToken.enabled Enable the join_token nodeattestor
+      enabled: true

charts/spire/Chart.yaml

@@ -3,8 +3,8 @@ name: spire
 description: >
   A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.18.0
-appVersion: "1.9.0"
+version: 0.26.1
+appVersion: "1.12.4"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
@@ -22,6 +22,9 @@ maintainers:
     email: edwbuck@gmail.com
 kubeVersion: ">=1.21.0-0"
 dependencies:
+  - name: spire-lib
+    repository: file://./charts/spire-lib
+    version: 0.1.0
   - name: spire-server
     condition: spire-server.enabled
     repository: file://./charts/spire-server
@@ -52,6 +55,18 @@ dependencies:
     condition: tornjak-frontend.enabled
     repository: file://./charts/tornjak-frontend
     version: 0.1.0
+  - name: spike-keeper
+    condition: spike-keeper.enabled
+    repository: file://./charts/spike-keeper
+    version: 0.1.0
+  - name: spike-nexus
+    condition: spike-nexus.enabled
+    repository: file://./charts/spike-nexus
+    version: 0.1.0
+  - name: spike-pilot
+    condition: spike-pilot.enabled
+    repository: file://./charts/spike-pilot
+    version: 0.1.0
 annotations:
   artifacthub.io/category: security
   artifacthub.io/license: Apache-2.0

charts/spire/README.md

@@ -1,6 +1,6 @@
 # spire
 
-![Version: 0.18.0](https://img.shields.io/badge/Version-0.18.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.0](https://img.shields.io/badge/AppVersion-1.9.0-informational?style=flat-square)
+![Version: 0.26.1](https://img.shields.io/badge/Version-0.26.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.4](https://img.shields.io/badge/AppVersion-1.12.4-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@@ -10,6 +10,7 @@ A Helm chart for deploying the complete Spire stack including: spire-server, spi
 ## Install Instructions
 
 ### Non Production
+
 To do a quick install suitable for testing in something like minikube:
 
 ```shell
@@ -22,6 +23,7 @@ helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.
 Preparing a production deployment requires a few steps.
 
 1. Save the following to your-values.yaml, ideally in your git repo.
+
 ```yaml
 global:
   openshift: false # If running on openshift, set to true
@@ -40,13 +42,15 @@ global:
       commonName: example.org
 ```
 
-2. If you need a non default storageClass, append the following to the spire-server section and update:
+2. If you need a non default storageClass, append the following to the global.spire section and update:
+
 ```
-  persistence:
-    storageClass: your-storage-class
+    persistence:
+      storageClass: your-storage-class
 ```
 
 3. If your Kubernetes cluster is OpenShift based, use the output of the following command to update the trustDomain setting:
+
 ```shell
 oc get cm -n openshift-config-managed  console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//'
 ```
@@ -73,12 +77,75 @@ kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeid
 
 ## Upgrade notes
 
-We only support upgrading one major version at a time. Version skipping isn't supported.
+We only support upgrading one major/minor version at a time. Version skipping isn't supported. Please see <https://spiffe.io/docs/latest/spire-helm-charts-hardened-about/upgrading/> for details.
 
-### 0.18.x
+### 0.26.X
 
-- SPIRE no longer emits x509UniqueIdentifiers in x509-SVIDS by default. The old behavior can be reenabled with spire-server.credentialComposer.uniqueID.enabled=true. See https://github.com/spiffe/spire/pull/4862 for details.
-- SPIRE agents will now automatically reattest when they can. The old behavior can be reenabled with spire-agent.disableReattestToRenew=true. See https://github.com/spiffe/spire/pull/4791 for details.
+- The notifier.k8sBundle plugin has been deprecated in favor of bundlePublisher.k8sConfigMap. The only features it does not provide are the settings `apiServiceLabel` and `webhookLabel`. If you are using either of these two features, set the chart to use the notifier.k8sBundle plugin again, and let us know. We don't think anyone is using these features.
+- The default trust bundle format has been changed to `spiffe`. This switch should be transparent unless you ware fetching the bundle from the configmap manually, or have a nested setup and dont upgrade the root, then child clusters in short order.
+
+### 0.24.X
+
+- You must upgrade [spire-crds](https://artifacthub.io/packages/helm/spiffe/spire-crds) to 0.5.0+ before performing this upgrade.
+
+- SPIRE changed the default in 1.11.0 from `spire-agent.workloadAttestors.k8s.useNewContainerLocator=false` to `spire-agent.workloadAttestors.k8s.useNewContainerLocator=true`
+
+- In order to make it easier to target specific SPIFFE IDs to workloads, a fallback feature was added to ClusterSPIFFEIDs so that a default ID will only apply when no others do. To change back to the previous behavior, use `spire-server.controllerManager.identities.clusterSPIFFEIDs.default.fallback=false`. The new default is unlikely to need changes.
+
+- We now set a hint of the ClusterSPIFFEID name on each entry created by default. This can be undone by setting the `hint=""` property on the ClusterSPIFFEID. The new default is unlikely to need changes.
+
+- We have added the remaining options needed for the SPIRE Server SQL data store plugin as native values. We have removed `spire-server.dataStore.sql.plugin_data` section as it is no longer needed. If you are using it, please migrate your settings to the ones under `spire-server.dataStore.sql`.
+
+- For users of `spire-server.upstreamAuthority.certManager`, a bug was discovered with templates not honoring `global.spire.caSubject.*`. It has been fixed, but may change values if you are not careful. Please double check the new settings are what you need them to be before completing the upgrade.
+
+- Lastly, as we approach 1.0.0, we would like to ensure all the values follow the same convention. We have made a bunch of minor changes to the values in this version to make sure they are all camel cased and properly capitalized. If you are upgrading from a previous version, please look though this list carefully to see if a value you are using is impacted:
+
+    - `spire-server.federation.bundleEndpoint.refresh_hint` -> `spire-server.federation.bundleEndpoint.refreshHint`
+    - `spire-server.nodeAttestor.k8sPsat` -> `spire-server.nodeAttestor.k8sPSAT`
+    - `spire-server.nodeAttestor.externalK8sPsat` -> `spire-server.nodeAttestor.ExternalK8sPSAT`
+    - `spire-server.notifier.k8sbundle` -> `spire-server.notifier.k8sBundle`
+    - `spire-server.ca_subject` -> `spire-server.caSubject`
+    - `spire-server.ca_subject.common_name -> `spire-server.caSubject.commonName`
+    - `spire-server.upstreamAuthority.certManager.issuer_name` -> `spire-server.upstreamAuthority.certManager.issuerName`
+    - `spire-server.upstreamAuthority.certManager.issuer_kind` -> `spire-server.upstreamAuthority.certManager.issuerKind`
+    - `spire-server.upstreamAuthority.certManager.issuer_group` -> `spire-server.upstreamAuthority.certManager.issuerGroup`
+    - `spire-server.upstreamAuthority.certManager.kube_config_file` -> `spire-server.upstreamAuthority.certManager.kubeConfigFile`
+    - `spire-agent.sds.defaultSvidName` -> `spire-agent.sds.defaultSVIDName`
+    - `spire-agent.sds.disableSpiffeCertValidation` -> `spire-agent.sds.disableSPIFFECertValidation`
+    - `spire-agent.sds.defaultSvidName` -> `spire-agent.sds.defaultSVIDName`
+    - `spire-agent.nodeAttestor.k8sPsat` -> `spire-agent.nodeAttestor.k8sPSAT`
+
+### 0.23.X
+
+In previous versions, the setting spire-agent.workloadAttestors.k8s.skipKubeletVerification was set to true by default. Starting in 0.23.x, we removed that setting and replaced it with
+spire-agent.workloadAttestors.k8s.verification.type. It defaults to "skip" which will have the same behavior as before. In a future version, it will be set to "auto". Please try
+setting it to this with your deployment and let us know if you run into any problems so we can fix it before we change the default for everyone.
+
+### 0.21.X
+
+- In previous versions, spire-server.upstreamAuthority.certManager.issuer_name would incorrectly have '-ca' appended. Starting with this version, that is no longer the case. If you previously set this
+value, you likely want to update your value to include the '-ca' suffix in the value to have your deployment continue to function properly.
+
+- The default value of spire-server.controllerManager.entryIDPrefixCleanup changed from "" to false. Prior to this release upgrades cleaned up old entries in the database. After upgrading to 0.21.X, manual entries will not be overridden by the spire-controller-manager. Skipping over chart releases (unsupported), requires manual setting of this value to "" to trigger the cleanup.
+
+### 0.20.X
+
+- The default service port for the spire-server was changed to be port 443 to allow easier switching between internal access and external access through an ingress controller. For most users, this will be a transparent
+change.
+
+- This release configures the entries managed by the spire-controller-manager to move into their own managed space within SPIRE. This should be transparent. In a future release, we will
+disable cleanup by default of the old space. This release lays the groundwork for future support for manually created entries in the SPIRE database without the spire-controller-manager
+destroying them. It is supported in this release by manually setting spire-server.controllerManager.entryIDPrefixCleanup=false after successfully upgrading to the chart without the
+setting and waiting for a spire-controller-manager sync.
+
+### 0.19.X
+
+- The spire-agent daemonset gained a new label. For those disabling the upgrade hooks, you need to delete the spire-agent daemonset before issuing the helm upgrade.
+
+### 0.18.X
+
+- SPIRE no longer emits x509UniqueIdentifiers in x509-SVIDS by default. The old behavior can be reenabled with spire-server.credentialComposer.uniqueID.enabled=true. See <https://github.com/spiffe/spire/pull/4862> for details.
+- SPIRE agents will now automatically reattest when they can. The old behavior can be reenabled with spire-agent.disableReattestToRenew=true. See <https://github.com/spiffe/spire/pull/4791> for details.
 
 ### 0.17.X
 
@@ -215,6 +282,7 @@ Now you can interact with the Spire agent socket from your own application. The
 | `global.spire.caSubject.country`                 | Country for Spire server CA                                                                                                                                                                                                            | `""`              |
 | `global.spire.caSubject.organization`            | Organization for Spire server CA                                                                                                                                                                                                       | `""`              |
 | `global.spire.caSubject.commonName`              | Common Name for Spire server CA                                                                                                                                                                                                        | `""`              |
+| `global.spire.persistence.storageClass`          | What storage class to use for persistence                                                                                                                                                                                              | `nil`             |
 | `global.spire.recommendations.enabled`           | Use recommended settings for production deployments. Default is off.                                                                                                                                                                   | `false`           |
 | `global.spire.recommendations.namespaceLayout`   | Set to true to use recommended values for installing across namespaces                                                                                                                                                                 | `true`            |
 | `global.spire.recommendations.namespacePSS`      | When chart namespace creation is enabled, label them with preffered Pod Security Standard labels                                                                                                                                       | `true`            |
@@ -236,15 +304,19 @@ Now you can interact with the Spire agent socket from your own application. The
 | `global.spire.ingressControllerType`             | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""`              |
 | `global.spire.tools.kubectl.tag`                 | Set to force the tag to use for all kubectl instances                                                                                                                                                                                  | `""`              |
 | `global.installAndUpgradeHooks.enabled`          | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`)                                                                                                                             | `true`            |
+| `global.installAndUpgradeHooks.resources`        | Resource requests and limits for installAndUpgradeHooks                                                                                                                                                                                | `{}`              |
 | `global.deleteHooks.enabled`                     | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`)                                                                                                                                      | `true`            |
+| `global.deleteHooks.resources`                   | Resource requests and limits for deleteHooks                                                                                                                                                                                           | `{}`              |
 
 ### Spire server parameters
 
-| Name                                     | Description                                   | Value    |
-| ---------------------------------------- | --------------------------------------------- | -------- |
-| `spire-server.enabled`                   | Flag to enable Spire server                   | `true`   |
-| `spire-server.nameOverride`              | Overrides the name of Spire server pods       | `server` |
-| `spire-server.controllerManager.enabled` | Enable controller manager and provision CRD's | `true`   |
+| Name                                              | Description                                                               | Value         |
+| ------------------------------------------------- | ------------------------------------------------------------------------- | ------------- |
+| `spire-server.enabled`                            | Flag to enable Spire server                                               | `true`        |
+| `spire-server.nameOverride`                       | Overrides the name of Spire server pods                                   | `server`      |
+| `spire-server.kind`                               | Run spire server as deployment/statefulset. This feature is experimental. | `statefulset` |
+| `spire-server.controllerManager.enabled`          | Enable controller manager and provision CRD's                             | `true`        |
+| `spire-server.externalControllerManagers.enabled` | Enable external controller manager support                                | `true`        |
 
 ### Spire agent parameters
 
@@ -261,15 +333,16 @@ Now you can interact with the Spire agent socket from your own application. The
 
 ### Upstream Spire agent parameters
 
-| Name                                             | Description                                        | Value                                                |
-| ------------------------------------------------ | -------------------------------------------------- | ---------------------------------------------------- |
-| `upstream-spire-agent.upstream`                  | Flag for enabling upstream Spire agent             | `true`                                               |
-| `upstream-spire-agent.nameOverride`              | Name override for upstream Spire agent             | `agent-upstream`                                     |
-| `upstream-spire-agent.bundleConfigMap`           | The configmap name for upstream Spire agent bundle | `spire-bundle-upstream`                              |
-| `upstream-spire-agent.socketPath`                | Socket path where Spire agent socket is mounted    | `/run/spire/agent-sockets-upstream/spire-agent.sock` |
-| `upstream-spire-agent.serviceAccount.name`       | Service account name for upstream Spire agent      | `spire-agent-upstream`                               |
-| `upstream-spire-agent.healthChecks.port`         | Health check port number for upstream Spire agent  | `9981`                                               |
-| `upstream-spire-agent.telemetry.prometheus.port` | The port where prometheus metrics are available    | `9989`                                               |
+| Name                                             | Description                                                    | Value                                                |
+| ------------------------------------------------ | -------------------------------------------------------------- | ---------------------------------------------------- |
+| `upstream-spire-agent.upstream`                  | Flag for enabling upstream Spire agent                         | `true`                                               |
+| `upstream-spire-agent.nameOverride`              | Name override for upstream Spire agent                         | `agent-upstream`                                     |
+| `upstream-spire-agent.bundleConfigMap`           | The configmap name for upstream Spire agent bundle             | `spire-bundle-upstream`                              |
+| `upstream-spire-agent.socketPath`                | Socket path where Spire agent socket is mounted                | `/run/spire/agent-sockets-upstream/spire-agent.sock` |
+| `upstream-spire-agent.serviceAccount.name`       | Service account name for upstream Spire agent                  | `spire-agent-upstream`                               |
+| `upstream-spire-agent.healthChecks.port`         | Health check port number for upstream Spire agent              | `9981`                                               |
+| `upstream-spire-agent.telemetry.prometheus.port` | The port where prometheus metrics are available                | `9989`                                               |
+| `upstream-spire-agent.persistence.hostPath`      | Which path to use on the host when persistence.type = hostPath | `/var/lib/spire/k8s/upstream-agent`                  |
 
 ### SPIFFE CSI Driver parameters
 
@@ -296,3 +369,21 @@ Now you can interact with the Spire agent socket from your own application. The
 | Name                       | Description                                                    | Value   |
 | -------------------------- | -------------------------------------------------------------- | ------- |
 | `tornjak-frontend.enabled` | Enables deployment of Tornjak frontend/UI (Not for production) | `false` |
+
+### SPIKE Keeper parameters
+
+| Name                   | Description                                             | Value   |
+| ---------------------- | ------------------------------------------------------- | ------- |
+| `spike-keeper.enabled` | Enables deployment of SPIKE Keeper (Not for production) | `false` |
+
+### SPIKE Nexus parameters
+
+| Name                  | Description                                            | Value   |
+| --------------------- | ------------------------------------------------------ | ------- |
+| `spike-nexus.enabled` | Enables deployment of SPIKE Nexus (Not for production) | `false` |
+
+### SPIKE Pilot parameters
+
+| Name                  | Description                                            | Value   |
+| --------------------- | ------------------------------------------------------ | ------- |
+| `spike-pilot.enabled` | Enables deployment of SPIKE Pilot (Not for production) | `false` |

charts/spire/charts/spiffe-csi-driver/Chart.yaml

@@ -3,7 +3,7 @@ name: spiffe-csi-driver
 description: A Helm chart to install the SPIFFE CSI driver.
 type: application
 version: 0.1.0
-appVersion: "0.2.3"
+appVersion: "0.2.7"
 keywords: ["spiffe", "csi-driver"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:

charts/spire/charts/spiffe-csi-driver/README.md

@@ -1,6 +1,6 @@
 # spiffe-csi-driver
 
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square)
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.7](https://img.shields.io/badge/AppVersion-0.2.7-informational?style=flat-square)
 
 A Helm chart to install the SPIFFE CSI driver.
 
@@ -25,50 +25,54 @@ A Helm chart to install the SPIFFE CSI driver.
 
 ### SPIFFE CSI Driver Chart parameters
 
-| Name                                          | Description                                                                                                    | Value                                       |
-| --------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------- |
-| `pluginName`                                  | Set the csi driver name deployed to Kubernetes.                                                                | `csi.spiffe.io`                             |
-| `image.registry`                              | The OCI registry to pull the image from                                                                        | `ghcr.io`                                   |
-| `image.repository`                            | The repository within the registry                                                                             | `spiffe/spiffe-csi-driver`                  |
-| `image.pullPolicy`                            | The image pull policy                                                                                          | `IfNotPresent`                              |
-| `image.tag`                                   | Overrides the image tag whose default is the chart appVersion                                                  | `""`                                        |
-| `resources`                                   | Resource requests and limits for spiffe-csi-driver                                                             | `{}`                                        |
-| `healthChecks.port`                           | The healthcheck port for spiffe-csi-driver                                                                     | `9809`                                      |
-| `updateStrategy.type`                         | The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete. | `RollingUpdate`                             |
-| `updateStrategy.rollingUpdate.maxUnavailable` | Max unavailable pods during update. Can be a number or a percentage.                                           | `1`                                         |
-| `livenessProbe.initialDelaySeconds`           | Initial delay seconds for livenessProbe                                                                        | `5`                                         |
-| `livenessProbe.timeoutSeconds`                | Timeout value in seconds for livenessProbe                                                                     | `5`                                         |
-| `imagePullSecrets`                            | Image pull secret details for spiffe-csi-driver                                                                | `[]`                                        |
-| `nameOverride`                                | Name override for spiffe-csi-driver                                                                            | `""`                                        |
-| `namespaceOverride`                           | Namespace to install spiffe-csi-driver                                                                         | `""`                                        |
-| `fullnameOverride`                            | Full name override for spiffe-csi-driver                                                                       | `""`                                        |
-| `csiDriverLabels`                             | Labels to apply to the CSIDriver                                                                               | `{}`                                        |
-| `initContainers`                              | Init Containers to apply to the CSI Driver DaemonSet                                                           | `[]`                                        |
-| `serviceAccount.create`                       | Specifies whether a service account should be created                                                          | `true`                                      |
-| `serviceAccount.annotations`                  | Annotations to add to the service account                                                                      | `{}`                                        |
-| `serviceAccount.name`                         | The name of the service account to use. If not set and create is true, a name is generated.                    | `""`                                        |
-| `podAnnotations`                              | Pod annotations for spiffe-csi-driver                                                                          | `{}`                                        |
-| `podSecurityContext`                          | Security context for CSI driver pods                                                                           | `{}`                                        |
-| `securityContext.readOnlyRootFilesystem`      | Flag for read only root filesystem                                                                             | `true`                                      |
-| `securityContext.privileged`                  | Flag for specifying privileged mode                                                                            | `true`                                      |
-| `nodeSelector`                                | Node selector for CSI driver pods                                                                              | `{}`                                        |
-| `tolerations`                                 | Tolerations for CSI driver pods                                                                                | `[]`                                        |
-| `affinity`                                    | Node affinity                                                                                                  | `{}`                                        |
-| `nodeDriverRegistrar.image.registry`          | The OCI registry to pull the image from                                                                        | `registry.k8s.io`                           |
-| `nodeDriverRegistrar.image.repository`        | The repository within the registry                                                                             | `sig-storage/csi-node-driver-registrar`     |
-| `nodeDriverRegistrar.image.pullPolicy`        | The image pull policy                                                                                          | `IfNotPresent`                              |
-| `nodeDriverRegistrar.image.tag`               | Overrides the image tag                                                                                        | `v2.9.3`                                    |
-| `nodeDriverRegistrar.resources`               | Resource requests and limits for CSI driver pods                                                               | `{}`                                        |
-| `agentSocketPath`                             | The unix socket path to the spire-agent                                                                        | `/run/spire/agent-sockets/spire-agent.sock` |
-| `kubeletPath`                                 | Path to kubelet file                                                                                           | `/var/lib/kubelet`                          |
-| `priorityClassName`                           | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName.      | `""`                                        |
-| `restrictedScc.enabled`                       | Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support        | `false`                                     |
-| `restrictedScc.name`                          | Set the name of the restricted SCC with CSI support                                                            | `""`                                        |
-| `restrictedScc.version`                       | Version of the restricted SCC                                                                                  | `2`                                         |
-| `selinux.enabled`                             | Enable selinux support                                                                                         | `false`                                     |
-| `selinux.context`                             | Which selinux context to use                                                                                   | `container_file_t`                          |
-| `selinux.image.registry`                      | The OCI registry to pull the image from                                                                        | `registry.access.redhat.com`                |
-| `selinux.image.repository`                    | The repository within the registry                                                                             | `ubi9`                                      |
-| `selinux.image.pullPolicy`                    | The image pull policy                                                                                          | `Always`                                    |
-| `selinux.image.tag`                           | Overrides the image tag whose default is the chart appVersion                                                  | `latest`                                    |
+| Name                                          | Description                                                                                                                                                              | Value                                       |
+| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------- |
+| `pluginName`                                  | Set the csi driver name deployed to Kubernetes.                                                                                                                          | `csi.spiffe.io`                             |
+| `image.registry`                              | The OCI registry to pull the image from                                                                                                                                  | `ghcr.io`                                   |
+| `image.repository`                            | The repository within the registry                                                                                                                                       | `spiffe/spiffe-csi-driver`                  |
+| `image.pullPolicy`                            | The image pull policy                                                                                                                                                    | `IfNotPresent`                              |
+| `image.tag`                                   | Overrides the image tag whose default is the chart appVersion                                                                                                            | `""`                                        |
+| `resources`                                   | Resource requests and limits for spiffe-csi-driver                                                                                                                       | `{}`                                        |
+| `extraEnvVars`                                | Extra environment variables to be added to the spiffe-csi-driver container                                                                                               | `[]`                                        |
+| `healthChecks.port`                           | The healthcheck port for spiffe-csi-driver                                                                                                                               | `9809`                                      |
+| `updateStrategy.type`                         | The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete.                                                           | `RollingUpdate`                             |
+| `updateStrategy.rollingUpdate.maxUnavailable` | Max unavailable pods during update. Can be a number or a percentage.                                                                                                     | `1`                                         |
+| `livenessProbe.initialDelaySeconds`           | Initial delay seconds for livenessProbe                                                                                                                                  | `5`                                         |
+| `livenessProbe.timeoutSeconds`                | Timeout value in seconds for livenessProbe                                                                                                                               | `5`                                         |
+| `imagePullSecrets`                            | Image pull secret details for spiffe-csi-driver                                                                                                                          | `[]`                                        |
+| `nameOverride`                                | Name override for spiffe-csi-driver                                                                                                                                      | `""`                                        |
+| `namespaceOverride`                           | Namespace to install spiffe-csi-driver                                                                                                                                   | `""`                                        |
+| `serverNamespaceOverride`                     | Override the namespace that the spire-server is installed into                                                                                                           | `""`                                        |
+| `validatingAdmissionPolicy.enabled`           | When set to auto, the validatingAdmissionPolicy will be enabled when the pluginName == "upstream.csi.spiffe.io" and k8s >= 1.30.0. Valid options are [auto, true, false] | `auto`                                      |
+| `fullnameOverride`                            | Full name override for spiffe-csi-driver                                                                                                                                 | `""`                                        |
+| `csiDriverLabels`                             | Labels to apply to the CSIDriver                                                                                                                                         | `{}`                                        |
+| `initContainers`                              | Init Containers to apply to the CSI Driver DaemonSet                                                                                                                     | `[]`                                        |
+| `serviceAccount.create`                       | Specifies whether a service account should be created                                                                                                                    | `true`                                      |
+| `serviceAccount.annotations`                  | Annotations to add to the service account                                                                                                                                | `{}`                                        |
+| `serviceAccount.name`                         | The name of the service account to use. If not set and create is true, a name is generated.                                                                              | `""`                                        |
+| `podAnnotations`                              | Pod annotations for spiffe-csi-driver                                                                                                                                    | `{}`                                        |
+| `podSecurityContext`                          | Security context for CSI driver pods                                                                                                                                     | `{}`                                        |
+| `securityContext.readOnlyRootFilesystem`      | Flag for read only root filesystem                                                                                                                                       | `true`                                      |
+| `securityContext.privileged`                  | Flag for specifying privileged mode                                                                                                                                      | `true`                                      |
+| `nodeSelector`                                | Node selector for CSI driver pods                                                                                                                                        | `{}`                                        |
+| `tolerations`                                 | Tolerations for CSI driver pods                                                                                                                                          | `[]`                                        |
+| `affinity`                                    | Node affinity                                                                                                                                                            | `{}`                                        |
+| `nodeDriverRegistrar.image.registry`          | The OCI registry to pull the image from                                                                                                                                  | `registry.k8s.io`                           |
+| `nodeDriverRegistrar.image.repository`        | The repository within the registry                                                                                                                                       | `sig-storage/csi-node-driver-registrar`     |
+| `nodeDriverRegistrar.image.pullPolicy`        | The image pull policy                                                                                                                                                    | `IfNotPresent`                              |
+| `nodeDriverRegistrar.image.tag`               | Overrides the image tag                                                                                                                                                  | `v2.9.4`                                    |
+| `nodeDriverRegistrar.resources`               | Resource requests and limits for CSI driver pods                                                                                                                         | `{}`                                        |
+| `nodeDriverRegistrar.extraEnvVars`            | Extra environment variables to be added to the nodeDriverRegistrar container                                                                                             | `[]`                                        |
+| `agentSocketPath`                             | The unix socket path to the spire-agent                                                                                                                                  | `/run/spire/agent-sockets/spire-agent.sock` |
+| `kubeletPath`                                 | Path to kubelet file                                                                                                                                                     | `/var/lib/kubelet`                          |
+| `priorityClassName`                           | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName.                                                                | `""`                                        |
+| `restrictedScc.enabled`                       | Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support                                                                  | `false`                                     |
+| `restrictedScc.name`                          | Set the name of the restricted SCC with CSI support                                                                                                                      | `""`                                        |
+| `restrictedScc.version`                       | Version of the restricted SCC                                                                                                                                            | `2`                                         |
+| `selinux.enabled`                             | Enable selinux support                                                                                                                                                   | `false`                                     |
+| `selinux.context`                             | Which selinux context to use                                                                                                                                             | `container_file_t`                          |
+| `selinux.image.registry`                      | The OCI registry to pull the image from                                                                                                                                  | `registry.access.redhat.com`                |
+| `selinux.image.repository`                    | The repository within the registry                                                                                                                                       | `ubi9`                                      |
+| `selinux.image.pullPolicy`                    | The image pull policy                                                                                                                                                    | `Always`                                    |
+| `selinux.image.tag`                           | Overrides the image tag whose default is the chart appVersion                                                                                                            | `latest`                                    |
 

charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl

@@ -40,6 +40,23 @@ Allow the release namespace to be overridden for multi-namespace deployments in
   {{- end -}}
 {{- end -}}
 
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "spiffe-csi-driver.server-namespace" -}}
+  {{- if .Values.serverNamespaceOverride -}}
+    {{- .Values.serverNamespaceOverride -}}
+  {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
+    {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
+      {{- .Values.global.spire.namespaces.server.name }}
+    {{- else }}
+      {{- printf "spire-server" }}
+    {{- end }}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}

charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml

@@ -90,6 +90,9 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
+          {{- with .Values.extraEnvVars }}
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
           volumeMounts:
