Bump test chart dependencies (#641 )

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com> Co-authored-by: kfox1111 <Kevin.Fox@pnnl.gov>
Add Datadog as telemetry option (#639 )
2025-08-07 07:27:41 -07:00 · 2025-08-07 07:03:15 -07:00 · 2025-08-05 03:27:50 -07:00 · 2025-07-28 12:42:44 -07:00 · 2025-07-28 12:30:10 -07:00 · 2025-07-28 07:19:58 -07:00
299 changed files with 18615 additions and 1295 deletions
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@ -0,0 +1,82 @@
 FROM ubuntu:22.04
 RUN \
  apt-get update && \
  apt-get install -y bash ca-certificates gnupg make curl vim sudo jq && \
  curl -sL https://deb.nodesource.com/setup_18.x -o nodesource_setup.sh && \
  mkdir -p /etc/apt/keyrings && \
  curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
  echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | sudo tee /etc/apt/sources.list.d/nodesource.list && \
  apt-get update && \
  apt-get install -y nodejs && \
  apt-get clean && \
  curl -o /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.35.2/yq_linux_amd64 && \
  chmod +x /usr/local/bin/yq
 RUN \
  curl -q -l -o /tmp/go.tgz "https://dl.google.com/go/go1.21.4.linux-amd64.tar.gz" && \
  cd /usr/local && \
  tar -xvf /tmp/go.tgz && \
  rm -f /tmp/go.tgz && \
  cd /
 RUN \
  curl -L -o /usr/local/bin/minikube https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 && \
  chmod +x /usr/local/bin/minikube && \
  curl -L -o /usr/local/bin/kubectl "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
  chmod +x /usr/local/bin/kubectl
 RUN \
  curl -fsSL -o /tmp/get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && \
  chmod +x /tmp/get_helm.sh && \
  /tmp/get_helm.sh && \
  rm /tmp/get_helm.sh
 RUN \
  groupadd -g 10001 dev && \
  useradd --uid 10001 -g 10001 -m dev && \
  echo 'dev ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/dev && \
  chmod 400 /etc/sudoers.d/dev
 ENV PATH /usr/local/go/bin:$PATH
 RUN \
  npm install -g "@bitnami/readme-generator-for-helm@2.6.0"
 RUN \
  go install github.com/onsi/ginkgo/v2/ginkgo@latest
 RUN \
  apt-get install -y git zsh strace lsof graphviz && \
  mv /root/go/bin/ginkgo /usr/local/bin
 RUN \
  curl -L -o /tmp/ct.tar.gz https://github.com/helm/chart-testing/releases/download/v3.8.0/chart-testing_3.8.0_linux_amd64.tar.gz && \
  cd /usr/local/bin && \
  tar -xvf /tmp/ct.tar.gz ct && \
  cd / && \
  tar -xvf /tmp/ct.tar.gz etc && \
  mkdir /etc/ct && \
  mv /etc/chart_schema.yaml /etc/ct/ && \
  mv /etc/lintconf.yaml /etc/ct/ && \
  curl -o /tmp/gh.tar.gz https://github.com/cli/cli/releases/download/v2.40.0/gh_2.40.0_linux_amd64.tar.gz -L && \
  cd && \
  cd /tmp && \
  tar -zxvf gh.tar.gz && \
  mv gh_*_linux_amd64/bin/* /usr/local/bin && \
  mkdir -p /usr/local/share/main/man1/ && \
  mv gh_*_linux_amd64/share/man/man1/* /usr/local/share/main/man1/ && \
  cd
 RUN \
  cd /tmp && \
  git clone https://github.com/devcontainers/features && \
  cd features/src/docker-in-docker && \
  export MOBY=true && \
  export INSTALLDOCKERBUILDX=false && \
  ./install.sh && \
  cd ../../../ && \
  rm -rf features
 RUN \
  usermod -a -G docker dev
 USER dev
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -0,0 +1,30 @@
 {
 	"name": "spiffe-helm-charts-hardened",
 	"image": "ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest",
 	"features": {
 		"ghcr.io/devcontainers/features/docker-in-docker:2": {
 			"version": "latest",
 			"moby": true,
 			"installDockerBuildx": false
 		}
 	},
 	"customizations": {
 		"vscode": {
 			"extensions": [
 				"ms-kubernetes-tools.vscode-kubernetes-tools"
 			],
 			"settings": {
 				"terminal.integrated.defaultProfile.linux": "bash",
 				"terminal.integrated.profiles.linux": {
 					"zsh": { "path": "/bin/zsh" },
 					"bash": { "path": "/bin/bash" }
 				}
 			}
 		}
 	},
 	"postStartCommand": "minikube start && helm upgrade --install -n spire-server spire-crds charts/spire-crds --create-namespace && kubectl version",
 	"hostRequirements": {
 		"cpus": 1
 	},
 	"remoteUser": "dev"
 }
--- a/.editorconfig
+++ b/.editorconfig
@ -8,3 +8,8 @@ indent_size = 2
 tab_width = 2
 trim_trailing_whitespace = true
 insert_final_newline = true
 [Makefile,*.go,*.mod]
 indent_style = tab
 indent_size = 4
 tab_width = 4
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@ -12,3 +12,18 @@ updates:
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
  - package-ecosystem: gomod
    directory: "/tests"
    schedule:
      interval: daily
    open-pull-requests-limit: 5
  - package-ecosystem: pip
    directory: "/.github/scripts"
    schedule:
      interval: daily
    groups:
      python-packages:
        patterns:
          - "*"
--- a/.github/kind/conf/kind-config.yaml
+++ b/.github/kind/conf/kind-config.yaml
@ -15,3 +15,6 @@ kubeadmConfigPatches:
        # admission-control-config-file: /etc/kubernetes/pki/admctrl/admission-control.yaml
 nodes:
  - role: control-plane
  - role: worker
  - role: worker
  - role: worker
--- a/.github/scripts/edit-yaml.py
+++ b/.github/scripts/edit-yaml.py
@ -0,0 +1,24 @@
 #!/usr/bin/env python3
 import os
 import sys
 from dict_deep import deep_set
 import ruamel.yaml
 def represent_none(self, data):
    return self.represent_scalar(u'tag:yaml.org,2002:null', u'null')
 y = ruamel.yaml.YAML()
 y.indent(mapping=2, sequence=4, offset=2)
 # Dont wrap long lines
 y.width = 4096
 y.preserve_quotes = True
 y.representer.add_representer(type(None), represent_none)
 d = y.load(open(os.environ['VALUES']))
 tagquery = os.environ['QUERY'] + '.tag'
 deep_set(d, tagquery, os.environ['LATEST_VERSION']);
 y.dump(d, sys.stdout)
--- a/.github/scripts/parse-versions.sh
+++ b/.github/scripts/parse-versions.sh
@ -0,0 +1,14 @@
 #!/usr/bin/env bash
 TESTS_PATH="$(dirname "${BASH_SOURCE[0]}")/../tests"
 # Set repo and version env variables
 REPOS=$(jq -r '.[] | "export " + ("HELM_REPO_" + .name | ascii_upcase | gsub("-";"_")) + "=" + .repo' "${TESTS_PATH}/charts.json")
 VERSIONS=$(jq -r '.[] | "export " + ("VERSION_" + .name | ascii_upcase | gsub("-";"_")) + "=" + .version' "${TESTS_PATH}/charts.json")
 eval "$REPOS"
 eval "$VERSIONS"
 REGISTRIES=$(jq -r '.[] | "export " + ("HELM_REGISTRY_" + .name | ascii_upcase | gsub("-";"_")) + "=oci://" + .registry' "${TESTS_PATH}/oci-charts.json")
 VERSIONS=$(jq -r '.[] | "export " + ("VERSION_" + .name | ascii_upcase | gsub("-";"_")) + "=" + .version' "${TESTS_PATH}/oci-charts.json")
 eval "$REGISTRIES"
 eval "$VERSIONS"
--- a/.github/scripts/requirements.txt
+++ b/.github/scripts/requirements.txt
@ -0,0 +1,2 @@
 ruamel.yaml
 dict_deep
--- a/.github/scripts/update-tags.sh
+++ b/.github/scripts/update-tags.sh
@ -0,0 +1,74 @@
 #!/usr/bin/env bash
 SCRIPT="$(readlink -f "$0")"
 SCRIPTPATH="$(dirname "${SCRIPT}")"
 IMAGEJSON="${SCRIPTPATH}/../tests/images.json"
 if ! command -v crane &> /dev/null; then
  echo Please install crane
  exit 1
 fi
 if ! command -v jq &> /dev/null; then
  echo Please install jq
  exit 1
 fi
 if ! command -v yq &> /dev/null; then
  echo Please install yq
  exit 1
 fi
 if ! command -v npm &> /dev/null; then
  echo Please install npm
  exit 1
 fi
 if ! command -v python3 -c 'import ruamel.yaml' &> /dev/null; then
  echo Please install python3 with the ruamel.yaml module
  exit 1
 fi
 if ! command -v python3 -c 'import dict_deep' &> /dev/null; then
  echo Please install python3 with the dict_deep module
  exit 1
 fi
 jq -r '. | keys[]' "$IMAGEJSON" | while read -r CHART; do
  jq -r ".\"${CHART}\" | keys[]" "$IMAGEJSON" | while read -r IDX; do
    QUERY=$(jq -r ".\"${CHART}\"[${IDX}].query" "$IMAGEJSON")
    FILTER=$(jq -r ".\"${CHART}\"[${IDX}].filter" "$IMAGEJSON")
    OLD_IFS=${IFS}
    SORTFLAGS=()
    while IFS='' read -r value; do
      SORTFLAGS+=("$value")
    done < <(jq -r ".\"${CHART}\"[${IDX}].\"sort-flags\" | .[]" "$IMAGEJSON")
    IFS=${OLD_IFS}
    VALUES="${SCRIPTPATH}/../../charts/spire/charts/${CHART}"
    REGISTRY=$(yq e ".${QUERY}.registry" "$VALUES")
    REPOSITORY=$(yq e ".${QUERY}.repository" "$VALUES")
    VERSION=$(yq e ".${QUERY}.tag" "$VALUES")
    if [[ "$REGISTRY" != "" ]]; then
      REGISTRY="$REGISTRY/"
    fi
    if [[ "$FILTER" == "LATESTSHA" ]]; then
      LATEST_VERSION="latest@"$(crane digest "${REGISTRY}${REPOSITORY}:latest")
    else
      LATEST_VERSION=$(crane ls "${REGISTRY}${REPOSITORY}" | grep "${FILTER}" | sort "${SORTFLAGS[@]}" | tail -n 1)
    fi
    export QUERY
    export VALUES
    export LATEST_VERSION
    if [ "${VERSION}" != "${LATEST_VERSION}" ]; then
      echo "New image version found: ${REGISTRY}${REPOSITORY}:${LATEST_VERSION}"
      "${SCRIPTPATH}/edit-yaml.py" > /tmp/$$
      mv /tmp/$$ "${VALUES}"
    fi
  done
 done
 "${SCRIPTPATH}/../../helm-docs.sh" || true
--- a/.github/scripts/update-versions.sh
+++ b/.github/scripts/update-versions.sh
@ -0,0 +1,42 @@
 #!/usr/bin/env bash
 SCRIPT="$(readlink -f "$0")"
 SCRIPTPATH="$(dirname "${SCRIPT}")"
 CHARTJSON="${SCRIPTPATH}/../tests/charts.json"
 jq -r ".[].name" "${CHARTJSON}" | while read -r CHART; do
  ENTRYQUERY='.[] | select(.name == "'$CHART'")'
  REPO_URL="$(jq -r "$ENTRYQUERY | .repo" "${CHARTJSON}")"
  VERSION="$(jq -r "$ENTRYQUERY | .version" "${CHARTJSON}")"
  echo Processing: "${CHART}"
  echo "  repo: ${REPO_URL}"
  echo "  current version: ${VERSION}"
  helm repo add "${CHART}" "${REPO_URL}" > /dev/null
  helm repo update "${CHART}" > /dev/null
  LATEST_VERSION=$(helm search repo --regexp "${CHART}/${CHART}\v" -o json | jq -r '.[0].version')
  echo "  latest version: ${LATEST_VERSION}"
  if [ "x${VERSION}" != "x${LATEST_VERSION}" ]; then
    echo "  New version found!"
    jq "(${ENTRYQUERY}).version |= \"${LATEST_VERSION}\"" "${CHARTJSON}" > /tmp/$$
    mv /tmp/$$ "${CHARTJSON}"
  fi
 done
 CHARTJSON="${SCRIPTPATH}/../tests/oci-charts.json"
 jq -r ".[].name" "${CHARTJSON}" | while read -r NAME; do
  ENTRYQUERY='.[] | select(.name == "'$NAME'")'
  REGISTRY="$(jq -r "$ENTRYQUERY | .registry" "${CHARTJSON}")"
  VERSION="$(jq -r "$ENTRYQUERY | .version" "${CHARTJSON}")"
  echo Processing: "${NAME}"
  echo "  chart: ${REGISTRY}"
  echo "  current version: ${VERSION}"
  LATEST_VERSION=$(crane ls "$REGISTRY" | grep 'v\?[0-9]*\.[0-9]*\.[0-9]\.*$' | sort -V -r | head -n 1)
  echo "  latest version: ${LATEST_VERSION}"
  if [ "x${VERSION}" != "x${LATEST_VERSION}" ]; then
    echo "  New version found!"
    jq "(${ENTRYQUERY}).version |= \"${LATEST_VERSION}\"" "${CHARTJSON}" > /tmp/$$
    mv /tmp/$$ "${CHARTJSON}"
  fi
 done
--- a/.github/tests/charts.json
+++ b/.github/tests/charts.json
@ -0,0 +1,17 @@
 [
  {
    "name": "kube-prometheus-stack",
    "repo": "https://prometheus-community.github.io/helm-charts",
    "version": "75.15.1"
  },
  {
    "name": "cert-manager",
    "repo": "https://charts.jetstack.io",
    "version": "v1.18.2"
  },
  {
    "name": "ingress-nginx",
    "repo": "https://kubernetes.github.io/ingress-nginx",
    "version": "4.13.0"
  }
 ]
--- a/.github/tests/common.sh
+++ b/.github/tests/common.sh
@ -0,0 +1,113 @@
 #!/usr/bin/env bash
 GITHUB_STEP_SUMMARY="${GITHUB_STEP_SUMMARY:-/tmp/summary}"
 get_namespace_details () {
 cat <<EOF >>"$GITHUB_STEP_SUMMARY"
 ### Namespace $1
 #### Events
 \`\`\`shell
 $(kubectl --request-timeout=30s get events --output wide --namespace "$1")
 \`\`\`
 #### Pods
 \`\`\`shell
 $(kubectl --request-timeout=30s describe pods --namespace "$1")
 \`\`\`
 #### Logs
 \`\`\`shell
 $(kubectl get pods -o name -n "$1" | while read -r line; do echo logs for "${line}"; kubectl logs -n "$1" "${line}" --prefix --all-containers=true --ignore-errors=true; done)
 $( ([[ -n "$2" ]] && kubectl get pods -o name -n "$2") | while read -r line; do echo logs for "${line}"; kubectl logs -n "$2" "${line}" --all-containers=true --ignore-errors=true; done)
 \`\`\`
 EOF
 }
 k_wait () {
  kubectl wait --for condition=available --timeout 30s --namespace "$1" "$2" "$3" | tail -n 1
 }
 k_rollout_status () {
  kubectl rollout status --watch --timeout 30s --namespace "$1" "$2" "$3" | tail -n 1
 }
 get_spire_release_name () {
  helm ls -A | grep '^spire' | grep -v spire-crds | awk '{print $1}'
 }
 print_spire_workload_status () {
  local ns1
  local ns2
  ns1="$1"
  ns2="${2:-$1}"
  release_name="$(get_spire_release_name)"
  cat <<EOF >>"$GITHUB_STEP_SUMMARY"
 ### Spire
 | Namespace | Workload                                       | Status |
 | --------- | ---------------------------------------------- | ------ |
 | ${ns1}    | ${release_name}-server                         | <pre>$(k_rollout_status "${ns1}" statefulset "${release_name}-server")</pre> |
 | ${ns1}    | ${release_name}-server                         | <pre>$(k_rollout_status "${ns1}" deployments.apps "${release_name}-server")</pre> |
 | ${ns2}    | ${release_name}-spiffe-csi-driver              | <pre>$(k_rollout_status "${ns2}" daemonset "${release_name}-spiffe-csi-driver")</pre> |
 | ${ns2}    | ${release_name}-agent                          | <pre>$(k_rollout_status "${ns2}" daemonset "${release_name}-agent")</pre> |
 | ${ns1}    | ${release_name}-spiffe-oidc-discovery-provider | <pre>$(k_rollout_status "${ns1}" deployments.apps "${release_name}-spiffe-oidc-discovery-provider")</pre> |
 EOF
 }
 print_helm_releases () {
  cat <<EOF >>"$GITHUB_STEP_SUMMARY"
 ### Releases
 $(helm ls -A | sed 's/\t/ | /g' | sed 's/^/| /' | sed 's/$/ |/' | sed '/^| NAME.*/a| - | - | - | - | - | - | - |')
 EOF
 }
 common_test_url () (
 count=10
 while true; do
        if curl "$1"; then exit 0; fi
        sleep 2
        count=$((count-1))
        [ $count -le 0 ] && exit 1
 done
 )
 common_test_file_exists () (
 count=20
 while true; do
        if [ -f "$1" ]; then exit 0; fi
        sleep 2
        count=$((count-1))
        [ $count -le 0 ] && exit 1
 done
 )
 # Used just for testing. You should provide your own values as described in the install instructions.
 common_test_your_values () {
 cat > /tmp/$$.example-your-values.yaml <<EOF
 global:
  spire:
    recommendations:
      enabled: true
    clusterName: production
    trustDomain: production.other
    caSubject:
      country: US
      organization: Production
      commonName: production.other
 EOF
 echo "/tmp/$$.example-your-values.yaml"
 }
 COMMON_TEST_YOUR_VALUES="$(common_test_your_values)"
 export COMMON_TEST_YOUR_VALUES
--- a/.github/tests/upstream-authority-disk/create-cert.sh
+++ b/.github/tests/upstream-authority-disk/create-cert.sh
--- a/.github/tests/dependencies/mysql.yaml
+++ b/.github/tests/dependencies/mysql.yaml
@ -0,0 +1,12 @@
 primary:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: [ALL]
    seccompProfile:
      type: RuntimeDefault
 auth:
  database: spire-server
  username: spire
  password: sp1ff3Test
  rootPassword: sp1ff3TestPassword
--- a/.github/tests/dependencies/postgresql.yaml
+++ b/.github/tests/dependencies/postgresql.yaml
@ -0,0 +1,13 @@
 primary:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    runAsNonRoot: true
    capabilities:
      drop: [ALL]
    seccompProfile:
      type: RuntimeDefault
 auth:
  database: spire-server
  username: spire
  password: sp1ff3Test
  postgresPassword: sp1ff3TestPassword
--- a/.github/tests/dependencies/testcert.yaml
+++ b/.github/tests/dependencies/testcert.yaml
@ -0,0 +1,52 @@
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: selfsigned-issuer
 spec:
  selfSigned: {}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: demo-selfsigned-ca
 spec:
  isCA: true
  commonName: demo-selfsigned-ca
  secretName: root-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
  subject:
    countries:
    - US
    organizations:
    - test
    organizationalUnits:
    - test
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: demo-ca
 spec:
  ca:
    secretName: root-secret
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: oidc
 spec:
  dnsNames:
    - oidc-discovery.production.other
    - spire-server-federation.production.other
  secretName: tls-cert
  issuerRef:
    name: demo-ca
    kind: Issuer
    group: cert-manager.io
--- a/.github/tests/upstream-authority-disk/example-org.key
+++ b/.github/tests/upstream-authority-disk/example-org.key
--- a/.github/tests/upstream-authority-disk/example-org.pem
+++ b/.github/tests/upstream-authority-disk/example-org.pem
--- a/.github/tests/images.json
+++ b/.github/tests/images.json
@ -0,0 +1,85 @@
 {
  "spire-server/values.yaml": [
    {
      "query": "tests.bash.image",
      "filter": "LATESTSHA",
      "sort-flags": []
    },
    {
      "query": "chown.image",
      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
    },
    {
      "query": "tools.busybox.image",
      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
    }
  ],
  "spire-agent/values.yaml": [
    {
      "query": "socketAlternate.image",
      "filter": "LATESTSHA",
      "sort-flags": []
    },
    {
      "query": "hostCert.image",
      "filter": "LATESTSHA",
      "sort-flags": []
    },
    {
      "query": "fsGroupFix.image",
      "filter": "LATESTSHA",
      "sort-flags": []
    }
  ],
  "spiffe-csi-driver/values.yaml": [
    {
      "query": "nodeDriverRegistrar.image",
      "filter": "^v",
      "sort-flags": []
    }
  ],
  "spiffe-oidc-discovery-provider/values.yaml": [
    {
      "query": "insecureScheme.nginx.image",
      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-alpine$",
      "sort-flags": []
    }, {
      "query": "telemetry.prometheus.nginxExporter.image",
      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$",
      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
    }, {
      "query": "tests.step.image",
      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$",
      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
    },
    {
      "query": "tests.bash.image",
      "filter": "LATESTSHA",
      "sort-flags": []
    },
    {
      "query": "tests.toolkit.image",
      "filter": "LATESTSHA",
      "sort-flags": []
    },
    {
      "query": "tests.busybox.image",
      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
    },
    {
      "query": "spiffeHelper.image",
      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$",
      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
    }
  ],
  "tornjak-frontend/values.yaml": [
    {
      "query": "tests.bash.image",
      "filter": "LATESTSHA",
      "sort-flags": []
    }
  ]
 }
--- a/.github/tests/oci-charts.json
+++ b/.github/tests/oci-charts.json
@ -0,0 +1,17 @@
 [
  {
    "name": "mysql",
    "registry": "docker.io/bitnamicharts/mysql",
    "version": "14.0.0"
  },
  {
    "name": "postgresql",
    "registry": "docker.io/bitnamicharts/postgresql",
    "version": "16.7.9"
  },
  {
    "name": "envoy-gateway",
    "registry": "docker.io/envoyproxy/gateway-helm",
    "version": "v1.4.2"
  }
 ]
--- a/.github/tests/post-install.sh
+++ b/.github/tests/post-install.sh
@ -0,0 +1,11 @@
 #!/usr/bin/env bash
 set -x
 SCRIPT="$(readlink -f "$0")"
 SCRIPTPATH="$(dirname "${SCRIPT}")"
 # shellcheck source=/dev/null
 source "${SCRIPTPATH}/common.sh"
 print_helm_releases
--- a/.github/tests/pre-install.sh
+++ b/.github/tests/pre-install.sh
@ -0,0 +1,49 @@
 #!/usr/bin/env bash
 set -xe
 SCRIPT="$(readlink -f "$0")"
 SCRIPTPATH="$(dirname "${SCRIPT}")"
 DEPS="${SCRIPTPATH}/dependencies"
 # shellcheck source=/dev/null
 source "${SCRIPTPATH}/../scripts/parse-versions.sh"
 helm_install=(helm upgrade --install --create-namespace)
 # namespace override
 kubectl create namespace spire-system || true
 kubectl create namespace spire-server || true
 # nginx ingress
 "${helm_install[@]}" ingress-nginx ingress-nginx --version "${VERSION_INGRESS_NGINX}" --repo "${HELM_REPO_INGRESS_NGINX}" \
  --namespace ingress-nginx \
  --set controller.extraArgs.enable-ssl-passthrough=
 kubectl wait --namespace ingress-nginx --for=condition=ready --timeout 60s pod --selector=app.kubernetes.io/component=controller
 # prometheus
 "${helm_install[@]}" kube-prometheus-stack kube-prometheus-stack \
  --namespace prometheus \
  --version "${VERSION_KUBE_PROMETHEUS_STACK}" \
  --repo "${HELM_REPO_KUBE_PROMETHEUS_STACK}" \
  --wait
 # cert-manager
 "${helm_install[@]}" cert-manager cert-manager --version "$VERSION_CERT_MANAGER" --repo "$HELM_REPO_CERT_MANAGER" \
  --namespace cert-manager \
  --set installCRDs=true \
  --wait
 # external database
 # mysql
 "${helm_install[@]}" mysql "${HELM_REGISTRY_MYSQL}" --version "$VERSION_MYSQL" \
  --namespace mysql \
  --values "${DEPS}/mysql.yaml" \
  --wait
 # postgres
 "${helm_install[@]}" postgresql "${HELM_REGISTRY_POSTGRESQL}" --version "$VERSION_POSTGRESQL" \
  --namespace postgresql \
  --values "${DEPS}/postgresql.yaml" \
  --wait
--- a/.github/tests/spire-oidc-insecure/values.yaml
+++ b/.github/tests/spire-oidc-insecure/values.yaml
@ -1,12 +0,0 @@
 spiffe-oidc-discovery-provider:
  enabled: true
  insecureScheme:
    enabled: true
  config:
    domains:
      - oidc-discovery.example.org
    acme:
      tosAccepted: false
--- a/.github/workflows/check-versions.yaml
+++ b/.github/workflows/check-versions.yaml
@ -0,0 +1,85 @@
 name: Check versions
 on:
  schedule:
    - cron: '0 8 * * 1'
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
 env:
  HELM_VERSION: v3.11.1
 jobs:
  check-helm-chart-versions:
    runs-on: ubuntu-22.04
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4.1.1
      - name: Set up Helm
        uses: azure/setup-helm@v3.5
        with:
          version: ${{ env.HELM_VERSION }}
      - name: Setup crane
        uses: imjasonh/setup-crane@v0.3
      - name: Update test chart versions
        run: |
          ./.github/scripts/update-versions.sh
          git diff
      - name: Setup go
        uses: actions/setup-go@v5.0.0
        with:
          go-version: '1.21'
          cache: false
      - uses: actions/setup-python@v5
        with:
          python-version: '3.9'
      - name: Install ubuntu packages
        run: sudo apt-get install wget apt-transport-https gnupg lsb-release
      - name: Install yq
        run: go install github.com/mikefarah/yq/v4@latest
      - name: Install python dependencies
        run: pip install -r .github/scripts/requirements.txt
      - name: Update image tags
        run: |
          ./.github/scripts/update-tags.sh
          git diff
      - name: Generate Token
        uses: tibdex/github-app-token@v2.1.0
        id: generate-token
        with:
          app_id: ${{ vars.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
      - name: Create Pull Request
        id: cpr
        uses: peter-evans/create-pull-request@v6.0.2
        with:
          token: ${{ steps.generate-token.outputs.token }}
          title: Bump test chart dependencies
          branch: bump-test-chart-deps
          commit-message: Bump test chart dependencies
          body: Bump the Helm charts used in test scenarios to latest available versions.
          signoff: true
          add-paths: |
            .github/tests
            charts
      - name: Check outputs
        if: ${{ steps.cpr.outputs.pull-request-number }}
        run: 'echo "::notice title=PR #${{ steps.cpr.outputs.pull-request-number }}::${{ steps.cpr.outputs.pull-request-url }}"'
--- a/.github/workflows/helm-chart-ci-ignore.yaml
+++ b/.github/workflows/helm-chart-ci-ignore.yaml
@ -0,0 +1,118 @@
 name: Helm Chart CI
 on:
  pull_request:
    types: [synchronize, opened, reopened]
    paths-ignore:
      - 'charts/**'
      - '.github/workflows/helm-chart-ci.yaml'
      - '.github/kind/conf/kind-config.yaml'
      - '.github/tests/**/*.yaml'
      - '.github/tests/**/*.sh'
      - '.github/tests/**/*.json'
      - 'examples/**/*.yaml'
      - 'helm-docs.sh'
 jobs:
  lint-chart:
    runs-on: ubuntu-22.04
    steps:
      - run: 'echo "Skipping linter"'
  checks:
    runs-on: ubuntu-22.04
    steps:
      - run: 'echo "Skipping checks"'
  test:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        k8s:
          - v1.31.1
          - v1.30.4
          - v1.29.8
    steps:
      - run: 'echo "Skipping tests"'
  build-matrix:
    name: Build matrix
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4.1.1
      - id: set-matrix-example
        name: Collect all examples
        run: |
          examples="$(find examples -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
          examples_json="$(echo "$examples" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
          echo "${examples_json}"
          echo "examples=$examples_json" >>"$GITHUB_OUTPUT"
      - id: set-matrix-integration
        name: Collect all integration tests
        run: |
          integrationtests="$(find tests/integration -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
          integrationtests_json="$(echo "$integrationtests" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
          echo "${integrationtests_json}"
          echo "integrationtests=$integrationtests_json" >>"$GITHUB_OUTPUT"
    outputs:
      examples: ${{ steps.set-matrix-example.outputs.examples }}
      integrationtests: ${{ steps.set-matrix-integration.outputs.integrationtests }}
  example-test:
    runs-on: ubuntu-22.04
    needs:
      - build-matrix
    strategy:
      matrix:
        k8s:
          - v1.31.1
          - v1.30.4
          - v1.29.8
        example:
          - ${{ fromJson(needs.build-matrix.outputs.examples) }}
    steps:
      - run: 'echo "Skipping example-test"'
  integration-test:
    runs-on: ubuntu-22.04
    needs:
      - build-matrix
    strategy:
      matrix:
        k8s:
          - v1.31.1
          - v1.30.4
          - v1.29.8
        example:
          - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}
    steps:
      - run: 'echo "Skipping integration-test"'
  upgrade-test:
    runs-on: ubuntu-22.04
    needs:
      - build-matrix
    strategy:
      matrix:
        k8s:
          - v1.31.1
          - v1.30.4
          - v1.29.8
    steps:
      - run: 'echo "Skipping upgrade-test"'
--- a/.github/workflows/helm-chart-ci.yaml
+++ b/.github/workflows/helm-chart-ci.yaml
@ -3,11 +3,17 @@ name: Helm Chart CI
 on:
  workflow_dispatch:
  pull_request:
    types: [synchronize, opened, reopened]
    paths:
      - 'charts/**'
      - '.github/workflows/helm-chart-ci.yaml'
      - '.github/kind/conf/kind-config.yaml'
      - '.github/tests/**/*.yaml'
      - '.github/tests/**/*.sh'
      - '.github/tests/**/*.json'
      - 'examples/**/*.yaml'
      - 'examples/**/*.sh'
      - 'tests/**/*'
      - 'helm-docs.sh'
 concurrency:
@ -15,27 +21,80 @@ concurrency:
  cancel-in-progress: true
 env:
-  HELM_VERSION: v3.11.1
+  HELM_VERSION: v3.16.2
-  PYTHON_VERSION: 3.11.2
+  PYTHON_VERSION: 3.11.3
-  CHART_TESTING_VERSION: v3.7.1
+  KIND_VERSION: v0.24.0
  CHART_TESTING_VERSION: v3.8.0
 jobs:
-  check-docs:
+  checks:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v3.3.0
+        uses: actions/checkout@v4.1.1
      - name: Verify Docs updated
        run: ./helm-docs.sh
      - name: Verify Spire appVersion
        run: |
          set +e
          BASEVER=$(yq e .appVersion Chart.yaml)
          for FILE in spiffe-oidc-discovery-provider spire-agent spire-server; do
            VER=$(yq .appVersion charts/$FILE/Chart.yaml)
            if [ "$VER" != "$BASEVER" ]; then
              {
                echo "## Version mismatch"
                echo
                echo "There is a mismatch between the chart version ($BASEVER) and subchart version ($VER). The issue may be in file $FILE. Please fix."
