Bump test chart dependencies (#641 )

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: marcofranssen <694733+marcofranssen@users.noreply.github.com> Co-authored-by: kfox1111 <Kevin.Fox@pnnl.gov>
Add Datadog as telemetry option (#639 )
2025-08-07 07:27:41 -07:00 · 2025-08-07 07:03:15 -07:00 · 2025-08-05 03:27:50 -07:00 · 2025-07-28 12:42:44 -07:00 · 2025-07-28 12:30:10 -07:00 · 2025-07-28 07:19:58 -07:00
146 changed files with 4747 additions and 856 deletions
--- a/.github/scripts/update-versions.sh
+++ b/.github/scripts/update-versions.sh
@ -32,7 +32,7 @@ jq -r ".[].name" "${CHARTJSON}" | while read -r NAME; do
  echo Processing: "${NAME}"
  echo "  chart: ${REGISTRY}"
  echo "  current version: ${VERSION}"
-  LATEST_VERSION=$(crane ls "$REGISTRY" | grep 'v[0-9]*\.[0-9]*\.[0-9]\.*$' | sort -V -r | head -n 1)
+  LATEST_VERSION=$(crane ls "$REGISTRY" | grep 'v\?[0-9]*\.[0-9]*\.[0-9]\.*$' | sort -V -r | head -n 1)
  echo "  latest version: ${LATEST_VERSION}"
  if [ "x${VERSION}" != "x${LATEST_VERSION}" ]; then
    echo "  New version found!"
--- a/.github/tests/charts.json
+++ b/.github/tests/charts.json
@ -2,26 +2,16 @@
  {
    "name": "kube-prometheus-stack",
    "repo": "https://prometheus-community.github.io/helm-charts",
-    "version": "62.3.1"
+    "version": "75.15.1"
  },
  {
    "name": "cert-manager",
    "repo": "https://charts.jetstack.io",
-    "version": "v1.15.3"
+    "version": "v1.18.2"
  },
  {
    "name": "ingress-nginx",
    "repo": "https://kubernetes.github.io/ingress-nginx",
-    "version": "4.11.2"
-  },
-  {
-    "name": "mysql",
-    "repo": "https://charts.bitnami.com/bitnami",
-    "version": "11.1.15"
-  },
-  {
-    "name": "postgresql",
-    "repo": "https://charts.bitnami.com/bitnami",
-    "version": "15.5.27"
+    "version": "4.13.0"
  }
 ]
--- a/.github/tests/common.sh
+++ b/.github/tests/common.sh
@ -82,6 +82,16 @@ while true; do
 done
 )

+common_test_file_exists () (
+count=20
+while true; do
+        if [ -f "$1" ]; then exit 0; fi
+        sleep 2
+        count=$((count-1))
+        [ $count -le 0 ] && exit 1
+done
+)
+
 # Used just for testing. You should provide your own values as described in the install instructions.
 common_test_your_values () {
 cat > /tmp/$$.example-your-values.yaml <<EOF
--- a/.github/tests/images.json
+++ b/.github/tests/images.json
@ -7,8 +7,13 @@
    },
    {
      "query": "chown.image",
-      "filter": "LATESTSHA",
-      "sort-flags": []
+      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
+      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
+    },
+    {
+      "query": "tools.busybox.image",
+      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
+      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
    }
  ],
  "spire-agent/values.yaml": [
@ -63,6 +68,11 @@
      "query": "tests.busybox.image",
      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+-uclibc$",
      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
+    },
+    {
+      "query": "spiffeHelper.image",
+      "filter": "^[0-9]\\+\\.[0-9]\\+\\.[0-9]\\+$",
+      "sort-flags": ["-t", ".", "-k1,1n", "-k2,2n", "-k3,3n"]
    }
  ],
  "tornjak-frontend/values.yaml": [
--- a/.github/tests/oci-charts.json
+++ b/.github/tests/oci-charts.json
@ -1,7 +1,17 @@
 [
+  {
+    "name": "mysql",
+    "registry": "docker.io/bitnamicharts/mysql",
+    "version": "14.0.0"
+  },
+  {
+    "name": "postgresql",
+    "registry": "docker.io/bitnamicharts/postgresql",
+    "version": "16.7.9"
+  },
  {
    "name": "envoy-gateway",
    "registry": "docker.io/envoyproxy/gateway-helm",
-    "version": ""
+    "version": "v1.4.2"
  }
 ]
--- a/.github/tests/pre-install.sh
+++ b/.github/tests/pre-install.sh
@ -37,13 +37,13 @@ kubectl wait --namespace ingress-nginx --for=condition=ready --timeout 60s pod -
 # external database

 # mysql
-"${helm_install[@]}" mysql mysql --version "$VERSION_MYSQL" --repo "$HELM_REPO_MYSQL" \
+"${helm_install[@]}" mysql "${HELM_REGISTRY_MYSQL}" --version "$VERSION_MYSQL" \
  --namespace mysql \
  --values "${DEPS}/mysql.yaml" \
  --wait

 # postgres
-"${helm_install[@]}" postgresql postgresql --version "$VERSION_POSTGRESQL" --repo "$HELM_REPO_POSTGRESQL" \
+"${helm_install[@]}" postgresql "${HELM_REGISTRY_POSTGRESQL}" --version "$VERSION_POSTGRESQL" \
  --namespace postgresql \
  --values "${DEPS}/postgresql.yaml" \
  --wait
--- a/.github/workflows/check-versions.yaml
+++ b/.github/workflows/check-versions.yaml
@ -27,6 +27,9 @@ jobs:
        with:
          version: ${{ env.HELM_VERSION }}

+      - name: Setup crane
+        uses: imjasonh/setup-crane@v0.3
+
      - name: Update test chart versions
        run: |
          ./.github/scripts/update-versions.sh
@ -38,9 +41,6 @@ jobs:
          go-version: '1.21'
          cache: false

-      - name: Setup crane
-        uses: imjasonh/setup-crane@v0.3
-
      - uses: actions/setup-python@v5
        with:
          python-version: '3.9'
--- a/.github/workflows/helm-chart-ci-ignore.yaml
+++ b/.github/workflows/helm-chart-ci-ignore.yaml
@ -30,9 +30,9 @@ jobs:
    strategy:
      matrix:
        k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8

    steps:
      - run: 'echo "Skipping tests"'
@ -74,9 +74,9 @@ jobs:
    strategy:
      matrix:
        k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
        example:
          - ${{ fromJson(needs.build-matrix.outputs.examples) }}

@ -92,9 +92,9 @@ jobs:
    strategy:
      matrix:
        k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
        example:
          - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}

@ -110,9 +110,9 @@ jobs:
    strategy:
      matrix:
        k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8

    steps:
      - run: 'echo "Skipping upgrade-test"'
--- a/.github/workflows/helm-chart-ci.yaml
+++ b/.github/workflows/helm-chart-ci.yaml
@ -21,9 +21,9 @@ concurrency:
  cancel-in-progress: true

 env:
-  HELM_VERSION: v3.12.0
+  HELM_VERSION: v3.16.2
  PYTHON_VERSION: 3.11.3
-  KIND_VERSION: v0.19.0
+  KIND_VERSION: v0.24.0
  CHART_TESTING_VERSION: v3.8.0

 jobs:
@ -130,9 +130,9 @@ jobs:
        # Kubernetes, but can go back farther as long as we don't need heroics
        # to pull it off (i.e. kubectl version juggling).
        k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8

    steps:
      - name: Checkout
@ -171,7 +171,7 @@ jobs:
      - name: Run chart-testing (install)
        run: |
          helm install -n spire-server spire-crds charts/spire-crds
-          ct install --config ct.yaml --excluded-charts spire-crds \
+          ct install --config ct.yaml --excluded-charts spire-crds,spiffe-step-ssh \
            --target-branch ${{ github.base_ref }}

      - name: Test summary
@ -218,9 +218,9 @@ jobs:
      fail-fast: false
      matrix:
        k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
        example:
          - ${{ fromJson(needs.build-matrix.outputs.examples) }}

@ -243,7 +243,7 @@ jobs:
        # Only build a kind cluster if there are chart changes to test.
        with:
          version: ${{ env.KIND_VERSION }}
-          node_image: kindest/node:v1.26.4
+          node_image: kindest/node:${{ matrix.k8s }}
          config: .github/kind/conf/kind-config.yaml
          verbosity: 1

@ -256,6 +256,7 @@ jobs:
            kubectl create namespace spire-server
            helm install -n spire-server spire-crds charts/spire-crds
          fi
+          export K8S="${{ matrix.k8s }}"
          ${{ matrix.example }}/run-tests.sh

  integration-test:
@ -269,9 +270,9 @@ jobs:
      fail-fast: false
      matrix:
        k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8
        integrationtest:
          - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}

@ -294,7 +295,7 @@ jobs:
        # Only build a kind cluster if there are chart changes to test.
        with:
          version: ${{ env.KIND_VERSION }}
-          node_image: kindest/node:v1.26.4
+          node_image: kindest/node:${{ matrix.k8s }}
          config: .github/kind/conf/kind-config.yaml
          verbosity: 1

@ -314,9 +315,9 @@ jobs:
      fail-fast: false
      matrix:
        k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.4
+          - v1.29.8

    steps:
      - name: Checkout
@ -337,7 +338,7 @@ jobs:
        # Only build a kind cluster if there are chart changes to test.
        with:
          version: ${{ env.KIND_VERSION }}
-          node_image: kindest/node:v1.26.4
+          node_image: kindest/node:${{ matrix.k8s }}
          config: .github/kind/conf/kind-config.yaml
          verbosity: 1

--- a/charts/spiffe-step-ssh/Chart.yaml
+++ b/charts/spiffe-step-ssh/Chart.yaml
@ -0,0 +1,42 @@
+apiVersion: v2
+name: spiffe-step-ssh
+description: sshd signed host certificates using SPIFFE for trust and step CA
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+
+keywords: ["spiffe", "step", "step-ca", "ssh"]
+home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spiffe-step-ssh
+sources:
+  - https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spiffe-step-ssh
+icon: https://spiffe.io/img/logos/spire/icon/color/spire-icon-color.png
+maintainers:
+  - name: kfox1111
+    email: Kevin.Fox@pnnl.gov
+
+dependencies:
+  - name: spire-lib
+    repository: file://../spire/charts/spire-lib
+    version: 0.1.0
+  - name: step-certificates
+    alias: step
+    repository: https://smallstep.github.io/helm-charts/
+    version: 1.27.4
--- a/charts/spiffe-step-ssh/README.md
+++ b/charts/spiffe-step-ssh/README.md
@ -0,0 +1,65 @@
+spire-values.yaml
+```
+spire-server:
+  nodeAttestor:
+    httpChallenge:
+      enabled: true
+  controllerManager:
+    identities:
+      clusterSPIFFEIDs:
+        spiffe-step-ssh-config:
+          type: raw
+          namespaceSelector:
+            matchLabels:
+              "kubernetes.io/metadata.name": default
+          podSelector:
+            matchLabels:
+              app: spiffe-step-ssh
+              component: config
+        spiffe-step-ssh-fetchca:
+          type: raw
+          namespaceSelector:
+            matchLabels:
+              "kubernetes.io/metadata.name": default
+          podSelector:
+            matchLabels:
+              app: spiffe-step-ssh
+              component: fetchca
+          dnsNameTemplates:
+          - "spiffe-step-ssh-fetchca.{{ .TrustDomain }}"
+```
+
+```shell
+helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
+helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f spire-values.yaml --set global.spire.ingressControllerType=ingress-nginx,spire-server.ingress.enabled=true
+```
+
+```shell
+helm upgrade --install ingress-nginx ingress-nginx -n ingress-nginx --create-namespace --repo https://kubernetes.github.io/ingress-nginx --set controller.service.type=ClusterIP,controller.service.externalIPs[0]=$(minikube ip) --set controller.watchIngressWithoutClass=true --set controller.extraArgs.enable-ssl-passthrough=
+```
+
+```shell
+PASSWORD=$(openssl rand -base64 48)
+echo "$PASSWORD" > spiffe-step-ssh-password.txt
+step ca init --helm --deployment-type=Standalone --name='My CA' --dns spiffe-step-ssh.example.org --ssh --address :8443 --provisioner default --password-file spiffe-step-ssh-password.txt > spiffe-step-ssh-values.yaml
+```
+
+ingress-values.yaml
+```yaml
+global:
+  spiffe:
+    ingressControllerType: ingress-nginx
+stepIngress:
+  enabled: true
+fetchCA:
+  ingress:
+    enabled: true
+```
+
+```shell
+helm upgrade --install spiffe-step-ssh . --set caPassword=`cat spiffe-step-ssh-password.txt` -f spiffe-step-ssh-values.yaml -f ingress-values.yaml --set trustDomain=example.org
+```
+
+<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
+
+## Parameters
--- a/charts/spiffe-step-ssh/ci/default-values.yaml
+++ b/charts/spiffe-step-ssh/ci/default-values.yaml
@ -0,0 +1 @@
+trustDomain: example.org
--- a/charts/spiffe-step-ssh/files/ssh_x5c.tpl
+++ b/charts/spiffe-step-ssh/files/ssh_x5c.tpl
@ -0,0 +1,13 @@
+{{- if eq (len .AuthorizationCrt.URIs) 1 }}
+{{-   $san := printf "%s" (index .AuthorizationCrt.URIs 0) }}
+{{-   if hasPrefix "spiffe://@TRUST_DOMAIN@/@PREFIX@/" $san }}
+{{-     $name := trimPrefix "spiffe://@TRUST_DOMAIN@/@PREFIX@/" $san }}
+{
+  "type": {{ toJson .Type }},
+  "keyId": {{ toJson $name }},
+  "principals": [{{ toJson $name }}],
+  "extensions": {{ toJson .Extensions }},
+  "criticalOptions": {{ toJson .CriticalOptions }}
+}
+{{-   end }}
+{{- end }}
--- a/charts/spiffe-step-ssh/templates/NOTES.txt
+++ b/charts/spiffe-step-ssh/templates/NOTES.txt
@ -0,0 +1,5 @@
+Installed {{ .Chart.Name }}…
+
+Configure your ssh clients with known_hosts file with:
+
+@cert-authority *.{{ .Values.trustDomain }} {{ .Values.inject.certificates.ssh_host_ca }}
--- a/charts/spiffe-step-ssh/templates/_helpers.tpl
+++ b/charts/spiffe-step-ssh/templates/_helpers.tpl
@ -0,0 +1,83 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "spiffe-step-ssh.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "spiffe-step-ssh.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "spiffe-step-ssh.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "spiffe-step-ssh.labels" -}}
+helm.sh/chart: {{ include "spiffe-step-ssh.chart" . }}
+{{ include "spiffe-step-ssh.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "spiffe-step-ssh.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "spiffe-step-ssh.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "spiffe-step-ssh.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "spiffe-step-ssh.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/* Takes in a dictionary with keys:
+ * global - the standard global object
+ * ingress - a standard format ingress config object
+*/}}
+{{- define "spiffe-step-ssh.ingress-controller-type" }}
+{{-   $type := "" }}
+{{-   if ne (len (dig "spiffe" "ingressControllerType" "" .global)) 0 }}
+{{-     $type = .global.spiffe.ingressControllerType }}
+{{-   else if ne .ingress.controllerType "" }}
+{{-     $type = .ingress.controllerType }}
+{{-   else if (dig "openshift" false .global) }}
+{{-     $type = "openshift" }}
+{{-   else }}
+{{-     $type = "other" }}
+{{-   end }}
+{{-   if not (has $type (list "ingress-nginx" "openshift" "other")) }}
+{{-     fail "Unsupported ingress controller type specified. Must be one of [ingress-nginx, openshift, other]" }}
+{{-   end }}
+{{-   $type }}
+{{- end }}
--- a/charts/spiffe-step-ssh/templates/config-configmap.yaml
+++ b/charts/spiffe-step-ssh/templates/config-configmap.yaml
@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-config-deployment
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  spiffe-helper.conf: |
+    agent_address = "/spiffe-workload-api/spire-agent.sock"
+    cmd = "sh"
+    cmd_args = "/config-deployment/update.sh"
+    cert_dir = "/certs"
+    svid_file_name = "tls.crt"
+    svid_key_file_name = "tls.key"
+    svid_bundle_file_name = "ca.pem"
+    add_intermediates_to_bundle = false
+  update.sh: |
+    #!/bin/sh
+    export ROOTS=$(base64 /certs/ca.pem | tr '\n' ' ' | sed 's/ //g')
+    echo Updating Roots to "$ROOTS"
+    cat /config/ca.json > /work/ca.json
+    yq e -i -ojson '.authority.provisioners |= map(select(.name == "x5c@spiffe").roots = env(ROOTS))' /work/ca.json
+    /helper/kubectl create configmap {{ include "spiffe-step-ssh.fullname" . }}-config -n "{{ .Release.Namespace }}" --from-file=/work/ca.json --from-file=/config/defaults.json --from-file=/config/ssh_x5c.tpl --dry-run=client -o yaml | /helper/kubectl apply -f -
+    /helper/kubectl rollout restart statefulset {{ include "spiffe-step-ssh.fullname" . }} -n "{{ .Release.Namespace }}"
+    echo $?
--- a/charts/spiffe-step-ssh/templates/config-deployment.yaml
+++ b/charts/spiffe-step-ssh/templates/config-deployment.yaml
@ -0,0 +1,143 @@
+{{- $configSum := (include (print $.Template.BasePath "/config-configmap.yaml") . | sha256sum) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-config
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+    app: spiffe-step-ssh
+    component: config
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "spiffe-step-ssh.selectorLabels" . | nindent 6 }}
+      app: spiffe-step-ssh
+      component: config
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ $configSum }}
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "spiffe-step-ssh.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        app: spiffe-step-ssh
+        component: config
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "spiffe-step-ssh.serviceAccountName" . }}-svc-config
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      initContainers:
+      - name: setup-volume-p1
+        image: {{ template "spire-lib.image" (dict "image" .Values.busybox.image "global" .Values.global) }}
+        imagePullPolicy: {{ .Values.busybox.image.pullPolicy }}
+        command:
+        - sh
+        - -c
+        - 'cp -a /bin/busybox /helper'
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+        volumeMounts:
+        - name: spiffe-helper
+          mountPath: /helper
+        resources:
+          {{- toYaml .Values.config.resources | nindent 12 }}
+      - name: setup-volume-p2
+        image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
+        imagePullPolicy: {{ .Values.kubectl.image.pullPolicy }}
+        command:
+        - /helper/busybox
+        - sh
+        - -c
+        - '/helper/busybox cp -a /bin/kubectl /helper'
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+        volumeMounts:
+        - name: spiffe-helper
+          mountPath: /helper
+        resources:
+          {{- toYaml .Values.config.resources | nindent 12 }}
+      - name: setup-volume-p3
+        image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
+        imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
+        command:
+        - /helper/busybox
+        - sh
+        - -c
+        - '/helper/busybox cp -a /spiffe-helper /helper && /helper/busybox rm -f /helper/busybox'
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+        volumeMounts:
+        - name: spiffe-helper
+          mountPath: /helper
+        resources:
+          {{- toYaml .Values.config.resources | nindent 12 }}
+      containers:
+      - name: {{ .Chart.Name }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+        image: {{ template "spire-lib.image" (dict "image" .Values.yq.image "global" .Values.global) }}
+        imagePullPolicy: {{ .Values.yq.image.pullPolicy }}
+        command:
+        - /helper/spiffe-helper
+        - -config
+        - /config-deployment/spiffe-helper.conf
+        resources:
+          {{- toYaml .Values.config.resources | nindent 12 }}
+        volumeMounts:
+        - name: spiffe-helper
+          mountPath: /helper
+          readOnly: true
+        - name: config
+          mountPath: /config
+          readOnly: true
+        - name: config-deployment
+          mountPath: /config-deployment
+          readOnly: true
+        - name: certdir
+          mountPath: /certs
+        - name: spiffe-workload-api
+          mountPath: /spiffe-workload-api
+          readOnly: true
+        - name: workdir
+          mountPath: /work
+      volumes:
+      - name: spiffe-workload-api
+        csi:
+          driver: {{ .Values.csiDriver | quote }}
+          readOnly: true
+      - name: config-deployment
+        configMap:
+          name: {{ include "spiffe-step-ssh.fullname" . }}-config-deployment
+      - name: config
+        configMap:
+          name: {{ include "spiffe-step-ssh.fullname" . }}-config-raw
+      - name: certdir
+        emptyDir: {}
+      - name: spiffe-helper-config
+        emptyDir: {}
+      - name: spiffe-helper
+        emptyDir: {}
+      - name: workdir
+        emptyDir: {}
+      {{- with .Values.config.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.config.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.config.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
--- a/charts/spiffe-step-ssh/templates/config-role.yaml
+++ b/charts/spiffe-step-ssh/templates/config-role.yaml
@ -0,0 +1,41 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
+rules:
+  - apiGroups: [""]
+    resources: [configmaps]
+    verbs:
+      - create
+  - apiGroups: [""]
+    resources: [configmaps]
+    resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}-config]
+    verbs:
+      - get
+      - update
+      - patch
+  - apiGroups: ["apps"]
+    resources: [statefulsets]
+    resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}]
+    verbs:
+      - get
+      - patch
+  - apiGroups: ["apps"]
+    resources: [deployments]
+    resourceNames: [{{ include "spiffe-step-ssh.fullname" . }}-fetchca]
+    verbs:
+      - get
+      - patch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "spiffe-step-ssh.fullname" . }}-svc-config
+  apiGroup: rbac.authorization.k8s.io
--- a/charts/spiffe-step-ssh/templates/config-serviceaccount.yaml
+++ b/charts/spiffe-step-ssh/templates/config-serviceaccount.yaml
@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "spiffe-step-ssh.serviceAccountName" . }}-svc-config
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+    component: config
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/charts/spiffe-step-ssh/templates/fetchca-configmap.yaml
+++ b/charts/spiffe-step-ssh/templates/fetchca-configmap.yaml
@ -0,0 +1,28 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  spiffe-helper-init.conf: |
+    agent_address = "/spiffe-workload-api/spire-agent.sock"
+    cmd = ""
+    cmd_args = ""
+    cert_dir = "/certs"
+    svid_file_name = "tls.crt"
+    svid_key_file_name = "tls.key"
+    svid_bundle_file_name = "ca.pem"
+    add_intermediates_to_bundle = false
+  spiffe-helper-sidecar.conf: |
+    agent_address = "/spiffe-workload-api/spire-agent.sock"
+    cmd = "/busybox/busybox"
+    cmd_args = "sh /update.sh"
+    cert_dir = "/certs"
+    svid_file_name = "tls.crt"
+    svid_key_file_name = "tls.key"
+    svid_bundle_file_name = "ca.pem"
+    add_intermediates_to_bundle = false
+  update.sh: |
+    #!/bin/sh
+    /busybox/busybox kill -HUP `/busybox/busybox busybox cat /pid/pid`
--- a/charts/spiffe-step-ssh/templates/fetchca-deployment.yaml
+++ b/charts/spiffe-step-ssh/templates/fetchca-deployment.yaml
@ -0,0 +1,182 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+    app: spiffe-step-ssh
+    component: fetchca
+spec:
+  {{- if not .Values.fetchCA.autoscaling.enabled }}
+  replicas: {{ .Values.fetchCA.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "spiffe-step-ssh.selectorLabels" . | nindent 6 }}
+      app: spiffe-step-ssh
+      component: fetchca
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "spiffe-step-ssh.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        app: spiffe-step-ssh
+        component: fetchca
+    spec:
+      shareProcessNamespace: true
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "spiffe-step-ssh.serviceAccountName" . }}-fetchca
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      initContainers:
+        - name: busybox-volume
+          image: {{ template "spire-lib.image" (dict "image" .Values.busybox.image "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.busybox.image.pullPolicy }}
+          command:
+          - sh
+          - -c
+          - 'cp -a /bin/busybox /busybox'
+          volumeMounts:
+          - name: busybox
+            mountPath: /busybox
+          resources:
+            {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
+        - name: init-tls
+          image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
+          command:
+          - /spiffe-helper
+          - -config
+          - /etc/spiffe-helper.conf
+          - -daemon-mode=false
+          volumeMounts:
+          - name: spiffe-workload-api
+            mountPath: /spiffe-workload-api
+            readOnly: true
+          - name: config
+            mountPath: /etc/spiffe-helper.conf
+            subPath: spiffe-helper-init.conf
+            readOnly: true
+          - name: certs
+            mountPath: /certs
+          resources:
+            {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
+      containers:
+        - name: {{ .Chart.Name }}-fetchca
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: {{ template "spire-lib.image" (dict "image" .Values.nginx.image "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.nginx.image.pullPolicy }}
+          command:
+          - /bin/sh
+          - -c
+          - |
+            echo $$$$ > /pid/pid
+            cat > /etc/nginx/conf.d/ssl.conf <<EOF
+            server {
+                listen       8443 ssl;
+                server_name  localhost;
+                ssl_certificate     /certs/tls.crt;
+                ssl_certificate_key /certs/tls.key;
+                location / {
+                    root   /usr/share/nginx/html;
+                    index  root_ca.crt index.html index.htm;
+                }
+                error_page   500 502 503 504  /50x.html;
+                location = /50x.html {
+                    root   /usr/share/nginx/html;
+                }
+            }
+            EOF
+            exec nginx -g "daemon off;"
+          ports:
+            - name: http
+              containerPort: 8443
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+              scheme: HTTPS
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+              scheme: HTTPS
+          resources:
+            {{- toYaml .Values.fetchCA.resources | nindent 12 }}
+          volumeMounts:
+          - name: certs
+            mountPath: /certs
+            readOnly: true
+          - name: pid
+            mountPath: /pid
+          - name: share
+            mountPath: /usr/share/nginx/html
+        - name: update-tls
+          image: {{ template "spire-lib.image" (dict "image" .Values.spiffeHelper.image "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.spiffeHelper.image.pullPolicy }}
+          command:
+          - /spiffe-helper
+          - -config
+          - /etc/spiffe-helper.conf
+          volumeMounts:
+          - name: certs
+            mountPath: /certs
+          - name: spiffe-workload-api
+            mountPath: /spiffe-workload-api
+            readOnly: true
+          - name: config
+            mountPath: /etc/spiffe-helper.conf
+            subPath: spiffe-helper-sidecar.conf
+            readOnly: true
+          - name: config
+            mountPath: /update.sh
+            subPath: update.sh
+            readOnly: true
+          - name: pid
+            mountPath: /pid
+            readOnly: true
+          - name: busybox
+            mountPath: /busybox
+            readOnly: true
+          resources:
+            {{- toYaml .Values.fetchCA.spiffeHelper.resources | nindent 12 }}
+      volumes:
+      - name: certs
+        emptyDir: {}
+      - name: pid
+        emptyDir: {}
+      - name: busybox
+        emptyDir: {}
+      - name: config
+        configMap:
+          name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
+      - name: spiffe-workload-api
+        csi:
+          driver: {{ .Values.csiDriver | quote }}
+          readOnly: true
+      - name: share
+        configMap:
+          name: {{ include "spiffe-step-ssh.fullname" . }}-certs
+      {{- with .Values.fetchCA.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.fetchCA.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.fetchCA.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
--- a/charts/spiffe-step-ssh/templates/fetchca-hpa.yaml
+++ b/charts/spiffe-step-ssh/templates/fetchca-hpa.yaml
@ -0,0 +1,32 @@
+{{- if .Values.fetchCA.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchCA
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
+  minReplicas: {{ .Values.fetchCA.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.fetchCA.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.fetchCA.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.fetchCA.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.fetchCA.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.fetchCA.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}
--- a/charts/spiffe-step-ssh/templates/fetchca-ingress.yaml
+++ b/charts/spiffe-step-ssh/templates/fetchca-ingress.yaml
@ -0,0 +1,31 @@
+{{- if .Values.fetchCA.ingress.enabled -}}
+{{- $ingressControllerType := include "spiffe-step-ssh.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.fetchCA.ingress) }}
+{{- $fullName := printf "%s-fetchca" (include "spiffe-step-ssh.fullname" .) -}}
+{{- $path := "/" }}
+{{- $pathType := "Prefix" }}
+{{- $tlsSection := true }}
+{{- $annotations := deepCopy .Values.fetchCA.ingress.annotations }}
+{{- if eq $ingressControllerType "ingress-nginx" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
+{{- else if eq $ingressControllerType "openshift" }}
+{{-   $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
+{{-   $path = "" }}
+{{-   $pathType = "ImplementationSpecific" }}
+{{-   $tlsSection = false }}
+{{- end }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{ include "spiffe-step-ssh.labels" . | nindent 4}}
+  {{- with $annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.fetchCA.ingress "svcName" $fullName "port" .Values.fetchCA.service.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
+{{- end }}
--- a/charts/spiffe-step-ssh/templates/fetchca-service.yaml
+++ b/charts/spiffe-step-ssh/templates/fetchca-service.yaml
@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-fetchca
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+    app: spiffe-step-ssh
+    component: fetchca
+spec:
+  type: {{ .Values.fetchCA.service.type }}
+  ports:
+    - port: {{ .Values.fetchCA.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "spiffe-step-ssh.selectorLabels" . | nindent 4 }}
--- a/charts/spiffe-step-ssh/templates/fetchca-serviceaccount.yaml
+++ b/charts/spiffe-step-ssh/templates/fetchca-serviceaccount.yaml
@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "spiffe-step-ssh.serviceAccountName" . }}-fetchca
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/charts/spiffe-step-ssh/templates/ssh-certificate-issuer-password-secret.yaml
+++ b/charts/spiffe-step-ssh/templates/ssh-certificate-issuer-password-secret.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-certificate-issuer-password
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  password: {{ .Values.caPassword | b64enc }}
--- a/charts/spiffe-step-ssh/templates/step-ca-password-secret.yaml
+++ b/charts/spiffe-step-ssh/templates/step-ca-password-secret.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-ca-password
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  password: {{ .Values.caPassword | b64enc }}
--- a/charts/spiffe-step-ssh/templates/step-certs-configmap.yaml
+++ b/charts/spiffe-step-ssh/templates/step-certs-configmap.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-certs
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  "root_ca.crt": |
+    {{- .Values.inject.certificates.root_ca | nindent 4}}
+  "intermediate_ca.crt": |
+    {{ .Values.inject.certificates.intermediate_ca | nindent 4}}
+  "ssh_host_ca_key.pub": |
+    {{ .Values.inject.certificates.ssh_host_ca | nindent 4 }}
+  "ssh_user_ca_key.pub": |
+    {{ .Values.inject.certificates.ssh_user_ca | nindent 4 }}
--- a/charts/spiffe-step-ssh/templates/step-config.yaml
+++ b/charts/spiffe-step-ssh/templates/step-config.yaml
@ -0,0 +1,32 @@
+{{- define "spiffe-step-ssh.config-provisioners" }}
+type: X5C
+name: "x5c@spiffe"
+roots: ""
+claims:
+  maxTLSCertDuration: {{ .Values.maxTLSCertDuration | quote }}
+  defaultTLSCertDuration: {{ .Values.defaultTLSCertDuration | quote }}
+  disableRenewal: true
+  enableSSHCA: true
+disableCustomSANs: true
+options:
+ ssh:
+   templateFile: /home/step/config/ssh_x5c.tpl
+{{- end }}
+{{ $ca := deepCopy (index .Values.inject.config.files "ca.json") }}
+{{ $_ := set $ca.authority "provisioners" (list (include "spiffe-step-ssh.config-provisioners" . | fromYaml )) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-config-raw
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  "ca.json": |
+    {{- $ca | toPrettyJson | nindent 4 }}
+  "defaults.json": |
+    {{- index .Values.inject.config.files "defaults.json" | toPrettyJson | nindent 4 }}
+{{- if eq .Values.trustDomain "" }}
+{{-   fail "You must set trustDomain" }}
+{{- end }}
+  "ssh_x5c.tpl": |
+    {{- .Files.Get "files/ssh_x5c.tpl" | replace "@TRUST_DOMAIN@" .Values.trustDomain | replace "@PREFIX@" .Values.prefix | nindent 4}}
--- a/charts/spiffe-step-ssh/templates/step-ingress.yaml
+++ b/charts/spiffe-step-ssh/templates/step-ingress.yaml
@ -0,0 +1,31 @@
+{{- if .Values.stepIngress.enabled -}}
+{{- $ingressControllerType := include "spiffe-step-ssh.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.stepIngress) }}
+{{- $fullName := printf "%s" (include "spiffe-step-ssh.fullname" .) -}}
+{{- $path := "/" }}
+{{- $pathType := "Prefix" }}
+{{- $tlsSection := true }}
+{{- $annotations := deepCopy .Values.stepIngress.annotations }}
+{{- if eq $ingressControllerType "ingress-nginx" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
+{{- else if eq $ingressControllerType "openshift" }}
+{{-   $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
+{{-   $path = "" }}
+{{-   $pathType = "ImplementationSpecific" }}
+{{-   $tlsSection = false }}
+{{- end }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{ include "spiffe-step-ssh.labels" . | nindent 4}}
+  {{- with $annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.stepIngress "svcName" $fullName "port" .Values.step.service.port "path" $path "pathType" $pathType "tlsSection" $tlsSection "Values" .Values) | nindent 2 }}
+{{- end }}
--- a/charts/spiffe-step-ssh/templates/step-secret.yaml
+++ b/charts/spiffe-step-ssh/templates/step-secret.yaml
@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-secrets
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  root_ca_key: {{ .Values.inject.secrets.x509.root_ca_key | b64enc }}
+  intermediate_ca_key: {{ .Values.inject.secrets.x509.intermediate_ca_key | b64enc }}
+  ssh_host_ca_key: {{ .Values.inject.secrets.ssh.host_ca_key | b64enc }}
+  ssh_user_ca_key: {{ .Values.inject.secrets.ssh.user_ca_key | b64enc }}
--- a/charts/spiffe-step-ssh/templates/step-ssh-host-ca-password-secret.yaml
+++ b/charts/spiffe-step-ssh/templates/step-ssh-host-ca-password-secret.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-ssh-host-ca-password
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  password: {{ .Values.caPassword | b64enc }}
--- a/charts/spiffe-step-ssh/templates/step-ssh-user-ca-password-secret.yaml
+++ b/charts/spiffe-step-ssh/templates/step-ssh-user-ca-password-secret.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "spiffe-step-ssh.fullname" . }}-ssh-user-ca-password
+  labels:
+    {{- include "spiffe-step-ssh.labels" . | nindent 4 }}
+data:
+  password: {{ .Values.caPassword | b64enc }}
--- a/charts/spiffe-step-ssh/values.yaml
+++ b/charts/spiffe-step-ssh/values.yaml
@ -0,0 +1,292 @@
+# Default values for spiffe-step-ssh.
+# SPDX-License-Identifier: APACHE-2.0
+
+global:
+  spiffe:
+    ## @param global.spiffe.ingressControllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
+    ingressControllerType: ""
+
+## @param trustDomain The trust domain for SPIRE
+trustDomain: ""
+## @param caPassword Password securing the SSH CA
+caPassword: ""
+## @param maxTLSCertDuration The maximum duration the X5C traded cert is valid for.
+maxTLSCertDuration: 24h
+## @param defaultTLSCertDuration The default duration the X5C traded cert is valid for.
+defaultTLSCertDuration: 1h
+## @param prefix Prefix where hosts show up that are allowed to get ssh host certs
+prefix: sshd
+## @param csiDriver The csi driver to use
+csiDriver: csi.spiffe.io
+
+## @skip inject
+## These will be generated by the step-ca tool
+inject:
+  secrets:
+    x509:
+      root_ca_key: ""
+      intermediate_ca_key: ""
+    ssh:
+      host_ca_key: ""
+      user_ca_key: ""
+  config:
+    files:
+      ca.json:
+        authority: {}
+  certificates:
+    root_ca: ""
+    intermediate_ca: ""
+    ssh_host_ca: ""
+    ssh_user_ca: ""
+
+stepIngress:
+  ## @param stepIngress.enabled Flag to enable ingress
+  enabled: false
+  ## @param stepIngress.className Ingress class name
+  className: ""
+  ## @param stepIngress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
+  controllerType: ""
+  ## @param stepIngress.annotations [object] Annotations for the ingress object
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+    # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    # If Profile Type == https_spiffe:
+    # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+
+  ## @param stepIngress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
+  host: "spiffe-step-ssh"
+
+  ## @param stepIngress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
+  tlsSecret: ""
+
+  ## @param stepIngress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
+  hosts: []
+  #  - host: spiffe-step-ssh.example.org
+  #    paths:
+  #      - path: /
+  #        pathType: Prefix
+
+  ## @param stepIngress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
+  tls: []
+  #  - hosts:
+  #      - spiffe-step-ssh.example.org
+
+## @skip step
+step:
+  service:
+    port: 443
+    targetPort: 8443
+  inject:
+    enabled: false
+  bootstrap:
+    enabled: false
+    configmaps: false
+    secrets: false
+  existingSecrets:
+    enabled: true
+    ca: true
+    issuer: true
+    certsAsSecret: false
+    configAsSecret: false
+    sshHostCa: true
+    sshUserCa: true
+
+spiffeHelper:
+  ## @param spiffeHelper.image.registry The OCI registry to pull the image from
+  ## @param spiffeHelper.image.repository The repository within the registry
+  ## @param spiffeHelper.image.pullPolicy The image pull policy
+  ## @param spiffeHelper.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: ghcr.io
+    repository: spiffe/spiffe-helper
+    pullPolicy: IfNotPresent
+    tag: 0.8.0
+
+nginx:
+  ## @param nginx.image.registry The OCI registry to pull the image from
+  ## @param nginx.image.repository The repository within the registry
+  ## @param nginx.image.pullPolicy The image pull policy
+  ## @param nginx.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: docker.io
+    repository: nginxinc/nginx-unprivileged
+    pullPolicy: IfNotPresent
+    tag: 1.25.3-alpine
+
+kubectl:
+  ## @param kubectl.image.registry The OCI registry to pull the image from
+  ## @param kubectl.image.repository The repository within the registry
+  ## @param kubectl.image.pullPolicy The image pull policy
+  ## @param kubectl.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: registry.k8s.io
+    repository: kubectl
+    pullPolicy: IfNotPresent
+    tag: ""
+
+yq:
+  ## @param yq.image.registry The OCI registry to pull the image from
+  ## @param yq.image.repository The repository within the registry
+  ## @param yq.image.pullPolicy The image pull policy
+  ## @param yq.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: docker.io
+    repository: mikefarah/yq
+    pullPolicy: IfNotPresent
+    tag: "4.40.5"
+
+busybox:
+  ## @param busybox.image.registry The OCI registry to pull the image from
+  ## @param busybox.image.repository The repository within the registry
+  ## @param busybox.image.pullPolicy The image pull policy
+  ## @param busybox.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: docker.io
+    repository: busybox
+    pullPolicy: IfNotPresent
+    tag: "1.36.1-uclibc"
+
+## @param imagePullSecrets [array] Pull secrets for images
+imagePullSecrets: []
+
+## @param nameOverride Name override
+nameOverride: ""
+
+## @param fullnameOverride Fullname override
+fullnameOverride: ""
+
+## @param serviceAccount.create Specifies whether a service account should be created
+## @param serviceAccount.annotations [object] Annotations to add to the service account
+## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
+##
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""
+
+## @param podAnnotations [object] Additional pod annotations to add
+podAnnotations: {}
+## @param podLabels [object] Additional pod labels to add
+podLabels: {}
+
+## @param podSecurityContext [object} Specify pod security context settings
+podSecurityContext: {}
+  # fsGroup: 2000
+
+## @param securityContext [object] Specify container security context settings
+securityContext:
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+  # FIXME
+  runAsUser: 0
+
+fetchCA:
+  ## @param fetchCA.replicaCount Number of replicas to launch
+  replicaCount: 1
+
+  ## @param fetchCA.service.type The type of service to deploy
+  ## @param fetchCA.service.port The port number of the service port
+  service:
+    type: ClusterIP
+    port: 443
+
+  ingress:
+    ## @param fetchCA.ingress.enabled Flag to enable ingress
+    enabled: false
+    ## @param fetchCA.ingress.className Ingress class name
+    className: ""
+    ## @param fetchCA.ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
+    controllerType: ""
+    ## @param fetchCA.ingress.annotations [object] Annotations for the ingress object
+    annotations: {}
+      # kubernetes.io/ingress.class: nginx
+      # kubernetes.io/tls-acme: "true"
+      # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+      # If Profile Type == https_spiffe:
+      # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+
+    ## @param fetchCA.ingress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
+    host: "spiffe-step-ssh-fetchca"
+
+    ## @param fetchCA.ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
+    tlsSecret: ""
+
+    ## @param fetchCA.ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
+    hosts: []
+    #  - host: spiffe-step-ssh-fetchca.example.org
+    #    paths:
+    #      - path: /
+    #        pathType: Prefix
+
+    ## @param fetchCA.ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
+    tls: []
+    #  - hosts:
+    #      - spiffe-step-ssh-fetchca.example.org
+
+  ## @param fetchCA.autoscaling.enabled Enable autoscaling
+  ## @param fetchCA.autoscaling.minReplicas Minimum number of replicas to deploy
+  ## @param fetchCA.autoscaling.maxReplicas Maximum number of replicas to deploy
+  ## @param fetchCA.autoscaling.targetCPUUtilizationPercentage Target CPU utilization to use for autoscaling
+  autoscaling:
+    enabled: false
+    minReplicas: 1
+    maxReplicas: 100
+    targetCPUUtilizationPercentage: 80
+    # targetMemoryUtilizationPercentage: 80
+
+  ## @param fetchCA.resources [object] Specify resources
+  resources: {}
+    # limits:
+    #   cpu: 100m
+    #   memory: 128Mi
+    # requests:
+    #   cpu: 100m
+    #   memory: 128Mi
+
+  spiffeHelper:
+    ## @param fetchCA.spiffeHelper.resources [object] Specify resources for the SPIFFE helper
+    resources: {}
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+      # requests:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+  ## @param fetchCA.nodeSelector [object] Specify node selector
+  nodeSelector: {}
+
+  ## @param fetchCA.tolerations [array] Specify tolerations
+  tolerations: []
+
+  ## @param fetchCA.affinity [object] Specify affinity
+  affinity: {}
+
+config:
+  ## @param config.resources [object] Specify resources
+  resources: {}
+    # limits:
+    #   cpu: 100m
+    #   memory: 128Mi
+    # requests:
+    #   cpu: 100m
+    #   memory: 128Mi
+
+  ## @param config.nodeSelector [object] Specify node selector
+  nodeSelector: {}
+
+  ## @param config.tolerations [array] Specify tolerations
+  tolerations: []
+
+  ## @param config.affinity [object] Specify affinity
+  affinity: {}
--- a/charts/spire-crds/Chart.yaml
+++ b/charts/spire-crds/Chart.yaml
@ -3,7 +3,7 @@ name: spire-crds
 description: >
  A Helm chart for deploying the Spire CRDS
 type: application
-version: 0.4.0
+version: 0.5.0
 appVersion: "0.0.1"
 keywords: ["spire-crds"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
--- a/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml
+++ b/charts/spire-crds/templates/spire.spiffe.io_clusterspiffeids.yaml
@ -45,6 +45,11 @@ spec:
                description: AutoPopulateDNSNames indicates whether or not to auto
                  populate service DNS names.
                type: boolean
+              fallback:
+                description: |-
+                  Apply this ID only if there are no other matching non fallback
+                  ClusterSPIFFEIDs
+                type: boolean
              dnsNameTemplates:
                description: DNSNameTemplate represents templates for extra DNS names
                  that are applicable to SVIDs minted for this ClusterSPIFFEID. The
@ -66,6 +71,9 @@ spec:
                items:
                  type: string
                type: array
+              hint:
+                description: Set the entry hint
+                type: string
              jwtTtl:
                description: JWTTTL indicates an upper-bound time-to-live for JWT
                  SVIDs minted for this ClusterSPIFFEID.
--- a/charts/spire-nested/Chart.yaml
+++ b/charts/spire-nested/Chart.yaml
@ -3,8 +3,8 @@ name: spire-nested
 description: >
  A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.23.0
-appVersion: "1.10.3"
+version: 0.26.1
+appVersion: "1.12.4"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
--- a/charts/spire-nested/README.md
+++ b/charts/spire-nested/README.md
@ -1,6 +1,6 @@
 # spire