             # The volume containing the SPIRE agent socket. The SPIFFE CSI
             # driver will mount this directory into containers.
@@ -123,6 +126,10 @@ spec:
             "-kubelet-registration-path", "{{ .Values.kubeletPath }}/plugins/{{ .Values.pluginName }}/csi.sock",
             "-health-port", "{{ .Values.healthChecks.port }}"
           ]
+          env:
+          {{- with .Values.nodeDriverRegistrar.extraEnvVars }}
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
           volumeMounts:
             # The registrar needs access to the SPIFFE CSI driver socket
             - mountPath: /spiffe-csi

charts/spire/charts/spiffe-csi-driver/templates/policy.yaml

@@ -0,0 +1,37 @@
+{{- $upstream := eq .Values.pluginName "upstream.csi.spiffe.io" }}
+{{- $detectedValidation := semverCompare ">=1.30-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- $policyEnabled := .Values.validatingAdmissionPolicy.enabled | toString }}
+{{- $auto := eq $policyEnabled "auto" }}
+{{- if or (eq $policyEnabled "true") (and $auto $upstream $detectedValidation) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: {{ .Values.pluginName | quote }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+  validations:
+  - expression: |
+      !object.spec.volumes.exists(c, has(c.csi) && has(c.csi.driver) && c.csi.driver == {{ .Values.pluginName | quote }})
+    message: 'you may not use the upstream.csi.spiffe.io csi driver'
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: {{ .Values.pluginName | quote }}
+spec:
+  policyName: {{ .Values.pluginName | quote }}
+  validationActions: ["Deny"]
+  matchResources:
+    namespaceSelector:
+      matchExpressions:
+      - key: "kubernetes.io/metadata.name"
+        operator: NotIn
+        values:
+        - {{ include "spiffe-csi-driver.server-namespace" . | quote }}
+{{- end }}

charts/spire/charts/spiffe-csi-driver/templates/scc-spiffe-csi-driver.yaml

@@ -16,6 +16,7 @@ volumes:
   - configmap
   - hostPath
   - secret
+allowedCapabilities: null
 allowHostDirVolumePlugin: true
 allowHostIPC: false
 allowHostNetwork: false
@@ -23,8 +24,11 @@ allowHostPID: false
 allowHostPorts: false
 allowPrivilegeEscalation: true
 allowPrivilegedContainer: true
+defaultAddCapabilities: null
 fsGroup:
   type: RunAsAny
 groups: []
+priority: null
+requiredDropCapabilities: null
 
 {{ end }}

charts/spire/charts/spiffe-csi-driver/values.yaml

@@ -33,6 +33,9 @@ resources: {}
   #   cpu: 100m
   #   memory: 64Mi
 
+## @param extraEnvVars [array] Extra environment variables to be added to the spiffe-csi-driver container
+extraEnvVars: []
+
 healthChecks:
   ## @param healthChecks.port The healthcheck port for spiffe-csi-driver
   port: 9809
@@ -60,6 +63,13 @@ nameOverride: ""
 ## @param namespaceOverride Namespace to install spiffe-csi-driver
 namespaceOverride: ""
 
+## @param serverNamespaceOverride Override the namespace that the spire-server is installed into
+serverNamespaceOverride: ""
+
+validatingAdmissionPolicy:
+  ## @param validatingAdmissionPolicy.enabled When set to auto, the validatingAdmissionPolicy will be enabled when the pluginName == "upstream.csi.spiffe.io" and k8s >= 1.30.0. Valid options are [auto, true, false]
+  enabled: auto
+
 ## @param fullnameOverride Full name override for spiffe-csi-driver
 fullnameOverride: ""
 
@@ -116,7 +126,7 @@ nodeDriverRegistrar:
     registry: registry.k8s.io
     repository: sig-storage/csi-node-driver-registrar
     pullPolicy: IfNotPresent
-    tag: v2.9.3
+    tag: v2.9.4
   ## @param nodeDriverRegistrar.resources Resource requests and limits for CSI driver pods
   resources: {}
     # We usually recommend not to specify default resources and to leave this as a conscious
@@ -129,6 +139,8 @@ nodeDriverRegistrar:
     # limits:
     #   cpu: 100m
     #   memory: 64Mi
+  ## @param nodeDriverRegistrar.extraEnvVars [array] Extra environment variables to be added to the nodeDriverRegistrar container
+  extraEnvVars: []
 
 ## @param agentSocketPath The unix socket path to the spire-agent
 agentSocketPath: /run/spire/agent-sockets/spire-agent.sock

charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml

@@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider
 description: A Helm chart to install the SPIFFE OIDC discovery provider.
 type: application
 version: 0.1.0
-appVersion: "1.9.0"
+appVersion: "1.12.4"
 keywords: ["spiffe", "oidc"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:

charts/spire/charts/spiffe-oidc-discovery-provider/README.md

@@ -25,114 +25,121 @@ A Helm chart to install the SPIFFE OIDC discovery provider.
 
 ### Chart parameters
 
-| Name                                                  | Description                                                                                                                                                                                                                            | Value                                                                             |
-| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
-| `agentSocketName`                                     | The name of the spire-agent unix socket                                                                                                                                                                                                | `spire-agent.sock`                                                                |
-| `csiDriverName`                                       | The csi driver to use                                                                                                                                                                                                                  | `csi.spiffe.io`                                                                   |
-| `replicaCount`                                        | Replica count                                                                                                                                                                                                                          | `1`                                                                               |
-| `namespaceOverride`                                   | Namespace override                                                                                                                                                                                                                     | `""`                                                                              |
-| `annotations`                                         | Annotations for the deployment                                                                                                                                                                                                         | `{}`                                                                              |
-| `image.registry`                                      | The OCI registry to pull the image from                                                                                                                                                                                                | `ghcr.io`                                                                         |
-| `image.repository`                                    | The repository within the registry                                                                                                                                                                                                     | `spiffe/oidc-discovery-provider`                                                  |
-| `image.pullPolicy`                                    | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `image.tag`                                           | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `""`                                                                              |
-| `spiffeHelper.image.registry`                         | The OCI registry to pull the image from                                                                                                                                                                                                | `ghcr.io`                                                                         |
-| `spiffeHelper.image.repository`                       | The repository within the registry                                                                                                                                                                                                     | `spiffe/spiffe-helper`                                                            |
-| `spiffeHelper.image.pullPolicy`                       | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `spiffeHelper.image.tag`                              | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6` |
-| `spiffeHelper.resources`                              | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                              |
-| `resources`                                           | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                              |
-| `service.type`                                        | Service type                                                                                                                                                                                                                           | `ClusterIP`                                                                       |
-| `service.ports.http`                                  | Insecure port for the service                                                                                                                                                                                                          | `80`                                                                              |
-| `service.ports.https`                                 | Secure port for the service                                                                                                                                                                                                            | `443`                                                                             |
-| `service.annotations`                                 | Annotations for service resource                                                                                                                                                                                                       | `{}`                                                                              |
-| `configMap.annotations`                               | Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap                                                                                                                                                                     | `{}`                                                                              |
-| `podSecurityContext`                                  | Pod security context for OIDC discovery provider pods                                                                                                                                                                                  | `{}`                                                                              |
-| `securityContext`                                     | Security context for OIDC discovery provider deployment                                                                                                                                                                                | `{}`                                                                              |
-| `readinessProbe.initialDelaySeconds`                  | Initial delay seconds for readinessProbe                                                                                                                                                                                               | `5`                                                                               |
-| `readinessProbe.periodSeconds`                        | Period seconds for readinessProbe                                                                                                                                                                                                      | `5`                                                                               |
-| `livenessProbe.initialDelaySeconds`                   | Initial delay seconds for livenessProbe                                                                                                                                                                                                | `5`                                                                               |
-| `livenessProbe.periodSeconds`                         | Period seconds for livenessProbe                                                                                                                                                                                                       | `5`                                                                               |
-| `podAnnotations`                                      | Pod annotations for Spire OIDC discovery provider                                                                                                                                                                                      | `{}`                                                                              |
-| `tls.spire.enabled`                                   | Use spire to secure the oidc-discovery-provider                                                                                                                                                                                        | `true`                                                                            |
-| `tls.externalSecret.enabled`                          | Provide your own certificate/key via tls style Kubernetes Secret                                                                                                                                                                       | `false`                                                                           |
-| `tls.externalSecret.secretName`                       | Specify which Secret to use                                                                                                                                                                                                            | `""`                                                                              |
-| `tls.certManager.enabled`                             | Use certificateManager to create the certificate                                                                                                                                                                                       | `false`                                                                           |
-| `tls.certManager.issuer.create`                       | Create an issuer to use to issue the certificate                                                                                                                                                                                       | `true`                                                                            |
-| `tls.certManager.issuer.acme.email`                   | Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service                                                                                                                                     | `""`                                                                              |
-| `tls.certManager.issuer.acme.server`                  | Server to use to get certificate. Defaults to LetsEncrypt                                                                                                                                                                              | `https://acme-v02.api.letsencrypt.org/directory`                                  |
-| `tls.certManager.issuer.acme.solvers`                 | Configure the issuer solvers. Defaults to http01 via ingress.                                                                                                                                                                          | `{}`                                                                              |
-| `tls.certManager.certificate.dnsNames`                | Override the dnsNames on the certificate request. Defaults to the same settings as Ingress                                                                                                                                             | `[]`                                                                              |
-| `tls.certManager.certificate.issuerRef.group`         | If you are using an external plugin, specify the group for it here                                                                                                                                                                     | `""`                                                                              |
-| `tls.certManager.certificate.issuerRef.kind`          | Kind of the issuer reference. Override if you want to use a ClusterIssuer                                                                                                                                                              | `Issuer`                                                                          |
-| `tls.certManager.certificate.issuerRef.name`          | Name of the issuer to use. If unset, it will use the name of the built in issuer                                                                                                                                                       | `""`                                                                              |
-| `insecureScheme.nginx.image.registry`                 | The OCI registry to pull the image from. Only used when TLS is disabled.                                                                                                                                                               | `docker.io`                                                                       |
-| `insecureScheme.nginx.image.repository`               | The repository within the registry. Only used when TLS is disabled.                                                                                                                                                                    | `nginxinc/nginx-unprivileged`                                                     |
-| `insecureScheme.nginx.image.pullPolicy`               | The image pull policy.  Only used when TLS is disabled.                                                                                                                                                                                | `IfNotPresent`                                                                    |
-| `insecureScheme.nginx.image.tag`                      | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled.                                                                                                                                         | `1.25.4-alpine`                                                                   |
-| `insecureScheme.nginx.resources`                      | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                              |
-| `jwtIssuer`                                           | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset                                                                                                                                                                   | `""`                                                                              |
-| `config.logLevel`                                     | The log level, valid values are "debug", "info", "warn", and "error"                                                                                                                                                                   | `info`                                                                            |
-| `config.additionalDomains`                            | Add additional domains that can be used for oidc discovery                                                                                                                                                                             | `[]`                                                                              |
-| `imagePullSecrets`                                    | Image pull secret names                                                                                                                                                                                                                | `[]`                                                                              |
-| `nameOverride`                                        | Name override                                                                                                                                                                                                                          | `""`                                                                              |
-| `fullnameOverride`                                    | Full name override                                                                                                                                                                                                                     | `""`                                                                              |
-| `serviceAccount.create`                               | Specifies whether a service account should be created                                                                                                                                                                                  | `true`                                                                            |
-| `serviceAccount.annotations`                          | Annotations to add to the service account                                                                                                                                                                                              | `{}`                                                                              |
-| `serviceAccount.name`                                 | The name of the service account to use. If not set and create is true, a name is generated.                                                                                                                                            | `""`                                                                              |
-| `deleteHook.enabled`                                  | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`)                                                                                                                                      | `true`                                                                            |
-| `autoscaling.enabled`                                 | Flag to enable autoscaling                                                                                                                                                                                                             | `false`                                                                           |
-| `autoscaling.minReplicas`                             | Minimum replicas for autoscaling                                                                                                                                                                                                       | `1`                                                                               |
-| `autoscaling.maxReplicas`                             | Maximum replicas for autoscaling                                                                                                                                                                                                       | `5`                                                                               |
-| `autoscaling.targetCPUUtilizationPercentage`          | Target CPU utlization that triggers autoscaling                                                                                                                                                                                        | `80`                                                                              |
-| `autoscaling.targetMemoryUtilizationPercentage`       | Target Memory utlization that triggers autoscaling                                                                                                                                                                                     | `80`                                                                              |
-| `nodeSelector`                                        | Node selector                                                                                                                                                                                                                          | `{}`                                                                              |
-| `tolerations`                                         | iist of tolerations                                                                                                                                                                                                                    | `[]`                                                                              |
-| `affinity`                                            | Node affinity                                                                                                                                                                                                                          | `{}`                                                                              |
-| `trustDomain`                                         | Set the trust domain to be used for the SPIFFE identifiers                                                                                                                                                                             | `example.org`                                                                     |
-| `clusterDomain`                                       | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`)                                                                                                                                                               | `cluster.local`                                                                   |
-| `telemetry.prometheus.enabled`                        | Flag to enable prometheus monitoring                                                                                                                                                                                                   | `false`                                                                           |
-| `telemetry.prometheus.port`                           | Port for prometheus metrics                                                                                                                                                                                                            | `9988`                                                                            |
-| `telemetry.prometheus.podMonitor.enabled`             | Enable podMonitor for prometheus                                                                                                                                                                                                       | `false`                                                                           |
-| `telemetry.prometheus.podMonitor.namespace`           | Override where to install the podMonitor, if not set will use the same namespace as the helm release                                                                                                                                   | `""`                                                                              |
-| `telemetry.prometheus.podMonitor.labels`              | Pod labels to filter for prometheus monitoring                                                                                                                                                                                         | `{}`                                                                              |
-| `telemetry.prometheus.nginxExporter.image.registry`   | The OCI registry to pull the image from                                                                                                                                                                                                | `docker.io`                                                                       |
-| `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry                                                                                                                                                                                                     | `nginx/nginx-prometheus-exporter`                                                 |
-| `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `telemetry.prometheus.nginxExporter.image.tag`        | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `1.1.0`                                                                           |
-| `telemetry.prometheus.nginxExporter.resources`        | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                              |
-| `ingress.enabled`                                     | Flag to enable ingress                                                                                                                                                                                                                 | `false`                                                                           |
-| `ingress.className`                                   | Ingress class name                                                                                                                                                                                                                     | `""`                                                                              |
-| `ingress.controllerType`                              | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""`                                                                              |
-| `ingress.annotations`                                 | Annotations for ingress object                                                                                                                                                                                                         | `{}`                                                                              |
-| `ingress.host`                                        | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.                                                       | `oidc-discovery`                                                                  |
-| `ingress.tlsSecret`                                   | Secret that has the certs. If blank will use default certs. Used with host var.                                                                                                                                                        | `""`                                                                              |
-| `ingress.hosts`                                       | Host paths for ingress object. If emtpy, rules will be built based on the host var.                                                                                                                                                    | `[]`                                                                              |
-| `ingress.tls`                                         | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars.                                                                                                         | `[]`                                                                              |
-| `tests.hostAliases`                                   | List of host aliases for testing                                                                                                                                                                                                       | `[]`                                                                              |
-| `tests.tls.enabled`                                   | Flag for enabling tls for tests                                                                                                                                                                                                        | `false`                                                                           |
-| `tests.tls.customCA`                                  | Custom CA value for tests                                                                                                                                                                                                              | `""`                                                                              |
-| `tests.bash.image.registry`                           | The OCI registry to pull the image from                                                                                                                                                                                                | `cgr.dev`                                                                         |
-| `tests.bash.image.repository`                         | The repository within the registry                                                                                                                                                                                                     | `chainguard/bash`                                                                 |
-| `tests.bash.image.pullPolicy`                         | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `tests.bash.image.tag`                                | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `latest@sha256:81f0b434b297453ff101de0b5f4f5cd8d4af1c015a1d34162e9ae9a4a9f38669`  |
-| `tests.toolkit.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                                                                | `cgr.dev`                                                                         |
-| `tests.toolkit.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `chainguard/slim-toolkit-debug`                                                   |
-| `tests.toolkit.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `tests.toolkit.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `latest@sha256:606810cf1076a226dfb85fa4102ee0ed2d8e2b7c7a8a2a53f9788c65501ecca8`  |
-| `tests.step.image.registry`                           | The OCI registry to pull the image from                                                                                                                                                                                                | `docker.io`                                                                       |
-| `tests.step.image.repository`                         | The repository within the registry                                                                                                                                                                                                     | `smallstep/step-cli`                                                              |
-| `tests.step.image.pullPolicy`                         | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `tests.step.image.tag`                                | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `0.25.2`                                                                          |
-| `tests.busybox.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                                                                | `""`                                                                              |
-| `tests.busybox.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `busybox`                                                                         |
-| `tests.busybox.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `tests.busybox.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `1.36.1-uclibc`                                                                   |
-| `tests.agent.image.registry`                          | The OCI registry to pull the image from                                                                                                                                                                                                | `ghcr.io`                                                                         |
-| `tests.agent.image.repository`                        | The repository within the registry                                                                                                                                                                                                     | `spiffe/spire-agent`                                                              |
-| `tests.agent.image.pullPolicy`                        | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `tests.agent.image.tag`                               | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `""`                                                                              |
-| `tools.kubectl.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                                                                | `docker.io`                                                                       |
-| `tools.kubectl.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `rancher/kubectl`                                                                 |
-| `tools.kubectl.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `tools.kubectl.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `""`                                                                              |
+| Name                                                  | Description                                                                                                                                                                                                                            | Value                                                                            |
+| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
+| `agentSocketName`                                     | The name of the spire-agent unix socket                                                                                                                                                                                                | `spire-agent.sock`                                                               |
+| `csiDriverName`                                       | The csi driver to use                                                                                                                                                                                                                  | `csi.spiffe.io`                                                                  |
+| `bundleSource`                                        | Configure where to fetch the trust bundle from. Must be CSI or ConfigMap.                                                                                                                                                              | `CSI`                                                                            |
+| `bundleConfigMap`                                     | ConfigMap name for SPIRE bundle when bundleSource is ConfigMap                                                                                                                                                                         | `spire-bundle`                                                                   |
+| `replicaCount`                                        | Replica count                                                                                                                                                                                                                          | `1`                                                                              |
+| `namespaceOverride`                                   | Namespace override                                                                                                                                                                                                                     | `""`                                                                             |
+| `annotations`                                         | Annotations for the deployment                                                                                                                                                                                                         | `{}`                                                                             |
+| `image.registry`                                      | The OCI registry to pull the image from                                                                                                                                                                                                | `ghcr.io`                                                                        |
+| `image.repository`                                    | The repository within the registry                                                                                                                                                                                                     | `spiffe/oidc-discovery-provider`                                                 |
+| `image.pullPolicy`                                    | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `image.tag`                                           | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `""`                                                                             |
+| `expandEnv`                                           | Set to true to enable environment variable substitution of config file options                                                                                                                                                         | `false`                                                                          |