              } >> "$GITHUB_STEP_SUMMARY"
              exit 1
            fi
          done
      - name: Check objects for images without overrides
        run: |
          set +e
          set -o pipefail
          # Look for image: definitions that are not templated. If we find none, exit is not 0 and we invert the error code to get the
          # test to pass. Ignore tests for now...
          grep -r "image:" charts/spire  | grep "templates/" | grep -v 'image: {{ template "' > /tmp/findings
          res=$?
          if [ $res -eq 0 ]; then
            {
              echo "## Hardcoded images"
              echo
              echo ":x: These templates were found to be using statically defined images and not overridable ones. Please fix."
              echo
              cat /tmp/findings
            } >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi
      - name: Setup Go
        uses: actions/setup-go@v5.0.0
        with:
          go-version-file: tests/go.mod
          cache-dependency-path: tests/go.sum
          check-latest: true
      - name: Install do dependencies
        run: |
          go mod download
          go install github.com/onsi/ginkgo/v2/ginkgo@latest
        working-directory: ./tests/unit
      - name: Run Unit Tests
        run: ginkgo
        working-directory: ./tests/unit
  lint-chart:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v3.3.0
+        uses: actions/checkout@v4.1.1
        with:
          fetch-depth: 0
@ -45,61 +104,23 @@ jobs:
          version: ${{ env.HELM_VERSION }}
      - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Setup chart-testing
-        uses: helm/chart-testing-action@v2.3.1
+        uses: helm/chart-testing-action@v2.6.1
        with:
          version: ${{ env.CHART_TESTING_VERSION }}
      - name: Run chart-testing (list-changed)
        id: list-changed
        run: |
          changed=$(ct list-changed --target-branch main)
          if [[ -n "$changed" ]]; then
            echo "changed=true" >> $GITHUB_OUTPUT
          fi
      - name: Run chart-testing (lint)
-        run: |
+        run: TARGET_BRANCH=${{ github.base_ref }} make lint${{ github.base_ref == 'release' && '-release' || '' }}
          ct lint --debug \
            --target-branch main
    outputs:
      changed: ${{ steps.list-changed.outputs.changed }}
  build-matrix:
    name: Build matrix
    runs-on: ubuntu-22.04
    needs: [lint-chart]
    if: needs.lint-chart.outputs.changed == 'true'
    steps:
      - name: Checkout
        uses: actions/checkout@v3.2.0
      - id: set-matrix
        name: Collect all tests
        run: |
          tests="$(echo -e "default\n$(find .github/tests -maxdepth 1 -type d | grep -Ev 'tests$' | xargs -I % basename % | sort | uniq)")"
          tests_json="$(echo "$tests" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
          echo "tests=$tests_json" >> $GITHUB_OUTPUT
    outputs:
      tests: ${{ steps.set-matrix.outputs.tests }}
  test:
    runs-on: ubuntu-22.04
    needs:
      - lint-chart
      - build-matrix
    if: needs.lint-chart.outputs.changed == 'true'
    strategy:
      fail-fast: false
@ -109,17 +130,13 @@ jobs:
        # Kubernetes, but can go back farther as long as we don't need heroics
        # to pull it off (i.e. kubectl version juggling).
        k8s:
-          - v1.25.3
+          - v1.31.1
-          - v1.24.7
+          - v1.30.4
-          - v1.23.13
+          - v1.29.8
          - v1.22.15
          - v1.21.14
        values:
          - ${{ fromJson(needs.build-matrix.outputs.tests) }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v3.3.0
+        uses: actions/checkout@v4.1.1
        with:
          fetch-depth: 0
@ -129,29 +146,201 @@ jobs:
          version: ${{ env.HELM_VERSION }}
      - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Setup chart-testing
-        uses: helm/chart-testing-action@v2.3.1
+        uses: helm/chart-testing-action@v2.6.1
        with:
          version: ${{ env.CHART_TESTING_VERSION }}
      - name: Create kind ${{ matrix.k8s }} cluster
-        uses: helm/kind-action@v1.5.0
+        uses: helm/kind-action@v1.9.0
        # Only build a kind cluster if there are chart changes to test.
        with:
-          version: v0.17.0
+          version: ${{ env.KIND_VERSION }}
          node_image: kindest/node:${{ matrix.k8s }}
          config: .github/kind/conf/kind-config.yaml
          verbosity: 1
      - name: Setup Test dependencies
        run: ./pre-install.sh
        working-directory: .github/tests
      - name: Run chart-testing (install)
        run: |
-          ct install --debug \
+          helm install -n spire-server spire-crds charts/spire-crds
-            --target-branch main \
+          ct install --config ct.yaml --excluded-charts spire-crds,spiffe-step-ssh \
-            --exclude-deprecated \
+            --target-branch ${{ github.base_ref }}
-            ${{ (matrix.values != 'default' && '--helm-extra-set-args "--values=.github/tests/$VALUES/values.yaml"') || '' }}
+
-        env:
+      - name: Test summary
-          VALUES: ${{ matrix.values }}
+        if: always()
        run: ./post-install.sh
        working-directory: .github/tests
  build-matrix:
    name: Build matrix
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4.1.1
      - id: set-matrix-example
        name: Collect all examples
        run: |
          examples="$(find examples -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
          examples_json="$(echo "$examples" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
          echo "${examples_json}"
          echo "examples=$examples_json" >>"$GITHUB_OUTPUT"
      - id: set-matrix-integration
        name: Collect all integration tests
        run: |
          integrationtests="$(find tests/integration -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
          integrationtests_json="$(echo "$integrationtests" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
          echo "${integrationtests_json}"
          echo "integrationtests=$integrationtests_json" >>"$GITHUB_OUTPUT"
    outputs:
      examples: ${{ steps.set-matrix-example.outputs.examples }}
      integrationtests: ${{ steps.set-matrix-integration.outputs.integrationtests }}
  example-test:
    runs-on: ubuntu-22.04
    needs:
      - lint-chart
      - build-matrix
    strategy:
      fail-fast: false
      matrix:
        k8s:
          - v1.31.1
          - v1.30.4
          - v1.29.8
        example:
          - ${{ fromJson(needs.build-matrix.outputs.examples) }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4.1.1
      - name: Set up Helm
        uses: azure/setup-helm@v3.5
        with:
          version: ${{ env.HELM_VERSION }}
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Create kind cluster
        uses: helm/kind-action@v1.9.0
        # Only build a kind cluster if there are chart changes to test.
        with:
          version: ${{ env.KIND_VERSION }}
          node_image: kindest/node:${{ matrix.k8s }}
          config: .github/kind/conf/kind-config.yaml
          verbosity: 1
      - name: Install and test example
        run: |
          if [ "${{ matrix.example }}" = "examples/federation" -o "${{ matrix.example }}" = "examples/nested-full" -o "${{ matrix.example }}" = "examples/nested-security" ]; then
            kubectl create namespace spire-mgmt
            helm install -n spire-mgmt spire-crds charts/spire-crds
          else
            kubectl create namespace spire-server
            helm install -n spire-server spire-crds charts/spire-crds
          fi
          export K8S="${{ matrix.k8s }}"
          ${{ matrix.example }}/run-tests.sh
  integration-test:
    runs-on: ubuntu-22.04
    needs:
      - lint-chart
      - build-matrix
    strategy:
      fail-fast: false
      matrix:
        k8s:
          - v1.31.1
          - v1.30.4
          - v1.29.8
        integrationtest:
          - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4.1.1
      - name: Set up Helm
        uses: azure/setup-helm@v3.5
        with:
          version: ${{ env.HELM_VERSION }}
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Create kind cluster
        uses: helm/kind-action@v1.9.0
        # Only build a kind cluster if there are chart changes to test.
        with:
          version: ${{ env.KIND_VERSION }}
          node_image: kindest/node:${{ matrix.k8s }}
          config: .github/kind/conf/kind-config.yaml
          verbosity: 1
      - name: Install and test integration
        run: |
          helm install --create-namespace -n spire-mgmt spire-crds charts/spire-crds
          ${{ matrix.integrationtest }}/run-tests.sh
  upgrade-test:
    runs-on: ubuntu-22.04
    needs:
      - lint-chart
      - build-matrix
    strategy:
      fail-fast: false
      matrix:
        k8s:
          - v1.31.1
          - v1.30.4
          - v1.29.8
    steps:
      - name: Checkout
        uses: actions/checkout@v4.1.1
      - name: Set up Helm
        uses: azure/setup-helm@v3.5
        with:
          version: ${{ env.HELM_VERSION }}
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Create kind cluster
        uses: helm/kind-action@v1.9.0
        # Only build a kind cluster if there are chart changes to test.
        with:
          version: ${{ env.KIND_VERSION }}
          node_image: kindest/node:${{ matrix.k8s }}
          config: .github/kind/conf/kind-config.yaml
          verbosity: 1
      - name: Install and test example
        run: tests/integration/production/run-tests.sh -u
--- a/.github/workflows/helm-release.yaml
+++ b/.github/workflows/helm-release.yaml
@ -3,7 +3,7 @@ name: Release Helm Charts
 on:
  push:
    branches:
-      - main
+      - release
    paths:
      - '.github/workflows/helm-release.yml'
      - 'charts/**'
@ -19,7 +19,7 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@v3.3.0
+        uses: actions/checkout@v4.1.1
        with:
          fetch-depth: 0
@ -29,9 +29,9 @@ jobs:
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
      - name: Setup cosign
-        uses: sigstore/cosign-installer@v2.8.1
+        uses: sigstore/cosign-installer@v3.4.0
        with:
-          version: v1.13.1
+          cosign-release: v2.2.3
      - name: Set up Helm
        uses: azure/setup-helm@v3.5
@ -39,12 +39,12 @@ jobs:
          version: v3.10.3
      - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.5.0
+        uses: helm/chart-releaser-action@v1.6.0
        env:
          CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@ -67,4 +67,4 @@ jobs:
            cosign sign ghcr.io/"${GITHUB_REPOSITORY_OWNER}"/helm-charts/"${name}"@"${digest}"
          done
        env:
-          COSIGN_EXPERIMENTAL: 1
+          COSIGN_YES: true
--- a/.github/workflows/shellcheck.yaml
+++ b/.github/workflows/shellcheck.yaml
@ -0,0 +1,30 @@
 name: Shellcheck
 on:
  workflow_dispatch:
  pull_request:
    types: [synchronize, opened, reopened, edited]
    paths:
      - .github/workflows/shellcheck.yaml
      - '**/*.sh'
 concurrency:
  group: ${{ github.ref }}-shellcheck
  cancel-in-progress: true
 env:
  SHELLCHECK_VERSION: v0.9.0
 jobs:
  checks:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4.1.1
      - name: Run Shellcheck
        uses: ludeeus/action-shellcheck@2.0.0
        with:
          format: gcc
          version: ${{ env.SHELLCHECK_VERSION }}
--- a/.github/workflows/update-devcontainer-image.yaml
+++ b/.github/workflows/update-devcontainer-image.yaml
@ -0,0 +1,44 @@
 name: Update devcontainer image
 on:
  schedule:
    - cron: '0 8 * * 1'
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
 env:
  HELM_VERSION: v3.11.1
 jobs:
  build-and-push-devcontainer-image:
    runs-on: ubuntu-20.04
    permissions:
      contents: read
      id-token: write
      packages: write
    env:
      COSIGN_EXPERIMENTAL: 1
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Install cosign
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
        with:
          cosign-release: v2.2.3
      - name: Install regctl
        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
      - name: Log in to GHCR
        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build / Push images
        run: |
          set -e
          cd .devcontainer/
          docker build -t ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest .
          docker push ghcr.io/spiffe/helm-charts-hardened-devcontainer:latest
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,6 @@
 bin/
 .idea/
 .vscode/
 *.swp
 charts/**/*.tgz
 .DS_Store
--- a/CODE-OF-CONDUCT.md
+++ b/CODE-OF-CONDUCT.md
@ -0,0 +1,19 @@
 # Contributor Code of Conduct
 We follow the [CNCF Contributor Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md). Additionally, we commit to the following guidelines as detailed on the [Linkerd Code of Conduct](https://github.com/linkerd/linkerd/wiki/Linkerd-code-of-conduct):
 ## Community Guidelines
 - Our goal is to foster an inclusive and diverse community of technology enthusiasts.
 - Try to be your best self. Treat your fellow community members with kindness and empathy. We welcome disagreements when they are conducted respectfully and without personal attacks.
 - We ask that you keep unstructured critique to a minimum. Disparaging remarks about the project are unnecessary and a drain on community morale. Feedback should be constructive and relevant. Having passionately held opinions on what should improve is encouraged! We hope you will use that enthusiasm to roll up your sleeves and get involved by submitting pull requests. We have additional guidelines on [how to ask constructive questions](https://github.com/linkerd/linkerd/wiki/How-To-Ask-Questions-in-Slack).
 - We don't tolerate insults, spamming, trolling, flaming, baiting, or harassment. We don't tolerate sexual language, imagery, or unwanted advances. Private harassment is also unacceptable.
 - We do our best to avoid [subtle-isms](https://www.recurse.com/manual#sub-sec-social-rules): small actions that make others feel uncomfortable. If you witness a subtle-ism, you may respectfully point it out to the person publicly or privately, or you may ask a moderator to say something. Accidentally saying something biased is common, expected, and readily forgiven. It is not in and of itself a bannable offense.
 ## Moderation
 - If you feel any of SPIFFE's communication channels require moderation, please e-mail the [SPIFFE Steering Committee (SSC)](mailto:ssc@spiffe.io).
--- a/4
+++ b/4
@ -1,7 +1,7 @@
 # These owners will be the default owners for everything in
 # the repo. Unless a later match takes precedence,
-# they will be requested for review when someone opens a 
+# they will be requested for review when someone opens a
 # pull request.
-*       @marcofranssen @Kfox1111 @developer-guy @dennisgove @dfeldman @faisal-memon @mrsabath
+*       @marcofranssen @Kfox1111 @dfeldman @faisal-memon @mrsabath @edwbuck
 # See CODEOWNERS syntax here: https://help.github.com/articles/about-codeowners/#codeowners-syntax
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -34,12 +34,33 @@ git checkout «your-branch»
 git rebase main
 ```
-## Generating documentation
+## Testing
-Any changes to Chart.yaml or values.yaml require an update of the README.md. This update can easily be generated using [helm-docs][].
+Our CI pipeline takes care of the majority of the testing of this Chart. Other ways for you to test are by running `make test` locally using:
 > [!Warning]
 > Ensure to run the test on a dedicated k8s cluster that does not have Spire installed yet.
 ```shell
-./helm-docs.sh charts/«chart-name»
+make test
 ```
-[helm-docs]: https://github.com/norwoodj/helm-docs "Generate documentation for your Helm chart."
+Another approach to testing the chart is by installing one of the examples in your own cluster to verify your contributed changes work before issueing your PR.
 ## Generating documentation
 Any changes to Chart.yaml or values.yaml require an update of the README.md. This update can easily be generated using [readme-generator][].
 ```shell
 ./helm-docs.sh
 ```
 ## Bumping Chart version
 In contrary to many other Helm repositories we do NOT require contributors to increate the Chart version. We have customized our release pipeline so we can bundle various PRs in a single release. Maintainers of the helm-charts in this repo will take care of the semantic versioning.
 [readme-generator]: https://github.com/bitnami-labs/readme-generator-for-helm "Auto generate READMEs for Helm Charts."
 ## devcontainer support
 We have a usable devcontainer with all the dev tools preinstalled to make contributions easier. You should be able to use it via Codespaces (https://github.com/codespaces/), Visual Studio Code (https://code.visualstudio.com/), DevPod (https://devpod.sh), etc. Please consult the documentation for those tools for how to use them.
--- a/FAQ.md
+++ b/FAQ.md
@ -0,0 +1,83 @@
 # Frequently Asked Questions
 - [How does this repo relate to the helm-charts repo?](#how-does-this-repo-relate-to-the-helm-charts-repo)
 - [How do I migrate my changeset from the old helm-charts repo to this one?](#how-do-i-migrate-my-changeset-from-the-old-helm-charts-repo-to-this-one)
 - [How do I update my helm registry to point to this one?](#how-do-i-update-my-helm-registry-to-point-to-this-one)
 - [Pods are stuck terminating after uninstall. How do I fix it?](#pods-are-stuck-terminating-after-uninstall-how-do-i-fix-it)
 - [Uninstall is stuck. How do I fix it?](#uninstall-is-stuck-how-do-i-fix-it)
 - [The PSAT plugin is not working](#the-psat-plugin-is-not-working)
 ## How does this repo relate to the helm-charts repo?
 The helm-charts repo has been archived. This repo has all the commit history and releases copied over from that repo and is continuing development to provide a SPIRE helm chart for the community to use and contribute to.
 ## How do I migrate my changeset from the old helm-charts repo to this one?
 Run one of these commands to switch to the new repo:
 - If working off a branch (maintainers with write access): `git remote set-url origin git@github.com:spiffe/helm-charts-hardened.git`
 - If working off a fork:
    1. Create a new fork of helm-charts-hardened
    1. In your local clone of your old fork of helm-charts: `git remote set-url origin https://github.com/<your new fork>/helm-charts-hardened.git`
 Then just `git push` your branches. Git history has been migrated over so you can just push your existing branches without issues.
 ## How do I update my helm registry to point to this one?
 Assuming you named the repo `spiffe`:
 ``` bash
 helm repo remove spiffe
 helm repo add spiffe https://spiffe.github.io/helm-charts-hardened
 ```
 ## Pods are stuck terminating after uninstall. How do I fix it?
 If you uninstall the SPIRE chart before all users of the CSI driver are removed, Pods will get stuck in a terminating state waiting for the driver, that no longer is installed, to unmount the volumes for the Pod. In order to fix this, reinstall the chart and remove all affected workloads that are not part of the SPIRE helm chart itself, before attempting to remove SPIRE again.
 You can discover Pods that use the driver with the following command:
 ```shell
 kubectl get pods --all-namespaces -o go-template='{{range .items}}{{$nn := printf "%s %s" .metadata.namespace .metadata.name}}{{range .spec.volumes}}{{if .csi.driver}}{{if eq .csi.driver "csi.spiffe.io"}}{{printf "%s\n" $nn}}{{end}}{{end}}{{end}}{{end}}'
 ```
 ## Uninstall is stuck. How do I fix it?
 If you uninstall the SPIFFE CSI driver manually before removing the chart, Pods can still be using the driver and are unable to unmount the CSI volume.
 To resolve, reinstall the chart before trying to remove it again.
 ## The PSAT plugin is not working
 The chart requires `Projected Service Account Tokens` which has to be enabled on your Kubernetes API server. In most cases this is already done for you.
 > [!Note]
 > This is enabled by default with newer versions as shown by the existence of:
 >
 > ```yaml
 >        - --service-account-issuer
 >        - --service-account-key-file
 >        - --service-account-signing-key-file
 > ```
 See [Service Account Token Volume Projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) in the Kubernetes docs for more details.
 To enable Projected Service Account Tokens on Docker for Mac/Windows run the following
 command to SSH into the Docker Desktop K8s VM.
 ```bash
 docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
 ```
 Then add the following to `/etc/kubernetes/manifests/kube-apiserver.yaml`
 ```yaml
 spec:
  containers:
    - command:
        - kube-apiserver
        - --api-audiences=api,spire-server
        - --service-account-issuer=api,spire-agent
        - --service-account-key-file=/run/config/pki/sa.pub
        - --service-account-signing-key-file=/run/config/pki/sa.key
 ```
--- a/70
+++ b/70
@ -0,0 +1,70 @@
 TARGET_BRANCH ?= main
 .PHONY: help
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 ##@ Linting:
 .PHONY: lint
 lint: ## Lint the charts using chart-testing
 	@echo Linting charts…
 	@ct lint --config ct.yaml --target-branch $(TARGET_BRANCH) --check-version-increment=false
 lint-release: ## Lint the charts using chart-testing for release
 	@echo Linting charts…
 	@ct lint --config ct.yaml --target-branch $(TARGET_BRANCH)
 ##@ Testing: (ensure to run on dedicated test cluster)
 .PHONY: clean-test-leftovers
 clean-test-leftovers: ## Cleans up any lingering resources in case tests fail massively
 	@echo Cleanup potential leftovers…
 	@-kubectl delete csidrivers.storage.k8s.io csi.spiffe.io \
 		&>/dev/null || true
 	@-kubectl delete ns \
 		$$(kubectl get ns -o json | jq -r '.items[] | .metadata.name' | grep spire) \
 		&>/dev/null || true
 	@-kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io \
 		$$(kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io -o json | jq -r '.items[] | .metadata.name' | grep spire) \
 		&>/dev/null || true
 .PHONY: test
 test: install-test-deps test-charts test-examples ## Run all chart tests and example tests
 .PHONY: install-test-deps
 install-test-deps: ## Install test dependency resources
 	@echo Installing test dependencies…
 	@.github/tests/pre-install.sh
 .PHONY: test-charts
 test-charts: ## Run tests on charts using Helm chart-testing
 	@echo Running tests…
 	@ct install --config ct.yaml
 .PHONY: cleanup-test-deps
 cleanup-test-deps: ## Cleans up all test dependencies resources
 	@echo Uninstalling test dependencies…
 	@helm uninstall -n cert-manager cert-manager 2>/dev/null || true
 	@kubectl delete ns cert-manager 2>/dev/null || true
 	@helm uninstall -n prometheus kube-prometheus-stack 2>/dev/null || true
 	@kubectl delete ns prometheus 2>/dev/null || true
 	@helm uninstall -n mysql mysql 2>/dev/null|| true
 	@kubectl delete ns mysql 2>/dev/null || true
 	@helm uninstall -n postgresql postgresql 2>/dev/null || true
 	@kubectl delete ns postgresql 2>/dev/null || true
 	@helm uninstall -n ingress-nginx ingress-nginx 2>/dev/null || true
 	@kubectl delete ns ingress-nginx 2>/dev/null || true
 test-example-%:
 	@echo Running tests for $* example…
 	@examples/$*/run-tests.sh
 	@echo
 .PHONY: test-examples
 test-examples: $(patsubst examples/%/values.yaml,test-example-%,$(wildcard examples/*/values.yaml)) ## Run `helm install` and `helm test` for all the examples containing `run-tests.sh`
 .PHONY: diagrams
 diagrams: ## Builds diagrams
 	@dot -Tpng examples/nested/singlehardened.dot > examples/nested/singlehardened.png
 	@dot -Tpng examples/nested/multicluster.dot > examples/nested/multicluster.png
--- a/README.md
+++ b/README.md
@ -1,26 +1,20 @@
 >  **Note**
 > Things to consider:
 > 1. We do not support running out of the git main branch. This is where development happens. Please use released versions via the published repo or git tags.
 > 2. All the helm charts in this repo are beta. We encourage you to try them out and contribute. The API may change as we move towards a production ready release.
 # SPIFFE Helm Charts
-[![Apache 2.0 License](https://img.shields.io/github/license/spiffe/helm-charts?style=for-the-badge)](https://opensource.org/licenses/Apache-2.0)
+[![Apache 2.0 License](https://img.shields.io/github/license/spiffe/helm-charts)](https://opensource.org/licenses/Apache-2.0)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/spiffe)](https://artifacthub.io/packages/search?repo=spiffe)
 A suite of [Helm Charts](https://helm.sh/docs) for standardized installations of SPIRE components in Kubernetes environments.
-## Add Helm repository
+## How to install or upgrade
-```bash
+You most likely want to do an integrated setup based on the spire chart.
-helm repo add spiffe https://spiffe.github.io/helm-charts/
+See the [Instructions](https://artifacthub.io/packages/helm/spiffe/spire#install-instructions).
 helm repo update
 ```
 ## Dependencies and Version Compatibility
 Unless otherwise noted in an application chart README, the following dependencies will follow these prescribed version compatibility rules.
 | Dependency | Supported Versions |
 |:-----------|:-------------------|
 | SPIRE      | `1.4.x`, `1.5.x`   |
 | Helm       | `3.x`              |
 For Kubernetes we will officially try to support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions).
 ## Contributing
--- a/charts/spiffe-step-ssh/Chart.yaml
+++ b/charts/spiffe-step-ssh/Chart.yaml
@ -0,0 +1,42 @@
 apiVersion: v2
 name: spiffe-step-ssh
 description: sshd signed host certificates using SPIFFE for trust and step CA
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
 # to be deployed.
 #
 # Library charts provide useful utilities or functions for the chart developer. They're included as
 # a dependency of application charts to inject those utilities and functions into the rendering
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 version: 0.1.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "1.16.0"
 keywords: ["spiffe", "step", "step-ca", "ssh"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spiffe-step-ssh
 sources:
  - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spiffe-step-ssh
 icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
 maintainers:
  - name: kfox1111
    email: Kevin.Fox@pnnl.gov
 dependencies:
  - name: spire-lib
    repository: file://../spire/charts/spire-lib
    version: 0.1.0
  - name: step-certificates
    alias: step
    repository: https://smallstep.github.io/helm-charts/
    version: 1.27.4
--- a/charts/spiffe-step-ssh/README.md
+++ b/charts/spiffe-step-ssh/README.md
@ -0,0 +1,65 @@
 spire-values.yaml
 ```
 spire-server:
  nodeAttestor:
    httpChallenge:
      enabled: true
  controllerManager:
    identities:
      clusterSPIFFEIDs:
        spiffe-step-ssh-config:
          type: raw
          namespaceSelector:
            matchLabels:
              "kubernetes.io/metadata.name": default
          podSelector:
            matchLabels:
              app: spiffe-step-ssh
              component: config
        spiffe-step-ssh-fetchca:
          type: raw
          namespaceSelector:
            matchLabels:
              "kubernetes.io/metadata.name": default
          podSelector:
            matchLabels:
              app: spiffe-step-ssh
              component: fetchca
          dnsNameTemplates:
          - "spiffe-step-ssh-fetchca.{{ .TrustDomain }}"
 ```
 ```shell
 helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
 helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f spire-values.yaml --set global.spire.ingressControllerType=ingress-nginx,spire-server.ingress.enabled=true
 ```
 ```shell
 helm upgrade --install ingress-nginx ingress-nginx -n ingress-nginx --create-namespace --repo https://kubernetes.github.io/ingress-nginx --set controller.service.type=ClusterIP,controller.service.externalIPs[0]=$(minikube ip) --set controller.watchIngressWithoutClass=true --set controller.extraArgs.enable-ssl-passthrough=
 ```
 ```shell
 PASSWORD=$(openssl rand -base64 48)
 echo "$PASSWORD" > spiffe-step-ssh-password.txt
 step ca init --helm --deployment-type=Standalone --name='My CA' --dns spiffe-step-ssh.example.org --ssh --address :8443 --provisioner default --password-file spiffe-step-ssh-password.txt > spiffe-step-ssh-values.yaml
 ```
 ingress-values.yaml
 ```yaml
 global:
  spiffe:
    ingressControllerType: ingress-nginx
 stepIngress:
  enabled: true
 fetchCA:
  ingress:
    enabled: true
 ```
 ```shell
 helm upgrade --install spiffe-step-ssh . --set caPassword=`cat spiffe-step-ssh-password.txt` -f spiffe-step-ssh-values.yaml -f ingress-values.yaml --set trustDomain=example.org
 ```
 <!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
 ## Parameters
--- a/charts/spiffe-step-ssh/ci/default-values.yaml
+++ b/charts/spiffe-step-ssh/ci/default-values.yaml
@ -0,0 +1 @@
 trustDomain: example.org
--- a/charts/spiffe-step-ssh/files/ssh_x5c.tpl
+++ b/charts/spiffe-step-ssh/files/ssh_x5c.tpl
@ -0,0 +1,13 @@
 {{- if eq (len .AuthorizationCrt.URIs) 1 }}
 {{-   $san := printf "%s" (index .AuthorizationCrt.URIs 0) }}
 {{-   if hasPrefix "spiffe://@TRUST_DOMAIN@/@PREFIX@/" $san }}
 {{-     $name := trimPrefix "spiffe://@TRUST_DOMAIN@/@PREFIX@/" $san }}
 {
  "type": {{ toJson .Type }},
  "keyId": {{ toJson $name }},
  "principals": [{{ toJson $name }}],
  "extensions": {{ toJson .Extensions }},
  "criticalOptions": {{ toJson .CriticalOptions }}
 }
 {{-   end }}
 {{- end }}
--- a/charts/spiffe-step-ssh/templates/NOTES.txt
+++ b/charts/spiffe-step-ssh/templates/NOTES.txt
@ -0,0 +1,5 @@
 Installed {{ .Chart.Name }}…
 Configure your ssh clients with known_hosts file with:
@cert-authority *.{{ .Values.trustDomain }} {{ .Values.inject.certificates.ssh_host_ca }}
--- a/charts/spiffe-step-ssh/templates/_helpers.tpl
+++ b/charts/spiffe-step-ssh/templates/_helpers.tpl
@ -0,0 +1,83 @@
 {{/*
 Expand the name of the chart.