-![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.3](https://img.shields.io/badge/AppVersion-1.10.3-informational?style=flat-square)
+![Version: 0.26.1](https://img.shields.io/badge/Version-0.26.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.4](https://img.shields.io/badge/AppVersion-1.12.4-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)

 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@ -303,7 +303,7 @@ Now you can interact with the Spire agent socket from your own application. The
 | `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled`               | Enable the test-keys identity                                                                                                                     | `false`                      |
 | `root-spire-server.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled`                             | Enable the test-keys identity                                                                                                                     | `false`                      |
 | `root-spire-server.externalControllerManagers.enabled`                                                          | Flag to enable external controller managers                                                                                                       | `true`                       |
-| `root-spire-server.nodeAttestor.k8sPsat.serviceAccountAllowList`                                                | Allowed service accounts for Psat nodeattestor                                                                                                    | `[]`                         |
+| `root-spire-server.nodeAttestor.k8sPSAT.serviceAccountAllowList`                                                | Allowed service accounts for PSAT nodeattestor                                                                                                    | `[]`                         |
 | `root-spire-server.bundleConfigMap`                                                                             | The name of the configmap to store the upstream bundle                                                                                            | `spire-bundle-upstream`      |
 | `external-root-spire-server-full.externalServer`                                                                | Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers. | `true`                       |
 | `external-root-spire-server-full.nameOverride`                                                                  | Name override                                                                                                                                     | `root-server`                |
@ -315,7 +315,7 @@ Now you can interact with the Spire agent socket from your own application. The
 | `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.default.enabled`                 | Enable the default cluster spiffe id                                                                                                              | `false`                      |
 | `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.enabled` | Enable the test-keys identity                                                                                                                     | `false`                      |
 | `external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled`               | Enable the test-keys identity                                                                                                                     | `false`                      |
-| `external-root-spire-server-full.nodeAttestor.k8sPsat.serviceAccountAllowList`                                  | Allowed service accounts for Psat nodeattestor                                                                                                    | `[]`                         |
+| `external-root-spire-server-full.nodeAttestor.k8sPSAT.serviceAccountAllowList`                                  | Allowed service accounts for PSAT nodeattestor                                                                                                    | `[]`                         |
 | `external-root-spire-server-full.bundleConfigMap`                                                               | The name of the configmap to store the upstream bundle                                                                                            | `spire-bundle-upstream`      |
 | `external-root-spire-server-security.externalServer`                                                            | Set to true to setup the bundle configmap, rbac rules, and identity documents but doesn't deploy the server locally. Useful for external servers. | `true`                       |
 | `external-root-spire-server-security.nameOverride`                                                              | Name override                                                                                                                                     | `root-server`                |
@ -323,7 +323,7 @@ Now you can interact with the Spire agent socket from your own application. The
 | `external-root-spire-server-security.controllerManager.enabled`                                                 | Enable controller manager and provision CRD's                                                                                                     | `true`                       |
 | `external-root-spire-server-security.controllerManager.validatingWebhookConfiguration.enabled`                  | Disable only when you have another instance on the k8s cluster with webhooks enabled.                                                             | `false`                      |
 | `external-root-spire-server-security.controllerManager.className`                                               | specify to use an explicit class name.                                                                                                            | `spire-mgmt-external-server` |
-| `external-root-spire-server-security.nodeAttestor.k8sPsat.serviceAccountAllowList`                              | Allowed service accounts for Psat nodeattestor                                                                                                    | `[]`                         |
+| `external-root-spire-server-security.nodeAttestor.k8sPSAT.serviceAccountAllowList`                              | Allowed service accounts for PSAT nodeattestor                                                                                                    | `[]`                         |
 | `external-root-spire-server-security.bundleConfigMap`                                                           | The name of the configmap to store the upstream bundle                                                                                            | `spire-bundle-upstream`      |

 ### Spire server parameters
@ -350,6 +350,6 @@ Now you can interact with the Spire agent socket from your own application. The
 | `external-spire-server.upstreamAuthority.spire.enabled`                                                            | Enable upstream SPIRE server                                                          | `true`                       |
 | `external-spire-server.upstreamAuthority.spire.upstreamDriver`                                                     | Use an upstream driver for authentication                                             | `upstream.csi.spiffe.io`     |
 | `external-spire-server.upstreamAuthority.spire.server.nameOverride`                                                | The name override setting of the root SPIRE server                                    | `root-server`                |
-| `external-spire-server.notifier.k8sbundle.enabled`                                                                 | Enable local k8s bundle uploader                                                      | `false`                      |
-| `external-spire-server.nodeAttestor.k8sPsat.enabled`                                                               | Enable Psat k8s nodeattestor                                                          | `false`                      |
+| `external-spire-server.bundlePublisher.k8sConfigMap.enabled`                                                       | Enable local k8s bundle uploader                                                      | `false`                      |
+| `external-spire-server.nodeAttestor.k8sPSAT.enabled`                                                               | Enable PSAT k8s nodeattestor                                                          | `false`                      |
 | `external-spire-server.nodeAttestor.joinToken.enabled`                                                             | Enable the join_token nodeattestor                                                    | `true`                       |
--- a/charts/spire-nested/values.yaml
+++ b/charts/spire-nested/values.yaml
@ -246,8 +246,8 @@ root-spire-server:
    ## @param root-spire-server.externalControllerManagers.enabled Flag to enable external controller managers
    enabled: true
  nodeAttestor:
-    k8sPsat:
-      ## @param root-spire-server.nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor
+    k8sPSAT:
+      ## @param root-spire-server.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor
      serviceAccountAllowList:
        - spire-agent-upstream
  ## @param root-spire-server.bundleConfigMap The name of the configmap to store the upstream bundle
@ -284,8 +284,8 @@ external-root-spire-server-full:
          ## @param external-root-spire-server-full.controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled Enable the test-keys identity
          enabled: false
  nodeAttestor:
-    k8sPsat:
-      ## @param external-root-spire-server-full.nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor
+    k8sPSAT:
+      ## @param external-root-spire-server-full.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor
      serviceAccountAllowList:
        - spire-agent-upstream
  ## @param external-root-spire-server-full.bundleConfigMap The name of the configmap to store the upstream bundle
@ -308,8 +308,8 @@ external-root-spire-server-security:
    ## @param external-root-spire-server-security.controllerManager.className specify to use an explicit class name.
    className: spire-mgmt-external-server
  nodeAttestor:
-    k8sPsat:
-      ## @param external-root-spire-server-security.nodeAttestor.k8sPsat.serviceAccountAllowList [array] Allowed service accounts for Psat nodeattestor
+    k8sPSAT:
+      ## @param external-root-spire-server-security.nodeAttestor.k8sPSAT.serviceAccountAllowList [array] Allowed service accounts for PSAT nodeattestor
      serviceAccountAllowList:
        - spire-agent-upstream
  ## @param external-root-spire-server-security.bundleConfigMap The name of the configmap to store the upstream bundle
@ -384,13 +384,13 @@ external-spire-server:
      server:
        ## @param external-spire-server.upstreamAuthority.spire.server.nameOverride The name override setting of the root SPIRE server
        nameOverride: root-server
-  notifier:
-    k8sbundle:
-      ## @param external-spire-server.notifier.k8sbundle.enabled Enable local k8s bundle uploader
+  bundlePublisher:
+    k8sConfigMap:
+      ## @param external-spire-server.bundlePublisher.k8sConfigMap.enabled Enable local k8s bundle uploader
      enabled: false
  nodeAttestor:
-    k8sPsat:
-      ## @param external-spire-server.nodeAttestor.k8sPsat.enabled Enable Psat k8s nodeattestor
+    k8sPSAT:
+      ## @param external-spire-server.nodeAttestor.k8sPSAT.enabled Enable PSAT k8s nodeattestor
      enabled: false
    joinToken:
      ## @param external-spire-server.nodeAttestor.joinToken.enabled Enable the join_token nodeattestor
--- a/charts/spire/Chart.yaml
+++ b/charts/spire/Chart.yaml
@ -3,8 +3,8 @@ name: spire
 description: >
  A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.23.0
-appVersion: "1.10.3"
+version: 0.26.1
+appVersion: "1.12.4"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
@ -55,6 +55,18 @@ dependencies:
    condition: tornjak-frontend.enabled
    repository: file://./charts/tornjak-frontend
    version: 0.1.0
+  - name: spike-keeper
+    condition: spike-keeper.enabled
+    repository: file://./charts/spike-keeper
+    version: 0.1.0
+  - name: spike-nexus
+    condition: spike-nexus.enabled
+    repository: file://./charts/spike-nexus
+    version: 0.1.0
+  - name: spike-pilot
+    condition: spike-pilot.enabled
+    repository: file://./charts/spike-pilot
+    version: 0.1.0
 annotations:
  artifacthub.io/category: security
  artifacthub.io/license: Apache-2.0
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
@ -1,6 +1,6 @@
 # spire

-![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.3](https://img.shields.io/badge/AppVersion-1.10.3-informational?style=flat-square)
+![Version: 0.26.1](https://img.shields.io/badge/Version-0.26.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.4](https://img.shields.io/badge/AppVersion-1.12.4-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)

 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@ -24,11 +24,6 @@ Preparing a production deployment requires a few steps.

 1. Save the following to your-values.yaml, ideally in your git repo.

-> [!NOTE]
-> Please note that `rancher/kubectl` image does not always correspond to the most
-> recent version of Kubernetes. In order to find the most up-to-date version,
-> please visit their [releases](https://github.com/rancher/kubectl/releases) page.
-
 ```yaml
 global:
  openshift: false # If running on openshift, set to true
@ -45,10 +40,6 @@ global:
      country: ARPA
      organization: Example
      commonName: example.org
-# If rancher/kubectl doesn't have a version that matches your cluster, uncomment and update:
-#    tools:
-#       kubectl:
-#         tag: "v1.23.3"
 ```

 2. If you need a non default storageClass, append the following to the global.spire section and update:
@ -88,6 +79,42 @@ kubectl delete crds clusterfederatedtrustdomains.spire.spiffe.io clusterspiffeid

 We only support upgrading one major/minor version at a time. Version skipping isn't supported. Please see <https://spiffe.io/docs/latest/spire-helm-charts-hardened-about/upgrading/> for details.

+### 0.26.X
+
+- The notifier.k8sBundle plugin has been deprecated in favor of bundlePublisher.k8sConfigMap. The only features it does not provide are the settings `apiServiceLabel` and `webhookLabel`. If you are using either of these two features, set the chart to use the notifier.k8sBundle plugin again, and let us know. We don't think anyone is using these features.
+- The default trust bundle format has been changed to `spiffe`. This switch should be transparent unless you ware fetching the bundle from the configmap manually, or have a nested setup and dont upgrade the root, then child clusters in short order.
+
+### 0.24.X
+
+- You must upgrade [spire-crds](https://artifacthub.io/packages/helm/spiffe/spire-crds) to 0.5.0+ before performing this upgrade.
+
+- SPIRE changed the default in 1.11.0 from `spire-agent.workloadAttestors.k8s.useNewContainerLocator=false` to `spire-agent.workloadAttestors.k8s.useNewContainerLocator=true`
+
+- In order to make it easier to target specific SPIFFE IDs to workloads, a fallback feature was added to ClusterSPIFFEIDs so that a default ID will only apply when no others do. To change back to the previous behavior, use `spire-server.controllerManager.identities.clusterSPIFFEIDs.default.fallback=false`. The new default is unlikely to need changes.
+
+- We now set a hint of the ClusterSPIFFEID name on each entry created by default. This can be undone by setting the `hint=""` property on the ClusterSPIFFEID. The new default is unlikely to need changes.
+
+- We have added the remaining options needed for the SPIRE Server SQL data store plugin as native values. We have removed `spire-server.dataStore.sql.plugin_data` section as it is no longer needed. If you are using it, please migrate your settings to the ones under `spire-server.dataStore.sql`.
+
+- For users of `spire-server.upstreamAuthority.certManager`, a bug was discovered with templates not honoring `global.spire.caSubject.*`. It has been fixed, but may change values if you are not careful. Please double check the new settings are what you need them to be before completing the upgrade.
+
+- Lastly, as we approach 1.0.0, we would like to ensure all the values follow the same convention. We have made a bunch of minor changes to the values in this version to make sure they are all camel cased and properly capitalized. If you are upgrading from a previous version, please look though this list carefully to see if a value you are using is impacted:
+
+    - `spire-server.federation.bundleEndpoint.refresh_hint` -> `spire-server.federation.bundleEndpoint.refreshHint`
+    - `spire-server.nodeAttestor.k8sPsat` -> `spire-server.nodeAttestor.k8sPSAT`
+    - `spire-server.nodeAttestor.externalK8sPsat` -> `spire-server.nodeAttestor.ExternalK8sPSAT`
+    - `spire-server.notifier.k8sbundle` -> `spire-server.notifier.k8sBundle`
+    - `spire-server.ca_subject` -> `spire-server.caSubject`
+    - `spire-server.ca_subject.common_name -> `spire-server.caSubject.commonName`
+    - `spire-server.upstreamAuthority.certManager.issuer_name` -> `spire-server.upstreamAuthority.certManager.issuerName`
+    - `spire-server.upstreamAuthority.certManager.issuer_kind` -> `spire-server.upstreamAuthority.certManager.issuerKind`
+    - `spire-server.upstreamAuthority.certManager.issuer_group` -> `spire-server.upstreamAuthority.certManager.issuerGroup`
+    - `spire-server.upstreamAuthority.certManager.kube_config_file` -> `spire-server.upstreamAuthority.certManager.kubeConfigFile`
+    - `spire-agent.sds.defaultSvidName` -> `spire-agent.sds.defaultSVIDName`
+    - `spire-agent.sds.disableSpiffeCertValidation` -> `spire-agent.sds.disableSPIFFECertValidation`
+    - `spire-agent.sds.defaultSvidName` -> `spire-agent.sds.defaultSVIDName`
+    - `spire-agent.nodeAttestor.k8sPsat` -> `spire-agent.nodeAttestor.k8sPSAT`
+
 ### 0.23.X

 In previous versions, the setting spire-agent.workloadAttestors.k8s.skipKubeletVerification was set to true by default. Starting in 0.23.x, we removed that setting and replaced it with
@ -342,3 +369,21 @@ Now you can interact with the Spire agent socket from your own application. The
 | Name                       | Description                                                    | Value   |
 | -------------------------- | -------------------------------------------------------------- | ------- |
 | `tornjak-frontend.enabled` | Enables deployment of Tornjak frontend/UI (Not for production) | `false` |
+
+### SPIKE Keeper parameters
+
+| Name                   | Description                                             | Value   |
+| ---------------------- | ------------------------------------------------------- | ------- |
+| `spike-keeper.enabled` | Enables deployment of SPIKE Keeper (Not for production) | `false` |
+
+### SPIKE Nexus parameters
+
+| Name                  | Description                                            | Value   |
+| --------------------- | ------------------------------------------------------ | ------- |
+| `spike-nexus.enabled` | Enables deployment of SPIKE Nexus (Not for production) | `false` |
+
+### SPIKE Pilot parameters
+
+| Name                  | Description                                            | Value   |
+| --------------------- | ------------------------------------------------------ | ------- |
+| `spike-pilot.enabled` | Enables deployment of SPIKE Pilot (Not for production) | `false` |
--- a/charts/spire/charts/spiffe-csi-driver/Chart.yaml
+++ b/charts/spire/charts/spiffe-csi-driver/Chart.yaml
@ -3,7 +3,7 @@ name: spiffe-csi-driver
 description: A Helm chart to install the SPIFFE CSI driver.
 type: application
 version: 0.1.0
-appVersion: "0.2.3"
+appVersion: "0.2.7"
 keywords: ["spiffe", "csi-driver"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
--- a/charts/spire/charts/spiffe-csi-driver/README.md
+++ b/charts/spire/charts/spiffe-csi-driver/README.md
@ -1,6 +1,6 @@
 # spiffe-csi-driver

-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square)
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.7](https://img.shields.io/badge/AppVersion-0.2.7-informational?style=flat-square)

 A Helm chart to install the SPIFFE CSI driver.

@ -25,50 +25,54 @@ A Helm chart to install the SPIFFE CSI driver.

 ### SPIFFE CSI Driver Chart parameters

-| Name                                          | Description                                                                                                    | Value                                       |
-| --------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------- |
-| `pluginName`                                  | Set the csi driver name deployed to Kubernetes.                                                                | `csi.spiffe.io`                             |
-| `image.registry`                              | The OCI registry to pull the image from                                                                        | `ghcr.io`                                   |
-| `image.repository`                            | The repository within the registry                                                                             | `spiffe/spiffe-csi-driver`                  |
-| `image.pullPolicy`                            | The image pull policy                                                                                          | `IfNotPresent`                              |
-| `image.tag`                                   | Overrides the image tag whose default is the chart appVersion                                                  | `""`                                        |
-| `resources`                                   | Resource requests and limits for spiffe-csi-driver                                                             | `{}`                                        |
-| `healthChecks.port`                           | The healthcheck port for spiffe-csi-driver                                                                     | `9809`                                      |
-| `updateStrategy.type`                         | The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete. | `RollingUpdate`                             |
-| `updateStrategy.rollingUpdate.maxUnavailable` | Max unavailable pods during update. Can be a number or a percentage.                                           | `1`                                         |
-| `livenessProbe.initialDelaySeconds`           | Initial delay seconds for livenessProbe                                                                        | `5`                                         |
-| `livenessProbe.timeoutSeconds`                | Timeout value in seconds for livenessProbe                                                                     | `5`                                         |
-| `imagePullSecrets`                            | Image pull secret details for spiffe-csi-driver                                                                | `[]`                                        |
-| `nameOverride`                                | Name override for spiffe-csi-driver                                                                            | `""`                                        |
-| `namespaceOverride`                           | Namespace to install spiffe-csi-driver                                                                         | `""`                                        |
-| `fullnameOverride`                            | Full name override for spiffe-csi-driver                                                                       | `""`                                        |
-| `csiDriverLabels`                             | Labels to apply to the CSIDriver                                                                               | `{}`                                        |
-| `initContainers`                              | Init Containers to apply to the CSI Driver DaemonSet                                                           | `[]`                                        |
-| `serviceAccount.create`                       | Specifies whether a service account should be created                                                          | `true`                                      |
-| `serviceAccount.annotations`                  | Annotations to add to the service account                                                                      | `{}`                                        |
-| `serviceAccount.name`                         | The name of the service account to use. If not set and create is true, a name is generated.                    | `""`                                        |
-| `podAnnotations`                              | Pod annotations for spiffe-csi-driver                                                                          | `{}`                                        |
-| `podSecurityContext`                          | Security context for CSI driver pods                                                                           | `{}`                                        |
-| `securityContext.readOnlyRootFilesystem`      | Flag for read only root filesystem                                                                             | `true`                                      |
-| `securityContext.privileged`                  | Flag for specifying privileged mode                                                                            | `true`                                      |
-| `nodeSelector`                                | Node selector for CSI driver pods                                                                              | `{}`                                        |
-| `tolerations`                                 | Tolerations for CSI driver pods                                                                                | `[]`                                        |
-| `affinity`                                    | Node affinity                                                                                                  | `{}`                                        |
-| `nodeDriverRegistrar.image.registry`          | The OCI registry to pull the image from                                                                        | `registry.k8s.io`                           |
-| `nodeDriverRegistrar.image.repository`        | The repository within the registry                                                                             | `sig-storage/csi-node-driver-registrar`     |
-| `nodeDriverRegistrar.image.pullPolicy`        | The image pull policy                                                                                          | `IfNotPresent`                              |
-| `nodeDriverRegistrar.image.tag`               | Overrides the image tag                                                                                        | `v2.9.4`                                    |
-| `nodeDriverRegistrar.resources`               | Resource requests and limits for CSI driver pods                                                               | `{}`                                        |
-| `agentSocketPath`                             | The unix socket path to the spire-agent                                                                        | `/run/spire/agent-sockets/spire-agent.sock` |
-| `kubeletPath`                                 | Path to kubelet file                                                                                           | `/var/lib/kubelet`                          |
-| `priorityClassName`                           | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName.      | `""`                                        |
-| `restrictedScc.enabled`                       | Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support        | `false`                                     |
-| `restrictedScc.name`                          | Set the name of the restricted SCC with CSI support                                                            | `""`                                        |
-| `restrictedScc.version`                       | Version of the restricted SCC                                                                                  | `2`                                         |
-| `selinux.enabled`                             | Enable selinux support                                                                                         | `false`                                     |
-| `selinux.context`                             | Which selinux context to use                                                                                   | `container_file_t`                          |
-| `selinux.image.registry`                      | The OCI registry to pull the image from                                                                        | `registry.access.redhat.com`                |
-| `selinux.image.repository`                    | The repository within the registry                                                                             | `ubi9`                                      |
-| `selinux.image.pullPolicy`                    | The image pull policy                                                                                          | `Always`                                    |
-| `selinux.image.tag`                           | Overrides the image tag whose default is the chart appVersion                                                  | `latest`                                    |
+| Name                                          | Description                                                                                                                                                              | Value                                       |
+| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------- |
+| `pluginName`                                  | Set the csi driver name deployed to Kubernetes.                                                                                                                          | `csi.spiffe.io`                             |
+| `image.registry`                              | The OCI registry to pull the image from                                                                                                                                  | `ghcr.io`                                   |
+| `image.repository`                            | The repository within the registry                                                                                                                                       | `spiffe/spiffe-csi-driver`                  |
+| `image.pullPolicy`                            | The image pull policy                                                                                                                                                    | `IfNotPresent`                              |
+| `image.tag`                                   | Overrides the image tag whose default is the chart appVersion                                                                                                            | `""`                                        |
+| `resources`                                   | Resource requests and limits for spiffe-csi-driver                                                                                                                       | `{}`                                        |
+| `extraEnvVars`                                | Extra environment variables to be added to the spiffe-csi-driver container                                                                                               | `[]`                                        |
+| `healthChecks.port`                           | The healthcheck port for spiffe-csi-driver                                                                                                                               | `9809`                                      |
+| `updateStrategy.type`                         | The update strategy to use to replace existing DaemonSet pods with new pods. Can be RollingUpdate or OnDelete.                                                           | `RollingUpdate`                             |
+| `updateStrategy.rollingUpdate.maxUnavailable` | Max unavailable pods during update. Can be a number or a percentage.                                                                                                     | `1`                                         |
+| `livenessProbe.initialDelaySeconds`           | Initial delay seconds for livenessProbe                                                                                                                                  | `5`                                         |
+| `livenessProbe.timeoutSeconds`                | Timeout value in seconds for livenessProbe                                                                                                                               | `5`                                         |
+| `imagePullSecrets`                            | Image pull secret details for spiffe-csi-driver                                                                                                                          | `[]`                                        |
+| `nameOverride`                                | Name override for spiffe-csi-driver                                                                                                                                      | `""`                                        |
+| `namespaceOverride`                           | Namespace to install spiffe-csi-driver                                                                                                                                   | `""`                                        |
+| `serverNamespaceOverride`                     | Override the namespace that the spire-server is installed into                                                                                                           | `""`                                        |
+| `validatingAdmissionPolicy.enabled`           | When set to auto, the validatingAdmissionPolicy will be enabled when the pluginName == "upstream.csi.spiffe.io" and k8s >= 1.30.0. Valid options are [auto, true, false] | `auto`                                      |
+| `fullnameOverride`                            | Full name override for spiffe-csi-driver                                                                                                                                 | `""`                                        |
+| `csiDriverLabels`                             | Labels to apply to the CSIDriver                                                                                                                                         | `{}`                                        |
+| `initContainers`                              | Init Containers to apply to the CSI Driver DaemonSet                                                                                                                     | `[]`                                        |
+| `serviceAccount.create`                       | Specifies whether a service account should be created                                                                                                                    | `true`                                      |
+| `serviceAccount.annotations`                  | Annotations to add to the service account                                                                                                                                | `{}`                                        |
+| `serviceAccount.name`                         | The name of the service account to use. If not set and create is true, a name is generated.                                                                              | `""`                                        |
+| `podAnnotations`                              | Pod annotations for spiffe-csi-driver                                                                                                                                    | `{}`                                        |
+| `podSecurityContext`                          | Security context for CSI driver pods                                                                                                                                     | `{}`                                        |
+| `securityContext.readOnlyRootFilesystem`      | Flag for read only root filesystem                                                                                                                                       | `true`                                      |
+| `securityContext.privileged`                  | Flag for specifying privileged mode                                                                                                                                      | `true`                                      |
+| `nodeSelector`                                | Node selector for CSI driver pods                                                                                                                                        | `{}`                                        |
+| `tolerations`                                 | Tolerations for CSI driver pods                                                                                                                                          | `[]`                                        |
+| `affinity`                                    | Node affinity                                                                                                                                                            | `{}`                                        |
+| `nodeDriverRegistrar.image.registry`          | The OCI registry to pull the image from                                                                                                                                  | `registry.k8s.io`                           |
+| `nodeDriverRegistrar.image.repository`        | The repository within the registry                                                                                                                                       | `sig-storage/csi-node-driver-registrar`     |
+| `nodeDriverRegistrar.image.pullPolicy`        | The image pull policy                                                                                                                                                    | `IfNotPresent`                              |
+| `nodeDriverRegistrar.image.tag`               | Overrides the image tag                                                                                                                                                  | `v2.9.4`                                    |
+| `nodeDriverRegistrar.resources`               | Resource requests and limits for CSI driver pods                                                                                                                         | `{}`                                        |
+| `nodeDriverRegistrar.extraEnvVars`            | Extra environment variables to be added to the nodeDriverRegistrar container                                                                                             | `[]`                                        |
+| `agentSocketPath`                             | The unix socket path to the spire-agent                                                                                                                                  | `/run/spire/agent-sockets/spire-agent.sock` |
+| `kubeletPath`                                 | Path to kubelet file                                                                                                                                                     | `/var/lib/kubelet`                          |
+| `priorityClassName`                           | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName.                                                                | `""`                                        |
+| `restrictedScc.enabled`                       | Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support                                                                  | `false`                                     |
+| `restrictedScc.name`                          | Set the name of the restricted SCC with CSI support                                                                                                                      | `""`                                        |
+| `restrictedScc.version`                       | Version of the restricted SCC                                                                                                                                            | `2`                                         |
+| `selinux.enabled`                             | Enable selinux support                                                                                                                                                   | `false`                                     |
+| `selinux.context`                             | Which selinux context to use                                                                                                                                             | `container_file_t`                          |
+| `selinux.image.registry`                      | The OCI registry to pull the image from                                                                                                                                  | `registry.access.redhat.com`                |
+| `selinux.image.repository`                    | The repository within the registry                                                                                                                                       | `ubi9`                                      |
+| `selinux.image.pullPolicy`                    | The image pull policy                                                                                                                                                    | `Always`                                    |
+| `selinux.image.tag`                           | Overrides the image tag whose default is the chart appVersion                                                                                                            | `latest`                                    |

--- a/charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl
+++ b/charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl
@ -40,6 +40,23 @@ Allow the release namespace to be overridden for multi-namespace deployments in
  {{- end -}}
 {{- end -}}

+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "spiffe-csi-driver.server-namespace" -}}
+  {{- if .Values.serverNamespaceOverride -}}
+    {{- .Values.serverNamespaceOverride -}}
+  {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
+    {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
+      {{- .Values.global.spire.namespaces.server.name }}
+    {{- else }}
+      {{- printf "spire-server" }}
+    {{- end }}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
--- a/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml
+++ b/charts/spire/charts/spiffe-csi-driver/templates/daemonset.yaml
@ -90,6 +90,9 @@ spec:
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
+          {{- with .Values.extraEnvVars }}
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
          volumeMounts:
            # The volume containing the SPIRE agent socket. The SPIFFE CSI
            # driver will mount this directory into containers.
@ -123,6 +126,10 @@ spec:
            "-kubelet-registration-path", "{{ .Values.kubeletPath }}/plugins/{{ .Values.pluginName }}/csi.sock",
            "-health-port", "{{ .Values.healthChecks.port }}"
          ]
+          env:
+          {{- with .Values.nodeDriverRegistrar.extraEnvVars }}
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
          volumeMounts:
            # The registrar needs access to the SPIFFE CSI driver socket
            - mountPath: /spiffe-csi
--- a/charts/spire/charts/spiffe-csi-driver/templates/policy.yaml
+++ b/charts/spire/charts/spiffe-csi-driver/templates/policy.yaml
@ -0,0 +1,37 @@
+{{- $upstream := eq .Values.pluginName "upstream.csi.spiffe.io" }}
+{{- $detectedValidation := semverCompare ">=1.30-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- $policyEnabled := .Values.validatingAdmissionPolicy.enabled | toString }}
+{{- $auto := eq $policyEnabled "auto" }}
+{{- if or (eq $policyEnabled "true") (and $auto $upstream $detectedValidation) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: {{ .Values.pluginName | quote }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+  validations:
+  - expression: |
+      !object.spec.volumes.exists(c, has(c.csi) && has(c.csi.driver) && c.csi.driver == {{ .Values.pluginName | quote }})
+    message: 'you may not use the upstream.csi.spiffe.io csi driver'
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: {{ .Values.pluginName | quote }}
+spec:
+  policyName: {{ .Values.pluginName | quote }}
+  validationActions: ["Deny"]
+  matchResources:
+    namespaceSelector:
+      matchExpressions:
+      - key: "kubernetes.io/metadata.name"
+        operator: NotIn
+        values:
+        - {{ include "spiffe-csi-driver.server-namespace" . | quote }}
+{{- end }}
--- a/charts/spire/charts/spiffe-csi-driver/values.yaml
+++ b/charts/spire/charts/spiffe-csi-driver/values.yaml
@ -33,6 +33,9 @@ resources: {}
  #   cpu: 100m
  #   memory: 64Mi

+## @param extraEnvVars [array] Extra environment variables to be added to the spiffe-csi-driver container
+extraEnvVars: []
+
 healthChecks:
  ## @param healthChecks.port The healthcheck port for spiffe-csi-driver
  port: 9809
@ -60,6 +63,13 @@ nameOverride: ""
 ## @param namespaceOverride Namespace to install spiffe-csi-driver
 namespaceOverride: ""

+## @param serverNamespaceOverride Override the namespace that the spire-server is installed into
+serverNamespaceOverride: ""
+
+validatingAdmissionPolicy:
+  ## @param validatingAdmissionPolicy.enabled When set to auto, the validatingAdmissionPolicy will be enabled when the pluginName == "upstream.csi.spiffe.io" and k8s >= 1.30.0. Valid options are [auto, true, false]
+  enabled: auto
+
 ## @param fullnameOverride Full name override for spiffe-csi-driver
 fullnameOverride: ""

@ -129,6 +139,8 @@ nodeDriverRegistrar:
    # limits:
    #   cpu: 100m
    #   memory: 64Mi
+  ## @param nodeDriverRegistrar.extraEnvVars [array] Extra environment variables to be added to the nodeDriverRegistrar container
+  extraEnvVars: []

 ## @param agentSocketPath The unix socket path to the spire-agent
 agentSocketPath: /run/spire/agent-sockets/spire-agent.sock
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/Chart.yaml
@ -3,7 +3,7 @@ name: spiffe-oidc-discovery-provider
 description: A Helm chart to install the SPIFFE OIDC discovery provider.
 type: application
 version: 0.1.0
-appVersion: "1.10.3"
+appVersion: "1.12.4"
 keywords: ["spiffe", "oidc"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/README.md
@ -25,115 +25,121 @@ A Helm chart to install the SPIFFE OIDC discovery provider.