+| `extraEnv`                                            | Extra environment variables to add to the spiffe oidc discovery provider                                                                                                                                                               | `[]`                                                                             |
+| `spiffeHelper.image.registry`                         | The OCI registry to pull the image from                                                                                                                                                                                                | `ghcr.io`                                                                        |
+| `spiffeHelper.image.repository`                       | The repository within the registry                                                                                                                                                                                                     | `spiffe/spiffe-helper`                                                           |
+| `spiffeHelper.image.pullPolicy`                       | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `spiffeHelper.image.tag`                              | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `0.10.1`                                                                         |
+| `spiffeHelper.resources`                              | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                             |
+| `resources`                                           | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                             |
+| `service.type`                                        | Service type                                                                                                                                                                                                                           | `ClusterIP`                                                                      |
+| `service.ports.http`                                  | Insecure port for the service                                                                                                                                                                                                          | `80`                                                                             |
+| `service.ports.https`                                 | Secure port for the service                                                                                                                                                                                                            | `443`                                                                            |
+| `service.annotations`                                 | Annotations for service resource                                                                                                                                                                                                       | `{}`                                                                             |
+| `configMap.annotations`                               | Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap                                                                                                                                                                     | `{}`                                                                             |
+| `podSecurityContext`                                  | Pod security context for OIDC discovery provider pods                                                                                                                                                                                  | `{}`                                                                             |
+| `securityContext`                                     | Security context for OIDC discovery provider deployment                                                                                                                                                                                | `{}`                                                                             |
+| `readinessProbe.initialDelaySeconds`                  | Initial delay seconds for readinessProbe                                                                                                                                                                                               | `5`                                                                              |
+| `readinessProbe.periodSeconds`                        | Period seconds for readinessProbe                                                                                                                                                                                                      | `5`                                                                              |
+| `livenessProbe.initialDelaySeconds`                   | Initial delay seconds for livenessProbe                                                                                                                                                                                                | `5`                                                                              |
+| `livenessProbe.periodSeconds`                         | Period seconds for livenessProbe                                                                                                                                                                                                       | `5`                                                                              |
+| `podAnnotations`                                      | Pod annotations for Spire OIDC discovery provider                                                                                                                                                                                      | `{}`                                                                             |
+| `tls.spire.enabled`                                   | Use spire to secure the oidc-discovery-provider                                                                                                                                                                                        | `true`                                                                           |
+| `tls.externalSecret.enabled`                          | Provide your own certificate/key via tls style Kubernetes Secret                                                                                                                                                                       | `false`                                                                          |
+| `tls.externalSecret.secretName`                       | Specify which Secret to use                                                                                                                                                                                                            | `""`                                                                             |
+| `tls.certManager.enabled`                             | Use certificateManager to create the certificate                                                                                                                                                                                       | `false`                                                                          |
+| `tls.certManager.issuer.create`                       | Create an issuer to use to issue the certificate                                                                                                                                                                                       | `true`                                                                           |
+| `tls.certManager.issuer.acme.email`                   | Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service                                                                                                                                     | `""`                                                                             |
+| `tls.certManager.issuer.acme.server`                  | Server to use to get certificate. Defaults to LetsEncrypt                                                                                                                                                                              | `https://acme-v02.api.letsencrypt.org/directory`                                 |
+| `tls.certManager.issuer.acme.solvers`                 | Configure the issuer solvers. Defaults to http01 via ingress.                                                                                                                                                                          | `{}`                                                                             |
+| `tls.certManager.certificate.dnsNames`                | Override the dnsNames on the certificate request. Defaults to the same settings as Ingress                                                                                                                                             | `[]`                                                                             |
+| `tls.certManager.certificate.issuerRef.group`         | If you are using an external plugin, specify the group for it here                                                                                                                                                                     | `""`                                                                             |
+| `tls.certManager.certificate.issuerRef.kind`          | Kind of the issuer reference. Override if you want to use a ClusterIssuer                                                                                                                                                              | `Issuer`                                                                         |
+| `tls.certManager.certificate.issuerRef.name`          | Name of the issuer to use. If unset, it will use the name of the built in issuer                                                                                                                                                       | `""`                                                                             |
+| `insecureScheme.nginx.image.registry`                 | The OCI registry to pull the image from. Only used when TLS is disabled.                                                                                                                                                               | `docker.io`                                                                      |
+| `insecureScheme.nginx.image.repository`               | The repository within the registry. Only used when TLS is disabled.                                                                                                                                                                    | `nginxinc/nginx-unprivileged`                                                    |
+| `insecureScheme.nginx.image.pullPolicy`               | The image pull policy.  Only used when TLS is disabled.                                                                                                                                                                                | `IfNotPresent`                                                                   |
+| `insecureScheme.nginx.image.tag`                      | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled.                                                                                                                                         | `1.29.0-alpine`                                                                  |
+| `insecureScheme.nginx.ipMode`                         | IP modes supported by the cluster. Must be one of [ipv4, ipv6, both]                                                                                                                                                                   | `both`                                                                           |
+| `insecureScheme.nginx.resources`                      | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                             |
+| `jwtIssuer`                                           | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset                                                                                                                                                                   | `""`                                                                             |
+| `config.logLevel`                                     | The log level, valid values are "debug", "info", "warn", and "error"                                                                                                                                                                   | `info`                                                                           |
+| `config.jwtDomain`                                    | The JWT domain. Defaults to oidc-discovery.$jwtIssuer URL-parsed host if unset                                                                                                                                                         | `""`                                                                             |
+| `config.jwksUri`                                      | The JWKS URI                                                                                                                                                                                                                           | `""`                                                                             |
+| `config.additionalDomains`                            | Add additional domains that can be used for oidc discovery                                                                                                                                                                             | `[]`                                                                             |
+| `imagePullSecrets`                                    | Image pull secret names                                                                                                                                                                                                                | `[]`                                                                             |
+| `nameOverride`                                        | Name override                                                                                                                                                                                                                          | `""`                                                                             |
+| `fullnameOverride`                                    | Full name override                                                                                                                                                                                                                     | `""`                                                                             |
+| `serviceAccount.create`                               | Specifies whether a service account should be created                                                                                                                                                                                  | `true`                                                                           |
+| `serviceAccount.annotations`                          | Annotations to add to the service account                                                                                                                                                                                              | `{}`                                                                             |
+| `serviceAccount.name`                                 | The name of the service account to use. If not set and create is true, a name is generated.                                                                                                                                            | `""`                                                                             |
+| `deleteHook.enabled`                                  | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`)                                                                                                                                      | `true`                                                                           |
+| `autoscaling.enabled`                                 | Flag to enable autoscaling                                                                                                                                                                                                             | `false`                                                                          |
+| `autoscaling.minReplicas`                             | Minimum replicas for autoscaling                                                                                                                                                                                                       | `1`                                                                              |
+| `autoscaling.maxReplicas`                             | Maximum replicas for autoscaling                                                                                                                                                                                                       | `5`                                                                              |
+| `autoscaling.targetCPUUtilizationPercentage`          | Target CPU utlization that triggers autoscaling                                                                                                                                                                                        | `80`                                                                             |
+| `autoscaling.targetMemoryUtilizationPercentage`       | Target Memory utlization that triggers autoscaling                                                                                                                                                                                     | `80`                                                                             |
+| `nodeSelector`                                        | Node selector                                                                                                                                                                                                                          | `{}`                                                                             |
+| `tolerations`                                         | iist of tolerations                                                                                                                                                                                                                    | `[]`                                                                             |
+| `affinity`                                            | Node affinity                                                                                                                                                                                                                          | `{}`                                                                             |
+| `trustDomain`                                         | Set the trust domain to be used for the SPIFFE identifiers                                                                                                                                                                             | `example.org`                                                                    |
+| `clusterDomain`                                       | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`)                                                                                                                                                               | `cluster.local`                                                                  |
+| `telemetry.prometheus.enabled`                        | Flag to enable prometheus monitoring                                                                                                                                                                                                   | `false`                                                                          |
+| `telemetry.prometheus.port`                           | Port for prometheus metrics                                                                                                                                                                                                            | `9988`                                                                           |
+| `telemetry.prometheus.podMonitor.enabled`             | Enable podMonitor for prometheus                                                                                                                                                                                                       | `false`                                                                          |
+| `telemetry.prometheus.podMonitor.namespace`           | Override where to install the podMonitor, if not set will use the same namespace as the helm release                                                                                                                                   | `""`                                                                             |
+| `telemetry.prometheus.podMonitor.labels`              | Pod labels to filter for prometheus monitoring                                                                                                                                                                                         | `{}`                                                                             |
+| `telemetry.prometheus.nginxExporter.image.registry`   | The OCI registry to pull the image from                                                                                                                                                                                                | `docker.io`                                                                      |
+| `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry                                                                                                                                                                                                     | `nginx/nginx-prometheus-exporter`                                                |
+| `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `telemetry.prometheus.nginxExporter.image.tag`        | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `1.4.2`                                                                          |
+| `telemetry.prometheus.nginxExporter.resources`        | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                             |
+| `ingress.enabled`                                     | Flag to enable ingress                                                                                                                                                                                                                 | `false`                                                                          |
+| `ingress.className`                                   | Ingress class name                                                                                                                                                                                                                     | `""`                                                                             |
+| `ingress.controllerType`                              | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""`                                                                             |
+| `ingress.annotations`                                 | Annotations for ingress object                                                                                                                                                                                                         | `{}`                                                                             |
+| `ingress.host`                                        | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.                                                       | `oidc-discovery`                                                                 |
+| `ingress.tlsSecret`                                   | Secret that has the certs. If blank will use default certs. Used with host var.                                                                                                                                                        | `""`                                                                             |
+| `ingress.hosts`                                       | Host paths for ingress object. If emtpy, rules will be built based on the host var.                                                                                                                                                    | `[]`                                                                             |
+| `ingress.tls`                                         | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars.                                                                                                         | `[]`                                                                             |
+| `tests.hostAliases`                                   | List of host aliases for testing                                                                                                                                                                                                       | `[]`                                                                             |
+| `tests.tls.enabled`                                   | Flag for enabling tls for tests                                                                                                                                                                                                        | `false`                                                                          |
+| `tests.tls.customCA`                                  | Custom CA value for tests                                                                                                                                                                                                              | `""`                                                                             |
+| `tests.bash.image.registry`                           | The OCI registry to pull the image from                                                                                                                                                                                                | `cgr.dev`                                                                        |
+| `tests.bash.image.repository`                         | The repository within the registry                                                                                                                                                                                                     | `chainguard/bash`                                                                |
+| `tests.bash.image.pullPolicy`                         | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `tests.bash.image.tag`                                | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
+| `tests.toolkit.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                                                                | `cgr.dev`                                                                        |
+| `tests.toolkit.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `chainguard/min-toolkit-debug`                                                   |
+| `tests.toolkit.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `tests.toolkit.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53` |
+| `tests.step.image.registry`                           | The OCI registry to pull the image from                                                                                                                                                                                                | `docker.io`                                                                      |
+| `tests.step.image.repository`                         | The repository within the registry                                                                                                                                                                                                     | `smallstep/step-cli`                                                             |
+| `tests.step.image.pullPolicy`                         | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `tests.step.image.tag`                                | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `0.28.7`                                                                         |
+| `tests.busybox.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                                                                | `""`                                                                             |
+| `tests.busybox.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `busybox`                                                                        |
+| `tests.busybox.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `tests.busybox.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `1.37.0-uclibc`                                                                  |
+| `tests.agent.image.registry`                          | The OCI registry to pull the image from                                                                                                                                                                                                | `ghcr.io`                                                                        |
+| `tests.agent.image.repository`                        | The repository within the registry                                                                                                                                                                                                     | `spiffe/spire-agent`                                                             |
+| `tests.agent.image.pullPolicy`                        | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `tests.agent.image.tag`                               | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `""`                                                                             |
+| `tools.kubectl.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                                                                | `registry.k8s.io`                                                                |
+| `tools.kubectl.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `kubectl`                                                                        |
+| `tools.kubectl.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `tools.kubectl.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `""`                                                                             |

charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl

@@ -93,9 +93,23 @@ Create the name of the service account to use
 {{- end }}
 
 {{- define "spiffe-oidc-discovery-provider.tls-enabled" -}}
-{{-   if and .Values.enabled (or .Values.tls.spire.enabled .Values.tls.externalSecret.enabled .Values.tls.certManager.enabled) }}
+{{-   if or .Values.tls.spire.enabled .Values.tls.externalSecret.enabled .Values.tls.certManager.enabled }}
 {{-     true }}
 {{-   else }}
 {{-     false }}
 {{-   end }}
 {{- end }}
+
+{{- define "spiffe-oidc-discovery-provider.podSecurityContext" -}}
+{{-   $podSecurityContext := include "spire-lib.podsecuritycontext" . | fromYaml }}
+{{-   $openshift := ((.Values).global).openshift | default false }}
+{{-   if and .Values.tls.spire.enabled (not $openshift) }}
+{{-     if not (hasKey $podSecurityContext "runAsUser") }}
+{{-       $_ := set $podSecurityContext "runAsUser" 1000 }}
+{{-     end }}
+{{-     if not (hasKey $podSecurityContext "runAsGroup") }}
+{{-       $_ := set $podSecurityContext "runAsGroup" 1000 }}
+{{-     end }}
+{{-   end }}
+{{-   toYaml $podSecurityContext }}
+{{- end }}

charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml

@@ -1,3 +1,6 @@
+{{- if and (ne .Values.bundleSource "ConfigMap") (ne .Values.bundleSource "CSI") }}
+{{-   fail "Bundle source must be CSI or ConfigmMap" }}
+{{- end }}
 {{- $tlsCount := 0 }}
 {{- if and .Values.enabled .Values.tls.spire.enabled }}
 {{-   $tlsCount = add $tlsCount 1 }}
@@ -23,9 +26,12 @@ domains:
   - "{{ include "spiffe-oidc-discovery-provider.fullname" . }}"
   - "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}"
   - "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}"
-  {{- $uri := urlParse (include "spire-lib.jwt-issuer" .) }}
-  {{- $jwtIssuer := (default $uri.path $uri.host) }}
-  {{- uniq (concat (list $jwtIssuer) .Values.config.additionalDomains) | toYaml | nindent 2 }}
+  {{- $jwtDomain := .Values.config.jwtDomain }}
+  {{- if not $jwtDomain }}
+    {{- $uri := urlParse (include "spire-lib.jwt-issuer" .) }}
+    {{- $jwtDomain = (default $uri.path $uri.host) }}
+  {{- end }}
+  {{- uniq (concat (list $jwtDomain) .Values.config.additionalDomains) | toYaml | nindent 2 }}
 
 {{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }}
 allow_insecure_scheme: true
@@ -37,9 +43,18 @@ serving_cert_file:
   addr: ':8443'
 {{- end }}
 
+{{- if .Values.config.jwksUri}}
+jwks_uri: {{ .Values.config.jwksUri | quote }}
+{{- end }}
+
+{{- if eq .Values.bundleSource "ConfigMap" }}
+file:
+  path: /bundle/bundle.spiffe
+{{- else }}
 workload_api:
   socket_path: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | quote }}
   trust_domain: {{ include "spire-lib.trust-domain" . | quote }}
+{{- end }}
 
 health_checks:
   bind_port: "8008"
@@ -66,8 +81,12 @@ data:
     }
 
     server {
+      {{- if or (eq .Values.insecureScheme.nginx.ipMode "ipv4") (eq .Values.insecureScheme.nginx.ipMode "both") }}
       listen            8080;
+      {{- end }}
+      {{- if or (eq .Values.insecureScheme.nginx.ipMode "ipv6") (eq .Values.insecureScheme.nginx.ipMode "both") }}
       listen       [::]:8080;
+      {{- end }}
 
       location / {
         proxy_pass http://oidc;

charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml

@@ -37,7 +37,7 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}
       securityContext:
-        {{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
+        {{- include "spiffe-oidc-discovery-provider.podSecurityContext" . | nindent 8 }}
       initContainers:
         {{- if .Values.tls.spire.enabled }}
         - name: init
@@ -50,7 +50,7 @@ spec:
           args:
             - -config
             - /etc/spiffe-helper.conf
-            - -exitWhenReady
+            - -daemon-mode=false
           volumeMounts:
             - name: spiffe-workload-api
               mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }}
@@ -71,6 +71,13 @@ spec:
           args:
             - -config
             - /run/spire/oidc/config/oidc-discovery-provider.conf
+            {{- if .Values.expandEnv }}
+            - -expandEnv
+            {{- end }}
+          {{- with .Values.extraEnv }}
+          env:
+          {{- . | toYaml | nindent 12 }}
+          {{- end }}
           ports:
             - containerPort: 8008
               name: healthz
@@ -79,9 +86,15 @@ spec:
               name: https
           {{- end }}
           volumeMounts:
+            {{- if eq .Values.bundleSource "ConfigMap" }}
+            - name: spiffe-bundle
+              mountPath: /bundle
+              readOnly: true
+            {{- else }}
             - name: spiffe-workload-api
               mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }}
               readOnly: true
+            {{- end }}
             - name: spire-oidc-sockets
               mountPath: /run/spire/oidc-sockets
               readOnly: false
@@ -164,10 +177,17 @@ spec:
         {{- end }}
         {{- end }}
       volumes:
+        {{- if or .Values.tls.spire.enabled (eq .Values.bundleSource "CSI") }}
         - name: spiffe-workload-api
           csi:
             driver: "{{ .Values.csiDriverName }}"
             readOnly: true
+        {{- end }}
+        {{- if eq .Values.bundleSource "ConfigMap" }}
+        - name: spiffe-bundle
+          configMap:
+            name: {{ include "spire-lib.bundle-configmap" . }}
+        {{- end }}
         - name: spire-oidc-sockets
           emptyDir: {}
         - name: spire-oidc-config

charts/spire/charts/spiffe-oidc-discovery-provider/templates/pre-delete-hook.yaml

@@ -72,4 +72,8 @@ spec:
           - deployment
           - {{ include "spiffe-oidc-discovery-provider.fullname" . }}
           - --wait
+        {{- with (((.Values).global).deleteHooks).resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
 {{- end }}

charts/spire/charts/spiffe-oidc-discovery-provider/templates/scc-spire-oidc-discovery-provider.yaml

@@ -22,6 +22,7 @@ volumes:
   - hostPath
   - projected
   - secret
+allowedCapabilities: null
 allowHostDirVolumePlugin: true
 allowHostIPC: true
 allowHostNetwork: true
@@ -29,9 +30,12 @@ allowHostPID: true
 allowHostPorts: true
 allowPrivilegeEscalation: true
 allowPrivilegedContainer: true
+defaultAddCapabilities: null
 fsGroup:
   type: RunAsAny
 groups: []
+priority: null
+requiredDropCapabilities: null
 seccompProfiles:
   - '*'
 

charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml

@@ -11,6 +11,12 @@ agentSocketName: spire-agent.sock
 ## @param csiDriverName The csi driver to use
 csiDriverName: csi.spiffe.io
 
+## @param bundleSource Configure where to fetch the trust bundle from. Must be CSI or ConfigMap.
+bundleSource: CSI
+
+## @param bundleConfigMap ConfigMap name for SPIRE bundle when bundleSource is ConfigMap
+bundleConfigMap: spire-bundle
+
 ## @param replicaCount Replica count
 replicaCount: 1
 
@@ -31,6 +37,12 @@ image:
   pullPolicy: IfNotPresent
   tag: ""
 
+## @param expandEnv Set to true to enable environment variable substitution of config file options
+expandEnv: false
+
+## @param extraEnv [array] Extra environment variables to add to the spiffe oidc discovery provider
+extraEnv: []
+
 spiffeHelper:
   image:
     ## @param spiffeHelper.image.registry The OCI registry to pull the image from
@@ -41,7 +53,7 @@ spiffeHelper:
     registry: ghcr.io
     repository: spiffe/spiffe-helper
     pullPolicy: IfNotPresent
-    tag: nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6
+    tag: 0.10.1
   ## @param spiffeHelper.resources [object] Resource requests and limits
   resources: {}
 
@@ -164,7 +176,9 @@ insecureScheme:
       registry: docker.io
       repository: nginxinc/nginx-unprivileged
       pullPolicy: IfNotPresent
-      tag: 1.25.4-alpine
+      tag: 1.29.0-alpine
+    ## @param insecureScheme.nginx.ipMode IP modes supported by the cluster. Must be one of [ipv4, ipv6, both]
+    ipMode: both
     ## @param insecureScheme.nginx.resources Resource requests and limits
     resources: {}
       # We usually recommend not to specify default resources and to leave this as a conscious
@@ -184,6 +198,10 @@ jwtIssuer: ""
 config:
   ## @param config.logLevel The log level, valid values are "debug", "info", "warn", and "error"
   logLevel: info
+  ## @param config.jwtDomain [string] The JWT domain. Defaults to oidc-discovery.$jwtIssuer URL-parsed host if unset
+  jwtDomain: ""
+  ## @param config.jwksUri [string] The JWKS URI
+  jwksUri: ""
   ## @param config.additionalDomains [array] Add additional domains that can be used for oidc discovery
   additionalDomains: []
   # - localhost
@@ -262,7 +280,7 @@ telemetry:
         registry: docker.io
         repository: nginx/nginx-prometheus-exporter
         pullPolicy: IfNotPresent
-        tag: "1.1.0"
+        tag: "1.4.2"
 
       ## @param telemetry.prometheus.nginxExporter.resources [object] Resource requests and limits
       resources: {}
@@ -328,7 +346,7 @@ tests:
       registry: cgr.dev
       repository: chainguard/bash
       pullPolicy: IfNotPresent
-      tag: latest@sha256:81f0b434b297453ff101de0b5f4f5cd8d4af1c015a1d34162e9ae9a4a9f38669
+      tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679
 
   toolkit:
     ## @param tests.toolkit.image.registry The OCI registry to pull the image from
@@ -338,9 +356,9 @@ tests:
     ##
     image:
       registry: cgr.dev
-      repository: chainguard/slim-toolkit-debug
+      repository: chainguard/min-toolkit-debug
       pullPolicy: IfNotPresent
-      tag: latest@sha256:606810cf1076a226dfb85fa4102ee0ed2d8e2b7c7a8a2a53f9788c65501ecca8
+      tag: latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53
 
   step:
     ## @param tests.step.image.registry The OCI registry to pull the image from
@@ -352,7 +370,7 @@ tests:
       registry: "docker.io"
       repository: smallstep/step-cli
       pullPolicy: IfNotPresent
-      tag: 0.25.2
+      tag: 0.28.7
 
   busybox:
     ## @param tests.busybox.image.registry The OCI registry to pull the image from
@@ -364,7 +382,7 @@ tests:
       registry: ""
       repository: busybox
       pullPolicy: IfNotPresent
-      tag: 1.36.1-uclibc
+      tag: 1.37.0-uclibc
 
   agent:
     ## @param tests.agent.image.registry The OCI registry to pull the image from
@@ -386,7 +404,7 @@ tools:
     ## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion
     ##
     image:
-      registry: docker.io
-      repository: rancher/kubectl
+      registry: registry.k8s.io
+      repository: kubectl
       pullPolicy: IfNotPresent
       tag: ""

charts/spire/charts/spike-keeper/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: spike-keeper
+description: A Helm chart to deploy SPIKE Keeper
+type: application
+version: 0.1.0
+appVersion: "0.4.2"
+home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
+sources:
+  - https://github.com/spiffe/spike
+icon: https://spike.ist/assets/spike-banner.png
+maintainers:
+  - name: kfox1111
+    email: Kevin.Fox@pnnl.gov

charts/spire/charts/spike-keeper/README.md

@@ -0,0 +1,72 @@
+# spike-keeper
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.1](https://img.shields.io/badge/AppVersion-v0.4.1-informational?style=flat-square)
+[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
+
+A Helm chart to deploy spike keepers
+
+**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
+
+## Version support
+
+> [!Note]
+> This Chart is still in development and still subject to change the API (`values.yaml`).
+> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
+> we do aim for as much stability as possible.
+
+| Dependency | Supported Versions |
+|:-----------|:-------------------|
+| Helm       | `3.x`              |
+
+## Source Code
+
+* <https://github.com/spiffe/spike>
+
+<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
+
+## Parameters
+
+### Chart parameters
+
+| Name                               | Description                                                                                                                                                                                                                             | Value                 |
+| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
+| `image.registry`                   | The OCI registry to pull the image from                                                                                                                                                                                                 | `ghcr.io`             |
+| `image.repository`                 | The repository within the registry                                                                                                                                                                                                      | `spiffe/spike-keeper` |
+| `image.pullPolicy`                 | The image pull policy                                                                                                                                                                                                                   | `IfNotPresent`        |
+| `image.tag`                        | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                           | `""`                  |
+| `replicas`                         | The number of keepers to launch                                                                                                                                                                                                         | `3`                   |
+| `trustRoot.nexus`                  | Override which trustRoot Nexus is in                                                                                                                                                                                                    | `""`                  |
+| `logLevel`                         | The log level, valid values are "debug", "info", "warn", and "error"                                                                                                                                                                    | `debug`               |
+| `agentSocketName`                  | The name of the spire-agent unix socket                                                                                                                                                                                                 | `spire-agent.sock`    |
+| `csiDriverName`                    | The csi driver to use                                                                                                                                                                                                                   | `csi.spiffe.io`       |
+| `imagePullSecrets`                 | Pull secrets for images                                                                                                                                                                                                                 | `[]`                  |
+| `nameOverride`                     | Name override                                                                                                                                                                                                                           | `""`                  |
+| `namespaceOverride`                | Namespace override                                                                                                                                                                                                                      | `""`                  |
+| `fullnameOverride`                 | Fullname override                                                                                                                                                                                                                       | `""`                  |
+| `serviceAccount.create`            | Specifies whether a service account should be created                                                                                                                                                                                   | `true`                |
+| `serviceAccount.annotations`       | Annotations to add to the service account                                                                                                                                                                                               | `{}`                  |
+| `serviceAccount.name`              | The name of the service account to use. If not set and create is true, a name is generated.                                                                                                                                             | `""`                  |
+| `labels`                           | Labels for pods                                                                                                                                                                                                                         | `{}`                  |
+| `podSecurityContext`               | Pod security context                                                                                                                                                                                                                    | `{}`                  |
+| `securityContext`                  | Security context                                                                                                                                                                                                                        | `{}`                  |
+| `service.type`                     | Service type                                                                                                                                                                                                                            | `ClusterIP`           |
+| `service.port`                     | Service port                                                                                                                                                                                                                            | `443`                 |
+| `service.annotations`              | Annotations for service resource                                                                                                                                                                                                        | `{}`                  |
+| `nodeSelector`                     | (Optional) Select specific nodes to run on.                                                                                                                                                                                             | `{}`                  |
+| `affinity`                         | Affinity rules                                                                                                                                                                                                                          | `{}`                  |
+| `tolerations`                      | List of tolerations                                                                                                                                                                                                                     | `[]`                  |
+| `topologySpreadConstraints`        | List of topology spread constraints for resilience                                                                                                                                                                                      | `[]`                  |
+| `startupProbe.enabled`             | Enable startupProbe                                                                                                                                                                                                                     | `true`                |
+| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe                                                                                                                                                                                                  | `5`                   |
+| `startupProbe.periodSeconds`       | Period seconds for startupProbe                                                                                                                                                                                                         | `10`                  |
+| `startupProbe.timeoutSeconds`      | Timeout seconds for startupProbe                                                                                                                                                                                                        | `5`                   |
+| `startupProbe.failureThreshold`    | Failure threshold count for startupProbe                                                                                                                                                                                                | `6`                   |
+| `startupProbe.successThreshold`    | Success threshold count for startupProbe                                                                                                                                                                                                | `1`                   |
+| `ingress.enabled`                  | Flag to enable ingress                                                                                                                                                                                                                  | `false`               |
+| `ingress.className`                | Ingress class name                                                                                                                                                                                                                      | `""`                  |
+| `ingress.controllerType`           | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""`                  |
+| `ingress.annotations`              | Annotations                                                                                                                                                                                                                             | `{}`                  |
+| `ingress.host`                     | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.                                                        | `keeper`              |
+| `ingress.tlsSecret`                | Secret that has the certs. If blank will use default certs. Used with host var.                                                                                                                                                         | `""`                  |
+| `ingress.hosts`                    | Host paths for ingress object. If empty, rules will be built based on the host var.                                                                                                                                                     | `[]`                  |
+| `ingress.tls`                      | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.                                                                                                            | `[]`                  |

charts/spire/charts/spike-keeper/templates/NOTES.txt

@@ -0,0 +1 @@
+Installed {{ .Chart.Name }}…

charts/spire/charts/spike-keeper/templates/_helpers.tpl

@@ -0,0 +1,83 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "spike-keeper.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "spike-keeper.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "spike-keeper.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
+    {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
+      {{- .Values.global.spire.namespaces.server.name }}
+    {{- else }}
+      {{- printf "spire-server" }}
+    {{- end }}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "spike-keeper.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "spike-keeper.labels" -}}
+helm.sh/chart: {{ include "spike-keeper.chart" . }}
+{{ include "spike-keeper.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "spike-keeper.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "spike-keeper.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "spike-keeper.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "spike-keeper.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "spike-keeper.workload-api-socket-path" -}}
+{{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
+{{- end }}

charts/spire/charts/spike-keeper/templates/ingress.yaml

@@ -0,0 +1,44 @@
+{{- if .Values.ingress.enabled -}}
+{{ $root := . }}
+{{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.ingress) }}
+{{- $fullName := include "spike-keeper.fullname" . -}}
+{{- $tlsSection := true }}
+{{- $annotations := deepCopy .Values.ingress.annotations }}
+{{- if eq $ingressControllerType "ingress-nginx" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
+{{- else if eq $ingressControllerType "openshift" }}
+{{-   $path = "" }}
+{{-   $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
+{{-   $tlsSection = false }}
+{{- end }}
+{{ $last := sub (.Values.replicas | int) 1 | int }}
+{{ range (seq 0 ($last) | toString | split " ") }}
+{{ $i := . }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-{{ $i }}
+  namespace: {{ include "spike-keeper.namespace" $root }}
+  labels:
+    {{ include "spike-keeper.labels" $root | nindent 4}}
+  {{- with $annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- $host := $root.Values.ingress.host }}
+  {{- if contains "." $host }}
+  {{-   $hostParts := regexSplit "[.]" $host 2 }}
+  {{-   $host = printf "%s-%s.%s" (index $hostParts 0) $i (index $hostParts 1) }}
+  {{- else }}
+  {{-   $host = printf "%s-%s" $host $i }}
+  {{- end }}
+  {{ $ingress := deepCopy $root.Values.ingress }}
+  {{ $_ :=  set $ingress "host" $host }}
+  {{ include "spire-lib.ingress-spec" (dict "ingress" $ingress "svcName" (printf "%s-%s" $fullName $i) "port" $root.Values.service.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" $root.Values) | nindent 2 }}
+{{- end }}
+{{- end }}

charts/spire/charts/spike-keeper/templates/service.yaml

@@ -0,0 +1,48 @@
+{{ $root := . }}
+{{ $last := sub (.Values.replicas | int) 1 | int }}
+{{ range (seq 0 ($last) | toString | split " ") }}
+{{ $i := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: {{ include "spike-keeper.namespace" $root }}
+  name: {{ include "spike-keeper.fullname" $root }}-{{ $i }}
+  {{- with $root.Values.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    apps.kubernetes.io/pod-index: {{ $i | quote }}
+    {{- include "spike-keeper.labels" $root | nindent 4 }}
+spec:
+  type: {{ $root.Values.service.type }}
+  selector:
+    apps.kubernetes.io/pod-index: {{ $i | quote }}
+    {{- include "spike-keeper.selectorLabels" $root | nindent 4 }}
+  ports:
+    - name: {{ include "spike-keeper.fullname" $root }}
+      port: {{ $root.Values.service.port }}
+      targetPort: http
+{{ end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: {{ include "spike-keeper.namespace" $root }}
+  name: {{ include "spike-keeper.fullname" $root }}-headless
+  {{- with $root.Values.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "spike-keeper.labels" $root | nindent 4 }}
+spec:
+  type: {{ $root.Values.service.type }}
+  clusterIP: None
+  selector:
+    {{- include "spike-keeper.selectorLabels" $root | nindent 4 }}
+  ports:
+    - name: {{ include "spike-keeper.fullname" $root }}
+      port: {{ $root.Values.service.port }}
+      targetPort: http

charts/spire/charts/spike-keeper/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "spike-keeper.serviceAccountName" . }}
+  namespace: {{ include "spike-keeper.namespace" . }}
+  labels:
+    {{- include "spike-keeper.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/spire/charts/spike-keeper/templates/statefulset.yaml

@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ include "spike-keeper.fullname" . }}
+  namespace: {{ include "spike-keeper.namespace" . }}
+  labels:
+    {{- include "spike-keeper.labels" . | nindent 4 }}
+spec:
+  serviceName: {{ include "spike-keeper.fullname" . }}-headless
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      {{- include "spike-keeper.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "spike-keeper.selectorLabels" . | nindent 8 }}
+        release: {{ .Release.Name }}
+        release-namespace: {{ .Release.Namespace }}
+        component: spike-keeper
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "spike-keeper.serviceAccountName" . }}
+      securityContext:
+        {{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
+      containers:
+        - name:  {{ include "spike-keeper.fullname" . }}
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{- include "spire-lib.securitycontext" . | nindent 12 }}
+          ports:
+            - name: http
+              containerPort: 8443
+              protocol: TCP
+          env:
+            - name: SPIFFE_ENDPOINT_SOCKET
+              value: unix://{{ include "spike-keeper.workload-api-socket-path" . }}
+            - name: SPIKE_SYSTEM_LOG_LEVEL
+              value: {{ .Values.logLevel | upper }}
+            - name: SPIKE_TRUST_ROOT
+              value: {{ include "spire-lib.trust-domain" . }}
+            - name: SPIKE_TRUST_ROOT_NEXUS
+              value: {{if eq .Values.trustRoot.nexus "" }}{{ include "spire-lib.trust-domain" . }}{{ else }}{{.Values.trustRoot.nexus }}{{ end }}
+            - name: SPIKE_KEEPER_TLS_PORT
+              value: ":8443"
+          {{- if .Values.startupProbe.enabled }}
+          startupProbe:
+            tcpSocket:
+              port: 8443
+            failureThreshold: {{ .Values.startupProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.startupProbe.periodSeconds }}
+            successThreshold: {{ .Values.startupProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
+          {{- end }}
+          volumeMounts:
+            - name: spiffe-workload-api
+              mountPath: {{ include "spike-keeper.workload-api-socket-path" . | dir }}
+              readOnly: true
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: spiffe-workload-api
+          csi:
+            driver: "{{ .Values.csiDriverName }}"
+            readOnly: true

charts/spire/charts/spike-keeper/values.yaml

@@ -0,0 +1,139 @@
+# Default configuration for SPIKE Keeper
+# SPDX-License-Identifier: APACHE-2.0
+
+## @skip global
+global: {}
+
+## @section Chart parameters
+##
+## @param image.registry The OCI registry to pull the image from
+## @param image.repository The repository within the registry
+## @param image.pullPolicy The image pull policy
+## @param image.tag Overrides the image tag whose default is the chart appVersion
+##
+image:
+  registry: ghcr.io
+  repository: spiffe/spike-keeper
+  pullPolicy: IfNotPresent
+  tag: ""
+
+## @param replicas The number of keepers to launch
+replicas: 3
+
+trustRoot:
+  ## @param trustRoot.nexus Override which trustRoot Nexus is in
+  nexus: ""
+
+## @param logLevel The log level, valid values are "debug", "info", "warn", and "error"
+logLevel: debug
+
+## @param agentSocketName The name of the spire-agent unix socket
+agentSocketName: spire-agent.sock
+## @param csiDriverName The csi driver to use
+csiDriverName: csi.spiffe.io
+
+## @param imagePullSecrets [array] Pull secrets for images
+imagePullSecrets: []
+
+## @param nameOverride Name override
+nameOverride: ""
+
+## @param namespaceOverride Namespace override
+namespaceOverride: ""
+
+## @param fullnameOverride Fullname override
+fullnameOverride: ""
+
+## @param serviceAccount.create Specifies whether a service account should be created
+## @param serviceAccount.annotations [object] Annotations to add to the service account
+## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
+##
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""
+
+## @param labels [object] Labels for pods
+labels: {}
+
+## @param podSecurityContext [object] Pod security context
+podSecurityContext: {}
+  # fsGroup: 2000
+
+## @param securityContext [object] Security context
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+## @param service.type Service type
+## @param service.port Service port
+## @param service.annotations Annotations for service resource
+##
+service:
+  type: ClusterIP
+  port: 443
+  annotations: {}
+
+## @param nodeSelector (Optional) Select specific nodes to run on.
+nodeSelector: {}
+
+## @param affinity [object] Affinity rules
+affinity: {}
+
+## @param tolerations [array] List of tolerations
+tolerations: []
+
+## @param topologySpreadConstraints [array] List of topology spread constraints for resilience
+topologySpreadConstraints: []
+
+## Provide minimal resources to prevent accidental crashes due to resource exhaustion
+# resources:
+#   requests:
+#     cpu: 50m
+#     memory: 128Mi
+#   limits:
+#     cpu: 100m
+#     memory: 512Mi
+
+## Configure extra options for startup probe
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
+## @param startupProbe.enabled Enable startupProbe
+## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+## @param startupProbe.periodSeconds Period seconds for startupProbe
+## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
+## @param startupProbe.failureThreshold Failure threshold count for startupProbe
+## @param startupProbe.successThreshold Success threshold count for startupProbe
+##
+startupProbe:
+  enabled: true
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
+
+## @param ingress.enabled Flag to enable ingress
+## @param ingress.className Ingress class name
+## @param ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
+## @param ingress.annotations [object] Annotations
+ingress:
+  enabled: false
+  className: ""
+  controllerType: ""
+  annotations: {}
+
+  ## @param ingress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
+  host: "keeper"
+
+  ## @param ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
+  tlsSecret: ""
+
+  ## @param ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
+  hosts: []
+
+  ## @param ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
+  tls: []

charts/spire/charts/spike-nexus/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: spike-nexus
+description: A Helm chart to deploy SPIKE Nexus
+type: application
+version: 0.1.0
+appVersion: "0.4.2"
+home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
+sources:
+  - https://github.com/spiffe/spike
+icon: https://spike.ist/assets/spike-banner.png
+maintainers:
+  - name: kfox1111
+    email: Kevin.Fox@pnnl.gov

charts/spire/charts/spike-nexus/README.md

@@ -0,0 +1,83 @@
+# spike-nexus
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.1](https://img.shields.io/badge/AppVersion-v0.4.1-informational?style=flat-square)
+[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
+
+A Helm chart to deploy spike nexus
+
+**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
+
+## Version support
+
+> [!Note]
+> This Chart is still in development and still subject to change the API (`values.yaml`).
+> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
+> we do aim for as much stability as possible.
+
+| Dependency | Supported Versions |
+|:-----------|:-------------------|
+| Helm       | `3.x`              |
+
+## Source Code
+
+* <https://github.com/spiffe/spike>
+
+<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
+
+## Parameters
+
+### Chart parameters
+
+| Name                               | Description                                                                                                                                                                                                                             | Value                |
+| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- |
+| `image.registry`                   | The OCI registry to pull the image from                                                                                                                                                                                                 | `ghcr.io`            |
+| `image.repository`                 | The repository within the registry                                                                                                                                                                                                      | `spiffe/spike-nexus` |
+| `image.pullPolicy`                 | The image pull policy                                                                                                                                                                                                                   | `IfNotPresent`       |
+| `image.tag`                        | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                           | `""`                 |
+| `backendStore`                     | The backend store to use. Must be one of [sqlite, memory, lite]                                                                                                                                                                         | `sqlite`             |
+| `replicas`                         | The number of keepers to launch                                                                                                                                                                                                         | `1`                  |
+| `shamir.shares`                    | How many shares to configure for shamir secrets                                                                                                                                                                                         | `3`                  |
+| `shamir.threshold`                 | How many shares needed to recover                                                                                                                                                                                                       | `2`                  |
+| `keeperPeers`                      | Keeper peer configuration. If blank, it will be autodetected                                                                                                                                                                            | `[]`                 |
+| `trustRoot.nexus`                  | Override which trustRoot Nexus is in                                                                                                                                                                                                    | `""`                 |
+| `trustRoot.keepers`                | Override which trustRoot Keepers are in                                                                                                                                                                                                 | `[]`                 |
+| `trustRoot.pilot`                  | Override which trustRoot Pilot is in                                                                                                                                                                                                    | `""`                 |
+| `logLevel`                         | The log level, valid values are "debug", "info", "warn", and "error"                                                                                                                                                                    | `debug`              |
+| `agentSocketName`                  | The name of the spire-agent unix socket                                                                                                                                                                                                 | `spire-agent.sock`   |
+| `csiDriverName`                    | The csi driver to use                                                                                                                                                                                                                   | `csi.spiffe.io`      |
+| `imagePullSecrets`                 | Pull secrets for images                                                                                                                                                                                                                 | `[]`                 |
+| `nameOverride`                     | Name override                                                                                                                                                                                                                           | `""`                 |
+| `namespaceOverride`                | Namespace override                                                                                                                                                                                                                      | `""`                 |
+| `fullnameOverride`                 | Fullname override                                                                                                                                                                                                                       | `""`                 |
+| `serviceAccount.create`            | Specifies whether a service account should be created                                                                                                                                                                                   | `true`               |
+| `serviceAccount.annotations`       | Annotations to add to the service account                                                                                                                                                                                               | `{}`                 |
+| `serviceAccount.name`              | The name of the service account to use. If not set and create is true, a name is generated.                                                                                                                                             | `""`                 |
+| `labels`                           | Labels for pods                                                                                                                                                                                                                         | `{}`                 |
+| `podSecurityContext`               | Pod security context                                                                                                                                                                                                                    | `{}`                 |
+| `securityContext`                  | Security context                                                                                                                                                                                                                        | `{}`                 |
+| `service.type`                     | Service type                                                                                                                                                                                                                            | `ClusterIP`          |
+| `service.port`                     | Service port                                                                                                                                                                                                                            | `443`                |
+| `service.annotations`              | Annotations for service resource                                                                                                                                                                                                        | `{}`                 |
+| `nodeSelector`                     | (Optional) Select specific nodes to run on.                                                                                                                                                                                             | `{}`                 |
+| `affinity`                         | Affinity rules                                                                                                                                                                                                                          | `{}`                 |
+| `tolerations`                      | List of tolerations                                                                                                                                                                                                                     | `[]`                 |
+| `topologySpreadConstraints`        | List of topology spread constraints for resilience                                                                                                                                                                                      | `[]`                 |
+| `startupProbe.enabled`             | Enable startupProbe                                                                                                                                                                                                                     | `true`               |
+| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe                                                                                                                                                                                                  | `5`                  |
+| `startupProbe.periodSeconds`       | Period seconds for startupProbe                                                                                                                                                                                                         | `10`                 |
+| `startupProbe.timeoutSeconds`      | Timeout seconds for startupProbe                                                                                                                                                                                                        | `5`                  |
+| `startupProbe.failureThreshold`    | Failure threshold count for startupProbe                                                                                                                                                                                                | `6`                  |
+| `startupProbe.successThreshold`    | Success threshold count for startupProbe                                                                                                                                                                                                | `1`                  |
+| `ingress.enabled`                  | Flag to enable ingress                                                                                                                                                                                                                  | `false`              |
+| `ingress.className`                | Ingress class name                                                                                                                                                                                                                      | `""`                 |
+| `ingress.controllerType`           | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""`                 |
+| `ingress.annotations`              | Annotations                                                                                                                                                                                                                             | `{}`                 |
+| `ingress.host`                     | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.                                                        | `nexus`              |
+| `ingress.tlsSecret`                | Secret that has the certs. If blank will use default certs. Used with host var.                                                                                                                                                         | `""`                 |
+| `ingress.hosts`                    | Host paths for ingress object. If empty, rules will be built based on the host var.                                                                                                                                                     | `[]`                 |
+| `ingress.tls`                      | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.                                                                                                            | `[]`                 |
+| `persistence.type`                 | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only)                                                                                                                          | `pvc`                |
+| `persistence.size`                 | What size volume to use for persistence                                                                                                                                                                                                 | `1Gi`                |
+| `persistence.accessMode`           | What access mode to use for persistence. Valid options are ReadWriteOnce (recommended), ReadWriteOncePod, ReadWriteMany (not recommended)                                                                                               | `ReadWriteOnce`      |
+| `persistence.storageClass`         | What storage class to use for persistence                                                                                                                                                                                               | `nil`                |
+| `persistence.hostPath`             | Which path to use on the host when persistence.type = hostPath                                                                                                                                                                          | `""`                 |

charts/spire/charts/spike-nexus/templates/NOTES.txt

@@ -0,0 +1 @@
+Installed {{ .Chart.Name }}…

charts/spire/charts/spike-nexus/templates/_helpers.tpl

@@ -0,0 +1,83 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "spike-nexus.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "spike-nexus.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "spike-nexus.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
+    {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
+      {{- .Values.global.spire.namespaces.server.name }}
+    {{- else }}
+      {{- printf "spire-server" }}
+    {{- end }}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "spike-nexus.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "spike-nexus.labels" -}}
+helm.sh/chart: {{ include "spike-nexus.chart" . }}
+{{ include "spike-nexus.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "spike-nexus.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "spike-nexus.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "spike-nexus.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "spike-nexus.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "spike-nexus.workload-api-socket-path" -}}
+{{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
+{{- end }}

charts/spire/charts/spike-nexus/templates/ingress.yaml

@@ -0,0 +1,31 @@
+{{- if .Values.ingress.enabled -}}
+{{ $root := . }}
+{{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.ingress) }}
+{{- $fullName := include "spike-nexus.fullname" . -}}
+{{- $tlsSection := true }}
+{{- $annotations := deepCopy .Values.ingress.annotations }}
+{{- if eq $ingressControllerType "ingress-nginx" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
+{{- else if eq $ingressControllerType "openshift" }}
+{{-   $path = "" }}
+{{-   $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
+{{-   $tlsSection = false }}
+{{- end }}
+{{ $last := sub (.Values.replicas | int) 1 | int }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ include "spike-nexus.namespace" $root }}
+  labels:
+    {{ include "spike-nexus.labels" $root | nindent 4}}
+  {{- with $annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.ingress "svcName" $fullName "port" $root.Values.service.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" $root.Values) | nindent 2 }}
+{{- end }}

charts/spire/charts/spike-nexus/templates/service.yaml

@@ -0,0 +1,20 @@
+{{ $root := . }}
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: {{ include "spike-nexus.namespace" $root }}
+  name: {{ include "spike-nexus.fullname" $root }}
+  {{- with $root.Values.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "spike-nexus.labels" $root | nindent 4 }}
+spec:
+  type: {{ $root.Values.service.type }}
+  selector:
+    {{- include "spike-nexus.selectorLabels" $root | nindent 4 }}
+  ports:
+    - name: {{ include "spike-nexus.fullname" $root }}
+      port: {{ $root.Values.service.port }}
+      targetPort: http

charts/spire/charts/spike-nexus/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "spike-nexus.serviceAccountName" . }}
+  namespace: {{ include "spike-nexus.namespace" . }}
+  labels:
+    {{- include "spike-nexus.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/spire/charts/spike-nexus/templates/statefulset.yaml

@@ -0,0 +1,114 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ include "spike-nexus.fullname" . }}
+  namespace: {{ include "spike-nexus.namespace" . }}
+  labels:
+    {{- include "spike-nexus.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      {{- include "spike-nexus.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "spike-nexus.selectorLabels" . | nindent 8 }}
+        release: {{ .Release.Name }}
+        release-namespace: {{ .Release.Namespace }}
+        component: spike-nexus
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "spike-nexus.serviceAccountName" . }}
+      securityContext:
+        {{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
+      containers:
+        - name:  {{ include "spike-nexus.fullname" . }}
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{- include "spire-lib.securitycontext" . | nindent 12 }}
+          ports:
+            - name: http
+              containerPort: 8443
+              protocol: TCP
+          env:
+            - name: SPIKE_NEXUS_BACKEND_STORE
+              value: {{ .Values.backendStore | quote }}
+            - name: SPIKE_NEXUS_SHAMIR_SHARES
+              value: {{ .Values.shamir.shares | quote }}
+            - name: SPIKE_NEXUS_SHAMIR_THRESHOLD
+              value: {{ .Values.shamir.threshold | quote }}
+            # Note: IP will depend on the testbed.