 */}}
 {{- define "spiffe-step-ssh.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "spiffe-step-ssh.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- $name := default .Chart.Name .Values.nameOverride }}
 {{- if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{- end }}
 {{- end }}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "spiffe-step-ssh.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Common labels
 */}}
 {{- define "spiffe-step-ssh.labels" -}}
 helm.sh/chart: {{ include "spiffe-step-ssh.chart" . }}
 {{ include "spiffe-step-ssh.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "spiffe-step-ssh.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "spiffe-step-ssh.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 {{/*
 Create the name of the service account to use
 */}}
 {{- define "spiffe-step-ssh.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
 {{- default (include "spiffe-step-ssh.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
 {{/* Takes in a dictionary with keys:
 * global - the standard global object
 * ingress - a standard format ingress config object
 */}}
 {{- define "spiffe-step-ssh.ingress-controller-type" }}
 {{-   $type := "" }}
 {{-   if ne (len (dig "spiffe" "ingressControllerType" "" .global)) 0 }}
 {{-     $type = .global.spiffe.ingressControllerType }}
 {{-   else if ne .ingress.controllerType "" }}
 {{-     $type = .ingress.controllerType }}
 {{-   else if (dig "openshift" false .global) }}
 {{-     $type = "openshift" }}
 {{-   else }}
 {{-     $type = "other" }}
 {{-   end }}
 {{-   if not (has $type (list "ingress-nginx" "openshift" "other")) }}
 {{-     fail "Unsupported ingress controller type specified. Must be one of [ingress-nginx, openshift, other]" }}
 {{-   end }}
 {{-   $type }}
 {{- end }}
--- a/charts/spiffe-step-ssh/templates/config-configmap.yaml
+++ b/charts/spiffe-step-ssh/templates/config-configmap.yaml
@ -0,0 +1,25 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "spiffe-step-ssh.fullname" . }}-config-deployment
  labels:
    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
 data:
  spiffe-helper.conf: |
    agent_address = "/spiffe-workload-api/spire-agent.sock"
    cmd = "sh"
    cmd_args = "/config-deployment/update.sh"
    cert_dir = "/certs"
    svid_file_name = "tls.crt"
    svid_key_file_name = "tls.key"
    svid_bundle_file_name = "ca.pem"
    add_intermediates_to_bundle = false
  update.sh: |
    #!/bin/sh
    export ROOTS=$(base64 /certs/ca.pem | tr '\n' ' ' | sed 's/ //g')
    echo Updating Roots to "$ROOTS"
    cat /config/ca.json > /work/ca.json
    yq e -i -ojson '.authority.provisioners |= map(select(.name == "x5c@spiffe").roots = env(ROOTS))' /work/ca.json
    /helper/kubectl create configmap {{ include "spiffe-step-ssh.fullname" . }}-config -n "{{ .Release.Namespace }}" --from-file=/work/ca.json --from-file=/config/defaults.json --from-file=/config/ssh_x5c.tpl --dry-run=client -o yaml | /helper/kubectl apply -f -
    /helper/kubectl rollout restart statefulset {{ include "spiffe-step-ssh.fullname" . }} -n "{{ .Release.Namespace }}"
    echo $?
--- a/charts/spiffe-step-ssh/templates/config-deployment.yaml
+++ b/charts/spiffe-step-ssh/templates/config-deployment.yaml
@ -0,0 +1,143 @@
 {{- $configSum := (include (print $.Template.BasePath "/config-configmap.yaml") . | sha256sum) }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "spiffe-step-ssh.fullname" . }}-config
  labels:
    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
    app: spiffe-step-ssh
    component: config
 spec:
  replicas: 1
  selector:
    matchLabels:
      {{- include "spiffe-step-ssh.selectorLabels" . | nindent 6 }}
      app: spiffe-step-ssh
      component: config
  template:
    metadata:
      annotations:
        checksum/config: {{ $configSum }}
        {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      labels:
        {{- include "spiffe-step-ssh.labels" . | nindent 8 }}
        {{- with .Values.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        app: spiffe-step-ssh
        component: config
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "spiffe-step-ssh.serviceAccountName" . }}-svc-config
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      initContainers:
      - name: setup-volume-p1
        image: {{ template "spire-lib.image" (dict "image" .Values.busybox.image "global" .Values.global) }}
        imagePullPolicy: {{ .Values.busybox.image.pullPolicy }}
        command:
        - sh
        - -c
        - 'cp -a /bin/busybox /helper'
        securityContext:
          {{- toYaml .Values.securityContext | nindent 12 }}
        volumeMounts:
        - name: spiffe-helper
          mountPath: /helper
        resources:
          {{- toYaml .Values.config.resources | nindent 12 }}
      - name: setup-volume-p2
        image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
        imagePullPolicy: {{ .Values.kubectl.image.pullPolicy }}
        command:
        - /helper/busybox
        - sh
        - -c
        - '/helper/busybox cp -a /bin/kubectl /helper'
        securityContext:
          {{- toYaml .Values.securityContext | nindent 12 }}
        volumeMounts:
        - name: spiffe-helper
          mountPath: /helper
        resources:
          {{- toYaml .Values.config.resources | nindent 12 }}
      - name: setup-volume-p3
        image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
        imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
        command:
        - /helper/busybox
        - sh
        - -c
        - '/helper/busybox cp -a /spiffe-helper /helper && /helper/busybox rm -f /helper/busybox'
        securityContext:
          {{- toYaml .Values.securityContext | nindent 12 }}
        volumeMounts:
        - name: spiffe-helper
          mountPath: /helper
        resources:
          {{- toYaml .Values.config.resources | nindent 12 }}
      containers:
      - name: {{ .Chart.Name }}
        securityContext:
          {{- toYaml .Values.securityContext | nindent 12 }}
        image: {{ template "spire-lib.image" (dict "image" .Values.yq.image "global" .Values.global) }}
        imagePullPolicy: {{ .Values.yq.image.pullPolicy }}
        command:
        - /helper/spiffe-helper
        - -config
        - /config-deployment/spiffe-helper.conf
        resources:
          {{- toYaml .Values.config.resources | nindent 12 }}
        volumeMounts:
        - name: spiffe-helper
          mountPath: /helper
          readOnly: true
        - name: config
          mountPath: /config
          readOnly: true
        - name: config-deployment
          mountPath: /config-deployment
          readOnly: true
        - name: certdir
          mountPath: /certs
        - name: spiffe-workload-api
          mountPath: /spiffe-workload-api
          readOnly: true
        - name: workdir
          mountPath: /work
      volumes:
      - name: spiffe-workload-api
        csi:
          driver: {{ .Values.csiDriver | quote }}
          readOnly: true
      - name: config-deployment
        configMap:
          name: {{ include "spiffe-step-ssh.fullname" . }}-config-deployment
      - name: config
        configMap:
          name: {{ include "spiffe-step-ssh.fullname" . }}-config-raw
      - name: certdir
        emptyDir: {}
      - name: spiffe-helper-config
        emptyDir: {}
      - name: spiffe-helper
        emptyDir: {}
      - name: workdir
        emptyDir: {}
      {{- with .Values.config.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.config.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.config.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
--- a/charts/spiffe-step-ssh/templates/config-role.yaml
+++ b/charts/spiffe-step-ssh/templates/config-role.yaml
@ -0,0 +1,41 @@
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
 rules:
  - apiGroups: [""]
    resources: [configmaps]
    verbs:
      - create
  - apiGroups: [""]
    resources: [configmaps]
    resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}-config]
    verbs:
      - get
      - update
      - patch
  - apiGroups: ["apps"]
    resources: [statefulsets]
    resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}]
    verbs:
      - get
      - patch
  - apiGroups: ["apps"]
    resources: [deployments]
    resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}-fetchca]
    verbs:
      - get
      - patch
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
 subjects:
  - kind: ServiceAccount
    name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
    namespace: {{ .Release.Namespace }}
 roleRef:
  kind: Role
  name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
  apiGroup: rbac.authorization.k8s.io
--- a/charts/spiffe-step-ssh/templates/config-serviceaccount.yaml
+++ b/charts/spiffe-step-ssh/templates/config-serviceaccount.yaml
@ -0,0 +1,13 @@
 {{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "spiffe-step-ssh.serviceAccountName" . }}-svc-config
  labels:
    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
    component: config
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 {{- end }}
--- a/charts/spiffe-step-ssh/templates/fetchca-configmap.yaml
+++ b/charts/spiffe-step-ssh/templates/fetchca-configmap.yaml
@ -0,0 +1,28 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
  labels:
    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
 data:
  spiffe-helper-init.conf: |
    agent_address = "/spiffe-workload-api/spire-agent.sock"
    cmd = ""
    cmd_args = ""
    cert_dir = "/certs"
    svid_file_name = "tls.crt"
    svid_key_file_name = "tls.key"
    svid_bundle_file_name = "ca.pem"
    add_intermediates_to_bundle = false
  spiffe-helper-sidecar.conf: |
    agent_address = "/spiffe-workload-api/spire-agent.sock"
    cmd = "/busybox/busybox"
    cmd_args = "sh /update.sh"
    cert_dir = "/certs"
    svid_file_name = "tls.crt"
    svid_key_file_name = "tls.key"
    svid_bundle_file_name = "ca.pem"
    add_intermediates_to_bundle = false
  update.sh: |
    #!/bin/sh
    /busybox/busybox kill -HUP `/busybox/busybox busybox cat /pid/pid`
--- a/charts/spiffe-step-ssh/templates/fetchca-deployment.yaml
+++ b/charts/spiffe-step-ssh/templates/fetchca-deployment.yaml
@ -0,0 +1,182 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
  labels:
    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
    app: spiffe-step-ssh
    component: fetchca
 spec:
  {{- if not .Values.fetchCA.autoscaling.enabled }}
  replicas: {{ .Values.fetchCA.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "spiffe-step-ssh.selectorLabels" . | nindent 6 }}
      app: spiffe-step-ssh
      component: fetchca
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "spiffe-step-ssh.labels" . | nindent 8 }}
        {{- with .Values.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        app: spiffe-step-ssh
        component: fetchca
    spec:
      shareProcessNamespace: true
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "spiffe-step-ssh.serviceAccountName" . }}-fetchca
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      initContainers:
        - name: busybox-volume
          image: {{ template "spire-lib.image" (dict "image" .Values.busybox.image "global" .Values.global) }}
          imagePullPolicy: {{ .Values.busybox.image.pullPolicy }}
          command:
          - sh
          - -c
          - 'cp -a /bin/busybox /busybox'
          volumeMounts:
          - name: busybox
            mountPath: /busybox
          resources:
            {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
        - name: init-tls
          image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
          imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
          command:
          - /spiffe-helper
          - -config
          - /etc/spiffe-helper.conf
          - -daemon-mode=false
          volumeMounts:
          - name: spiffe-workload-api
            mountPath: /spiffe-workload-api
            readOnly: true
          - name: config
            mountPath: /etc/spiffe-helper.conf
            subPath: spiffe-helper-init.conf
            readOnly: true
          - name: certs
            mountPath: /certs
          resources:
            {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
      containers:
        - name: {{ .Chart.Name }}-fetchca
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: {{ template "spire-lib.image" (dict "image" .Values.nginx.image "global" .Values.global) }}
          imagePullPolicy: {{ .Values.nginx.image.pullPolicy }}
          command:
          - /bin/sh
          - -c
          - |
            echo $$$$ > /pid/pid
            cat > /etc/nginx/conf.d/ssl.conf <<EOF
            server {
                listen       8443 ssl;
                server_name  localhost;
                ssl_certificate     /certs/tls.crt;
                ssl_certificate_key /certs/tls.key;
                location / {
                    root   /usr/share/nginx/html;
                    index  root_ca.crt index.html index.htm;
                }
                error_page   500 502 503 504  /50x.html;
                location = /50x.html {
                    root   /usr/share/nginx/html;
                }
            }
            EOF
            exec nginx -g "daemon off;"
          ports:
            - name: http
              containerPort: 8443
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /
              port: http
              scheme: HTTPS
          readinessProbe:
            httpGet:
              path: /
              port: http
              scheme: HTTPS
          resources:
            {{- toYaml .Values.fetchCA.resources | nindent 12 }}
          volumeMounts:
          - name: certs
            mountPath: /certs
            readOnly: true
          - name: pid
            mountPath: /pid
          - name: share
            mountPath: /usr/share/nginx/html
        - name: update-tls
          image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
          imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
          command:
          - /spiffe-helper
          - -config
          - /etc/spiffe-helper.conf
          volumeMounts:
          - name: certs
            mountPath: /certs
          - name: spiffe-workload-api
            mountPath: /spiffe-workload-api
            readOnly: true
          - name: config
            mountPath: /etc/spiffe-helper.conf
            subPath: spiffe-helper-sidecar.conf
            readOnly: true
          - name: config
            mountPath: /update.sh
            subPath: update.sh
            readOnly: true
          - name: pid
            mountPath: /pid
            readOnly: true
          - name: busybox
            mountPath: /busybox
            readOnly: true
          resources:
            {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
      volumes:
      - name: certs
        emptyDir: {}
      - name: pid
        emptyDir: {}
      - name: busybox
        emptyDir: {}
      - name: config
        configMap:
          name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
      - name: spiffe-workload-api
        csi:
          driver: {{ .Values.csiDriver | quote }}
          readOnly: true
      - name: share
        configMap:
          name: {{ include "spiffe-step-ssh.fullname" . }}-certs
      {{- with .Values.fetchCA.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.fetchCA.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.fetchCA.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
--- a/charts/spiffe-step-ssh/templates/fetchca-hpa.yaml
+++ b/charts/spiffe-step-ssh/templates/fetchca-hpa.yaml
@ -0,0 +1,32 @@
 {{- if .Values.fetchCA.autoscaling.enabled }}
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchCA
  labels:
    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
 spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
  minReplicas: {{ .Values.fetchCA.autoscaling.minReplicas }}
  maxReplicas: {{ .Values.fetchCA.autoscaling.maxReplicas }}
  metrics:
    {{- if .Values.fetchCA.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.fetchCA.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    {{- if .Values.fetchCA.autoscaling.targetMemoryUtilizationPercentage }}
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: {{ .Values.fetchCA.autoscaling.targetMemoryUtilizationPercentage }}
    {{- end }}
 {{- end }}
--- a/charts/spiffe-step-ssh/templates/fetchca-ingress.yaml
+++ b/charts/spiffe-step-ssh/templates/fetchca-ingress.yaml
@ -0,0 +1,31 @@
 {{- if .Values.fetchCA.ingress.enabled -}}
 {{- $ingressControllerType := include "spiffe-step-ssh.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.fetchCA.ingress) }}
 {{- $fullName := printf "%s-fetchca" (include "spiffe-step-ssh.fullname" .) -}}
 {{- $path := "/" }}
 {{- $pathType := "Prefix" }}
 {{- $tlsSection := true }}
 {{- $annotations := deepCopy .Values.fetchCA.ingress.annotations }}
 {{- if eq $ingressControllerType "ingress-nginx" }}
 {{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
 {{-   $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
 {{-   $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
 {{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
 {{- else if eq $ingressControllerType "openshift" }}
 {{-   $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
 {{-   $path = "" }}
 {{-   $pathType = "ImplementationSpecific" }}
 {{-   $tlsSection = false }}
 {{- end }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ $fullName }}
  labels:
    {{ include "spiffe-step-ssh.labels" . | nindent 4}}
  {{- with $annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.fetchCA.ingress "svcName" $fullName "port" .Values.fetchCA.service.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
 {{- end }}
--- a/charts/spiffe-step-ssh/templates/fetchca-service.yaml
+++ b/charts/spiffe-step-ssh/templates/fetchca-service.yaml
@ -0,0 +1,17 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
  labels:
    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
    app: spiffe-step-ssh
    component: fetchca
 spec:
  type: {{ .Values.fetchCA.service.type }}
  ports:
    - port: {{ .Values.fetchCA.service.port }}
      targetPort: http
      protocol: TCP
      name: http
  selector:
    {{- include "spiffe-step-ssh.selectorLabels" . | nindent 4 }}
--- a/charts/spiffe-step-ssh/templates/fetchca-serviceaccount.yaml
+++ b/charts/spiffe-step-ssh/templates/fetchca-serviceaccount.yaml
@ -0,0 +1,12 @@
 {{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "spiffe-step-ssh.serviceAccountName" . }}-fetchca
  labels:
    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 {{- end }}
--- a/charts/spiffe-step-ssh/templates/ssh-certificate-issuer-password-secret.yaml
+++ b/charts/spiffe-step-ssh/templates/ssh-certificate-issuer-password-secret.yaml
@ -0,0 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "spiffe-step-ssh.fullname" . }}-certificate-issuer-password
  labels:
    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
 data:
  password: {{ .Values.caPassword | b64enc }}
--- a/charts/spiffe-step-ssh/templates/step-ca-password-secret.yaml
+++ b/charts/spiffe-step-ssh/templates/step-ca-password-secret.yaml
@ -0,0 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "spiffe-step-ssh.fullname" . }}-ca-password
  labels:
    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
 data:
  password: {{ .Values.caPassword | b64enc }}
--- a/charts/spiffe-step-ssh/templates/step-certs-configmap.yaml
+++ b/charts/spiffe-step-ssh/templates/step-certs-configmap.yaml
@ -0,0 +1,15 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "spiffe-step-ssh.fullname" . }}-certs
  labels:
    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
 data:
  "root_ca.crt": |
    {{- .Values.inject.certificates.root_ca | nindent 4}}
  "intermediate_ca.crt": |
    {{ .Values.inject.certificates.intermediate_ca | nindent 4}}
  "ssh_host_ca_key.pub": |
    {{ .Values.inject.certificates.ssh_host_ca | nindent 4 }}
  "ssh_user_ca_key.pub": |
    {{ .Values.inject.certificates.ssh_user_ca | nindent 4 }}
--- a/charts/spiffe-step-ssh/templates/step-config.yaml
+++ b/charts/spiffe-step-ssh/templates/step-config.yaml
@ -0,0 +1,32 @@
 {{- define "spiffe-step-ssh.config-provisioners" }}
 type: X5C
 name: "x5c@spiffe"
 roots: ""
 claims:
  maxTLSCertDuration: {{ .Values.maxTLSCertDuration | quote }}
  defaultTLSCertDuration: {{ .Values.defaultTLSCertDuration | quote }}
  disableRenewal: true
  enableSSHCA: true
 disableCustomSANs: true
 options:
 ssh:
   templateFile: /home/step/config/ssh_x5c.tpl
 {{- end }}
 {{ $ca := deepCopy (index .Values.inject.config.files "ca.json") }}
 {{ $_ := set $ca.authority "provisioners" (list (include "spiffe-step-ssh.config-provisioners" . | fromYaml )) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "spiffe-step-ssh.fullname" . }}-config-raw
  labels:
    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
 data:
  "ca.json": |
    {{- $ca | toPrettyJson | nindent 4 }}
  "defaults.json": |
    {{- index .Values.inject.config.files "defaults.json" | toPrettyJson | nindent 4 }}
 {{- if eq .Values.trustDomain "" }}
 {{-   fail "You must set trustDomain" }}
 {{- end }}
  "ssh_x5c.tpl": |
    {{- .Files.Get "files/ssh_x5c.tpl" | replace "@TRUST_DOMAIN@" .Values.trustDomain | replace "@PREFIX@" .Values.prefix | nindent 4}}
--- a/charts/spiffe-step-ssh/templates/step-ingress.yaml
+++ b/charts/spiffe-step-ssh/templates/step-ingress.yaml
@ -0,0 +1,31 @@
 {{- if .Values.stepIngress.enabled -}}
 {{- $ingressControllerType := include "spiffe-step-ssh.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.stepIngress) }}
 {{- $fullName := printf "%s" (include "spiffe-step-ssh.fullname" .) -}}
 {{- $path := "/" }}
 {{- $pathType := "Prefix" }}
 {{- $tlsSection := true }}
 {{- $annotations := deepCopy .Values.stepIngress.annotations }}
 {{- if eq $ingressControllerType "ingress-nginx" }}
 {{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
 {{-   $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
 {{-   $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
 {{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
 {{- else if eq $ingressControllerType "openshift" }}
 {{-   $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
 {{-   $path = "" }}
 {{-   $pathType = "ImplementationSpecific" }}
 {{-   $tlsSection = false }}
 {{- end }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ $fullName }}
  labels:
    {{ include "spiffe-step-ssh.labels" . | nindent 4}}
  {{- with $annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.stepIngress "svcName" $fullName "port" .Values.step.service.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
 {{- end }}
--- a/charts/spiffe-step-ssh/templates/step-secret.yaml
+++ b/charts/spiffe-step-ssh/templates/step-secret.yaml
@ -0,0 +1,11 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "spiffe-step-ssh.fullname" . }}-secrets
  labels:
    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
 data:
  root_ca_key: {{ .Values.inject.secrets.x509.root_ca_key | b64enc }}
  intermediate_ca_key: {{ .Values.inject.secrets.x509.intermediate_ca_key | b64enc }}
  ssh_host_ca_key: {{ .Values.inject.secrets.ssh.host_ca_key | b64enc }}
  ssh_user_ca_key: {{ .Values.inject.secrets.ssh.user_ca_key | b64enc }}
--- a/charts/spiffe-step-ssh/templates/step-ssh-host-ca-password-secret.yaml
+++ b/charts/spiffe-step-ssh/templates/step-ssh-host-ca-password-secret.yaml
@ -0,0 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "spiffe-step-ssh.fullname" . }}-ssh-host-ca-password
  labels:
    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
 data:
  password: {{ .Values.caPassword | b64enc }}
--- a/charts/spiffe-step-ssh/templates/step-ssh-user-ca-password-secret.yaml
+++ b/charts/spiffe-step-ssh/templates/step-ssh-user-ca-password-secret.yaml
@ -0,0 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "spiffe-step-ssh.fullname" . }}-ssh-user-ca-password
  labels:
    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
 data:
  password: {{ .Values.caPassword | b64enc }}
--- a/charts/spiffe-step-ssh/values.yaml
+++ b/charts/spiffe-step-ssh/values.yaml
@ -0,0 +1,292 @@
 # Default values for spiffe-step-ssh.
 # SPDX-License-Identifier: APACHE-2.0
 global:
  spiffe:
    ## @param global.spiffe.ingressControllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
    ingressControllerType: ""
 ## @param trustDomain The trust domain for SPIRE
 trustDomain: ""
 ## @param caPassword Password securing the SSH CA
 caPassword: ""
 ## @param maxTLSCertDuration The maximum duration the X5C traded cert is valid for.
 maxTLSCertDuration: 24h
 ## @param defaultTLSCertDuration The default duration the X5C traded cert is valid for.
 defaultTLSCertDuration: 1h
 ## @param prefix Prefix where hosts show up that are allowed to get ssh host certs
 prefix: sshd
 ## @param csiDriver The csi driver to use
 csiDriver: csi.spiffe.io
 ## @skip inject
 ## These will be generated by the step-ca tool
 inject:
  secrets:
    x509:
      root_ca_key: ""
      intermediate_ca_key: ""
    ssh:
      host_ca_key: ""
      user_ca_key: ""
  config:
    files:
      ca.json:
        authority: {}
  certificates:
    root_ca: ""
    intermediate_ca: ""
    ssh_host_ca: ""
    ssh_user_ca: ""
 stepIngress:
  ## @param stepIngress.enabled Flag to enable ingress
  enabled: false
  ## @param stepIngress.className Ingress class name
  className: ""
  ## @param stepIngress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
  controllerType: ""
  ## @param stepIngress.annotations [object] Annotations for the ingress object
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # If Profile Type == https_spiffe:
    # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  ## @param stepIngress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
  host: "spiffe-step-ssh"
  ## @param stepIngress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
  tlsSecret: ""
  ## @param stepIngress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
  hosts: []
  #  - host: spiffe-step-ssh.example.org
  #    paths:
  #      - path: /
  #        pathType: Prefix
  ## @param stepIngress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
  tls: []
  #  - hosts:
  #      - spiffe-step-ssh.example.org
 ## @skip step
 step:
  service:
    port: 443
    targetPort: 8443
  inject:
    enabled: false
  bootstrap:
    enabled: false
    configmaps: false
    secrets: false
  existingSecrets:
    enabled: true
    ca: true
    issuer: true
    certsAsSecret: false
    configAsSecret: false
    sshHostCa: true
    sshUserCa: true
 spiffeHelper:
  ## @param spiffeHelper.image.registry The OCI registry to pull the image from
  ## @param spiffeHelper.image.repository The repository within the registry
  ## @param spiffeHelper.image.pullPolicy The image pull policy
  ## @param spiffeHelper.image.tag Overrides the image tag whose default is the chart appVersion
  ##
  image:
    registry: ghcr.io
    repository: spiffe/spiffe-helper
    pullPolicy: IfNotPresent
    tag: 0.8.0
 nginx:
  ## @param nginx.image.registry The OCI registry to pull the image from
  ## @param nginx.image.repository The repository within the registry
  ## @param nginx.image.pullPolicy The image pull policy
  ## @param nginx.image.tag Overrides the image tag whose default is the chart appVersion
  ##
  image:
    registry: docker.io
    repository: nginxinc/nginx-unprivileged
    pullPolicy: IfNotPresent
    tag: 1.25.3-alpine
 kubectl:
  ## @param kubectl.image.registry The OCI registry to pull the image from
  ## @param kubectl.image.repository The repository within the registry
  ## @param kubectl.image.pullPolicy The image pull policy
  ## @param kubectl.image.tag Overrides the image tag whose default is the chart appVersion
  ##
  image:
    registry: registry.k8s.io
    repository: kubectl
    pullPolicy: IfNotPresent
    tag: ""
 yq:
  ## @param yq.image.registry The OCI registry to pull the image from
  ## @param yq.image.repository The repository within the registry
  ## @param yq.image.pullPolicy The image pull policy
  ## @param yq.image.tag Overrides the image tag whose default is the chart appVersion
  ##
  image:
    registry: docker.io
    repository: mikefarah/yq
    pullPolicy: IfNotPresent
    tag: "4.40.5"
 busybox:
  ## @param busybox.image.registry The OCI registry to pull the image from
  ## @param busybox.image.repository The repository within the registry
  ## @param busybox.image.pullPolicy The image pull policy
  ## @param busybox.image.tag Overrides the image tag whose default is the chart appVersion
  ##
  image:
    registry: docker.io
    repository: busybox
    pullPolicy: IfNotPresent
    tag: "1.36.1-uclibc"
 ## @param imagePullSecrets [array] Pull secrets for images
 imagePullSecrets: []
 ## @param nameOverride Name override
 nameOverride: ""
 ## @param fullnameOverride Fullname override
 fullnameOverride: ""
 ## @param serviceAccount.create Specifies whether a service account should be created
 ## @param serviceAccount.annotations [object] Annotations to add to the service account
 ## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
 ##
 serviceAccount:
  create: true
  annotations: {}
  name: ""
 ## @param podAnnotations [object] Additional pod annotations to add
 podAnnotations: {}
 ## @param podLabels [object] Additional pod labels to add
 podLabels: {}
 ## @param podSecurityContext [object} Specify pod security context settings
 podSecurityContext: {}
  # fsGroup: 2000
 ## @param securityContext [object] Specify container security context settings
 securityContext:
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000
  # FIXME
  runAsUser: 0
 fetchCA:
  ## @param fetchCA.replicaCount Number of replicas to launch
  replicaCount: 1
  ## @param fetchCA.service.type The type of service to deploy
  ## @param fetchCA.service.port The port number of the service port
  service:
    type: ClusterIP
    port: 443
  ingress:
    ## @param fetchCA.ingress.enabled Flag to enable ingress
    enabled: false
    ## @param fetchCA.ingress.className Ingress class name
    className: ""
    ## @param fetchCA.ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
    controllerType: ""
    ## @param fetchCA.ingress.annotations [object] Annotations for the ingress object
    annotations: {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
      # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      # If Profile Type == https_spiffe:
      # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    ## @param fetchCA.ingress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
    host: "spiffe-step-ssh-fetchca"
    ## @param fetchCA.ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
    tlsSecret: ""
    ## @param fetchCA.ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
    hosts: []
    #  - host: spiffe-step-ssh-fetchca.example.org
    #    paths:
    #      - path: /
    #        pathType: Prefix
    ## @param fetchCA.ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
    tls: []
    #  - hosts:
    #      - spiffe-step-ssh-fetchca.example.org
  ## @param fetchCA.autoscaling.enabled Enable autoscaling
  ## @param fetchCA.autoscaling.minReplicas Minimum number of replicas to deploy
  ## @param fetchCA.autoscaling.maxReplicas Maximum number of replicas to deploy
  ## @param fetchCA.autoscaling.targetCPUUtilizationPercentage Target CPU utilization to use for autoscaling
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 100
    targetCPUUtilizationPercentage: 80
    # targetMemoryUtilizationPercentage: 80
  ## @param fetchCA.resources [object] Specify resources
  resources: {}
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi
  spiffeHelper:
    ## @param fetchCA.spiffeHelper.resources [object] Specify resources for the SPIFFE helper
    resources: {}
      # limits:
      #   cpu: 100m
      #   memory: 128Mi
      # requests:
      #   cpu: 100m
      #   memory: 128Mi
  ## @param fetchCA.nodeSelector [object] Specify node selector
  nodeSelector: {}
  ## @param fetchCA.tolerations [array] Specify tolerations
  tolerations: []
  ## @param fetchCA.affinity [object] Specify affinity
  affinity: {}
 config:
  ## @param config.resources [object] Specify resources
  resources: {}
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi
  ## @param config.nodeSelector [object] Specify node selector
  nodeSelector: {}
  ## @param config.tolerations [array] Specify tolerations
  tolerations: []
  ## @param config.affinity [object] Specify affinity
  affinity: {}
--- a/charts/spire-crds/.helmignore
+++ b/charts/spire-crds/.helmignore
@ -0,0 +1,23 @@
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
 .DS_Store
 # Common VCS dirs
 .git/
 .gitignore
 .bzr/
 .bzrignore
 .hg/
 .hgignore
 .svn/
 # Common backup files
 *.swp
 *.bak
 *.tmp
 *.orig
 *~
 # Various IDEs
 .project
 .idea/
 *.tmproj
 .vscode/
--- a/charts/spire-crds/Chart.yaml
+++ b/charts/spire-crds/Chart.yaml
@ -0,0 +1,22 @@
 apiVersion: v2
 name: spire-crds
 description: >
  A Helm chart for deploying the Spire CRDS
 type: application
 version: 0.5.0
 appVersion: "0.0.1"
 keywords: ["spire-crds"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
  - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
 maintainers:
  - name: marcofranssen
    email: marco.franssen@gmail.com
    url: https://marcofranssen.nl
  - name: kfox1111
    email: Kevin.Fox@pnnl.gov
  - name: faisal-memon
    email: fymemon@yahoo.com
  - name: edwbuck
    email: edwbuck@gmail.com
--- a/charts/spire-crds/README.md
+++ b/charts/spire-crds/README.md
@ -0,0 +1,24 @@
 # spire-crds
 ![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square)
 A Helm chart to install the SPIRE CRDS.
