Bump github.com/spiffe/spire-api-sdk from 1.12.0 to 1.12.4 (#540 )

Bumps [github.com/spiffe/spire-api-sdk](https://github.com/spiffe/spire-api-sdk) from 1.12.0 to 1.12.4. - [Commits](https://github.com/spiffe/spire-api-sdk/compare/v1.12.0...v1.12.4) --- updated-dependencies: - dependency-name: github.com/spiffe/spire-api-sdk dependency-version: 1.12.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Enable configuring log encoder (#539 )
2025-07-02 09:29:26 -07:00 · 2025-06-27 09:33:44 -03:00 · 2025-06-05 09:23:53 -07:00 · 2025-06-05 08:43:28 -07:00 · 2025-05-26 12:39:10 -07:00 · 2025-05-26 08:41:49 -07:00
125 changed files with 6763 additions and 2450 deletions
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@ -0,0 +1,20 @@
 version: 2
 updates:
  - package-ecosystem: gomod
    directory: /
    schedule:
      interval: daily
    open-pull-requests-limit: 5
    groups:
      k8s.io:
        patterns:
          - "k8s.io/*"
  - package-ecosystem: gomod
    directory: /demo/greeter
    schedule:
      interval: daily
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: daily
    open-pull-requests-limit: 5
--- a/.github/workflows/nightly_build.yaml
+++ b/.github/workflows/nightly_build.yaml
@ -4,20 +4,33 @@ on:
    # Random minute number to avoid GH scheduler stampede
    - cron: '37 21 * * *'
  workflow_dispatch: {}
 jobs:
  build-and-publish-images:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    permissions:
      contents: read
      id-token: write
      packages: write
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
      - name: Setup go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
        with:
-          go-version: 1.17
+          go-version-file: 'go.mod'
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Install regctl
        uses: regclient/actions/regctl-installer@main
      - name: Build image
        run: make docker-build
      - name: Log in to GHCR
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
--- a/.github/workflows/pr_build.yaml
+++ b/.github/workflows/pr_build.yaml
@ -2,45 +2,96 @@ name: PR Build
 on:
  pull_request: {}
  workflow_dispatch: {}
 jobs:
-  build-image:
+  lint:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
      - name: Setup go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
        with:
-          go-version: 1.17
+          go-version-file: 'go.mod'
      - name: Lint
        run: make lint
  unit-test:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
      - name: Run unit tests
        run: make test
  build-image:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build image
        run: make docker-build
-      - name: Export image
+      - name: Export images
-        run: docker save ghcr.io/spiffe/spire-controller-manager:devel | gzip > image.tar.gz
+        run: tar -czvf images.tar.gz *-image.tar
      - name: Archive image
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4.6.2
        with:
-          name: image
+          name: images
-          path: image.tar.gz
+          path: images.tar.gz
  test-image:
-    needs: [build-image]
+    runs-on: ubuntu-22.04
-    runs-on: ubuntu-latest
+
    needs: [unit-test, build-image]
    permissions:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
      - name: Install regctl
        uses: regclient/actions/regctl-installer@main
      - name: Download archived image
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4.3.0
        with:
-          name: image
+          name: images
          path: .
-      - name: Load archived image
+      - name: Load archived images
-        run: zcat image.tar.gz | docker load
+        run: |
          tar xvf images.tar.gz
          make load-images
      - name: Test image
        run: |
          docker tag ghcr.io/spiffe/spire-controller-manager:devel ghcr.io/spiffe/spire-controller-manager:nightly
          (cd demo; ./test.sh)
  success:
-    needs: [build-image, test-image]
+    runs-on: ubuntu-22.04
-    runs-on: ubuntu-latest
+
    needs: [lint, unit-test, build-image, test-image]
    steps:
      - name: Shout it out
        run: echo SUCCESS
--- a/.github/workflows/release_build.yaml
+++ b/.github/workflows/release_build.yaml
@ -5,65 +5,89 @@ on:
      - 'v[0-9].[0-9]+.[0-9]+'
 jobs:
  build-image:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    permissions:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
      - name: Setup go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
        with:
-          go-version: 1.17
+          go-version-file: 'go.mod'
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build image
        run: make docker-build
      - name: Export image
-        run: docker save ghcr.io/spiffe/spire-controller-manager:devel | gzip > image.tar.gz
+        run: tar -czvf images.tar.gz *-image.tar
      - name: Archive image
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4.6.2
        with:
-          name: image
+          name: images
-          path: image.tar.gz
+          path: images.tar.gz
  test-image:
    runs-on: ubuntu-22.04
    needs: [build-image]
-    runs-on: ubuntu-latest
+
    permissions:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
      - name: Install regctl
        uses: regclient/actions/regctl-installer@main
      - name: Download archived image
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4.3.0
        with:
-          name: image
+          name: images
          path: .