 ### Chart parameters

-| Name                                                  | Description                                                                                                                                                                                                                            | Value                                                                             |
-| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
-| `agentSocketName`                                     | The name of the spire-agent unix socket                                                                                                                                                                                                | `spire-agent.sock`                                                                |
-| `csiDriverName`                                       | The csi driver to use                                                                                                                                                                                                                  | `csi.spiffe.io`                                                                   |
-| `replicaCount`                                        | Replica count                                                                                                                                                                                                                          | `1`                                                                               |
-| `namespaceOverride`                                   | Namespace override                                                                                                                                                                                                                     | `""`                                                                              |
-| `annotations`                                         | Annotations for the deployment                                                                                                                                                                                                         | `{}`                                                                              |
-| `image.registry`                                      | The OCI registry to pull the image from                                                                                                                                                                                                | `ghcr.io`                                                                         |
-| `image.repository`                                    | The repository within the registry                                                                                                                                                                                                     | `spiffe/oidc-discovery-provider`                                                  |
-| `image.pullPolicy`                                    | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `image.tag`                                           | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `""`                                                                              |
-| `spiffeHelper.image.registry`                         | The OCI registry to pull the image from                                                                                                                                                                                                | `ghcr.io`                                                                         |
-| `spiffeHelper.image.repository`                       | The repository within the registry                                                                                                                                                                                                     | `spiffe/spiffe-helper`                                                            |
-| `spiffeHelper.image.pullPolicy`                       | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `spiffeHelper.image.tag`                              | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6` |
-| `spiffeHelper.resources`                              | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                              |
-| `resources`                                           | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                              |
-| `service.type`                                        | Service type                                                                                                                                                                                                                           | `ClusterIP`                                                                       |
-| `service.ports.http`                                  | Insecure port for the service                                                                                                                                                                                                          | `80`                                                                              |
-| `service.ports.https`                                 | Secure port for the service                                                                                                                                                                                                            | `443`                                                                             |
-| `service.annotations`                                 | Annotations for service resource                                                                                                                                                                                                       | `{}`                                                                              |
-| `configMap.annotations`                               | Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap                                                                                                                                                                     | `{}`                                                                              |
-| `podSecurityContext`                                  | Pod security context for OIDC discovery provider pods                                                                                                                                                                                  | `{}`                                                                              |
-| `securityContext`                                     | Security context for OIDC discovery provider deployment                                                                                                                                                                                | `{}`                                                                              |
-| `readinessProbe.initialDelaySeconds`                  | Initial delay seconds for readinessProbe                                                                                                                                                                                               | `5`                                                                               |
-| `readinessProbe.periodSeconds`                        | Period seconds for readinessProbe                                                                                                                                                                                                      | `5`                                                                               |
-| `livenessProbe.initialDelaySeconds`                   | Initial delay seconds for livenessProbe                                                                                                                                                                                                | `5`                                                                               |
-| `livenessProbe.periodSeconds`                         | Period seconds for livenessProbe                                                                                                                                                                                                       | `5`                                                                               |
-| `podAnnotations`                                      | Pod annotations for Spire OIDC discovery provider                                                                                                                                                                                      | `{}`                                                                              |
-| `tls.spire.enabled`                                   | Use spire to secure the oidc-discovery-provider                                                                                                                                                                                        | `true`                                                                            |
-| `tls.externalSecret.enabled`                          | Provide your own certificate/key via tls style Kubernetes Secret                                                                                                                                                                       | `false`                                                                           |
-| `tls.externalSecret.secretName`                       | Specify which Secret to use                                                                                                                                                                                                            | `""`                                                                              |
-| `tls.certManager.enabled`                             | Use certificateManager to create the certificate                                                                                                                                                                                       | `false`                                                                           |
-| `tls.certManager.issuer.create`                       | Create an issuer to use to issue the certificate                                                                                                                                                                                       | `true`                                                                            |
-| `tls.certManager.issuer.acme.email`                   | Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service                                                                                                                                     | `""`                                                                              |
-| `tls.certManager.issuer.acme.server`                  | Server to use to get certificate. Defaults to LetsEncrypt                                                                                                                                                                              | `https://acme-v02.api.letsencrypt.org/directory`                                  |
-| `tls.certManager.issuer.acme.solvers`                 | Configure the issuer solvers. Defaults to http01 via ingress.                                                                                                                                                                          | `{}`                                                                              |
-| `tls.certManager.certificate.dnsNames`                | Override the dnsNames on the certificate request. Defaults to the same settings as Ingress                                                                                                                                             | `[]`                                                                              |
-| `tls.certManager.certificate.issuerRef.group`         | If you are using an external plugin, specify the group for it here                                                                                                                                                                     | `""`                                                                              |
-| `tls.certManager.certificate.issuerRef.kind`          | Kind of the issuer reference. Override if you want to use a ClusterIssuer                                                                                                                                                              | `Issuer`                                                                          |
-| `tls.certManager.certificate.issuerRef.name`          | Name of the issuer to use. If unset, it will use the name of the built in issuer                                                                                                                                                       | `""`                                                                              |
-| `insecureScheme.nginx.image.registry`                 | The OCI registry to pull the image from. Only used when TLS is disabled.                                                                                                                                                               | `docker.io`                                                                       |
-| `insecureScheme.nginx.image.repository`               | The repository within the registry. Only used when TLS is disabled.                                                                                                                                                                    | `nginxinc/nginx-unprivileged`                                                     |
-| `insecureScheme.nginx.image.pullPolicy`               | The image pull policy.  Only used when TLS is disabled.                                                                                                                                                                                | `IfNotPresent`                                                                    |
-| `insecureScheme.nginx.image.tag`                      | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled.                                                                                                                                         | `1.27.1-alpine`                                                                   |
-| `insecureScheme.nginx.ipMode`                         | IP modes supported by the cluster. Must be one of [ipv4, ipv6, both]                                                                                                                                                                   | `both`                                                                            |
-| `insecureScheme.nginx.resources`                      | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                              |
-| `jwtIssuer`                                           | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset                                                                                                                                                                   | `""`                                                                              |
-| `config.logLevel`                                     | The log level, valid values are "debug", "info", "warn", and "error"                                                                                                                                                                   | `info`                                                                            |
-| `config.additionalDomains`                            | Add additional domains that can be used for oidc discovery                                                                                                                                                                             | `[]`                                                                              |
-| `imagePullSecrets`                                    | Image pull secret names                                                                                                                                                                                                                | `[]`                                                                              |
-| `nameOverride`                                        | Name override                                                                                                                                                                                                                          | `""`                                                                              |
-| `fullnameOverride`                                    | Full name override                                                                                                                                                                                                                     | `""`                                                                              |
-| `serviceAccount.create`                               | Specifies whether a service account should be created                                                                                                                                                                                  | `true`                                                                            |
-| `serviceAccount.annotations`                          | Annotations to add to the service account                                                                                                                                                                                              | `{}`                                                                              |
-| `serviceAccount.name`                                 | The name of the service account to use. If not set and create is true, a name is generated.                                                                                                                                            | `""`                                                                              |
-| `deleteHook.enabled`                                  | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`)                                                                                                                                      | `true`                                                                            |
-| `autoscaling.enabled`                                 | Flag to enable autoscaling                                                                                                                                                                                                             | `false`                                                                           |
-| `autoscaling.minReplicas`                             | Minimum replicas for autoscaling                                                                                                                                                                                                       | `1`                                                                               |
-| `autoscaling.maxReplicas`                             | Maximum replicas for autoscaling                                                                                                                                                                                                       | `5`                                                                               |
-| `autoscaling.targetCPUUtilizationPercentage`          | Target CPU utlization that triggers autoscaling                                                                                                                                                                                        | `80`                                                                              |
-| `autoscaling.targetMemoryUtilizationPercentage`       | Target Memory utlization that triggers autoscaling                                                                                                                                                                                     | `80`                                                                              |
-| `nodeSelector`                                        | Node selector                                                                                                                                                                                                                          | `{}`                                                                              |
-| `tolerations`                                         | iist of tolerations                                                                                                                                                                                                                    | `[]`                                                                              |
-| `affinity`                                            | Node affinity                                                                                                                                                                                                                          | `{}`                                                                              |
-| `trustDomain`                                         | Set the trust domain to be used for the SPIFFE identifiers                                                                                                                                                                             | `example.org`                                                                     |
-| `clusterDomain`                                       | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`)                                                                                                                                                               | `cluster.local`                                                                   |
-| `telemetry.prometheus.enabled`                        | Flag to enable prometheus monitoring                                                                                                                                                                                                   | `false`                                                                           |
-| `telemetry.prometheus.port`                           | Port for prometheus metrics                                                                                                                                                                                                            | `9988`                                                                            |
-| `telemetry.prometheus.podMonitor.enabled`             | Enable podMonitor for prometheus                                                                                                                                                                                                       | `false`                                                                           |
-| `telemetry.prometheus.podMonitor.namespace`           | Override where to install the podMonitor, if not set will use the same namespace as the helm release                                                                                                                                   | `""`                                                                              |
-| `telemetry.prometheus.podMonitor.labels`              | Pod labels to filter for prometheus monitoring                                                                                                                                                                                         | `{}`                                                                              |
-| `telemetry.prometheus.nginxExporter.image.registry`   | The OCI registry to pull the image from                                                                                                                                                                                                | `docker.io`                                                                       |
-| `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry                                                                                                                                                                                                     | `nginx/nginx-prometheus-exporter`                                                 |
-| `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `telemetry.prometheus.nginxExporter.image.tag`        | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `1.3.0`                                                                           |
-| `telemetry.prometheus.nginxExporter.resources`        | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                              |
-| `ingress.enabled`                                     | Flag to enable ingress                                                                                                                                                                                                                 | `false`                                                                           |
-| `ingress.className`                                   | Ingress class name                                                                                                                                                                                                                     | `""`                                                                              |
-| `ingress.controllerType`                              | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""`                                                                              |
-| `ingress.annotations`                                 | Annotations for ingress object                                                                                                                                                                                                         | `{}`                                                                              |
-| `ingress.host`                                        | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.                                                       | `oidc-discovery`                                                                  |
-| `ingress.tlsSecret`                                   | Secret that has the certs. If blank will use default certs. Used with host var.                                                                                                                                                        | `""`                                                                              |
-| `ingress.hosts`                                       | Host paths for ingress object. If emtpy, rules will be built based on the host var.                                                                                                                                                    | `[]`                                                                              |
-| `ingress.tls`                                         | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars.                                                                                                         | `[]`                                                                              |
-| `tests.hostAliases`                                   | List of host aliases for testing                                                                                                                                                                                                       | `[]`                                                                              |
-| `tests.tls.enabled`                                   | Flag for enabling tls for tests                                                                                                                                                                                                        | `false`                                                                           |
-| `tests.tls.customCA`                                  | Custom CA value for tests                                                                                                                                                                                                              | `""`                                                                              |
-| `tests.bash.image.registry`                           | The OCI registry to pull the image from                                                                                                                                                                                                | `cgr.dev`                                                                         |
-| `tests.bash.image.repository`                         | The repository within the registry                                                                                                                                                                                                     | `chainguard/bash`                                                                 |
-| `tests.bash.image.pullPolicy`                         | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `tests.bash.image.tag`                                | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a`  |
-| `tests.toolkit.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                                                                | `cgr.dev`                                                                         |
-| `tests.toolkit.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `chainguard/min-toolkit-debug`                                                    |
-| `tests.toolkit.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `tests.toolkit.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `latest@sha256:5420e15d91112458fc573755954c9174dbf4db8d802c4de3aac18145f5a78a17`  |
-| `tests.step.image.registry`                           | The OCI registry to pull the image from                                                                                                                                                                                                | `docker.io`                                                                       |
-| `tests.step.image.repository`                         | The repository within the registry                                                                                                                                                                                                     | `smallstep/step-cli`                                                              |
-| `tests.step.image.pullPolicy`                         | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `tests.step.image.tag`                                | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `0.27.2`                                                                          |
-| `tests.busybox.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                                                                | `""`                                                                              |
-| `tests.busybox.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `busybox`                                                                         |
-| `tests.busybox.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `tests.busybox.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `1.36.1-uclibc`                                                                   |
-| `tests.agent.image.registry`                          | The OCI registry to pull the image from                                                                                                                                                                                                | `ghcr.io`                                                                         |
-| `tests.agent.image.repository`                        | The repository within the registry                                                                                                                                                                                                     | `spiffe/spire-agent`                                                              |
-| `tests.agent.image.pullPolicy`                        | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `tests.agent.image.tag`                               | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `""`                                                                              |
-| `tools.kubectl.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                                                                | `docker.io`                                                                       |
-| `tools.kubectl.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `rancher/kubectl`                                                                 |
-| `tools.kubectl.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                    |
-| `tools.kubectl.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `""`                                                                              |
+| Name                                                  | Description                                                                                                                                                                                                                            | Value                                                                            |
+| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
+| `agentSocketName`                                     | The name of the spire-agent unix socket                                                                                                                                                                                                | `spire-agent.sock`                                                               |
+| `csiDriverName`                                       | The csi driver to use                                                                                                                                                                                                                  | `csi.spiffe.io`                                                                  |
+| `bundleSource`                                        | Configure where to fetch the trust bundle from. Must be CSI or ConfigMap.                                                                                                                                                              | `CSI`                                                                            |
+| `bundleConfigMap`                                     | ConfigMap name for SPIRE bundle when bundleSource is ConfigMap                                                                                                                                                                         | `spire-bundle`                                                                   |
+| `replicaCount`                                        | Replica count                                                                                                                                                                                                                          | `1`                                                                              |
+| `namespaceOverride`                                   | Namespace override                                                                                                                                                                                                                     | `""`                                                                             |
+| `annotations`                                         | Annotations for the deployment                                                                                                                                                                                                         | `{}`                                                                             |
+| `image.registry`                                      | The OCI registry to pull the image from                                                                                                                                                                                                | `ghcr.io`                                                                        |
+| `image.repository`                                    | The repository within the registry                                                                                                                                                                                                     | `spiffe/oidc-discovery-provider`                                                 |
+| `image.pullPolicy`                                    | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `image.tag`                                           | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `""`                                                                             |
+| `expandEnv`                                           | Set to true to enable environment variable substitution of config file options                                                                                                                                                         | `false`                                                                          |
+| `extraEnv`                                            | Extra environment variables to add to the spiffe oidc discovery provider                                                                                                                                                               | `[]`                                                                             |
+| `spiffeHelper.image.registry`                         | The OCI registry to pull the image from                                                                                                                                                                                                | `ghcr.io`                                                                        |
+| `spiffeHelper.image.repository`                       | The repository within the registry                                                                                                                                                                                                     | `spiffe/spiffe-helper`                                                           |
+| `spiffeHelper.image.pullPolicy`                       | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `spiffeHelper.image.tag`                              | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `0.10.1`                                                                         |
+| `spiffeHelper.resources`                              | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                             |
+| `resources`                                           | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                             |
+| `service.type`                                        | Service type                                                                                                                                                                                                                           | `ClusterIP`                                                                      |
+| `service.ports.http`                                  | Insecure port for the service                                                                                                                                                                                                          | `80`                                                                             |
+| `service.ports.https`                                 | Secure port for the service                                                                                                                                                                                                            | `443`                                                                            |
+| `service.annotations`                                 | Annotations for service resource                                                                                                                                                                                                       | `{}`                                                                             |
+| `configMap.annotations`                               | Annotations to add to the SPIFFE OIDC Discovery Provider ConfigMap                                                                                                                                                                     | `{}`                                                                             |
+| `podSecurityContext`                                  | Pod security context for OIDC discovery provider pods                                                                                                                                                                                  | `{}`                                                                             |
+| `securityContext`                                     | Security context for OIDC discovery provider deployment                                                                                                                                                                                | `{}`                                                                             |
+| `readinessProbe.initialDelaySeconds`                  | Initial delay seconds for readinessProbe                                                                                                                                                                                               | `5`                                                                              |
+| `readinessProbe.periodSeconds`                        | Period seconds for readinessProbe                                                                                                                                                                                                      | `5`                                                                              |
+| `livenessProbe.initialDelaySeconds`                   | Initial delay seconds for livenessProbe                                                                                                                                                                                                | `5`                                                                              |
+| `livenessProbe.periodSeconds`                         | Period seconds for livenessProbe                                                                                                                                                                                                       | `5`                                                                              |
+| `podAnnotations`                                      | Pod annotations for Spire OIDC discovery provider                                                                                                                                                                                      | `{}`                                                                             |
+| `tls.spire.enabled`                                   | Use spire to secure the oidc-discovery-provider                                                                                                                                                                                        | `true`                                                                           |
+| `tls.externalSecret.enabled`                          | Provide your own certificate/key via tls style Kubernetes Secret                                                                                                                                                                       | `false`                                                                          |
+| `tls.externalSecret.secretName`                       | Specify which Secret to use                                                                                                                                                                                                            | `""`                                                                             |
+| `tls.certManager.enabled`                             | Use certificateManager to create the certificate                                                                                                                                                                                       | `false`                                                                          |
+| `tls.certManager.issuer.create`                       | Create an issuer to use to issue the certificate                                                                                                                                                                                       | `true`                                                                           |
+| `tls.certManager.issuer.acme.email`                   | Must be set in order to register with LetsEncrypt. By setting, you agree to their Terms of Service                                                                                                                                     | `""`                                                                             |
+| `tls.certManager.issuer.acme.server`                  | Server to use to get certificate. Defaults to LetsEncrypt                                                                                                                                                                              | `https://acme-v02.api.letsencrypt.org/directory`                                 |
+| `tls.certManager.issuer.acme.solvers`                 | Configure the issuer solvers. Defaults to http01 via ingress.                                                                                                                                                                          | `{}`                                                                             |
+| `tls.certManager.certificate.dnsNames`                | Override the dnsNames on the certificate request. Defaults to the same settings as Ingress                                                                                                                                             | `[]`                                                                             |
+| `tls.certManager.certificate.issuerRef.group`         | If you are using an external plugin, specify the group for it here                                                                                                                                                                     | `""`                                                                             |
+| `tls.certManager.certificate.issuerRef.kind`          | Kind of the issuer reference. Override if you want to use a ClusterIssuer                                                                                                                                                              | `Issuer`                                                                         |
+| `tls.certManager.certificate.issuerRef.name`          | Name of the issuer to use. If unset, it will use the name of the built in issuer                                                                                                                                                       | `""`                                                                             |
+| `insecureScheme.nginx.image.registry`                 | The OCI registry to pull the image from. Only used when TLS is disabled.                                                                                                                                                               | `docker.io`                                                                      |
+| `insecureScheme.nginx.image.repository`               | The repository within the registry. Only used when TLS is disabled.                                                                                                                                                                    | `nginxinc/nginx-unprivileged`                                                    |
+| `insecureScheme.nginx.image.pullPolicy`               | The image pull policy.  Only used when TLS is disabled.                                                                                                                                                                                | `IfNotPresent`                                                                   |
+| `insecureScheme.nginx.image.tag`                      | Overrides the image tag whose default is the chart appVersion. Only used when TLS is disabled.                                                                                                                                         | `1.29.0-alpine`                                                                  |
+| `insecureScheme.nginx.ipMode`                         | IP modes supported by the cluster. Must be one of [ipv4, ipv6, both]                                                                                                                                                                   | `both`                                                                           |
+| `insecureScheme.nginx.resources`                      | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                             |
+| `jwtIssuer`                                           | Path to JWT issuer. Defaults to oidc-discovery.$trustDomain if unset                                                                                                                                                                   | `""`                                                                             |
+| `config.logLevel`                                     | The log level, valid values are "debug", "info", "warn", and "error"                                                                                                                                                                   | `info`                                                                           |
+| `config.jwtDomain`                                    | The JWT domain. Defaults to oidc-discovery.$jwtIssuer URL-parsed host if unset                                                                                                                                                         | `""`                                                                             |
+| `config.jwksUri`                                      | The JWKS URI                                                                                                                                                                                                                           | `""`                                                                             |
+| `config.additionalDomains`                            | Add additional domains that can be used for oidc discovery                                                                                                                                                                             | `[]`                                                                             |
+| `imagePullSecrets`                                    | Image pull secret names                                                                                                                                                                                                                | `[]`                                                                             |
+| `nameOverride`                                        | Name override                                                                                                                                                                                                                          | `""`                                                                             |
+| `fullnameOverride`                                    | Full name override                                                                                                                                                                                                                     | `""`                                                                             |
+| `serviceAccount.create`                               | Specifies whether a service account should be created                                                                                                                                                                                  | `true`                                                                           |
+| `serviceAccount.annotations`                          | Annotations to add to the service account                                                                                                                                                                                              | `{}`                                                                             |
+| `serviceAccount.name`                                 | The name of the service account to use. If not set and create is true, a name is generated.                                                                                                                                            | `""`                                                                             |
+| `deleteHook.enabled`                                  | Enable Helm hooks to autofix common delete issues (should be disabled when using `helm template`)                                                                                                                                      | `true`                                                                           |
+| `autoscaling.enabled`                                 | Flag to enable autoscaling                                                                                                                                                                                                             | `false`                                                                          |
+| `autoscaling.minReplicas`                             | Minimum replicas for autoscaling                                                                                                                                                                                                       | `1`                                                                              |
+| `autoscaling.maxReplicas`                             | Maximum replicas for autoscaling                                                                                                                                                                                                       | `5`                                                                              |
+| `autoscaling.targetCPUUtilizationPercentage`          | Target CPU utlization that triggers autoscaling                                                                                                                                                                                        | `80`                                                                             |
+| `autoscaling.targetMemoryUtilizationPercentage`       | Target Memory utlization that triggers autoscaling                                                                                                                                                                                     | `80`                                                                             |
+| `nodeSelector`                                        | Node selector                                                                                                                                                                                                                          | `{}`                                                                             |
+| `tolerations`                                         | iist of tolerations                                                                                                                                                                                                                    | `[]`                                                                             |
+| `affinity`                                            | Node affinity                                                                                                                                                                                                                          | `{}`                                                                             |
+| `trustDomain`                                         | Set the trust domain to be used for the SPIFFE identifiers                                                                                                                                                                             | `example.org`                                                                    |
+| `clusterDomain`                                       | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`)                                                                                                                                                               | `cluster.local`                                                                  |
+| `telemetry.prometheus.enabled`                        | Flag to enable prometheus monitoring                                                                                                                                                                                                   | `false`                                                                          |
+| `telemetry.prometheus.port`                           | Port for prometheus metrics                                                                                                                                                                                                            | `9988`                                                                           |
+| `telemetry.prometheus.podMonitor.enabled`             | Enable podMonitor for prometheus                                                                                                                                                                                                       | `false`                                                                          |
+| `telemetry.prometheus.podMonitor.namespace`           | Override where to install the podMonitor, if not set will use the same namespace as the helm release                                                                                                                                   | `""`                                                                             |
+| `telemetry.prometheus.podMonitor.labels`              | Pod labels to filter for prometheus monitoring                                                                                                                                                                                         | `{}`                                                                             |
+| `telemetry.prometheus.nginxExporter.image.registry`   | The OCI registry to pull the image from                                                                                                                                                                                                | `docker.io`                                                                      |
+| `telemetry.prometheus.nginxExporter.image.repository` | The repository within the registry                                                                                                                                                                                                     | `nginx/nginx-prometheus-exporter`                                                |
+| `telemetry.prometheus.nginxExporter.image.pullPolicy` | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `telemetry.prometheus.nginxExporter.image.tag`        | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `1.4.2`                                                                          |
+| `telemetry.prometheus.nginxExporter.resources`        | Resource requests and limits                                                                                                                                                                                                           | `{}`                                                                             |
+| `ingress.enabled`                                     | Flag to enable ingress                                                                                                                                                                                                                 | `false`                                                                          |
+| `ingress.className`                                   | Ingress class name                                                                                                                                                                                                                     | `""`                                                                             |
+| `ingress.controllerType`                              | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""`                                                                             |
+| `ingress.annotations`                                 | Annotations for ingress object                                                                                                                                                                                                         | `{}`                                                                             |
+| `ingress.host`                                        | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.                                                       | `oidc-discovery`                                                                 |
+| `ingress.tlsSecret`                                   | Secret that has the certs. If blank will use default certs. Used with host var.                                                                                                                                                        | `""`                                                                             |
+| `ingress.hosts`                                       | Host paths for ingress object. If emtpy, rules will be built based on the host var.                                                                                                                                                    | `[]`                                                                             |
+| `ingress.tls`                                         | Secrets containining TLS certs to enable https on ingress. If emtpy, rules will be built based on the host and tlsSecret vars.                                                                                                         | `[]`                                                                             |
+| `tests.hostAliases`                                   | List of host aliases for testing                                                                                                                                                                                                       | `[]`                                                                             |
+| `tests.tls.enabled`                                   | Flag for enabling tls for tests                                                                                                                                                                                                        | `false`                                                                          |
+| `tests.tls.customCA`                                  | Custom CA value for tests                                                                                                                                                                                                              | `""`                                                                             |
+| `tests.bash.image.registry`                           | The OCI registry to pull the image from                                                                                                                                                                                                | `cgr.dev`                                                                        |
+| `tests.bash.image.repository`                         | The repository within the registry                                                                                                                                                                                                     | `chainguard/bash`                                                                |
+| `tests.bash.image.pullPolicy`                         | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `tests.bash.image.tag`                                | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
+| `tests.toolkit.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                                                                | `cgr.dev`                                                                        |
+| `tests.toolkit.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `chainguard/min-toolkit-debug`                                                   |
+| `tests.toolkit.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `tests.toolkit.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53` |
+| `tests.step.image.registry`                           | The OCI registry to pull the image from                                                                                                                                                                                                | `docker.io`                                                                      |
+| `tests.step.image.repository`                         | The repository within the registry                                                                                                                                                                                                     | `smallstep/step-cli`                                                             |
+| `tests.step.image.pullPolicy`                         | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `tests.step.image.tag`                                | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `0.28.7`                                                                         |
+| `tests.busybox.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                                                                | `""`                                                                             |
+| `tests.busybox.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `busybox`                                                                        |
+| `tests.busybox.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `tests.busybox.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `1.37.0-uclibc`                                                                  |
+| `tests.agent.image.registry`                          | The OCI registry to pull the image from                                                                                                                                                                                                | `ghcr.io`                                                                        |
+| `tests.agent.image.repository`                        | The repository within the registry                                                                                                                                                                                                     | `spiffe/spire-agent`                                                             |
+| `tests.agent.image.pullPolicy`                        | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `tests.agent.image.tag`                               | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `""`                                                                             |
+| `tools.kubectl.image.registry`                        | The OCI registry to pull the image from                                                                                                                                                                                                | `registry.k8s.io`                                                                |
+| `tools.kubectl.image.repository`                      | The repository within the registry                                                                                                                                                                                                     | `kubectl`                                                                        |
+| `tools.kubectl.image.pullPolicy`                      | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
+| `tools.kubectl.image.tag`                             | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `""`                                                                             |
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/configmap.yaml
@ -1,3 +1,6 @@
+{{- if and (ne .Values.bundleSource "ConfigMap") (ne .Values.bundleSource "CSI") }}
+{{-   fail "Bundle source must be CSI or ConfigmMap" }}
+{{- end }}
 {{- $tlsCount := 0 }}
 {{- if and .Values.enabled .Values.tls.spire.enabled }}
 {{-   $tlsCount = add $tlsCount 1 }}
@ -23,9 +26,12 @@ domains:
  - "{{ include "spiffe-oidc-discovery-provider.fullname" . }}"
  - "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}"
  - "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}"
-  {{- $uri := urlParse (include "spire-lib.jwt-issuer" .) }}
-  {{- $jwtIssuer := (default $uri.path $uri.host) }}
-  {{- uniq (concat (list $jwtIssuer) .Values.config.additionalDomains) | toYaml | nindent 2 }}
+  {{- $jwtDomain := .Values.config.jwtDomain }}
+  {{- if not $jwtDomain }}
+    {{- $uri := urlParse (include "spire-lib.jwt-issuer" .) }}
+    {{- $jwtDomain = (default $uri.path $uri.host) }}
+  {{- end }}
+  {{- uniq (concat (list $jwtDomain) .Values.config.additionalDomains) | toYaml | nindent 2 }}

 {{- if eq (include "spiffe-oidc-discovery-provider.tls-enabled" .) "false" }}
 allow_insecure_scheme: true
@ -37,9 +43,18 @@ serving_cert_file:
  addr: ':8443'
 {{- end }}

+{{- if .Values.config.jwksUri}}
+jwks_uri: {{ .Values.config.jwksUri | quote }}
+{{- end }}
+
+{{- if eq .Values.bundleSource "ConfigMap" }}
+file:
+  path: /bundle/bundle.spiffe
+{{- else }}
 workload_api:
  socket_path: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | quote }}
  trust_domain: {{ include "spire-lib.trust-domain" . | quote }}
+{{- end }}

 health_checks:
  bind_port: "8008"
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/deployment.yaml
@ -50,7 +50,7 @@ spec:
          args:
            - -config
            - /etc/spiffe-helper.conf
-            - -exitWhenReady
+            - -daemon-mode=false
          volumeMounts:
            - name: spiffe-workload-api
              mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }}
@ -71,6 +71,13 @@ spec:
          args:
            - -config
            - /run/spire/oidc/config/oidc-discovery-provider.conf
+            {{- if .Values.expandEnv }}
+            - -expandEnv
+            {{- end }}
+          {{- with .Values.extraEnv }}
+          env:
+          {{- . | toYaml | nindent 12 }}
+          {{- end }}
          ports:
            - containerPort: 8008
              name: healthz
@ -79,9 +86,15 @@ spec:
              name: https
          {{- end }}
          volumeMounts:
+            {{- if eq .Values.bundleSource "ConfigMap" }}
+            - name: spiffe-bundle
+              mountPath: /bundle
+              readOnly: true
+            {{- else }}
            - name: spiffe-workload-api
              mountPath: {{ include "spiffe-oidc-discovery-provider.workload-api-socket-path" . | dir }}
              readOnly: true
+            {{- end }}
            - name: spire-oidc-sockets
              mountPath: /run/spire/oidc-sockets
              readOnly: false
@ -164,10 +177,17 @@ spec:
        {{- end }}
        {{- end }}
      volumes:
+        {{- if or .Values.tls.spire.enabled (eq .Values.bundleSource "CSI") }}
        - name: spiffe-workload-api
          csi:
            driver: "{{ .Values.csiDriverName }}"
            readOnly: true
+        {{- end }}
+        {{- if eq .Values.bundleSource "ConfigMap" }}
+        - name: spiffe-bundle
+          configMap:
+            name: {{ include "spire-lib.bundle-configmap" . }}
+        {{- end }}
        - name: spire-oidc-sockets
          emptyDir: {}
        - name: spire-oidc-config
--- a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
+++ b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
@ -11,6 +11,12 @@ agentSocketName: spire-agent.sock
 ## @param csiDriverName The csi driver to use
 csiDriverName: csi.spiffe.io

+## @param bundleSource Configure where to fetch the trust bundle from. Must be CSI or ConfigMap.
+bundleSource: CSI
+
+## @param bundleConfigMap ConfigMap name for SPIRE bundle when bundleSource is ConfigMap
+bundleConfigMap: spire-bundle
+
 ## @param replicaCount Replica count
 replicaCount: 1

@ -31,6 +37,12 @@ image:
  pullPolicy: IfNotPresent
  tag: ""

+## @param expandEnv Set to true to enable environment variable substitution of config file options
+expandEnv: false
+
+## @param extraEnv [array] Extra environment variables to add to the spiffe oidc discovery provider
+extraEnv: []
+
 spiffeHelper:
  image:
    ## @param spiffeHelper.image.registry The OCI registry to pull the image from
@ -41,7 +53,7 @@ spiffeHelper:
    registry: ghcr.io
    repository: spiffe/spiffe-helper
    pullPolicy: IfNotPresent
-    tag: nightly@sha256:8cee346ffdcee5c996d394f1c3bb761c2c06834a0e779a78db6dc6a46fd13ae6
+    tag: 0.10.1
  ## @param spiffeHelper.resources [object] Resource requests and limits
  resources: {}

@ -164,7 +176,7 @@ insecureScheme:
      registry: docker.io
      repository: nginxinc/nginx-unprivileged
      pullPolicy: IfNotPresent
-      tag: 1.27.1-alpine
+      tag: 1.29.0-alpine
    ## @param insecureScheme.nginx.ipMode IP modes supported by the cluster. Must be one of [ipv4, ipv6, both]
    ipMode: both
    ## @param insecureScheme.nginx.resources Resource requests and limits
@ -186,6 +198,10 @@ jwtIssuer: ""
 config:
  ## @param config.logLevel The log level, valid values are "debug", "info", "warn", and "error"
  logLevel: info
+  ## @param config.jwtDomain [string] The JWT domain. Defaults to oidc-discovery.$jwtIssuer URL-parsed host if unset
+  jwtDomain: ""
+  ## @param config.jwksUri [string] The JWKS URI
+  jwksUri: ""
  ## @param config.additionalDomains [array] Add additional domains that can be used for oidc discovery
  additionalDomains: []
  # - localhost
@ -264,7 +280,7 @@ telemetry:
        registry: docker.io
        repository: nginx/nginx-prometheus-exporter
        pullPolicy: IfNotPresent
-        tag: "1.3.0"
+        tag: "1.4.2"