 **Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
 ## Maintainers
 | Name | Email | Url |
 | ---- | ------ | --- |
 | marcofranssen | <marco.franssen@gmail.com> | <https://marcofranssen.nl> |
 | kfox1111 | <Kevin.Fox@pnnl.gov> |  |
 | faisal-memon | <fymemon@yahoo.com> |  |
 | edwbuck | <edwbuck@gmail.com> |  |
 ## Source Code
 * <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire-crds>
 <!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
 ## Parameters
--- a/charts/spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml
+++ b/charts/spire-crds/templates/spire.spiffe.io_clusterfederatedtrustdomains.yaml
@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.11.1
    {{- .Values.annotations | toYaml | nindent 4 }}
  creationTimestamp: null
  name: clusterfederatedtrustdomains.spire.spiffe.io
 spec:
@ -64,6 +65,9 @@ spec:
                description: BundleEndpointURL is the URL of the bundle endpoint.
                  It must be an HTTPS URL and cannot contain userinfo (i.e. username/password).
                type: string
              className:
                description: Set the class of controller to handle this object.
                type: string
              trustDomain:
                description: TrustDomain is the name of the trust domain to federate
                  with (e.g. example.org)
--- a/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml
+++ b/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml
@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.11.1
    {{- .Values.annotations | toYaml | nindent 4 }}
  creationTimestamp: null
  name: clusterspiffeids.spire.spiffe.io
 spec:
@ -40,6 +41,15 @@ spec:
                  access the SPIRE administrative APIs. Extra care should be taken
                  to only apply this SPIFFE ID to admin workloads.
                type: boolean
              autoPopulateDNSNames:
                description: AutoPopulateDNSNames indicates whether or not to auto
                  populate service DNS names.
                type: boolean
              fallback:
                description: |-
                  Apply this ID only if there are no other matching non fallback
                  ClusterSPIFFEIDs
                type: boolean
              dnsNameTemplates:
                description: DNSNameTemplate represents templates for extra DNS names
                  that are applicable to SVIDs minted for this ClusterSPIFFEID. The
@ -48,14 +58,28 @@ spec:
                items:
                  type: string
                type: array
              downstream:
                description: Downstream indicates that the entry describes a downstream
                  SPIRE server.
                type: boolean
              className:
                description: Set the class of controller to handle this object.
                type: string
              federatesWith:
                description: FederatesWith is a list of trust domain names that workloads
                  that obtain this SPIFFE ID will federate with.
                items:
                  type: string
                type: array
              hint:
                description: Set the entry hint
                type: string
              jwtTtl:
                description: JWTTTL indicates an upper-bound time-to-live for JWT
                  SVIDs minted for this ClusterSPIFFEID.
                type: string
              namespaceSelector:
-                description: NamespaceSelector selects the namespaces that are targetted
+                description: NamespaceSelector selects the namespaces that are targeted
                  by this CRD.
                properties:
                  matchExpressions:
@ -99,8 +123,9 @@ spec:
                      are ANDed.
                    type: object
                type: object
                x-kubernetes-map-type: atomic
              podSelector:
-                description: PodSelector selects the pods that are targetted by this
+                description: PodSelector selects the pods that are targeted by this
                  CRD.
                properties:
                  matchExpressions:
@ -144,14 +169,15 @@ spec:
                      are ANDed.
                    type: object
                type: object
                x-kubernetes-map-type: atomic
              spiffeIDTemplate:
                description: SPIFFEID is the SPIFFE ID template. The node and pod
                  spec are made available to the template under .NodeSpec, .PodSpec
                  respectively.
                type: string
              ttl:
-                description: TTL indicates an upper-bound time-to-live for SVIDs minted
+                description: TTL indicates an upper-bound time-to-live for X509 SVIDs
-                  for this ClusterSPIFFEID. If unset, a default will be chosen.
+                  minted for this ClusterSPIFFEID. If unset, a default will be chosen.
                type: string
              workloadSelectorTemplates:
                description: WorkloadSelectorTemplates are templates to produce arbitrary
--- a/charts/spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml
+++ b/charts/spire-crds/templates/spire.spiffe.io_clusterstaticentries.yaml
@ -0,0 +1,103 @@
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.11.1
    {{- .Values.annotations | toYaml | nindent 4 }}
  creationTimestamp: null
  name: clusterstaticentries.spire.spiffe.io
 spec:
  group: spire.spiffe.io
  names:
    kind: ClusterStaticEntry
    listKind: ClusterStaticEntryList
    plural: clusterstaticentries
    singular: clusterstaticentry
  scope: Cluster
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ClusterStaticEntry is the Schema for the clusterstaticentries
          API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry
            properties:
              admin:
                type: boolean
              className:
                description: Set the class of controller to handle this object.
                type: string
              dnsNames:
                items:
                  type: string
                type: array
              downstream:
                type: boolean
              federatesWith:
                items:
                  type: string
                type: array
              hint:
                type: string
              jwtSVIDTTL:
                type: string
              parentID:
                type: string
              selectors:
                items:
                  type: string
                type: array
              spiffeID:
                type: string
              storeSVID:
                type: boolean
              x509SVIDTTL:
                type: string
            required:
            - parentID
            - selectors
            - spiffeID
            type: object
          status:
            description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry
            properties:
              masked:
                description: If the static entry was masked by another entry.
                type: boolean
              rendered:
                description: If the static entry rendered properly.
                type: boolean
              set:
                description: If the static entry was successfully created/updated.
                type: boolean
            required:
            - masked
            - rendered
            - set
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/charts/spire-crds/values.yaml
+++ b/charts/spire-crds/values.yaml
@ -0,0 +1,3 @@
 annotations:
  ## @param annotations.helm.sh/resource-policy keep the crds after chart deletion
  helm.sh/resource-policy: keep
--- a/charts/spire-nested/.helmignore
+++ b/charts/spire-nested/.helmignore
@ -0,0 +1,24 @@
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
 .DS_Store
 # Common VCS dirs
 .git/
 .gitignore
 .bzr/
 .bzrignore
 .hg/
 .hgignore
 .svn/
 # Common backup files
 *.swp
 *.bak
 *.tmp
 *.orig
 *~
 # Various IDEs
 .project
 .idea/
 *.tmproj
 .vscode/
 ci/
--- a/charts/spire-nested/Chart.yaml
+++ b/charts/spire-nested/Chart.yaml
@ -0,0 +1,116 @@
 apiVersion: v2
 name: spire-nested
 description: >
  A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
 version: 0.26.1
 appVersion: "1.12.4"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
  - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
 maintainers:
  - name: marcofranssen
    email: marco.franssen@gmail.com
    url: https://marcofranssen.nl
  - name: kfox1111
    email: Kevin.Fox@pnnl.gov
  - name: faisal-memon
    email: fymemon@yahoo.com
 kubeVersion: ">=1.21.0-0"
 dependencies:
  - name: spire-lib
    repository: file://../spire/charts/spire-lib
    version: 0.1.0
  - name: spire-server
    alias: root-spire-server
    condition: root-spire-server.enabled
    tags:
    - nestedRoot
    repository: file://../spire/charts/spire-server
    version: 0.1.0
  - name: spire-server
    alias: external-root-spire-server-full
    condition: external-root-spire-server-full.enabled
    tags:
    - nestedChildFull
    repository: file://../spire/charts/spire-server
    version: 0.1.0
  - name: spire-server
    alias: external-root-spire-server-security
    condition: external-root-spire-server-security.enabled
    tags:
    - nestedChildSecurity
    repository: file://../spire/charts/spire-server
    version: 0.1.0
  - name: spire-server
    alias: internal-spire-server
    condition: internal-spire-server.enabled
    tags:
    - nestedRoot
    - nestedChildFull
    repository: file://../spire/charts/spire-server
    version: 0.1.0
  - name: spire-server
    alias: external-spire-server
    condition: external-spire-server.enabled
    tags:
    - nestedRoot
    repository: file://../spire/charts/spire-server
    version: 0.1.0
  - name: spire-agent
    alias: downstream-spire-agent-full
    condition: downstream-spire-agent-full.enabled
    tags:
    - nestedRoot
    - nestedChildFull
    repository: file://../spire/charts/spire-agent
    version: 0.1.0
  - name: spire-agent
    alias: downstream-spire-agent-security
    condition: downstream-spire-agent-security.enabled
    tags:
    - nestedChildSecurity
    repository: file://../spire/charts/spire-agent
    version: 0.1.0
  - name: spire-agent
    alias: upstream-spire-agent
    condition: upstream-spire-agent.enabled
    tags:
    - nestedRoot
    - nestedChildFull
    repository: file://../spire/charts/spire-agent
    version: 0.1.0
  - name: spiffe-csi-driver
    alias: downstream-spiffe-csi-driver
    condition: downstream-spiffe-csi-driver.enabled
    tags:
    - nestedRoot
    - nestedChildFull
    - nestedChildSecurity
    repository: file://../spire/charts/spiffe-csi-driver
    version: 0.1.0
  - name: spiffe-csi-driver
    alias: upstream-spiffe-csi-driver
    condition: upstream-spiffe-csi-driver.enabled
    tags:
    - nestedRoot
    - nestedChildFull
    repository: file://../spire/charts/spiffe-csi-driver
    version: 0.1.0
  - name: spiffe-oidc-discovery-provider
    condition: spiffe-oidc-discovery-provider.enabled
    tags:
    - nestedRoot
    - nestedChildFull
    - nestedChildSecurity
    repository: file://../spire/charts/spiffe-oidc-discovery-provider
    version: 0.1.0
  - name: tornjak-frontend
    condition: tornjak-frontend.enabled
    repository: file://../spire/charts/tornjak-frontend
    version: 0.1.0
 annotations:
  artifacthub.io/category: security
  artifacthub.io/license: Apache-2.0
--- a/charts/spire-nested/LICENSE
+++ b/charts/spire-nested/LICENSE
@ -0,0 +1,201 @@
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.
   Copyright [yyyy] [name of copyright owner]
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--- a/charts/spire-nested/README.md
+++ b/charts/spire-nested/README.md
@ -0,0 +1,355 @@
 # spire
 ![Version: 0.26.1](https://img.shields.io/badge/Version-0.26.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.4](https://img.shields.io/badge/AppVersion-1.12.4-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 **Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
 ## Install Instructions
 ### Non Production
 To do a quick install suitable for testing in something like minikube:
 ```shell
 helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
 helm upgrade --install -n spire-server spire spire-nested --repo https://spiffe.github.io/helm-charts-hardened/
 ```
 ### Production
 Preparing a production deployment requires a few steps.
 1. Save the following to your-values.yaml, ideally in your git repo.
 ```yaml
 global:
  openshift: false # If running on openshift, set to true
  spire:
    recommendations:
      enabled: true
    namespaces:
      create: true
    ingressControllerType: "" # If not openshift, and want to expose services, set to a supported option [ingress-nginx]
    # Update these
    clusterName: example-cluster
    trustDomain: example.org
    caSubject:
      country: ARPA
      organization: Example
      commonName: example.org
 ```
 2. If you need a non default storageClass, append the following to the spire-server section and update:
 ```
  persistence:
    storageClass: your-storage-class
 ```
 3. If your Kubernetes cluster is OpenShift based, use the output of the following command to update the trustDomain setting:
 ```shell
 oc get cm -n openshift-config-managed  console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//'
 ```
 4. Find any additional values you might want to set based on the documentation below or using the [examples](https://github.com/spiffe/helm-charts-hardened/tree/main/examples)
 In particular, consider using an external database.
 5. Deploy
 ```shell
 helm upgrade --install -n spire-mgmt spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
 helm upgrade --install -n spire-mgmt spire spire-nested --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml
 ```
 ## Clean up
 ```shell
 helm -n spire-mgmt uninstall spire-crds
 helm -n spire-mgmt uninstall spire
 kubectl -n spire-server delete pvc -l app.kubernetes.io/instance=spire
 kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeids.spire.spiffe.io clusterstaticentries.spire.spiffe.io
 ```
 ## Upgrade notes
 We only support upgrading one major version at a time. Version skipping isn't supported.
 ### 0.17.X
 - If you set spire-server.replicaCount > 1, update it to 1 before upgrading and after upgrade you can set it back to its previous value.
 - The SPIFFE OIDC Discovery Provider now has many new TLS options and defaults to using SPIRE to issue its certificate.
 - The `spiffe-oidc-discovery-provider.insecureScheme.enabled` flag was removed. If you previously set that flag, remove the setting from your values.yaml and see if the new default of using a SPIRE issued certificate is suitable for your deployment. If it isn't, please consider one of the other options under `spiffe-oidc-discovery-provider.tls`. If all other options are still unsuitable, you can still enable the previous mode by disabling TLS. (`spiffe-oidc-discovery-provider.tls.spire.enabled=false`)
 - The SPIFFE OIDC Discovery Provider is now enabled by default. If you previously chose to have it off, you can disable it explicitly with `spiffe-oidc-discovery-provider.enabled=false`.
 ### 0.16.X
 The settings under "spire-server.controllerManager.identities" have all been moved under "spire-server.controllerManager.identities.clusterSPIFFEIDs.default". If you have changed any from the defaults, please update them to the new location during upgrade.
 ### 0.15.X
 The spire-crds chart has been updated. Please ensure you have upgraded spire-crds before upgrading the spire chart.
 The chart now supports multiple parallel installs of spire-controller-manager. Each install will handle all custom resources with a matching `className` field.  By default this is set to `Release.Namespace-Release.Name` and the controller manager will only pick up custom resources with this `className`.
 If you have not loaded any SPIRE custom resources yourself, the upgrade process will be transparent. If you have loaded your own SPIRE custom resources, set `spire-server.controllerManager.watchClassless=true` until you can update your SPIRE custom resources to have the `className` for the instance specified.
 ### 0.14.X
 If coming from a chart version before 0.14.0, you must relabel your crds to switch to using the new spire-crds chart. To migrate to the spire-crds chart
 run the following:
 Replace the spire-server namespace in the commands below with the namespace you want to install the spire-crds chart in.
 ```shell
 kubectl label crd "clusterfederatedtrustdomains.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm"
 kubectl annotate crd "clusterfederatedtrustdomains.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds"
 kubectl annotate crd "clusterfederatedtrustdomains.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server"
 kubectl label crd "clusterspiffeids.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm"
 kubectl annotate crd "clusterspiffeids.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds"
 kubectl annotate crd "clusterspiffeids.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server"
 kubectl label crd "controllermanagerconfigs.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm"
 kubectl annotate crd "controllermanagerconfigs.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds"
 kubectl annotate crd "controllermanagerconfigs.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server"
 helm install -n spire-server spire-crds charts/spire-crds
 ```
 ## Version support
 > [!Warning]
 > This Chart is still in development and still subject to change the API (`values.yaml`).
 > Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
 > we do aim for as much stability as possible.
 | Dependency | Supported Versions |
 |:-----------|:-------------------|
 | Helm       | `3.x`              |
 | Kubernetes | `1.22+`            |
 > [!Note]
 > For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden.
 ## FAQ
 For any issues see our [FAQ](../../FAQ.md)…
 ## Usage
 To utilize Spire in your own workloads you should add the following to your workload:
 ```diff
 apiVersion: v1
 kind: Pod
 metadata:
   name: my-app
 spec:
   containers:
     - name: my-app
       image: "my-app:latest"
       imagePullPolicy: Always
 +      volumeMounts:
 +        - name: spiffe-workload-api
 +          mountPath: /spiffe-workload-api
 +          readOnly: true
       resources:
         requests:
           cpu: 200m
           memory: 32Mi
         limits:
           cpu: 500m
           memory: 64Mi
 +  volumes:
 +    - name: spiffe-workload-api
 +      csi:
 +        driver: "csi.spiffe.io"
 +        readOnly: true
 ```
 Now you can interact with the Spire agent socket from your own application. The socket is mounted on `/spiffe-workload-api/spire-agent.sock`.
 ## Maintainers
 | Name | Email | Url |
 | ---- | ------ | --- |
 | marcofranssen | <marco.franssen@gmail.com> | <https://marcofranssen.nl> |
 | kfox1111 | <Kevin.Fox@pnnl.gov> |  |
 | faisal-memon | <fymemon@yahoo.com> |  |
 | edwbuck | <edwbuck@gmail.com> |  |
 ## Source Code
 * <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
 ## Requirements
 | Repository | Name | Version |
 |------------|------|---------|
 | file://./charts/spiffe-csi-driver | spiffe-csi-driver | 0.1.0 |
 | file://./charts/spiffe-csi-driver | upstream-spiffe-csi-driver(spiffe-csi-driver) | 0.1.0 |
 | file://./charts/spiffe-oidc-discovery-provider | spiffe-oidc-discovery-provider | 0.1.0 |
 | file://./charts/spire-agent | spire-agent | 0.1.0 |
 | file://./charts/spire-agent | upstream-spire-agent(spire-agent) | 0.1.0 |
 | file://./charts/spire-server | spire-server | 0.1.0 |
 | file://./charts/tornjak-frontend | tornjak-frontend | 0.1.0 |
 <!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
 ## Parameters
 ### Global parameters
 | Name                                             | Description                                                                                                                                                                                                                            | Value             |
 | ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
 | `global.k8s.clusterDomain`                       | Cluster domain name configured for Spire install                                                                                                                                                                                       | `cluster.local`   |
 | `global.spire.clusterName`                       | The name of the k8s cluster for Spire install                                                                                                                                                                                          | `example-cluster` |
 | `global.spire.jwtIssuer`                         | The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset                                                                                                                                                      | `""`              |
 | `global.spire.trustDomain`                       | The trust domain for Spire install                                                                                                                                                                                                     | `example.org`     |
 | `global.spire.caSubject.country`                 | Country for Spire server CA                                                                                                                                                                                                            | `""`              |
 | `global.spire.caSubject.organization`            | Organization for Spire server CA                                                                                                                                                                                                       | `""`              |
 | `global.spire.caSubject.commonName`              | Common Name for Spire server CA                                                                                                                                                                                                        | `""`              |
 | `global.spire.recommendations.enabled`           | Use recommended settings for production deployments. Default is off.                                                                                                                                                                   | `false`           |
 | `global.spire.recommendations.namespaceLayout`   | Set to true to use recommended values for installing across namespaces                                                                                                                                                                 | `true`            |
 | `global.spire.recommendations.namespacePSS`      | When chart namespace creation is enabled, label them with preffered Pod Security Standard labels                                                                                                                                       | `true`            |
 | `global.spire.recommendations.priorityClassName` | Set to true to use recommended values for Pod Priority Class Names                                                                                                                                                                     | `true`            |
 | `global.spire.recommendations.strictMode`        | Check values, such as trustDomain, are overridden with a suitable value for production.                                                                                                                                                | `true`            |
 | `global.spire.recommendations.securityContexts`  | Set to true to use recommended values for Pod and Container Security Contexts                                                                                                                                                          | `true`            |
 | `global.spire.recommendations.prometheus`        | Enable prometheus exporters for monitoring                                                                                                                                                                                             | `true`            |
 | `global.spire.image.registry`                    | Override all Spire image registries at once                                                                                                                                                                                            | `""`              |
 | `global.spire.namespaces.create`                 | Set to true to Create all namespaces. If this or either of the namespace specific create flags is set, the namespace will be created.                                                                                                  | `false`           |
 | `global.spire.namespaces.system.name`            | Name of the Spire system Namespace.                                                                                                                                                                                                    | `spire-system`    |
 | `global.spire.namespaces.system.create`          | Create a Namespace for Spire system resources.                                                                                                                                                                                         | `false`           |
 | `global.spire.namespaces.system.annotations`     | Annotations to apply to the Spire system Namespace.                                                                                                                                                                                    | `{}`              |
 | `global.spire.namespaces.system.labels`          | Labels to apply to the Spire system Namespace.                                                                                                                                                                                         | `{}`              |
 | `global.spire.namespaces.server.name`            | Name of the Spire server Namespace.                                                                                                                                                                                                    | `spire-server`    |
 | `global.spire.namespaces.server.create`          | Create a Namespace for Spire server resources.                                                                                                                                                                                         | `false`           |
 | `global.spire.namespaces.server.annotations`     | Annotations to apply to the Spire server Namespace.                                                                                                                                                                                    | `{}`              |
 | `global.spire.namespaces.server.labels`          | Labels to apply to the Spire server Namespace.                                                                                                                                                                                         | `{}`              |
 | `global.spire.strictMode`                        | Check values, such as trustDomain, are overridden with a suitable value for production.                                                                                                                                                | `false`           |
 | `global.spire.ingressControllerType`             | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""`              |
 | `global.spire.tools.kubectl.tag`                 | Set to force the tag to use for all kubectl instances                                                                                                                                                                                  | `""`              |
 | `global.installAndUpgradeHooks.enabled`          | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`)                                                                                                                             | `true`            |
 | `global.deleteHooks.enabled`                     | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`)                                                                                                                                      | `true`            |
 | `tags.nestedRoot`                                | Set the chart architecture to root nested                                                                                                                                                                                              | `false`           |
 | `tags.nestedChildFull`                           | Set the chart mode to a child cluster with its own nested server                                                                                                                                                                       | `false`           |
 | `tags.nestedChildSecurity`                       | Set the chart mode to a child cluster for use with a security cluster                                                                                                                                                                  | `false`           |
 ### Spire agent parameters
 | Name                                               | Description                                                    | Value                                 |
 | -------------------------------------------------- | -------------------------------------------------------------- | ------------------------------------- |
 | `downstream-spire-agent-full.nameOverride`         | Overrides the name of Spire agent pods                         | `agent-downstream`                    |
 | `downstream-spire-agent-full.server.nameOverride`  | The name override setting of the internal SPIRE server         | `internal-server`                     |
 | `downstream-spire-agent-full.bundleConfigMap`      | The name of the configmap that contains the downstream bundle  | `spire-bundle-downstream`             |
 | `downstream-spire-agent-full.persistence.hostPath` | Which path to use on the host when persistence.type = hostPath | `/var/lib/spire/k8s/downstream-agent` |
 ### Spire agent parameters
 | Name                                                   | Description                                                    | Value                                 |
 | ------------------------------------------------------ | -------------------------------------------------------------- | ------------------------------------- |
 | `downstream-spire-agent-security.nameOverride`         | Overrides the name of Spire agent pods                         | `agent-downstream`                    |
 | `downstream-spire-agent-security.bundleConfigMap`      | The name of the configmap that contains the downstream bundle  | `spire-bundle-upstream`               |
 | `downstream-spire-agent-security.serviceAccount.name`  | The name of the service account to use                         | `spire-agent-upstream`                |
 | `downstream-spire-agent-security.persistence.hostPath` | Which path to use on the host when persistence.type = hostPath | `/var/lib/spire/k8s/downstream-agent` |
 ### Upstream Spire agent parameters
 | Name                                             | Description                                                    | Value                                                |
 | ------------------------------------------------ | -------------------------------------------------------------- | ---------------------------------------------------- |
 | `upstream-spire-agent.upstream`                  | Flag for enabling upstream Spire agent                         | `true`                                               |
 | `upstream-spire-agent.nameOverride`              | Name override for upstream Spire agent                         | `agent-upstream`                                     |
 | `upstream-spire-agent.bundleConfigMap`           | The configmap name for upstream Spire agent bundle             | `spire-bundle-upstream`                              |
 | `upstream-spire-agent.socketPath`                | Socket path where Spire agent socket is mounted                | `/run/spire/agent-sockets-upstream/spire-agent.sock` |
 | `upstream-spire-agent.serviceAccount.name`       | Service account name for upstream Spire agent                  | `spire-agent-upstream`                               |
 | `upstream-spire-agent.healthChecks.port`         | Health check port number for upstream Spire agent              | `9981`                                               |
 | `upstream-spire-agent.telemetry.prometheus.port` | The port where prometheus metrics are available                | `9989`                                               |
 | `upstream-spire-agent.server.nameOverride`       | The name override setting of the root SPIRE server             | `root-server`                                        |
 | `upstream-spire-agent.persistence.hostPath`      | Which path to use on the host when persistence.type = hostPath | `/var/lib/spire/k8s/upstream-agent`                  |
 ### SPIFFE CSI Driver parameters
 | Name                                            | Description       | Value                          |
 | ----------------------------------------------- | ----------------- | ------------------------------ |
 | `downstream-spiffe-csi-driver.fullnameOverride` | Fullname override | `spiffe-csi-driver-downstream` |
 ### Upstream SPIFFE CSI Driver parameters
 | Name                                           | Description                                                 | Value                                                |
 | ---------------------------------------------- | ----------------------------------------------------------- | ---------------------------------------------------- |
 | `upstream-spiffe-csi-driver.fullnameOverride`  | Fullname override                                           | `spiffe-csi-driver-upstream`                         |
 | `upstream-spiffe-csi-driver.pluginName`        | The plugin name for configuring upstream Spiffe CSI driver  | `upstream.csi.spiffe.io`                             |
 | `upstream-spiffe-csi-driver.agentSocketPath`   | The socket path where Spiffe CSI driver mounts agent socket | `/run/spire/agent-sockets-upstream/spire-agent.sock` |
 | `upstream-spiffe-csi-driver.healthChecks.port` | The port where Spiffe CSI driver health checks are exposed  | `9810`                                               |
 ### SPIFFE oidc discovery provider parameters
 | Name                                              | Description       | Value                            |
 | ------------------------------------------------- | ----------------- | -------------------------------- |
 | `spiffe-oidc-discovery-provider.fullnameOverride` | Fullname override | `spiffe-oidc-discovery-provider` |
 ### Tornjak frontend parameters
 | Name                                                                                                            | Description                                                                                                                                       | Value                        |
 | --------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- |
 | `tornjak-frontend.enabled`                                                                                      | Enables deployment of Tornjak frontend/UI (Not for production)                                                                                    | `false`                      |
 | `root-spire-server.nameOverride`                                                                                | Name override                                                                                                                                     | `root-server`                |
 | `root-spire-server.crNameOverride`                                                                              | Custom Resource name override                                                                                                                     | `root`                       |
 | `root-spire-server.controllerManager.enabled`                                                                   | Enable controller manager and provision CRD's                                                                                                     | `true`                       |
 | `root-spire-server.controllerManager.externalControllerManagers.enabled`                                        | Flag to enable external controller managers                                                                                                       | `true`                       |
 | `root-spire-server.controllerManager.validatingWebhookConfiguration.enabled`                                    | Disable only when you have another instance on the k8s cluster with webhooks enabled.                                                             | `false`                      |
 | `root-spire-server.controllerManager.className`                                                                 | specify to use an explicit class name.                                                                                                            | `spire-mgmt-root-server`     |
 | `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled`                         | Enable child servers                                                                                                                              | `true`                       |
 | `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.default.enabled`                               | Enable the default cluster spiffe id                                                                                                              | `false`                      |
 | `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled`               | Enable the test-keys identity                                                                                                                     | `false`                      |
 | `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled`                             | Enable the test-keys identity                                                                                                                     | `false`                      |
 | `root-spire-server.externalControllerManagers.enabled`                                                          | Flag to enable external controller managers                                                                                                       | `true`                       |
 | `root-spire-server.nodeAttestor.k8sPSAT.serviceAccountAllowList`                                                | Allowed service accounts for PSAT nodeattestor                                                                                                    | `[]`                         |
 | `root-spire-server.bundleConfigMap`                                                                             | The name of the configmap to store the upstream bundle                                                                                            | `spire-bundle-upstream`      |
 | `external-root-spire-server-full.externalServer`                                                                | Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers. | `true`                       |
 | `external-root-spire-server-full.nameOverride`                                                                  | Name override                                                                                                                                     | `root-server`                |
 | `external-root-spire-server-full.crNameOverride`                                                                | Custom Resource name override                                                                                                                     | `root`                       |
 | `external-root-spire-server-full.controllerManager.enabled`                                                     | Enable controller manager and provision CRD's                                                                                                     | `true`                       |
 | `external-root-spire-server-full.controllerManager.validatingWebhookConfiguration.enabled`                      | Disable only when you have another instance on the k8s cluster with webhooks enabled.                                                             | `false`                      |
 | `external-root-spire-server-full.controllerManager.className`                                                   | specify to use an explicit class name.                                                                                                            | `spire-mgmt-external-server` |
 | `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled`           | Enable child servers                                                                                                                              | `true`                       |
 | `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.default.enabled`                 | Enable the default cluster spiffe id                                                                                                              | `false`                      |
 | `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled` | Enable the test-keys identity                                                                                                                     | `false`                      |
 | `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled`               | Enable the test-keys identity                                                                                                                     | `false`                      |
 | `external-root-spire-server-full.nodeAttestor.k8sPSAT.serviceAccountAllowList`                                  | Allowed service accounts for PSAT nodeattestor                                                                                                    | `[]`                         |
 | `external-root-spire-server-full.bundleConfigMap`                                                               | The name of the configmap to store the upstream bundle                                                                                            | `spire-bundle-upstream`      |
 | `external-root-spire-server-security.externalServer`                                                            | Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers. | `true`                       |
 | `external-root-spire-server-security.nameOverride`                                                              | Name override                                                                                                                                     | `root-server`                |
 | `external-root-spire-server-security.crNameOverride`                                                            | Custom Resource name override                                                                                                                     | `root`                       |
 | `external-root-spire-server-security.controllerManager.enabled`                                                 | Enable controller manager and provision CRD's                                                                                                     | `true`                       |
 | `external-root-spire-server-security.controllerManager.validatingWebhookConfiguration.enabled`                  | Disable only when you have another instance on the k8s cluster with webhooks enabled.                                                             | `false`                      |
 | `external-root-spire-server-security.controllerManager.className`                                               | specify to use an explicit class name.                                                                                                            | `spire-mgmt-external-server` |
 | `external-root-spire-server-security.nodeAttestor.k8sPSAT.serviceAccountAllowList`                              | Allowed service accounts for PSAT nodeattestor                                                                                                    | `[]`                         |
 | `external-root-spire-server-security.bundleConfigMap`                                                           | The name of the configmap to store the upstream bundle                                                                                            | `spire-bundle-upstream`      |
 ### Spire server parameters
 | Name                                                                                                               | Description                                                                           | Value                        |
 | ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------- | ---------------------------- |
 | `internal-spire-server.nameOverride`                                                                               | Overrides the name of Spire server pods                                               | `internal-server`            |
 | `internal-spire-server.controllerManager.enabled`                                                                  | Enable controller manager and provision CRD's                                         | `true`                       |
 | `internal-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.autoPopulateDNSNames` | Auto populate dns entries                                                             | `false`                      |
 | `internal-spire-server.externalControllerManagers.enabled`                                                         | Flag to enable external controller managers                                           | `true`                       |
 | `internal-spire-server.upstreamAuthority.spire.enabled`                                                            | Enable upstream SPIRE server                                                          | `true`                       |
 | `internal-spire-server.upstreamAuthority.spire.upstreamDriver`                                                     | Use an upstream driver for authentication                                             | `upstream.csi.spiffe.io`     |
 | `internal-spire-server.upstreamAuthority.spire.server.nameOverride`                                                | The name override setting of the root SPIRE server                                    | `root-server`                |
 | `internal-spire-server.bundleConfigMap`                                                                            | The name of the configmap to store the downstream bundle                              | `spire-bundle-downstream`    |
 | `external-spire-server.nameOverride`                                                                               | Overrides the name of Spire server pods                                               | `external-server`            |
 | `external-spire-server.crNameOverride`                                                                             | Custom Resource name override                                                         | `external`                   |
 | `external-spire-server.controllerManager.enabled`                                                                  | Enable controller manager and provision CRD's                                         | `true`                       |
 | `external-spire-server.controllerManager.validatingWebhookConfiguration.enabled`                                   | Disable only when you have another instance on the k8s cluster with webhooks enabled. | `false`                      |
 | `external-spire-server.controllerManager.className`                                                                | specify to use an explicit class name.                                                | `spire-mgmt-external-server` |
 | `external-spire-server.controllerManager.identities.clusterSPIFFEIDs.default.enabled`                              | Enable the default identity                                                           | `false`                      |
 | `external-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled`              | Enable the oidc-discovery-provider identity                                           | `false`                      |
 | `external-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled`                            | Enable the test-keys identity                                                         | `false`                      |
 | `external-spire-server.externalControllerManagers.enabled`                                                         | Flag to enable external controller managers                                           | `true`                       |
 | `external-spire-server.upstreamAuthority.spire.enabled`                                                            | Enable upstream SPIRE server                                                          | `true`                       |
 | `external-spire-server.upstreamAuthority.spire.upstreamDriver`                                                     | Use an upstream driver for authentication                                             | `upstream.csi.spiffe.io`     |
 | `external-spire-server.upstreamAuthority.spire.server.nameOverride`                                                | The name override setting of the root SPIRE server                                    | `root-server`                |
 | `external-spire-server.bundlePublisher.k8sConfigMap.enabled`                                                       | Enable local k8s bundle uploader                                                      | `false`                      |
 | `external-spire-server.nodeAttestor.k8sPSAT.enabled`                                                               | Enable PSAT k8s nodeattestor                                                          | `false`                      |
 | `external-spire-server.nodeAttestor.joinToken.enabled`                                                             | Enable the join_token nodeattestor                                                    | `true`                       |
--- a/charts/spire-nested/templates/namespaces.yaml
+++ b/charts/spire-nested/templates/namespaces.yaml
@ -0,0 +1,3 @@
 {{- include "spire-lib.namespace.system" . }}
 ---
 {{- include "spire-lib.namespace.server" . }}
--- a/charts/spire-nested/values.yaml
+++ b/charts/spire-nested/values.yaml
@ -0,0 +1,397 @@
 # Default configuration for Spire chart
 # SPDX-License-Identifier: APACHE-2.0
 ## @section Global parameters
 ## Note: the parameter values specified here will override the chart level values for these parameters.
 ##
 global:
  k8s:
    ## @param global.k8s.clusterDomain Cluster domain name configured for Spire install
    clusterDomain: cluster.local
  spire:
    ## @param global.spire.clusterName The name of the k8s cluster for Spire install
    clusterName: example-cluster
    ## @param global.spire.jwtIssuer The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset
    jwtIssuer: ""
    ## @param global.spire.trustDomain The trust domain for Spire install
    trustDomain: example.org
    ## @param global.spire.caSubject.country Country for Spire server CA
    ## @param global.spire.caSubject.organization Organization for Spire server CA
    ## @param global.spire.caSubject.commonName Common Name for Spire server CA
    caSubject:
      country: ""
      organization: ""
      commonName: ""
    ## @param global.spire.recommendations.enabled Use recommended settings for production deployments. Default is off.
    ## @param global.spire.recommendations.namespaceLayout Set to true to use recommended values for installing across namespaces
    ## @param global.spire.recommendations.namespacePSS When chart namespace creation is enabled, label them with preffered Pod Security Standard labels
    ## @param global.spire.recommendations.priorityClassName Set to true to use recommended values for Pod Priority Class Names
    ## @param global.spire.recommendations.strictMode Check values, such as trustDomain, are overridden with a suitable value for production.