      - name: Load archived image
-        run: zcat image.tar.gz | docker load
+        run: |
          tar xvf images.tar.gz
          make load-images
      - name: Test image
        run: |
-          docker tag ghcr.io/spiffe/spire-controller-manager:devel ghcr.io/spiffe/spire-controller-manager:nightly
+          docker tag "ghcr.io/${{ github.repository_owner }}/spire-controller-manager:devel" ghcr.io/spiffe/spire-controller-manager:devel
          (cd demo; ./test.sh)
  publish-image-and-release:
    runs-on: ubuntu-22.04
    needs: [test-image]
-    runs-on: ubuntu-latest
+
    permissions:
      contents: write
      id-token: write
      packages: write
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
-      - name: Setup go
+      - name: Install regctl
-        uses: actions/setup-go@v2
+        uses: regclient/actions/regctl-installer@main
        with:
          go-version: 1.17
      - name: Download archived image
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4.3.0
        with:
-          name: image
+          name: images
          path: .
      - name: Load archived image
        run: zcat image.tar.gz | docker load
      - name: Log in to GHCR
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Push image
-        run: ./.github/workflows/scripts/push-images.sh "${GITHUB_REF#refs/tags/v}"
+        run: |
          tar xvf images.tar.gz
          ./.github/workflows/scripts/push-images.sh "${GITHUB_REF}"
      - name: Create Release
        env:
          # GH_REPO is required for older releases of `gh`. Until we're
--- a/.github/workflows/scripts/load-oci-archives.sh
+++ b/.github/workflows/scripts/load-oci-archives.sh
@ -0,0 +1,68 @@
 #!/usr/bin/env bash
 # shellcheck shell=bash
 ##
 ## USAGE: __PROG__
 ##
 ## "__PROG__" loads oci tarballs created with xbuild into docker.
 ##
 ## Usage example(s):
 ##   ./__PROG__
 ##   PLATFORM=linux/arm64 ./__PROG__
 ##
 ## Commands
 ## - ./__PROG__   loads the oci tarball into Docker.
 function usage {
  grep '^##' "$0" | sed -e 's/^##//' -e "s/__PROG__/$me/" >&2
 }
 function normalize_path {
    # Remove all /./ sequences.
    local path=${1//\/.\//\/}
    local npath
    # Remove first dir/.. sequence.
    npath="${path//[^\/][^\/]*\/\.\.\//}"
    # Remove remaining dir/.. sequence.
    while [[ $npath != "$path" ]] ; do
        path=$npath
        npath="${path//[^\/][^\/]*\/\.\.\//}"
    done
    echo "$path"
 }
 me=$(basename "$0")
 BASEDIR=$(dirname "$0")
 ROOTDIR="$(normalize_path "$BASEDIR/../../../")"
 command -v regctl >/dev/null 2>&1 || { usage; echo -e "\n * The regctl cli is required to run this script." >&2 ; exit 1; }
 command -v docker >/dev/null 2>&1 || { usage; echo -e "\n * The docker cli is required to run this script." >&2 ; exit 1; }
 # Takes the current platform architecture or plaftorm as defined externally in a platform variable.
 # e.g.:
 # linux/amd64
 # linux/arm64
 PLATFORM="${PLATFORM:-local}"
 OCI_IMAGES=(
    spire-controller-manager
 )
 org_name=$(echo "$GITHUB_REPOSITORY" | tr '/' "\n" | head -1 | tr -d "\n")
 org_name="${org_name:-spiffe}" # default to spiffe in case ran on local
 registry=ghcr.io/${org_name}
 echo "Importing ${OCI_IMAGES[*]} into docker".