      ## @param telemetry.prometheus.nginxExporter.resources [object] Resource requests and limits
      resources: {}
@ -330,7 +346,7 @@ tests:
      registry: cgr.dev
      repository: chainguard/bash
      pullPolicy: IfNotPresent
-      tag: latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a
+      tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679

  toolkit:
    ## @param tests.toolkit.image.registry The OCI registry to pull the image from
@ -342,7 +358,7 @@ tests:
      registry: cgr.dev
      repository: chainguard/min-toolkit-debug
      pullPolicy: IfNotPresent
-      tag: latest@sha256:5420e15d91112458fc573755954c9174dbf4db8d802c4de3aac18145f5a78a17
+      tag: latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53

  step:
    ## @param tests.step.image.registry The OCI registry to pull the image from
@ -354,7 +370,7 @@ tests:
      registry: "docker.io"
      repository: smallstep/step-cli
      pullPolicy: IfNotPresent
-      tag: 0.27.2
+      tag: 0.28.7

  busybox:
    ## @param tests.busybox.image.registry The OCI registry to pull the image from
@ -366,7 +382,7 @@ tests:
      registry: ""
      repository: busybox
      pullPolicy: IfNotPresent
-      tag: 1.36.1-uclibc
+      tag: 1.37.0-uclibc

  agent:
    ## @param tests.agent.image.registry The OCI registry to pull the image from
@ -388,7 +404,7 @@ tools:
    ## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion
    ##
    image:
-      registry: docker.io
-      repository: rancher/kubectl
+      registry: registry.k8s.io
+      repository: kubectl
      pullPolicy: IfNotPresent
      tag: ""
--- a/charts/spire/charts/spike-keeper/Chart.yaml
+++ b/charts/spire/charts/spike-keeper/Chart.yaml
@ -0,0 +1,13 @@
+apiVersion: v2
+name: spike-keeper
+description: A Helm chart to deploy SPIKE Keeper
+type: application
+version: 0.1.0
+appVersion: "0.4.2"
+home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
+sources:
+  - https://github.com/spiffe/spike
+icon: https://spike.ist/assets/spike-banner.png
+maintainers:
+  - name: kfox1111
+    email: Kevin.Fox@pnnl.gov
--- a/charts/spire/charts/spike-keeper/README.md
+++ b/charts/spire/charts/spike-keeper/README.md
@ -0,0 +1,72 @@
+# spike-keeper
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.1](https://img.shields.io/badge/AppVersion-v0.4.1-informational?style=flat-square)
+[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
+
+A Helm chart to deploy spike keepers
+
+**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
+
+## Version support
+
+> [!Note]
+> This Chart is still in development and still subject to change the API (`values.yaml`).
+> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
+> we do aim for as much stability as possible.
+
+| Dependency | Supported Versions |
+|:-----------|:-------------------|
+| Helm       | `3.x`              |
+
+## Source Code
+
+* <https://github.com/spiffe/spike>
+
+<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
+
+## Parameters
+
+### Chart parameters
+
+| Name                               | Description                                                                                                                                                                                                                             | Value                 |
+| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
+| `image.registry`                   | The OCI registry to pull the image from                                                                                                                                                                                                 | `ghcr.io`             |
+| `image.repository`                 | The repository within the registry                                                                                                                                                                                                      | `spiffe/spike-keeper` |
+| `image.pullPolicy`                 | The image pull policy                                                                                                                                                                                                                   | `IfNotPresent`        |
+| `image.tag`                        | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                           | `""`                  |
+| `replicas`                         | The number of keepers to launch                                                                                                                                                                                                         | `3`                   |
+| `trustRoot.nexus`                  | Override which trustRoot Nexus is in                                                                                                                                                                                                    | `""`                  |
+| `logLevel`                         | The log level, valid values are "debug", "info", "warn", and "error"                                                                                                                                                                    | `debug`               |
+| `agentSocketName`                  | The name of the spire-agent unix socket                                                                                                                                                                                                 | `spire-agent.sock`    |
+| `csiDriverName`                    | The csi driver to use                                                                                                                                                                                                                   | `csi.spiffe.io`       |
+| `imagePullSecrets`                 | Pull secrets for images                                                                                                                                                                                                                 | `[]`                  |
+| `nameOverride`                     | Name override                                                                                                                                                                                                                           | `""`                  |
+| `namespaceOverride`                | Namespace override                                                                                                                                                                                                                      | `""`                  |
+| `fullnameOverride`                 | Fullname override                                                                                                                                                                                                                       | `""`                  |
+| `serviceAccount.create`            | Specifies whether a service account should be created                                                                                                                                                                                   | `true`                |
+| `serviceAccount.annotations`       | Annotations to add to the service account                                                                                                                                                                                               | `{}`                  |
+| `serviceAccount.name`              | The name of the service account to use. If not set and create is true, a name is generated.                                                                                                                                             | `""`                  |
+| `labels`                           | Labels for pods                                                                                                                                                                                                                         | `{}`                  |
+| `podSecurityContext`               | Pod security context                                                                                                                                                                                                                    | `{}`                  |
+| `securityContext`                  | Security context                                                                                                                                                                                                                        | `{}`                  |
+| `service.type`                     | Service type                                                                                                                                                                                                                            | `ClusterIP`           |
+| `service.port`                     | Service port                                                                                                                                                                                                                            | `443`                 |
+| `service.annotations`              | Annotations for service resource                                                                                                                                                                                                        | `{}`                  |
+| `nodeSelector`                     | (Optional) Select specific nodes to run on.                                                                                                                                                                                             | `{}`                  |
+| `affinity`                         | Affinity rules                                                                                                                                                                                                                          | `{}`                  |
+| `tolerations`                      | List of tolerations                                                                                                                                                                                                                     | `[]`                  |
+| `topologySpreadConstraints`        | List of topology spread constraints for resilience                                                                                                                                                                                      | `[]`                  |
+| `startupProbe.enabled`             | Enable startupProbe                                                                                                                                                                                                                     | `true`                |
+| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe                                                                                                                                                                                                  | `5`                   |
+| `startupProbe.periodSeconds`       | Period seconds for startupProbe                                                                                                                                                                                                         | `10`                  |
+| `startupProbe.timeoutSeconds`      | Timeout seconds for startupProbe                                                                                                                                                                                                        | `5`                   |
+| `startupProbe.failureThreshold`    | Failure threshold count for startupProbe                                                                                                                                                                                                | `6`                   |
+| `startupProbe.successThreshold`    | Success threshold count for startupProbe                                                                                                                                                                                                | `1`                   |
+| `ingress.enabled`                  | Flag to enable ingress                                                                                                                                                                                                                  | `false`               |
+| `ingress.className`                | Ingress class name                                                                                                                                                                                                                      | `""`                  |
+| `ingress.controllerType`           | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""`                  |
+| `ingress.annotations`              | Annotations                                                                                                                                                                                                                             | `{}`                  |
+| `ingress.host`                     | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.                                                        | `keeper`              |
+| `ingress.tlsSecret`                | Secret that has the certs. If blank will use default certs. Used with host var.                                                                                                                                                         | `""`                  |
+| `ingress.hosts`                    | Host paths for ingress object. If empty, rules will be built based on the host var.                                                                                                                                                     | `[]`                  |
+| `ingress.tls`                      | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.                                                                                                            | `[]`                  |
--- a/charts/spire/charts/spike-keeper/templates/NOTES.txt
+++ b/charts/spire/charts/spike-keeper/templates/NOTES.txt
@ -0,0 +1 @@
+Installed {{ .Chart.Name }}…
--- a/charts/spire/charts/spike-keeper/templates/_helpers.tpl
+++ b/charts/spire/charts/spike-keeper/templates/_helpers.tpl
@ -0,0 +1,83 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "spike-keeper.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "spike-keeper.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "spike-keeper.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
+    {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
+      {{- .Values.global.spire.namespaces.server.name }}
+    {{- else }}
+      {{- printf "spire-server" }}
+    {{- end }}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "spike-keeper.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "spike-keeper.labels" -}}
+helm.sh/chart: {{ include "spike-keeper.chart" . }}
+{{ include "spike-keeper.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "spike-keeper.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "spike-keeper.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "spike-keeper.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "spike-keeper.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "spike-keeper.workload-api-socket-path" -}}
+{{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
+{{- end }}
--- a/charts/spire/charts/spike-keeper/templates/ingress.yaml
+++ b/charts/spire/charts/spike-keeper/templates/ingress.yaml
@ -0,0 +1,44 @@
+{{- if .Values.ingress.enabled -}}
+{{ $root := . }}
+{{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.ingress) }}
+{{- $fullName := include "spike-keeper.fullname" . -}}
+{{- $tlsSection := true }}
+{{- $annotations := deepCopy .Values.ingress.annotations }}
+{{- if eq $ingressControllerType "ingress-nginx" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
+{{- else if eq $ingressControllerType "openshift" }}
+{{-   $path = "" }}
+{{-   $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
+{{-   $tlsSection = false }}
+{{- end }}
+{{ $last := sub (.Values.replicas | int) 1 | int }}
+{{ range (seq 0 ($last) | toString | split " ") }}
+{{ $i := . }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-{{ $i }}
+  namespace: {{ include "spike-keeper.namespace" $root }}
+  labels:
+    {{ include "spike-keeper.labels" $root | nindent 4}}
+  {{- with $annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- $host := $root.Values.ingress.host }}
+  {{- if contains "." $host }}
+  {{-   $hostParts := regexSplit "[.]" $host 2 }}
+  {{-   $host = printf "%s-%s.%s" (index $hostParts 0) $i (index $hostParts 1) }}
+  {{- else }}
+  {{-   $host = printf "%s-%s" $host $i }}
+  {{- end }}
+  {{ $ingress := deepCopy $root.Values.ingress }}
+  {{ $_ :=  set $ingress "host" $host }}
+  {{ include "spire-lib.ingress-spec" (dict "ingress" $ingress "svcName" (printf "%s-%s" $fullName $i) "port" $root.Values.service.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" $root.Values) | nindent 2 }}
+{{- end }}
+{{- end }}
--- a/charts/spire/charts/spike-keeper/templates/service.yaml
+++ b/charts/spire/charts/spike-keeper/templates/service.yaml
@ -0,0 +1,48 @@
+{{ $root := . }}
+{{ $last := sub (.Values.replicas | int) 1 | int }}
+{{ range (seq 0 ($last) | toString | split " ") }}
+{{ $i := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: {{ include "spike-keeper.namespace" $root }}
+  name: {{ include "spike-keeper.fullname" $root }}-{{ $i }}
+  {{- with $root.Values.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    apps.kubernetes.io/pod-index: {{ $i | quote }}
+    {{- include "spike-keeper.labels" $root | nindent 4 }}
+spec:
+  type: {{ $root.Values.service.type }}
+  selector:
+    apps.kubernetes.io/pod-index: {{ $i | quote }}
+    {{- include "spike-keeper.selectorLabels" $root | nindent 4 }}
+  ports:
+    - name: {{ include "spike-keeper.fullname" $root }}
+      port: {{ $root.Values.service.port }}
+      targetPort: http
+{{ end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: {{ include "spike-keeper.namespace" $root }}
+  name: {{ include "spike-keeper.fullname" $root }}-headless
+  {{- with $root.Values.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "spike-keeper.labels" $root | nindent 4 }}
+spec:
+  type: {{ $root.Values.service.type }}
+  clusterIP: None
+  selector:
+    {{- include "spike-keeper.selectorLabels" $root | nindent 4 }}
+  ports:
+    - name: {{ include "spike-keeper.fullname" $root }}
+      port: {{ $root.Values.service.port }}
+      targetPort: http
--- a/charts/spire/charts/spike-keeper/templates/serviceaccount.yaml
+++ b/charts/spire/charts/spike-keeper/templates/serviceaccount.yaml
@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "spike-keeper.serviceAccountName" . }}
+  namespace: {{ include "spike-keeper.namespace" . }}
+  labels:
+    {{- include "spike-keeper.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/charts/spire/charts/spike-keeper/templates/statefulset.yaml
+++ b/charts/spire/charts/spike-keeper/templates/statefulset.yaml
@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ include "spike-keeper.fullname" . }}
+  namespace: {{ include "spike-keeper.namespace" . }}
+  labels:
+    {{- include "spike-keeper.labels" . | nindent 4 }}
+spec:
+  serviceName: {{ include "spike-keeper.fullname" . }}-headless
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      {{- include "spike-keeper.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "spike-keeper.selectorLabels" . | nindent 8 }}
+        release: {{ .Release.Name }}
+        release-namespace: {{ .Release.Namespace }}
+        component: spike-keeper
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "spike-keeper.serviceAccountName" . }}
+      securityContext:
+        {{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
+      containers:
+        - name:  {{ include "spike-keeper.fullname" . }}
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{- include "spire-lib.securitycontext" . | nindent 12 }}
+          ports:
+            - name: http
+              containerPort: 8443
+              protocol: TCP
+          env:
+            - name: SPIFFE_ENDPOINT_SOCKET
+              value: unix://{{ include "spike-keeper.workload-api-socket-path" . }}
+            - name: SPIKE_SYSTEM_LOG_LEVEL
+              value: {{ .Values.logLevel | upper }}
+            - name: SPIKE_TRUST_ROOT
+              value: {{ include "spire-lib.trust-domain" . }}
+            - name: SPIKE_TRUST_ROOT_NEXUS
+              value: {{if eq .Values.trustRoot.nexus "" }}{{ include "spire-lib.trust-domain" . }}{{ else }}{{.Values.trustRoot.nexus }}{{ end }}
+            - name: SPIKE_KEEPER_TLS_PORT
+              value: ":8443"
+          {{- if .Values.startupProbe.enabled }}
+          startupProbe:
+            tcpSocket:
+              port: 8443
+            failureThreshold: {{ .Values.startupProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.startupProbe.periodSeconds }}
+            successThreshold: {{ .Values.startupProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
+          {{- end }}
+          volumeMounts:
+            - name: spiffe-workload-api
+              mountPath: {{ include "spike-keeper.workload-api-socket-path" . | dir }}
+              readOnly: true
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: spiffe-workload-api
+          csi:
+            driver: "{{ .Values.csiDriverName }}"
+            readOnly: true
--- a/charts/spire/charts/spike-keeper/values.yaml
+++ b/charts/spire/charts/spike-keeper/values.yaml
@ -0,0 +1,139 @@
+# Default configuration for SPIKE Keeper
+# SPDX-License-Identifier: APACHE-2.0
+
+## @skip global
+global: {}
+
+## @section Chart parameters
+##
+## @param image.registry The OCI registry to pull the image from
+## @param image.repository The repository within the registry
+## @param image.pullPolicy The image pull policy
+## @param image.tag Overrides the image tag whose default is the chart appVersion
+##
+image:
+  registry: ghcr.io
+  repository: spiffe/spike-keeper
+  pullPolicy: IfNotPresent
+  tag: ""
+
+## @param replicas The number of keepers to launch
+replicas: 3
+
+trustRoot:
+  ## @param trustRoot.nexus Override which trustRoot Nexus is in
+  nexus: ""
+
+## @param logLevel The log level, valid values are "debug", "info", "warn", and "error"
+logLevel: debug
+
+## @param agentSocketName The name of the spire-agent unix socket
+agentSocketName: spire-agent.sock
+## @param csiDriverName The csi driver to use
+csiDriverName: csi.spiffe.io
+
+## @param imagePullSecrets [array] Pull secrets for images
+imagePullSecrets: []
+
+## @param nameOverride Name override
+nameOverride: ""
+
+## @param namespaceOverride Namespace override
+namespaceOverride: ""
+
+## @param fullnameOverride Fullname override
+fullnameOverride: ""
+
+## @param serviceAccount.create Specifies whether a service account should be created
+## @param serviceAccount.annotations [object] Annotations to add to the service account
+## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
+##
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""
+
+## @param labels [object] Labels for pods
+labels: {}
+
+## @param podSecurityContext [object] Pod security context
+podSecurityContext: {}
+  # fsGroup: 2000
+
+## @param securityContext [object] Security context
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+## @param service.type Service type
+## @param service.port Service port
+## @param service.annotations Annotations for service resource
+##
+service:
+  type: ClusterIP
+  port: 443
+  annotations: {}
+
+## @param nodeSelector (Optional) Select specific nodes to run on.
+nodeSelector: {}
+
+## @param affinity [object] Affinity rules
+affinity: {}
+
+## @param tolerations [array] List of tolerations
+tolerations: []
+
+## @param topologySpreadConstraints [array] List of topology spread constraints for resilience
+topologySpreadConstraints: []
+
+## Provide minimal resources to prevent accidental crashes due to resource exhaustion
+# resources:
+#   requests:
+#     cpu: 50m
+#     memory: 128Mi
+#   limits:
+#     cpu: 100m
+#     memory: 512Mi
+
+## Configure extra options for startup probe
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
+## @param startupProbe.enabled Enable startupProbe
+## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+## @param startupProbe.periodSeconds Period seconds for startupProbe
+## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
+## @param startupProbe.failureThreshold Failure threshold count for startupProbe
+## @param startupProbe.successThreshold Success threshold count for startupProbe
+##
+startupProbe:
+  enabled: true
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
+
+## @param ingress.enabled Flag to enable ingress
+## @param ingress.className Ingress class name
+## @param ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
+## @param ingress.annotations [object] Annotations
+ingress:
+  enabled: false
+  className: ""
+  controllerType: ""
+  annotations: {}
+
+  ## @param ingress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
+  host: "keeper"
+
+  ## @param ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
+  tlsSecret: ""
+
+  ## @param ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
+  hosts: []
+
+  ## @param ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
+  tls: []
--- a/charts/spire/charts/spike-nexus/Chart.yaml
+++ b/charts/spire/charts/spike-nexus/Chart.yaml
@ -0,0 +1,13 @@
+apiVersion: v2
+name: spike-nexus
+description: A Helm chart to deploy SPIKE Nexus
+type: application
+version: 0.1.0
+appVersion: "0.4.2"
+home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
+sources:
+  - https://github.com/spiffe/spike
+icon: https://spike.ist/assets/spike-banner.png
+maintainers:
+  - name: kfox1111
+    email: Kevin.Fox@pnnl.gov
--- a/charts/spire/charts/spike-nexus/README.md
+++ b/charts/spire/charts/spike-nexus/README.md
@ -0,0 +1,83 @@
+# spike-nexus
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.1](https://img.shields.io/badge/AppVersion-v0.4.1-informational?style=flat-square)
+[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
+
+A Helm chart to deploy spike nexus
+
+**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
+
+## Version support
+
+> [!Note]
+> This Chart is still in development and still subject to change the API (`values.yaml`).
+> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
+> we do aim for as much stability as possible.
+
+| Dependency | Supported Versions |
+|:-----------|:-------------------|
+| Helm       | `3.x`              |
+
+## Source Code
+
+* <https://github.com/spiffe/spike>
+
+<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
+
+## Parameters
+
+### Chart parameters
+
+| Name                               | Description                                                                                                                                                                                                                             | Value                |
+| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- |
+| `image.registry`                   | The OCI registry to pull the image from                                                                                                                                                                                                 | `ghcr.io`            |
+| `image.repository`                 | The repository within the registry                                                                                                                                                                                                      | `spiffe/spike-nexus` |
+| `image.pullPolicy`                 | The image pull policy                                                                                                                                                                                                                   | `IfNotPresent`       |
+| `image.tag`                        | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                           | `""`                 |
+| `backendStore`                     | The backend store to use. Must be one of [sqlite, memory, lite]                                                                                                                                                                         | `sqlite`             |
+| `replicas`                         | The number of keepers to launch                                                                                                                                                                                                         | `1`                  |
+| `shamir.shares`                    | How many shares to configure for shamir secrets                                                                                                                                                                                         | `3`                  |
+| `shamir.threshold`                 | How many shares needed to recover                                                                                                                                                                                                       | `2`                  |
+| `keeperPeers`                      | Keeper peer configuration. If blank, it will be autodetected                                                                                                                                                                            | `[]`                 |
+| `trustRoot.nexus`                  | Override which trustRoot Nexus is in                                                                                                                                                                                                    | `""`                 |
+| `trustRoot.keepers`                | Override which trustRoot Keepers are in                                                                                                                                                                                                 | `[]`                 |
+| `trustRoot.pilot`                  | Override which trustRoot Pilot is in                                                                                                                                                                                                    | `""`                 |
+| `logLevel`                         | The log level, valid values are "debug", "info", "warn", and "error"                                                                                                                                                                    | `debug`              |
+| `agentSocketName`                  | The name of the spire-agent unix socket                                                                                                                                                                                                 | `spire-agent.sock`   |
+| `csiDriverName`                    | The csi driver to use                                                                                                                                                                                                                   | `csi.spiffe.io`      |
+| `imagePullSecrets`                 | Pull secrets for images                                                                                                                                                                                                                 | `[]`                 |
+| `nameOverride`                     | Name override                                                                                                                                                                                                                           | `""`                 |
+| `namespaceOverride`                | Namespace override                                                                                                                                                                                                                      | `""`                 |
+| `fullnameOverride`                 | Fullname override                                                                                                                                                                                                                       | `""`                 |
+| `serviceAccount.create`            | Specifies whether a service account should be created                                                                                                                                                                                   | `true`               |
+| `serviceAccount.annotations`       | Annotations to add to the service account                                                                                                                                                                                               | `{}`                 |
+| `serviceAccount.name`              | The name of the service account to use. If not set and create is true, a name is generated.                                                                                                                                             | `""`                 |
+| `labels`                           | Labels for pods                                                                                                                                                                                                                         | `{}`                 |
+| `podSecurityContext`               | Pod security context                                                                                                                                                                                                                    | `{}`                 |
+| `securityContext`                  | Security context                                                                                                                                                                                                                        | `{}`                 |
+| `service.type`                     | Service type                                                                                                                                                                                                                            | `ClusterIP`          |
+| `service.port`                     | Service port                                                                                                                                                                                                                            | `443`                |
+| `service.annotations`              | Annotations for service resource                                                                                                                                                                                                        | `{}`                 |
+| `nodeSelector`                     | (Optional) Select specific nodes to run on.                                                                                                                                                                                             | `{}`                 |
+| `affinity`                         | Affinity rules                                                                                                                                                                                                                          | `{}`                 |
+| `tolerations`                      | List of tolerations                                                                                                                                                                                                                     | `[]`                 |
+| `topologySpreadConstraints`        | List of topology spread constraints for resilience                                                                                                                                                                                      | `[]`                 |
+| `startupProbe.enabled`             | Enable startupProbe                                                                                                                                                                                                                     | `true`               |
+| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe                                                                                                                                                                                                  | `5`                  |
+| `startupProbe.periodSeconds`       | Period seconds for startupProbe                                                                                                                                                                                                         | `10`                 |
+| `startupProbe.timeoutSeconds`      | Timeout seconds for startupProbe                                                                                                                                                                                                        | `5`                  |
+| `startupProbe.failureThreshold`    | Failure threshold count for startupProbe                                                                                                                                                                                                | `6`                  |
+| `startupProbe.successThreshold`    | Success threshold count for startupProbe                                                                                                                                                                                                | `1`                  |
+| `ingress.enabled`                  | Flag to enable ingress                                                                                                                                                                                                                  | `false`              |
+| `ingress.className`                | Ingress class name                                                                                                                                                                                                                      | `""`                 |
+| `ingress.controllerType`           | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""]. | `""`                 |
+| `ingress.annotations`              | Annotations                                                                                                                                                                                                                             | `{}`                 |
+| `ingress.host`                     | Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.                                                        | `nexus`              |
+| `ingress.tlsSecret`                | Secret that has the certs. If blank will use default certs. Used with host var.                                                                                                                                                         | `""`                 |
+| `ingress.hosts`                    | Host paths for ingress object. If empty, rules will be built based on the host var.                                                                                                                                                     | `[]`                 |
+| `ingress.tls`                      | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.                                                                                                            | `[]`                 |
+| `persistence.type`                 | What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only)                                                                                                                          | `pvc`                |
+| `persistence.size`                 | What size volume to use for persistence                                                                                                                                                                                                 | `1Gi`                |
+| `persistence.accessMode`           | What access mode to use for persistence. Valid options are ReadWriteOnce (recommended), ReadWriteOncePod, ReadWriteMany (not recommended)                                                                                               | `ReadWriteOnce`      |
+| `persistence.storageClass`         | What storage class to use for persistence                                                                                                                                                                                               | `nil`                |
+| `persistence.hostPath`             | Which path to use on the host when persistence.type = hostPath                                                                                                                                                                          | `""`                 |
--- a/charts/spire/charts/spike-nexus/templates/NOTES.txt
+++ b/charts/spire/charts/spike-nexus/templates/NOTES.txt
@ -0,0 +1 @@
+Installed {{ .Chart.Name }}…
--- a/charts/spire/charts/spike-nexus/templates/_helpers.tpl
+++ b/charts/spire/charts/spike-nexus/templates/_helpers.tpl
@ -0,0 +1,83 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "spike-nexus.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "spike-nexus.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "spike-nexus.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
+    {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
+      {{- .Values.global.spire.namespaces.server.name }}
+    {{- else }}
+      {{- printf "spire-server" }}
+    {{- end }}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "spike-nexus.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "spike-nexus.labels" -}}
+helm.sh/chart: {{ include "spike-nexus.chart" . }}
+{{ include "spike-nexus.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "spike-nexus.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "spike-nexus.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "spike-nexus.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "spike-nexus.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "spike-nexus.workload-api-socket-path" -}}
+{{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
+{{- end }}
--- a/charts/spire/charts/spike-nexus/templates/ingress.yaml
+++ b/charts/spire/charts/spike-nexus/templates/ingress.yaml
@ -0,0 +1,31 @@
+{{- if .Values.ingress.enabled -}}
+{{ $root := . }}
+{{- $ingressControllerType := include "spire-lib.ingress-controller-type" (dict "global" .Values.global "ingress" .Values.ingress) }}
+{{- $fullName := include "spike-nexus.fullname" . -}}
+{{- $tlsSection := true }}
+{{- $annotations := deepCopy .Values.ingress.annotations }}
+{{- if eq $ingressControllerType "ingress-nginx" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/force-ssl-redirect" "true" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" }}
+{{-   $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" }}
+{{- else if eq $ingressControllerType "openshift" }}
+{{-   $path = "" }}
+{{-   $_ := set $annotations "route.openshift.io/termination" "passthrough" }}
+{{-   $tlsSection = false }}
+{{- end }}
+{{ $last := sub (.Values.replicas | int) 1 | int }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ include "spike-nexus.namespace" $root }}
+  labels:
+    {{ include "spike-nexus.labels" $root | nindent 4}}
+  {{- with $annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{ include "spire-lib.ingress-spec" (dict "ingress" .Values.ingress "svcName" $fullName "port" $root.Values.service.port "path" "/" "pathType" "Prefix" "tlsSection" $tlsSection "Values" $root.Values) | nindent 2 }}
+{{- end }}
--- a/charts/spire/charts/spike-nexus/templates/service.yaml
+++ b/charts/spire/charts/spike-nexus/templates/service.yaml
@ -0,0 +1,20 @@
+{{ $root := . }}
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: {{ include "spike-nexus.namespace" $root }}
+  name: {{ include "spike-nexus.fullname" $root }}
+  {{- with $root.Values.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "spike-nexus.labels" $root | nindent 4 }}
+spec:
+  type: {{ $root.Values.service.type }}
+  selector:
+    {{- include "spike-nexus.selectorLabels" $root | nindent 4 }}
+  ports:
+    - name: {{ include "spike-nexus.fullname" $root }}
+      port: {{ $root.Values.service.port }}
+      targetPort: http
--- a/charts/spire/charts/spike-nexus/templates/serviceaccount.yaml
+++ b/charts/spire/charts/spike-nexus/templates/serviceaccount.yaml
@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "spike-nexus.serviceAccountName" . }}
+  namespace: {{ include "spike-nexus.namespace" . }}
+  labels:
+    {{- include "spike-nexus.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/charts/spire/charts/spike-nexus/templates/statefulset.yaml
+++ b/charts/spire/charts/spike-nexus/templates/statefulset.yaml
@ -0,0 +1,114 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ include "spike-nexus.fullname" . }}
+  namespace: {{ include "spike-nexus.namespace" . }}
+  labels:
+    {{- include "spike-nexus.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      {{- include "spike-nexus.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "spike-nexus.selectorLabels" . | nindent 8 }}
+        release: {{ .Release.Name }}
+        release-namespace: {{ .Release.Namespace }}
+        component: spike-nexus
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "spike-nexus.serviceAccountName" . }}
+      securityContext:
+        {{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
+      containers:
+        - name:  {{ include "spike-nexus.fullname" . }}
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{- include "spire-lib.securitycontext" . | nindent 12 }}
+          ports:
+            - name: http
+              containerPort: 8443
+              protocol: TCP
+          env:
+            - name: SPIKE_NEXUS_BACKEND_STORE
+              value: {{ .Values.backendStore | quote }}
+            - name: SPIKE_NEXUS_SHAMIR_SHARES
+              value: {{ .Values.shamir.shares | quote }}
+            - name: SPIKE_NEXUS_SHAMIR_THRESHOLD
+              value: {{ .Values.shamir.threshold | quote }}
+            # Note: IP will depend on the testbed.
+            - name: SPIKE_NEXUS_KEEPER_PEERS
+              {{- if gt (len .Values.keeperPeers) 0 }}
+              value: {{ .Values.keeperPeers | join "," | quote }}
+              {{- else }}
+              value: https://{{ .Release.Name }}-spike-keeper-0.{{ .Release.Name }}-spike-keeper-headless:8443,https://{{ .Release.Name }}-spike-keeper-1.{{ .Release.Name }}-spike-keeper-headless:8443,https://{{ .Release.Name }}-spike-keeper-2.{{ .Release.Name }}-spike-keeper-headless:8443
+              {{- end }}
+            - name: SPIFFE_ENDPOINT_SOCKET
+              value: unix://{{ include "spike-nexus.workload-api-socket-path" . }}
+            - name: SPIKE_SYSTEM_LOG_LEVEL
+              value: {{ .Values.logLevel | upper }}
+            - name: SPIKE_TRUST_ROOT
+              value: {{ include "spire-lib.trust-domain" . }}
+            - name: SPIKE_TRUST_ROOT_KEEPER
+              value: {{ if gt (len .Values.trustRoot.keepers) 0 }}{{ .Values.trustRoot.keepers | join "," | quote}}{{ else }}{{ include "spire-lib.trust-domain" . }}{{ end }}
+            - name: SPIKE_TRUST_ROOT_PILOT
+              value: {{if eq .Values.trustRoot.pilot "" }}{{ include "spire-lib.trust-domain" . }}{{ else }}{{.Values.trustRoot.pilot }}{{ end }}
+            - name: SPIKE_NEXUS_TLS_PORT
+              value: ":8443"
+          {{- if .Values.startupProbe.enabled }}
+          startupProbe:
+            tcpSocket:
+              port: 8443
+            failureThreshold: {{ .Values.startupProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.startupProbe.periodSeconds }}
+            successThreshold: {{ .Values.startupProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
+          {{- end }}
+          volumeMounts:
+            - name: spiffe-workload-api
+              mountPath: {{ include "spike-nexus.workload-api-socket-path" . | dir }}
+              readOnly: true
+            - name: nexus-data
+              mountPath: /.spike
+      {{- with .Values.nodeSelector }}
+
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: spiffe-workload-api
+          csi:
+            driver: "{{ .Values.csiDriverName }}"
+            readOnly: true
+  volumeClaimTemplates:
+    - metadata:
+        name: nexus-data
+      spec:
+        accessModes:
+          - {{ .Values.persistence.accessMode | default "ReadWriteOnce" }}
+        resources:
+          requests:
+            storage: {{ .Values.persistence.size }}
+        {{- $storageClass := (dig "spire" "persistence" "storageClass" nil .Values.global) | default .Values.persistence.storageClass }}
+        {{- if $storageClass }}
+        storageClassName: {{ $storageClass }}
+        {{- end }}
--- a/charts/spire/charts/spike-nexus/values.yaml
+++ b/charts/spire/charts/spike-nexus/values.yaml
@ -0,0 +1,175 @@
+# Default configuration for SPIKE Keeper
+# SPDX-License-Identifier: APACHE-2.0
+
+## @skip global
+global: {}
+
+## @section Chart parameters
+##
+## @param image.registry The OCI registry to pull the image from
+## @param image.repository The repository within the registry
+## @param image.pullPolicy The image pull policy
+## @param image.tag Overrides the image tag whose default is the chart appVersion
+##
+image:
+  registry: ghcr.io
+  repository: spiffe/spike-nexus
+  pullPolicy: IfNotPresent
+  tag: ""
+
+## @param backendStore The backend store to use. Must be one of [sqlite, memory, lite]
+backendStore: sqlite
+
+## @param replicas The number of keepers to launch
+replicas: 1
+
+shamir:
+  ## @param shamir.shares How many shares to configure for shamir secrets
+  shares: 3
+  ## @param shamir.threshold How many shares needed to recover
+  threshold: 2
+
+## @param keeperPeers Keeper peer configuration. If blank, it will be autodetected
+keeperPeers: []
+
+trustRoot:
+  ## @param trustRoot.nexus Override which trustRoot Nexus is in
+  nexus: ""
+  ## @param trustRoot.keepers Override which trustRoot Keepers are in
+  keepers: []
+  ## @param trustRoot.pilot Override which trustRoot Pilot is in
+  pilot: ""
+
+## @param logLevel The log level, valid values are "debug", "info", "warn", and "error"
+logLevel: debug
+
+## @param agentSocketName The name of the spire-agent unix socket
+agentSocketName: spire-agent.sock
+## @param csiDriverName The csi driver to use
+csiDriverName: csi.spiffe.io
+
+## @param imagePullSecrets [array] Pull secrets for images
+imagePullSecrets: []
+
+## @param nameOverride Name override
+nameOverride: ""
+
+## @param namespaceOverride Namespace override
+namespaceOverride: ""
+
+## @param fullnameOverride Fullname override
+fullnameOverride: ""
+
+## @param serviceAccount.create Specifies whether a service account should be created
+## @param serviceAccount.annotations [object] Annotations to add to the service account
+## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
+##
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""
+
+## @param labels [object] Labels for pods
+labels: {}
+
+## @param podSecurityContext [object] Pod security context
+podSecurityContext: {}
+  # fsGroup: 2000
+
+## @param securityContext [object] Security context
+securityContext:
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+
+## @param service.type Service type
+## @param service.port Service port
+## @param service.annotations Annotations for service resource
+##
+service:
+  type: ClusterIP
+  port: 443
+  annotations: {}
+
+## @param nodeSelector (Optional) Select specific nodes to run on.
+nodeSelector: {}
+
+## @param affinity [object] Affinity rules
+affinity: {}
+
+## @param tolerations [array] List of tolerations
+tolerations: []
+
+## @param topologySpreadConstraints [array] List of topology spread constraints for resilience
+topologySpreadConstraints: []
+
+## Provide minimal resources to prevent accidental crashes due to resource exhaustion
+# resources:
+#   requests:
+#     cpu: 50m
+#     memory: 128Mi
+#   limits:
+#     cpu: 100m
+#     memory: 512Mi
+
+## Configure extra options for startup probe
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
+## @param startupProbe.enabled Enable startupProbe
+## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+## @param startupProbe.periodSeconds Period seconds for startupProbe
+## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
+## @param startupProbe.failureThreshold Failure threshold count for startupProbe
+## @param startupProbe.successThreshold Success threshold count for startupProbe
+##
+startupProbe:
+  enabled: true
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
+
+## @param ingress.enabled Flag to enable ingress
+## @param ingress.className Ingress class name
+## @param ingress.controllerType Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, auto-detection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].
+## @param ingress.annotations [object] Annotations
+ingress:
+  enabled: false
+  className: ""
+  controllerType: ""
+  annotations: {}
+
+  ## @param ingress.host Host name for the ingress. If no '.' in host, trustDomain is automatically appended. The rest of the rules will be autogenerated. For more customizability, use hosts[] instead.
+  host: "nexus"
+
+  ## @param ingress.tlsSecret Secret that has the certs. If blank will use default certs. Used with host var.
+  tlsSecret: ""
+
+  ## @param ingress.hosts [array] Host paths for ingress object. If empty, rules will be built based on the host var.
+  hosts: []
+  #   - host: nexus.example.org
+  #     paths:
+  #       - path: /
+  #         pathType: Prefix
+
+  ## @param ingress.tls [array] Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - nexus.example.org
+
+## @param persistence.type What type of volume to use for persistence. Valid options pvc (recommended), hostPath, emptyDir (testing only)
+## @param persistence.size What size volume to use for persistence
+## @param persistence.accessMode What access mode to use for persistence. Valid options are ReadWriteOnce (recommended), ReadWriteOncePod, ReadWriteMany (not recommended)
+## @param persistence.storageClass What storage class to use for persistence
+## @param persistence.hostPath Which path to use on the host when persistence.type = hostPath
+##
+persistence:
+  type: pvc
+  size: 1Gi
+  accessMode: ReadWriteOnce
+  storageClass: null
+  hostPath: ""
--- a/charts/spire/charts/spike-pilot/Chart.yaml
+++ b/charts/spire/charts/spike-pilot/Chart.yaml
@ -0,0 +1,13 @@
+apiVersion: v2
+name: spike-pilot
+description: A Helm chart to deploy SPIKE Pilot
+type: application
+version: 0.1.0
+appVersion: "0.4.2"
+home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
+sources:
+  - https://github.com/spiffe/spike
+icon: https://spike.ist/assets/spike-banner.png
+maintainers:
+  - name: kfox1111
+    email: Kevin.Fox@pnnl.gov
--- a/charts/spire/charts/spike-pilot/README.md
+++ b/charts/spire/charts/spike-pilot/README.md
@ -0,0 +1,63 @@
+# spike-pilot
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.1](https://img.shields.io/badge/AppVersion-v0.4.1-informational?style=flat-square)
+[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
+
+A Helm chart to deploy spike pilot
+
+**Homepage:** <https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire>
+
+## Version support
+
+> [!Note]
+> This Chart is still in development and still subject to change the API (`values.yaml`).
+> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
+> we do aim for as much stability as possible.
+
+| Dependency | Supported Versions |
+|:-----------|:-------------------|
+| Helm       | `3.x`              |
+
+## Source Code
+
+* <https://github.com/spiffe/spike>
+
+<!-- The parameters section is generated using helm-docs.sh and should not be edited by hand. -->
+
+## Parameters
+
+### Chart parameters
+
+| Name                             | Description                                                                                 | Value                |
+| -------------------------------- | ------------------------------------------------------------------------------------------- | -------------------- |
+| `image.registry`                 | The OCI registry to pull the image from                                                     | `ghcr.io`            |
+| `image.repository`               | The repository within the registry                                                          | `spiffe/spike-pilot` |
+| `image.pullPolicy`               | The image pull policy                                                                       | `IfNotPresent`       |
+| `image.tag`                      | Overrides the image tag whose default is the chart appVersion                               | `""`                 |
+| `shell.image.registry`           | The OCI registry to pull the image from                                                     | `""`                 |
+| `shell.image.repository`         | The repository within the registry                                                          | `busybox`            |
+| `shell.image.pullPolicy`         | The image pull policy                                                                       | `IfNotPresent`       |
+| `shell.image.tag`                | Overrides the image tag whose default is the chart appVersion                               | `1.37.0-uclibc`      |
+| `tools.busybox.image.registry`   | The OCI registry to pull the image from                                                     | `""`                 |
+| `tools.busybox.image.repository` | The repository within the registry                                                          | `busybox`            |
+| `tools.busybox.image.pullPolicy` | The image pull policy                                                                       | `IfNotPresent`       |
+| `tools.busybox.image.tag`        | Overrides the image tag whose default is the chart appVersion                               | `1.37.0-uclibc`      |
+| `replicas`                       | The number of keepers to launch                                                             | `1`                  |
+| `trustRoot.nexus`                | Override which trustRoot Nexus is in                                                        | `""`                 |
+| `logLevel`                       | The log level, valid values are "debug", "info", "warn", and "error"                        | `debug`              |
+| `agentSocketName`                | The name of the spire-agent unix socket                                                     | `spire-agent.sock`   |
+| `csiDriverName`                  | The csi driver to use                                                                       | `csi.spiffe.io`      |
+| `imagePullSecrets`               | Pull secrets for images                                                                     | `[]`                 |
+| `nameOverride`                   | Name override                                                                               | `""`                 |
+| `namespaceOverride`              | Namespace override                                                                          | `""`                 |
+| `fullnameOverride`               | Fullname override                                                                           | `""`                 |
+| `serviceAccount.create`          | Specifies whether a service account should be created                                       | `true`               |
+| `serviceAccount.annotations`     | Annotations to add to the service account                                                   | `{}`                 |
+| `serviceAccount.name`            | The name of the service account to use. If not set and create is true, a name is generated. | `""`                 |
+| `labels`                         | Labels for pods                                                                             | `{}`                 |
+| `podSecurityContext`             | Pod security context                                                                        | `{}`                 |
+| `securityContext`                | Security context                                                                            | `{}`                 |
+| `nodeSelector`                   | (Optional) Select specific nodes to run on.                                                 | `{}`                 |
+| `affinity`                       | Affinity rules                                                                              | `{}`                 |
+| `tolerations`                    | List of tolerations                                                                         | `[]`                 |
+| `topologySpreadConstraints`      | List of topology spread constraints for resilience                                          | `[]`                 |
--- a/charts/spire/charts/spike-pilot/templates/NOTES.txt
+++ b/charts/spire/charts/spike-pilot/templates/NOTES.txt
@ -0,0 +1 @@
+Installed {{ .Chart.Name }}…
--- a/charts/spire/charts/spike-pilot/templates/_helpers.tpl
+++ b/charts/spire/charts/spike-pilot/templates/_helpers.tpl
@ -0,0 +1,83 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "spike-pilot.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "spike-pilot.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "spike-pilot.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
+    {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
+      {{- .Values.global.spire.namespaces.server.name }}
+    {{- else }}
+      {{- printf "spire-server" }}
+    {{- end }}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "spike-pilot.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "spike-pilot.labels" -}}
+helm.sh/chart: {{ include "spike-pilot.chart" . }}
+{{ include "spike-pilot.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "spike-pilot.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "spike-pilot.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "spike-pilot.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "spike-pilot.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "spike-pilot.workload-api-socket-path" -}}
+{{- printf "/spiffe-workload-api/%s" .Values.agentSocketName }}
+{{- end }}
--- a/charts/spire/charts/spike-pilot/templates/deployment.yaml
+++ b/charts/spire/charts/spike-pilot/templates/deployment.yaml
@ -0,0 +1,96 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "spike-pilot.fullname" . }}
+  namespace: {{ include "spike-pilot.namespace" . }}
+  labels:
+    {{- include "spike-pilot.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      {{- include "spike-pilot.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "spike-pilot.selectorLabels" . | nindent 8 }}
+        release: {{ .Release.Name }}
+        release-namespace: {{ .Release.Namespace }}
+        component: spike-pilot
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "spike-pilot.serviceAccountName" . }}
+      securityContext:
+        {{- include "spire-lib.podsecuritycontext" . | nindent 8 }}
+      initContainers:
+        - name:  init
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.busybox.image "global" .Values.global "ubi" true) }}
+          imagePullPolicy: {{ .Values.tools.busybox.image.pullPolicy }}
+          command: ["/bin/sh", "-c", "cp -a /bin/busybox /data"]
+          securityContext:
+            {{- include "spire-lib.securitycontext" . | nindent 12 }}
+          volumeMounts:
+            - name: pilot
+              mountPath: /data
+        - name:  init2
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global "ubi" true) }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: ["/data/busybox", "sh", "-c", "/data/busybox cp -a /usr/local/bin/spike /data && /data/busybox rm -f /data/busybox"]
+          securityContext:
+            {{- include "spire-lib.securitycontext" . | nindent 12 }}
+          volumeMounts:
+            - name: pilot
+              mountPath: /data
+      containers:
+        - name:  {{ include "spike-pilot.fullname" . }}
+          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.shell.image "global" .Values.global "ubi" true) }}
+          imagePullPolicy: {{ .Values.shell.image.pullPolicy }}
+          command: ["/bin/sh", "-c", "echo I live; while true; do sleep 1000; done"]
+          securityContext:
+            {{- include "spire-lib.securitycontext" . | nindent 12 }}
+          env:
+            #FIXME make this configurable
+            - name: SPIKE_NEXUS_API_URL
+              value: https://{{ .Release.Name }}-spike-nexus:443
+            - name: SPIFFE_ENDPOINT_SOCKET
+              value: unix://{{ include "spike-pilot.workload-api-socket-path" . }}
+            - name: SPIKE_SYSTEM_LOG_LEVEL
+              value: {{ .Values.logLevel | upper }}
+            - name: SPIKE_TRUST_ROOT
+              value: {{ include "spire-lib.trust-domain" . }}
+            - name: SPIKE_TRUST_ROOT_NEXUS
+              value: {{if eq .Values.trustRoot.Nexus "" }}{{ include "spire-lib.trust-domain" . }}{{ else }}{{.Values.trustRoot.Nexus }}{{ end }}
+          volumeMounts:
+            - name: spiffe-workload-api
+              mountPath: {{ include "spike-pilot.workload-api-socket-path" . | dir }}
+              readOnly: true
+            - name: pilot
+              mountPath: /bin/spike
+              subPath: spike
+              readOnly: true
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: pilot
+          emptyDir: {}
+        - name: spiffe-workload-api
+          csi:
+            driver: "{{ .Values.csiDriverName }}"
+            readOnly: true
--- a/charts/spire/charts/spike-pilot/templates/serviceaccount.yaml
+++ b/charts/spire/charts/spike-pilot/templates/serviceaccount.yaml
@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "spike-pilot.serviceAccountName" . }}
+  namespace: {{ include "spike-pilot.namespace" . }}
+  labels:
+    {{- include "spike-pilot.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/charts/spire/charts/spike-pilot/values.yaml
+++ b/charts/spire/charts/spike-pilot/values.yaml
@ -0,0 +1,116 @@
+# Default configuration for SPIKE Keeper
+# SPDX-License-Identifier: APACHE-2.0
+
+## @skip global
+global: {}
+
+## @section Chart parameters
+##
+## @param image.registry The OCI registry to pull the image from
+## @param image.repository The repository within the registry
+## @param image.pullPolicy The image pull policy
+## @param image.tag Overrides the image tag whose default is the chart appVersion
+##
+image:
+  registry: ghcr.io
+  repository: spiffe/spike-pilot
+  pullPolicy: IfNotPresent
+  tag: ""
+
+shell:
+  ## @param shell.image.registry The OCI registry to pull the image from
+  ## @param shell.image.repository The repository within the registry
+  ## @param shell.image.pullPolicy The image pull policy
+  ## @param shell.image.tag Overrides the image tag whose default is the chart appVersion
+  ##
+  image:
+    registry: ""
+    repository: busybox
+    pullPolicy: IfNotPresent
+    tag: 1.37.0-uclibc
+
+tools:
+  busybox:
+    ## @param tools.busybox.image.registry The OCI registry to pull the image from
+    ## @param tools.busybox.image.repository The repository within the registry
+    ## @param tools.busybox.image.pullPolicy The image pull policy
+    ## @param tools.busybox.image.tag Overrides the image tag whose default is the chart appVersion
+    ##
+    image:
+      registry: ""
+      repository: busybox
+      pullPolicy: IfNotPresent
+      tag: 1.37.0-uclibc
+
+## @param replicas The number of keepers to launch
+replicas: 1
+
+trustRoot:
+  ## @param trustRoot.nexus Override which trustRoot Nexus is in
+  nexus: ""
+
+## @param logLevel The log level, valid values are "debug", "info", "warn", and "error"
+logLevel: debug
+
+## @param agentSocketName The name of the spire-agent unix socket
+agentSocketName: spire-agent.sock
+## @param csiDriverName The csi driver to use
+csiDriverName: csi.spiffe.io
+
+## @param imagePullSecrets [array] Pull secrets for images
+imagePullSecrets: []
+
+## @param nameOverride Name override
+nameOverride: ""
+
+## @param namespaceOverride Namespace override
+namespaceOverride: ""
+
+## @param fullnameOverride Fullname override
+fullnameOverride: ""
+
+## @param serviceAccount.create Specifies whether a service account should be created
+## @param serviceAccount.annotations [object] Annotations to add to the service account
+## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
+##
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""
+
+## @param labels [object] Labels for pods
+labels: {}
+
+## @param podSecurityContext [object] Pod security context
+podSecurityContext: {}
+  # fsGroup: 2000
+
+## @param securityContext [object] Security context
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+## @param nodeSelector (Optional) Select specific nodes to run on.
+nodeSelector: {}
+
+## @param affinity [object] Affinity rules
+affinity: {}
+
+## @param tolerations [array] List of tolerations
+tolerations: []
+
+## @param topologySpreadConstraints [array] List of topology spread constraints for resilience
+topologySpreadConstraints: []
+
+## Provide minimal resources to prevent accidental crashes due to resource exhaustion
+# resources:
+#   requests:
+#     cpu: 50m
+#     memory: 128Mi
+#   limits:
+#     cpu: 100m
+#     memory: 512Mi
--- a/charts/spire/charts/spire-agent/Chart.yaml
+++ b/charts/spire/charts/spire-agent/Chart.yaml
@ -3,7 +3,7 @@ name: spire-agent
 description: A Helm chart to install the SPIRE agent.
 type: application
 version: 0.1.0
-appVersion: "1.10.3"
+appVersion: "1.12.4"
 keywords: ["spiffe", "spire-agent"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
--- a/charts/spire/charts/spire-agent/README.md
+++ b/charts/spire/charts/spire-agent/README.md
@ -52,7 +52,8 @@ A Helm chart to install the SPIRE agent.
 | `clusterName`                                          | The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`)                                                                                                                          | `example-cluster`                                                                |
 | `trustDomain`                                          | The trust domain to be used for the SPIFFE identifiers                                                                                                                                            | `example.org`                                                                    |
 | `trustBundleURL`                                       | If set, obtain trust bundle from url instead of Kubernetes ConfigMap                                                                                                                              | `""`                                                                             |
-| `trustBundleFormat`                                    | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe"                                                                                                                   | `pem`                                                                            |
+| `trustBundleFormat`                                    | If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe"                                                                                                                   | `spiffe`                                                                         |
+| `trustBundleHostPath`                                  | If set, obtain trust bundle from a file on the host instead of from the ConfigMap                                                                                                                 | `""`                                                                             |
 | `bundleConfigMap`                                      | Configmap name for Spire bundle                                                                                                                                                                   | `spire-bundle`                                                                   |
 | `availabilityTarget`                                   | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. | `""`                                                                             |
 | `server.address`                                       | Address for Spire server                                                                                                                                                                          | `""`                                                                             |
@ -69,56 +70,61 @@ A Helm chart to install the SPIRE agent.
 | `fsGroupFix.image.registry`                            | The OCI registry to pull the image from                                                                                                                                                           | `cgr.dev`                                                                        |
 | `fsGroupFix.image.repository`                          | The repository within the registry                                                                                                                                                                | `chainguard/bash`                                                                |
 | `fsGroupFix.image.pullPolicy`                          | The image pull policy                                                                                                                                                                             | `Always`                                                                         |
-| `fsGroupFix.image.tag`                                 | Overrides the image tag whose default is the chart appVersion                                                                                                                                     | `latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a` |
+| `fsGroupFix.image.tag`                                 | Overrides the image tag whose default is the chart appVersion                                                                                                                                     | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
 | `fsGroupFix.resources`                                 | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/                                                                                      | `{}`                                                                             |
 | `keyManager.memory.enabled`                            | Enable the memory based Key Manager                                                                                                                                                               | `true`                                                                           |
-| `nodeAttestor.k8sPsat.enabled`                         | Enable Psat k8s Node Attestor                                                                                                                                                                     | `true`                                                                           |
+| `keyManager.disk.enabled`                              | Enable the disk based Key Manager (must have persistence.type set to hostPath when enabled)                                                                                                       | `false`                                                                          |
+| `nodeAttestor.k8sPSAT.enabled`                         | Enable PSAT k8s Node Attestor                                                                                                                                                                     | `true`                                                                           |
 | `nodeAttestor.httpChallenge.enabled`                   | Enable the http challenge Node Attestor                                                                                                                                                           | `false`                                                                          |
 | `nodeAttestor.httpChallenge.agentname`                 | Name of this agent. Useful if you have multiple agents bound to different spire servers on the same host and sharing the same port.                                                               | `default`                                                                        |
 | `nodeAttestor.httpChallenge.port`                      | The port to listen on. If 0, a random value will be used.                                                                                                                                         | `0`                                                                              |
 | `nodeAttestor.httpChallenge.advertisedPort`            | The port to tell the server to call back on. Set only if your using an http proxy on the hosts. If 0, will use the port setting.                                                                  | `0`                                                                              |
 | `nodeAttestor.tpmDirect.enabled`                       | Enable the direct TPM node attestor, a 3rd party plugin by Boxboat. This plugin is experimental.                                                                                                  | `false`                                                                          |
-| `nodeAttestor.tpmDirect.plugin.image.registry`         | The OCI registry to pull the image from                                                                                                                                                           | `docker.io`                                                                      |
-| `nodeAttestor.tpmDirect.plugin.image.repository`       | The repository within the registry                                                                                                                                                                | `boxboat/spire-tpm-plugin-tpm-attestor-agent`                                    |
+| `nodeAttestor.tpmDirect.plugin.image.registry`         | The OCI registry to pull the image from                                                                                                                                                           | `ghcr.io`                                                                        |
+| `nodeAttestor.tpmDirect.plugin.image.repository`       | The repository within the registry                                                                                                                                                                | `spiffe/spire-tpm-plugin-tpm-attestor-agent`                                     |
 | `nodeAttestor.tpmDirect.plugin.image.pullPolicy`       | The image pull policy                                                                                                                                                                             | `IfNotPresent`                                                                   |
-| `nodeAttestor.tpmDirect.plugin.image.tag`              | Overrides the image tag                                                                                                                                                                           | `v1.8.7`                                                                         |
-| `nodeAttestor.tpmDirect.plugin.checksum`               | The sha256 checksum of the plugin binary                                                                                                                                                          | `1d7c73ccac948ee86cbd78ddde2d30128a1838b403f7bb2100d38d916a252244`               |
+| `nodeAttestor.tpmDirect.plugin.image.tag`              | Overrides the image tag                                                                                                                                                                           | `v1.9.0`                                                                         |
+| `nodeAttestor.tpmDirect.plugin.checksum`               | The sha256 checksum of the plugin binary                                                                                                                                                          | `22f67063f1699330e70cdedc9b923e517688f5ae71085a26bd9b83b3060ee86e`               |
 | `nodeAttestor.tpmDirect.plugin.path`                   | The filename in the container of the plugin                                                                                                                                                       | `/app/tpm_attestor_agent`                                                        |
-| `nodeAttestor.tpmDirect.pubHash.enabled`               | Enable Psat k8s nodeattestor                                                                                                                                                                      | `true`                                                                           |
-| `nodeAttestor.tpmDirect.pubHash.image.registry`        | The OCI registry to pull the image from                                                                                                                                                           | `docker.io`                                                                      |
-| `nodeAttestor.tpmDirect.pubHash.image.repository`      | The repository within the registry                                                                                                                                                                | `boxboat/spire-tpm-plugin-get-tpm-pubhash`                                       |
+| `nodeAttestor.tpmDirect.pubHash.enabled`               | Display pubhash in logs                                                                                                                                                                           | `true`                                                                           |
+| `nodeAttestor.tpmDirect.pubHash.image.registry`        | The OCI registry to pull the image from                                                                                                                                                           | `ghcr.io`                                                                        |
+| `nodeAttestor.tpmDirect.pubHash.image.repository`      | The repository within the registry                                                                                                                                                                | `spiffe/spire-tpm-plugin-get-tpm-pubhash`                                        |
 | `nodeAttestor.tpmDirect.pubHash.image.pullPolicy`      | The image pull policy                                                                                                                                                                             | `IfNotPresent`                                                                   |
-| `nodeAttestor.tpmDirect.pubHash.image.tag`             | Overrides the image tag                                                                                                                                                                           | `v1.8.7`                                                                         |
+| `nodeAttestor.tpmDirect.pubHash.image.tag`             | Overrides the image tag                                                                                                                                                                           | `v1.9.0`                                                                         |
+| `nodeAttestor.awsIID.enabled`                          | Enable the aws_iid Node Attestor                                                                                                                                                                  | `false`                                                                          |
 | `workloadAttestors.unix.enabled`                       | Enables the Unix workload attestor                                                                                                                                                                | `false`                                                                          |
 | `workloadAttestors.k8s.enabled`                        | Enables the Kubernetes workload attestor                                                                                                                                                          | `true`                                                                           |
 | `workloadAttestors.k8s.verification.type`              | What kind of verification to do against kubelet. auto will first attempt to use hostCert, and then fall back to apiServerCA. Valid options are [auto, hostCert, apiServerCA, skip]                | `skip`                                                                           |
 | `workloadAttestors.k8s.verification.hostCert.basePath` | Path where kubelet places its certificates                                                                                                                                                        | `/var/lib/kubelet/pki`                                                           |
 | `workloadAttestors.k8s.verification.hostCert.fileName` | File name where kubelet places its certificates. If blank, it will be auto detected.                                                                                                              | `""`                                                                             |
 | `workloadAttestors.k8s.disableContainerSelectors`      | Set to true if using holdApplicationUntilProxyStarts in Istio                                                                                                                                     | `false`                                                                          |
-| `workloadAttestors.k8s.useNewContainerLocator`         | If true, enables the new container locator algorithm that has support for cgroups v2. Defaults to false                                                                                           | `false`                                                                          |
+| `workloadAttestors.k8s.useNewContainerLocator`         | If true, enables the new container locator algorithm that has support for cgroups v2. Defaults to true                                                                                            | `true`                                                                           |
 | `workloadAttestors.k8s.verboseContainerLocatorLogs`    | If true, enables verbose logging of mountinfo and cgroup information used to locate containers. Defaults to false                                                                                 | `false`                                                                          |
 | `sds.enabled`                                          | Enables Envoy SDS configuration                                                                                                                                                                   | `false`                                                                          |
-| `sds.defaultSvidName`                                  | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS                                                                                                                 | `default`                                                                        |
+| `sds.defaultSVIDName`                                  | The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS                                                                                                                 | `default`                                                                        |
 | `sds.defaultBundleName`                                | The Validation Context resource name to use for the default X.509 bundle with Envoy SDS                                                                                                           | `ROOTCA`                                                                         |
 | `sds.defaultAllBundlesName`                            | The Validation Context resource name to use for all bundles (including federated) with Envoy SDS                                                                                                  | `ALL`                                                                            |
-| `sds.disableSpiffeCertValidation`                      | Disable Envoy SDS custom validation                                                                                                                                                               | `false`                                                                          |
+| `sds.disableSPIFFECertValidation`                      | Disable Envoy SDS custom validation                                                                                                                                                               | `false`                                                                          |
 | `telemetry.prometheus.enabled`                         | Flag to enable prometheus monitoring                                                                                                                                                              | `false`                                                                          |
 | `telemetry.prometheus.port`                            | Port for prometheus metrics                                                                                                                                                                       | `9988`                                                                           |
 | `telemetry.prometheus.podMonitor.enabled`              | Enable podMonitor for prometheus                                                                                                                                                                  | `false`                                                                          |
 | `telemetry.prometheus.podMonitor.namespace`            | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent                                                                                               | `""`                                                                             |
 | `telemetry.prometheus.podMonitor.labels`               | Pod labels to filter for prometheus monitoring                                                                                                                                                    | `{}`                                                                             |
+| `telemetry.datadog.enabled`                            | Flag to enable datadog monitoring                                                                                                                                                                 | `false`                                                                          |
+| `telemetry.datadog.address`                            | The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc`                                                                          | `datadog.kube-system.svc`                                                        |
+| `telemetry.datadog.port`                               | The port of the datadog service to send metrics to                                                                                                                                                | `8125`                                                                           |
 | `kubeletConnectByHostname`                             | If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise.                                                      | `""`                                                                             |
 | `socketPath`                                           | The unix socket path to the spire-agent                                                                                                                                                           | `/run/spire/agent-sockets/spire-agent.sock`                                      |
 | `socketAlternate.names`                                | List of alternate names for the socket that workloads might expect to be able to access in the driver mount.                                                                                      | `["socket","spire-agent.sock","api.sock"]`                                       |
 | `socketAlternate.image.registry`                       | The OCI registry to pull the image from                                                                                                                                                           | `cgr.dev`                                                                        |
 | `socketAlternate.image.repository`                     | The repository within the registry                                                                                                                                                                | `chainguard/bash`                                                                |
 | `socketAlternate.image.pullPolicy`                     | The image pull policy                                                                                                                                                                             | `Always`                                                                         |
-| `socketAlternate.image.tag`                            | Overrides the image tag whose default is the chart appVersion                                                                                                                                     | `latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a` |
+| `socketAlternate.image.tag`                            | Overrides the image tag whose default is the chart appVersion                                                                                                                                     | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
 | `socketAlternate.resources`                            | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/                                                                                      | `{}`                                                                             |
 | `hostCert.image.registry`                              | The OCI registry to pull the image from                                                                                                                                                           | `cgr.dev`                                                                        |
 | `hostCert.image.repository`                            | The repository within the registry                                                                                                                                                                | `chainguard/min-toolkit-debug`                                                   |
 | `hostCert.image.pullPolicy`                            | The image pull policy                                                                                                                                                                             | `IfNotPresent`                                                                   |
-| `hostCert.image.tag`                                   | Overrides the image tag whose default is the chart appVersion                                                                                                                                     | `latest@sha256:5420e15d91112458fc573755954c9174dbf4db8d802c4de3aac18145f5a78a17` |
+| `hostCert.image.tag`                                   | Overrides the image tag whose default is the chart appVersion                                                                                                                                     | `latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53` |
 | `hostCert.resources`                                   | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/                                                                                      | `{}`                                                                             |
 | `priorityClassName`                                    | Priority class assigned to daemonset pods. Can be auto set with global.recommendations.priorityClassName.                                                                                         | `""`                                                                             |
 | `extraEnvVars`                                         | Extra environment variables to be added to the Spire Agent container                                                                                                                              | `[]`                                                                             |
@ -135,8 +141,8 @@ A Helm chart to install the SPIRE agent.
 | `experimental.syncInterval`                            | Sync interval with SPIRE server with exponential backoff                                                                                                                                          | `5s`                                                                             |
 | `experimental.featureFlags`                            | List of developer feature flags                                                                                                                                                                   | `[]`                                                                             |
 | `agents`                                               | Configure multiple agent DaemonSets. Useful when you have different node types and nodeAttestors                                                                                                  | `{}`                                                                             |
-| `tools.kubectl.image.registry`                         | The OCI registry to pull the image from                                                                                                                                                           | `docker.io`                                                                      |
-| `tools.kubectl.image.repository`                       | The repository within the registry                                                                                                                                                                | `rancher/kubectl`                                                                |
+| `tools.kubectl.image.registry`                         | The OCI registry to pull the image from                                                                                                                                                           | `registry.k8s.io`                                                                |
+| `tools.kubectl.image.repository`                       | The repository within the registry                                                                                                                                                                | `kubectl`                                                                        |
 | `tools.kubectl.image.pullPolicy`                       | The image pull policy                                                                                                                                                                             | `IfNotPresent`                                                                   |
 | `tools.kubectl.image.tag`                              | Overrides the image tag whose default is the chart appVersion                                                                                                                                     | `""`                                                                             |
 | `sockets.hostBasePath`                                 | Path on which the agent socket is made available when admin.mountOnHost is true                                                                                                                   | `/run/spire/agent/sockets`                                                       |
--- a/charts/spire/charts/spire-agent/templates/_helpers.tpl
+++ b/charts/spire/charts/spire-agent/templates/_helpers.tpl
@ -75,20 +75,20 @@ Create chart name and version as used by the chart label.
 Common labels
 */}}
 {{- define "spire-agent.labels" -}}
-helm.sh/chart: {{ include "spire-agent.chart" . }}
+helm.sh/chart: {{ include "spire-agent.chart" . | quote }}
 {{ include "spire-agent.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
 {{- end }}