    ## @param global.spire.recommendations.securityContexts Set to true to use recommended values for Pod and Container Security Contexts
    ## @param global.spire.recommendations.prometheus Enable prometheus exporters for monitoring
    recommendations:
      enabled: false
      namespaceLayout: true
      namespacePSS: true
      priorityClassName: true
      strictMode: true
      securityContexts: true
      prometheus: true
    image:
      ## @param global.spire.image.registry Override all Spire image registries at once
      registry: ""
    namespaces:
      ## @param global.spire.namespaces.create Set to true to Create all namespaces. If this or either of the namespace specific create flags is set, the namespace will be created.
      create: false
      system:
        ## @param global.spire.namespaces.system.name Name of the Spire system Namespace.
        name: "spire-system"
        ## @param global.spire.namespaces.system.create Create a Namespace for Spire system resources.
        create: false
        ## @param global.spire.namespaces.system.annotations [object] Annotations to apply to the Spire system Namespace.
        annotations: {}
        ## @param global.spire.namespaces.system.labels [object] Labels to apply to the Spire system Namespace.
        labels: {}
      server:
        ## @param global.spire.namespaces.server.name Name of the Spire server Namespace.
        name: "spire-server"
        ## @param global.spire.namespaces.server.create Create a Namespace for Spire server resources.
        create: false
        ## @param global.spire.namespaces.server.annotations [object] Annotations to apply to the Spire server Namespace.
        annotations: {}
        ## @param global.spire.namespaces.server.labels [object] Labels to apply to the Spire server Namespace.
        labels: {}
    ## @param global.spire.strictMode Check values, such as trustDomain, are overridden with a suitable value for production.
    strictMode: false
    ## @param global.spire.ingressControllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
    ingressControllerType: ""
    tools:
      kubectl:
        ## @param global.spire.tools.kubectl.tag Set to force the tag to use for all kubectl instances
        tag: ""
  installAndUpgradeHooks:
    ## @param global.installAndUpgradeHooks.enabled Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`)
    enabled: true
  deleteHooks:
    ## @param global.deleteHooks.enabled Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`)
    enabled: true
 #  telemetry:
 #    prometheus:
 #      enabled: true
 #      podMonitor:
 #        enabled: true
 #        # -- Allows to install the PodMonitor in another namespace then the spire components are installed into.
 #        namespace: "kube-prometheus-system"
 #        labels: {}
 tags:
  ## @param tags.nestedRoot Set the chart architecture to root nested
  nestedRoot: false
  ## @param tags.nestedChildFull Set the chart mode to a child cluster with its own nested server
  nestedChildFull: false
  ## @param tags.nestedChildSecurity Set the chart mode to a child cluster for use with a security cluster
  nestedChildSecurity: false
 ## subcharts
 ## @section Spire agent parameters
 ## Parameter values for Spire agent
 ##
 # Used with tags [nestedRoot, nestedChildFull]
 downstream-spire-agent-full:
  # enabled: true
  ## @param downstream-spire-agent-full.nameOverride Overrides the name of Spire agent pods
  nameOverride: agent-downstream
  server:
    ## @param downstream-spire-agent-full.server.nameOverride The name override setting of the internal SPIRE server
    nameOverride: internal-server
  ## @param downstream-spire-agent-full.bundleConfigMap The name of the configmap that contains the downstream bundle
  bundleConfigMap: spire-bundle-downstream
  ## @param downstream-spire-agent-full.persistence.hostPath Which path to use on the host when persistence.type = hostPath
  persistence:
    hostPath: /var/lib/spire/k8s/downstream-agent
 ## @section Spire agent parameters
 ## Parameter values for Spire agent
 ##
 # Used with tags [nestedChildSecurity]
 downstream-spire-agent-security:
  # enabled: true
  ## @param downstream-spire-agent-security.nameOverride Overrides the name of Spire agent pods
  nameOverride: agent-downstream
  ## @param downstream-spire-agent-security.bundleConfigMap The name of the configmap that contains the downstream bundle
  bundleConfigMap: spire-bundle-upstream
  serviceAccount:
    ## @param downstream-spire-agent-security.serviceAccount.name The name of the service account to use
    name: spire-agent-upstream
  ## @param downstream-spire-agent-security.persistence.hostPath Which path to use on the host when persistence.type = hostPath
  persistence:
    hostPath: /var/lib/spire/k8s/downstream-agent
 ## @section Upstream Spire agent parameters
 ## Parameter values for upstream Spire agent
 ##
 # Used with tags [nestedRoot, nestedChildFull]
 upstream-spire-agent:
  # enabled: true
  ## @param upstream-spire-agent.upstream Flag for enabling upstream Spire agent
  upstream: true
  ## @param upstream-spire-agent.nameOverride Name override for upstream Spire agent
  nameOverride: agent-upstream
  ## @param upstream-spire-agent.bundleConfigMap The configmap name for upstream Spire agent bundle
  bundleConfigMap: spire-bundle-upstream
  ## @param upstream-spire-agent.socketPath Socket path where Spire agent socket is mounted
  socketPath: /run/spire/agent-sockets-upstream/spire-agent.sock
  serviceAccount:
    ## @param upstream-spire-agent.serviceAccount.name Service account name for upstream Spire agent
    name: spire-agent-upstream
  healthChecks:
    ## @param upstream-spire-agent.healthChecks.port Health check port number for upstream Spire agent
    port: 9981
  telemetry:
    prometheus:
      ## @param upstream-spire-agent.telemetry.prometheus.port The port where prometheus metrics are available
      port: 9989
  server:
    ## @param upstream-spire-agent.server.nameOverride The name override setting of the root SPIRE server
    nameOverride: root-server
  ## @param upstream-spire-agent.persistence.hostPath Which path to use on the host when persistence.type = hostPath
  persistence:
    hostPath: /var/lib/spire/k8s/upstream-agent
 ## @section SPIFFE CSI Driver parameters
 ## Parameter values for spiffe-csi-driver
 ##
 # Used with tags [nestedRoot, nestedChildFull, nestedChildSecurity]
 downstream-spiffe-csi-driver:
  # enabled: true
  ## @param downstream-spiffe-csi-driver.fullnameOverride Fullname override
  fullnameOverride: spiffe-csi-driver-downstream
 ## @section Upstream SPIFFE CSI Driver parameters
 ## Parameter values for upstream spiffe-csi-driver
 ##
 # Used with tags [nestedRoot, nestedChildFull]
 upstream-spiffe-csi-driver:
  # enabled: true
  ## @param upstream-spiffe-csi-driver.fullnameOverride Fullname override
  fullnameOverride: spiffe-csi-driver-upstream
  ## @param upstream-spiffe-csi-driver.pluginName The plugin name for configuring upstream Spiffe CSI driver
  pluginName: upstream.csi.spiffe.io
  ## @param upstream-spiffe-csi-driver.agentSocketPath The socket path where Spiffe CSI driver mounts agent socket
  agentSocketPath: /run/spire/agent-sockets-upstream/spire-agent.sock
  healthChecks:
    ## @param upstream-spiffe-csi-driver.healthChecks.port The port where Spiffe CSI driver health checks are exposed
    port: 9810
 ## @section SPIFFE oidc discovery provider parameters
 ## Parameter values for spiffe-oidc-discovery-provider
 ##
 # Used with tags [nestedRoot, nestedChildFull, nestedChildSecurity]
 spiffe-oidc-discovery-provider:
  # enabled: true
  ## @param spiffe-oidc-discovery-provider.fullnameOverride Fullname override
  fullnameOverride: spiffe-oidc-discovery-provider
 ## @section Tornjak frontend parameters
 ## Parameter values for Tornjak frontend
 ##
 tornjak-frontend:
  ## @param tornjak-frontend.enabled Enables deployment of Tornjak frontend/UI (Not for production)
  enabled: false
 # Used with tags [nestedRoot]
 root-spire-server:
  # enabled: true
  ## @param root-spire-server.nameOverride Name override
  nameOverride: root-server
  ## @param root-spire-server.crNameOverride Custom Resource name override
  crNameOverride: root
  controllerManager:
    ## @param root-spire-server.controllerManager.enabled Enable controller manager and provision CRD's
    enabled: true
    externalControllerManagers:
      ## @param root-spire-server.controllerManager.externalControllerManagers.enabled Flag to enable external controller managers
      enabled: true
    validatingWebhookConfiguration:
      ## @param root-spire-server.controllerManager.validatingWebhookConfiguration.enabled Disable only when you have another instance on the k8s cluster with webhooks enabled.
      enabled: false
    ## @param root-spire-server.controllerManager.className specify to use an explicit class name.
    className: spire-mgmt-root-server
    identities:
      clusterSPIFFEIDs:
        child-servers:
          ## @param root-spire-server.controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled Enable child servers
          enabled: true
        default:
          ## @param root-spire-server.controllerManager.identities.clusterSPIFFEIDs.default.enabled Enable the default cluster spiffe id
          enabled: false
        oidc-discovery-provider:
          ## @param root-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled Enable the test-keys identity
          enabled: false
        test-keys:
          ## @param root-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable the test-keys identity
          enabled: false
  externalControllerManagers:
    ## @param root-spire-server.externalControllerManagers.enabled Flag to enable external controller managers
    enabled: true
  nodeAttestor:
    k8sPSAT:
      ## @param root-spire-server.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor
      serviceAccountAllowList:
        - spire-agent-upstream
  ## @param root-spire-server.bundleConfigMap The name of the configmap to store the upstream bundle
  bundleConfigMap: spire-bundle-upstream
 # Used with tags [nestedChildFull]
 external-root-spire-server-full:
  ## @param external-root-spire-server-full.externalServer Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers.
  externalServer: true
  ## @param external-root-spire-server-full.nameOverride Name override
  nameOverride: root-server
  ## @param external-root-spire-server-full.crNameOverride Custom Resource name override
  crNameOverride: root
  controllerManager:
    ## @param external-root-spire-server-full.controllerManager.enabled Enable controller manager and provision CRD's
    enabled: true
    validatingWebhookConfiguration:
      ## @param external-root-spire-server-full.controllerManager.validatingWebhookConfiguration.enabled Disable only when you have another instance on the k8s cluster with webhooks enabled.
      enabled: false
    ## @param external-root-spire-server-full.controllerManager.className specify to use an explicit class name.
    className: spire-mgmt-external-server
    identities:
      clusterSPIFFEIDs:
        child-servers:
          ## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled Enable child servers
          enabled: true
        default:
          ## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.default.enabled Enable the default cluster spiffe id
          enabled: false
        oidc-discovery-provider:
          ## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled Enable the test-keys identity
          enabled: false
        test-keys:
          ## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable the test-keys identity
          enabled: false
  nodeAttestor:
    k8sPSAT:
      ## @param external-root-spire-server-full.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor
      serviceAccountAllowList:
        - spire-agent-upstream
  ## @param external-root-spire-server-full.bundleConfigMap The name of the configmap to store the upstream bundle
  bundleConfigMap: spire-bundle-upstream
 # Used with tags [nestedChildSecurity]
 external-root-spire-server-security:
  ## @param external-root-spire-server-security.externalServer Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers.
  externalServer: true
  ## @param external-root-spire-server-security.nameOverride Name override
  nameOverride: root-server
  ## @param external-root-spire-server-security.crNameOverride Custom Resource name override
  crNameOverride: root
  controllerManager:
    ## @param external-root-spire-server-security.controllerManager.enabled Enable controller manager and provision CRD's
    enabled: true
    validatingWebhookConfiguration:
      ## @param external-root-spire-server-security.controllerManager.validatingWebhookConfiguration.enabled Disable only when you have another instance on the k8s cluster with webhooks enabled.
      enabled: false
    ## @param external-root-spire-server-security.controllerManager.className specify to use an explicit class name.
    className: spire-mgmt-external-server
  nodeAttestor:
    k8sPSAT:
      ## @param external-root-spire-server-security.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor
      serviceAccountAllowList:
        - spire-agent-upstream
  ## @param external-root-spire-server-security.bundleConfigMap The name of the configmap to store the upstream bundle
  bundleConfigMap: spire-bundle-upstream
 ## @section Spire server parameters
 ## Parameter values for Spire server
 ##
 # Used with tags [nestedRoot, nestedChildFull]
 internal-spire-server:
  # enabled: true
  ## @param internal-spire-server.nameOverride Overrides the name of Spire server pods
  nameOverride: internal-server
  controllerManager:
    ## @param internal-spire-server.controllerManager.enabled Enable controller manager and provision CRD's
    enabled: true
    identities:
      clusterSPIFFEIDs:
        oidc-discovery-provider:
          ## @param internal-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.autoPopulateDNSNames Auto populate dns entries
          autoPopulateDNSNames: false
  externalControllerManagers:
    ## @param internal-spire-server.externalControllerManagers.enabled Flag to enable external controller managers
    enabled: true
  upstreamAuthority:
    spire:
      ## @param internal-spire-server.upstreamAuthority.spire.enabled Enable upstream SPIRE server
      enabled: true
      ## @param internal-spire-server.upstreamAuthority.spire.upstreamDriver Use an upstream driver for authentication
      upstreamDriver: upstream.csi.spiffe.io
      server:
        ## @param internal-spire-server.upstreamAuthority.spire.server.nameOverride The name override setting of the root SPIRE server
        nameOverride: root-server
  ## @param internal-spire-server.bundleConfigMap The name of the configmap to store the downstream bundle
  bundleConfigMap: spire-bundle-downstream
 # Used with tags [nestedRoot]
 external-spire-server:
  # enabled: true
  ## @param external-spire-server.nameOverride Overrides the name of Spire server pods
  nameOverride: external-server
  ## @param external-spire-server.crNameOverride Custom Resource name override
  crNameOverride: external
  controllerManager:
    ## @param external-spire-server.controllerManager.enabled Enable controller manager and provision CRD's
    enabled: true
    validatingWebhookConfiguration:
      ## @param external-spire-server.controllerManager.validatingWebhookConfiguration.enabled Disable only when you have another instance on the k8s cluster with webhooks enabled.
      enabled: false
    ## @param external-spire-server.controllerManager.className specify to use an explicit class name.
    className: spire-mgmt-external-server
    identities:
      clusterSPIFFEIDs:
        default:
          ## @param external-spire-server.controllerManager.identities.clusterSPIFFEIDs.default.enabled Enable the default identity
          enabled: false
        oidc-discovery-provider:
          ## @param external-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled Enable the oidc-discovery-provider identity
          enabled: false
        test-keys:
          ## @param external-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable the test-keys identity
          enabled: false
  externalControllerManagers:
    ## @param external-spire-server.externalControllerManagers.enabled Flag to enable external controller managers
    enabled: true
  upstreamAuthority:
    spire:
      ## @param external-spire-server.upstreamAuthority.spire.enabled Enable upstream SPIRE server
      enabled: true
      ## @param external-spire-server.upstreamAuthority.spire.upstreamDriver Use an upstream driver for authentication
      upstreamDriver: upstream.csi.spiffe.io
      server:
        ## @param external-spire-server.upstreamAuthority.spire.server.nameOverride The name override setting of the root SPIRE server
        nameOverride: root-server
  bundlePublisher:
    k8sConfigMap:
      ## @param external-spire-server.bundlePublisher.k8sConfigMap.enabled Enable local k8s bundle uploader
      enabled: false
  nodeAttestor:
    k8sPSAT:
      ## @param external-spire-server.nodeAttestor.k8sPSAT.enabled Enable PSAT k8s nodeattestor
      enabled: false
    joinToken:
      ## @param external-spire-server.nodeAttestor.joinToken.enabled Enable the join_token nodeattestor
      enabled: true
--- a/charts/spire/.helmignore
+++ b/charts/spire/.helmignore
@ -21,3 +21,4 @@
 .idea/
 *.tmproj
 .vscode/
 ci/
--- a/charts/spire/Chart.yaml
+++ b/charts/spire/Chart.yaml
@ -3,32 +3,70 @@ name: spire
 description: >
  A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.2.0
+version: 0.26.1
-appVersion: "1.5.5"
+appVersion: "1.12.4"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
-home: https://github.com/philips-labs/helm-charts/tree/main/charts/spire
+home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
-  - https://github.com/philips-labs/helm-charts/tree/main/charts/spire
+  - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
 maintainers:
  - name: marcofranssen
    email: marco.franssen@gmail.com
    url: https://marcofranssen.nl
  - name: kfox1111
    email: Kevin.Fox@pnnl.gov
  - name: faisal-memon
    email: fymemon@yahoo.com
  - name: edwbuck
    email: edwbuck@gmail.com
 kubeVersion: ">=1.21.0-0"
 dependencies:
  - name: spire-lib
    repository: file://./charts/spire-lib
    version: 0.1.0
  - name: spire-server
    condition: spire-server.enabled
    repository: file://./charts/spire-server
    version: 0.1.0
  - name: spire-agent
    condition: spire-agent.enabled
    repository: file://./charts/spire-agent
    version: 0.1.0
  - name: spire-agent
    alias: upstream-spire-agent
    condition: upstream.enabled
    repository: file://./charts/spire-agent
    version: 0.1.0
  - name: spiffe-csi-driver
    condition: spiffe-csi-driver.enabled
    repository: file://./charts/spiffe-csi-driver
    version: 0.1.0
  - name: spiffe-csi-driver
    alias: upstream-spiffe-csi-driver
    condition: upstream.enabled
    repository: file://./charts/spiffe-csi-driver
    version: 0.1.0
  - name: spiffe-oidc-discovery-provider
    condition: spiffe-oidc-discovery-provider.enabled
    repository: file://./charts/spiffe-oidc-discovery-provider
    version: 0.1.0
  - name: tornjak-frontend
    condition: tornjak-frontend.enabled
    repository: file://./charts/tornjak-frontend
    version: 0.1.0
  - name: spike-keeper
    condition: spike-keeper.enabled
    repository: file://./charts/spike-keeper
    version: 0.1.0
  - name: spike-nexus
    condition: spike-nexus.enabled
    repository: file://./charts/spike-nexus
    version: 0.1.0
  - name: spike-pilot
    condition: spike-pilot.enabled
    repository: file://./charts/spike-pilot
    version: 0.1.0
 annotations:
  artifacthub.io/category: security
  artifacthub.io/license: Apache-2.0
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
@ -1,75 +1,389 @@
 # spire
-<!-- This README.md is generated. Please edit README.md.gotmpl -->
+![Version: 0.26.1](https://img.shields.io/badge/Version-0.26.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.4](https://img.shields.io/badge/AppVersion-1.12.4-informational?style=flat-square)
-
+[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 ![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.5](https://img.shields.io/badge/AppVersion-1.5.5-informational?style=flat-square)
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
-**Homepage:** <https://github.com/philips-labs/helm-charts/tree/main/charts/spire>
+**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
-> **Warning**: Please note this chart requires Projected Service Account Tokens which has to be enabled on your k8s api server.
+## Install Instructions
-> **Note**: Minimum Spire version is `v1.5.3`.
+### Non Production
-To enable Projected Service Account Tokens on Docker for Mac/Windows run the following
+To do a quick install suitable for testing in something like minikube:
 command to SSH into the Docker Desktop K8s VM.
-```bash
+```shell
-docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
+helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
 helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/
 ```
-Then add the following to `/etc/kubernetes/manifests/kube-apiserver.yaml`
+### Production
 Preparing a production deployment requires a few steps.
 1. Save the following to your-values.yaml, ideally in your git repo.
 ```yaml
-spec:
+global:
-  containers:
+  openshift: false # If running on openshift, set to true
-    - command:
+  spire:
-        - kube-apiserver
+    recommendations:
-        - --api-audiences=api,spire-server
+      enabled: true
-        - --service-account-issuer=api,spire-agent
+    namespaces:
-        - --service-account-key-file=/run/config/pki/sa.pub
+      create: true
-        - --service-account-signing-key-file=/run/config/pki/sa.key
+    ingressControllerType: "" # If not openshift, and want to expose services, set to a supported option [ingress-nginx]
    # Update these
    clusterName: example-cluster
    trustDomain: example.org
    caSubject:
      country: ARPA
      organization: Example
      commonName: example.org
 ```
 2. If you need a non default storageClass, append the following to the global.spire section and update:
 ```
    persistence:
      storageClass: your-storage-class
 ```
 3. If your Kubernetes cluster is OpenShift based, use the output of the following command to update the trustDomain setting:
 ```shell
 oc get cm -n openshift-config-managed  console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//'
 ```
 4. Find any additional values you might want to set based on the documentation below or using the [examples](https://github.com/spiffe/helm-charts-hardened/tree/main/examples)
 In particular, consider using an external database.
 5. Deploy
 ```shell
 helm upgrade --install -n spire-mgmt spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
 helm upgrade --install -n spire-mgmt spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml
 ```
 ## Clean up
 ```shell
 helm -n spire-mgmt uninstall spire-crds
 helm -n spire-mgmt uninstall spire
 kubectl -n spire-server delete pvc -l app.kubernetes.io/instance=spire
 kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeids.spire.spiffe.io clusterstaticentries.spire.spiffe.io
 ```
 ## Upgrade notes
 We only support upgrading one major/minor version at a time. Version skipping isn't supported. Please see <https://spiffe.io/docs/latest/spire-helm-charts-hardened-about/upgrading/> for details.
 ### 0.26.X
 - The notifier.k8sBundle plugin has been deprecated in favor of bundlePublisher.k8sConfigMap. The only features it does not provide are the settings `apiServiceLabel` and `webhookLabel`. If you are using either of these two features, set the chart to use the notifier.k8sBundle plugin again, and let us know. We don't think anyone is using these features.
 - The default trust bundle format has been changed to `spiffe`. This switch should be transparent unless you ware fetching the bundle from the configmap manually, or have a nested setup and dont upgrade the root, then child clusters in short order.
 ### 0.24.X
 - You must upgrade [spire-crds](https://artifacthub.io/packages/helm/spiffe/spire-crds) to 0.5.0+ before performing this upgrade.
 - SPIRE changed the default in 1.11.0 from `spire-agent.workloadAttestors.k8s.useNewContainerLocator=false` to `spire-agent.workloadAttestors.k8s.useNewContainerLocator=true`
 - In order to make it easier to target specific SPIFFE IDs to workloads, a fallback feature was added to ClusterSPIFFEIDs so that a default ID will only apply when no others do. To change back to the previous behavior, use `spire-server.controllerManager.identities.clusterSPIFFEIDs.default.fallback=false`. The new default is unlikely to need changes.
 - We now set a hint of the ClusterSPIFFEID name on each entry created by default. This can be undone by setting the `hint=""` property on the ClusterSPIFFEID. The new default is unlikely to need changes.
 - We have added the remaining options needed for the SPIRE Server SQL data store plugin as native values. We have removed `spire-server.dataStore.sql.plugin_data` section as it is no longer needed. If you are using it, please migrate your settings to the ones under `spire-server.dataStore.sql`.
 - For users of `spire-server.upstreamAuthority.certManager`, a bug was discovered with templates not honoring `global.spire.caSubject.*`. It has been fixed, but may change values if you are not careful. Please double check the new settings are what you need them to be before completing the upgrade.
 - Lastly, as we approach 1.0.0, we would like to ensure all the values follow the same convention. We have made a bunch of minor changes to the values in this version to make sure they are all camel cased and properly capitalized. If you are upgrading from a previous version, please look though this list carefully to see if a value you are using is impacted:
    - `spire-server.federation.bundleEndpoint.refresh_hint` -> `spire-server.federation.bundleEndpoint.refreshHint`
    - `spire-server.nodeAttestor.k8sPsat` -> `spire-server.nodeAttestor.k8sPSAT`
    - `spire-server.nodeAttestor.externalK8sPsat` -> `spire-server.nodeAttestor.ExternalK8sPSAT`
    - `spire-server.notifier.k8sbundle` -> `spire-server.notifier.k8sBundle`
    - `spire-server.ca_subject` -> `spire-server.caSubject`
    - `spire-server.ca_subject.common_name -> `spire-server.caSubject.commonName`
    - `spire-server.upstreamAuthority.certManager.issuer_name` -> `spire-server.upstreamAuthority.certManager.issuerName`
    - `spire-server.upstreamAuthority.certManager.issuer_kind` -> `spire-server.upstreamAuthority.certManager.issuerKind`
    - `spire-server.upstreamAuthority.certManager.issuer_group` -> `spire-server.upstreamAuthority.certManager.issuerGroup`
    - `spire-server.upstreamAuthority.certManager.kube_config_file` -> `spire-server.upstreamAuthority.certManager.kubeConfigFile`
    - `spire-agent.sds.defaultSvidName` -> `spire-agent.sds.defaultSVIDName`
    - `spire-agent.sds.disableSpiffeCertValidation` -> `spire-agent.sds.disableSPIFFECertValidation`
    - `spire-agent.sds.defaultSvidName` -> `spire-agent.sds.defaultSVIDName`
    - `spire-agent.nodeAttestor.k8sPsat` -> `spire-agent.nodeAttestor.k8sPSAT`
 ### 0.23.X
 In previous versions, the setting spire-agent.workloadAttestors.k8s.skipKubeletVerification was set to true by default. Starting in 0.23.x, we removed that setting and replaced it with
 spire-agent.workloadAttestors.k8s.verification.type. It defaults to "skip" which will have the same behavior as before. In a future version, it will be set to "auto". Please try
 setting it to this with your deployment and let us know if you run into any problems so we can fix it before we change the default for everyone.
 ### 0.21.X
 - In previous versions, spire-server.upstreamAuthority.certManager.issuer_name would incorrectly have '-ca' appended. Starting with this version, that is no longer the case. If you previously set this
 value, you likely want to update your value to include the '-ca' suffix in the value to have your deployment continue to function properly.
 - The default value of spire-server.controllerManager.entryIDPrefixCleanup changed from "" to false. Prior to this release upgrades cleaned up old entries in the database. After upgrading to 0.21.X, manual entries will not be overridden by the spire-controller-manager. Skipping over chart releases (unsupported), requires manual setting of this value to "" to trigger the cleanup.
 ### 0.20.X
 - The default service port for the spire-server was changed to be port 443 to allow easier switching between internal access and external access through an ingress controller. For most users, this will be a transparent
 change.