 for img in "${OCI_IMAGES[@]}"; do
    oci_dir="ocidir://${ROOTDIR}oci/${img}"
    platform_tar="${img}-${PLATFORM}-image.tar"
    image_to_load="${registry}/${img}:devel"
    # regclient works with directories rather than tars, so import the OCI tar to a directory
    regctl image import "$oci_dir" "${img}-image.tar"
    dig="$(regctl image digest --platform "$PLATFORM" "$oci_dir")"
    # export the single platform image using the digest
    regctl image export "$oci_dir@${dig}" "${platform_tar}"
    docker load < "${platform_tar}"
    docker image tag "localhost/oci/${img}:latest" "${image_to_load}"
    docker image rm "localhost/oci/${img}:latest"
 done
--- a/.github/workflows/scripts/push-images.sh
+++ b/.github/workflows/scripts/push-images.sh
@ -1,20 +1,62 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # shellcheck shell=bash
 ##
 ## USAGE: __PROG__
 ##
 ## "__PROG__" publishes images to a registry.
 ##
 ## Usage example(s):
 ##   ./__PROG__ 1.5.2
 ##   ./__PROG__ v1.5.2
 ##   ./__PROG__ refs/tags/v1.5.2
 ##
 ## Commands
 ## - ./__PROG__ <version>    pushes images to the registry using given version.
 set -e
-IMAGETAG="$1"
+function usage {
-if [ -z "$IMAGETAG" ]; then
+  grep '^##' "$0" | sed -e 's/^##//' -e "s/__PROG__/$me/" >&2
-    echo "IMAGETAG not provided!" 1>&2
+}
-    echo "Usage: push-image.sh IMAGETAG" 1>&2
+
 function normalize_path {
  # Remove all /./ sequences.
  local path=${1//\/.\//\/}
  local npath
  # Remove first dir/.. sequence.
  npath="${path//[^\/][^\/]*\/\.\.\//}"
  # Remove remaining dir/.. sequence.
  while [[ $npath != "$path" ]] ; do
    path=$npath
    npath="${path//[^\/][^\/]*\/\.\.\//}"
  done
  echo "$path"
 }
 me=$(basename "$0")
 BASEDIR=$(dirname "$0")
 ROOTDIR="$(normalize_path "$BASEDIR/../../../")"
 version="$1"
 # remove the git tag prefix
 # Push the images using the version tag (without the "v" prefix).
 # Also strips the refs/tags part if the GITHUB_REF variable is used.
 version="${version#refs/tags/v}"
 version="${version#v}"
 if [ -z "${version}" ]; then
    usage
    echo "version not provided!" 1>&2
    exit 1
 fi
-echo "Pushing image tagged as $IMAGETAG..."
+image=spire-controller-manager
 org_name=$(echo "$GITHUB_REPOSITORY" | tr '/' "\n" | head -1 | tr -d "\n")
 org_name="${org_name:-spiffe}" # default to spiffe in case ran outside of GitHub actions
 registry=ghcr.io/${org_name}
 image_to_push="${registry}/${image}:${version}"
 oci_dir="ocidir://${ROOTDIR}oci/${image}"
-LOCALIMG=ghcr.io/spiffe/spire-controller-manager:devel
+echo "Pushing ${image_to_push}."