+            - name: SPIKE_NEXUS_KEEPER_PEERS
+              {{- if gt (len .Values.keeperPeers) 0 }}
+              value: {{ .Values.keeperPeers | join "," | quote }}
+              {{- else }}
+              value: https://{{ .Release.Name }}-spike-keeper-0.{{ .Release.Name }}-spike-keeper-headless:8443,https://{{ .Release.Name }}-spike-keeper-1.{{ .Release.Name }}-spike-keeper-headless:8443,https://{{ .Release.Name }}-spike-keeper-2.{{ .Release.Name }}-spike-keeper-headless:8443
+              {{- end }}
+            - name: SPIFFE_ENDPOINT_SOCKET
+              value: unix://{{ include "spike-nexus.workload-api-socket-path" . }}
+            - name: SPIKE_SYSTEM_LOG_LEVEL
+              value: {{ .Values.logLevel | upper }}
+            - name: SPIKE_TRUST_ROOT
+              value: {{ include "spire-lib.trust-domain" . }}
+            - name: SPIKE_TRUST_ROOT_KEEPER
+              value: {{ if gt (len .Values.trustRoot.keepers) 0 }}{{ .Values.trustRoot.keepers | join "," | quote}}{{ else }}{{ include "spire-lib.trust-domain" . }}{{ end }}
+            - name: SPIKE_TRUST_ROOT_PILOT
+              value: {{if eq .Values.trustRoot.pilot "" }}{{ include "spire-lib.trust-domain" . }}{{ else }}{{.Values.trustRoot.pilot }}{{ end }}
+            - name: SPIKE_NEXUS_TLS_PORT
+              value: ":8443"
+          {{- if .Values.startupProbe.enabled }}
+          startupProbe:
+            tcpSocket:
+              port: 8443
+            failureThreshold: {{ .Values.startupProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.startupProbe.periodSeconds }}
+            successThreshold: {{ .Values.startupProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
+          {{- end }}
+          volumeMounts:
+            - name: spiffe-workload-api
+              mountPath: {{ include "spike-nexus.workload-api-socket-path" . | dir }}
+              readOnly: true
+            - name: nexus-data
+              mountPath: /.spike
+      {{- with .Values.nodeSelector }}
+
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: spiffe-workload-api
+          csi:
+            driver: "{{ .Values.csiDriverName }}"
+            readOnly: true
+  volumeClaimTemplates:
+    - metadata:
+        name: nexus-data
+      spec:
+        accessModes:
+          - {{ .Values.persistence.accessMode | default "ReadWriteOnce" }}
+        resources:
+          requests:
+            storage: {{ .Values.persistence.size }}
+        {{- $storageClass := (dig "spire" "persistence" "storageClass" nil .Values.global) | default .Values.persistence.storageClass }}
+        {{- if $storageClass }}
+        storageClassName: {{ $storageClass }}
+        {{- end }}

charts/spire/charts/spike-nexus/values.yaml

@@ -0,0 +1,175 @@
+# Default configuration for SPIKE Keeper
+# SPDX-License-Identifier: APACHE-2.0
+
+## @skip global
+global: {}
+
+## @section Chart parameters
+##
+## @param image.registry The OCI registry to pull the image from
+## @param image.repository The repository within the registry
+## @param image.pullPolicy The image pull policy
+## @param image.tag Overrides the image tag whose default is the chart appVersion
+##
+image:
+  registry: ghcr.io
+  repository: spiffe/spike-nexus
+  pullPolicy: IfNotPresent
+  tag: ""
+
+## @param backendStore The backend store to use. Must be one of [sqlite, memory, lite]
+backendStore: sqlite
+
+## @param replicas The number of keepers to launch
+replicas: 1
+
+shamir:
+  ## @param shamir.shares How many shares to configure for shamir secrets
+  shares: 3
+  ## @param shamir.threshold How many shares needed to recover
+  threshold: 2
+
+## @param keeperPeers Keeper peer configuration. If blank, it will be autodetected
+keeperPeers: []
+
+trustRoot:
+  ## @param trustRoot.nexus Override which trustRoot Nexus is in
+  nexus: ""
+  ## @param trustRoot.keepers Override which trustRoot Keepers are in
+  keepers: []
+  ## @param trustRoot.pilot Override which trustRoot Pilot is in
+  pilot: ""
+
+## @param logLevel The log level, valid values are "debug", "info", "warn", and "error"
+logLevel: debug
+
+## @param agentSocketName The name of the spire-agent unix socket
+agentSocketName: spire-agent.sock
+## @param csiDriverName The csi driver to use
+csiDriverName: csi.spiffe.io
+
+## @param imagePullSecrets [array] Pull secrets for images
+imagePullSecrets: []
+
+## @param nameOverride Name override
+nameOverride: ""
+
+## @param namespaceOverride Namespace override
+namespaceOverride: ""
+
+## @param fullnameOverride Fullname override
+fullnameOverride: ""
+
+## @param serviceAccount.create Specifies whether a service account should be created
+## @param serviceAccount.annotations [object] Annotations to add to the service account
+## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
+##
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""
+
+## @param labels [object] Labels for pods
+labels: {}
+
+## @param podSecurityContext [object] Pod security context
+podSecurityContext: {}
+  # fsGroup: 2000
+
+## @param securityContext [object] Security context
+securityContext:
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+
+## @param service.type Service type
+## @param service.port Service port
+## @param service.annotations Annotations for service resource
+##
+service:
+  type: ClusterIP
+  port: 443
+  annotations: {}
+
+## @param nodeSelector (Optional) Select specific nodes to run on.
+nodeSelector: {}
+
+## @param affinity [object] Affinity rules
+affinity: {}
+
+## @param tolerations [array] List of tolerations
+tolerations: []
+
+## @param topologySpreadConstraints [array] List of topology spread constraints for resilience
+topologySpreadConstraints: []
+
+## Provide minimal resources to prevent accidental crashes due to resource exhaustion
+# resources:
+#   requests:
+#     cpu: 50m
+#     memory: 128Mi
+#   limits:
+#     cpu: 100m
+#     memory: 512Mi
+
+## Configure extra options for startup probe
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
+## @param startupProbe.enabled Enable startupProbe
+## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+## @param startupProbe.periodSeconds Period seconds for startupProbe
+## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
+## @param startupProbe.failureThreshold Failure threshold count for startupProbe
+## @param startupProbe.successThreshold Success threshold count for startupProbe
+##
+startupProbe:
+  enabled: true
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
+
+## @param ingress.enabled Flag to enable ingress
+## @param ingress.className Ingress class name
+## @param ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
+## @param ingress.annotations [object] Annotations
+ingress:
+  enabled: false
+  className: ""
+  controllerType: ""
+  annotations: {}
+
+  ## @param ingress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
+  host: "nexus"
+
+  ## @param ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
+  tlsSecret: ""
+
+  ## @param ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
+  hosts: []
+  #   - host: nexus.example.org
+  #     paths:
+  #       - path: /
+  #         pathType: Prefix
+
+  ## @param ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - nexus.example.org
+
+## @param persistence.type What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only)
+## @param persistence.size What size volume to use for persistence
+## @param persistence.accessMode What access mode to use for persistence. Valid options are ReadWriteOnce (recommended), ReadWriteOncePod, ReadWriteMany (not recommended)
+## @param persistence.storageClass What storage class to use for persistence
+## @param persistence.hostPath Which path to use on the host when persistence.type = hostPath
+##
+persistence:
+  type: pvc
+  size: 1Gi
+  accessMode: ReadWriteOnce
+  storageClass: null
+  hostPath: ""

charts/spire/charts/spike-pilot/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: spike-pilot
+description: A Helm chart to deploy SPIKE Pilot
+type: application
+version: 0.1.0
+appVersion: "0.4.2"
+home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
+sources:
+  - https://github.com/spiffe/spike
+icon: https://spike.ist/assets/spike-banner.png
+maintainers:
+  - name: kfox1111
+    email: Kevin.Fox@pnnl.gov

charts/spire/charts/spike-pilot/README.md

@@ -0,0 +1,63 @@
+# spike-pilot
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.1](https://img.shields.io/badge/AppVersion-v0.4.1-informational?style=flat-square)
+[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
+
+A Helm chart to deploy spike pilot
+
+**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
+
+## Version support
+
+> [!Note]
+> This Chart is still in development and still subject to change the API (`values.yaml`).
+> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
+> we do aim for as much stability as possible.
+
+| Dependency | Supported Versions |
+|:-----------|:-------------------|
+| Helm       | `3.x`              |
+
+## Source Code
+
+* <https://github.com/spiffe/spike>
+
+<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
+
+## Parameters
+
+### Chart parameters
+
+| Name                             | Description                                                                                 | Value                |
+| -------------------------------- | ------------------------------------------------------------------------------------------- | -------------------- |
+| `image.registry`                 | The OCI registry to pull the image from                                                     | `ghcr.io`            |
+| `image.repository`               | The repository within the registry                                                          | `spiffe/spike-pilot` |
+| `image.pullPolicy`               | The image pull policy                                                                       | `IfNotPresent`       |
+| `image.tag`                      | Overrides the image tag whose default is the chart appVersion                               | `""`                 |
+| `shell.image.registry`           | The OCI registry to pull the image from                                                     | `""`                 |
+| `shell.image.repository`         | The repository within the registry                                                          | `busybox`            |
+| `shell.image.pullPolicy`         | The image pull policy                                                                       | `IfNotPresent`       |
+| `shell.image.tag`                | Overrides the image tag whose default is the chart appVersion                               | `1.37.0-uclibc`      |
+| `tools.busybox.image.registry`   | The OCI registry to pull the image from                                                     | `""`                 |
+| `tools.busybox.image.repository` | The repository within the registry                                                          | `busybox`            |
+| `tools.busybox.image.pullPolicy` | The image pull policy                                                                       | `IfNotPresent`       |
+| `tools.busybox.image.tag`        | Overrides the image tag whose default is the chart appVersion                               | `1.37.0-uclibc`      |
+| `replicas`                       | The number of keepers to launch                                                             | `1`                  |
+| `trustRoot.nexus`                | Override which trustRoot Nexus is in                                                        | `""`                 |
+| `logLevel`                       | The log level, valid values are "debug", "info", "warn", and "error"                        | `debug`              |
+| `agentSocketName`                | The name of the spire-agent unix socket                                                     | `spire-agent.sock`   |
+| `csiDriverName`                  | The csi driver to use                                                                       | `csi.spiffe.io`      |
+| `imagePullSecrets`               | Pull secrets for images                                                                     | `[]`                 |
+| `nameOverride`                   | Name override                                                                               | `""`                 |
+| `namespaceOverride`              | Namespace override                                                                          | `""`                 |
+| `fullnameOverride`               | Fullname override                                                                           | `""`                 |
+| `serviceAccount.create`          | Specifies whether a service account should be created                                       | `true`               |
+| `serviceAccount.annotations`     | Annotations to add to the service account                                                   | `{}`                 |
+| `serviceAccount.name`            | The name of the service account to use. If not set and create is true, a name is generated. | `""`                 |
+| `labels`                         | Labels for pods                                                                             | `{}`                 |
+| `podSecurityContext`             | Pod security context                                                                        | `{}`                 |
+| `securityContext`                | Security context                                                                            | `{}`                 |
+| `nodeSelector`                   | (Optional) Select specific nodes to run on.                                                 | `{}`                 |
+| `affinity`                       | Affinity rules                                                                              | `{}`                 |
+| `tolerations`                    | List of tolerations                                                                         | `[]`                 |
+| `topologySpreadConstraints`      | List of topology spread constraints for resilience                                          | `[]`                 |

charts/spire/charts/spike-pilot/templates/NOTES.txt

@@ -0,0 +1 @@
+Installed {{ .Chart.Name }}…

charts/spire/charts/spike-pilot/templates/_helpers.tpl

@@ -0,0 +1,83 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "spike-pilot.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "spike-pilot.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "spike-pilot.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
+    {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
+      {{- .Values.global.spire.namespaces.server.name }}
+    {{- else }}
+      {{- printf "spire-server" }}
+    {{- end }}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "spike-pilot.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "spike-pilot.labels" -}}
+helm.sh/chart: {{ include "spike-pilot.chart" . }}
+{{ include "spike-pilot.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "spike-pilot.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "spike-pilot.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "spike-pilot.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "spike-pilot.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "spike-pilot.workload-api-socket-path" -}}
+{{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
+{{- end }}

charts/spire/charts/spike-pilot/templates/deployment.yaml

@@ -0,0 +1,96 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "spike-pilot.fullname" . }}
+  namespace: {{ include "spike-pilot.namespace" . }}
+  labels:
+    {{- include "spike-pilot.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      {{- include "spike-pilot.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "spike-pilot.selectorLabels" . | nindent 8 }}
+        release: {{ .Release.Name }}
+        release-namespace: {{ .Release.Namespace }}
+        component: spike-pilot
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "spike-pilot.serviceAccountName" . }}
+      securityContext:
+        {{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
+      initContainers:
+        - name:  init
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.busybox.image "global" .Values.global "ubi" true) }}
+          imagePullPolicy: {{ .Values.tools.busybox.image.pullPolicy }}
+          command: ["/bin/sh", "-c", "cp -a /bin/busybox /data"]
+          securityContext:
+            {{- include "spire-lib.securitycontext" . | nindent 12 }}
+          volumeMounts:
+            - name: pilot
+              mountPath: /data
+        - name:  init2
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: ["/data/busybox", "sh", "-c", "/data/busybox cp -a /usr/local/bin/spike /data && /data/busybox rm -f /data/busybox"]
+          securityContext:
+            {{- include "spire-lib.securitycontext" . | nindent 12 }}
+          volumeMounts:
+            - name: pilot
+              mountPath: /data
+      containers:
+        - name:  {{ include "spike-pilot.fullname" . }}
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.shell.image "global" .Values.global "ubi" true) }}
+          imagePullPolicy: {{ .Values.shell.image.pullPolicy }}
+          command: ["/bin/sh", "-c", "echo I live; while true; do sleep 1000; done"]
+          securityContext:
+            {{- include "spire-lib.securitycontext" . | nindent 12 }}
+          env:
+            #FIXME make this configurable
+            - name: SPIKE_NEXUS_API_URL
+              value: https://{{ .Release.Name }}-spike-nexus:443
+            - name: SPIFFE_ENDPOINT_SOCKET
+              value: unix://{{ include "spike-pilot.workload-api-socket-path" . }}
+            - name: SPIKE_SYSTEM_LOG_LEVEL
+              value: {{ .Values.logLevel | upper }}
+            - name: SPIKE_TRUST_ROOT
+              value: {{ include "spire-lib.trust-domain" . }}
+            - name: SPIKE_TRUST_ROOT_NEXUS
+              value: {{if eq .Values.trustRoot.Nexus "" }}{{ include "spire-lib.trust-domain" . }}{{ else }}{{.Values.trustRoot.Nexus }}{{ end }}
+          volumeMounts:
+            - name: spiffe-workload-api
+              mountPath: {{ include "spike-pilot.workload-api-socket-path" . | dir }}
+              readOnly: true
+            - name: pilot
+              mountPath: /bin/spike
+              subPath: spike
+              readOnly: true
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: pilot
+          emptyDir: {}
+        - name: spiffe-workload-api
+          csi:
+            driver: "{{ .Values.csiDriverName }}"
+            readOnly: true

charts/spire/charts/spike-pilot/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "spike-pilot.serviceAccountName" . }}
+  namespace: {{ include "spike-pilot.namespace" . }}
+  labels:
+    {{- include "spike-pilot.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/spire/charts/spike-pilot/values.yaml

@@ -0,0 +1,116 @@
+# Default configuration for SPIKE Keeper
+# SPDX-License-Identifier: APACHE-2.0
+
+## @skip global
+global: {}
+
+## @section Chart parameters
+##
+## @param image.registry The OCI registry to pull the image from
+## @param image.repository The repository within the registry
+## @param image.pullPolicy The image pull policy
+## @param image.tag Overrides the image tag whose default is the chart appVersion
+##
+image:
+  registry: ghcr.io
+  repository: spiffe/spike-pilot
+  pullPolicy: IfNotPresent
+  tag: ""
+
+shell:
+  ## @param shell.image.registry The OCI registry to pull the image from
+  ## @param shell.image.repository The repository within the registry
+  ## @param shell.image.pullPolicy The image pull policy
+  ## @param shell.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: ""
+    repository: busybox
+    pullPolicy: IfNotPresent
+    tag: 1.37.0-uclibc
+
+tools:
+  busybox:
+    ## @param tools.busybox.image.registry The OCI registry to pull the image from
+    ## @param tools.busybox.image.repository The repository within the registry
+    ## @param tools.busybox.image.pullPolicy The image pull policy
+    ## @param tools.busybox.image.tag Overrides the image tag whose default is the chart appVersion
+    ##
+    image:
+      registry: ""
+      repository: busybox
+      pullPolicy: IfNotPresent
+      tag: 1.37.0-uclibc
+
+## @param replicas The number of keepers to launch
+replicas: 1
+
+trustRoot:
+  ## @param trustRoot.nexus Override which trustRoot Nexus is in
+  nexus: ""
+
+## @param logLevel The log level, valid values are "debug", "info", "warn", and "error"
+logLevel: debug
+
+## @param agentSocketName The name of the spire-agent unix socket
+agentSocketName: spire-agent.sock
+## @param csiDriverName The csi driver to use
+csiDriverName: csi.spiffe.io
+
+## @param imagePullSecrets [array] Pull secrets for images
+imagePullSecrets: []
+
+## @param nameOverride Name override
+nameOverride: ""
+
+## @param namespaceOverride Namespace override
+namespaceOverride: ""
+
+## @param fullnameOverride Fullname override
+fullnameOverride: ""
+
+## @param serviceAccount.create Specifies whether a service account should be created
+## @param serviceAccount.annotations [object] Annotations to add to the service account
+## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
+##
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""
+
+## @param labels [object] Labels for pods
+labels: {}
+
+## @param podSecurityContext [object] Pod security context
+podSecurityContext: {}
+  # fsGroup: 2000
+
+## @param securityContext [object] Security context
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+## @param nodeSelector (Optional) Select specific nodes to run on.
+nodeSelector: {}
+
+## @param affinity [object] Affinity rules
+affinity: {}
+
+## @param tolerations [array] List of tolerations
+tolerations: []
+
+## @param topologySpreadConstraints [array] List of topology spread constraints for resilience
+topologySpreadConstraints: []
+
+## Provide minimal resources to prevent accidental crashes due to resource exhaustion
+# resources:
+#   requests:
+#     cpu: 50m
+#     memory: 128Mi
+#   limits:
+#     cpu: 100m
+#     memory: 512Mi

charts/spire/charts/spire-agent/Chart.yaml

@@ -3,7 +3,7 @@ name: spire-agent
 description: A Helm chart to install the SPIRE agent.
 type: application
 version: 0.1.0
-appVersion: "1.9.0"
+appVersion: "1.12.4"
 keywords: ["spiffe", "spire-agent"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:

charts/spire/charts/spire-agent/README.md

@@ -25,107 +25,128 @@ A Helm chart to install the SPIRE agent.