 - This release configures the entries managed by the spire-controller-manager to move into their own managed space within SPIRE. This should be transparent. In a future release, we will
 disable cleanup by default of the old space. This release lays the groundwork for future support for manually created entries in the SPIRE database without the spire-controller-manager
 destroying them. It is supported in this release by manually setting spire-server.controllerManager.entryIDPrefixCleanup=false after successfully upgrading to the chart without the
 setting and waiting for a spire-controller-manager sync.
 ### 0.19.X
 - The spire-agent daemonset gained a new label. For those disabling the upgrade hooks, you need to delete the spire-agent daemonset before issuing the helm upgrade.
 ### 0.18.X
 - SPIRE no longer emits x509UniqueIdentifiers in x509-SVIDS by default. The old behavior can be reenabled with spire-server.credentialComposer.uniqueID.enabled=true. See <https://github.com/spiffe/spire/pull/4862> for details.
 - SPIRE agents will now automatically reattest when they can. The old behavior can be reenabled with spire-agent.disableReattestToRenew=true. See <https://github.com/spiffe/spire/pull/4791> for details.
 ### 0.17.X
 - If you set spire-server.replicaCount > 1, update it to 1 before upgrading and after upgrade you can set it back to its previous value.
 - The SPIFFE OIDC Discovery Provider now has many new TLS options and defaults to using SPIRE to issue its certificate.
 - The `spiffe-oidc-discovery-provider.insecureScheme.enabled` flag was removed. If you previously set that flag, remove the setting from your values.yaml and see if the new default of using a SPIRE issued certificate is suitable for your deployment. If it isn't, please consider one of the other options under `spiffe-oidc-discovery-provider.tls`. If all other options are still unsuitable, you can still enable the previous mode by disabling TLS. (`spiffe-oidc-discovery-provider.tls.spire.enabled=false`)
 - The SPIFFE OIDC Discovery Provider is now enabled by default. If you previously chose to have it off, you can disable it explicitly with `spiffe-oidc-discovery-provider.enabled=false`.
 ### 0.16.X
 The settings under "spire-server.controllerManager.identities" have all been moved under "spire-server.controllerManager.identities.clusterSPIFFEIDs.default". If you have changed any from the defaults, please update them to the new location during upgrade.
 ### 0.15.X
 The spire-crds chart has been updated. Please ensure you have upgraded spire-crds before upgrading the spire chart.
 The chart now supports multiple parallel installs of spire-controller-manager. Each install will handle all custom resources with a matching `className` field.  By default this is set to `Release.Namespace-Release.Name` and the controller manager will only pick up custom resources with this `className`.
 If you have not loaded any SPIRE custom resources yourself, the upgrade process will be transparent. If you have loaded your own SPIRE custom resources, set `spire-server.controllerManager.watchClassless=true` until you can update your SPIRE custom resources to have the `className` for the instance specified.
 ### 0.14.X
 If coming from a chart version before 0.14.0, you must relabel your crds to switch to using the new spire-crds chart. To migrate to the spire-crds chart
 run the following:
 Replace the spire-server namespace in the commands below with the namespace you want to install the spire-crds chart in.
 ```shell
 kubectl label crd "clusterfederatedtrustdomains.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm"
 kubectl annotate crd "clusterfederatedtrustdomains.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds"
 kubectl annotate crd "clusterfederatedtrustdomains.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server"
 kubectl label crd "clusterspiffeids.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm"
 kubectl annotate crd "clusterspiffeids.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds"
 kubectl annotate crd "clusterspiffeids.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server"
 kubectl label crd "controllermanagerconfigs.spire.spiffe.io" "app.kubernetes.io/managed-by=Helm"
 kubectl annotate crd "controllermanagerconfigs.spire.spiffe.io" "meta.helm.sh/release-name=spire-crds"
 kubectl annotate crd "controllermanagerconfigs.spire.spiffe.io" "meta.helm.sh/release-namespace=spire-server"
 helm install -n spire-server spire-crds charts/spire-crds
 ```
 ## Version support
 > [!Warning]
 > This Chart is still in development and still subject to change the API (`values.yaml`).
 > Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
 > we do aim for as much stability as possible.
 | Dependency | Supported Versions |
 |:-----------|:-------------------|
 | Helm       | `3.x`              |
 | Kubernetes | `1.22+`            |
 > [!Note]
 > For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden.
 ## FAQ
 For any issues see our [FAQ](../../FAQ.md)…
 ## Usage
 To utilize Spire in your own workloads you should add the following to your workload:
 ```diff
 apiVersion: v1
 kind: Pod
 metadata:
   name: my-app
 spec:
   containers:
     - name: my-app
       image: "my-app:latest"
       imagePullPolicy: Always
 +      volumeMounts:
 +        - name: spiffe-workload-api
 +          mountPath: /spiffe-workload-api
 +          readOnly: true
       resources:
         requests:
           cpu: 200m
           memory: 32Mi
         limits:
           cpu: 500m
           memory: 64Mi
 +  volumes:
 +    - name: spiffe-workload-api
 +      csi:
 +        driver: "csi.spiffe.io"
 +        readOnly: true
 ```
 Now you can interact with the Spire agent socket from your own application. The socket is mounted on `/spiffe-workload-api/spire-agent.sock`.
 ## Maintainers
 | Name | Email | Url |
 | ---- | ------ | --- |
 | marcofranssen | <marco.franssen@gmail.com> | <https://marcofranssen.nl> |
 | kfox1111 | <Kevin.Fox@pnnl.gov> |  |
 | faisal-memon | <fymemon@yahoo.com> |  |
 | edwbuck | <edwbuck@gmail.com> |  |
 ## Source Code
-* <https://github.com/philips-labs/helm-charts/tree/main/charts/spire>
+* <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
 ## Requirements
 Kubernetes: `>=1.21.0-0`
 | Repository | Name | Version |
 |------------|------|---------|
 | file://./charts/spiffe-csi-driver | spiffe-csi-driver | 0.1.0 |
 | file://./charts/spiffe-csi-driver | upstream-spiffe-csi-driver(spiffe-csi-driver) | 0.1.0 |
 | file://./charts/spiffe-oidc-discovery-provider | spiffe-oidc-discovery-provider | 0.1.0 |
 | file://./charts/spire-agent | spire-agent | 0.1.0 |
 | file://./charts/spire-agent | upstream-spire-agent(spire-agent) | 0.1.0 |
 | file://./charts/spire-server | spire-server | 0.1.0 |
 | file://./charts/tornjak-frontend | tornjak-frontend | 0.1.0 |
-## Values
+<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
-| Key | Type | Default | Description |
+## Parameters
 |-----|------|---------|-------------|
 | fullnameOverride | string | `""` |  |
 | nameOverride | string | `""` |  |
 | spiffe-csi-driver | object | `{}` |  |
 | spiffe-oidc-discovery-provider.enabled | bool | `false` |  |
 | spiffe-oidc-discovery-provider.trustDomain | string | `"example.org"` |  |
 | spire-agent.bundleConfigMap | string | `"spire-bundle"` |  |
 | spire-agent.clusterName | string | `"example-cluster"` |  |
 | spire-agent.nameOverride | string | `"agent"` |  |
 | spire-agent.trustDomain | string | `"example.org"` |  |
 | spire-server.bundleConfigMap | string | `"spire-bundle"` |  |
 | spire-server.clusterName | string | `"example-cluster"` |  |
 | spire-server.controllerManager.enabled | bool | `true` |  |
 | spire-server.nameOverride | string | `"server"` |  |
 | spire-server.trustDomain | string | `"example.org"` |  |
----------------------------------------------
+### Global parameters
 | Name                                             | Description                                                                                                                                                                                                                            | Value             |
 | ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
 | `global.k8s.clusterDomain`                       | Cluster domain name configured for Spire install                                                                                                                                                                                       | `cluster.local`   |
 | `global.spire.bundleConfigMap`                   | A configmap containing the Spire bundle                                                                                                                                                                                                | `""`              |
 | `global.spire.clusterName`                       | The name of the k8s cluster for Spire install                                                                                                                                                                                          | `example-cluster` |
 | `global.spire.jwtIssuer`                         | The issuer for Spire JWT tokens. Defaults to oidc-discovery.$trustDomain if unset                                                                                                                                                      | `""`              |
 | `global.spire.trustDomain`                       | The trust domain for Spire install                                                                                                                                                                                                     | `example.org`     |
 | `global.spire.upstreamServerAddress`             | Set what address to use for the upstream server when using nested spire                                                                                                                                                                | `""`              |
 | `global.spire.caSubject.country`                 | Country for Spire server CA                                                                                                                                                                                                            | `""`              |
 | `global.spire.caSubject.organization`            | Organization for Spire server CA                                                                                                                                                                                                       | `""`              |
 | `global.spire.caSubject.commonName`              | Common Name for Spire server CA                                                                                                                                                                                                        | `""`              |
 | `global.spire.persistence.storageClass`          | What storage class to use for persistence                                                                                                                                                                                              | `nil`             |
 | `global.spire.recommendations.enabled`           | Use recommended settings for production deployments. Default is off.                                                                                                                                                                   | `false`           |
 | `global.spire.recommendations.namespaceLayout`   | Set to true to use recommended values for installing across namespaces                                                                                                                                                                 | `true`            |
 | `global.spire.recommendations.namespacePSS`      | When chart namespace creation is enabled, label them with preffered Pod Security Standard labels                                                                                                                                       | `true`            |
 | `global.spire.recommendations.priorityClassName` | Set to true to use recommended values for Pod Priority Class Names                                                                                                                                                                     | `true`            |
 | `global.spire.recommendations.strictMode`        | Check values, such as trustDomain, are overridden with a suitable value for production.                                                                                                                                                | `true`            |
 | `global.spire.recommendations.securityContexts`  | Set to true to use recommended values for Pod and Container Security Contexts                                                                                                                                                          | `true`            |
 | `global.spire.recommendations.prometheus`        | Enable prometheus exporters for monitoring                                                                                                                                                                                             | `true`            |
 | `global.spire.image.registry`                    | Override all Spire image registries at once                                                                                                                                                                                            | `""`              |
 | `global.spire.namespaces.create`                 | Set to true to Create all namespaces. If this or either of the namespace specific create flags is set, the namespace will be created.                                                                                                  | `false`           |
 | `global.spire.namespaces.system.name`            | Name of the Spire system Namespace.                                                                                                                                                                                                    | `spire-system`    |
 | `global.spire.namespaces.system.create`          | Create a Namespace for Spire system resources.                                                                                                                                                                                         | `false`           |
 | `global.spire.namespaces.system.annotations`     | Annotations to apply to the Spire system Namespace.                                                                                                                                                                                    | `{}`              |
 | `global.spire.namespaces.system.labels`          | Labels to apply to the Spire system Namespace.                                                                                                                                                                                         | `{}`              |
 | `global.spire.namespaces.server.name`            | Name of the Spire server Namespace.                                                                                                                                                                                                    | `spire-server`    |
 | `global.spire.namespaces.server.create`          | Create a Namespace for Spire server resources.                                                                                                                                                                                         | `false`           |
 | `global.spire.namespaces.server.annotations`     | Annotations to apply to the Spire server Namespace.                                                                                                                                                                                    | `{}`              |
 | `global.spire.namespaces.server.labels`          | Labels to apply to the Spire server Namespace.                                                                                                                                                                                         | `{}`              |
 | `global.spire.strictMode`                        | Check values, such as trustDomain, are overridden with a suitable value for production.                                                                                                                                                | `false`           |
 | `global.spire.ingressControllerType`             | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""`              |
 | `global.spire.tools.kubectl.tag`                 | Set to force the tag to use for all kubectl instances                                                                                                                                                                                  | `""`              |
 | `global.installAndUpgradeHooks.enabled`          | Enable Helm hooks to autofix common install/upgrade issues (should be disabled when using `helm template`)                                                                                                                             | `true`            |
 | `global.installAndUpgradeHooks.resources`        | Resource requests and limits for installAndUpgradeHooks                                                                                                                                                                                | `{}`              |
 | `global.deleteHooks.enabled`                     | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`)                                                                                                                                      | `true`            |
 | `global.deleteHooks.resources`                   | Resource requests and limits for deleteHooks                                                                                                                                                                                           | `{}`              |
 ### Spire server parameters
 | Name                                              | Description                                                               | Value         |
 | ------------------------------------------------- | ------------------------------------------------------------------------- | ------------- |
 | `spire-server.enabled`                            | Flag to enable Spire server                                               | `true`        |
 | `spire-server.nameOverride`                       | Overrides the name of Spire server pods                                   | `server`      |
 | `spire-server.kind`                               | Run spire server as deployment/statefulset. This feature is experimental. | `statefulset` |
 | `spire-server.controllerManager.enabled`          | Enable controller manager and provision CRD's                             | `true`        |
 | `spire-server.externalControllerManagers.enabled` | Enable external controller manager support                                | `true`        |
 ### Spire agent parameters
 | Name                       | Description                            | Value   |
 | -------------------------- | -------------------------------------- | ------- |
 | `spire-agent.enabled`      | Flag to enable Spire agent             | `true`  |
 | `spire-agent.nameOverride` | Overrides the name of Spire agent pods | `agent` |
 ### Upstream Spire agent and CSI driver configuration
 | Name               | Description                                                | Value   |
 | ------------------ | ---------------------------------------------------------- | ------- |
 | `upstream.enabled` | Enable upstream agent and driver for use with nested spire | `false` |
 ### Upstream Spire agent parameters
 | Name                                             | Description                                                    | Value                                                |
 | ------------------------------------------------ | -------------------------------------------------------------- | ---------------------------------------------------- |
 | `upstream-spire-agent.upstream`                  | Flag for enabling upstream Spire agent                         | `true`                                               |
 | `upstream-spire-agent.nameOverride`              | Name override for upstream Spire agent                         | `agent-upstream`                                     |
 | `upstream-spire-agent.bundleConfigMap`           | The configmap name for upstream Spire agent bundle             | `spire-bundle-upstream`                              |
 | `upstream-spire-agent.socketPath`                | Socket path where Spire agent socket is mounted                | `/run/spire/agent-sockets-upstream/spire-agent.sock` |
 | `upstream-spire-agent.serviceAccount.name`       | Service account name for upstream Spire agent                  | `spire-agent-upstream`                               |
 | `upstream-spire-agent.healthChecks.port`         | Health check port number for upstream Spire agent              | `9981`                                               |
 | `upstream-spire-agent.telemetry.prometheus.port` | The port where prometheus metrics are available                | `9989`                                               |
 | `upstream-spire-agent.persistence.hostPath`      | Which path to use on the host when persistence.type = hostPath | `/var/lib/spire/k8s/upstream-agent`                  |
 ### SPIFFE CSI Driver parameters
 | Name                        | Description                                      | Value  |
 | --------------------------- | ------------------------------------------------ | ------ |
 | `spiffe-csi-driver.enabled` | Flag to enable spiffe-csi-driver for the cluster | `true` |
 ### Upstream SPIFFE CSI Driver parameters
 | Name                                           | Description                                                 | Value                                                |
 | ---------------------------------------------- | ----------------------------------------------------------- | ---------------------------------------------------- |
 | `upstream-spiffe-csi-driver.pluginName`        | The plugin name for configuring upstream Spiffe CSI driver  | `upstream.csi.spiffe.io`                             |
 | `upstream-spiffe-csi-driver.agentSocketPath`   | The socket path where Spiffe CSI driver mounts agent socket | `/run/spire/agent-sockets-upstream/spire-agent.sock` |
 | `upstream-spiffe-csi-driver.healthChecks.port` | The port where Spiffe CSI driver health checks are exposed  | `9810`                                               |
 ### SPIFFE oidc discovery provider parameters
 | Name                                     | Description                                                   | Value  |
 | ---------------------------------------- | ------------------------------------------------------------- | ------ |
 | `spiffe-oidc-discovery-provider.enabled` | Flag to enable spiffe-oidc-discovery-provider for the cluster | `true` |
 ### Tornjak frontend parameters
 | Name                       | Description                                                    | Value   |
 | -------------------------- | -------------------------------------------------------------- | ------- |
 | `tornjak-frontend.enabled` | Enables deployment of Tornjak frontend/UI (Not for production) | `false` |
 ### SPIKE Keeper parameters
 | Name                   | Description                                             | Value   |
 | ---------------------- | ------------------------------------------------------- | ------- |
 | `spike-keeper.enabled` | Enables deployment of SPIKE Keeper (Not for production) | `false` |
 ### SPIKE Nexus parameters
 | Name                  | Description                                            | Value   |
 | --------------------- | ------------------------------------------------------ | ------- |
 | `spike-nexus.enabled` | Enables deployment of SPIKE Nexus (Not for production) | `false` |
 ### SPIKE Pilot parameters
 | Name                  | Description                                            | Value   |
 | --------------------- | ------------------------------------------------------ | ------- |
 | `spike-pilot.enabled` | Enables deployment of SPIKE Pilot (Not for production) | `false` |
--- a/charts/spire/README.md.gotmpl
+++ b/charts/spire/README.md.gotmpl
@ -1,45 +0,0 @@
 {{ template "chart.header" . }}
 <!-- This README.md is generated. Please edit README.md.gotmpl -->
 {{ template "chart.deprecationWarning" . }}
 {{ template "chart.badgesSection" . }}
 {{ template "chart.description" . }}
 {{ template "chart.homepageLine" . }}
 > **Warning**: Please note this chart requires Projected Service Account Tokens which has to be enabled on your k8s api server.
 > **Note**: Minimum Spire version is `v1.5.3`.
 To enable Projected Service Account Tokens on Docker for Mac/Windows run the following
 command to SSH into the Docker Desktop K8s VM.
 ```bash
 docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
 ```
 Then add the following to `/etc/kubernetes/manifests/kube-apiserver.yaml`
 ```yaml
 spec:
  containers:
    - command:
        - kube-apiserver
        - --api-audiences=api,spire-server
        - --service-account-issuer=api,spire-agent
        - --service-account-key-file=/run/config/pki/sa.pub
        - --service-account-signing-key-file=/run/config/pki/sa.key
 ```
 {{ template "chart.maintainersSection" . }}
 {{ template "chart.sourcesSection" . }}
 {{ template "chart.requirementsSection" . }}
 {{ template "chart.valuesSection" . }}
 ----------------------------------------------
--- a/charts/spire/charts/spiffe-csi-driver/Chart.yaml
+++ b/charts/spire/charts/spiffe-csi-driver/Chart.yaml
@ -3,4 +3,19 @@ name: spiffe-csi-driver
 description: A Helm chart to install the SPIFFE CSI driver.
 type: application
 version: 0.1.0
-appVersion: "0.2.1"
+appVersion: "0.2.7"
 keywords: ["spiffe", "csi-driver"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
  - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
 maintainers:
  - name: marcofranssen
    email: marco.franssen@gmail.com
    url: https://marcofranssen.nl
  - name: kfox1111
    email: Kevin.Fox@pnnl.gov
  - name: faisal-memon
    email: fymemon@yahoo.com
  - name: edwbuck
    email: edwbuck@gmail.com
--- a/charts/spire/charts/spiffe-csi-driver/README.md
+++ b/charts/spire/charts/spiffe-csi-driver/README.md
@ -1,36 +1,78 @@
 # spiffe-csi-driver
-<!-- This README.md is generated. Please edit README.md.gotmpl -->
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.7](https://img.shields.io/badge/AppVersion-0.2.7-informational?style=flat-square)
 ![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.1](https://img.shields.io/badge/AppVersion-0.2.1-informational?style=flat-square)
 A Helm chart to install the SPIFFE CSI driver.
-## Values
+**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
-| Key | Type | Default | Description |
+## Maintainers
-|-----|------|---------|-------------|
+
-| fullnameOverride | string | `""` |  |
+| Name | Email | Url |
-| image.pullPolicy | string | `"IfNotPresent"` |  |
+| ---- | ------ | --- |
-| image.registry | string | `"ghcr.io"` |  |
+| marcofranssen | <marco.franssen@gmail.com> | <https://marcofranssen.nl> |
-| image.repository | string | `"spiffe/spiffe-csi-driver"` |  |
+| kfox1111 | <Kevin.Fox@pnnl.gov> |  |
-| image.version | string | `""` |  |
+| faisal-memon | <fymemon@yahoo.com> |  |
-| imagePullSecrets | list | `[]` |  |
+| edwbuck | <edwbuck@gmail.com> |  |
-| nameOverride | string | `""` |  |
+
-| namespaceOverride | string | `""` |  |
+## Source Code
-| nodeDriverRegistrar.image.pullPolicy | string | `"IfNotPresent"` |  |
+
-| nodeDriverRegistrar.image.registry | string | `"registry.k8s.io"` |  |
+* <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
-| nodeDriverRegistrar.image.repository | string | `"sig-storage/csi-node-driver-registrar"` |  |
+
-| nodeDriverRegistrar.image.version | string | `"v2.6.2"` |  |
+<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
-| nodeDriverRegistrar.resources | object | `{}` |  |
+
-| nodeSelector."kubernetes.io/arch" | string | `"amd64"` |  |
+## Parameters
-| podAnnotations | object | `{}` |  |
+
-| podSecurityContext | object | `{}` |  |
+### SPIFFE CSI Driver Chart parameters
-| resources | object | `{}` |  |
+
-| securityContext.privileged | bool | `true` |  |
+| Name                                          | Description                                                                                                                                                              | Value                                       |
-| securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------- |
-| serviceAccount.annotations | object | `{}` |  |
+| `pluginName`                                  | Set the csi driver name deployed to Kubernetes.                                                                                                                          | `csi.spiffe.io`                             |
-| serviceAccount.create | bool | `true` |  |
+| `image.registry`                              | The OCI registry to pull the image from                                                                                                                                  | `ghcr.io`                                   |
-| serviceAccount.name | string | `""` |  |
+| `image.repository`                            | The repository within the registry                                                                                                                                       | `spiffe/spiffe-csi-driver`                  |
 | `image.pullPolicy`                            | The image pull policy                                                                                                                                                    | `IfNotPresent`                              |
 | `image.tag`                                   | Overrides the image tag whose default is the chart appVersion                                                                                                            | `""`                                        |
 | `resources`                                   | Resource requests and limits for spiffe-csi-driver                                                                                                                       | `{}`                                        |
 | `extraEnvVars`                                | Extra environment variables to be added to the spiffe-csi-driver container                                                                                               | `[]`                                        |
 | `healthChecks.port`                           | The healthcheck port for spiffe-csi-driver                                                                                                                               | `9809`                                      |
 | `updateStrategy.type`                         | The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete.                                                           | `RollingUpdate`                             |
 | `updateStrategy.rollingUpdate.maxUnavailable` | Max unavailable pods during update. Can be a number or a percentage.                                                                                                     | `1`                                         |
 | `livenessProbe.initialDelaySeconds`           | Initial delay seconds for livenessProbe                                                                                                                                  | `5`                                         |
 | `livenessProbe.timeoutSeconds`                | Timeout value in seconds for livenessProbe                                                                                                                               | `5`                                         |
 | `imagePullSecrets`                            | Image pull secret details for spiffe-csi-driver                                                                                                                          | `[]`                                        |
 | `nameOverride`                                | Name override for spiffe-csi-driver                                                                                                                                      | `""`                                        |
 | `namespaceOverride`                           | Namespace to install spiffe-csi-driver                                                                                                                                   | `""`                                        |
 | `serverNamespaceOverride`                     | Override the namespace that the spire-server is installed into                                                                                                           | `""`                                        |
 | `validatingAdmissionPolicy.enabled`           | When set to auto, the validatingAdmissionPolicy will be enabled when the pluginName == "upstream.csi.spiffe.io" and k8s >= 1.30.0. Valid options are [auto, true, false] | `auto`                                      |
 | `fullnameOverride`                            | Full name override for spiffe-csi-driver                                                                                                                                 | `""`                                        |
 | `csiDriverLabels`                             | Labels to apply to the CSIDriver                                                                                                                                         | `{}`                                        |
 | `initContainers`                              | Init Containers to apply to the CSI Driver DaemonSet                                                                                                                     | `[]`                                        |
 | `serviceAccount.create`                       | Specifies whether a service account should be created                                                                                                                    | `true`                                      |
 | `serviceAccount.annotations`                  | Annotations to add to the service account                                                                                                                                | `{}`                                        |
 | `serviceAccount.name`                         | The name of the service account to use. If not set and create is true, a name is generated.                                                                              | `""`                                        |
 | `podAnnotations`                              | Pod annotations for spiffe-csi-driver                                                                                                                                    | `{}`                                        |
 | `podSecurityContext`                          | Security context for CSI driver pods                                                                                                                                     | `{}`                                        |
 | `securityContext.readOnlyRootFilesystem`      | Flag for read only root filesystem                                                                                                                                       | `true`                                      |
 | `securityContext.privileged`                  | Flag for specifying privileged mode                                                                                                                                      | `true`                                      |
 | `nodeSelector`                                | Node selector for CSI driver pods                                                                                                                                        | `{}`                                        |
 | `tolerations`                                 | Tolerations for CSI driver pods                                                                                                                                          | `[]`                                        |
 | `affinity`                                    | Node affinity                                                                                                                                                            | `{}`                                        |
 | `nodeDriverRegistrar.image.registry`          | The OCI registry to pull the image from                                                                                                                                  | `registry.k8s.io`                           |
 | `nodeDriverRegistrar.image.repository`        | The repository within the registry                                                                                                                                       | `sig-storage/csi-node-driver-registrar`     |
 | `nodeDriverRegistrar.image.pullPolicy`        | The image pull policy                                                                                                                                                    | `IfNotPresent`                              |
 | `nodeDriverRegistrar.image.tag`               | Overrides the image tag                                                                                                                                                  | `v2.9.4`                                    |
 | `nodeDriverRegistrar.resources`               | Resource requests and limits for CSI driver pods                                                                                                                         | `{}`                                        |
 | `nodeDriverRegistrar.extraEnvVars`            | Extra environment variables to be added to the nodeDriverRegistrar container                                                                                             | `[]`                                        |
 | `agentSocketPath`                             | The unix socket path to the spire-agent                                                                                                                                  | `/run/spire/agent-sockets/spire-agent.sock` |
 | `kubeletPath`                                 | Path to kubelet file                                                                                                                                                     | `/var/lib/kubelet`                          |
 | `priorityClassName`                           | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName.                                                                | `""`                                        |
 | `restrictedScc.enabled`                       | Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support                                                                  | `false`                                     |
 | `restrictedScc.name`                          | Set the name of the restricted SCC with CSI support                                                                                                                      | `""`                                        |
 | `restrictedScc.version`                       | Version of the restricted SCC                                                                                                                                            | `2`                                         |
 | `selinux.enabled`                             | Enable selinux support                                                                                                                                                   | `false`                                     |
 | `selinux.context`                             | Which selinux context to use                                                                                                                                             | `container_file_t`                          |
 | `selinux.image.registry`                      | The OCI registry to pull the image from                                                                                                                                  | `registry.access.redhat.com`                |
 | `selinux.image.repository`                    | The repository within the registry                                                                                                                                       | `ubi9`                                      |
 | `selinux.image.pullPolicy`                    | The image pull policy                                                                                                                                                    | `Always`                                    |
 | `selinux.image.tag`                           | Overrides the image tag whose default is the chart appVersion                                                                                                            | `latest`                                    |
 ----------------------------------------------
--- a/charts/spire/charts/spiffe-csi-driver/README.md.gotmpl
+++ b/charts/spire/charts/spiffe-csi-driver/README.md.gotmpl
@ -1,21 +0,0 @@
 {{ template "chart.header" . }}
 <!-- This README.md is generated. Please edit README.md.gotmpl -->
 {{ template "chart.deprecationWarning" . }}
 {{ template "chart.badgesSection" . }}
 {{ template "chart.description" . }}
 {{ template "chart.homepageLine" . }}
 {{ template "chart.maintainersSection" . }}
 {{ template "chart.sourcesSection" . }}
 {{ template "chart.requirementsSection" . }}
 {{ template "chart.valuesSection" . }}
 ----------------------------------------------
--- a/charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl
+++ b/charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl
@ -29,6 +29,29 @@ Allow the release namespace to be overridden for multi-namespace deployments in
 {{- define "spiffe-csi-driver.namespace" -}}
  {{- if .Values.namespaceOverride -}}
    {{- .Values.namespaceOverride -}}
  {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
    {{- if ne (len (dig "spire" "namespaces" "system" "name" "" .Values.global)) 0 }}
      {{- .Values.global.spire.namespaces.system.name }}
    {{- else }}
      {{- printf "spire-system" }}
    {{- end }}
  {{- else -}}
    {{- .Release.Namespace -}}
  {{- end -}}
 {{- end -}}
 {{/*
 Allow the release namespace to be overridden for multi-namespace deployments in combined charts
 */}}
 {{- define "spiffe-csi-driver.server-namespace" -}}
  {{- if .Values.serverNamespaceOverride -}}
    {{- .Values.serverNamespaceOverride -}}
  {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
    {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
      {{- .Values.global.spire.namespaces.server.name }}
    {{- else }}
      {{- printf "spire-server" }}
    {{- end }}
  {{- else -}}
    {{- .Release.Namespace -}}
  {{- end -}}
@ -72,15 +95,6 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
-
+{{- define "spiffe-csi-driver.agent-socket-path" -}}
-{{- define "spiffe-csi-driver.image" -}}
+{{- print .Values.agentSocketPath }}
 {{- if eq (substr 0 7 .image.version) "sha256:" -}}
 {{- printf "%s/%s@%s" .image.registry .image.repository .image.version -}}
 {{- else if .appVersion -}}
 {{- printf "%s/%s:%s" .image.registry .image.repository (default .appVersion .image.version) -}}
 {{- else if .image.version -}}
 {{- printf "%s/%s:%s" .image.registry .image.repository .image.version -}}
 {{- else -}}
 {{- printf "%s/%s" .image.registry .image.repository -}}
 {{- end -}}
 {{- end }}
--- a/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml
+++ b/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml
@ -2,15 +2,24 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: {{ include "spiffe-csi-driver.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "spiffe-csi-driver.namespace" . }}
  labels:
    {{- include "spiffe-csi-driver.labels" . | nindent 4 }}
 spec:
  selector:
    matchLabels:
      {{- include "spiffe-csi-driver.selectorLabels" . | nindent 6 }}
  {{- with .Values.updateStrategy }}
  updateStrategy:
-    type: RollingUpdate
+    {{- if not (has .type (list "RollingUpdate" "OnDelete")) }}
    {{- fail "updateStrategy.type can only be RollingUpdate or OnDelete"}}
    {{- end }}
    type: {{ .type }}
    {{- if eq .type "RollingUpdate" }}
    rollingUpdate:
      maxUnavailable: {{ .rollingUpdate.maxUnavailable }}
    {{- end }}
  {{- end }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
@ -20,18 +29,58 @@ spec:
      labels:
        {{- include "spiffe-csi-driver.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "spiffe-csi-driver.serviceAccountName" . }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- include "spire-lib.default_node_priority_class_name" . | nindent 6 }}
      {{- if or (gt (len .Values.initContainers) 0) (dig "openshift" false .Values.global) (dig "selinux" false .Values.global) .Values.selinux.enabled }}
      initContainers:
      {{- if or (dig "openshift" false .Values.global) (dig "selinux" false .Values.global) .Values.selinux.enabled }}
        - name: set-context
          command:
            - chcon
            - '-Rvt'
            - {{ .Values.selinux.context }}
            - spire-agent-socket/
          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.selinux.image "global" .Values.global) }}
          imagePullPolicy: {{ .Values.selinux.image.pullPolicy }}
          securityContext:
            capabilities:
              drop:
                - all
            privileged: true
          volumeMounts:
            - name: spire-agent-socket-dir
              mountPath: /spire-agent-socket
          terminationMessagePolicy: File
          terminationMessagePath: /dev/termination-log
      {{- end }}
      {{- if gt (len .Values.initContainers) 0 }}
        {{- toYaml .Values.initContainers | nindent 8 }}
      {{- end }}
      {{- end }}
      containers:
        # This is the container which runs the SPIFFE CSI driver.
        - name: {{ .Chart.Name }}
-          image: {{ template "spiffe-csi-driver.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image) }}
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          args: [
            "-workload-api-socket-dir", "/spire-agent-socket",
            "-plugin-name", "{{ .Values.pluginName }}",
            "-csi-socket-path", "/spiffe-csi/csi.sock",
          ]
          env:
@ -41,6 +90,9 @@ spec:
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          {{- with .Values.extraEnvVars }}
          {{- toYaml . | nindent 12 }}
          {{- end }}
          volumeMounts:
            # The volume containing the SPIRE agent socket. The SPIFFE CSI
            # driver will mount this directory into containers.
@ -52,7 +104,7 @@ spec:
            - mountPath: /spiffe-csi
              name: spiffe-csi-socket-dir
            # The volume containing mount points for containers.
-            - mountPath: /var/lib/kubelet/pods
+            - mountPath: {{ .Values.kubeletPath }}/pods
              mountPropagation: Bidirectional
              name: mountpoint-dir
          securityContext:
@ -67,13 +119,17 @@ spec:
        # of all the little details required to register a CSI driver with
        # the kubelet.
        - name: node-driver-registrar
-          image: {{ template "spiffe-csi-driver.image" .Values.nodeDriverRegistrar }}
+          image: {{ template "spire-lib.image" (dict "image" .Values.nodeDriverRegistrar.image "global" .Values.global) }}
          imagePullPolicy: {{ .Values.nodeDriverRegistrar.image.pullPolicy }}
          args: [
            "-csi-address", "/spiffe-csi/csi.sock",
-            "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock",
+            "-kubelet-registration-path", "{{ .Values.kubeletPath }}/plugins/{{ .Values.pluginName }}/csi.sock",
-            "-health-port", "9809"
+            "-health-port", "{{ .Values.healthChecks.port }}"
          ]
          env:
          {{- with .Values.nodeDriverRegistrar.extraEnvVars }}
          {{- toYaml . | nindent 12 }}
          {{- end }}
          volumeMounts:
            # The registrar needs access to the SPIFFE CSI driver socket
            - mountPath: /spiffe-csi
@ -83,34 +139,33 @@ spec:
            - name: kubelet-plugin-registration-dir
              mountPath: /registration
          ports:
-            - containerPort: 9809
+            - containerPort: {{ .Values.healthChecks.port }}
              name: healthz
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
-            initialDelaySeconds: 5
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
            timeoutSeconds: 5
          resources:
            {{- toYaml .Values.nodeDriverRegistrar.resources | nindent 12 }}
      volumes:
        - name: spire-agent-socket-dir
          hostPath:
-            path: {{ include "spire.agent-socket-path" . | dir }}
+            path: {{ include "spiffe-csi-driver.agent-socket-path" . | dir }}
            type: DirectoryOrCreate
        # This volume is where the socket for kubelet->driver communication lives
        - name: spiffe-csi-socket-dir
          hostPath:
-            path: /var/lib/kubelet/plugins/csi.spiffe.io
+            path: {{ .Values.kubeletPath }}/plugins/{{ .Values.pluginName }}
            type: DirectoryOrCreate
        # This volume is where the SPIFFE CSI driver mounts volumes
        - name: mountpoint-dir
          hostPath:
-            path: /var/lib/kubelet/pods
+            path: {{ .Values.kubeletPath }}/pods
            type: Directory
        # This volume is where the node-driver-registrar registers the plugin
        # with kubelet
        - name: kubelet-plugin-registration-dir
          hostPath:
-            path: /var/lib/kubelet/plugins_registry
+            path: {{ .Values.kubeletPath }}/plugins_registry
            type: Directory
--- a/charts/spire/charts/spiffe-csi-driver/templates/policy.yaml
+++ b/charts/spire/charts/spiffe-csi-driver/templates/policy.yaml
@ -0,0 +1,37 @@
 {{- $upstream := eq .Values.pluginName "upstream.csi.spiffe.io" }}
 {{- $detectedValidation := semverCompare ">=1.30-0" .Capabilities.KubeVersion.GitVersion -}}
 {{- $policyEnabled := .Values.validatingAdmissionPolicy.enabled | toString }}
 {{- $auto := eq $policyEnabled "auto" }}
 {{- if or (eq $policyEnabled "true") (and $auto $upstream $detectedValidation) }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
  name: {{ .Values.pluginName | quote }}
 spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   [""]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["pods"]
  validations:
  - expression: |
      !object.spec.volumes.exists(c, has(c.csi) && has(c.csi.driver) && c.csi.driver == {{ .Values.pluginName | quote }})
    message: 'you may not use the upstream.csi.spiffe.io csi driver'
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
  name: {{ .Values.pluginName | quote }}
 spec:
  policyName: {{ .Values.pluginName | quote }}
  validationActions: ["Deny"]
  matchResources:
    namespaceSelector:
      matchExpressions:
      - key: "kubernetes.io/metadata.name"
        operator: NotIn
        values:
        - {{ include "spiffe-csi-driver.server-namespace" . | quote }}
 {{- end }}
--- a/charts/spire/charts/spiffe-csi-driver/templates/scc-restricted-csi.yaml
+++ b/charts/spire/charts/spiffe-csi-driver/templates/scc-restricted-csi.yaml
@ -0,0 +1,61 @@
 {{- if and .Values.global.openshift .Values.restrictedScc.enabled }}
 {{- $name := default (printf "restricted-%scsi" (eq (.Values.restrictedScc.version | toString) "2" | ternary "v2-" "")) .Values.restrictedScc.name -}}
 {{- $v2Description := "This is the most restrictive SCC and it is used by default for authenticated users. On top of the legacy 'restricted' SCC, it also requires to drop ALL capabilities and does not allow privilege escalation binaries. It will also default the seccomp profile to runtime/default if unset, otherwise this seccomp profile is required." -}}
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 allowHostPorts: false
 priority: null
 requiredDropCapabilities:
 {{- if eq (.Values.restrictedScc.version | toString) "2" }}
  - ALL
 {{- else }}
  - KILL
  - MKNOD
  - SETUID
  - SETGID
 {{- end }}
 allowPrivilegedContainer: false
 runAsUser:
  type: MustRunAsRange
 users: []
 allowHostDirVolumePlugin: false
 {{- if eq (.Values.restrictedScc.version | toString) "2" }}
 seccompProfiles:
  - runtime/default
 {{- end }}
 allowHostIPC: false
 seLinuxContext:
  type: MustRunAs
 readOnlyRootFilesystem: false
 metadata:
  name: {{ $name }}
  annotations:
    kubernetes.io/description: >-
      {{ $name }} denies access to all host features and requires pods to be
      run with a UID, and SELinux context that are allocated to the namespace.
      {{ eq (.Values.restrictedScc.version | toString) "2" | ternary $v2Description "" }}
 fsGroup:
  type: MustRunAs
 groups: []
 defaultAddCapabilities: null
 supplementalGroups:
  type: RunAsAny
 volumes:
  - configMap
  - csi
  - downwardAPI
  - emptyDir
  - ephemeral
  - persistentVolumeClaim
  - projected
  - secret
 allowHostPID: false
 allowHostNetwork: false
 allowPrivilegeEscalation: {{ eq (.Values.restrictedScc.version | toString) "2" | ternary false true }}
 {{- if eq (.Values.restrictedScc.version | toString) "2" }}
 allowedCapabilities:
  - NET_BIND_SERVICE
 {{ else}}
 allowedCapabilities: null
 {{- end }}
 {{- end }}
--- a/charts/spire/charts/spiffe-csi-driver/templates/scc-spiffe-csi-driver.yaml
+++ b/charts/spire/charts/spiffe-csi-driver/templates/scc-spiffe-csi-driver.yaml
@ -0,0 +1,34 @@
 {{- if eq (.Values.global.openshift | toString) "true" }}
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
  name: {{ include "spiffe-csi-driver.fullname" . }}
 readOnlyRootFilesystem: true
 runAsUser:
  type: RunAsAny
 seLinuxContext:
  type: RunAsAny
 supplementalGroups:
  type: RunAsAny
 users:
  - system:serviceaccount:{{ include "spiffe-csi-driver.namespace" . }}:{{ include "spiffe-csi-driver.serviceAccountName" . }}
 volumes:
  - configmap
  - hostPath
  - secret
 allowedCapabilities: null
 allowHostDirVolumePlugin: true
 allowHostIPC: false
 allowHostNetwork: false
 allowHostPID: false
 allowHostPorts: false
 allowPrivilegeEscalation: true
 allowPrivilegedContainer: true
 defaultAddCapabilities: null
 fsGroup:
  type: RunAsAny
 groups: []
 priority: null
 requiredDropCapabilities: null
 {{ end }}
--- a/charts/spire/charts/spiffe-csi-driver/templates/spiffe-csi-driver.yaml
+++ b/charts/spire/charts/spiffe-csi-driver/templates/spiffe-csi-driver.yaml
@ -1,7 +1,17 @@
 {{- $labels := dict }}
 {{- if (dig "openshift" false .Values.global) }}
 {{- $_ := set $labels "security.openshift.io/csi-ephemeral-volume-profile" "restricted" }}
 {{- end }}
 {{- $labels = mergeOverwrite $labels .Values.csiDriverLabels }}
 apiVersion: storage.k8s.io/v1
 kind: CSIDriver
 metadata:
-  name: "csi.spiffe.io"
+  name: {{ .Values.pluginName | quote }}
  {{- with $labels }}
  labels:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  # Only ephemeral, inline volumes are supported. There is no need for a
  # controller to provision and attach volumes.
--- a/charts/spire/charts/spiffe-csi-driver/values.yaml
+++ b/charts/spire/charts/spiffe-csi-driver/values.yaml
@ -1,8 +1,26 @@
 # Default configuration for SPIFFE CSI Driver chart
 # SPDX-License-Identifier: APACHE-2.0
 ## @skip global
 global: {}
 ## @section SPIFFE CSI Driver Chart parameters
 ##
 ## @param pluginName Set the csi driver name deployed to Kubernetes.
 pluginName: csi.spiffe.io
 ## @param image.registry The OCI registry to pull the image from
 ## @param image.repository The repository within the registry
 ## @param image.pullPolicy The image pull policy
 ## @param image.tag Overrides the image tag whose default is the chart appVersion
 ##
 image:
  registry: ghcr.io
  repository: spiffe/spiffe-csi-driver
  pullPolicy: IfNotPresent
-  version: ""
+  tag: ""
 ## @param resources [object] Resource requests and limits for spiffe-csi-driver
 resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
@ -15,25 +33,71 @@ resources: {}
  #   cpu: 100m
  #   memory: 64Mi
 ## @param extraEnvVars [array] Extra environment variables to be added to the spiffe-csi-driver container
 extraEnvVars: []
 healthChecks:
  ## @param healthChecks.port The healthcheck port for spiffe-csi-driver
  port: 9809
 ## @param updateStrategy.type The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete.
 ## @param updateStrategy.rollingUpdate.maxUnavailable Max unavailable pods during update. Can be a number or a percentage.
 updateStrategy:
  type: RollingUpdate
  rollingUpdate:
    maxUnavailable: 1
 ## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
 ## @param livenessProbe.timeoutSeconds Timeout value in seconds for livenessProbe
 ##
 livenessProbe:
  initialDelaySeconds: 5
  timeoutSeconds: 5
 ## @param imagePullSecrets Image pull secret details for spiffe-csi-driver
 imagePullSecrets: []
 ## @param nameOverride Name override for spiffe-csi-driver
 nameOverride: ""
 ## @param namespaceOverride Namespace to install spiffe-csi-driver
 namespaceOverride: ""
 ## @param serverNamespaceOverride Override the namespace that the spire-server is installed into
 serverNamespaceOverride: ""
 validatingAdmissionPolicy:
  ## @param validatingAdmissionPolicy.enabled When set to auto, the validatingAdmissionPolicy will be enabled when the pluginName == "upstream.csi.spiffe.io" and k8s >= 1.30.0. Valid options are [auto, true, false]
  enabled: auto
 ## @param fullnameOverride Full name override for spiffe-csi-driver
 fullnameOverride: ""
 ## @param csiDriverLabels Labels to apply to the CSIDriver
 csiDriverLabels: {}
 ## @param initContainers Init Containers to apply to the CSI Driver DaemonSet
 initContainers: []
 ## @param serviceAccount.create Specifies whether a service account should be created
 ## @param serviceAccount.annotations Annotations to add to the service account
 ## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
 ##
 serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
 ## @param podAnnotations [object] Pod annotations for spiffe-csi-driver
 podAnnotations: {}
 ## @param podSecurityContext [object] Security context for CSI driver pods
 podSecurityContext: {}
  # fsGroup: 2000
 ## @param securityContext.readOnlyRootFilesystem Flag for read only root filesystem
 ## @param securityContext.privileged Flag for specifying privileged mode
 ##
 securityContext:
  readOnlyRootFilesystem: true
  privileged: true
@ -43,15 +107,27 @@ securityContext:
  #   drop:
  #   - ALL
-nodeSelector:
+## @param nodeSelector [object] Node selector for CSI driver pods
-  kubernetes.io/arch: amd64
+nodeSelector: {}
 ## @param tolerations [array] Tolerations for CSI driver pods
 tolerations: []
 ## @param affinity [object] Node affinity
 affinity: {}
 nodeDriverRegistrar:
  ## @param nodeDriverRegistrar.image.registry The OCI registry to pull the image from
  ## @param nodeDriverRegistrar.image.repository The repository within the registry
  ## @param nodeDriverRegistrar.image.pullPolicy The image pull policy
  ## @param nodeDriverRegistrar.image.tag Overrides the image tag
  ##
  image:
    registry: registry.k8s.io
    repository: sig-storage/csi-node-driver-registrar
    pullPolicy: IfNotPresent
-    version: v2.6.2
+    tag: v2.9.4
  ## @param nodeDriverRegistrar.resources Resource requests and limits for CSI driver pods
  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
@ -63,3 +139,38 @@ nodeDriverRegistrar:
    # limits:
    #   cpu: 100m
    #   memory: 64Mi
  ## @param nodeDriverRegistrar.extraEnvVars [array] Extra environment variables to be added to the nodeDriverRegistrar container
  extraEnvVars: []
 ## @param agentSocketPath The unix socket path to the spire-agent
 agentSocketPath: /run/spire/agent-sockets/spire-agent.sock
 ## @param kubeletPath Path to kubelet file
 kubeletPath: /var/lib/kubelet
 ## @param priorityClassName Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName.
 priorityClassName: ""
 restrictedScc:
  ## @param restrictedScc.enabled Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support
  enabled: false
  ## @param restrictedScc.name Set the name of the restricted SCC with CSI support
  name: ""
  ## @param restrictedScc.version Version of the restricted SCC
  version: 2
 selinux:
  ## @param selinux.enabled Enable selinux support
  enabled: false
  ## @param selinux.context Which selinux context to use
  context: container_file_t
  ## @param selinux.image.registry The OCI registry to pull the image from
  ## @param selinux.image.repository The repository within the registry
  ## @param selinux.image.pullPolicy The image pull policy
  ## @param selinux.image.tag Overrides the image tag whose default is the chart appVersion
  image:
    registry: registry.access.redhat.com
    repository: ubi9
    pullPolicy: Always
    tag: latest
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml
@ -3,4 +3,19 @@ name: spiffe-oidc-discovery-provider
 description: A Helm chart to install the SPIFFE OIDC discovery provider.
 type: application
 version: 0.1.0
-appVersion: "1.5.4"
+appVersion: "1.12.4"
 keywords: ["spiffe", "oidc"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
  - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
 maintainers:
  - name: marcofranssen
    email: marco.franssen@gmail.com
    url: https://marcofranssen.nl
  - name: kfox1111
    email: Kevin.Fox@pnnl.gov
  - name: faisal-memon
    email: fymemon@yahoo.com
  - name: edwbuck
    email: edwbuck@gmail.com
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
@ -1,54 +1,145 @@
 # spiffe-oidc-discovery-provider
-<!-- This README.md is generated. Please edit README.md.gotmpl -->
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat-square)
 ![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.4](https://img.shields.io/badge/AppVersion-1.5.4-informational?style=flat-square)
 A Helm chart to install the SPIFFE OIDC discovery provider.
-## Values
+**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
-| Key | Type | Default | Description |
+## Maintainers
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
 | autoscaling.enabled | bool | `false` |  |
 | autoscaling.maxReplicas | int | `5` |  |
 | autoscaling.minReplicas | int | `1` |  |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
 | autoscaling.targetMemoryUtilizationPercentage | int | `80` |  |
 | config.acme.cacheDir | string | `"/run/spire"` |  |
 | config.acme.directoryUrl | string | `"https://acme-v02.api.letsencrypt.org/directory"` |  |
 | config.acme.emailAddress | string | `"letsencrypt@example.org"` |  |
 | config.acme.tosAccepted | bool | `false` |  |
 | config.domains[0] | string | `"localhost"` |  |
 | config.domains[1] | string | `"oidc-discovery.example.org"` |  |
 | config.logLevel | string | `"info"` |  |
 | fullnameOverride | string | `""` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.registry | string | `"ghcr.io"` |  |
 | image.repository | string | `"spiffe/oidc-discovery-provider"` |  |
 | image.version | string | `""` |  |
 | imagePullSecrets | list | `[]` |  |
 | insecureScheme.enabled | bool | `false` |  |
 | insecureScheme.nginx.image.pullPolicy | string | `"IfNotPresent"` |  |
 | insecureScheme.nginx.image.registry | string | `"docker.io"` |  |
 | insecureScheme.nginx.image.repository | string | `"nginx"` |  |
 | insecureScheme.nginx.image.version | string | `"1.23.2-alpine"` |  |
 | insecureScheme.nginx.resources | object | `{}` |  |
 | nameOverride | string | `""` |  |
 | nodeSelector."kubernetes.io/arch" | string | `"amd64"` |  |
 | podAnnotations | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
 | securityContext | object | `{}` |  |
 | service.annotations | object | `{}` |  |
 | service.port | int | `80` |  |
 | service.type | string | `"ClusterIP"` |  |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.create | bool | `true` |  |
 | serviceAccount.name | string | `""` |  |
 | tolerations | list | `[]` |  |
 | trustDomain | string | `"example.org"` |  |
----------------------------------------------
+| Name | Email | Url |
 | ---- | ------ | --- |
 | marcofranssen | <marco.franssen@gmail.com> | <https://marcofranssen.nl> |
 | kfox1111 | <Kevin.Fox@pnnl.gov> |  |
 | faisal-memon | <fymemon@yahoo.com> |  |
 | edwbuck | <edwbuck@gmail.com> |  |
 ## Source Code
 * <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
 <!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
 ## Parameters
 ### Chart parameters
 | Name                                                  | Description                                                                                                                                                                                                                            | Value                                                                            |
 | ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
 | `agentSocketName`                                     | The name of the spire-agent unix socket                                                                                                                                                                                                | `spire-agent.sock`                                                               |
 | `csiDriverName`                                       | The csi driver to use                                                                                                                                                                                                                  | `csi.spiffe.io`                                                                  |
 | `bundleSource`                                        | Configure where to fetch the trust bundle from. Must be CSI or ConfigMap.                                                                                                                                                              | `CSI`                                                                            |
 | `bundleConfigMap`                                     | ConfigMap name for SPIRE bundle when bundleSource is ConfigMap                                                                                                                                                                         | `spire-bundle`                                                                   |
 | `replicaCount`                                        | Replica count                                                                                                                                                                                                                          | `1`                                                                              |
 | `namespaceOverride`                                   | Namespace override                                                                                                                                                                                                                     | `""`                                                                             |
 | `annotations`                                         | Annotations for the deployment                                                                                                                                                                                                         | `{}`                                                                             |
 | `image.registry`                                      | The OCI registry to pull the image from                                                                                                                                                                                                | `ghcr.io`                                                                        |
 | `image.repository`                                    | The repository within the registry                                                                                                                                                                                                     | `spiffe/oidc-discovery-provider`                                                 |
 | `image.pullPolicy`                                    | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
 | `image.tag`                                           | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `""`                                                                             |
 | `expandEnv`                                           | Set to true to enable environment variable substitution of config file options                                                                                                                                                         | `false`                                                                          |
 | `extraEnv`                                            | Extra environment variables to add to the spiffe oidc discovery provider                                                                                                                                                               | `[]`                                                                             |
 | `spiffeHelper.image.registry`                         | The OCI registry to pull the image from                                                                                                                                                                                                | `ghcr.io`                                                                        |
 | `spiffeHelper.image.repository`                       | The repository within the registry                                                                                                                                                                                                     | `spiffe/spiffe-helper`                                                           |
 | `spiffeHelper.image.pullPolicy`                       | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
 | `spiffeHelper.image.tag`                              | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `0.10.1`                                                                         |
 | `spiffeHelper.resources`                              | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                             |
 | `resources`                                           | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                             |
 | `service.type`                                        | Service type                                                                                                                                                                                                                           | `ClusterIP`                                                                      |
 | `service.ports.http`                                  | Insecure port for the service                                                                                                                                                                                                          | `80`                                                                             |
 | `service.ports.https`                                 | Secure port for the service                                                                                                                                                                                                            | `443`                                                                            |
 | `service.annotations`                                 | Annotations for service resource                                                                                                                                                                                                       | `{}`                                                                             |
 | `configMap.annotations`                               | Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap                                                                                                                                                                     | `{}`                                                                             |
 | `podSecurityContext`                                  | Pod security context for OIDC discovery provider pods                                                                                                                                                                                  | `{}`                                                                             |
 | `securityContext`                                     | Security context for OIDC discovery provider deployment                                                                                                                                                                                | `{}`                                                                             |
 | `readinessProbe.initialDelaySeconds`                  | Initial delay seconds for readinessProbe                                                                                                                                                                                               | `5`                                                                              |
 | `readinessProbe.periodSeconds`                        | Period seconds for readinessProbe                                                                                                                                                                                                      | `5`                                                                              |
 | `livenessProbe.initialDelaySeconds`                   | Initial delay seconds for livenessProbe                                                                                                                                                                                                | `5`                                                                              |
 | `livenessProbe.periodSeconds`                         | Period seconds for livenessProbe                                                                                                                                                                                                       | `5`                                                                              |
 | `podAnnotations`                                      | Pod annotations for Spire OIDC discovery provider                                                                                                                                                                                      | `{}`                                                                             |
 | `tls.spire.enabled`                                   | Use spire to secure the oidc-discovery-provider                                                                                                                                                                                        | `true`                                                                           |
 | `tls.externalSecret.enabled`                          | Provide your own certificate/key via tls style Kubernetes Secret                                                                                                                                                                       | `false`                                                                          |
 | `tls.externalSecret.secretName`                       | Specify which Secret to use                                                                                                                                                                                                            | `""`                                                                             |
 | `tls.certManager.enabled`                             | Use certificateManager to create the certificate                                                                                                                                                                                       | `false`                                                                          |
 | `tls.certManager.issuer.create`                       | Create an issuer to use to issue the certificate                                                                                                                                                                                       | `true`                                                                           |
 | `tls.certManager.issuer.acme.email`                   | Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service                                                                                                                                     | `""`                                                                             |
 | `tls.certManager.issuer.acme.server`                  | Server to use to get certificate. Defaults to LetsEncrypt                                                                                                                                                                              | `https://acme-v02.api.letsencrypt.org/directory`                                 |
 | `tls.certManager.issuer.acme.solvers`                 | Configure the issuer solvers. Defaults to http01 via ingress.                                                                                                                                                                          | `{}`                                                                             |
 | `tls.certManager.certificate.dnsNames`                | Override the dnsNames on the certificate request. Defaults to the same settings as Ingress                                                                                                                                             | `[]`                                                                             |
 | `tls.certManager.certificate.issuerRef.group`         | If you are using an external plugin, specify the group for it here                                                                                                                                                                     | `""`                                                                             |
 | `tls.certManager.certificate.issuerRef.kind`          | Kind of the issuer reference. Override if you want to use a ClusterIssuer                                                                                                                                                              | `Issuer`                                                                         |
 | `tls.certManager.certificate.issuerRef.name`          | Name of the issuer to use. If unset, it will use the name of the built in issuer                                                                                                                                                       | `""`                                                                             |
 | `insecureScheme.nginx.image.registry`                 | The OCI registry to pull the image from. Only used when TLS is disabled.                                                                                                                                                               | `docker.io`                                                                      |
 | `insecureScheme.nginx.image.repository`               | The repository within the registry. Only used when TLS is disabled.                                                                                                                                                                    | `nginxinc/nginx-unprivileged`                                                    |
 | `insecureScheme.nginx.image.pullPolicy`               | The image pull policy.  Only used when TLS is disabled.                                                                                                                                                                                | `IfNotPresent`                                                                   |
 | `insecureScheme.nginx.image.tag`                      | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled.                                                                                                                                         | `1.29.0-alpine`                                                                  |
 | `insecureScheme.nginx.ipMode`                         | IP modes supported by the cluster. Must be one of [ipv4, ipv6, both]                                                                                                                                                                   | `both`                                                                           |
 | `insecureScheme.nginx.resources`                      | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                             |
 | `jwtIssuer`                                           | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset                                                                                                                                                                   | `""`                                                                             |
 | `config.logLevel`                                     | The log level, valid values are "debug", "info", "warn", and "error"                                                                                                                                                                   | `info`                                                                           |
 | `config.jwtDomain`                                    | The JWT domain. Defaults to oidc-discovery.$jwtIssuer URL-parsed host if unset                                                                                                                                                         | `""`                                                                             |
 | `config.jwksUri`                                      | The JWKS URI                                                                                                                                                                                                                           | `""`                                                                             |
 | `config.additionalDomains`                            | Add additional domains that can be used for oidc discovery                                                                                                                                                                             | `[]`                                                                             |
 | `imagePullSecrets`                                    | Image pull secret names                                                                                                                                                                                                                | `[]`                                                                             |
 | `nameOverride`                                        | Name override                                                                                                                                                                                                                          | `""`                                                                             |
 | `fullnameOverride`                                    | Full name override                                                                                                                                                                                                                     | `""`                                                                             |
 | `serviceAccount.create`                               | Specifies whether a service account should be created                                                                                                                                                                                  | `true`                                                                           |
 | `serviceAccount.annotations`                          | Annotations to add to the service account                                                                                                                                                                                              | `{}`                                                                             |
 | `serviceAccount.name`                                 | The name of the service account to use. If not set and create is true, a name is generated.                                                                                                                                            | `""`                                                                             |
 | `deleteHook.enabled`                                  | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`)                                                                                                                                      | `true`                                                                           |
 | `autoscaling.enabled`                                 | Flag to enable autoscaling                                                                                                                                                                                                             | `false`                                                                          |
 | `autoscaling.minReplicas`                             | Minimum replicas for autoscaling                                                                                                                                                                                                       | `1`                                                                              |
 | `autoscaling.maxReplicas`                             | Maximum replicas for autoscaling                                                                                                                                                                                                       | `5`                                                                              |
 | `autoscaling.targetCPUUtilizationPercentage`          | Target CPU utlization that triggers autoscaling                                                                                                                                                                                        | `80`                                                                             |
 | `autoscaling.targetMemoryUtilizationPercentage`       | Target Memory utlization that triggers autoscaling                                                                                                                                                                                     | `80`                                                                             |
 | `nodeSelector`                                        | Node selector                                                                                                                                                                                                                          | `{}`                                                                             |
 | `tolerations`                                         | iist of tolerations                                                                                                                                                                                                                    | `[]`                                                                             |
 | `affinity`                                            | Node affinity                                                                                                                                                                                                                          | `{}`                                                                             |
 | `trustDomain`                                         | Set the trust domain to be used for the SPIFFE identifiers                                                                                                                                                                             | `example.org`                                                                    |
 | `clusterDomain`                                       | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`)                                                                                                                                                               | `cluster.local`                                                                  |
 | `telemetry.prometheus.enabled`                        | Flag to enable prometheus monitoring                                                                                                                                                                                                   | `false`                                                                          |
 | `telemetry.prometheus.port`                           | Port for prometheus metrics                                                                                                                                                                                                            | `9988`                                                                           |
 | `telemetry.prometheus.podMonitor.enabled`             | Enable podMonitor for prometheus                                                                                                                                                                                                       | `false`                                                                          |
 | `telemetry.prometheus.podMonitor.namespace`           | Override where to install the podMonitor, if not set will use the same namespace as the helm release                                                                                                                                   | `""`                                                                             |
 | `telemetry.prometheus.podMonitor.labels`              | Pod labels to filter for prometheus monitoring                                                                                                                                                                                         | `{}`                                                                             |
 | `telemetry.prometheus.nginxExporter.image.registry`   | The OCI registry to pull the image from                                                                                                                                                                                                | `docker.io`                                                                      |
 | `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry                                                                                                                                                                                                     | `nginx/nginx-prometheus-exporter`                                                |
 | `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
 | `telemetry.prometheus.nginxExporter.image.tag`        | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `1.4.2`                                                                          |
 | `telemetry.prometheus.nginxExporter.resources`        | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                             |
 | `ingress.enabled`                                     | Flag to enable ingress                                                                                                                                                                                                                 | `false`                                                                          |
 | `ingress.className`                                   | Ingress class name                                                                                                                                                                                                                     | `""`                                                                             |
 | `ingress.controllerType`                              | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""`                                                                             |
 | `ingress.annotations`                                 | Annotations for ingress object                                                                                                                                                                                                         | `{}`                                                                             |
 | `ingress.host`                                        | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.                                                       | `oidc-discovery`                                                                 |
 | `ingress.tlsSecret`                                   | Secret that has the certs. If blank will use default certs. Used with host var.                                                                                                                                                        | `""`                                                                             |
 | `ingress.hosts`                                       | Host paths for ingress object. If emtpy, rules will be built based on the host var.                                                                                                                                                    | `[]`                                                                             |
 | `ingress.tls`                                         | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars.                                                                                                         | `[]`                                                                             |
 | `tests.hostAliases`                                   | List of host aliases for testing                                                                                                                                                                                                       | `[]`                                                                             |
 | `tests.tls.enabled`                                   | Flag for enabling tls for tests                                                                                                                                                                                                        | `false`                                                                          |
 | `tests.tls.customCA`                                  | Custom CA value for tests                                                                                                                                                                                                              | `""`                                                                             |
 | `tests.bash.image.registry`                           | The OCI registry to pull the image from                                                                                                                                                                                                | `cgr.dev`                                                                        |
 | `tests.bash.image.repository`                         | The repository within the registry                                                                                                                                                                                                     | `chainguard/bash`                                                                |
 | `tests.bash.image.pullPolicy`                         | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
 | `tests.bash.image.tag`                                | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
 | `tests.toolkit.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                                                                | `cgr.dev`                                                                        |
 | `tests.toolkit.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `chainguard/min-toolkit-debug`                                                   |
 | `tests.toolkit.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
 | `tests.toolkit.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53` |
 | `tests.step.image.registry`                           | The OCI registry to pull the image from                                                                                                                                                                                                | `docker.io`                                                                      |
 | `tests.step.image.repository`                         | The repository within the registry                                                                                                                                                                                                     | `smallstep/step-cli`                                                             |
 | `tests.step.image.pullPolicy`                         | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
 | `tests.step.image.tag`                                | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `0.28.7`                                                                         |
 | `tests.busybox.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                                                                | `""`                                                                             |
 | `tests.busybox.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `busybox`                                                                        |
 | `tests.busybox.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
 | `tests.busybox.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `1.37.0-uclibc`                                                                  |
 | `tests.agent.image.registry`                          | The OCI registry to pull the image from                                                                                                                                                                                                | `ghcr.io`                                                                        |
 | `tests.agent.image.repository`                        | The repository within the registry                                                                                                                                                                                                     | `spiffe/spire-agent`                                                             |
 | `tests.agent.image.pullPolicy`                        | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
 | `tests.agent.image.tag`                               | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `""`                                                                             |
 | `tools.kubectl.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                                                                | `registry.k8s.io`                                                                |
 | `tools.kubectl.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `kubectl`                                                                        |
 | `tools.kubectl.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
 | `tools.kubectl.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `""`                                                                             |
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md.gotmpl
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md.gotmpl
@ -1,21 +0,0 @@
 {{ template "chart.header" . }}
 <!-- This README.md is generated. Please edit README.md.gotmpl -->
 {{ template "chart.deprecationWarning" . }}
 {{ template "chart.badgesSection" . }}
 {{ template "chart.description" . }}
 {{ template "chart.homepageLine" . }}
 {{ template "chart.maintainersSection" . }}
 {{ template "chart.sourcesSection" . }}
 {{ template "chart.requirementsSection" . }}
 {{ template "chart.valuesSection" . }}
 ----------------------------------------------
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/files/test/jwt-decode.sh
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/files/test/jwt-decode.sh
@ -0,0 +1,116 @@
 #!/usr/bin/env bash
 set -x
 # https://gist.github.com/stokito/f2d7ea0b300f14638a9063559384ec89/
 # Decode a JWT from stdin and verify it's signature with the JWT issuer public key
 # Only RS256 keys are supported for signature check
 #
 # HOW TO USE:
 # $ export JWTTOKEN="eyF...<your token here>...g"
 # $ ./jwt-decode.sh https://example.com/keys "${JWTTOKEN}"
 # if signature check failed then error code will be non-zero
 URL=$1
 JWT=$2
 if [ -z "$(command -v jq)" ]; then
  echo "This script will NOT work on your machine."