-REMOTEIMG=ghcr.io/spiffe/spire-controller-manager:"${IMAGETAG}"
+regctl image import "${oci_dir}" "${image}-image.tar"
-
+regctl image copy "${oci_dir}" "${image_to_push}"
 echo "Executing: docker tag $LOCALIMG $REMOTEIMG"
 docker tag "$LOCALIMG" "$REMOTEIMG"
 echo "Executing: docker push $REMOTEIMG"
 docker push "$REMOTEIMG"
--- a/.gitignore
+++ b/.gitignore
@ -24,3 +24,11 @@ testbin/*
 *.swp
 *.swo
 *~
 # oci image builds
 oci/
 *-image.tar
 # Ignore go workspaces files
 go.work
 go.work.sum
--- a/.go-version
+++ b/.go-version
@ -0,0 +1 @@
 1.23.4
--- a/.golangci.yml
+++ b/.golangci.yml
@ -0,0 +1,33 @@
 run:
  # timeout for analysis, e.g. 30s, 5m, default is 1m
  timeout: 12m
 linters:
  enable:
    - bodyclose
    - durationcheck
    - errorlint
    - gofmt
    - goimports
    - revive
    - gosec
    - misspell
    - nakedret
    - nilerr
    - unconvert
    - unparam
    - intrange
    - whitespace
    - gocritic
    - wastedassign
    - nolintlint
 linters-settings:
  govet:
    enable:
      - nilness
      - sortslice
      - unusedwrite
  revive:
    # minimal confidence for issues, default is 0.8
    min-confidence: 0.0
--- a/.kubebuilder-hist
+++ b/.kubebuilder-hist
@ -4,3 +4,11 @@ v3.2.0: .scripts/kubebuilder create api --resource --controller --group spire --
 v3.2.0: .scripts/kubebuilder create api --group spire --version v1alpha1 --kind ControllerManagerConfig --resource --controller=false --make=false
 v3.2.0: .scripts/kubebuilder create webhook --programmatic-validation --kind ClusterFederatedTrustDomain --version v1alpha1 --group spire
 v3.2.0: .scripts/kubebuilder create webhook --programmatic-validation --kind ClusterSPIFFEID --version v1alpha1 --group spire
 v3.3.0: .scripts/kubebuilder create api --resource --controller --group spire --version v1alpha1 --namespaced=false --kind ClusterStaticEntry
 v3.12.0: ./.scripts/kubebuilder init --domain spiffe.io --owner SPIRE\ Authors --project-name spire-controller-manager --skip-go-version-check --plugins=go/v4
 v3.12.0: .scripts/kubebuilder create api --resource --controller --group spire --version v1alpha1 --namespaced=false --kind ClusterSPIFFEID
 v3.12.0: .scripts/kubebuilder create api --resource --controller --group spire --version v1alpha1 --namespaced=false --kind ClusterFederatedTrustDomain
 v3.12.0: .scripts/kubebuilder create api --group spire --version v1alpha1 --kind ControllerManagerConfig --resource --controller=false --make=false
 v3.12.0: .scripts/kubebuilder create api --resource --controller --group spire --version v1alpha1 --namespaced=false --kind ClusterStaticEntry
 v3.12.0: .scripts/kubebuilder create webhook --programmatic-validation --kind ClusterFederatedTrustDomain --version v1alpha1 --group spire
 v3.12.0: .scripts/kubebuilder create webhook --programmatic-validation --kind ClusterSPIFFEID --version v1alpha1 --group spire
--- a/.scripts/common
+++ b/.scripts/common
@ -32,7 +32,7 @@ case "${ARCH1}" in
 x86_64)
    ARCH2=amd64
    ;;
-aarch64)
+aarch64|arm64)
    ARCH2=arm64
    ;;
 *)
--- a/.scripts/kubebuilder
+++ b/.scripts/kubebuilder
@ -8,7 +8,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 KUBEBUILDERHIST="${DIR}"/../.kubebuilder-hist
-KUBEBUILDERVER="v3.3.0"
+KUBEBUILDERVER="v3.12.0"
 KUBEBUILDERBASE="${BUILDDIR}/kubebuilder"
 KUBEBUILDERDIR="${KUBEBUILDERBASE}/${KUBEBUILDERVER}"
 KUBEBUILDERBIN="${KUBEBUILDERDIR}/kubebuilder"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,171 @@
 # Changelog
 ## [0.6.2] - 2025-04-17
 ### Added
 - Support `staticManifestPath`: watch a directory for CRs instead of using Kubernetes API (#411)
 ## [0.6.1] - 2025-02-14
 ### Added
 - Support for configuring the log level (#388, #464)
 - New metrics to track `ClusterStaticEntry` failures (#387)
 ### Fixed
 - Failed controller upgrade when webhook certificate is expired (#450)
 ### Updated
 - Minor documentation changes (#435, #443)
 - Version used in migration guide (#465)
 ## [0.6.0] - 2024-10-03
 <font size='7'>:rotating_light: ***PLEASE READ BEFORE UPGRADING*** :rotating_light:</font>
 This version contains changes in the `ClusterSPIFFEID` CRD. Before upgrading you __MUST__ do the following:
 - Update the CRD in your cluster (see [here](./config/crd/bases/spire.spiffe.io_clusterspiffeids.yaml)).