 
 ### Chart parameters
 
-| Name                                              | Description                                                                                                                                                                                       | Value                                                                            |
-| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
-| `image.registry`                                  | The OCI registry to pull the image from                                                                                                                                                           | `ghcr.io`                                                                        |
-| `image.repository`                                | The repository within the registry                                                                                                                                                                | `spiffe/spire-agent`                                                             |
-| `image.pullPolicy`                                | The image pull policy                                                                                                                                                                             | `IfNotPresent`                                                                   |
-| `image.tag`                                       | Overrides the image tag whose default is the chart appVersion                                                                                                                                     | `""`                                                                             |
-| `imagePullSecrets`                                | Pull secrets for images                                                                                                                                                                           | `[]`                                                                             |
-| `nameOverride`                                    | Name override                                                                                                                                                                                     | `""`                                                                             |
-| `namespaceOverride`                               | Namespace override                                                                                                                                                                                | `""`                                                                             |
-| `fullnameOverride`                                | Fullname override                                                                                                                                                                                 | `""`                                                                             |
-| `serviceAccount.create`                           | Specifies whether a service account should be created                                                                                                                                             | `true`                                                                           |
-| `serviceAccount.annotations`                      | Annotations to add to the service account                                                                                                                                                         | `{}`                                                                             |
-| `serviceAccount.name`                             | The name of the service account to use.                                                                                                                                                           | `""`                                                                             |
-| `configMap.annotations`                           | Annotations to add to the SPIRE Agent ConfigMap                                                                                                                                                   | `{}`                                                                             |
-| `podAnnotations`                                  | Annotations to add to pods                                                                                                                                                                        | `{}`                                                                             |
-| `podLabels`                                       | Labels to add to pods                                                                                                                                                                             | `{}`                                                                             |
-| `podSecurityContext`                              | Pod security context                                                                                                                                                                              | `{}`                                                                             |
-| `securityContext`                                 | Security context                                                                                                                                                                                  | `{}`                                                                             |
-| `resources`                                       | Resource requests and limits                                                                                                                                                                      | `{}`                                                                             |
-| `nodeSelector`                                    | Node selector                                                                                                                                                                                     | `{}`                                                                             |
-| `tolerations`                                     | List of tolerations                                                                                                                                                                               | `[]`                                                                             |
-| `affinity`                                        | Node affinity                                                                                                                                                                                     | `{}`                                                                             |
-| `authorizedDelegates`                             | A list of the authorized delegates SPIFFE IDs. See Delegated Identity API for more information.                                                                                                   | `[]`                                                                             |
-| `logLevel`                                        | The log level, valid values are "debug", "info", "warn", and "error"                                                                                                                              | `info`                                                                           |
-| `clusterName`                                     | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`)                                                                                                                          | `example-cluster`                                                                |
-| `trustDomain`                                     | The trust domain to be used for the SPIFFE identifiers                                                                                                                                            | `example.org`                                                                    |
-| `trustBundleURL`                                  | If set, obtain trust bundle from url instead of Kubernetes ConfigMap                                                                                                                              | `""`                                                                             |
-| `trustBundleFormat`                               | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe"                                                                                                                   | `pem`                                                                            |
-| `bundleConfigMap`                                 | Configmap name for Spire bundle                                                                                                                                                                   | `spire-bundle`                                                                   |
-| `availabilityTarget`                              | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. | `""`                                                                             |
-| `disableReattestToRenew`                          | Deprecated: Allow agent to renew certificate when it expires rather than reattest                                                                                                                 | `false`                                                                          |
-| `server.address`                                  | Address for Spire server                                                                                                                                                                          | `""`                                                                             |
-| `server.port`                                     | Port number for Spire server                                                                                                                                                                      | `8081`                                                                           |
-| `server.namespaceOverride`                        | Override the namespace for Spire server                                                                                                                                                           | `""`                                                                             |
-| `healthChecks.port`                               | override the host port used for health checking                                                                                                                                                   | `9982`                                                                           |
-| `updateStrategy.type`                             | The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete.                                                                                    | `RollingUpdate`                                                                  |
-| `updateStrategy.rollingUpdate.maxUnavailable`     | Max unavailable pods during update. Can be a number or a percentage.                                                                                                                              | `1`                                                                              |
-| `livenessProbe.initialDelaySeconds`               | Initial delay seconds for probe                                                                                                                                                                   | `15`                                                                             |
-| `livenessProbe.periodSeconds`                     | Period seconds for probe                                                                                                                                                                          | `60`                                                                             |
-| `readinessProbe.initialDelaySeconds`              | Initial delay seconds for probe                                                                                                                                                                   | `10`                                                                             |
-| `readinessProbe.periodSeconds`                    | Period seconds for probe                                                                                                                                                                          | `30`                                                                             |
-| `waitForIt.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                           | `cgr.dev`                                                                        |
-| `waitForIt.image.repository`                      | The repository within the registry                                                                                                                                                                | `chainguard/wait-for-it`                                                         |
-| `waitForIt.image.pullPolicy`                      | The image pull policy                                                                                                                                                                             | `IfNotPresent`                                                                   |
-| `waitForIt.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                     | `latest@sha256:caead414307e81dbdd86d30662fdfe1b999dd4ce8a10fa667dab3438d0eed193` |
-| `waitForIt.resources`                             | Resource requests and limits                                                                                                                                                                      | `{}`                                                                             |
-| `fsGroupFix.image.registry`                       | The OCI registry to pull the image from                                                                                                                                                           | `cgr.dev`                                                                        |
-| `fsGroupFix.image.repository`                     | The repository within the registry                                                                                                                                                                | `chainguard/bash`                                                                |
-| `fsGroupFix.image.pullPolicy`                     | The image pull policy                                                                                                                                                                             | `Always`                                                                         |
-| `fsGroupFix.image.tag`                            | Overrides the image tag whose default is the chart appVersion                                                                                                                                     | `latest@sha256:81f0b434b297453ff101de0b5f4f5cd8d4af1c015a1d34162e9ae9a4a9f38669` |
-| `fsGroupFix.resources`                            | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/                                                                                      | `{}`                                                                             |
-| `keyManager.memory.enabled`                       | Enable the memory based Key Manager                                                                                                                                                               | `true`                                                                           |
-| `nodeAttestor.k8sPsat.enabled`                    | Enable Psat k8s Node Attestor                                                                                                                                                                     | `true`                                                                           |
-| `nodeAttestor.tpmDirect.enabled`                  | Enable the direct TPM node attestor, a 3rd party plugin by Boxboat. This plugin is experimental.                                                                                                  | `false`                                                                          |
-| `nodeAttestor.tpmDirect.plugin.image.registry`    | The OCI registry to pull the image from                                                                                                                                                           | `docker.io`                                                                      |
-| `nodeAttestor.tpmDirect.plugin.image.repository`  | The repository within the registry                                                                                                                                                                | `boxboat/spire-tpm-plugin-tpm-attestor-agent`                                    |
-| `nodeAttestor.tpmDirect.plugin.image.pullPolicy`  | The image pull policy                                                                                                                                                                             | `IfNotPresent`                                                                   |
-| `nodeAttestor.tpmDirect.plugin.image.tag`         | Overrides the image tag                                                                                                                                                                           | `v1.8.7`                                                                         |
-| `nodeAttestor.tpmDirect.plugin.checksum`          | The sha256 checksum of the plugin binary                                                                                                                                                          | `1d7c73ccac948ee86cbd78ddde2d30128a1838b403f7bb2100d38d916a252244`               |
-| `nodeAttestor.tpmDirect.plugin.path`              | The filename in the container of the plugin                                                                                                                                                       | `/app/tpm_attestor_agent`                                                        |
-| `nodeAttestor.tpmDirect.pubHash.enabled`          | Enable Psat k8s nodeattestor                                                                                                                                                                      | `true`                                                                           |
-| `nodeAttestor.tpmDirect.pubHash.image.registry`   | The OCI registry to pull the image from                                                                                                                                                           | `docker.io`                                                                      |
-| `nodeAttestor.tpmDirect.pubHash.image.repository` | The repository within the registry                                                                                                                                                                | `boxboat/spire-tpm-plugin-get-tpm-pubhash`                                       |
-| `nodeAttestor.tpmDirect.pubHash.image.pullPolicy` | The image pull policy                                                                                                                                                                             | `IfNotPresent`                                                                   |
-| `nodeAttestor.tpmDirect.pubHash.image.tag`        | Overrides the image tag                                                                                                                                                                           | `v1.8.7`                                                                         |
-| `workloadAttestors.unix.enabled`                  | Enables the Unix workload attestor                                                                                                                                                                | `false`                                                                          |
-| `workloadAttestors.k8s.enabled`                   | Enables the Kubernetes workload attestor                                                                                                                                                          | `true`                                                                           |
-| `workloadAttestors.k8s.skipKubeletVerification`   | If true, kubelet certificate verification is skipped                                                                                                                                              | `true`                                                                           |
-| `workloadAttestors.k8s.disableContainerSelectors` | Set to true if using holdApplicationUntilProxyStarts in Istio                                                                                                                                     | `false`                                                                          |
-| `sds.enabled`                                     | Enables Envoy SDS configuration                                                                                                                                                                   | `false`                                                                          |
-| `sds.defaultSvidName`                             | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS                                                                                                                 | `default`                                                                        |
-| `sds.defaultBundleName`                           | The Validation Context resource name to use for the default X.509 bundle with Envoy SDS                                                                                                           | `ROOTCA`                                                                         |
-| `sds.defaultAllBundlesName`                       | The Validation Context resource name to use for all bundles (including federated) with Envoy SDS                                                                                                  | `ALL`                                                                            |
-| `sds.disableSpiffeCertValidation`                 | Disable Envoy SDS custom validation                                                                                                                                                               | `false`                                                                          |
-| `telemetry.prometheus.enabled`                    | Flag to enable prometheus monitoring                                                                                                                                                              | `false`                                                                          |
-| `telemetry.prometheus.port`                       | Port for prometheus metrics                                                                                                                                                                       | `9988`                                                                           |
-| `telemetry.prometheus.podMonitor.enabled`         | Enable podMonitor for prometheus                                                                                                                                                                  | `false`                                                                          |
-| `telemetry.prometheus.podMonitor.namespace`       | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent                                                                                               | `""`                                                                             |
-| `telemetry.prometheus.podMonitor.labels`          | Pod labels to filter for prometheus monitoring                                                                                                                                                    | `{}`                                                                             |
-| `kubeletConnectByHostname`                        | If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise.                                                      | `""`                                                                             |
-| `socketPath`                                      | The unix socket path to the spire-agent                                                                                                                                                           | `/run/spire/agent-sockets/spire-agent.sock`                                      |
-| `socketAlternate.names`                           | List of alternate names for the socket that workloads might expect to be able to access in the driver mount.                                                                                      | `["socket","spire-agent.sock","api.sock"]`                                       |
-| `socketAlternate.image.registry`                  | The OCI registry to pull the image from                                                                                                                                                           | `cgr.dev`                                                                        |
-| `socketAlternate.image.repository`                | The repository within the registry                                                                                                                                                                | `chainguard/bash`                                                                |
-| `socketAlternate.image.pullPolicy`                | The image pull policy                                                                                                                                                                             | `Always`                                                                         |
-| `socketAlternate.image.tag`                       | Overrides the image tag whose default is the chart appVersion                                                                                                                                     | `latest@sha256:81f0b434b297453ff101de0b5f4f5cd8d4af1c015a1d34162e9ae9a4a9f38669` |
-| `socketAlternate.resources`                       | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/                                                                                      | `{}`                                                                             |
-| `priorityClassName`                               | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName.                                                                                         | `""`                                                                             |
-| `extraEnvVars`                                    | Extra environment variables to be added to the Spire Agent container                                                                                                                              | `[]`                                                                             |
-| `extraVolumes`                                    | Extra volumes to be mounted on Spire Agent pods                                                                                                                                                   | `[]`                                                                             |
-| `extraVolumeMounts`                               | Extra volume mounts for Spire Agent pods                                                                                                                                                          | `[]`                                                                             |
-| `extraContainers`                                 | Additional containers to create with Spire Agent pods                                                                                                                                             | `[]`                                                                             |
-| `initContainers`                                  | Additional init containers to create with Spire Agent pods                                                                                                                                        | `[]`                                                                             |
-| `hostAliases`                                     | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/                                                                               | `[]`                                                                             |
-| `customPlugins.keyManager`                        | Custom plugins of type KeyManager are configured here                                                                                                                                             | `{}`                                                                             |
-| `customPlugins.nodeAttestor`                      | Custom plugins of type NodeAttestor are configured here                                                                                                                                           | `{}`                                                                             |
-| `customPlugins.svidStore`                         | Custom plugins of type SVIDStore are configured here                                                                                                                                              | `{}`                                                                             |
-| `customPlugins.workloadAttestor`                  | Custom plugins of type WorkloadAttestor are configured here                                                                                                                                       | `{}`                                                                             |
-| `experimental.enabled`                            | Allow configuration of experimental features                                                                                                                                                      | `false`                                                                          |
-| `experimental.syncInterval`                       | Sync interval with SPIRE server with exponential backoff                                                                                                                                          | `5s`                                                                             |
-| `experimental.featureFlags`                       | List of developer feature flags                                                                                                                                                                   | `[]`                                                                             |
-| `sockets.hostBasePath`                            | Path on which the agent socket is made available when admin.mountOnHost is true                                                                                                                   | `/run/spire/agent/sockets`                                                       |
-| `sockets.admin.enabled`                           | Enable the admin socket. Useful for admin tasks or the Delegated Identity API.                                                                                                                    | `false`                                                                          |
-| `sockets.admin.mountOnHost`                       | Enable the admin socket to be visible on the host.                                                                                                                                                | `false`                                                                          |
+| Name                                                   | Description                                                                                                                                                                                       | Value                                                                            |
+| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
+| `image.registry`                                       | The OCI registry to pull the image from                                                                                                                                                           | `ghcr.io`                                                                        |
+| `image.repository`                                     | The repository within the registry                                                                                                                                                                | `spiffe/spire-agent`                                                             |
+| `image.pullPolicy`                                     | The image pull policy                                                                                                                                                                             | `IfNotPresent`                                                                   |
+| `image.tag`                                            | Overrides the image tag whose default is the chart appVersion                                                                                                                                     | `""`                                                                             |
+| `imagePullSecrets`                                     | Pull secrets for images                                                                                                                                                                           | `[]`                                                                             |
+| `nameOverride`                                         | Name override                                                                                                                                                                                     | `""`                                                                             |
+| `namespaceOverride`                                    | Namespace override                                                                                                                                                                                | `""`                                                                             |
+| `fullnameOverride`                                     | Fullname override                                                                                                                                                                                 | `""`                                                                             |
+| `serviceAccount.create`                                | Specifies whether a service account should be created                                                                                                                                             | `true`                                                                           |
+| `serviceAccount.annotations`                           | Annotations to add to the service account                                                                                                                                                         | `{}`                                                                             |
+| `serviceAccount.name`                                  | The name of the service account to use.                                                                                                                                                           | `""`                                                                             |
+| `configMap.annotations`                                | Annotations to add to the SPIRE Agent ConfigMap                                                                                                                                                   | `{}`                                                                             |
+| `podAnnotations`                                       | Annotations to add to pods                                                                                                                                                                        | `{}`                                                                             |
+| `podLabels`                                            | Labels to add to pods                                                                                                                                                                             | `{}`                                                                             |
+| `podSecurityContext`                                   | Pod security context                                                                                                                                                                              | `{}`                                                                             |
+| `securityContext`                                      | Security context                                                                                                                                                                                  | `{}`                                                                             |
+| `resources`                                            | Resource requests and limits                                                                                                                                                                      | `{}`                                                                             |
+| `nodeSelector`                                         | Node selector                                                                                                                                                                                     | `{}`                                                                             |
+| `tolerations`                                          | List of tolerations                                                                                                                                                                               | `[]`                                                                             |
+| `affinity`                                             | Node affinity                                                                                                                                                                                     | `{}`                                                                             |
+| `authorizedDelegates`                                  | A list of the authorized delegates SPIFFE IDs. See Delegated Identity API for more information.                                                                                                   | `[]`                                                                             |
+| `logLevel`                                             | The log level, valid values are "debug", "info", "warn", and "error"                                                                                                                              | `info`                                                                           |
+| `clusterName`                                          | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`)                                                                                                                          | `example-cluster`                                                                |
+| `trustDomain`                                          | The trust domain to be used for the SPIFFE identifiers                                                                                                                                            | `example.org`                                                                    |
+| `trustBundleURL`                                       | If set, obtain trust bundle from url instead of Kubernetes ConfigMap                                                                                                                              | `""`                                                                             |
+| `trustBundleFormat`                                    | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe"                                                                                                                   | `spiffe`                                                                         |
+| `trustBundleHostPath`                                  | If set, obtain trust bundle from a file on the host instead of from the ConfigMap                                                                                                                 | `""`                                                                             |
+| `bundleConfigMap`                                      | Configmap name for Spire bundle                                                                                                                                                                   | `spire-bundle`                                                                   |
+| `availabilityTarget`                                   | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. | `""`                                                                             |
+| `server.address`                                       | Address for Spire server                                                                                                                                                                          | `""`                                                                             |
+| `server.port`                                          | Port number for Spire server                                                                                                                                                                      | `443`                                                                            |
+| `server.namespaceOverride`                             | Override the namespace for Spire server                                                                                                                                                           | `""`                                                                             |
+| `server.nameOverride`                                  | Override the name for Spire server. Should only be changed when building your own nested chart to ensure names align.                                                                             | `""`                                                                             |
+| `healthChecks.port`                                    | override the host port used for health checking                                                                                                                                                   | `9982`                                                                           |
+| `updateStrategy.type`                                  | The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete.                                                                                    | `RollingUpdate`                                                                  |
+| `updateStrategy.rollingUpdate.maxUnavailable`          | Max unavailable pods during update. Can be a number or a percentage.                                                                                                                              | `1`                                                                              |
+| `livenessProbe.initialDelaySeconds`                    | Initial delay seconds for probe                                                                                                                                                                   | `15`                                                                             |
+| `livenessProbe.periodSeconds`                          | Period seconds for probe                                                                                                                                                                          | `60`                                                                             |
+| `readinessProbe.initialDelaySeconds`                   | Initial delay seconds for probe                                                                                                                                                                   | `10`                                                                             |
+| `readinessProbe.periodSeconds`                         | Period seconds for probe                                                                                                                                                                          | `30`                                                                             |
+| `fsGroupFix.image.registry`                            | The OCI registry to pull the image from                                                                                                                                                           | `cgr.dev`                                                                        |
+| `fsGroupFix.image.repository`                          | The repository within the registry                                                                                                                                                                | `chainguard/bash`                                                                |
+| `fsGroupFix.image.pullPolicy`                          | The image pull policy                                                                                                                                                                             | `Always`                                                                         |
+| `fsGroupFix.image.tag`                                 | Overrides the image tag whose default is the chart appVersion                                                                                                                                     | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
+| `fsGroupFix.resources`                                 | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/                                                                                      | `{}`                                                                             |
+| `keyManager.memory.enabled`                            | Enable the memory based Key Manager                                                                                                                                                               | `true`                                                                           |
+| `keyManager.disk.enabled`                              | Enable the disk based Key Manager (must have persistence.type set to hostPath when enabled)                                                                                                       | `false`                                                                          |
+| `nodeAttestor.k8sPSAT.enabled`                         | Enable PSAT k8s Node Attestor                                                                                                                                                                     | `true`                                                                           |
+| `nodeAttestor.httpChallenge.enabled`                   | Enable the http challenge Node Attestor                                                                                                                                                           | `false`                                                                          |
+| `nodeAttestor.httpChallenge.agentname`                 | Name of this agent. Useful if you have multiple agents bound to different spire servers on the same host and sharing the same port.                                                               | `default`                                                                        |
+| `nodeAttestor.httpChallenge.port`                      | The port to listen on. If 0, a random value will be used.                                                                                                                                         | `0`                                                                              |
+| `nodeAttestor.httpChallenge.advertisedPort`            | The port to tell the server to call back on. Set only if your using an http proxy on the hosts. If 0, will use the port setting.                                                                  | `0`                                                                              |
+| `nodeAttestor.tpmDirect.enabled`                       | Enable the direct TPM node attestor, a 3rd party plugin by Boxboat. This plugin is experimental.                                                                                                  | `false`                                                                          |
+| `nodeAttestor.tpmDirect.plugin.image.registry`         | The OCI registry to pull the image from                                                                                                                                                           | `ghcr.io`                                                                        |
+| `nodeAttestor.tpmDirect.plugin.image.repository`       | The repository within the registry                                                                                                                                                                | `spiffe/spire-tpm-plugin-tpm-attestor-agent`                                     |
+| `nodeAttestor.tpmDirect.plugin.image.pullPolicy`       | The image pull policy                                                                                                                                                                             | `IfNotPresent`                                                                   |
+| `nodeAttestor.tpmDirect.plugin.image.tag`              | Overrides the image tag                                                                                                                                                                           | `v1.9.0`                                                                         |
+| `nodeAttestor.tpmDirect.plugin.checksum`               | The sha256 checksum of the plugin binary                                                                                                                                                          | `22f67063f1699330e70cdedc9b923e517688f5ae71085a26bd9b83b3060ee86e`               |
+| `nodeAttestor.tpmDirect.plugin.path`                   | The filename in the container of the plugin                                                                                                                                                       | `/app/tpm_attestor_agent`                                                        |
+| `nodeAttestor.tpmDirect.pubHash.enabled`               | Display pubhash in logs                                                                                                                                                                           | `true`                                                                           |
+| `nodeAttestor.tpmDirect.pubHash.image.registry`        | The OCI registry to pull the image from                                                                                                                                                           | `ghcr.io`                                                                        |
+| `nodeAttestor.tpmDirect.pubHash.image.repository`      | The repository within the registry                                                                                                                                                                | `spiffe/spire-tpm-plugin-get-tpm-pubhash`                                        |
+| `nodeAttestor.tpmDirect.pubHash.image.pullPolicy`      | The image pull policy                                                                                                                                                                             | `IfNotPresent`                                                                   |
+| `nodeAttestor.tpmDirect.pubHash.image.tag`             | Overrides the image tag                                                                                                                                                                           | `v1.9.0`                                                                         |
+| `nodeAttestor.awsIID.enabled`                          | Enable the aws_iid Node Attestor                                                                                                                                                                  | `false`                                                                          |
+| `workloadAttestors.unix.enabled`                       | Enables the Unix workload attestor                                                                                                                                                                | `false`                                                                          |
+| `workloadAttestors.k8s.enabled`                        | Enables the Kubernetes workload attestor                                                                                                                                                          | `true`                                                                           |
+| `workloadAttestors.k8s.verification.type`              | What kind of verification to do against kubelet. auto will first attempt to use hostCert, and then fall back to apiServerCA. Valid options are [auto, hostCert, apiServerCA, skip]                | `skip`                                                                           |
+| `workloadAttestors.k8s.verification.hostCert.basePath` | Path where kubelet places its certificates                                                                                                                                                        | `/var/lib/kubelet/pki`                                                           |
+| `workloadAttestors.k8s.verification.hostCert.fileName` | File name where kubelet places its certificates. If blank, it will be auto detected.                                                                                                              | `""`                                                                             |
+| `workloadAttestors.k8s.disableContainerSelectors`      | Set to true if using holdApplicationUntilProxyStarts in Istio                                                                                                                                     | `false`                                                                          |
+| `workloadAttestors.k8s.useNewContainerLocator`         | If true, enables the new container locator algorithm that has support for cgroups v2. Defaults to true                                                                                            | `true`                                                                           |
+| `workloadAttestors.k8s.verboseContainerLocatorLogs`    | If true, enables verbose logging of mountinfo and cgroup information used to locate containers. Defaults to false                                                                                 | `false`                                                                          |
+| `sds.enabled`                                          | Enables Envoy SDS configuration                                                                                                                                                                   | `false`                                                                          |
+| `sds.defaultSVIDName`                                  | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS                                                                                                                 | `default`                                                                        |
+| `sds.defaultBundleName`                                | The Validation Context resource name to use for the default X.509 bundle with Envoy SDS                                                                                                           | `ROOTCA`                                                                         |
+| `sds.defaultAllBundlesName`                            | The Validation Context resource name to use for all bundles (including federated) with Envoy SDS                                                                                                  | `ALL`                                                                            |
+| `sds.disableSPIFFECertValidation`                      | Disable Envoy SDS custom validation                                                                                                                                                               | `false`                                                                          |
+| `telemetry.prometheus.enabled`                         | Flag to enable prometheus monitoring                                                                                                                                                              | `false`                                                                          |
+| `telemetry.prometheus.port`                            | Port for prometheus metrics                                                                                                                                                                       | `9988`                                                                           |
+| `telemetry.prometheus.podMonitor.enabled`              | Enable podMonitor for prometheus                                                                                                                                                                  | `false`                                                                          |
+| `telemetry.prometheus.podMonitor.namespace`            | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent                                                                                               | `""`                                                                             |
+| `telemetry.prometheus.podMonitor.labels`               | Pod labels to filter for prometheus monitoring                                                                                                                                                    | `{}`                                                                             |
+| `telemetry.datadog.enabled`                            | Flag to enable datadog monitoring                                                                                                                                                                 | `false`                                                                          |
+| `telemetry.datadog.address`                            | The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc`                                                                          | `datadog.kube-system.svc`                                                        |
+| `telemetry.datadog.port`                               | The port of the datadog service to send metrics to                                                                                                                                                | `8125`                                                                           |
+| `kubeletConnectByHostname`                             | If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise.                                                      | `""`                                                                             |
+| `socketPath`                                           | The unix socket path to the spire-agent                                                                                                                                                           | `/run/spire/agent-sockets/spire-agent.sock`                                      |
+| `socketAlternate.names`                                | List of alternate names for the socket that workloads might expect to be able to access in the driver mount.                                                                                      | `["socket","spire-agent.sock","api.sock"]`                                       |
+| `socketAlternate.image.registry`                       | The OCI registry to pull the image from                                                                                                                                                           | `cgr.dev`                                                                        |
+| `socketAlternate.image.repository`                     | The repository within the registry                                                                                                                                                                | `chainguard/bash`                                                                |
+| `socketAlternate.image.pullPolicy`                     | The image pull policy                                                                                                                                                                             | `Always`                                                                         |
+| `socketAlternate.image.tag`                            | Overrides the image tag whose default is the chart appVersion                                                                                                                                     | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
+| `socketAlternate.resources`                            | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/                                                                                      | `{}`                                                                             |
+| `hostCert.image.registry`                              | The OCI registry to pull the image from                                                                                                                                                           | `cgr.dev`                                                                        |
+| `hostCert.image.repository`                            | The repository within the registry                                                                                                                                                                | `chainguard/min-toolkit-debug`                                                   |
+| `hostCert.image.pullPolicy`                            | The image pull policy                                                                                                                                                                             | `IfNotPresent`                                                                   |
+| `hostCert.image.tag`                                   | Overrides the image tag whose default is the chart appVersion                                                                                                                                     | `latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53` |
+| `hostCert.resources`                                   | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/                                                                                      | `{}`                                                                             |
+| `priorityClassName`                                    | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName.                                                                                         | `""`                                                                             |
+| `extraEnvVars`                                         | Extra environment variables to be added to the Spire Agent container                                                                                                                              | `[]`                                                                             |
+| `extraVolumes`                                         | Extra volumes to be mounted on Spire Agent pods                                                                                                                                                   | `[]`                                                                             |
+| `extraVolumeMounts`                                    | Extra volume mounts for Spire Agent pods                                                                                                                                                          | `[]`                                                                             |
+| `extraContainers`                                      | Additional containers to create with Spire Agent pods                                                                                                                                             | `[]`                                                                             |
+| `initContainers`                                       | Additional init containers to create with Spire Agent pods                                                                                                                                        | `[]`                                                                             |
+| `hostAliases`                                          | Customize /etc/hosts file as described here https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/                                                                               | `[]`                                                                             |
+| `customPlugins.keyManager`                             | Custom plugins of type KeyManager are configured here                                                                                                                                             | `{}`                                                                             |
+| `customPlugins.nodeAttestor`                           | Custom plugins of type NodeAttestor are configured here                                                                                                                                           | `{}`                                                                             |
+| `customPlugins.svidStore`                              | Custom plugins of type SVIDStore are configured here                                                                                                                                              | `{}`                                                                             |
+| `customPlugins.workloadAttestor`                       | Custom plugins of type WorkloadAttestor are configured here                                                                                                                                       | `{}`                                                                             |
+| `experimental.enabled`                                 | Allow configuration of experimental features                                                                                                                                                      | `false`                                                                          |
+| `experimental.syncInterval`                            | Sync interval with SPIRE server with exponential backoff                                                                                                                                          | `5s`                                                                             |
+| `experimental.featureFlags`                            | List of developer feature flags                                                                                                                                                                   | `[]`                                                                             |
+| `agents`                                               | Configure multiple agent DaemonSets. Useful when you have different node types and nodeAttestors                                                                                                  | `{}`                                                                             |
+| `tools.kubectl.image.registry`                         | The OCI registry to pull the image from                                                                                                                                                           | `registry.k8s.io`                                                                |
+| `tools.kubectl.image.repository`                       | The repository within the registry                                                                                                                                                                | `kubectl`                                                                        |
+| `tools.kubectl.image.pullPolicy`                       | The image pull policy                                                                                                                                                                             | `IfNotPresent`                                                                   |
+| `tools.kubectl.image.tag`                              | Overrides the image tag whose default is the chart appVersion                                                                                                                                     | `""`                                                                             |
+| `sockets.hostBasePath`                                 | Path on which the agent socket is made available when admin.mountOnHost is true                                                                                                                   | `/run/spire/agent/sockets`                                                       |
+| `sockets.admin.enabled`                                | Enable the admin socket. Useful for admin tasks or the Delegated Identity API.                                                                                                                    | `false`                                                                          |
+| `sockets.admin.mountOnHost`                            | Enable the admin socket to be visible on the host.                                                                                                                                                | `false`                                                                          |
+| `persistence.type`                                     | What type of volume to use for persistence. Valid options emptyDir (reattestable node attestors) or hostPath (nonr-reattestable node attestors)                                                   | `emptyDir`                                                                       |
+| `persistence.hostPath`                                 | Which path to use on the host when persistence.type = hostPath                                                                                                                                    | `/var/lib/spire/k8s/agent`                                                       |

charts/spire/charts/spire-agent/templates/_helpers.tpl

@@ -75,20 +75,20 @@ Create chart name and version as used by the chart label.