 {{/*
 Selector labels
 */}}
 {{- define "spire-agent.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "spire-agent.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/name: {{ include "spire-agent.name" . | quote }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
 {{- end }}

 {{/*
--- a/charts/spire/charts/spire-agent/templates/configmap.yaml
+++ b/charts/spire/charts/spire-agent/templates/configmap.yaml
@ -19,8 +19,11 @@
 {{-     end }}
 {{-   end }}
 {{- end }}
+{{- if and .Values.keyManager.disk.enabled (ne .Values.persistence.type "hostPath") }}
+{{-   fail "keyManager.disk.enabled is true but persistence.type is not hostPath. Ensure persistence.type is hostPath when keyManager.disk.enabled is true." }}
+{{- end }}
 {{- if hasPrefix (.Values.socketPath | dir | clean) (.Values.sockets.hostBasePath | clean) }}
-{{- fail "The sockets.hostBasePath can not be located under the socketPath direcotry" }}
+{{- fail "The sockets.hostBasePath can not be located under the socketPath directory" }}
 {{- end }}
 {{- end }}
 {{- define "spire-agent.yaml-config" -}}
@ -38,11 +41,13 @@ agent:
  server_address: {{ include "spire-agent.server-address" . | trim | quote }}
  server_port: {{ .Values.server.port | quote }}
  socket_path: /tmp/spire-agent/public/{{ include "spire-agent.socket-path" . | base }}
+  trust_bundle_format: {{ .Values.trustBundleFormat | quote }}
  {{- if ne (len .Values.trustBundleURL) 0 }}
  trust_bundle_url: {{ .Values.trustBundleURL | quote }}
-  trust_bundle_format: {{ .Values.trustBundleFormat | quote }}
+  {{- else if ne (len .Values.trustBundleHostPath) 0 }}
+  trust_bundle_path: {{ .Values.trustBundleHostPath | quote }}
  {{- else }}
-  trust_bundle_path: "/run/spire/bundle/bundle.crt"
+  trust_bundle_path: {{ printf "/run/spire/bundle/bundle.%s" (include "spire-lib.trust-bundle-ext" (dict "trustBundleFormat" .Values.trustBundleFormat)) | quote }}
  {{- end }}
  trust_domain: {{ include "spire-lib.trust-domain" . | quote }}
  {{- with .Values.availabilityTarget }}
@ -50,16 +55,16 @@ agent:
  {{- end }}
  {{- if .Values.sds.enabled }}
  sds:
-    default_svid_name: {{ .Values.sds.defaultSvidName | quote }}
+    default_svid_name: {{ .Values.sds.defaultSVIDName | quote }}
    default_bundle_name: {{ .Values.sds.defaultBundleName | quote }}
    default_all_bundles_name: {{ .Values.sds.defaultAllBundlesName | quote }}
-    disable_spiffe_cert_validation: {{ .Values.sds.disableSpiffeCertValidation }}
+    disable_spiffe_cert_validation: {{ eq .Values.sds.disableSPIFFECertValidation true }}
  {{- end }}