 ### Added
 - Hint field to the ClusterSPIFFEID CRD that controls the hint on resulting entries (#416)
 - Fallback field to the ClusterSPIFFEID CRD which causes the CR to only apply if no other non-fallback CRs have been applied to a given pod (#415)
 - Missing documentation for the className on the ClusterFederatedTrustDomain CRD (#413)
 ## [0.5.0] - 2024-04-10
 <font size='7'>:rotating_light: ***PLEASE READ BEFORE UPGRADING*** :rotating_light:</font>
 This version contains changes in the `ClusterStaticEntry` CRD. Before upgrading you __MUST__ do the following:
 - Update the CRD in your cluster (see [here](.config/crd/bases/spire.spiffe.io_clusterstaticentries.yaml)).
 ### Added
 - Support for `storeSVID` on ClusterStaticEntry (#304)
 - Support for more than one spire-controller-manager managing entries against a single SPIRE server cluster via entry prefixes (#325)
 ## [0.4.4] - 2024-04-05
 ### Security
 - Updated Golang to 1.21.9 to address CVE-2023-45288 (#338)
 ## [0.4.3] - 2024-02-22
 ### Added
 - Ability to selectively choose which CRDs to reconcile (#297)
 ### Changed
 - Join token novelty entries are ignored during entry reconciliation (#306)
 ## [0.4.2] - 2024-01-24
 ### Added
 - Process-wide support for customizing the parent ID template for workload registration (#289)
 ### Fixed
 - Failed controller startup when webhook was disabled via ENABLE_WEBHOOKS=false (#294)
 ## [0.4.1] - 2024-01-17
 ### Added
 - Support for caching multiple namespaces instead of one or all (#271,#286)
 - Support for expanding environment variables in the controller configuration (#256)
 - Support for disabling webhooks by setting the environment variable ENABLE_WEBHOOKS=false (#234)
 ## [0.4.0] - 2023-11-02
 <font size='7'>:rotating_light: ***PLEASE READ BEFORE UPGRADING*** :rotating_light:</font>
 This version contains changes in the `ClusterSPIFFEID` CRD, `ClusterFederatedTrustDomain` CRD and `ClusterStaticEntry` CRD. Before upgrading you __MUST__ do the following, in order:
 - Update those CRDs into your cluster (see [here](./config/crd/bases/spire.spiffe.io_clusterspiffeids.yaml), [here](./config/crd/bases/spire.spiffe.io_clusterfederatedtrustdomains.yaml) and [here](.config/crd/bases/spire.spiffe.io_clusterstaticentries.yaml)).