 Common labels
 */}}
 {{- define "spire-agent.labels" -}}
-helm.sh/chart: {{ include "spire-agent.chart" . }}
+helm.sh/chart: {{ include "spire-agent.chart" . | quote }}
 {{ include "spire-agent.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
 {{- end }}
 
 {{/*
 Selector labels
 */}}
 {{- define "spire-agent.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "spire-agent.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/name: {{ include "spire-agent.name" . | quote }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
 {{- end }}
 
 {{/*
@@ -103,6 +103,8 @@ Create the name of the service account to use
 {{- print .Values.global.spire.upstreamSpireAddress }}
 {{- else if .Values.server.address }}
 {{- .Values.server.address }}
+{{- else if .Values.server.nameOverride }}
+{{ .Release.Name }}-{{ .Values.server.nameOverride }}.{{ include "spire-agent.server.namespace" . }}
 {{- else }}
 {{ .Release.Name }}-server.{{ include "spire-agent.server.namespace" . }}
 {{- end }}

charts/spire/charts/spire-agent/templates/configmap.yaml

@@ -1,3 +1,4 @@
+{{- define "spire-agent.check-config-values" -}}
 {{- include "spire-lib.check-strict-mode" (list . "clusterName must be set" (eq (include "spire-lib.cluster-name" .) "example-cluster"))}}
 {{- include "spire-lib.check-strict-mode" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}}
 {{- range $type, $tvals := .Values.customPlugins }}
@@ -18,31 +19,35 @@
 {{-     end }}
 {{-   end }}
 {{- end }}
+{{- if and .Values.keyManager.disk.enabled (ne .Values.persistence.type "hostPath") }}
+{{-   fail "keyManager.disk.enabled is true but persistence.type is not hostPath. Ensure persistence.type is hostPath when keyManager.disk.enabled is true." }}
+{{- end }}
 {{- if hasPrefix (.Values.socketPath | dir | clean) (.Values.sockets.hostBasePath | clean) }}
-{{- fail "The sockets.hostBasePath can not be located under the socketPath direcotry" }}
+{{- fail "The sockets.hostBasePath can not be located under the socketPath directory" }}
+{{- end }}
 {{- end }}
 {{- define "spire-agent.yaml-config" -}}
 agent:
-  {{- if .Values.disableReattestToRenew }}
-  disable_reattest_to_renew: true
-  {{- end }}
   {{- if .Values.sockets.admin.enabled }}
-  admin_socket_dir: /tmp/spire-agent/private/admin.sock
+  admin_socket_path: /tmp/spire-agent/private/admin.sock
   {{- end }}
   {{- with .Values.authorizedDelegates }}
   authorized_delegates:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  data_dir: "/run/spire"
+  data_dir: "/var/lib/spire"
   log_level: {{ .Values.logLevel | quote }}
+  retry_bootstrap: true
   server_address: {{ include "spire-agent.server-address" . | trim | quote }}
   server_port: {{ .Values.server.port | quote }}
   socket_path: /tmp/spire-agent/public/{{ include "spire-agent.socket-path" . | base }}
+  trust_bundle_format: {{ .Values.trustBundleFormat | quote }}
   {{- if ne (len .Values.trustBundleURL) 0 }}
   trust_bundle_url: {{ .Values.trustBundleURL | quote }}
-  trust_bundle_format: {{ .Values.trustBundleFormat | quote }}
+  {{- else if ne (len .Values.trustBundleHostPath) 0 }}
+  trust_bundle_path: {{ .Values.trustBundleHostPath | quote }}
   {{- else }}
-  trust_bundle_path: "/run/spire/bundle/bundle.crt"
+  trust_bundle_path: {{ printf "/run/spire/bundle/bundle.%s" (include "spire-lib.trust-bundle-ext" (dict "trustBundleFormat" .Values.trustBundleFormat)) | quote }}
   {{- end }}
   trust_domain: {{ include "spire-lib.trust-domain" . | quote }}
   {{- with .Values.availabilityTarget }}
@@ -50,16 +55,16 @@ agent:
   {{- end }}
   {{- if .Values.sds.enabled }}
   sds:
-    default_svid_name: {{ .Values.sds.defaultSvidName | quote }}
+    default_svid_name: {{ .Values.sds.defaultSVIDName | quote }}
     default_bundle_name: {{ .Values.sds.defaultBundleName | quote }}
     default_all_bundles_name: {{ .Values.sds.defaultAllBundlesName | quote }}
-    disable_spiffe_cert_validation: {{ .Values.sds.disableSpiffeCertValidation }}
+    disable_spiffe_cert_validation: {{ eq .Values.sds.disableSPIFFECertValidation true }}
   {{- end }}
 
   {{- with .Values.experimental }}
   {{- if eq (.enabled | toString) "true" }}
   experimental:
-  sync_interval: {{ .syncInterval | quote }}
+    sync_interval: {{ .syncInterval | quote }}
     {{- if gt (len .featureFlags) 0 }}
     feature_flags:
       {{- range .featureFlags }}
@@ -73,17 +78,38 @@ agent:
 {{- $keyManagerUsed := add (len .Values.customPlugins.keyManager) (len .Values.unsupportedBuiltInPlugins.keyManager) }}
 plugins:
   NodeAttestor:
-    {{- if .Values.nodeAttestor.k8sPsat.enabled }}
+    {{- if .Values.nodeAttestor.k8sPSAT.enabled }}
     k8s_psat:
       plugin_data:
         cluster: {{ include "spire-lib.cluster-name" . | quote }}
     {{- $nodeAttestorUsed = add1 $nodeAttestorUsed }}
     {{- end }}
+    {{- with .Values.nodeAttestor.httpChallenge }}
+    {{- if eq (.enabled | toString) "true" }}
+    http_challenge:
+      plugin_data:
+        agentname: {{ .agentname | quote }}
+        {{- if ne (int .port) 0 }}
+        port: {{ .port }}
+        {{- end }}
+        {{- if ne (int .advertisedPort) 0 }}
+        advertisedPort: {{ .advertisedPort }}
+        {{- end }}
+    {{- $nodeAttestorUsed = add1 $nodeAttestorUsed }}
+    {{- end }}
+    {{- end }}
     {{- with .Values.nodeAttestor.tpmDirect }}
     {{- if eq (.enabled | toString) "true" }}
     tpm:
       plugin_cmd: "/tpm/tpm_attestor_agent"
-      plugin_checksum: {{ .plugin.checksum }}
+      plugin_checksum: {{ .plugin.checksum | quote }}
+      plugin_data: {}
+    {{- $nodeAttestorUsed = add1 $nodeAttestorUsed }}
+    {{- end }}
+    {{- end }}
+  {{- with .Values.nodeAttestor.awsIID }}
+  {{- if eq (.enabled | toString) "true" }}
+    aws_iid:
       plugin_data: {}
     {{- $nodeAttestorUsed = add1 $nodeAttestorUsed }}
     {{- end }}
@@ -98,6 +124,12 @@ plugins:
       plugin_data:
     {{- $keyManagerUsed = add1 $keyManagerUsed }}
     {{- end }}
+    {{- if .Values.keyManager.disk.enabled }}
+    disk:
+      plugin_data:
+        directory: {{ .Values.persistence.hostPath }}
+    {{- $keyManagerUsed = add1 $keyManagerUsed }}
+    {{- end }}
 {{- if ne $keyManagerUsed 1 }}
 {{- fail (printf "You have to enable exactly one Key Manager. There are %d enabled." $keyManagerUsed) }}
 {{- end }}
@@ -106,11 +138,18 @@ plugins:
   {{- if .Values.workloadAttestors.k8s.enabled }}
     k8s:
       plugin_data:
-        # Defaults to the secure kubelet port by default.
-        # Minikube does not have a cert in the cluster CA bundle that
-        # can authenticate the kubelet cert, so skip validation.
-        skip_kubelet_verification: {{ .Values.workloadAttestors.k8s.skipKubeletVerification }}
-        disable_container_selectors: {{ .Values.workloadAttestors.k8s.disableContainerSelectors }}
+        {{- if or (eq .Values.workloadAttestors.k8s.verification.type "hostCert") (eq .Values.workloadAttestors.k8s.verification.type "auto") }}
+        kubelet_ca_path: /hostCert/kubelet.crt
+        {{- else if eq .Values.workloadAttestors.k8s.verification.type "apiServerCA" }}
+        kubelet_ca_path: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        {{- end }}
+        skip_kubelet_verification: {{ eq .Values.workloadAttestors.k8s.verification.type "skip" }}
+        disable_container_selectors: {{ eq .Values.workloadAttestors.k8s.disableContainerSelectors true}}
+        use_new_container_locator: {{ eq .Values.workloadAttestors.k8s.useNewContainerLocator true }}
+        verbose_container_locator_logs: {{ eq .Values.workloadAttestors.k8s.verboseContainerLocatorLogs true }}
+        {{- if eq (include "spire-agent.connect-by-hostname" .) "true" }}
+        node_name_env: "MY_NODE_NAME"
+        {{- end }}
   {{- end }}
 
   {{- if .Values.workloadAttestors.unix.enabled }}
@@ -131,12 +170,31 @@ telemetry:
       - host: "0.0.0.0"
         port: {{ .Values.telemetry.prometheus.port }}
 {{- end }}
+
+{{- if .Values.telemetry.datadog.enabled }}
+telemetry:
+  - DogStatsd:
+      - address: "{{ .Values.telemetry.datadog.address }}:{{ .Values.telemetry.datadog.port }}"
 {{- end }}
+
+{{- end }}
+{{- $root := . }}
+{{- range $name := (concat (list "default") (keys .Values.agents)) | uniq }}
+{{- with (dict "Release" $root.Release "Chart" $root.Chart "Values" (deepCopy $root.Values)) }}
+{{- $nameSuffix := "" }}
+{{- if ne $name "default" }}
+{{-   $nameSuffix = printf "-%s" $name }}
+{{- end }}
+{{- if hasKey $root.Values.agents $name }}
+{{-   $_ := set . "Values" (mergeOverwrite .Values (index $root.Values.agents $name)) }}
+{{- end }}
+{{- include "spire-agent.check-config-values" . }}
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "spire-agent.fullname" . }}
-  namespace: {{ include "spire-agent.namespace" . }}
+  name: {{ printf "%s%s" (include "spire-agent.fullname" .) $nameSuffix | quote }}
+  namespace: {{ include "spire-agent.namespace" . | quote }}
   {{- with .Values.configMap.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
@@ -144,3 +202,5 @@ metadata:
 data:
   agent.conf: |
     {{- include "spire-lib.reformat-and-yaml2json" (dict "config" (include "spire-agent.yaml-config" .) "root" .) | nindent 4 }}
+{{- end }}
+{{- end }}

charts/spire/charts/spire-agent/templates/daemonset.yaml

@@ -1,4 +1,26 @@
 {{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }}
+{{- $root := . }}
+{{- if hasKey .Values.nodeAttestor "k8sPsat" }}
+{{-   fail "k8sPsat was renamed to k8sPSAT. Please update your config." }}
+{{- end }}
+{{- if hasKey .Values.sds "defaultSvidName" }}
+{{-   fail "defaultSvidName was renamed to defaultSVIDName. Please update your config." }}
+{{- end }}
+{{- if hasKey .Values.sds "disableSpiffeCertValidation" }}
+{{-   fail "disableSpiffeCertValidation was renamed to disableSPIFFECertValidation. Please update your config." }}
+{{- end }}
+{{- if and .Values.keyManager.disk.enabled (ne .Values.persistence.type "hostPath") }}
+{{-   fail "keyManager.disk.enabled is true but persistence.type is not hostPath. Ensure persistence.type is hostPath when keyManager.disk.enabled is true." }}
+{{- end }}
+{{- range $name := (concat (list "default") (keys .Values.agents)) | uniq }}
+{{- with (dict "Release" $root.Release "Chart" $root.Chart "Values" (deepCopy $root.Values)) }}
+{{- $nameSuffix := "" }}
+{{- if ne $name "default" }}
+{{-   $nameSuffix = printf "-%s" $name }}
+{{- end }}
+{{- if hasKey $root.Values.agents $name }}
+{{-   $_ := set . "Values" (mergeOverwrite .Values (index $root.Values.agents $name)) }}
+{{- end }}
 {{- $podSecurityContext := fromYaml (include "spire-lib.podsecuritycontext" .) }}
 {{- $mainSecurityContext := deepCopy .Values.securityContext }}
 {{- if .Values.nodeAttestor.tpmDirect.enabled }}
@@ -8,17 +30,20 @@
 {{- $cbh := eq (include "spire-agent.connect-by-hostname" .) "true" }}
 {{- $socketAlternateNames := index (include "spire-agent.socket-alternate-names" . | fromYaml) "names" }}
 {{- $socketPath := include "spire-agent.socket-path" . }}
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  name: {{ include "spire-agent.fullname" . }}
-  namespace: {{ include "spire-agent.namespace" . }}
+  name: {{ printf "%s%s" (include "spire-agent.fullname" .) $nameSuffix | quote }}
+  namespace: {{ include "spire-agent.namespace" . | quote}}
   labels:
     {{- include "spire-agent.labels" . | nindent 4 }}
+    app.kubernetes.io/component: {{ $name | quote }}
 spec:
   selector:
     matchLabels:
       {{- include "spire-agent.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: {{ $name | quote }}
   {{- with .Values.updateStrategy }}
   updateStrategy:
     {{- if not (has .type (list "RollingUpdate" "OnDelete")) }}
@@ -34,12 +59,13 @@ spec:
     metadata:
       annotations:
         kubectl.kubernetes.io/default-container: spire-agent
-        checksum/config: {{ $configSum }}
+        checksum/config: {{ $configSum | quote }}
         {{- with .Values.podAnnotations }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
         {{- include "spire-agent.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ $name | quote }}
         {{- with .Values.podLabels }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -51,7 +77,7 @@ spec:
       hostPID: true
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
-      serviceAccountName: {{ include "spire-agent.serviceAccountName" . }}
+      serviceAccountName: {{ include "spire-agent.serviceAccountName" . | quote }}
       securityContext:
         {{- toYaml $podSecurityContext | nindent 8 }}
       {{- include "spire-lib.default_node_priority_class_name" . | nindent 6 }}
@@ -60,6 +86,58 @@ spec:
         {{- toYaml .Values.hostAliases | nindent 8 }}
       {{- end }}
       initContainers:
+        {{- if or (eq .Values.workloadAttestors.k8s.verification.type "hostCert") (eq .Values.workloadAttestors.k8s.verification.type "auto") }}
+        - name: gather-host-cert
+          securityContext:
+            {{- $mainSecurityContext | toYaml | nindent 12 }}
+          image: {{ template "spire-lib.image" (dict "image" .Values.hostCert.image "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.hostCert.image.pullPolicy | quote }}
+          command: ["bash", "-xc"]
+          args:
+            - |
+              {{- if ne .Values.workloadAttestors.k8s.verification.hostCert.fileName "" }}
+              openssl x509 -in {{ printf "%s/%s" .Values.workloadAttestors.k8s.verification.hostCert.basePath .Values.workloadAttestors.k8s.verification.hostCert.fileName | quote }} -out /hostCert/kubelet.crt
+              {{- else }}
+              if [ -f "{{ .Values.workloadAttestors.k8s.verification.hostCert.basePath }}/kubelet-server-current.pem" ]; then
+                openssl x509 -in {{ printf "%s/kubelet-server-current.pem" .Values.workloadAttestors.k8s.verification.hostCert.basePath | quote }} -out /hostCert/kubelet.crt
+              elif [ -f "{{ .Values.workloadAttestors.k8s.verification.hostCert.basePath }}/kubelet.crt" ]; then
+                openssl x509 -in {{ printf "%s/kubelet.crt" .Values.workloadAttestors.k8s.verification.hostCert.basePath | quote }} -out /hostCert/kubelet.crt
+              else
+                {{- if eq .Values.workloadAttestors.k8s.verification.type "auto" }}
+                {{- if $cbh }}
+                URL="https://$NODE_NAME:10250/spec/"
+                {{- else }}
+                URL="https://localhost:10250/spec/"
+                {{- end }}
+                curl --capath /var/run/secrets/kubernetes.io/serviceaccount/ca.crt "$URL"
+                if [ $? -eq 0 ]; then
+                  echo Mode detected as apiServerCA.
+                  ln -s /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /hostCert/kubelet.crt
+                  exit 0
+                fi
+                {{- end }}
+                echo Could not find certificate.
+                exit 1
+              fi
+              {{- end }}
+              {{- if eq .Values.workloadAttestors.k8s.verification.type "auto" }}
+              echo Mode detected as hostCert.
+              {{- end }}
+              chmod 644 /hostCert/kubelet.crt
+          env:
+          {{- if $cbh }}
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+          {{- end }}
+          volumeMounts:
+          - name: host-cert-isolated
+            mountPath: /hostCert
+          - name: host-cert
+            mountPath: {{ .Values.workloadAttestors.k8s.verification.hostCert.basePath | quote }}
+            readOnly: true
+        {{- end }}
         {{- if .Values.nodeAttestor.tpmDirect.enabled }}
         {{- if .Values.nodeAttestor.tpmDirect.pubHash.enabled }}
         - name: fingerprint-tpm
@@ -84,7 +162,7 @@ spec:
               readOnly: true
             - name: kmsg
               mountPath: /dev/kmsg
-          imagePullPolicy: {{ .Values.nodeAttestor.tpmDirect.pubHash.image.pullPolicy }}
+          imagePullPolicy: {{ .Values.nodeAttestor.tpmDirect.pubHash.image.pullPolicy | quote }}
         {{- end }}
         - name: init-tpm-direct
           securityContext:
@@ -95,29 +173,16 @@ spec:
             - -ec
             - |
               # SPIRE must be able to fork the plugin directly within its container. Copy the plugin into a volume that can be mounted where SPIRE can execute it.