  {{- with .Values.experimental }}
  {{- if eq (.enabled | toString) "true" }}
  experimental:
-  sync_interval: {{ .syncInterval | quote }}
+    sync_interval: {{ .syncInterval | quote }}
    {{- if gt (len .featureFlags) 0 }}
    feature_flags:
      {{- range .featureFlags }}
@ -73,7 +78,7 @@ agent:
 {{- $keyManagerUsed := add (len .Values.customPlugins.keyManager) (len .Values.unsupportedBuiltInPlugins.keyManager) }}
 plugins:
  NodeAttestor:
-    {{- if .Values.nodeAttestor.k8sPsat.enabled }}
+    {{- if .Values.nodeAttestor.k8sPSAT.enabled }}
    k8s_psat:
      plugin_data:
        cluster: {{ include "spire-lib.cluster-name" . | quote }}
@ -97,7 +102,14 @@ plugins:
    {{- if eq (.enabled | toString) "true" }}
    tpm:
      plugin_cmd: "/tpm/tpm_attestor_agent"
-      plugin_checksum: {{ .plugin.checksum }}
+      plugin_checksum: {{ .plugin.checksum | quote }}
+      plugin_data: {}
+    {{- $nodeAttestorUsed = add1 $nodeAttestorUsed }}
+    {{- end }}
+    {{- end }}
+  {{- with .Values.nodeAttestor.awsIID }}
+  {{- if eq (.enabled | toString) "true" }}
+    aws_iid:
      plugin_data: {}
    {{- $nodeAttestorUsed = add1 $nodeAttestorUsed }}
    {{- end }}
@ -112,6 +124,12 @@ plugins:
      plugin_data:
    {{- $keyManagerUsed = add1 $keyManagerUsed }}
    {{- end }}
+    {{- if .Values.keyManager.disk.enabled }}
+    disk:
+      plugin_data:
+        directory: {{ .Values.persistence.hostPath }}
+    {{- $keyManagerUsed = add1 $keyManagerUsed }}
+    {{- end }}
 {{- if ne $keyManagerUsed 1 }}
 {{- fail (printf "You have to enable exactly one Key Manager. There are %d enabled." $keyManagerUsed) }}
 {{- end }}
@ -126,9 +144,9 @@ plugins:
        kubelet_ca_path: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        {{- end }}
        skip_kubelet_verification: {{ eq .Values.workloadAttestors.k8s.verification.type "skip" }}
-        disable_container_selectors: {{ .Values.workloadAttestors.k8s.disableContainerSelectors }}
-        use_new_container_locator: {{ .Values.workloadAttestors.k8s.useNewContainerLocator }}
-        verbose_container_locator_logs: {{ .Values.workloadAttestors.k8s.verboseContainerLocatorLogs }}
+        disable_container_selectors: {{ eq .Values.workloadAttestors.k8s.disableContainerSelectors true}}
+        use_new_container_locator: {{ eq .Values.workloadAttestors.k8s.useNewContainerLocator true }}
+        verbose_container_locator_logs: {{ eq .Values.workloadAttestors.k8s.verboseContainerLocatorLogs true }}
        {{- if eq (include "spire-agent.connect-by-hostname" .) "true" }}
        node_name_env: "MY_NODE_NAME"
        {{- end }}
@ -152,6 +170,13 @@ telemetry:
      - host: "0.0.0.0"
        port: {{ .Values.telemetry.prometheus.port }}
 {{- end }}
+
+{{- if .Values.telemetry.datadog.enabled }}
+telemetry:
+  - DogStatsd:
+      - address: "{{ .Values.telemetry.datadog.address }}:{{ .Values.telemetry.datadog.port }}"
+{{- end }}
+
 {{- end }}
 {{- $root := . }}
 {{- range $name := (concat (list "default") (keys .Values.agents)) | uniq }}
@ -168,8 +193,8 @@ telemetry:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "spire-agent.fullname" . }}{{ $nameSuffix }}
-  namespace: {{ include "spire-agent.namespace" . }}
+  name: {{ printf "%s%s" (include "spire-agent.fullname" .) $nameSuffix | quote }}
+  namespace: {{ include "spire-agent.namespace" . | quote }}
  {{- with .Values.configMap.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
--- a/charts/spire/charts/spire-agent/templates/daemonset.yaml
+++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml
@ -1,5 +1,17 @@
 {{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }}
 {{- $root := . }}
+{{- if hasKey .Values.nodeAttestor "k8sPsat" }}
+{{-   fail "k8sPsat was renamed to k8sPSAT. Please update your config." }}
+{{- end }}
+{{- if hasKey .Values.sds "defaultSvidName" }}
+{{-   fail "defaultSvidName was renamed to defaultSVIDName. Please update your config." }}
+{{- end }}
+{{- if hasKey .Values.sds "disableSpiffeCertValidation" }}
+{{-   fail "disableSpiffeCertValidation was renamed to disableSPIFFECertValidation. Please update your config." }}
+{{- end }}
+{{- if and .Values.keyManager.disk.enabled (ne .Values.persistence.type "hostPath") }}
+{{-   fail "keyManager.disk.enabled is true but persistence.type is not hostPath. Ensure persistence.type is hostPath when keyManager.disk.enabled is true." }}
+{{- end }}
 {{- range $name := (concat (list "default") (keys .Values.agents)) | uniq }}
 {{- with (dict "Release" $root.Release "Chart" $root.Chart "Values" (deepCopy $root.Values)) }}
 {{- $nameSuffix := "" }}
@ -22,16 +34,16 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  name: {{ include "spire-agent.fullname" . }}{{ $nameSuffix }}
-  namespace: {{ include "spire-agent.namespace" . }}
+  name: {{ printf "%s%s" (include "spire-agent.fullname" .) $nameSuffix | quote }}
+  namespace: {{ include "spire-agent.namespace" . | quote}}
  labels:
    {{- include "spire-agent.labels" . | nindent 4 }}
-    app.kubernetes.io/component: {{ $name }}
+    app.kubernetes.io/component: {{ $name | quote }}
 spec:
  selector:
    matchLabels:
      {{- include "spire-agent.selectorLabels" . | nindent 6 }}
-      app.kubernetes.io/component: {{ $name }}
+      app.kubernetes.io/component: {{ $name | quote }}
  {{- with .Values.updateStrategy }}
  updateStrategy:
    {{- if not (has .type (list "RollingUpdate" "OnDelete")) }}
@ -47,13 +59,13 @@ spec:
    metadata:
      annotations:
        kubectl.kubernetes.io/default-container: spire-agent
-        checksum/config: {{ $configSum }}
+        checksum/config: {{ $configSum | quote }}
        {{- with .Values.podAnnotations }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
      labels:
        {{- include "spire-agent.selectorLabels" . | nindent 8 }}
-        app.kubernetes.io/component: {{ $name }}
+        app.kubernetes.io/component: {{ $name | quote }}
        {{- with .Values.podLabels }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
@ -65,7 +77,7 @@ spec:
      hostPID: true
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
-      serviceAccountName: {{ include "spire-agent.serviceAccountName" . }}
+      serviceAccountName: {{ include "spire-agent.serviceAccountName" . | quote }}
      securityContext:
        {{- toYaml $podSecurityContext | nindent 8 }}
      {{- include "spire-lib.default_node_priority_class_name" . | nindent 6 }}
@ -79,17 +91,17 @@ spec:
          securityContext:
            {{- $mainSecurityContext | toYaml | nindent 12 }}
          image: {{ template "spire-lib.image" (dict "image" .Values.hostCert.image "global" .Values.global) }}
-          imagePullPolicy: {{ .Values.hostCert.image.pullPolicy }}
+          imagePullPolicy: {{ .Values.hostCert.image.pullPolicy | quote }}
          command: ["bash", "-xc"]
          args:
            - |
              {{- if ne .Values.workloadAttestors.k8s.verification.hostCert.fileName "" }}
-              openssl x509 -in "{{ .Values.workloadAttestors.k8s.verification.hostCert.basePath }}/{{ .Values.workloadAttestors.k8s.verification.hostCert.fileName }}" -out /hostCert/kubelet.crt
+              openssl x509 -in {{ printf "%s/%s" .Values.workloadAttestors.k8s.verification.hostCert.basePath .Values.workloadAttestors.k8s.verification.hostCert.fileName | quote }} -out /hostCert/kubelet.crt
              {{- else }}
              if [ -f "{{ .Values.workloadAttestors.k8s.verification.hostCert.basePath }}/kubelet-server-current.pem" ]; then
-                openssl x509 -in "{{ .Values.workloadAttestors.k8s.verification.hostCert.basePath }}/kubelet-server-current.pem" -out /hostCert/kubelet.crt
+                openssl x509 -in {{ printf "%s/kubelet-server-current.pem" .Values.workloadAttestors.k8s.verification.hostCert.basePath | quote }} -out /hostCert/kubelet.crt
              elif [ -f "{{ .Values.workloadAttestors.k8s.verification.hostCert.basePath }}/kubelet.crt" ]; then
-                openssl x509 -in "{{ .Values.workloadAttestors.k8s.verification.hostCert.basePath }}/kubelet.crt" -out /hostCert/kubelet.crt
+                openssl x509 -in {{ printf "%s/kubelet.crt" .Values.workloadAttestors.k8s.verification.hostCert.basePath | quote }} -out /hostCert/kubelet.crt
              else
                {{- if eq .Values.workloadAttestors.k8s.verification.type "auto" }}
                {{- if $cbh }}
@ -97,7 +109,7 @@ spec:
                {{- else }}
                URL="https://localhost:10250/spec/"
                {{- end }}
-                curl --caPath /var/run/secrets/kubernetes.io/serviceaccount/ca.crt "$URL"
+                curl --capath /var/run/secrets/kubernetes.io/serviceaccount/ca.crt "$URL"
                if [ $? -eq 0 ]; then
                  echo Mode detected as apiServerCA.
                  ln -s /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /hostCert/kubelet.crt
@ -150,7 +162,7 @@ spec:
              readOnly: true
            - name: kmsg
              mountPath: /dev/kmsg
-          imagePullPolicy: {{ .Values.nodeAttestor.tpmDirect.pubHash.image.pullPolicy }}
+          imagePullPolicy: {{ .Values.nodeAttestor.tpmDirect.pubHash.image.pullPolicy | quote }}
        {{- end }}
        - name: init-tpm-direct
          securityContext:
@ -161,16 +173,16 @@ spec:
            - -ec
            - |
              # SPIRE must be able to fork the plugin directly within its container. Copy the plugin into a volume that can be mounted where SPIRE can execute it.
-              cp -a {{ .Values.nodeAttestor.tpmDirect.plugin.path }} /tpm/tpm_attestor_agent
+              cp -a {{ .Values.nodeAttestor.tpmDirect.plugin.path | quote }} /tpm/tpm_attestor_agent
          volumeMounts:
            - name: tpm-direct
              mountPath: /tpm
-          imagePullPolicy: {{ .Values.nodeAttestor.tpmDirect.plugin.image.pullPolicy }}
+          imagePullPolicy: {{ .Values.nodeAttestor.tpmDirect.plugin.image.pullPolicy | quote }}
        {{- end }}
        {{- if gt (len $socketAlternateNames) 0 }}
        - name: ensure-alternate-names
          image: {{ template "spire-lib.image" (dict "image" .Values.socketAlternate.image "global" .Values.global) }}
-          imagePullPolicy: {{ .Values.socketAlternate.image.pullPolicy }}
+          imagePullPolicy: {{ .Values.socketAlternate.image.pullPolicy | quote }}
          command: ["bash", "-xc"]
          {{- /* 1. Look for symlinks pointing at the wrong place and remove them. 2. Make symlinks that don't exist. 3. If new socket is pointing at an existing symlink, remove old symlink. */}}
          args:
@ -178,7 +190,7 @@ spec:
              cd {{ $socketPath | dir }}
              {{- range $socketAlternateNames }}
              L=`readlink {{ . }}`
-              [ "x$L" != "x{{ $socketPath | base}}" ] && rm -f {{ . }}
+              [ "x$L" != "x{{ $socketPath | base }}" ] && rm -f {{ . }}
              [ ! -L {{ . }} ] && ln -s {{ $socketPath | base }} {{ . }}
              {{- end }}
              [ -L {{ $socketPath | base }} ] && rm -f {{ $socketPath | base }}
@ -195,12 +207,12 @@ spec:
        {{- if gt (int (dig "fsGroup" 0 $podSecurityContext)) 0 }}
        - name: fsgroupfix
          image: {{ template "spire-lib.image" (dict "image" .Values.fsGroupFix.image "global" .Values.global) }}
-          imagePullPolicy: {{ .Values.fsGroupFix.image.pullPolicy }}
+          imagePullPolicy: {{ .Values.fsGroupFix.image.pullPolicy | quote }}
          command: ["bash", "-c"]
          args:
            - |
-              chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ $socketPath | dir }} /tmp/spire-agent/private
-              chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} /var/lib/spire
+              chown -R {{ printf "%v:%v" $podSecurityContext.runAsUser $podSecurityContext.fsGroup | quote }} {{ $socketPath | dir }} /tmp/spire-agent/private
+              chown -R {{ printf "%v:%v" $podSecurityContext.runAsUser $podSecurityContext.fsGroup | quote }} /var/lib/spire
          resources:
            {{- toYaml .Values.fsGroupFix.resources | nindent 12 }}
          volumeMounts:
@ -218,9 +230,9 @@ spec:
        {{- toYaml .Values.initContainers | nindent 8 }}
        {{- end }}
      containers:
-        - name: {{ .Chart.Name }}
+        - name: {{ .Chart.Name | quote }}
          image: {{ template "spire-lib.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image "global" .Values.global) }}
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
          args: ["-config", "/opt/spire/conf/agent/agent.conf"]
          securityContext:
            {{- $mainSecurityContext | toYaml | nindent 12 }}
@ -247,6 +259,11 @@ spec:
            - name: spire-config
              mountPath: /opt/spire/conf/agent
              readOnly: true
+            {{- if .Values.keyManager.disk.enabled }}
+            - name: spire-key-manager
+              mountPath: {{ .Values.persistence.hostPath }}
+              readOnly: false
+            {{- end }}
            - name: spire-agent-persistence
              mountPath: /var/lib/spire
            {{- if .Values.sockets.admin.enabled }}
@ -256,8 +273,12 @@ spec:
            {{- end }}
            {{- if eq (len .Values.trustBundleURL) 0 }}
            - name: spire-bundle
-              mountPath: /run/spire/bundle
              readOnly: true
+            {{- if ne (len .Values.trustBundleHostPath) 0 }}
+              mountPath: {{ .Values.trustBundleHostPath | dir | quote }}
+            {{- else }}
+              mountPath: /run/spire/bundle
+            {{- end }}
            {{- end }}
            {{- if .Values.nodeAttestor.tpmDirect.enabled }}
            - name: tpm-direct
@ -311,10 +332,20 @@ spec:
        - name: spire-config
          configMap:
            name: {{ include "spire-agent.fullname" . }}
+        {{- if .Values.keyManager.disk.enabled }}
+        - name: spire-key-manager
+          hostPath:
+            path: {{ .Values.persistence.hostPath }}
+            type: DirectoryOrCreate
+        {{- end }}
        {{- if .Values.sockets.admin.mountOnHost }}
        - name: spire-agent-admin-socket-dir
          hostPath:
-            path: {{ .Values.sockets.hostBasePath }}/{{ if .Values.upstream }}upstream.csi.spiffe.io{{ else }}csi.spiffe.io{{ end }}/admin
+            {{- if .Values.upstream }}
+            path: {{ printf "%s/upstream.csi.spiffe.io/admin" .Values.sockets.hostBasePath | quote }}
+            {{- else }}
+            path: {{ printf "%s/csi.spiffe.io/admin" .Values.sockets.hostBasePath | quote }}
+            {{- end }}
            type: DirectoryOrCreate
        {{- else }}
        - name: spire-agent-admin-socket-dir
@ -323,7 +354,11 @@ spec:
        {{- if eq .Values.persistence.type "hostPath" }}
        - name: spire-agent-persistence
          hostPath:
-            path: {{ .Values.persistence.hostPath }}/{{ if .Values.upstream }}upstream.csi.spiffe.io{{ else }}csi.spiffe.io{{ end }}
+            {{- if .Values.upstream }}
+            path: {{ printf "%s/upstream.csi.spiffe.io" .Values.persistence.hostPath | quote }}
+            {{- else }}
+            path: {{ printf "%s/csi.spiffe.io" .Values.persistence.hostPath | quote }}
+            {{- end }}
            type: DirectoryOrCreate
        {{- else }}
        - name: spire-agent-persistence
@ -331,8 +366,13 @@ spec:
        {{- end }}
        {{- if eq (len .Values.trustBundleURL) 0 }}
        - name: spire-bundle
+        {{- if ne (len .Values.trustBundleHostPath) 0 }}
+          hostPath:
+            path: {{ .Values.trustBundleHostPath | dir | quote }}
+        {{- else }}
          configMap:
-            name: {{ include "spire-lib.bundle-configmap" . }}{{ $nameSuffix }}
+            name: {{ printf "%s%s" (include "spire-lib.bundle-configmap" .) $nameSuffix | quote }}
+        {{- end }}
        {{- end }}
        {{- if .Values.nodeAttestor.tpmDirect.enabled }}
        - name: tpm-direct
@ -364,7 +404,7 @@ spec:
          emptyDir: {}
        - name: host-cert
          hostPath:
-            path: {{ .Values.workloadAttestors.k8s.verification.hostCert.basePath }}
+            path: {{ .Values.workloadAttestors.k8s.verification.hostCert.basePath | quote }}
        {{- end }}
        {{- if gt (len .Values.extraVolumes) 0 }}
        {{- toYaml .Values.extraVolumes | nindent 8 }}
--- a/charts/spire/charts/spire-agent/templates/podmonitor.yaml
+++ b/charts/spire/charts/spire-agent/templates/podmonitor.yaml
@ -5,7 +5,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
  name: {{ include "spire-agent.fullname" . }}
-  namespace: {{ $namespace }}
+  namespace: {{ $namespace | quote }}
  labels:
    {{- include "spire-agent.labels" . | nindent 4 }}
    {{- if ne (len (dig "telemetry" "prometheus" "podMonitor" "labels" (dict) .Values.global)) 0 }}
@ -22,6 +22,6 @@ spec:
    - port: prom
  {{- if ne $namespace $podNamespace }}
  namespaceSelector:
-    kubernetes.io/metadata.name: {{ $podNamespace }}
+    kubernetes.io/metadata.name: {{ $podNamespace | quote }}
  {{- end }}  
 {{- end }}
--- a/charts/spire/charts/spire-agent/templates/roles.yaml
+++ b/charts/spire/charts/spire-agent/templates/roles.yaml
@ -2,7 +2,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ include "spire-agent.fullname" . }}
+  name: {{ include "spire-agent.fullname" . | quote }}
 rules:
  - apiGroups: [""]
    resources:
@ -15,12 +15,12 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ include "spire-agent.fullname" . }}
+  name: {{ include "spire-agent.fullname" . | quote }}
 subjects:
  - kind: ServiceAccount
-    name: {{ include "spire-agent.serviceAccountName" . }}
-    namespace: {{ include "spire-agent.namespace" . }}
+    name: {{ include "spire-agent.serviceAccountName" . | quote }}
+    namespace: {{ include "spire-agent.namespace" . | quote }}
 roleRef:
  kind: ClusterRole
-  name: {{ include "spire-agent.fullname" . }}
+  name: {{ include "spire-agent.fullname" . | quote }}
  apiGroup: rbac.authorization.k8s.io
--- a/charts/spire/charts/spire-agent/templates/scc-spire-agent.yaml
+++ b/charts/spire/charts/spire-agent/templates/scc-spire-agent.yaml
@ -2,7 +2,7 @@
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
-  name: {{ include "spire-agent.fullname" . }}
+  name: {{ include "spire-agent.fullname" . | quote }}
 readOnlyRootFilesystem: true
 runAsUser:
  type: RunAsAny
@ -11,7 +11,7 @@ seLinuxContext:
 supplementalGroups:
  type: RunAsAny
 users:
-  - system:serviceaccount:{{ include "spire-agent.namespace" . }}:{{ include "spire-agent.serviceAccountName" . }}
+  - {{ printf "system:serviceaccount:%s:%s" (include "spire-agent.namespace" .) (include "spire-agent.serviceAccountName" .) | quote }}
 volumes:
  - configMap
  - hostPath
--- a/charts/spire/charts/spire-agent/templates/serviceaccount.yaml
+++ b/charts/spire/charts/spire-agent/templates/serviceaccount.yaml
@ -2,8 +2,8 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "spire-agent.serviceAccountName" . }}
-  namespace: {{ include "spire-agent.namespace" . }}
+  name: {{ include "spire-agent.serviceAccountName" . | quote }}
+  namespace: {{ include "spire-agent.namespace" . | quote }}
  labels:
    {{- include "spire-agent.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
--- a/charts/spire/charts/spire-agent/values.schema.json
+++ b/charts/spire/charts/spire-agent/values.schema.json
@ -0,0 +1,50 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "type": "object",
+  "properties": {
+    "server": {
+      "type": "object",
+      "properties": {
+        "port": {
+          "type": "integer",
+          "minimum": 1
+        }
+      }
+    },
+    "healthChecks": {
+      "type": "object",
+      "properties": {
+        "port": {
+          "type": "integer",
+          "minimum": 1
+        }
+      }
+    },
+    "livenessProbe": {
+      "type": "object",
+      "properties": {
+        "initialDelaySeconds": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "periodSeconds": {
+          "type": "integer",
+          "minimum": 1
+        }
+      }
+    },
+    "readinessProbe": {
+      "type": "object",
+      "properties": {
+        "initialDelaySeconds": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "periodSeconds": {
+          "type": "integer",
+          "minimum": 1
+        }
+      }
+    }
+  }
+}
--- a/charts/spire/charts/spire-agent/values.yaml
+++ b/charts/spire/charts/spire-agent/values.yaml
@ -94,7 +94,9 @@ trustDomain: example.org
 ## @param trustBundleURL If set, obtain trust bundle from url instead of Kubernetes ConfigMap
 trustBundleURL: ""
 ## @param trustBundleFormat If using trustBundleURL, what format is the url. Choices are "pem" and "spiffe"
-trustBundleFormat: pem
+trustBundleFormat: spiffe
+## @param trustBundleHostPath If set, obtain trust bundle from a file on the host instead of from the ConfigMap
+trustBundleHostPath: ""
 ## @param bundleConfigMap Configmap name for Spire bundle
 bundleConfigMap: spire-bundle
 ## @param availabilityTarget The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h.
@ -151,7 +153,7 @@ fsGroupFix:
    registry: cgr.dev
    repository: chainguard/bash
    pullPolicy: Always
-    tag: latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a
+    tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679

  ## @param fsGroupFix.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  resources: {}
@ -160,10 +162,13 @@ keyManager:
  memory:
    ## @param keyManager.memory.enabled Enable the memory based Key Manager
    enabled: true
+  disk:
+    ## @param keyManager.disk.enabled Enable the disk based Key Manager (must have persistence.type set to hostPath when enabled)
+    enabled: false

 nodeAttestor:
-  k8sPsat:
-    ## @param nodeAttestor.k8sPsat.enabled Enable Psat k8s Node Attestor
+  k8sPSAT:
+    ## @param nodeAttestor.k8sPSAT.enabled Enable PSAT k8s Node Attestor
    enabled: true
  httpChallenge:
    ## @param nodeAttestor.httpChallenge.enabled Enable the http challenge Node Attestor
@ -184,16 +189,16 @@ nodeAttestor:
      ## @param nodeAttestor.tpmDirect.plugin.image.tag Overrides the image tag
      ##
      image:
-        registry: docker.io
-        repository: boxboat/spire-tpm-plugin-tpm-attestor-agent
+        registry: ghcr.io
+        repository: spiffe/spire-tpm-plugin-tpm-attestor-agent
        pullPolicy: IfNotPresent
-        tag: "v1.8.7"
+        tag: "v1.9.0"
      ## @param nodeAttestor.tpmDirect.plugin.checksum The sha256 checksum of the plugin binary
-      checksum: 1d7c73ccac948ee86cbd78ddde2d30128a1838b403f7bb2100d38d916a252244
+      checksum: 22f67063f1699330e70cdedc9b923e517688f5ae71085a26bd9b83b3060ee86e
      ## @param nodeAttestor.tpmDirect.plugin.path The filename in the container of the plugin
      path: /app/tpm_attestor_agent
    pubHash:
-      ## @param nodeAttestor.tpmDirect.pubHash.enabled Enable Psat k8s nodeattestor
+      ## @param nodeAttestor.tpmDirect.pubHash.enabled Display pubhash in logs
      enabled: true
      ## @param nodeAttestor.tpmDirect.pubHash.image.registry The OCI registry to pull the image from
      ## @param nodeAttestor.tpmDirect.pubHash.image.repository The repository within the registry
@ -201,10 +206,13 @@ nodeAttestor:
      ## @param nodeAttestor.tpmDirect.pubHash.image.tag Overrides the image tag
      ##
      image:
-        registry: docker.io
-        repository: boxboat/spire-tpm-plugin-get-tpm-pubhash
+        registry: ghcr.io
+        repository: spiffe/spire-tpm-plugin-get-tpm-pubhash
        pullPolicy: IfNotPresent
-        tag: "v1.8.7"
+        tag: "v1.9.0"
+  awsIID:
+    ## @param nodeAttestor.awsIID.enabled Enable the aws_iid Node Attestor
+    enabled: false

 # workloadAttestors determine a workload's properties and then generate a set of selectors associated with it.
 workloadAttestors:
@ -225,22 +233,22 @@ workloadAttestors:
        fileName: ""
    ## @param workloadAttestors.k8s.disableContainerSelectors Set to true if using holdApplicationUntilProxyStarts in Istio
    disableContainerSelectors: false
-    ## @param workloadAttestors.k8s.useNewContainerLocator If true, enables the new container locator algorithm that has support for cgroups v2. Defaults to false
-    useNewContainerLocator: false
+    ## @param workloadAttestors.k8s.useNewContainerLocator If true, enables the new container locator algorithm that has support for cgroups v2. Defaults to true
+    useNewContainerLocator: true
    ## @param workloadAttestors.k8s.verboseContainerLocatorLogs If true, enables verbose logging of mountinfo and cgroup information used to locate containers. Defaults to false
    verboseContainerLocatorLogs: false

 sds:
  ## @param sds.enabled Enables Envoy SDS configuration
  enabled: false
-  ## @param sds.defaultSvidName The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS
-  defaultSvidName: "default"
+  ## @param sds.defaultSVIDName The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS
+  defaultSVIDName: "default"
  ## @param sds.defaultBundleName The Validation Context resource name to use for the default X.509 bundle with Envoy SDS
  defaultBundleName: "ROOTCA"
  ## @param sds.defaultAllBundlesName The Validation Context resource name to use for all bundles (including federated) with Envoy SDS
  defaultAllBundlesName: "ALL"
-  ## @param sds.disableSpiffeCertValidation Disable Envoy SDS custom validation
-  disableSpiffeCertValidation: false
+  ## @param sds.disableSPIFFECertValidation Disable Envoy SDS custom validation
+  disableSPIFFECertValidation: false

 telemetry:
  prometheus:
@ -255,6 +263,13 @@ telemetry:
      namespace: ""
      ## @param telemetry.prometheus.podMonitor.labels [object] Pod labels to filter for prometheus monitoring
      labels: {}
+  datadog:
+    ## @param telemetry.datadog.enabled Flag to enable datadog monitoring
+    enabled: false
+    ## @param telemetry.datadog.address The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc`
+    address: "datadog.kube-system.svc"
+    ## @param telemetry.datadog.port The port of the datadog service to send metrics to
+    port: 8125

 ## @param kubeletConnectByHostname If true, connect to kubelet using the nodes hostname. If false, uses localhost. If unset, defaults to true on OpenShift and false otherwise.
 kubeletConnectByHostname: ""
@ -278,7 +293,7 @@ socketAlternate:
    registry: cgr.dev
    repository: chainguard/bash
    pullPolicy: Always
-    tag: latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a
+    tag: latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679

  ## @param socketAlternate.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  resources: {}
@ -293,7 +308,7 @@ hostCert:
    registry: cgr.dev
    repository: chainguard/min-toolkit-debug
    pullPolicy: IfNotPresent
-    tag: latest@sha256:5420e15d91112458fc573755954c9174dbf4db8d802c4de3aac18145f5a78a17
+    tag: latest@sha256:f662d2b8c7c47e6d29c31b1bc8dbd039770d6186295bbc88bd8f540ca8ec3b53

  ## @param hostCert.resources Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  resources: {}
@ -355,7 +370,7 @@ agents: {}
 #    nodeSelector:
 #      tpm: with
 #    nodeAttestor:
-#      k8sPsat:
+#      k8sPSAT:
 #        enabled: false
 #      tpmDirect:
 #        enabled: true
@ -368,8 +383,8 @@ tools:
    ## @param tools.kubectl.image.tag Overrides the image tag whose default is the chart appVersion
    ##
    image:
-      registry: docker.io
-      repository: rancher/kubectl
+      registry: registry.k8s.io
+      repository: kubectl
      pullPolicy: IfNotPresent
      tag: ""

--- a/charts/spire/charts/spire-lib/templates/_helpers.tpl
+++ b/charts/spire/charts/spire-lib/templates/_helpers.tpl
@ -53,17 +53,17 @@
 {{- $repo := .image.repository }}
 {{- $tag := .image.tag | toString }}
 {{- if eq (substr 0 7 $tag) "sha256:" }}
-{{- printf "%s/%s@%s" $registry $repo $tag }}
+{{- printf "%s%s@%s" $registry $repo $tag | quote }}
 {{- else if .appVersion }}
 {{- $appVersion := .appVersion }}
 {{- if and (hasKey . "ubi") (dig "openshift" false .global) }}
 {{- $appVersion = printf "ubi-%s" $appVersion }}
 {{- end }}
-{{- printf "%s%s:%s" $registry $repo (default $appVersion $tag) }}
+{{- printf "%s%s:%s" $registry $repo (default $appVersion $tag) | quote }}
 {{- else if $tag }}
-{{- printf "%s%s:%s" $registry $repo $tag }}
+{{- printf "%s%s:%s" $registry $repo $tag | quote }}
 {{- else }}
-{{- printf "%s%s" $registry $repo }}
+{{- printf "%s%s" $registry $repo | quote }}
 {{- end }}
 {{- end }}

@ -309,7 +309,7 @@ securityContext - the subbranch of values that contains the securityContext to m

 {{- define "spire-lib.default_node_priority_class_name" }}
 {{- if .Values.priorityClassName }}
-priorityClassName: {{ .Values.priorityClassName }}
+priorityClassName: {{ .Values.priorityClassName | quote }}
 {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "priorityClassName" true .Values.global) }}
 priorityClassName: system-node-critical
 {{- end }}
@ -317,7 +317,7 @@ priorityClassName: system-node-critical