 - Update the `manager-role` ClusterRole, which includes additional permissions for `endpoints` CRD (see [here](./config/rbac/role.yaml))
 ### Security
 - Updated to google.golang.org/grpc v1.59.0 to address CVE-2023-44487 (#231)
 ### Added
 - ClusterSPIFFEID CRD support for DNS name auto-population (#122)
 - Support for multiple SPIRE clusters running in the same K8S cluster using ClassName's (#230)
 ### Fixed
 - Missing status subresource definitions (#223)
 ## [0.3.0] - 2023-09-14
 <font size='7'>:rotating_light: ***PLEASE READ BEFORE UPGRADING*** :rotating_light:</font>
 This version contains changes in the `ClusterSPIFFEID` CRD. It also adds a new `ClusterStaticEntry` CRD. Before upgrading you __MUST__ do the following, in order:
 - Update/install those CRDs into your cluster (see [here](./config/crd/bases/spire.spiffe.io_clusterstaticentries.yaml) and [here](./config/crd/bases/spire.spiffe.io_clusterspiffeids.yaml)).
 - Update the `manager-role` ClusterRole, which includes additional permissions for the new `ClusterStaticEntry` CRD (see [here](./config/rbac/role.yaml))
 ### Added
 - ClusterStaticEntry CRD for registering workloads that live outside the cluster (#149)
 - ClusterSPIFFEID CRD can configure JWT-SVID TTL (#189)
 - The namespaces to ignore can now be defined using a regex (#170)
 ### Updated
 - Minor documentation changes (#213)
 ### Changed
 - Use distroless static image as base (#198)
 ## [0.2.3] - 2023-06-20
 ### Added
 - Auto-detection for the cluster domain name (#90)
 ### Updated
 - Examples to use the downward API to locate the kubelet for Kubernetes workload attestation (#160)
 - Migrated to the latest controller runtime (#151)
 ### Security
 - Enforce TLS1.2 as a minimum version on the webhook server (#128)
 ## [0.2.2] - 2023-02-28
 ### Added
 - Multiarch docker images supporting both amd64 and arm64 (#51)
 - Support for registration for downstream workloads (#44)
 - Migration guide for migrating from the k8s-workload-registrer (#40)
 ### Fixed
 - Status subresource yaml in demo preventing status from being updated (#38)
 ### Changed
 - Waits for 5 seconds for the SPIRE Server socket to become available (#80)
 - Generated DNS Names are deduplicated before registration (#85)
 ## [0.2.1] - 2022-07-11
 ### Fixed
 - Bug causing entries to be recreated on every reconciliation (#32)
 ## [0.2.0] - 2022-06-01
 ### Added
--- a/2
+++ b/2
@ -1 +1 @@
-* @azdagron @MarcosDY
+* @azdagron @MarcosDY @kfox1111
--- a/40
+++ b/40
@ -1,29 +1,43 @@
-# Build the manager binary
+ARG goversion
 FROM golang:1.17 as builder
 # Build the manager binary
 FROM --platform=${BUILDPLATFORM} golang:${goversion}-alpine AS base
 WORKDIR /workspace
 # Copy the Go Modules manifests
-COPY go.mod go.mod
+COPY go.* ./
-COPY go.sum go.sum
+# Cache deps before building and copying source so that we don't need to re-download as much
 # cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
-RUN go mod download
+RUN --mount=type=cache,target=/go/pkg/mod go mod download
 # Copy the go source
-COPY main.go main.go
+COPY cmd/main.go cmd/main.go
 COPY api/ api/
-COPY controllers/ controllers/
+COPY internal/ internal/
 COPY pkg/ pkg/
 # xx is a helper for cross-compilation
 # when bumping to a new version analyze the new version for security issues
 # then use crane to lookup the digest of that version so we are immutable
 # crane digest tonistiigi/xx:1.3.0
 FROM --platform=${BUILDPLATFORM} tonistiigi/xx@sha256:904fe94f236d36d65aeb5a2462f88f2c537b8360475f6342e7599194f291fb7e AS xx
 # Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go
+FROM --platform=${BUILDPLATFORM} base AS builder
 ARG TARGETPLATFORM
 ARG TARGETARCH
 ENV CGO_ENABLED=0
 COPY --link --from=xx / /
 RUN xx-go --wrap
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    go build -o bin/spire-controller-manager cmd/main.go
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 #FROM gcr.io/distroless/static:nonroot
-FROM gcr.io/distroless/base
+FROM gcr.io/distroless/static AS spire-controller-manager
 WORKDIR /
-COPY --from=builder /workspace/manager .