-              cp -a {{ .Values.nodeAttestor.tpmDirect.plugin.path }} /tpm/tpm_attestor_agent
+              cp -a {{ .Values.nodeAttestor.tpmDirect.plugin.path | quote }} /tpm/tpm_attestor_agent
           volumeMounts:
             - name: tpm-direct
               mountPath: /tpm
-          imagePullPolicy: {{ .Values.nodeAttestor.tpmDirect.plugin.image.pullPolicy }}
+          imagePullPolicy: {{ .Values.nodeAttestor.tpmDirect.plugin.image.pullPolicy | quote }}
         {{- end }}
-        - name: init
-          # This is a small image with wait-for-it, choose whatever image
-          # you prefer that waits for a service to be up. This image is built
-          # from https://github.com/vishnubob/wait-for-it
-          image: {{ template "spire-lib.image" (dict "image" .Values.waitForIt.image "global" .Values.global) }}
-          imagePullPolicy: {{ .Values.waitForIt.image.pullPolicy }}
-          args: ["-t", "30", "-h", "{{ include "spire-agent.server-address" . | trim }}", "-p", {{ .Values.server.port | quote }}]
-          securityContext:
-            {{- .Values.securityContext | toYaml | nindent 12 }}
-          resources:
-            {{- toYaml .Values.waitForIt.resources | nindent 12 }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
         {{- if gt (len $socketAlternateNames) 0 }}
         - name: ensure-alternate-names
           image: {{ template "spire-lib.image" (dict "image" .Values.socketAlternate.image "global" .Values.global) }}
-          imagePullPolicy: {{ .Values.socketAlternate.image.pullPolicy }}
+          imagePullPolicy: {{ .Values.socketAlternate.image.pullPolicy | quote }}
           command: ["bash", "-xc"]
           {{- /* 1. Look for symlinks pointing at the wrong place and remove them. 2. Make symlinks that don't exist. 3. If new socket is pointing at an existing symlink, remove old symlink. */}}
           args:
@@ -125,7 +190,7 @@ spec:
               cd {{ $socketPath | dir }}
               {{- range $socketAlternateNames }}
               L=`readlink {{ . }}`
-              [ "x$L" != "x{{ $socketPath | base}}" ] && rm -f {{ . }}
+              [ "x$L" != "x{{ $socketPath | base }}" ] && rm -f {{ . }}
               [ ! -L {{ . }} ] && ln -s {{ $socketPath | base }} {{ . }}
               {{- end }}
               [ -L {{ $socketPath | base }} ] && rm -f {{ $socketPath | base }}
@@ -142,15 +207,19 @@ spec:
         {{- if gt (int (dig "fsGroup" 0 $podSecurityContext)) 0 }}
         - name: fsgroupfix
           image: {{ template "spire-lib.image" (dict "image" .Values.fsGroupFix.image "global" .Values.global) }}
-          imagePullPolicy: {{ .Values.fsGroupFix.image.pullPolicy }}
+          imagePullPolicy: {{ .Values.fsGroupFix.image.pullPolicy | quote }}
           command: ["bash", "-c"]
           args:
-            - "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ $socketPath | dir }} /tmp/spire-agent/private"
+            - |
+              chown -R {{ printf "%v:%v" $podSecurityContext.runAsUser $podSecurityContext.fsGroup | quote }} {{ $socketPath | dir }} /tmp/spire-agent/private
+              chown -R {{ printf "%v:%v" $podSecurityContext.runAsUser $podSecurityContext.fsGroup | quote }} /var/lib/spire
           resources:
             {{- toYaml .Values.fsGroupFix.resources | nindent 12 }}
           volumeMounts:
             - name: spire-agent-socket-dir
               mountPath: {{ $socketPath | dir }}
+            - name: spire-agent-persistence
+              mountPath: /var/lib/spire
             - name: spire-agent-admin-socket-dir
               mountPath: /tmp/spire-agent/private
           securityContext:
@@ -161,9 +230,9 @@ spec:
         {{- toYaml .Values.initContainers | nindent 8 }}
         {{- end }}
       containers:
-        - name: {{ .Chart.Name }}
+        - name: {{ .Chart.Name | quote }}
           image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }}
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
           args: ["-config", "/opt/spire/conf/agent/agent.conf"]
           securityContext:
             {{- $mainSecurityContext | toYaml | nindent 12 }}
@@ -190,6 +259,13 @@ spec:
             - name: spire-config
               mountPath: /opt/spire/conf/agent
               readOnly: true
+            {{- if .Values.keyManager.disk.enabled }}
+            - name: spire-key-manager
+              mountPath: {{ .Values.persistence.hostPath }}
+              readOnly: false
+            {{- end }}
+            - name: spire-agent-persistence
+              mountPath: /var/lib/spire
             {{- if .Values.sockets.admin.enabled }}
             - name: spire-agent-admin-socket-dir
               mountPath: /tmp/spire-agent/private
@@ -197,8 +273,12 @@ spec:
             {{- end }}
             {{- if eq (len .Values.trustBundleURL) 0 }}
             - name: spire-bundle
-              mountPath: /run/spire/bundle
               readOnly: true
+            {{- if ne (len .Values.trustBundleHostPath) 0 }}
+              mountPath: {{ .Values.trustBundleHostPath | dir | quote }}
+            {{- else }}
+              mountPath: /run/spire/bundle
+            {{- end }}
             {{- end }}
             {{- if .Values.nodeAttestor.tpmDirect.enabled }}
             - name: tpm-direct
@@ -213,6 +293,11 @@ spec:
               readOnly: false
             - name: spire-token
               mountPath: /var/run/secrets/tokens
+            {{- if or (eq .Values.workloadAttestors.k8s.verification.type "hostCert") (eq .Values.workloadAttestors.k8s.verification.type "auto") }}
+            - name: host-cert-isolated
+              mountPath: /hostCert
+              readOnly: true
+            {{- end }}
             {{- if gt (len .Values.extraVolumeMounts) 0 }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
@@ -247,19 +332,47 @@ spec:
         - name: spire-config
           configMap:
             name: {{ include "spire-agent.fullname" . }}
+        {{- if .Values.keyManager.disk.enabled }}
+        - name: spire-key-manager
+          hostPath:
+            path: {{ .Values.persistence.hostPath }}
+            type: DirectoryOrCreate
+        {{- end }}
         {{- if .Values.sockets.admin.mountOnHost }}
         - name: spire-agent-admin-socket-dir
           hostPath:
-            hostPath: {{ .Values.sockets.hostBasePath }}/{{ if .Values.upstream }}upstream.csi.spiffe.io{{ else }}csi.spiffe.io{{ end }}/admin
+            {{- if .Values.upstream }}
+            path: {{ printf "%s/upstream.csi.spiffe.io/admin" .Values.sockets.hostBasePath | quote }}
+            {{- else }}
+            path: {{ printf "%s/csi.spiffe.io/admin" .Values.sockets.hostBasePath | quote }}
+            {{- end }}
             type: DirectoryOrCreate
         {{- else }}
         - name: spire-agent-admin-socket-dir
           emptyDir: {}
         {{- end }}
+        {{- if eq .Values.persistence.type "hostPath" }}
+        - name: spire-agent-persistence
+          hostPath:
+            {{- if .Values.upstream }}
+            path: {{ printf "%s/upstream.csi.spiffe.io" .Values.persistence.hostPath | quote }}
+            {{- else }}
+            path: {{ printf "%s/csi.spiffe.io" .Values.persistence.hostPath | quote }}
+            {{- end }}
+            type: DirectoryOrCreate
+        {{- else }}
+        - name: spire-agent-persistence
+          emptyDir: {}
+        {{- end }}
         {{- if eq (len .Values.trustBundleURL) 0 }}
         - name: spire-bundle
+        {{- if ne (len .Values.trustBundleHostPath) 0 }}
+          hostPath:
+            path: {{ .Values.trustBundleHostPath | dir | quote }}
+        {{- else }}
           configMap:
-            name: {{ include "spire-lib.bundle-configmap" . }}
+            name: {{ printf "%s%s" (include "spire-lib.bundle-configmap" .) $nameSuffix | quote }}
+        {{- end }}
         {{- end }}
         {{- if .Values.nodeAttestor.tpmDirect.enabled }}
         - name: tpm-direct
@@ -286,6 +399,15 @@ spec:
             path: /dev/kmsg
             type: CharDevice
         {{- end }}
+        {{- if or (eq .Values.workloadAttestors.k8s.verification.type "hostCert") (eq .Values.workloadAttestors.k8s.verification.type "auto") }}
+        - name: host-cert-isolated
+          emptyDir: {}
+        - name: host-cert
+          hostPath:
+            path: {{ .Values.workloadAttestors.k8s.verification.hostCert.basePath | quote }}
+        {{- end }}
         {{- if gt (len .Values.extraVolumes) 0 }}
         {{- toYaml .Values.extraVolumes | nindent 8 }}
         {{- end }}
+{{- end }}
+{{- end }}

charts/spire/charts/spire-agent/templates/podmonitor.yaml

@@ -5,7 +5,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
   name: {{ include "spire-agent.fullname" . }}
-  namespace: {{ $namespace }}
+  namespace: {{ $namespace | quote }}
   labels:
     {{- include "spire-agent.labels" . | nindent 4 }}
     {{- if ne (len (dig "telemetry" "prometheus" "podMonitor" "labels" (dict) .Values.global)) 0 }}
@@ -22,6 +22,6 @@ spec:
     - port: prom
   {{- if ne $namespace $podNamespace }}
   namespaceSelector:
-    kubernetes.io/metadata.name: {{ $podNamespace }}
+    kubernetes.io/metadata.name: {{ $podNamespace | quote }}
   {{- end }}  
 {{- end }}

charts/spire/charts/spire-agent/templates/roles.yaml

@@ -2,7 +2,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ include "spire-agent.fullname" . }}
+  name: {{ include "spire-agent.fullname" . | quote }}
 rules:
   - apiGroups: [""]
     resources:
@@ -15,12 +15,12 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ include "spire-agent.fullname" . }}
+  name: {{ include "spire-agent.fullname" . | quote }}
 subjects:
   - kind: ServiceAccount
-    name: {{ include "spire-agent.serviceAccountName" . }}
-    namespace: {{ include "spire-agent.namespace" . }}
+    name: {{ include "spire-agent.serviceAccountName" . | quote }}
+    namespace: {{ include "spire-agent.namespace" . | quote }}
 roleRef:
   kind: ClusterRole
-  name: {{ include "spire-agent.fullname" . }}
+  name: {{ include "spire-agent.fullname" . | quote }}
   apiGroup: rbac.authorization.k8s.io

charts/spire/charts/spire-agent/templates/scc-spire-agent.yaml

@@ -2,7 +2,7 @@
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
-  name: {{ include "spire-agent.fullname" . }}
+  name: {{ include "spire-agent.fullname" . | quote }}
 readOnlyRootFilesystem: true
 runAsUser:
   type: RunAsAny
@@ -11,13 +11,14 @@ seLinuxContext:
 supplementalGroups:
   type: RunAsAny
 users:
-  - system:serviceaccount:{{ include "spire-agent.namespace" . }}:{{ include "spire-agent.serviceAccountName" . }}
+  - {{ printf "system:serviceaccount:%s:%s" (include "spire-agent.namespace" .) (include "spire-agent.serviceAccountName" .) | quote }}
 volumes:
   - configMap
   - hostPath
   - projected
   - secret
   - emptyDir
+allowedCapabilities: null
 allowHostDirVolumePlugin: true
 allowHostIPC: true
 allowHostNetwork: true
@@ -25,8 +26,11 @@ allowHostPID: true
 allowHostPorts: true
 allowPrivilegeEscalation: true
 allowPrivilegedContainer: true
+defaultAddCapabilities: null
 fsGroup:
   type: RunAsAny
 groups: []
+priority: null
+requiredDropCapabilities: null
 
 {{ end }}

charts/spire/charts/spire-agent/templates/serviceaccount.yaml

@@ -2,8 +2,8 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "spire-agent.serviceAccountName" . }}
-  namespace: {{ include "spire-agent.namespace" . }}
+  name: {{ include "spire-agent.serviceAccountName" . | quote }}
+  namespace: {{ include "spire-agent.namespace" . | quote }}
   labels:
     {{- include "spire-agent.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}

charts/spire/charts/spire-agent/values.schema.json

@@ -0,0 +1,50 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "type": "object",
+  "properties": {
+    "server": {
+      "type": "object",
+      "properties": {
+        "port": {
+          "type": "integer",
+          "minimum": 1
+        }
+      }
+    },
+    "healthChecks": {
+      "type": "object",
+      "properties": {
+        "port": {
+          "type": "integer",
+          "minimum": 1
+        }
+      }
+    },
+    "livenessProbe": {
+      "type": "object",
+      "properties": {
+        "initialDelaySeconds": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "periodSeconds": {
+          "type": "integer",
+          "minimum": 1
+        }
+      }
+    },
+    "readinessProbe": {
+      "type": "object",
+      "properties": {
+        "initialDelaySeconds": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "periodSeconds": {
+          "type": "integer",
+          "minimum": 1
+        }
+      }
+    }
+  }
+}

charts/spire/charts/spire-agent/values.yaml

@@ -94,26 +94,27 @@ trustDomain: example.org
 ## @param trustBundleURL If set, obtain trust bundle from url instead of Kubernetes ConfigMap
 trustBundleURL: ""
 ## @param trustBundleFormat If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe"
-trustBundleFormat: pem
+trustBundleFormat: spiffe
+## @param trustBundleHostPath If set, obtain trust bundle from a file on the host instead of from the ConfigMap
+trustBundleHostPath: ""
 ## @param bundleConfigMap Configmap name for Spire bundle
 bundleConfigMap: spire-bundle
 ## @param availabilityTarget The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h.
 availabilityTarget: ""
 
-## @param disableReattestToRenew Deprecated: Allow agent to renew certificate when it expires rather than reattest
-disableReattestToRenew: false
-
 ## @skip upstream
 upstream: false
 
 ## @param server.address Address for Spire server
 ## @param server.port Port number for Spire server
 ## @param server.namespaceOverride Override the namespace for Spire server
+## @param server.nameOverride Override the name for Spire server. Should only be changed when building your own nested chart to ensure names align.
 ##
 server:
   address: ""
-  port: 8081
+  port: 443
   namespaceOverride: ""
+  nameOverride: ""
 
 healthChecks:
   ## @param healthChecks.port override the host port used for health checking
@@ -140,21 +141,6 @@ readinessProbe:
   initialDelaySeconds: 10
   periodSeconds: 30
 
-waitForIt:
-  ## @param waitForIt.image.registry The OCI registry to pull the image from
-  ## @param waitForIt.image.repository The repository within the registry
-  ## @param waitForIt.image.pullPolicy The image pull policy
-  ## @param waitForIt.image.tag Overrides the image tag whose default is the chart appVersion
-  ##
-  image:
-    registry: cgr.dev
-    repository: chainguard/wait-for-it
-    pullPolicy: IfNotPresent
-    tag: latest@sha256:caead414307e81dbdd86d30662fdfe1b999dd4ce8a10fa667dab3438d0eed193
-
-  ## @param waitForIt.resources [object] Resource requests and limits
-  resources: {}
-
 # When running as non root, needed to ensure the socket path has the correct permissions.
 # Set runAsUser to a non-zero value in podSecurityContext to run as non-root user.
 fsGroupFix:
@@ -167,7 +153,7 @@ fsGroupFix:
     registry: cgr.dev
     repository: chainguard/bash
     pullPolicy: Always
-    tag: latest@sha256:81f0b434b297453ff101de0b5f4f5cd8d4af1c015a1d34162e9ae9a4a9f38669
+    tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679
 
   ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
   resources: {}
@@ -176,11 +162,23 @@ keyManager:
   memory:
     ## @param keyManager.memory.enabled Enable the memory based Key Manager
     enabled: true
+  disk:
+    ## @param keyManager.disk.enabled Enable the disk based Key Manager (must have persistence.type set to hostPath when enabled)
+    enabled: false
 
 nodeAttestor:
-  k8sPsat:
-    ## @param nodeAttestor.k8sPsat.enabled Enable Psat k8s Node Attestor
+  k8sPSAT:
+    ## @param nodeAttestor.k8sPSAT.enabled Enable PSAT k8s Node Attestor
     enabled: true
+  httpChallenge:
+    ## @param nodeAttestor.httpChallenge.enabled Enable the http challenge Node Attestor
+    enabled: false
+    ## @param nodeAttestor.httpChallenge.agentname Name of this agent. Useful if you have multiple agents bound to different spire servers on the same host and sharing the same port.
+    agentname: default
+    ## @param nodeAttestor.httpChallenge.port The port to listen on. If 0, a random value will be used.
+    port: 0
+    ## @param nodeAttestor.httpChallenge.advertisedPort The port to tell the server to call back on. Set only if your using an http proxy on the hosts. If 0, will use the port setting.
+    advertisedPort: 0
   tpmDirect:
     ## @param nodeAttestor.tpmDirect.enabled Enable the direct TPM node attestor, a 3rd party plugin by Boxboat. This plugin is experimental.
     enabled: false
@@ -191,16 +189,16 @@ nodeAttestor:
       ## @param nodeAttestor.tpmDirect.plugin.image.tag Overrides the image tag
       ##
       image:
-        registry: docker.io
-        repository: boxboat/spire-tpm-plugin-tpm-attestor-agent
+        registry: ghcr.io
+        repository: spiffe/spire-tpm-plugin-tpm-attestor-agent
         pullPolicy: IfNotPresent
-        tag: "v1.8.7"
+        tag: "v1.9.0"
       ## @param nodeAttestor.tpmDirect.plugin.checksum The sha256 checksum of the plugin binary
-      checksum: 1d7c73ccac948ee86cbd78ddde2d30128a1838b403f7bb2100d38d916a252244
+      checksum: 22f67063f1699330e70cdedc9b923e517688f5ae71085a26bd9b83b3060ee86e
       ## @param nodeAttestor.tpmDirect.plugin.path The filename in the container of the plugin
       path: /app/tpm_attestor_agent
     pubHash:
-      ## @param nodeAttestor.tpmDirect.pubHash.enabled Enable Psat k8s nodeattestor
+      ## @param nodeAttestor.tpmDirect.pubHash.enabled Display pubhash in logs
       enabled: true
       ## @param nodeAttestor.tpmDirect.pubHash.image.registry The OCI registry to pull the image from
       ## @param nodeAttestor.tpmDirect.pubHash.image.repository The repository within the registry
@@ -208,10 +206,13 @@ nodeAttestor:
       ## @param nodeAttestor.tpmDirect.pubHash.image.tag Overrides the image tag
       ##
       image:
-        registry: docker.io
-        repository: boxboat/spire-tpm-plugin-get-tpm-pubhash
+        registry: ghcr.io
+        repository: spiffe/spire-tpm-plugin-get-tpm-pubhash
         pullPolicy: IfNotPresent
-        tag: "v1.8.7"
+        tag: "v1.9.0"
+  awsIID:
+    ## @param nodeAttestor.awsIID.enabled Enable the aws_iid Node Attestor
+    enabled: false
 
 # workloadAttestors determine a workload's properties and then generate a set of selectors associated with it.
 workloadAttestors:
@@ -222,22 +223,32 @@ workloadAttestors:
   k8s:
     ## @param workloadAttestors.k8s.enabled Enables the Kubernetes workload attestor
     enabled: true
-    ## @param workloadAttestors.k8s.skipKubeletVerification If true, kubelet certificate verification is skipped
-    skipKubeletVerification: true
+    verification:
+      ## @param workloadAttestors.k8s.verification.type What kind of verification to do against kubelet. auto will first attempt to use hostCert, and then fall back to apiServerCA. Valid options are [auto, hostCert, apiServerCA, skip]
+      type: skip
+      hostCert:
+        ## @param workloadAttestors.k8s.verification.hostCert.basePath Path where kubelet places its certificates
+        basePath: /var/lib/kubelet/pki
+        ## @param workloadAttestors.k8s.verification.hostCert.fileName File name where kubelet places its certificates. If blank, it will be auto detected.
+        fileName: ""
     ## @param workloadAttestors.k8s.disableContainerSelectors Set to true if using holdApplicationUntilProxyStarts in Istio
     disableContainerSelectors: false
+    ## @param workloadAttestors.k8s.useNewContainerLocator If true, enables the new container locator algorithm that has support for cgroups v2. Defaults to true
+    useNewContainerLocator: true
+    ## @param workloadAttestors.k8s.verboseContainerLocatorLogs If true, enables verbose logging of mountinfo and cgroup information used to locate containers. Defaults to false
+    verboseContainerLocatorLogs: false
 
 sds:
   ## @param sds.enabled Enables Envoy SDS configuration
   enabled: false
-  ## @param sds.defaultSvidName The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS
-  defaultSvidName: "default"
+  ## @param sds.defaultSVIDName The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS
+  defaultSVIDName: "default"
   ## @param sds.defaultBundleName The Validation Context resource name to use for the default X.509 bundle with Envoy SDS
   defaultBundleName: "ROOTCA"
   ## @param sds.defaultAllBundlesName The Validation Context resource name to use for all bundles (including federated) with Envoy SDS
   defaultAllBundlesName: "ALL"
-  ## @param sds.disableSpiffeCertValidation Disable Envoy SDS custom validation
-  disableSpiffeCertValidation: false
+  ## @param sds.disableSPIFFECertValidation Disable Envoy SDS custom validation
+  disableSPIFFECertValidation: false
 
 telemetry:
   prometheus:
@@ -252,6 +263,13 @@ telemetry:
       namespace: ""
       ## @param telemetry.prometheus.podMonitor.labels [object] Pod labels to filter for prometheus monitoring
       labels: {}
+  datadog:
+    ## @param telemetry.datadog.enabled Flag to enable datadog monitoring
+    enabled: false
+    ## @param telemetry.datadog.address The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc`
+    address: "datadog.kube-system.svc"
+    ## @param telemetry.datadog.port The port of the datadog service to send metrics to
+    port: 8125
 
 ## @param kubeletConnectByHostname If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise.
 kubeletConnectByHostname: ""
@@ -275,11 +293,26 @@ socketAlternate:
     registry: cgr.dev
     repository: chainguard/bash
     pullPolicy: Always
-    tag: latest@sha256:81f0b434b297453ff101de0b5f4f5cd8d4af1c015a1d34162e9ae9a4a9f38669
+    tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679
 
   ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
   resources: {}
 
+hostCert:
+  ## @param hostCert.image.registry The OCI registry to pull the image from
+  ## @param hostCert.image.repository The repository within the registry
+  ## @param hostCert.image.pullPolicy The image pull policy
+  ## @param hostCert.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: cgr.dev
+    repository: chainguard/min-toolkit-debug
+    pullPolicy: IfNotPresent
+    tag: latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53
+
+  ## @param hostCert.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+  resources: {}
+
 ## @param priorityClassName Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName.
 priorityClassName: ""
 
@@ -328,6 +361,33 @@ experimental:
   ## @param experimental.featureFlags [array] List of developer feature flags
   featureFlags: []
 
+## @param agents Configure multiple agent DaemonSets. Useful when you have different node types and nodeAttestors
+agents: {}
+#  default:
+#   nodeSelector:
+#     tpm: without
+#  tpm:
+#    nodeSelector:
+#      tpm: with
+#    nodeAttestor:
+#      k8sPSAT:
+#        enabled: false
+#      tpmDirect:
+#        enabled: true
+
+tools:
+  kubectl:
+    ## @param tools.kubectl.image.registry The OCI registry to pull the image from
+    ## @param tools.kubectl.image.repository The repository within the registry
+    ## @param tools.kubectl.image.pullPolicy The image pull policy
+    ## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion
+    ##
+    image:
+      registry: registry.k8s.io
+      repository: kubectl
+      pullPolicy: IfNotPresent
+      tag: ""
+
 sockets:
   ## @param sockets.hostBasePath Path on which the agent socket is made available when admin.mountOnHost is true
   hostBasePath: /run/spire/agent/sockets
@@ -336,3 +396,10 @@ sockets:
   admin:
     enabled: false
     mountOnHost: false
+
+## @param persistence.type What type of volume to use for persistence. Valid options emptyDir (reattestable node attestors) or hostPath (nonr-reattestable node attestors)
+## @param persistence.hostPath Which path to use on the host when persistence.type = hostPath
+##
+persistence:
+  type: emptyDir
+  hostPath: /var/lib/spire/k8s/agent