  echo "Please install jq first: https://stedolan.github.io/jq/download/"
  exit 1
 fi
 base64_padding() {
  local len=$(( ${#1} % 4 ))
  local padded_b64=''
  if [ ${len} = 2 ]; then
    padded_b64="${1}=="
  elif [ ${len} = 3 ]; then
    padded_b64="${1}="
  else
    padded_b64="${1}"
  fi
  echo -n "$padded_b64"
 }
 base64url_to_b64() {
  base64_padding "${1}" | tr -- '-_' '+/'
 }
 b2hex() { echo -n "$1"==== | fold -w 4 | sed '$ d' | tr -d '\n' |base64 -d | xxd -p | tr -d \\n; }
 mint_rsa_key() {
  JWK=$1
  # Extract the modulus and exponent from the JWK, converting from URL-safe Base64 to standard Base64
  MODULUS=$(echo "$JWK" | jq -r '.n' | tr '_-' '/+')
  EXPONENT=$(echo "$JWK" | jq -r '.e' | tr '_-' '/+')
  modulus=$(b2hex "$MODULUS")
  exponent=$(b2hex "$EXPONENT")
  asnconf=$(mktemp)
  asnconf="asn1=SEQUENCE:pubkeyinfo\n[pubkeyinfo]\nalgorithm=SEQUENCE:rsa_alg\npubkey=BITWRAP,SEQUENCE:rsapubkey\n[rsa_alg]\nalgorithm=OID:rsaEncryption\nparameter=NULL\n[rsapubkey]\nn=INTEGER:0x$modulus\ne=INTEGER:0x$exponent"
  derfile=$(mktemp)
  echo >&2 "derfile: $derfile"
  echo -e "$asnconf" | openssl asn1parse -genconf /dev/stdin -noout -out "$derfile"
  openssl rsa -in "$derfile" -inform DER -pubin
 }
 # read the JWT from stdin and split by comma into three variables
 IFS='.' read -r JWT_HEADER_B64URL JWT_PAYLOAD_B64URL JWT_SIGNATURE_B64URL <<< "${JWT}"
 JWT_HEADER_B64=$(base64url_to_b64 "${JWT_HEADER_B64URL}")
 JWT_PAYLOAD_B64=$(base64url_to_b64 "${JWT_PAYLOAD_B64URL}")
 JWT_SIGNATURE_B64=$(base64url_to_b64 "${JWT_SIGNATURE_B64URL}")
 JWT_HEADER=$(echo "${JWT_HEADER_B64}" | base64 -d)
 JWT_PAYLOAD=$(echo "${JWT_PAYLOAD_B64}" | base64 -d)
 echo "JWT Header:"
 echo "${JWT_HEADER}" | jq
 echo "JWT Payload:"
 echo "${JWT_PAYLOAD}" | jq
 echo "JWT Signature (Base 64 padded):"
 echo "${JWT_SIGNATURE_B64}"
 JWT_ALG=$(echo "$JWT_HEADER" | jq -r .alg)
 JWT_KID=$(echo "$JWT_HEADER" | jq -r .kid)
 #JWT_TYP=$(echo "$JWT_HEADER" | jq -r .typ)
 #JWT_ISS=$(echo "$JWT_PAYLOAD" | jq -r .iss)
 JWT_SUB=$(echo "$JWT_PAYLOAD" | jq -r .sub)
 JWT_EMAIL=$(echo "$JWT_PAYLOAD" | jq -r .email)
 JWT_IAT=$(echo "$JWT_PAYLOAD" | jq -r .iat)
 echo "alg: $JWT_ALG kid: $JWT_KID"
 echo "sub: $JWT_SUB email: $JWT_EMAIL iat: $JWT_IAT"
 echo "URL: ${URL}"
 JWK_SET=$(curl -k -s "${URL}")
 echo >&2 "JWK_SET: $JWK_SET"
 JWK=$(echo "$JWK_SET" | jq -c -r --arg KID "$JWT_KID" '.keys[] | select(.kid==$KID)')
 echo >&2 "JWK: $JWK"
 PUB_KEY_FILE=$(mktemp)
 mint_rsa_key "$JWK" > "$PUB_KEY_FILE"
 # verify signature
 if [ "${JWT_ALG}" = "RS256" ]; then
  #SIG_FILE="/tmp/$JWT_SUB-$JWT_IAT.sig.dat"
  SIG_FILE=$(mktemp)
  echo -n "$JWT_SIGNATURE_B64" | base64 -d > "${SIG_FILE}"
  JWT_BODY=$(echo -n "$JWT_HEADER_B64URL.$JWT_PAYLOAD_B64URL")
  echo -n "$JWT_BODY" | openssl dgst -sha256 -verify "${PUB_KEY_FILE}" -signature "${SIG_FILE}"
  JWT_SIG_VERIFIED=$?
  rm "${SIG_FILE}"
  if [ ${JWT_SIG_VERIFIED} -ne 0 ]; then
    >&2 echo "Bad Signature"
    exit ${JWT_SIG_VERIFIED};
  fi
 else
  >&2 echo "Error 3: Unsupported signature algorithm $JWT_ALG"
  exit 3
 fi
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/_helpers.tpl
@ -23,6 +23,33 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 {{/*
 Allow the release namespace to be overridden for multi-namespace deployments in combined charts
 */}}
 {{- define "spiffe-oidc-discovery-provider.namespace" -}}
  {{- if .Values.namespaceOverride -}}
    {{- .Values.namespaceOverride -}}
  {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
    {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
      {{- .Values.global.spire.namespaces.server.name }}
    {{- else }}
      {{- printf "spire-server" }}
    {{- end }}
  {{- else -}}
    {{- .Release.Namespace -}}
  {{- end -}}
 {{- end -}}
 {{- define "spiffe-oidc-discovery-provider.podMonitor.namespace" -}}
  {{- if ne (len .Values.telemetry.prometheus.podMonitor.namespace) 0 }}
    {{- .Values.telemetry.prometheus.podMonitor.namespace }}
  {{- else if ne (len (dig "telemetry" "prometheus" "podMonitor" "namespace" "" .Values.global)) 0 }}
    {{- .Values.global.telemetry.prometheus.podMonitor.namespace }}
  {{- else }}
    {{- include "spiffe-oidc-discovery-provider.namespace" . }}
  {{- end }}
 {{- end -}}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@ -61,14 +88,28 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
-{{- define "spiffe-oidc-discovery-provider.image" -}}
+{{- define "spiffe-oidc-discovery-provider.workload-api-socket-path" -}}
-{{- if eq (substr 0 7 .image.version) "sha256:" -}}
+{{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
-{{- printf "%s/%s@%s" .image.registry .image.repository .image.version -}}
+{{- end }}
-{{- else if .appVersion -}}
+
-{{- printf "%s/%s:%s" .image.registry .image.repository (default .appVersion .image.version) -}}
+{{- define "spiffe-oidc-discovery-provider.tls-enabled" -}}
-{{- else if .image.version -}}
+{{-   if or .Values.tls.spire.enabled .Values.tls.externalSecret.enabled .Values.tls.certManager.enabled }}
-{{- printf "%s/%s:%s" .image.registry .image.repository .image.version -}}
+{{-     true }}
-{{- else -}}
+{{-   else }}
-{{- printf "%s/%s" .image.registry .image.repository -}}
+{{-     false }}
-{{- end -}}
+{{-   end }}
 {{- end }}
 {{- define "spiffe-oidc-discovery-provider.podSecurityContext" -}}
 {{-   $podSecurityContext := include "spire-lib.podsecuritycontext" . | fromYaml }}
 {{-   $openshift := ((.Values).global).openshift | default false }}
 {{-   if and .Values.tls.spire.enabled (not $openshift) }}
 {{-     if not (hasKey $podSecurityContext "runAsUser") }}
 {{-       $_ := set $podSecurityContext "runAsUser" 1000 }}
 {{-     end }}
 {{-     if not (hasKey $podSecurityContext "runAsGroup") }}
 {{-       $_ := set $podSecurityContext "runAsGroup" 1000 }}
 {{-     end }}
 {{-   end }}
 {{-   toYaml $podSecurityContext }}
 {{- end }}
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/certificate.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/certificate.yaml
@ -0,0 +1,26 @@
 {{- define "spiffe-oidc-discovery-provider.cert-manager-default-cert" }}
 {{-   $fullName := include "spiffe-oidc-discovery-provider.fullname" . }}
 dnsNames:
  {{- if ne (len .Values.tls.certManager.certificate.dnsNames) 0 }}
  {{-   toYaml .Values.tls.certManager.certificate.dnsNames | nindent 4 }}
  {{- else }}
  - {{ include "spire-lib.ingress-calculated-name" (dict "ingress" .Values.ingress "Values" .Values) }}
  {{- end }}
 issuerRef:
  {{- with .Values.tls.certManager.certificate.issuerRef.group }}
  group: {{ . }}
  {{- end }}
  kind: {{ default "Issuer" .Values.tls.certManager.certificate.issuerRef.kind }}
  name: {{ default $fullName .Values.tls.certManager.certificate.issuerRef.name }}
 secretName: {{ $fullName }}-cert
 {{- end }}
 {{- if .Values.tls.certManager.enabled }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}
  namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }}
 spec:
  {{ merge (include "spiffe-oidc-discovery-provider.cert-manager-default-cert" . | fromYaml) .Values.tls.certManager.certificate | toYaml | nindent 2 }}
 {{- end }}
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml
@ -1,57 +1,108 @@
 {{- if and (ne .Values.bundleSource "ConfigMap") (ne .Values.bundleSource "CSI") }}
 {{-   fail "Bundle source must be CSI or ConfigmMap" }}
 {{- end }}
 {{- $tlsCount := 0 }}
 {{- if and .Values.enabled .Values.tls.spire.enabled }}
 {{-   $tlsCount = add $tlsCount 1 }}
 {{- end }}
 {{- if and .Values.enabled .Values.tls.externalSecret.enabled }}
 {{-   $tlsCount = add $tlsCount 1 }}
 {{- end }}
 {{- if and .Values.enabled .Values.tls.certManager.enabled }}
 {{-   $tlsCount = add $tlsCount 1 }}
 {{- end }}
 {{- if gt $tlsCount 1 }}
 {{-   fail "You can only have one TLS configuration enabled" }}
 {{- end }}
 {{- include "spire-lib.check-strict-mode" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}}
 {{- include "spire-lib.check-strict-mode" (list . "jwtIssuer must be set" (eq (include "spire-lib.jwt-issuer" .) "https://oidc-discovery.example.org"))}}
 {{- $oidcSocket := "/run/spire/oidc-sockets/spire-oidc-server.sock" }}
 {{- define "spiffe-oidc-discovery-provider.yaml-config" -}}
 {{- $oidcSocket := .oidcSocket }}
 {{- with .root }}
 log_level: {{ .Values.config.logLevel | quote }}
 domains:
  - "{{ include "spiffe-oidc-discovery-provider.fullname" . }}"
  - "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}"
  - "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}"
  {{- $jwtDomain := .Values.config.jwtDomain }}
  {{- if not $jwtDomain }}
    {{- $uri := urlParse (include "spire-lib.jwt-issuer" .) }}
    {{- $jwtDomain = (default $uri.path $uri.host) }}
  {{- end }}
  {{- uniq (concat (list $jwtDomain) .Values.config.additionalDomains) | toYaml | nindent 2 }}
 {{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }}
 allow_insecure_scheme: true
 listen_socket_path: {{ $oidcSocket | quote }}
 {{- else }}
 serving_cert_file:
  cert_file_path: /certs/tls.crt
  key_file_path: /certs/tls.key
  addr: ':8443'
 {{- end }}
 {{- if .Values.config.jwksUri}}
 jwks_uri: {{ .Values.config.jwksUri | quote }}
 {{- end }}
 {{- if eq .Values.bundleSource "ConfigMap" }}
 file:
  path: /bundle/bundle.spiffe
 {{- else }}
 workload_api:
  socket_path: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | quote }}
  trust_domain: {{ include "spire-lib.trust-domain" . | quote }}
 {{- end }}
 health_checks:
  bind_port: "8008"
  ready_path: "/ready"
  live_path: "/live"
 {{- end }}
 {{- end }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }}
  {{- with .Values.configMap.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 data:
  oidc-discovery-provider.conf: |
-    log_level = "{{ .Values.config.logLevel }}"
+    {{- include "spiffe-oidc-discovery-provider.yaml-config" (dict "oidcSocket" $oidcSocket "root" .) | fromYaml | toPrettyJson | nindent 4 }}
-
+  {{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }}
-    domains = [
+  default.conf: |
      "{{ include "spiffe-oidc-discovery-provider.fullname" . }}",
      "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ .Release.Namespace }}",
      "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local",
    {{- if gt (len .Values.config.domains) 0 }}
      "{{- join "\",\n      \"" .Values.config.domains }}"
    {{- end }}
    ]
    {{- if .Values.insecureScheme.enabled }}
    allow_insecure_scheme = {{ .Values.insecureScheme.enabled }}
    listen_socket_path = {{ $oidcSocket | quote }}
    {{- else }}
    acme {
      directory_url = "{{ .Values.config.acme.directoryUrl }}"
      cache_dir = "{{ .Values.config.acme.cacheDir }}"
      tos_accepted = {{ .Values.config.acme.tosAccepted }}
      email = "{{ .Values.config.acme.emailAddress }}"
    }
    {{- end }}
    workload_api {
      socket_path = "/spiffe-workload-api/{{ include "spire.agent-socket-path" . | splitList "/" | last }}"
      trust_domain = "{{ .Values.trustDomain }}"
    }
    health_checks {
      bind_port = "8008"
      ready_path = "/ready"
      live_path = "/live"
    }
  {{- if .Values.insecureScheme.enabled }}
  default.conf.template: |
    upstream oidc {
      server unix:{{ $oidcSocket }};
    }
    server {
-      listen            80;
+      {{- if or (eq .Values.insecureScheme.nginx.ipMode "ipv4") (eq .Values.insecureScheme.nginx.ipMode "both") }}
-      listen       [::]:80;
+      listen            8080;
      {{- end }}
      {{- if or (eq .Values.insecureScheme.nginx.ipMode "ipv6") (eq .Values.insecureScheme.nginx.ipMode "both") }}
      listen       [::]:8080;
      {{- end }}
      location / {
        proxy_pass http://oidc;
        proxy_set_header Host $host;
      }
      location /stub_status {
        allow 127.0.0.1/32;
        deny  all;
        stub_status on;
      }
    }
  {{- end }}
  spiffe-helper.conf: |
    agent_address = {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | quote }}
    cert_dir = "/certs"
    svid_file_name = "tls.crt"
    svid_key_file_name = "tls.key"
    svid_bundle_file_name = "ca.pem"
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
@ -1,9 +1,16 @@
 {{- $tlsEnabled := eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "true" }}
 {{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}
  namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }}
  labels:
    {{- include "spiffe-oidc-discovery-provider.labels" . | nindent 4 }}
  {{- with .Values.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
@ -13,12 +20,16 @@ spec:
      {{- include "spiffe-oidc-discovery-provider.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        checksum/config: {{ $configSum }}
        {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
      labels:
        {{- include "spiffe-oidc-discovery-provider.selectorLabels" . | nindent 8 }}
        release: {{ .Release.Name }}
        release-namespace: {{ .Release.Namespace }}
        component: oidc-discovery-provider
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
@ -26,27 +37,64 @@ spec:
      {{- end }}
      serviceAccountName: {{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}
      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- include "spiffe-oidc-discovery-provider.podSecurityContext" . | nindent 8 }}
      initContainers:
        {{- if .Values.tls.spire.enabled }}
        - name: init
          securityContext:
            {{- include "spire-lib.securitycontext" . | nindent 12 }}
          resources:
            {{- toYaml .Values.spiffeHelper.resources | nindent 12 }}
          image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
          imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
          args:
            - -config
            - /etc/spiffe-helper.conf
            - -daemon-mode=false
          volumeMounts:
            - name: spiffe-workload-api
              mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }}
              readOnly: true
            - name: spire-oidc-config
              mountPath: /etc/spiffe-helper.conf
              subPath: spiffe-helper.conf
              readOnly: true
            - name: certdir
              mountPath: /certs
        {{- end }}
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- include "spire-lib.securitycontext" . | nindent 12 }}
-          image: {{ template "spiffe-oidc-discovery-provider.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image) }}
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          args:
            - -config
            - /run/spire/oidc/config/oidc-discovery-provider.conf
            {{- if .Values.expandEnv }}
            - -expandEnv
            {{- end }}
          {{- with .Values.extraEnv }}
          env:
          {{- . | toYaml | nindent 12 }}
          {{- end }}
          ports:
            - containerPort: 8008
-              name: health
+              name: healthz
-          {{- if not .Values.insecureScheme.enabled }}
+          {{- if $tlsEnabled }}
-            - containerPort: 443
+            - containerPort: 8443
              name: https
          {{- end }}
          volumeMounts:
-            - name: spiffe-workload-api
+            {{- if eq .Values.bundleSource "ConfigMap" }}
-              mountPath: /spiffe-workload-api
+            - name: spiffe-bundle
              mountPath: /bundle
              readOnly: true
            {{- else }}
            - name: spiffe-workload-api
              mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }}
              readOnly: true
            {{- end }}
            - name: spire-oidc-sockets
              mountPath: /run/spire/oidc-sockets
              readOnly: false
@ -54,50 +102,109 @@ spec:
              mountPath: /run/spire/oidc/config/oidc-discovery-provider.conf
              subPath: oidc-discovery-provider.conf
              readOnly: true
            - name: certdir
              mountPath: /certs
              readOnly: true
          readinessProbe:
            httpGet:
              path: /ready
-              port: health
+              port: healthz
-            initialDelaySeconds: 5
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
            periodSeconds: 5
          livenessProbe:
            httpGet:
              path: /live
-              port: health
+              port: healthz
-            initialDelaySeconds: 5
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
            periodSeconds: 5
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
-        {{- if .Values.insecureScheme.enabled }}
+        {{- if .Values.tls.spire.enabled }}
        - name: spiffe-helper
          resources:
            {{- toYaml .Values.spiffeHelper.resources | nindent 12 }}
          securityContext:
            {{- include "spire-lib.securitycontext" . | nindent 12 }}
          image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
          imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
          args:
            - -config
            - /etc/spiffe-helper.conf
          volumeMounts:
            - name: spiffe-workload-api
              mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }}
              readOnly: true
            - name: spire-oidc-config
              mountPath: /etc/spiffe-helper.conf
              subPath: spiffe-helper.conf
              readOnly: true
            - name: certdir
              mountPath: /certs
        {{- end }}
        {{- if not $tlsEnabled }}
        - name: nginx
          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- include "spire-lib.securitycontext" . | nindent 12 }}
-          image: {{ template "spiffe-oidc-discovery-provider.image" .Values.insecureScheme.nginx }}
+          image: {{ template "spire-lib.image" (dict "image" .Values.insecureScheme.nginx.image "global" .Values.global) }}
          imagePullPolicy: {{ .Values.insecureScheme.nginx.image.pullPolicy }}
          ports:
-            - containerPort: 80
+            - containerPort: 8080
              name: http
          volumeMounts:
            - name: spire-oidc-sockets
              mountPath: /run/spire/oidc-sockets
              readOnly: true
            - name: spire-oidc-config
-              mountPath: /etc/nginx/templates/default.conf.template
+              mountPath: /etc/nginx/conf.d/default.conf
-              subPath: default.conf.template
+              subPath: default.conf
              readOnly: true
            - name: nginx-tmp
              mountPath: /tmp
              readOnly: false
          resources:
            {{- toYaml .Values.insecureScheme.nginx.resources | nindent 12 }}
        {{- if or (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) (and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "prometheus" true .Values.global)) }}
        - name: nginx-exporter
          securityContext:
            {{- include "spire-lib.securitycontext" . | nindent 12 }}
          image: {{ template "spire-lib.image" (dict "image" .Values.telemetry.prometheus.nginxExporter.image "global" .Values.global) }}
          imagePullPolicy: {{ .Values.telemetry.prometheus.nginxExporter.image.pullPolicy }}
          args:
          - -nginx.scrape-uri=http://127.0.0.1:8080/stub_status
          resources:
            {{- toYaml .Values.telemetry.prometheus.nginxExporter.resources | nindent 12 }}
          ports:
            - containerPort: 9113
              name: prom
        {{- end }}
        {{- end }}
      volumes:
        {{- if or .Values.tls.spire.enabled (eq .Values.bundleSource "CSI") }}
        - name: spiffe-workload-api
          csi:
-            driver: "csi.spiffe.io"
+            driver: "{{ .Values.csiDriverName }}"
            readOnly: true
        {{- end }}
        {{- if eq .Values.bundleSource "ConfigMap" }}
        - name: spiffe-bundle
          configMap:
            name: {{ include "spire-lib.bundle-configmap" . }}
        {{- end }}
        - name: spire-oidc-sockets
          emptyDir: {}
        - name: spire-oidc-config
          configMap:
            name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}
        - name: nginx-tmp
          emptyDir: {}
        - name: certdir
          {{- if .Values.tls.externalSecret.enabled }}
          secret:
            secretName: {{ .Values.tls.externalSecret.secretName }}
          {{- else if .Values.tls.certManager.enabled }}
          secret:
            secretName: {{ include "spiffe-oidc-discovery-provider.fullname" . }}-cert
          {{- else }}
          emptyDir: {}
          {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/hpa.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/hpa.yaml
@ -1,8 +1,9 @@
 {{- if .Values.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta1
+apiVersion: {{ include "spire-lib.autoscalingVersion" . }}
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}
  namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }}
  labels:
    {{- include "spiffe-oidc-discovery-provider.labels" . | nindent 4 }}
 spec:
@ -13,16 +14,20 @@ spec:
  minReplicas: {{ .Values.autoscaling.minReplicas }}
  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
    - type: Resource
      resource:
        name: memory
-        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
    {{- end }}
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
 {{- end }}
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/ingress.yaml
@ -0,0 +1,49 @@
 {{- if .Values.ingress.enabled -}}
 {{- $tlsEnabled := eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "true" }}
 {{- $port := .Values.service.ports.https }}
 {{- if not $tlsEnabled }}
 {{- $port = .Values.service.ports.http }}
 {{- end }}
 {{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.ingress) }}
 {{- $fullName := include "spiffe-oidc-discovery-provider.fullname" . }}
 {{- $path := "/" }}
 {{- $pathType := "Prefix" }}
 {{- $tlsSection := true }}
 {{- $annotations := deepCopy .Values.ingress.annotations }}
 {{- if eq $ingressControllerType "ingress-nginx" }}
 {{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
 {{-   $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
 {{-   if $tlsEnabled }}
 {{-     $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
 {{-     if not (and .Values.ingress.enabled .Values.ingress.tlsSecret) }}
 {{-       $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
 {{-     end }}
 {{-   end }}
 {{- else if eq $ingressControllerType "openshift" }}
 {{-   if not $tlsEnabled }}
 {{-     $_ := set $annotations "route.openshift.io/termination" "edge" }}
 {{-   else }}
 {{-     if and .Values.ingress.enabled .Values.ingress.tlsSecret }}
 {{-       $_ := set $annotations "route.openshift.io/termination" "reencrypt" }}
 {{-     else }}
 {{-       $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
 {{-     end }}
 {{-   end }}
 {{-   $path = "" }}
 {{-   $pathType = "ImplementationSpecific" }}
 {{-   $tlsSection = false }}
 {{- end }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ $fullName }}
  namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }}
  labels:
    {{ include "spiffe-oidc-discovery-provider.labels" . | nindent 4 }}
  {{- with $annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.ingress "svcName" $fullName "port" $port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
 {{- end }}
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/issuer.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/issuer.yaml
@ -0,0 +1,22 @@
 {{- define "spiffe-oidc-discovery-provider.cert-manager-default-issuer" }}
 {{-   if not .Values.tls.certManager.issuer.acme.email }}
 {{-     fail "You must specify an email address via certManager.issuer.acme.email" }}
 {{-   end }}
 email: {{ .Values.tls.certManager.issuer.acme.email | quote}}
 server: {{ .Values.tls.certManager.issuer.acme.server | quote}}
 privateKeySecretRef:
  name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}-issuer
 solvers:
 - http01:
    ingress: {}
 {{- end }}
 {{- if and .Values.tls.certManager.enabled .Values.tls.certManager.issuer.create }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}
  namespace: {{ include "spiffe-oidc-discovery-provider.namespace" . }}
 spec:
  acme:
    {{ mergeOverwrite (include "spiffe-oidc-discovery-provider.cert-manager-default-issuer" . | fromYaml) .Values.tls.certManager.issuer.acme | toYaml | nindent 4 }}
 {{- end }}
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/podmonitor.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/podmonitor.yaml
@ -0,0 +1,29 @@
 {{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }}
 {{- if (dig "telemetry" "prometheus" "podMonitor" "enabled" .Values.telemetry.prometheus.podMonitor.enabled .Values.global) }}
 {{- $namespace := include "spiffe-oidc-discovery-provider.podMonitor.namespace" . }}
 {{- $podNamespace := ( include "spiffe-oidc-discovery-provider.namespace" . ) }}
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
  name: {{ include "spire-agent.fullname" . }}
  namespace: {{ $namespace }}
  labels:
    {{- include "spire-agent.labels" . | nindent 4 }}
    {{- if ne (len (dig "telemetry" "prometheus" "podMonitor" "labels" (dict) .Values.global)) 0 }}
    {{- .Values.global.telemetry.prometheus.podMonitor.labels | toYaml | nindent 4 }}
    {{- end }}
    {{- with .Values.telemetry.prometheus.podMonitor.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
 spec:
  selector:
    matchLabels:
      {{- include "spire-agent.selectorLabels" . | nindent 6 }}
  podMetricsEndpoints:
    - port: prom
  {{- if ne $namespace $podNamespace }}
  namespaceSelector:
    kubernetes.io/metadata.name: {{ $podNamespace }}
  {{- end }}  
 {{- end }}
 {{- end }}
--- a/Show More
+++ b/Show More