 {{- define "spire-lib.default_cluster_priority_class_name" }}
 {{- if .Values.priorityClassName }}
-priorityClassName: {{ .Values.priorityClassName }}
+priorityClassName: {{ .Values.priorityClassName | quote }}
 {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "priorityClassName" true .Values.global) }}
 priorityClassName: system-cluster-critical
 {{- end }}
@ -336,3 +336,11 @@ Anything lower has an incompatible API.
 {{- fail "Unsupported autoscaling API version" }}
 {{- end }}
 {{- end }}
+
+{{- define "spire-lib.trust-bundle-ext" -}}
+{{- if eq .trustBundleFormat "spiffe" }}
+{{- print "spiffe" }}
+{{- else }}
+{{- print "crt" }}
+{{- end }}
+{{- end }}
--- a/charts/spire/charts/spire-server/Chart.yaml
+++ b/charts/spire/charts/spire-server/Chart.yaml
@ -3,7 +3,7 @@ name: spire-server
 description: A Helm chart to install the SPIRE server.
 type: application
 version: 0.1.0
-appVersion: "1.10.3"
+appVersion: "1.12.4"
 keywords: ["spiffe", "spire-server", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire
 sources:
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
@ -125,29 +125,47 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `persistence.accessMode`                                                                     | What access mode to use for persistence. Valid options are ReadWriteOnce (recommended), ReadWriteOncePod, ReadWriteMany (not recommended)                                                                                                                                                                                                                            | `ReadWriteOnce`                                                                                |
 | `persistence.storageClass`                                                                   | What storage class to use for persistence                                                                                                                                                                                                                                                                                                                            | `nil`                                                                                          |
 | `persistence.hostPath`                                                                       | Which path to use on the host when persistence.type = hostPath                                                                                                                                                                                                                                                                                                       | `""`                                                                                           |
-| `dataStore.sql.databaseType`                                                                 | Other supported databases are "postgres" and "mysql"                                                                                                                                                                                                                                                                                                                 | `sqlite3`                                                                                      |
-| `dataStore.sql.databaseName`                                                                 | Only used by "postgres" or "mysql"                                                                                                                                                                                                                                                                                                                                   | `spire`                                                                                        |
-| `dataStore.sql.host`                                                                         | Only used by "postgres" or "mysql"                                                                                                                                                                                                                                                                                                                                   | `""`                                                                                           |
+| `dataStore.sql.databaseType`                                                                 | Other supported databases are ["postgres", "mysql", "aws_postgresql", "aws_mysql"]. Note: aws type databases are still experimental                                                                                                                                                                                                                                  | `sqlite3`                                                                                      |
+| `dataStore.sql.databaseName`                                                                 | Only used when type != "sqlite3"                                                                                                                                                                                                                                                                                                                                     | `spire`                                                                                        |
+| `dataStore.sql.host`                                                                         | Only used when type != "sqlite3"                                                                                                                                                                                                                                                                                                                                     | `""`                                                                                           |
 | `dataStore.sql.port`                                                                         | If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases.                                                                                                                                                                                                                                                              | `0`                                                                                            |
-| `dataStore.sql.username`                                                                     | Only used by "postgres" or "mysql"                                                                                                                                                                                                                                                                                                                                   | `spire`                                                                                        |
-| `dataStore.sql.password`                                                                     | Only used by "postgres" or "mysql"                                                                                                                                                                                                                                                                                                                                   | `""`                                                                                           |
-| `dataStore.sql.options`                                                                      | Only used by "postgres" or "mysql"                                                                                                                                                                                                                                                                                                                                   | `[]`                                                                                           |
-| `dataStore.sql.plugin_data`                                                                  | Settings from https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md go in this section                                                                                                                                                                                                                                                        | `{}`                                                                                           |
+| `dataStore.sql.username`                                                                     | Only used when type != "sqlite3"                                                                                                                                                                                                                                                                                                                                     | `spire`                                                                                        |
+| `dataStore.sql.password`                                                                     | Only used when type != "sqlite3"                                                                                                                                                                                                                                                                                                                                     | `""`                                                                                           |
+| `dataStore.sql.file`                                                                         | Data source file. Only used when type == "sqlite3"                                                                                                                                                                                                                                                                                                                   | `/run/spire/data/datastore.sqlite3`                                                            |
+| `dataStore.sql.options`                                                                      | takes an array of objects of form {<key>: <value>} to use when building the database connection string                                                                                                                                                                                                                                                               | `[]`                                                                                           |
+| `dataStore.sql.rootCAPath`                                                                   | Path to Root CA bundle (MySQL only)                                                                                                                                                                                                                                                                                                                                  | `""`                                                                                           |
+| `dataStore.sql.clientCertPath`                                                               | Path to client certificate (MySQL only)                                                                                                                                                                                                                                                                                                                              | `""`                                                                                           |
+| `dataStore.sql.clientKeyPath`                                                                | Path to private key for client certificate (MySQL only)                                                                                                                                                                                                                                                                                                              | `""`                                                                                           |
 | `dataStore.sql.externalSecret.enabled`                                                       | Enable external secret for datastore creds                                                                                                                                                                                                                                                                                                                           | `false`                                                                                        |
 | `dataStore.sql.externalSecret.name`                                                          | The name of the secret object                                                                                                                                                                                                                                                                                                                                        | `""`                                                                                           |
 | `dataStore.sql.externalSecret.key`                                                           | The key of the secret object whose value is the dataStore.sql password                                                                                                                                                                                                                                                                                               | `""`                                                                                           |
+| `dataStore.sql.maxOpenConns`                                                                 | The maximum number of open db connections                                                                                                                                                                                                                                                                                                                            | `100`                                                                                          |
+| `dataStore.sql.maxIdleConns`                                                                 | The maximum number of idle connections in the pool                                                                                                                                                                                                                                                                                                                   | `2`                                                                                            |
+| `dataStore.sql.connMaxLifetime`                                                              | The maximum amount of time a connection may be reused. If 0, time is unlimited                                                                                                                                                                                                                                                                                       | `0`                                                                                            |
+| `dataStore.sql.disableMigration`                                                             | True to disable auto-migration functionality                                                                                                                                                                                                                                                                                                                         | `false`                                                                                        |
+| `dataStore.sql.region`                                                                       | Region to use when database type is either aws_mysql or aws_postgresql                                                                                                                                                                                                                                                                                               | `""`                                                                                           |
+| `dataStore.sql.readOnly.enabled`                                                             | Set to true to configure a readOnly dartabase connection                                                                                                                                                                                                                                                                                                             | `false`                                                                                        |
+| `dataStore.sql.readOnly.host`                                                                | Only used when type != "sqlite3"                                                                                                                                                                                                                                                                                                                                     | `""`                                                                                           |
+| `dataStore.sql.readOnly.port`                                                                | If 0 (default), it will auto set to 5432 for postgres and 3306 for mysql. Only used by those databases.                                                                                                                                                                                                                                                              | `0`                                                                                            |
+| `dataStore.sql.readOnly.username`                                                            | Only used when type != "sqlite3"                                                                                                                                                                                                                                                                                                                                     | `spire`                                                                                        |
+| `dataStore.sql.readOnly.password`                                                            | Only used when type != "sqlite3"                                                                                                                                                                                                                                                                                                                                     | `""`                                                                                           |
+| `dataStore.sql.readOnly.options`                                                             | Only used when type != "sqlite3"                                                                                                                                                                                                                                                                                                                                     | `[]`                                                                                           |
+| `dataStore.sql.readOnly.externalSecret.enabled`                                              | Enable external secret for datastore creds                                                                                                                                                                                                                                                                                                                           | `false`                                                                                        |
+| `dataStore.sql.readOnly.externalSecret.name`                                                 | The name of the secret object                                                                                                                                                                                                                                                                                                                                        | `""`                                                                                           |
+| `dataStore.sql.readOnly.externalSecret.key`                                                  | The key of the secret object whose value is the dataStore.sql password                                                                                                                                                                                                                                                                                               | `""`                                                                                           |
 | `adminIDs`                                                                                   | SPIFFE IDs that, when present in a caller’s X509-SVID, grant that caller admin privileges.                                                                                                                                                                                                                                                                           | `[]`                                                                                           |
 | `auditLogEnabled`                                                                            | If true, enables audit logging                                                                                                                                                                                                                                                                                                                                       | `false`                                                                                        |
 | `logLevel`                                                                                   | The log level, valid values are "debug", "info", "warn", and "error"                                                                                                                                                                                                                                                                                                 | `info`                                                                                         |
 | `jwtIssuer`                                                                                  | The JWT issuer domain. Defaults to oidc-discovery.$trustDomain if unset                                                                                                                                                                                                                                                                                              | `""`                                                                                           |
 | `clusterName`                                                                                | Set the name of the Kubernetes cluster. (`kubeadm init --service-dns-domain`)                                                                                                                                                                                                                                                                                        | `example-cluster`                                                                              |
 | `trustDomain`                                                                                | Set the trust domain to be used for the SPIFFE identifiers                                                                                                                                                                                                                                                                                                           | `example.org`                                                                                  |
-| `bundleConfigMap`                                                                            | Set the trust domain to be used for the SPIFFE identifiers                                                                                                                                                                                                                                                                                                           | `spire-bundle`                                                                                 |
+| `bundleConfigMap`                                                                            | Set the Configmap name for SPIRE bundle                                                                                                                                                                                                                                                                                                                              | `spire-bundle`                                                                                 |
 | `clusterDomain`                                                                              | This is the value of your clusters `kubeadm init --service-dns-domain` flag                                                                                                                                                                                                                                                                                          | `cluster.local`                                                                                |
 | `federation.enabled`                                                                         | Flag to enable federation                                                                                                                                                                                                                                                                                                                                            | `false`                                                                                        |
 | `federation.bundleEndpoint.port`                                                             | Port value for trust bundle federation                                                                                                                                                                                                                                                                                                                               | `8443`                                                                                         |
 | `federation.bundleEndpoint.address`                                                          | Address for trust bundle federation                                                                                                                                                                                                                                                                                                                                  | `0.0.0.0`                                                                                      |
-| `federation.bundleEndpoint.refresh_hint`                                                     | Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server.                                                                                                                                              | `5m`                                                                                           |
+| `federation.bundleEndpoint.refreshHint`                                                      | Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server.                                                                                                                                              | `5m`                                                                                           |
+| `federation.bundleEndpoint.profile.httpWeb.fileSyncInterval`                                 | Interval on which to reload the certificate/key from disk                                                                                                                                                                                                                                                                                                            | `1h`                                                                                           |
 | `federation.tls.spire.enabled`                                                               | Use spire to secure the federation bundle endpoint                                                                                                                                                                                                                                                                                                                   | `true`                                                                                         |
 | `federation.tls.externalSecret.enabled`                                                      | Provide your own certificate/key via tls style Kubernetes Secret                                                                                                                                                                                                                                                                                                     | `false`                                                                                        |
 | `federation.tls.externalSecret.secretName`                                                   | Specify which Secret to use                                                                                                                                                                                                                                                                                                                                          | `""`                                                                                           |
@ -168,9 +186,17 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `federation.ingress.tlsSecret`                                                               | Secret that has the certs. If blank will use default certs. Used with host var.                                                                                                                                                                                                                                                                                      | `""`                                                                                           |
 | `federation.ingress.hosts`                                                                   | Host paths for ingress object. If empty, rules will be built based on the host var.                                                                                                                                                                                                                                                                                  | `[]`                                                                                           |
 | `federation.ingress.tls`                                                                     | Secrets containing TLS certs to enable https on ingress. If empty, rules will be built based on the host and tlsSecret vars.                                                                                                                                                                                                                                         | `[]`                                                                                           |
-| `ca_subject.country`                                                                         | Country for Spire server CA                                                                                                                                                                                                                                                                                                                                          | `ARPA`                                                                                         |
-| `ca_subject.organization`                                                                    | Organization for Spire server CA                                                                                                                                                                                                                                                                                                                                     | `Example`                                                                                      |
-| `ca_subject.common_name`                                                                     | Common Name for Spire server CA                                                                                                                                                                                                                                                                                                                                      | `example.org`                                                                                  |
+| `caSubject.country`                                                                          | Country for Spire server CA                                                                                                                                                                                                                                                                                                                                          | `ARPA`                                                                                         |
+| `caSubject.organization`                                                                     | Organization for Spire server CA                                                                                                                                                                                                                                                                                                                                     | `Example`                                                                                      |
+| `caSubject.commonName`                                                                       | Common Name for Spire server CA                                                                                                                                                                                                                                                                                                                                      | `example.org`                                                                                  |
+| `credentialComposer.cel.enabled`                                                             | Enable the cel based credential composer                                                                                                                                                                                                                                                                                                                             | `false`                                                                                        |
+| `credentialComposer.cel.image.registry`                                                      | The OCI registry to pull the image from                                                                                                                                                                                                                                                                                                                              | `ghcr.io`                                                                                      |
+| `credentialComposer.cel.image.repository`                                                    | The repository within the registry                                                                                                                                                                                                                                                                                                                                   | `spiffe/spire-credentialcomposer-cel`                                                          |
+| `credentialComposer.cel.image.pullPolicy`                                                    | The image pull policy                                                                                                                                                                                                                                                                                                                                                | `IfNotPresent`                                                                                 |
+| `credentialComposer.cel.image.tag`                                                           | Overrides the image tag                                                                                                                                                                                                                                                                                                                                              | `0.0.2`                                                                                        |
+| `credentialComposer.cel.checksum`                                                            | The sha256 checksum of the plugin binary                                                                                                                                                                                                                                                                                                                             | `23fa1d10f15ad5d5c555930cf82289c664801d7d5609bfd8847f95a0a667e4e4`                             |
+| `credentialComposer.cel.pluginPath`                                                          | The filename in the container of the plugin                                                                                                                                                                                                                                                                                                                          | `/ko-app/cmd`                                                                                  |
+| `credentialComposer.cel.jwt.expression`                                                      | The expression to use for jwt token composing                                                                                                                                                                                                                                                                                                                        | `""`                                                                                           |
 | `credentialComposer.uniqueID.enabled`                                                        | Add the x509UniqueIdentifier attribute to workload X509-SVIDs                                                                                                                                                                                                                                                                                                        | `false`                                                                                        |
 | `keyManager.disk.enabled`                                                                    | Flag to enable keyManager on disk                                                                                                                                                                                                                                                                                                                                    | `true`                                                                                         |
 | `keyManager.memory.enabled`                                                                  | Flag to enable keyManager in memory                                                                                                                                                                                                                                                                                                                                  | `false`                                                                                        |
@ -201,11 +227,11 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `upstreamAuthority.awsPCA.supplementalBundlePath`                                            | (Optional) Path to a file containing PEM-encoded CA certificates that should be additionally included in the bundle.                                                                                                                                                                                                                                                 | `""`                                                                                           |
 | `upstreamAuthority.certManager.enabled`                                                      | Flag to enable upstream authority plugin with cert manager                                                                                                                                                                                                                                                                                                           | `false`                                                                                        |
 | `upstreamAuthority.certManager.rbac.create`                                                  | Flag to create RBAC roles                                                                                                                                                                                                                                                                                                                                            | `true`                                                                                         |
-| `upstreamAuthority.certManager.issuer_name`                                                  | Defaults to the release name, override if CA is provided outside of the chart                                                                                                                                                                                                                                                                                        | `""`                                                                                           |
-| `upstreamAuthority.certManager.issuer_kind`                                                  | Defaults to "Issuer", override if CA is provided outside of the chart                                                                                                                                                                                                                                                                                                | `Issuer`                                                                                       |
-| `upstreamAuthority.certManager.issuer_group`                                                 | Defaults to "cert-manager.io", override if CA is provided outside of the chart                                                                                                                                                                                                                                                                                       | `cert-manager.io`                                                                              |
+| `upstreamAuthority.certManager.issuerName`                                                   | Defaults to the release name, override if CA is provided outside of the chart                                                                                                                                                                                                                                                                                        | `""`                                                                                           |
+| `upstreamAuthority.certManager.issuerKind`                                                   | Defaults to "Issuer", override if CA is provided outside of the chart                                                                                                                                                                                                                                                                                                | `Issuer`                                                                                       |
+| `upstreamAuthority.certManager.issuerGroup`                                                  | Defaults to "cert-manager.io", override if CA is provided outside of the chart                                                                                                                                                                                                                                                                                       | `cert-manager.io`                                                                              |
 | `upstreamAuthority.certManager.namespace`                                                    | Specify to use a namespace other then the one the chart is installed into                                                                                                                                                                                                                                                                                            | `""`                                                                                           |
-| `upstreamAuthority.certManager.kube_config_file`                                             | Path to kube_config_file on node to setup cert manager                                                                                                                                                                                                                                                                                                               | `""`                                                                                           |
+| `upstreamAuthority.certManager.kubeConfigFile`                                               | Path to kube config file on node to setup cert manager                                                                                                                                                                                                                                                                                                               | `""`                                                                                           |
 | `upstreamAuthority.certManager.ca.create`                                                    | Creates a Cert-Manager CA                                                                                                                                                                                                                                                                                                                                            | `false`                                                                                        |
 | `upstreamAuthority.certManager.ca.duration`                                                  | Duration of the CA. Defaults to 10 years                                                                                                                                                                                                                                                                                                                             | `87600h`                                                                                       |
 | `upstreamAuthority.certManager.ca.privateKey.algorithm`                                      | Algorithm to generate private key for CA                                                                                                                                                                                                                                                                                                                             | `ECDSA`                                                                                        |
@ -230,14 +256,17 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `upstreamAuthority.vault.k8sAuth.k8sAuthRoleName`                                            | Required - Name of the Vault role. The plugin authenticates against the named role                                                                                                                                                                                                                                                                                   | `""`                                                                                           |
 | `upstreamAuthority.vault.k8sAuth.token.audience`                                             | Intended audience of the PSAT, it must match one of the audiences supported by the Kubernetes API server. If no audience is specified, it defaults to the identifier of API Server. See ['Service Account Documentation'](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for more info. | `vault`                                                                                        |
 | `upstreamAuthority.vault.k8sAuth.token.expiry`                                               | Expiry time in seconds for the token                                                                                                                                                                                                                                                                                                                                 | `7200`                                                                                         |
-| `notifier.k8sbundle.enabled`                                                                 | Enable local k8s bundle uploader                                                                                                                                                                                                                                                                                                                                     | `true`                                                                                         |
-| `notifier.k8sbundle.namespace`                                                               | Namespace to push the bundle into, if blank will default to SPIRE Server namespace                                                                                                                                                                                                                                                                                   | `""`                                                                                           |
-| `notifier.externalK8sBundle.enabled`                                                         | Enable external k8s bundle uploader                                                                                                                                                                                                                                                                                                                                  | `true`                                                                                         |
+| `notifier.k8sBundle.enabled`                                                                 | Enable local k8s bundle uploader                                                                                                                                                                                                                                                                                                                                     | `false`                                                                                        |
+| `notifier.k8sBundle.namespace`                                                               | Namespace to push the bundle into, if blank will default to SPIRE Server namespace                                                                                                                                                                                                                                                                                   | `""`                                                                                           |
+| `notifier.k8sBundle.apiServiceLabel`                                                         | If set, rotate the CA Bundle in API services with this label set to true.                                                                                                                                                                                                                                                                                            | `""`                                                                                           |
+| `notifier.k8sBundle.webhookLabel`                                                            | If set, rotate the CA Bundle in validating and mutating webhooks with this label set to true.                                                                                                                                                                                                                                                                        | `""`                                                                                           |
+| `notifier.externalK8sBundle.enabled`                                                         | Enable external k8s bundle uploader                                                                                                                                                                                                                                                                                                                                  | `false`                                                                                        |
 | `notifier.externalK8sBundle.defaults.namespace`                                              | Namespace to push the bundle into on clusters                                                                                                                                                                                                                                                                                                                        | `spire-system`                                                                                 |
 | `notifier.externalK8sBundle.defaults.configMap`                                              | ConfigMap name to push the bundle into on external clusters                                                                                                                                                                                                                                                                                                          | `spire-bundle-upstream`                                                                        |
 | `notifier.externalK8sBundle.defaults.configMapKey`                                           | ConfigMap key to push the bundle into on external clusters                                                                                                                                                                                                                                                                                                           | `bundle.crt`                                                                                   |
 | `notifier.externalK8sBundle.clusters`                                                        | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used.                                                                                                                                                                                                                                                 | `{}`                                                                                           |
 | `controllerManager.enabled`                                                                  | Flag to enable controller manager                                                                                                                                                                                                                                                                                                                                    | `false`                                                                                        |
+| `controllerManager.staticManifestMode`                                                       | Flag to configure static mode. Valid options off, internal, and external. If internal, the identities config options will be rendered to an included configmap                                                                                                                                                                                                       | `off`                                                                                          |
 | `controllerManager.className`                                                                | specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs.                                                                                                                                                                                     | `""`                                                                                           |
 | `controllerManager.watchClassless`                                                           | specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true.                                                                                                                                                                | `false`                                                                                        |
 | `controllerManager.entryIDPrefixCleanup`                                                     | Sets which entry prefixes to remove for migrations. Consult the spiffe.io docs about this option before changing. Its unlikely you will need to ever change it.                                                                                                                                                                                                      | `false`                                                                                        |
@ -249,7 +278,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `controllerManager.image.registry`                                                           | The OCI registry to pull the image from                                                                                                                                                                                                                                                                                                                              | `ghcr.io`                                                                                      |
 | `controllerManager.image.repository`                                                         | The repository within the registry                                                                                                                                                                                                                                                                                                                                   | `spiffe/spire-controller-manager`                                                              |
 | `controllerManager.image.pullPolicy`                                                         | The image pull policy                                                                                                                                                                                                                                                                                                                                                | `IfNotPresent`                                                                                 |
-| `controllerManager.image.tag`                                                                | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                                                                                                                                                        | `0.5.0`                                                                                        |
+| `controllerManager.image.tag`                                                                | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                                                                                                                                                        | `0.6.2`                                                                                        |
 | `controllerManager.resources`                                                                | Resource requests and limits for controller manager                                                                                                                                                                                                                                                                                                                  | `{}`                                                                                           |
 | `controllerManager.securityContext`                                                          | Security context                                                                                                                                                                                                                                                                                                                                                     | `{}`                                                                                           |
 | `controllerManager.service.type`                                                             | Service type for controller manager                                                                                                                                                                                                                                                                                                                                  | `ClusterIP`                                                                                    |
@ -272,6 +301,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `controllerManager.identities.clusterSPIFFEIDs.default.admin`                                | Indicates any pod matched by this identity will be an admin. Use this with extreme care.                                                                                                                                                                                                                                                                             | `false`                                                                                        |
 | `controllerManager.identities.clusterSPIFFEIDs.default.downstream`                           | Set if this spire instance is a root server and the workloads are downstream servers.                                                                                                                                                                                                                                                                                | `false`                                                                                        |
 | `controllerManager.identities.clusterSPIFFEIDs.default.autoPopulateDNSNames`                 | Auto populate DNS names from services attached to pods                                                                                                                                                                                                                                                                                                               | `false`                                                                                        |
+| `controllerManager.identities.clusterSPIFFEIDs.default.fallback`                             | Apply this ID only if there are no other matching non fallback ClusterSPIFFEIDs                                                                                                                                                                                                                                                                                      | `true`                                                                                         |
 | `controllerManager.identities.clusterSPIFFEIDs.child-servers.enabled`                        | Enable this identity for controller manager                                                                                                                                                                                                                                                                                                                          | `false`                                                                                        |
 | `controllerManager.identities.clusterSPIFFEIDs.child-servers.type`                           | The type of rule this is.                                                                                                                                                                                                                                                                                                                                            | `child-servers`                                                                                |
 | `controllerManager.identities.clusterSPIFFEIDs.child-servers.downstream`                     | Set if this spire instance is a root server and the workloads are downstream servers.                                                                                                                                                                                                                                                                                | `true`                                                                                         |
@ -281,6 +311,15 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `controllerManager.identities.clusterSPIFFEIDs.oidc-discovery-provider.dnsNameTemplates`     | DNS name template for issued identities                                                                                                                                                                                                                                                                                                                              | `[]`                                                                                           |
 | `controllerManager.identities.clusterSPIFFEIDs.test-keys.enabled`                            | Enable this identity for controller manager                                                                                                                                                                                                                                                                                                                          | `true`                                                                                         |
 | `controllerManager.identities.clusterSPIFFEIDs.test-keys.type`                               | The type of rule this is.                                                                                                                                                                                                                                                                                                                                            | `test-keys`                                                                                    |
+| `controllerManager.identities.clusterSPIFFEIDs.spike-keeper.enabled`                         | Enable this identity for controller manager                                                                                                                                                                                                                                                                                                                          | `true`                                                                                         |
+| `controllerManager.identities.clusterSPIFFEIDs.spike-keeper.type`                            | The type of rule this is.                                                                                                                                                                                                                                                                                                                                            | `spike-keeper`                                                                                 |
+| `controllerManager.identities.clusterSPIFFEIDs.spike-keeper.spiffeIDTemplate`                | The template to use for this rule.                                                                                                                                                                                                                                                                                                                                   | `spiffe://{{ .TrustDomain }}/spike/keeper`                                                     |
+| `controllerManager.identities.clusterSPIFFEIDs.spike-nexus.enabled`                          | Enable this identity for controller manager                                                                                                                                                                                                                                                                                                                          | `true`                                                                                         |
+| `controllerManager.identities.clusterSPIFFEIDs.spike-nexus.type`                             | The type of rule this is.                                                                                                                                                                                                                                                                                                                                            | `spike-nexus`                                                                                  |
+| `controllerManager.identities.clusterSPIFFEIDs.spike-nexus.spiffeIDTemplate`                 | The template to use for this rule.                                                                                                                                                                                                                                                                                                                                   | `spiffe://{{ .TrustDomain }}/spike/nexus`                                                      |
+| `controllerManager.identities.clusterSPIFFEIDs.spike-pilot.enabled`                          | Enable this identity for controller manager                                                                                                                                                                                                                                                                                                                          | `true`                                                                                         |
+| `controllerManager.identities.clusterSPIFFEIDs.spike-pilot.type`                             | The type of rule this is.                                                                                                                                                                                                                                                                                                                                            | `spike-pilot`                                                                                  |
+| `controllerManager.identities.clusterSPIFFEIDs.spike-pilot.spiffeIDTemplate`                 | The template to use for this rule.                                                                                                                                                                                                                                                                                                                                   | `spiffe://{{ .TrustDomain }}/spike/pilot/role/superuser`                                       |
 | `controllerManager.identities.clusterStaticEntries`                                          | Specify ClusterStaticEntry objects.                                                                                                                                                                                                                                                                                                                                  | `{}`                                                                                           |
 | `controllerManager.identities.clusterFederatedTrustDomains`                                  | Specify ClusterFederatedTrustDomain objects.                                                                                                                                                                                                                                                                                                                         | `{}`                                                                                           |
 | `controllerManager.validatingWebhookConfiguration.enabled`                                   | Disable only when you have another chart instance on the k8s cluster with webhooks enabled.                                                                                                                                                                                                                                                                          | `true`                                                                                         |
@ -302,14 +341,21 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `externalControllerManagers.defaults.ignoreNamespaces`                                       | These namespaces are ignored by controller manager                                                                                                                                                                                                                                                                                                                   | `[]`                                                                                           |
 | `externalControllerManagers.defaults.cacheNamespaces`                                        | If specified restricts the manager's cache to watch objects in the desired namespaces. Defaults to all namespaces.                                                                                                                                                                                                                                                   | `{}`                                                                                           |
 | `externalControllerManagers.clusters`                                                        | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used.                                                                                                                                                                                                                                                 | `{}`                                                                                           |
-| `tools.kubectl.image.registry`                                                               | The OCI registry to pull the image from                                                                                                                                                                                                                                                                                                                              | `docker.io`                                                                                    |
-| `tools.kubectl.image.repository`                                                             | The repository within the registry                                                                                                                                                                                                                                                                                                                                   | `rancher/kubectl`                                                                              |
+| `tools.kubectl.image.registry`                                                               | The OCI registry to pull the image from                                                                                                                                                                                                                                                                                                                              | `registry.k8s.io`                                                                              |
+| `tools.kubectl.image.repository`                                                             | The repository within the registry                                                                                                                                                                                                                                                                                                                                   | `kubectl`                                                                                      |
 | `tools.kubectl.image.pullPolicy`                                                             | The image pull policy                                                                                                                                                                                                                                                                                                                                                | `IfNotPresent`                                                                                 |
 | `tools.kubectl.image.tag`                                                                    | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                                                                                                                                                        | `""`                                                                                           |
+| `tools.busybox.image.registry`                                                               | The OCI registry to pull the image from                                                                                                                                                                                                                                                                                                                              | `""`                                                                                           |
+| `tools.busybox.image.repository`                                                             | The repository within the registry                                                                                                                                                                                                                                                                                                                                   | `busybox`                                                                                      |
+| `tools.busybox.image.pullPolicy`                                                             | The image pull policy                                                                                                                                                                                                                                                                                                                                                | `IfNotPresent`                                                                                 |
+| `tools.busybox.image.tag`                                                                    | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                                                                                                                                                        | `1.37.0-uclibc`                                                                                |
 | `telemetry.prometheus.enabled`                                                               | Flag to enable prometheus monitoring                                                                                                                                                                                                                                                                                                                                 | `false`                                                                                        |
 | `telemetry.prometheus.podMonitor.enabled`                                                    | Enable podMonitor for prometheus                                                                                                                                                                                                                                                                                                                                     | `false`                                                                                        |
 | `telemetry.prometheus.podMonitor.namespace`                                                  | Override where to install the podMonitor, if not set will use the same namespace as the spire-agent                                                                                                                                                                                                                                                                  | `""`                                                                                           |
 | `telemetry.prometheus.podMonitor.labels`                                                     | Pod labels to filter for prometheus monitoring                                                                                                                                                                                                                                                                                                                       | `{}`                                                                                           |
+| `telemetry.datadog.enabled`                                                                  | Flag to enable datadog monitoring                                                                                                                                                                                                                                                                                                                                    | `false`                                                                                        |
+| `telemetry.datadog.address`                                                                  | The address of the datadog service to send metrics to. The default URL for services are `<service-name>.<namespace>.svc`                                                                                                                                                                                                                                             | `datadog.kube-system.svc`                                                                      |
+| `telemetry.datadog.port`                                                                     | The port of the datadog service to send metrics to                                                                                                                                                                                                                                                                                                                   | `8125`                                                                                         |
 | `ingress.enabled`                                                                            | Flag to enable ingress                                                                                                                                                                                                                                                                                                                                               | `false`                                                                                        |
 | `ingress.className`                                                                          | Ingress class name                                                                                                                                                                                                                                                                                                                                                   | `""`                                                                                           |
 | `ingress.controllerType`                                                                     | Specify what type of ingress controller you're using to add the necessary annotations accordingly. If blank, autodetection is attempted. If other, no annotations will be added. Must be one of [ingress-nginx, openshift, other, ""].                                                                                                                               | `""`                                                                                           |
@ -325,19 +371,20 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `initContainers`                                                                             | Additional init containers to create                                                                                                                                                                                                                                                                                                                                 | `[]`                                                                                           |
 | `caKeyType`                                                                                  | The CA key type to use, possible values are rsa-2048, rsa-4096, ec-p256, ec-p384 (AWS requires the use of RSA. EC cryptography is not supported)                                                                                                                                                                                                                     | `rsa-2048`                                                                                     |
 | `caTTL`                                                                                      | TTL for CA                                                                                                                                                                                                                                                                                                                                                           | `24h`                                                                                          |
+| `agentTTL`                                                                                   | The TTL to use for agent SVIDs. If unset, the defaultX509SvidTTL will be used.                                                                                                                                                                                                                                                                                       | `""`                                                                                           |
 | `defaultX509SvidTTL`                                                                         | TTL for X509 Svids                                                                                                                                                                                                                                                                                                                                                   | `4h`                                                                                           |
 | `defaultJwtSvidTTL`                                                                          | TTL for JWT Svids                                                                                                                                                                                                                                                                                                                                                    | `1h`                                                                                           |
-| `nodeAttestor.k8sPsat.enabled`                                                               | Enable Psat k8s nodeattestor                                                                                                                                                                                                                                                                                                                                         | `true`                                                                                         |
-| `nodeAttestor.k8sPsat.serviceAccountAllowList`                                               | Allowed service accounts for Psat nodeattestor. If namespace isn't specified, release namespace will be used.                                                                                                                                                                                                                                                        | `[]`                                                                                           |
-| `nodeAttestor.k8sPsat.audience`                                                              | Audience for token validation. If set to [] (empty array), Kubernetes API server audience is used                                                                                                                                                                                                                                                                    | `[]`                                                                                           |
-| `nodeAttestor.k8sPsat.allowedNodeLabelKeys`                                                  | Node label keys considered for selectors                                                                                                                                                                                                                                                                                                                             | `[]`                                                                                           |
-| `nodeAttestor.k8sPsat.allowedPodLabelKeys`                                                   | Pod label keys considered for selectors                                                                                                                                                                                                                                                                                                                              | `[]`                                                                                           |
-| `nodeAttestor.externalK8sPsat.enabled`                                                       | Enable PSAT k8s nodeattestor for external Kubernetes clusters                                                                                                                                                                                                                                                                                                        | `true`                                                                                         |
-| `nodeAttestor.externalK8sPsat.defaults.serviceAccountAllowList`                              | Allowed service accounts for PSAT node attestor                                                                                                                                                                                                                                                                                                                      | `[]`                                                                                           |
-| `nodeAttestor.externalK8sPsat.defaults.audience`                                             | Audience for token validation. If it is set to an empty array ([]), Kubernetes API server audience is used                                                                                                                                                                                                                                                           | `[]`                                                                                           |
-| `nodeAttestor.externalK8sPsat.defaults.allowedNodeLabelKeys`                                 | Node label keys considered for selectors                                                                                                                                                                                                                                                                                                                             | `[]`                                                                                           |
-| `nodeAttestor.externalK8sPsat.defaults.allowedPodLabelKeys`                                  | Pod label keys considered for selectors                                                                                                                                                                                                                                                                                                                              | `[]`                                                                                           |
-| `nodeAttestor.externalK8sPsat.clusters`                                                      | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used.                                                                                                                                                                                                                                                 | `{}`                                                                                           |
+| `nodeAttestor.k8sPSAT.enabled`                                                               | Enable PSAT k8s nodeattestor                                                                                                                                                                                                                                                                                                                                         | `true`                                                                                         |
+| `nodeAttestor.k8sPSAT.serviceAccountAllowList`                                               | Allowed service accounts for PSAT nodeattestor. If namespace isn't specified, release namespace will be used.                                                                                                                                                                                                                                                        | `[]`                                                                                           |
+| `nodeAttestor.k8sPSAT.audience`                                                              | Audience for token validation. If set to [] (empty array), Kubernetes API server audience is used                                                                                                                                                                                                                                                                    | `[]`                                                                                           |
+| `nodeAttestor.k8sPSAT.allowedNodeLabelKeys`                                                  | Node label keys considered for selectors                                                                                                                                                                                                                                                                                                                             | `[]`                                                                                           |
+| `nodeAttestor.k8sPSAT.allowedPodLabelKeys`                                                   | Pod label keys considered for selectors                                                                                                                                                                                                                                                                                                                              | `[]`                                                                                           |
+| `nodeAttestor.externalK8sPSAT.enabled`                                                       | Enable PSAT k8s nodeattestor for external Kubernetes clusters                                                                                                                                                                                                                                                                                                        | `true`                                                                                         |
+| `nodeAttestor.externalK8sPSAT.defaults.serviceAccountAllowList`                              | Allowed service accounts for PSAT node attestor                                                                                                                                                                                                                                                                                                                      | `[]`                                                                                           |
+| `nodeAttestor.externalK8sPSAT.defaults.audience`                                             | Audience for token validation. If it is set to an empty array ([]), Kubernetes API server audience is used                                                                                                                                                                                                                                                           | `[]`                                                                                           |
+| `nodeAttestor.externalK8sPSAT.defaults.allowedNodeLabelKeys`                                 | Node label keys considered for selectors                                                                                                                                                                                                                                                                                                                             | `[]`                                                                                           |
+| `nodeAttestor.externalK8sPSAT.defaults.allowedPodLabelKeys`                                  | Pod label keys considered for selectors                                                                                                                                                                                                                                                                                                                              | `[]`                                                                                           |
+| `nodeAttestor.externalK8sPSAT.clusters`                                                      | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used.                                                                                                                                                                                                                                                 | `{}`                                                                                           |
 | `nodeAttestor.joinToken.enabled`                                                             | Enable the join_token nodeattestor                                                                                                                                                                                                                                                                                                                                   | `false`                                                                                        |
 | `nodeAttestor.httpChallenge.enabled`                                                         | Enable the http_challenge nodeattesto                                                                                                                                                                                                                                                                                                                                | `false`                                                                                        |
 | `nodeAttestor.httpChallenge.allowedDNSPatterns`                                              | A list of regular expressions to match to the hostname being attested. If none match, attestation will fail. If a blank list, all hostnames are allowed.                                                                                                                                                                                                             | `[]`                                                                                           |
@ -345,18 +392,30 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `nodeAttestor.httpChallenge.allowNonRootPorts`                                               | Allow using ports >= 1024 from clients for attestation                                                                                                                                                                                                                                                                                                               | `true`                                                                                         |
 | `nodeAttestor.httpChallenge.tofu`                                                            | Trust on first use of the successful challenge. Can only be disabled if allowNonRootPorts=false or requiredPort < 1024                                                                                                                                                                                                                                               | `true`                                                                                         |
 | `nodeAttestor.tpmDirect.enabled`                                                             | Enable the direct TPM node attestor, a 3rd party plugin by Boxboat. This plugin is experimental.                                                                                                                                                                                                                                                                     | `false`                                                                                        |
-| `nodeAttestor.tpmDirect.image.registry`                                                      | The OCI registry to pull the image from                                                                                                                                                                                                                                                                                                                              | `docker.io`                                                                                    |
-| `nodeAttestor.tpmDirect.image.repository`                                                    | The repository within the registry                                                                                                                                                                                                                                                                                                                                   | `boxboat/spire-tpm-plugin-tpm-attestor-server`                                                 |
+| `nodeAttestor.tpmDirect.image.registry`                                                      | The OCI registry to pull the image from                                                                                                                                                                                                                                                                                                                              | `ghcr.io`                                                                                      |
+| `nodeAttestor.tpmDirect.image.repository`                                                    | The repository within the registry                                                                                                                                                                                                                                                                                                                                   | `spiffe/spire-tpm-plugin-tpm-attestor-server`                                                  |
 | `nodeAttestor.tpmDirect.image.pullPolicy`                                                    | The image pull policy                                                                                                                                                                                                                                                                                                                                                | `IfNotPresent`                                                                                 |
-| `nodeAttestor.tpmDirect.image.tag`                                                           | Overrides the image tag                                                                                                                                                                                                                                                                                                                                              | `v1.8.7`                                                                                       |
-| `nodeAttestor.tpmDirect.checksum`                                                            | The sha256 checksum of the plugin binary                                                                                                                                                                                                                                                                                                                             | `f39ef9cdd2b3dd74112bfe827b79d6721c59215d0d5f4c2e34fa09bbc60d36d2`                             |
+| `nodeAttestor.tpmDirect.image.tag`                                                           | Overrides the image tag                                                                                                                                                                                                                                                                                                                                              | `v1.9.0`                                                                                       |
+| `nodeAttestor.tpmDirect.checksum`                                                            | The sha256 checksum of the plugin binary                                                                                                                                                                                                                                                                                                                             | `46d0caad8c25a027dd11c93e18b58a8bc6fbd9f1fe2e36fa2a0dd440986de4dc`                             |
 | `nodeAttestor.tpmDirect.pluginPath`                                                          | The filename in the container of the plugin                                                                                                                                                                                                                                                                                                                          | `/app/tpm_attestor_server`                                                                     |
 | `nodeAttestor.tpmDirect.cas`                                                                 | A dictionary of TPM CA PEM or DER files that are allowed to connect.                                                                                                                                                                                                                                                                                                 | `{}`                                                                                           |
 | `nodeAttestor.tpmDirect.hashes`                                                              | A list of TPM hashes that are allowed to connect.                                                                                                                                                                                                                                                                                                                    | `[]`                                                                                           |
+| `nodeAttestor.awsIID.enabled`                                                                | Enable the aws_iid node attestor                                                                                                                                                                                                                                                                                                                                     | `false`                                                                                        |
+| `nodeAttestor.awsIID.assumeRole`                                                             | AWS IAM Role NAME to use for the attestation                                                                                                                                                                                                                                                                                                                         | `""`                                                                                           |
+| `bundlePublisher.k8sConfigMap.enabled`                                                       | Enable local k8s bundle uploader                                                                                                                                                                                                                                                                                                                                     | `true`                                                                                         |
+| `bundlePublisher.k8sConfigMap.namespace`                                                     | Namespace to push the bundle into, if blank will default to SPIRE Server namespace                                                                                                                                                                                                                                                                                   | `""`                                                                                           |
+| `bundlePublisher.k8sConfigMap.format`                                                        | Format of the trust bundle. Can be pem or spiffe                                                                                                                                                                                                                                                                                                                     | `spiffe`                                                                                       |
+| `bundlePublisher.externalK8sConfigMap.enabled`                                               | Enable external k8s bundle uploader                                                                                                                                                                                                                                                                                                                                  | `true`                                                                                         |
+| `bundlePublisher.externalK8sConfigMap.defaults.namespace`                                    | Namespace to push the bundle into on clusters                                                                                                                                                                                                                                                                                                                        | `spire-system`                                                                                 |
+| `bundlePublisher.externalK8sConfigMap.defaults.configMapName`                                | ConfigMap name to push the bundle into on external clusters                                                                                                                                                                                                                                                                                                          | `spire-bundle-upstream`                                                                        |
+| `bundlePublisher.externalK8sConfigMap.defaults.configMapKey`                                 | ConfigMap key to push the bundle into on external clusters                                                                                                                                                                                                                                                                                                           | `""`                                                                                           |
+| `bundlePublisher.externalK8sConfigMap.defaults.format`                                       | Format of the trust bundle. Can be pem or spiffe                                                                                                                                                                                                                                                                                                                     | `spiffe`                                                                                       |
+| `bundlePublisher.externalK8sConfigMap.clusters`                                              | A dictionary of clusters to add with optional overrides. If empty, all clusters defined in kubeConfigs will be used.                                                                                                                                                                                                                                                 | `{}`                                                                                           |
 | `bundlePublisher.awsRolesAnywhereTrustAnchor.enabled`                                        | Enable the AWS S3 bundle publisher                                                                                                                                                                                                                                                                                                                                   | `false`                                                                                        |
 | `bundlePublisher.awsRolesAnywhereTrustAnchor.region`                                         | AWS region to store the trust bundle                                                                                                                                                                                                                                                                                                                                 | `""`                                                                                           |
 | `bundlePublisher.awsRolesAnywhereTrustAnchor.trustAnchorID`                                  | AWS trust anchor ID to publish to                                                                                                                                                                                                                                                                                                                                    | `""`                                                                                           |
 | `bundlePublisher.awsS3.enabled`                                                              | Enable the AWS S3 bundle publisher                                                                                                                                                                                                                                                                                                                                   | `false`                                                                                        |
+| `bundlePublisher.awsS3.endpoint`                                                             | A custom S3 endpoint should be set when using third-party object storage providers, such as Minio.                                                                                                                                                                                                                                                                   | `""`                                                                                           |
 | `bundlePublisher.awsS3.region`                                                               | AWS region to store the trust bundle                                                                                                                                                                                                                                                                                                                                 | `""`                                                                                           |
 | `bundlePublisher.awsS3.bucket`                                                               | AWS S3 bucket name to which the trust bundle is uploaded                                                                                                                                                                                                                                                                                                             | `""`                                                                                           |
 | `bundlePublisher.awsS3.objectKey`                                                            | AWS S3 object key inside the bucket                                                                                                                                                                                                                                                                                                                                  | `""`                                                                                           |
@ -375,7 +434,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `tornjak.image.repository`                 | The repository within the registry                                                                                                                                                                                                     | `spiffe/tornjak-backend`                                                         |
 | `tornjak.image.pullPolicy`                 | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
 | `tornjak.image.tag`                        | Overrides the image tag to be whatever you need it to be. It will always be the flag you set without modifications                                                                                                                     | `""`                                                                             |
-| `tornjak.image.defaultTag`                 | Sets the default image to use when image.tag is not set. It will automatically be updated with a ubi- prefix if on OpenShift.                                                                                                          | `v1.6.0`                                                                         |
+| `tornjak.image.defaultTag`                 | Sets the default image to use when image.tag is not set. It will automatically be updated with a ubi- prefix if on OpenShift.                                                                                                          | `v2.1.0`                                                                         |
 | `tornjak.service.type`                     | Type of service resource                                                                                                                                                                                                               | `ClusterIP`                                                                      |
 | `tornjak.service.ports.http`               | Insecure port for tornjak service                                                                                                                                                                                                      | `10000`                                                                          |
 | `tornjak.service.ports.https`              | Secure port for tornjak service                                                                                                                                                                                                        | `10443`                                                                          |
@ -413,10 +472,10 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `customPlugins.nodeAttestor`               | Custom plugins of type NodeAttestor are configured here                                                                                                                                                                                | `{}`                                                                             |
 | `customPlugins.upstreamAuthority`          | Custom plugins of type upstreamAuthority are configured here                                                                                                                                                                           | `{}`                                                                             |
 | `customPlugins.notifier`                   | Custom plugins of type notifier are configured here                                                                                                                                                                                    | `{}`                                                                             |
-| `chown.image.registry`                     | The OCI registry to pull the image from                                                                                                                                                                                                | `cgr.dev`                                                                        |
-| `chown.image.repository`                   | The repository within the registry                                                                                                                                                                                                     | `chainguard/bash`                                                                |
+| `chown.image.registry`                     | The OCI registry to pull the image from                                                                                                                                                                                                | `""`                                                                             |
+| `chown.image.repository`                   | The repository within the registry                                                                                                                                                                                                     | `busybox`                                                                        |
 | `chown.image.pullPolicy`                   | The image pull policy                                                                                                                                                                                                                  | `Always`                                                                         |
-| `chown.image.tag`                          | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a` |
+| `chown.image.tag`                          | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `1.37.0-uclibc`                                                                  |
 | `chown.resources`                          | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/                                                                                                                           | `{}`                                                                             |
 | `experimental.enabled`                     | Allow configuration of experimental features                                                                                                                                                                                           | `false`                                                                          |
 | `experimental.cacheReloadInterval`         | The amount of time between two reloads of the in-memory entry cache.                                                                                                                                                                   | `5s`                                                                             |
@ -429,5 +488,5 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `tests.bash.image.registry`                | The OCI registry to pull the image from                                                                                                                                                                                                | `cgr.dev`                                                                        |
 | `tests.bash.image.repository`              | The repository within the registry                                                                                                                                                                                                     | `chainguard/bash`                                                                |
 | `tests.bash.image.pullPolicy`              | The image pull policy                                                                                                                                                                                                                  | `IfNotPresent`                                                                   |
-| `tests.bash.image.tag`                     | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `latest@sha256:f5c85affd2aa0f55fc1ead7dc07952577ad82741bbbba742ead0fd9dde2de14a` |
+| `tests.bash.image.tag`                     | Overrides the image tag whose default is the chart appVersion                                                                                                                                                                          | `latest@sha256:330ad2ea11cf3018a331326fb08e44cedd0c0c604cfbfcff32b81272460bb679` |
 | `kubeConfigs`                              | Manage additional kubeconfig files to talk to external Kubernetes clusters                                                                                                                                                             | `{}`                                                                             |
--- a/charts/spire/charts/spire-server/templates/_controller-manager-container.tpl
+++ b/charts/spire/charts/spire-server/templates/_controller-manager-container.tpl
@ -75,7 +75,11 @@
    {{- end }}
  env:
    - name: ENABLE_WEBHOOKS
+    {{- if eq .Values.controllerManager.staticManifestMode "off" }}
      value: {{ .webhooksEnabled | toString | quote }}
+    {{- else }}
+      value: "false"
+    {{- end }}
  {{- if gt (len $extraEnv) 0 }}
  {{-   $extraEnv | toYaml | nindent 4 }}
  {{- end }}
@ -91,6 +95,7 @@
    - containerPort: {{ $promPort }}
      name: prom-cm{{ .suffix }}
    {{- end }}
+{{- if eq .Values.controllerManager.staticManifestMode "off" }}
  livenessProbe:
    httpGet:
      path: /healthz
@ -99,12 +104,17 @@
    httpGet:
      path: /readyz
      port: healthz
+{{- end }}
  resources:
    {{- toYaml .Values.controllerManager.resources | nindent 4 }}
  volumeMounts:
    - name: spire-server-socket
      mountPath: /tmp/spire-server/private
      readOnly: true
+    {{- if ne .Values.controllerManager.staticManifestMode "off" }}
+    - name: controller-manager-static-config
+      mountPath: /manifests
+    {{- end }}
    - name: controller-manager-config
      mountPath: /controller-manager-config{{ .suffix }}.yaml
      subPath: controller-manager-config{{ .suffix }}.yaml
--- a/charts/spire/charts/spire-server/templates/_helpers.tpl
+++ b/charts/spire/charts/spire-server/templates/_helpers.tpl
@ -65,9 +65,9 @@ Allow the release namespace to be overridden for multi-namespace deployments in
  {{- end -}}
 {{- end -}}

-{{- define "spire-server.bundle-namespace" -}}
-  {{- if .Values.notifier.k8sbundle.namespace }}
-    {{- .Values.notifier.k8sbundle.namespace }}
+{{- define "spire-server.bundle-namespace-bundlepublisher" -}}
+  {{- if .Values.bundlePublisher.k8sConfigMap.namespace }}
+    {{- .Values.bundlePublisher.k8sConfigMap.namespace }}
  {{- else if .Values.namespaceOverride -}}
    {{- .Values.namespaceOverride -}}
  {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
@ -81,6 +81,30 @@ Allow the release namespace to be overridden for multi-namespace deployments in
  {{- end -}}
 {{- end -}}