+ENTRYPOINT ["/spire-controller-manager"]
 CMD []
 COPY --link --from=builder /workspace/bin/spire-controller-manager /spire-controller-manager
 #USER 65532:65532
 ENTRYPOINT ["/manager"]
--- a/181
+++ b/181
@ -1,8 +1,11 @@
 BINARIES := spire-controller-manager
 PLATFORMS ?= linux/amd64,linux/arm64
 DIR := ${CURDIR}
 # Image URL to use all building/pushing image targets
 IMG ?= ghcr.io/spiffe/spire-controller-manager:devel
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
-ENVTEST_K8S_VERSION = 1.23
+ENVTEST_K8S_VERSION = 1.28.0
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@ -11,6 +14,12 @@ else
 GOBIN=$(shell go env GOBIN)
 endif
 # CONTAINER_TOOL defines the container tool to be used for building images.
 # Be aware that the target commands are only tested with Docker which is
 # scaffolded by default. However, you might want to replace it to use other
 # tools. (i.e. podman)
 CONTAINER_TOOL ?= docker
 # Setting SHELL to bash allows bash commands to be executed by recipes.
 # This is a requirement for 'setup-envtest.sh' in the test target.
 # Options are set to exit when a recipe line exits non-zero or a piped command fails.
@ -24,7 +33,7 @@ all: build
 # The help target prints out all targets with their descriptions organized
 # beneath their categories. The categories are represented by '##@' and the
-# target descriptions by '##'. The awk commands is responsible for reading the
+# target descriptions by '##'. The awk command is responsible for reading the
 # entire set of makefiles included in this invocation, looking for lines of the
 # file as xyz: ## something, and then pretty-format the target and help. Then,
 # if there's a line with ##@ something, that gets pretty-printed as a category.
@ -33,10 +42,60 @@ all: build
 # More info on the awk command:
 # http://linuxcommand.org/lc3_adv_awk.php
 # Used to force some rules to run every time
 .PHONY: FORCE
 FORCE: ;
 .PHONY: help
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 ##@ OS/ARCH detection
 os1=$(shell uname -s)
 os2=
 ifeq ($(os1),Darwin)
 os1=darwin
 os2=osx
 else ifeq ($(os1),Linux)
 os1=linux
 os2=linux
 else
 $(error unsupported OS: $(os1))
 endif
 arch1=$(shell uname -m)
 ifeq ($(arch1),x86_64)
 arch2=amd64
 else ifeq ($(arch1),aarch64)
 arch2=arm64
 else ifeq ($(arch1),arm64)
 arch2=arm64
 else
 $(error unsupported ARCH: $(arch1))
 endif
 ##@ Vars
 go_version := $(shell cat .go-version)
 build_dir := $(DIR)/.build/$(os1)-$(arch1)
 golangci_lint_version = v1.60.1
 golangci_lint_dir = $(build_dir)/golangci_lint/$(golangci_lint_version)
 golangci_lint_bin = $(golangci_lint_dir)/golangci-lint
 golangci_lint_cache = $(golangci_lint_dir)/cache
 ##@ Install toolchain
 install-golangci-lint: $(golangci_lint_bin)
 $(golangci_lint_bin):
 	@echo "Installing golangci-lint $(golangci_lint_version)..."
 	$(E)rm -rf $(dir $(golangci_lint_dir))
 	$(E)mkdir -p $(golangci_lint_dir)
 	$(E)mkdir -p $(golangci_lint_cache)
 	$(E)GOBIN=$(golangci_lint_dir) $(go_path) go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(golangci_lint_version)
 ##@ Development
 .PHONY: manifests
@ -57,25 +116,69 @@ vet: ## Run go vet against code.
 .PHONY: test
 test: manifests generate fmt vet envtest ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./... -coverprofile cover.out
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out
 ##@ Code cleanliness
 .PHONY: lint lint-code
 lint: lint-code
 lint-code: $(golangci_lint_bin)
 	$(E)PATH="$(PATH):$(go_bin_dir)" $(golangci_lint_bin) run ./...