+{{- define "spire-server.bundle-namespace-notifier" -}}
+  {{- if .Values.notifier.k8sBundle.namespace }}
+    {{- .Values.notifier.k8sBundle.namespace }}
+  {{- else if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
+    {{- if ne (len (dig "spire" "namespaces" "system" "name" "" .Values.global)) 0 }}
+      {{- .Values.global.spire.namespaces.system.name }}
+    {{- else }}
+      {{- printf "spire-system" }}
+    {{- end }}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "spire-server.bundle-namespace" -}}
+  {{- if .Values.notifier.k8sBundle.namespace }}
+    {{- .Values.notifier.k8sBundle.namespace }}
+  {{- else }}
+    {{- include "spire-server.bundle-namespace-bundlepublisher" . -}}
+  {{- end }}
+{{- end }}
+
 {{- define "spire-server.podMonitor.namespace" -}}
  {{- if ne (len .Values.telemetry.prometheus.podMonitor.namespace) 0 }}
    {{- .Values.telemetry.prometheus.podMonitor.namespace }}
@ -146,9 +170,9 @@ Create the name of the service account to use

 {{- define "spire-server.serviceAccountAllowedList" }}
 {{- $releaseNamespace := include "spire-server.agent-namespace" . }}
-{{- if ne (len .Values.nodeAttestor.k8sPsat.serviceAccountAllowList) 0 }}
+{{- if ne (len .Values.nodeAttestor.k8sPSAT.serviceAccountAllowList) 0 }}
 {{-   $list := list }}
-{{-   range .Values.nodeAttestor.k8sPsat.serviceAccountAllowList }}
+{{-   range .Values.nodeAttestor.k8sPSAT.serviceAccountAllowList }}
 {{-     if contains ":" . }}
 {{-       $list = append $list . }}
 {{-     else }}
@ -161,6 +185,20 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}

+{{- define "spire-server.config-sqlite-query" }}
+{{- $lst := list }}
+{{- range . }}
+{{- range $key, $value := . }}
+{{- $eValue := toString $value }}
+{{- $entry := printf "%s=%s" (urlquery $key) (urlquery $eValue) }}
+{{- $lst = append $lst $entry }}
+{{- end }}
+{{- end }}
+{{- if gt (len $lst) 0 }}
+{{- printf "?%s" (join "&" (uniq $lst)) }}
+{{- end }}
+{{- end }}
+
 {{- define "spire-server.config-mysql-query" }}
 {{- $lst := list }}
 {{- range . }}
@ -189,20 +227,45 @@ Create the name of the service account to use
 {{- end }}

 {{- define "spire-server.datastore-config" }}
-{{- $config := deepCopy .Values.dataStore.sql.plugin_data }}
+{{- $config := dict }}
+{{- $pw := "" }}
+{{- $ropw := "" }}
 {{- if eq .Values.dataStore.sql.databaseType "sqlite3" }}
  {{- $_ := set $config "database_type" "sqlite3" }}
-  {{- $_ := set $config "connection_string" "/run/spire/data/datastore.sqlite3" }}
-{{- else if eq .Values.dataStore.sql.databaseType "mysql" }}
-  {{- $_ := set $config "database_type" "mysql" }}
+  {{- $query := include "spire-server.config-sqlite-query" .Values.dataStore.sql.options }}
+  {{- $_ := set $config "connection_string" (printf "%s%s" .Values.dataStore.sql.file $query) }}
+{{- else if or (eq .Values.dataStore.sql.databaseType "mysql") (eq .Values.dataStore.sql.databaseType "aws_mysql") }}
+  {{- if eq .Values.dataStore.sql.databaseType "mysql" }}
+  {{-   $_ := set $config "database_type" "mysql" }}
+  {{-   $pw = "${DBPW}" }}
+  {{-   $ropw = "${RODBPW}" }}
+  {{- else }}
+  {{-   $_ := set $config "database_type" (list (dict "aws_mysql" (dict "region" .Values.dataStore.sql.region))) }}
+  {{- end }}
  {{- $port := int .Values.dataStore.sql.port | default 3306 }}
  {{- $query := include "spire-server.config-mysql-query" .Values.dataStore.sql.options }}
-  {{- $_ := set $config "connection_string" (printf "%s:${DBPW}@tcp(%s:%d)/%s%s" .Values.dataStore.sql.username .Values.dataStore.sql.host $port .Values.dataStore.sql.databaseName $query) }}
-{{- else if eq .Values.dataStore.sql.databaseType "postgres" }}
-  {{- $_ := set $config "database_type" "postgres" }}
+  {{- $_ := set $config "connection_string" (printf "%s:%s@tcp(%s:%d)/%s%s" .Values.dataStore.sql.username $pw .Values.dataStore.sql.host $port .Values.dataStore.sql.databaseName $query) }}
+  {{- if .Values.dataStore.sql.readOnly.enabled }}
+  {{-   $roPort := int .Values.dataStore.sql.readOnly.port | default 3306 }}
+  {{-   $roQuery := include "spire-server.config-mysql-query" .Values.dataStore.sql.readOnly.options }}
+  {{-   $_ := set $config "ro_connection_string" (printf "%s:%s@tcp(%s:%d)/%s%s" .Values.dataStore.sql.readOnly.username $ropw .Values.dataStore.sql.readOnly.host $roPort .Values.dataStore.sql.readOnly.databaseName $roQuery) }}
+  {{- end }}
+{{- else if or (eq .Values.dataStore.sql.databaseType "postgres") (eq .Values.dataStore.sql.databaseType "aws_postgres") }}
+  {{- if eq .Values.dataStore.sql.databaseType "postgres" }}
+  {{-   $_ := set $config "database_type" "postgres" }}
+  {{-   $pw = " password=${DBPW}" }}
+  {{-   $ropw = " password=${RODBPW}" }}
+  {{- else }}
+  {{-   $_ := set $config "database_type" (list (dict "aws_postgres" (dict "region" .Values.dataStore.sql.region))) }}
+  {{- end }}
  {{- $port := int .Values.dataStore.sql.port | default 5432 }}
  {{- $options:= include "spire-server.config-postgresql-options" .Values.dataStore.sql.options }}
-  {{- $_ := set $config "connection_string" (printf "dbname=%s user=%s password=${DBPW} host=%s port=%d%s" .Values.dataStore.sql.databaseName .Values.dataStore.sql.username .Values.dataStore.sql.host $port $options) }}
+  {{- $_ := set $config "connection_string" (printf "dbname=%s user=%s%s host=%s port=%d%s" .Values.dataStore.sql.databaseName .Values.dataStore.sql.username $pw .Values.dataStore.sql.host $port $options) }}
+  {{- if .Values.dataStore.sql.readOnly.enabled }}
+  {{-   $roPort := int .Values.dataStore.sql.readOnly.port | default 5432 }}
+  {{-   $roOptions:= include "spire-server.config-postgresql-options" .Values.dataStore.sql.readOnly.options }}
+  {{-   $_ := set $config "ro_connection_string" (printf "dbname=%s user=%s%s host=%s port=%d%s" .Values.dataStore.sql.readOnly.databaseName .Values.dataStore.sql.readOnly.username $ropw .Values.dataStore.sql.readOnly.host $roPort $roOptions) }}
+  {{- end }}
 {{- else }}
  {{- fail "Unsupported database type" }}
 {{- end }}
@ -274,7 +337,7 @@ The code below determines what connection type should be used.
 {{-     end }}
 {{-     $args = append $args (printf "https://%s/" $host) }}
 {{-   else }}
-{{-     $args = append $args (printf "http://%s/" $host) }}
+{{-     $args = append $args (printf "-k -L http://%s/" $host) }}
 {{-   end }}
 {{ $args | toYaml }}
 {{- end -}}
@ -293,17 +356,17 @@ The code below determines what connection type should be used.

 {{- define "spire-server.ca-subject-country" }}
 {{-   $g := dig "spire" "caSubject" "country" "" .Values.global }}
-{{-   default .Values.ca_subject.country $g }}
+{{-   default .Values.caSubject.country $g }}
 {{- end }}

 {{- define "spire-server.ca-subject-organization" }}
 {{-   $g := dig "spire" "caSubject" "organization" "" .Values.global }}
-{{-   default .Values.ca_subject.organization $g }}
+{{-   default .Values.caSubject.organization $g }}
 {{- end }}

 {{- define "spire-server.ca-subject-common-name" }}
 {{-   $g := dig "spire" "caSubject" "commonName" "" .Values.global }}
-{{-   default .Values.ca_subject.common_name $g }}
+{{-   default .Values.caSubject.commonName $g }}
 {{- end }}

 {{- define "spire-server.subject" }}
--- a/charts/spire/charts/spire-server/templates/bundle-configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/bundle-configmap.yaml
@ -1,3 +1,7 @@
+{{- if and .Values.notifier.k8sBundle.enabled .Values.bundlePublisher.k8sConfigMap.enabled }}
+{{- fail "You can only enable either notifier.k8sBundle or bundlePublisher.k8sConfigMap." }}
+{{- end }}
+{{- if .Values.notifier.k8sBundle.enabled }}
 {{- $namespace := include "spire-server.bundle-namespace" . }}
 apiVersion: v1
 kind: ConfigMap
@ -8,3 +12,4 @@ metadata:
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
+{{- end }}
--- a/charts/spire/charts/spire-server/templates/configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/configmap.yaml
@ -1,9 +1,9 @@
 {{- include "spire-lib.check-strict-mode" (list . "clusterName must be set" (eq (include "spire-lib.cluster-name" .) "example-cluster"))}}
 {{- include "spire-lib.check-strict-mode" (list . "trustDomain must be set" (eq (include "spire-lib.trust-domain" .) "example.org"))}}
 {{- include "spire-lib.check-strict-mode" (list . "jwtIssuer must be set" (eq (include "spire-lib.jwt-issuer" .) "https://oidc-discovery.example.org"))}}
-{{- include "spire-lib.check-strict-mode" (list . "ca_subject.country must be set" (eq (include "spire-server.ca-subject-country" .) "ARPA"))}}
-{{- include "spire-lib.check-strict-mode" (list . "ca_subject.organization must be set" (eq (include "spire-server.ca-subject-organization" .) "Example"))}}
-{{- include "spire-lib.check-strict-mode" (list . "ca_subject.common_name must be set" (eq (include "spire-server.ca-subject-common-name" .) "example.org"))}}
+{{- include "spire-lib.check-strict-mode" (list . "caSubject.country must be set" (eq (include "spire-server.ca-subject-country" .) "ARPA"))}}
+{{- include "spire-lib.check-strict-mode" (list . "caSubject.organization must be set" (eq (include "spire-server.ca-subject-organization" .) "Example"))}}
+{{- include "spire-lib.check-strict-mode" (list . "caSubject.commonNname must be set" (eq (include "spire-server.ca-subject-common-name" .) "example.org"))}}
 {{- range $type, $tvals := .Values.customPlugins }}
 {{-   if not (has $type (list "bundlePublisher" "credentialComposer" "keyManager" "nodeAttestor" "upstreamAuthority" "notifier")) }}
 {{-     fail (printf "Unknown plugin type specified: %s" $type) }}
@ -38,9 +38,6 @@
 {{- if and (eq (.Values.keyManager.awsKMS.keyIdentifierFile.enabled | toString) "true") (eq (.Values.keyManager.awsKMS.keyIdentifierValue.enabled | toString ) "true") }}
 {{-   fail "You can only enable one of keyIdentifierFile or keyIdentifierValue at a time" }}
 {{- end }}
-{{- if hasKey .Values.federation.bundleEndpoint "profile" }}
-{{-   fail "Configuring the federation bundle endpoint profile directly isn't supported. You can specify the settings via federation.tls" }}
-{{- end }}
 {{- define "spire-server.yaml-config" -}}
 {{- $upstreamAuthorityUsed := 0 }}
 {{- $keyManagerUsed := 0 }}
@ -61,6 +58,9 @@ server:
  ca_key_type: {{ .Values.caKeyType | quote }}
  ca_ttl: {{ .Values.caTTL | quote }}

+  {{- if .Values.agentTTL }}
+  agent_ttl: {{ .Values.agentTTL | quote }}
+  {{- end }}
  default_x509_svid_ttl: {{ .Values.defaultX509SvidTTL | quote }}
  default_jwt_svid_ttl: {{ .Values.defaultJwtSvidTTL | quote }}

@ -69,12 +69,24 @@ server:
      organization: [{{ include "spire-server.ca-subject-organization" . | quote }}]
      common_name: {{ include "spire-server.ca-subject-common-name" . | quote }}

-  {{- with .Values.federation }}
-  {{- if eq (.enabled | toString) "true" }}
+  {{- if eq (.Values.federation.enabled | toString) "true" }}
  federation:
    bundle_endpoint:
-      - {{ .bundleEndpoint | toYaml | nindent 8 }}
-  {{- end }}
+      address: {{ .Values.federation.bundleEndpoint.address | quote }}
+      port: {{ .Values.federation.bundleEndpoint.port }}
+      refresh_hint: {{ .Values.federation.bundleEndpoint.refreshHint | quote }}
+      profile:
+        {{- if .Values.federation.tls.spire.enabled }}
+        - https_spiffe: {}
+        {{ else }}
+        - https_web:
+            serving_cert_file:
+              file_sync_interval: {{ .Values.federation.bundleEndpoint.profile.httpWeb.fileSyncInterval }}
+              {{- if or .Values.federation.tls.certManager.enabled .Values.federation.tls.externalSecret.enabled }}
+              cert_file_path: /bundle-endpoint-tls/tls.crt
+              key_file_path: /bundle-endpoint-tls/tls.key
+              {{- end }}
+        {{- end }}
  {{- end }}

  {{- with .Values.experimental }}
@ -93,24 +105,51 @@ server:
  {{- end }}

 plugins:
-  {{- if .Values.credentialComposer.uniqueID.enabled }}
+  {{- if or .Values.credentialComposer.uniqueID.enabled .Values.credentialComposer.cel.enabled }}
  CredentialComposer:
+    {{- if or .Values.credentialComposer.uniqueID.enabled }}
    uniqueid: {}
+    {{- end }}
+    {{- with .Values.credentialComposer.cel }}
+    {{- if .enabled }}
+    cel:
+      plugin_cmd: "/cel/credentialcomposer-cel"
+      plugin_checksum: {{ .checksum }}
+      plugin_data:
+        jwt:
+          expression_string: {{ .jwt.expression | quote }}
+    {{- end }}
+    {{- end }}
  {{- end }}

  DataStore:
    sql:
      plugin_data:
-        {{ include "spire-server.datastore-config" . | nindent 10 }}
+        {{ include "spire-server.datastore-config" . | nindent 8 }}
+        {{- if ne .Values.dataStore.sql.rootCAPath "" }}
+        root_ca_path: {{ .Values.dataStore.sql.rootCAPath }}
+        {{- end }}
+        {{- if ne .Values.dataStore.sql.clientCertPath "" }}
+        client_cert_path: {{ .Values.dataStore.sql.clientCertPath }}
+        {{- end }}
+        {{- if ne .Values.dataStore.sql.clientKeyPath "" }}
+        client_key_path	: {{ .Values.dataStore.sql.clientKeyPath }}
+        {{- end }}
+        max_open_conns: {{ .Values.dataStore.sql.maxOpenConns }}
+        max_idle_conns: {{ .Values.dataStore.sql.maxIdleConns }}
+        {{- if ne (int .Values.dataStore.sql.connMaxLifetime) 0 }}
+        conn_max_lifetime: {{ .Values.dataStore.sql.connMaxLifetime }}
+        {{- end }}
+        disable_migration: {{ .Values.dataStore.sql.disableMigration }}

-  {{- if or .Values.nodeAttestor.k8sPsat.enabled .Values.nodeAttestor.externalK8sPsat.enabled .Values.nodeAttestor.joinToken.enabled .Values.nodeAttestor.httpChallenge.enabled .Values.nodeAttestor.tpmDirect.enabled }}
+  {{- if or .Values.nodeAttestor.k8sPSAT.enabled .Values.nodeAttestor.externalK8sPSAT.enabled .Values.nodeAttestor.joinToken.enabled .Values.nodeAttestor.httpChallenge.enabled .Values.nodeAttestor.tpmDirect.enabled .Values.nodeAttestor.awsIID.enabled }}
  NodeAttestor:
-  {{- $clusters := default .Values.kubeConfigs .Values.nodeAttestor.externalK8sPsat.clusters }}
-  {{- if or (eq (.Values.nodeAttestor.k8sPsat.enabled | toString) "true") (and (eq (.Values.nodeAttestor.externalK8sPsat.enabled | toString) "true") (gt (len $clusters) 0)) }}
+  {{- $clusters := default .Values.kubeConfigs .Values.nodeAttestor.externalK8sPSAT.clusters }}
+  {{- if or (eq (.Values.nodeAttestor.k8sPSAT.enabled | toString) "true") (and (eq (.Values.nodeAttestor.externalK8sPSAT.enabled | toString) "true") (gt (len $clusters) 0)) }}
    k8s_psat:
      plugin_data:
        clusters:
-          {{- with .Values.nodeAttestor.k8sPsat }}
+          {{- with .Values.nodeAttestor.k8sPSAT }}
          {{- if eq (.enabled | toString) "true" }}
        - {{ include "spire-lib.cluster-name" $root }}:
            service_account_allow_list: {{ include "spire-server.serviceAccountAllowedList" $root | trim }}
@ -121,12 +160,12 @@ plugins:
              {{ toYaml .allowedPodLabelKeys | nindent 14 }}
          {{- end }}
          {{- end }}
-          {{- if eq (.Values.nodeAttestor.externalK8sPsat.enabled | toString) "true" }}
-          {{- $clusterDefaults := .Values.nodeAttestor.externalK8sPsat.defaults }}
+          {{- if eq (.Values.nodeAttestor.externalK8sPSAT.enabled | toString) "true" }}
+          {{- $clusterDefaults := .Values.nodeAttestor.externalK8sPSAT.defaults }}
          {{- range $name, $_ := $clusters }}
          {{- $clusterSettings := dict }}
-          {{- if hasKey $root.Values.nodeAttestor.externalK8sPsat.clusters $name }}
-          {{- $clusterSettings = index $root.Values.nodeAttestor.externalK8sPsat.clusters $name }}
+          {{- if hasKey $root.Values.nodeAttestor.externalK8sPSAT.clusters $name }}
+          {{- $clusterSettings = index $root.Values.nodeAttestor.externalK8sPSAT.clusters $name }}
          {{- end }}
        - {{ $name }}:
            {{- if hasKey $clusterSettings "kubeConfigName" }}
@ -183,6 +222,15 @@ plugins:
        {{- end }}
  {{- end }}
  {{- end }}
+  {{- with .Values.nodeAttestor.awsIID }}
+  {{- if eq (.enabled | toString) "true" }}
+    aws_iid:
+      plugin_data:
+        {{- if ne .assumeRole "" }}
+        assume_role: {{ .assumeRole | quote }}
+        {{- end }}
+  {{- end }}
+  {{- end }}
  {{- end }}

  {{- with .Values.keyManager.disk }}
@ -233,13 +281,19 @@ plugins:
 {{- end }}

  {{- $externalK8sBundleClusters := default .Values.kubeConfigs .Values.notifier.externalK8sBundle.clusters }}
-  {{- if or .Values.notifier.k8sbundle.enabled (and .Values.notifier.externalK8sBundle.enabled (ne (len $externalK8sBundleClusters) 0)) }}
+  {{- if or .Values.notifier.k8sBundle.enabled (and .Values.notifier.externalK8sBundle.enabled (ne (len $externalK8sBundleClusters) 0)) }}
  Notifier:
    k8sbundle:
      plugin_data:
-        {{- if eq (.Values.notifier.k8sbundle.enabled | toString) "true" }}
-        namespace: {{ include "spire-server.bundle-namespace" . | quote }}
+        {{- if eq (.Values.notifier.k8sBundle.enabled | toString) "true" }}
+        namespace: {{ include "spire-server.bundle-namespace-notifier" . | quote }}
        config_map: {{ include "spire-lib.bundle-configmap" . | quote }}
+        {{- with .Values.notifier.k8sBundle.apiServiceLabel }}
+        api_service_label: {{ . | quote }}
+        {{- end }}
+        {{- with .Values.notifier.k8sBundle.webhookLabel }}
+        webhook_label: {{ . | quote }}
+        {{- end }}
        {{- end }}
        {{- if and (eq (.Values.notifier.externalK8sBundle.enabled | toString) "true") (ne (len $externalK8sBundleClusters) 0) }}
        clusters:
@ -262,8 +316,51 @@ plugins:
        {{- end }}
  {{- end }}

-  {{- if or .Values.bundlePublisher.awsRolesAnywhereTrustAnchor.enabled .Values.bundlePublisher.awsS3.enabled .Values.bundlePublisher.gcpCloudStorage.enabled }}
+  {{- $externalK8sConfigMapClusters := default .Values.kubeConfigs .Values.bundlePublisher.externalK8sConfigMap.clusters }}
+  {{- if or .Values.bundlePublisher.awsRolesAnywhereTrustAnchor.enabled .Values.bundlePublisher.awsS3.enabled .Values.bundlePublisher.gcpCloudStorage.enabled .Values.bundlePublisher.k8sConfigMap.enabled (and .Values.bundlePublisher.externalK8sConfigMap.enabled (ne (len $externalK8sConfigMapClusters) 0)) }}
  BundlePublisher:
+    {{- if or .Values.bundlePublisher.k8sConfigMap.enabled (and .Values.bundlePublisher.externalK8sConfigMap.enabled (ne (len $externalK8sConfigMapClusters) 0)) }}
+    k8s_configmap:
+      plugin_data:
+        clusters:
+          {{- $prefix := "-" }}
+          {{- if eq (.Values.bundlePublisher.k8sConfigMap.enabled | toString) "true" }}
+          {{ $prefix }} chart-internal:
+              format: {{ .Values.bundlePublisher.k8sConfigMap.format | quote }}
+              namespace: {{ include "spire-server.bundle-namespace-bundlepublisher" . | quote }}
+              configmap_name: {{ include "spire-lib.bundle-configmap" . | quote }}
+              configmap_key: {{ printf "bundle.%s" (include "spire-lib.trust-bundle-ext" (dict "trustBundleFormat" .Values.bundlePublisher.k8sConfigMap.format)) | quote }}
+          {{- $prefix := " " }}
+          {{- end }}
+          {{- if and (eq (.Values.bundlePublisher.externalK8sConfigMap.enabled | toString) "true") (ne (len $externalK8sConfigMapClusters) 0) }}
+          {{- $clusterDefaults := .Values.bundlePublisher.externalK8sConfigMap.defaults }}
+          {{- range $name, $_ := $externalK8sConfigMapClusters }}
+          {{ $prefix }} {{ $name | quote }}:
+              {{- $clusterSettings := dict }}
+              {{- if hasKey $root.Values.bundlePublisher.externalK8sConfigMap.clusters $name }}
+              {{- $clusterSettings = index $root.Values.bundlePublisher.externalK8sConfigMap.clusters $name }}
+              {{- end }}
+              {{- if hasKey $clusterSettings "kubeConfigName" }}
+              kubeconfig_path: /kubeconfigs/{{ $clusterSettings.kubeConfigName }}
+              {{- else }}
+              kubeconfig_path: /kubeconfigs/{{ $name }}
+              {{- end }}
+              {{- $format := $clusterDefaults.format }}
+              {{- if hasKey $clusterSettings "format" }}{{- $format = $clusterSettings.format }}{{- end }}
+              format: {{ $format | quote }}
+              namespace: {{ if hasKey $clusterSettings "namespace" }}{{ $clusterSettings.namespace }}{{ else }}{{ $clusterDefaults.namespace }}{{ end }}
+              configmap_name: {{ if hasKey $clusterSettings "configMapName" }}{{ $clusterSettings.configMapName }}{{ else }}{{ $clusterDefaults.configMapName }}{{ end }}
+              {{- if hasKey $clusterSettings "configMapKey" }}
+              configmap_key: {{ $clusterSettings.configMapKey | quote }}
+              {{- else if ne $clusterDefaults.configMapKey "" }}
+              configmap_key: {{ $clusterDefaults.configMapKey | quote }}
+              {{- else }}
+              configmap_key: {{ printf "bundle.%s" (include "spire-lib.trust-bundle-ext" (dict "trustBundleFormat" $format)) | quote }}
+              {{- end }}
+              {{- $prefix := " " }}
+          {{- end }}
+        {{- end }}
+    {{- end }}
    {{- if .Values.bundlePublisher.awsRolesAnywhereTrustAnchor.enabled }}
    aws_rolesanywhere_trustanchor:
      plugin_data:
@ -273,6 +370,7 @@ plugins:
    {{- if .Values.bundlePublisher.awsS3.enabled }}
    aws_s3:
      plugin_data:
+        endpoint: {{ .Values.bundlePublisher.awsS3.endpoint | quote }}
        region: {{ .Values.bundlePublisher.awsS3.region | quote }}
        bucket: {{ .Values.bundlePublisher.awsS3.bucket | quote }}
        object_key: {{ .Values.bundlePublisher.awsS3.objectKey | quote }}
@ -283,7 +381,7 @@ plugins:
      plugin_data:
        bucket_name: {{ .Values.bundlePublisher.gcpCloudStorage.bucketName | quote }}
        object_name: {{ .Values.bundlePublisher.gcpCloudStorage.objectName | quote }}
-        format: {{ .Values.bundlePublisher.awsS3.format | quote }}
+        format: {{ .Values.bundlePublisher.gcpCloudStorage.format | quote }}
    {{- end }}
  {{- end }}

@ -307,12 +405,12 @@ plugins:
  UpstreamAuthority:
    cert-manager:
      plugin_data:
-        issuer_name: {{ default (printf "%s-ca" (include "spire-server.fullname" $root)) .issuer_name }}
-        issuer_kind: {{ .issuer_kind | quote }}
-        issuer_group: {{ .issuer_group | quote }}
-        namespace: {{ default $root.Release.Namespace .namespace | quote }}
-        {{- if ne .kube_config_file "" }}
-        kube_config_file: {{ .kube_config_file | quote }}
+        issuer_name: {{ default (printf "%s-ca" (include "spire-server.fullname" $root)) .issuerName }}
+        issuer_kind: {{ .issuerKind | quote }}
+        issuer_group: {{ .issuerGroup | quote }}
+        namespace: {{ default (include "spire-server.namespace" $) .namespace | quote }}
+        {{- if ne .kubeConfigFile "" }}
+        kube_config_file: {{ .kubeConfigFile | quote }}
        {{- end }}
  {{- end }}
  {{- end }}
@ -401,6 +499,13 @@ telemetry:
      - host: "0.0.0.0"
        port: 9988
 {{- end }}
+
+{{- if .Values.telemetry.datadog.enabled }}
+telemetry:
+  - DogStatsd:
+      - address: "{{ .Values.telemetry.datadog.address }}:{{ .Values.telemetry.datadog.port }}"
+{{- end }}
+
 {{- end }}
 {{- if not .Values.externalServer }}
 apiVersion: v1
--- a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
@ -17,6 +17,21 @@ matchLabels:
  release: {{ .Release.Name }}
  release-namespace: {{ .Release.Namespace }}
  component: oidc-discovery-provider
+{{-   else if eq .type "spike-keeper" }}
+matchLabels:
+  release: {{ .Release.Name }}
+  release-namespace: {{ .Release.Namespace }}
+  component: spike-keeper
+{{-   else if eq .type "spike-nexus" }}
+matchLabels:
+  release: {{ .Release.Name }}
+  release-namespace: {{ .Release.Namespace }}
+  component: spike-nexus
+{{-   else if eq .type "spike-pilot" }}
+matchLabels:
+  release: {{ .Release.Name }}
+  release-namespace: {{ .Release.Namespace }}
+  component: spike-pilot
 {{-   else if eq .type "test-keys" }}
 matchLabels:
  release: {{ .Release.Name }}
@ -26,19 +41,20 @@ matchLabels:
 {}
 {{-   end }}
 {{- end }}
+{{- if eq .Values.controllerManager.staticManifestMode "off" }}
 {{- $root := . }}
 {{  $namespaces := list .Release.Namespace .Values.namespaceOverride (dig "spire" "namespaces" "server" "name" "" .Values.global) (dig "spire" "namespaces" "system" "name" "" .Values.global) | compact | uniq }}
 {{- range $key, $value := .Values.controllerManager.identities.clusterSPIFFEIDs }}
 {{-   range $skey, $svalue := $value }}
-{{-     if not (has $skey (list "name" "annotations" "labels" "enabled" "type" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames")) }}
+{{-     if not (has $skey (list "name" "annotations" "labels" "enabled" "type" "admin" "dnsNameTemplates" "downstream" "federatesWith" "jwtTTL" "namespaceSelector" "podSelector" "spiffeIDTemplate" "ttl" "workloadSelectorTemplates" "autoPopulateDNSNames" "fallback" "hint")) }}
 {{-       fail (printf "Unsupported property specified: %s" $skey) }}
 {{-     end }}
 {{-   end }}
 {{-   if eq ($root.Values.controllerManager.enabled | toString) "true" }}
 {{-     if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
 {{-       $type := dig "type" "base" $value }}
-{{-       if not (has $type (list "base" "raw" "child-servers" "oidc-discovery-provider" "test-keys")) }}
-{{-         fail (printf "Type given: %s, must be one of [base, raw, child-servers, oidc-discovery-provider, test-keys]" $type) }}
+{{-       if not (has $type (list "base" "raw" "child-servers" "oidc-discovery-provider" "spike-keeper" "spike-nexus" "spike-pilot" "test-keys")) }}
+{{-         fail (printf "Type given: %s, must be one of [base, raw, child-servers, oidc-discovery-provider, spike-keeper, spike-nexus, spike-pilot, test-keys]" $type) }}
 {{-       end }}
 {{-       $namespaceSelector := deepCopy (dig "namespaceSelector" (dict) $value) }}
 {{-       if ne $type "raw" }}
@ -63,6 +79,13 @@ metadata:
  {{- end }}
 spec:
  className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
+  {{- if hasKey $value "hint"  }}
+  {{-   if ne $value.hint  "" }}
+  hint: {{ $value.hint }}
+  {{-   end }}
+  {{- else }}
+  hint: {{ $key }}
+  {{- end }}
  {{- if and (hasKey $value "spiffeIDTemplate") (ne (len $value.spiffeIDTemplate) 0) }}
  spiffeIDTemplate: {{ $value.spiffeIDTemplate | quote }}
  {{- else }}
@ -103,6 +126,10 @@ spec:
  {{- with $value.autoPopulateDNSNames }}
  autoPopulateDNSNames: {{ . }}
  {{- end }}
+  {{- with $value.fallback }}
+  fallback: {{ . }}
+  {{- end }}
 {{-     end }}
 {{-   end }}
 {{- end }}
+{{- end }}
--- a/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-configmap.yaml
@ -47,10 +47,12 @@ metrics:
  bindAddress: 0.0.0.0:{{ $promPort }}
 health:
  healthProbeBindAddress: 0.0.0.0:{{ $healthPort }}
+{{- if eq .Values.controllerManager.staticManifestMode "off" }}
 leaderElection:
  leaderElect: true
  resourceName: {{ printf "%s-%s%s" .Release.Namespace (default .Release.Name .Values.crNameOverride) .suffix | sha256sum | trunc 8 }}.spiffe.io
  resourceNamespace: {{ include "spire-server.namespace" . }}
+{{- end }}
 {{- with .settings.cacheNamespaces }}
 cacheNamespaces:
  {{- toYaml . | nindent 2 }}
@ -85,7 +87,12 @@ parentIDTemplate: {{ if hasKey .settings "parentIDTemplate" }}{{ .settings.paren
 {{-   $reconcile = .settings.reconcile }}
 {{- end }}
 reconcile:
+  {{- if eq .Values.controllerManager.staticManifestMode "off" }}
  clusterSPIFFEIDs: {{ if hasKey $reconcile "clusterSPIFFEIDs" }}{{ toYaml $reconcile.clusterSPIFFEIDs }}{{ else }}{{ toYaml .defaults.reconcile.clusterSPIFFEIDs }}{{ end }}
+  {{- end }}
  clusterStaticEntries: {{ if hasKey $reconcile "clusterStaticEntries" }}{{ toYaml $reconcile.clusterStaticEntries }}{{ else }}{{ toYaml .defaults.reconcile.clusterStaticEntries }}{{ end }}
  clusterFederatedTrustDomains: {{ if hasKey $reconcile "clusterFederatedTrustDomains" }}{{ toYaml $reconcile.clusterFederatedTrustDomains }}{{ else }}{{ toYaml .defaults.reconcile.clusterFederatedTrustDomains }}{{ end }}
+{{- if ne .Values.controllerManager.staticManifestMode "off" }}
+staticManifestPath: /manifests
+{{- end }}
 {{- end }}
--- a/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-ftd.yaml
@ -1,5 +1,7 @@
-{{- $root := . }}
-{{- range $key, $value := .Values.controllerManager.identities.clusterFederatedTrustDomains }}
+{{- define "spire-server.cluster-federated-trust-domains" -}}
+{{- $root := .root }}
+{{- $useShortName := .useShortName }}
+{{- range $key, $value := $root.Values.controllerManager.identities.clusterFederatedTrustDomains }}
 {{-   range $skey, $svalue := $value }}
 {{-     if not (has $skey (list "name" "annotations" "labels" "enabled" "bundleEndpointProfile" "bundleEndpointURL" "trustDomain" "trustDomainBundle")) }}
 {{-       fail (printf "Unsupported property specified: %s" $skey) }}
@ -12,34 +14,45 @@
 {{-   end }}
 {{-   if eq ($root.Values.controllerManager.enabled | toString) "true" }}
 {{-     if or (not (hasKey $value "enabled")) (eq ($value.enabled | toString) "true") }}
---
-apiVersion: spire.spiffe.io/v1alpha1
-kind: ClusterFederatedTrustDomain
-metadata:
-  name: {{ $root.Release.Namespace }}-{{ default $root.Release.Name $root.Values.crNameOverride }}-{{ $key }}
-  {{- with $value.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  {{- with $value.labels }}
-  labels:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
-  {{- with $value.bundleEndpointProfile }}
-  bundleEndpointProfile:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  {{- with $value.bundleEndpointURL }}
-  bundleEndpointURL: {{ . | quote }}
-  {{- end }}
-  {{- with $value.trustDomain }}
-  trustDomain: {{ . | quote }}
-  {{- end }}
-  {{- with $value.trustDomainBundle }}
-  trustDomainBundle: {{ . | quote }}
-  {{- end }}
+- apiVersion: spire.spiffe.io/v1alpha1
+  kind: ClusterFederatedTrustDomain
+  metadata:
+    {{- if $useShortName }}
+    name: {{ $key }}
+    {{- else }}
+    name: {{ $root.Release.Namespace }}-{{ default $root.Release.Name $root.Values.crNameOverride }}-{{ $key }}
+    {{- end }}
+    {{- with $value.annotations }}
+    annotations:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with $value.labels }}
+    labels:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  spec:
+    className: {{ include "spire-server.controller-manager-class-name" $root | quote }}
+    {{- with $value.bundleEndpointProfile }}
+    bundleEndpointProfile:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with $value.bundleEndpointURL }}
+    bundleEndpointURL: {{ . | quote }}
+    {{- end }}
+    {{- with $value.trustDomain }}
+    trustDomain: {{ . | quote }}
+    {{- end }}
+    {{- with $value.trustDomainBundle }}
+    trustDomainBundle: {{ . | quote }}
+    {{- end }}
 {{-     end }}
 {{-   end }}
 {{- end }}
+{{- end }}
+{{- if eq .Values.controllerManager.staticManifestMode "off" }}
+{{-   $t := include "spire-server.cluster-federated-trust-domains" (dict "root" . "useShortName" false) | fromYamlArray }}
+{{-   range $_, $v := $t }}
+---
+{{- $v | toYaml }}
+{{-   end }}
+{{- end }}
--- a/charts/spire/charts/spire-server/templates/controller-manager-roles.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-roles.yaml
@ -1,4 +1,4 @@
-{{- if eq (.Values.controllerManager.enabled | toString) "true" }}
+{{- if and (eq (.Values.controllerManager.enabled | toString) "true") (eq .Values.controllerManager.staticManifestMode "off") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
--- a/charts/spire/charts/spire-server/templates/controller-manager-service.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-service.yaml
@ -1,4 +1,5 @@
 {{- if not .Values.externalServer }}
+{{- if eq .Values.controllerManager.staticManifestMode "off" }}
 {{- if eq (.Values.controllerManager.enabled | toString) "true" }}
 apiVersion: v1
 kind: Service
@ -22,3 +23,4 @@ spec:
    {{- include "spire-server.selectorLabels" . | nindent 4 }}
 {{- end }}
 {{- end }}
+{{- end }}
--- a/Show More
+++ b/Show More