 ##@ Build
 .PHONY: build
-build: generate fmt vet ## Build manager binary.
+build: $(addprefix bin,/$(BINARIES)) ## Build manager binary.
-	go build -o bin/manager main.go
+
 bin/%: cmd/main.go generate fmt vet FORCE
 	go build -o $@ $<
 .PHONY: run
-run: manifests generate fmt vet ## Run a controller from your host.
+run: build ## Run a controller from your host.
-	go run ./main.go
+	bin/spire-controller-manager
 .PHONY: container-builder
 container-builder: ## Create a buildx node to create crossplatform images.
 	$(CONTAINER_TOOL) buildx create --platform $(PLATFORMS) --name container-builder --node container-builder0 --use
 .PHONY: docker-build
-docker-build: test ## Build docker image with the manager.
+docker-build: $(addsuffix -image.tar,$(BINARIES)) ## Build docker image with the manager.
-	docker build -t ${IMG} .
+
 # PLATFORMS defines the target platforms for the manager image be built to provide support to multiple
 # architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to:
 # - be able to use docker buildx. More info: https://docs.docker.com/build/buildx/
 # - have enabled BuildKit. More info: https://docs.docker.com/develop/develop-images/build_enhancements/
 # - be able to push the image to your registry (i.e. if you do not set a valid value via IMG=<myregistry/image:<tag>> then the export will fail)
 # To adequately provide solutions that are compatible with multiple platforms, you should consider using this option.
 PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
 # TODO: may we support this?
 .PHONY: docker-buildx
 docker-buildx: ## Build and push docker image for the manager for cross-platform support
 	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
 	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
 	- $(CONTAINER_TOOL) buildx create --name project-v3-builder
 	$(CONTAINER_TOOL) buildx use project-v3-builder
 	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross .
 	- $(CONTAINER_TOOL) buildx rm project-v3-builder
 	rm Dockerfile.cross
 spire-controller-manager-image.tar: Dockerfile FORCE | container-builder
 	$(CONTAINER_TOOL) buildx build \
 		--platform $(PLATFORMS) \
 		--target spire-controller-manager \
 		--build-arg goversion=$(go_version) \
 		-o type=oci,dest=$@ \
 	    .
 .PHONY: load-images
 load-images: $(addsuffix -image.tar,$(BINARIES)) ## Load the image for your current PLATFORM into docker from the cross-platform oci tar.
 	./.github/workflows/scripts/load-oci-archives.sh
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.
-	docker push ${IMG}
+	./.github/workflows/scripts/push-images.sh
 ##@ Deployment
@ -85,41 +188,55 @@ endif
 .PHONY: install
 install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
-	$(KUSTOMIZE) build config/crd | kubectl apply -f -
+	$(KUSTOMIZE) build config/crd | $(KUBECTL) apply -f -
 .PHONY: uninstall
 uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
-	$(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
+	$(KUSTOMIZE) build config/crd | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
 .PHONY: deploy
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	$(KUSTOMIZE) build config/default | kubectl apply -f -
+	$(KUSTOMIZE) build config/default | $(KUBECTL) apply -f -
 .PHONY: undeploy
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
-	$(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
+	$(KUSTOMIZE) build config/default | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
-CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
+##@ Build Dependencies
-.PHONY: controller-gen
+
-controller-gen: ## Download controller-gen locally if necessary.
+## Location to install dependencies to
-	$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.8.0)
+LOCALBIN ?= $(shell pwd)/bin
 $(LOCALBIN):
 	mkdir -p $(LOCALBIN)
 ## Tool Binaries
 KUBECTL ?= kubectl
 KUSTOMIZE ?= $(LOCALBIN)/kustomize
 CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 ENVTEST ?= $(LOCALBIN)/setup-envtest
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.1.1
 CONTROLLER_TOOLS_VERSION ?= v0.14.0
 KUSTOMIZE = $(shell pwd)/bin/kustomize
 .PHONY: kustomize
-kustomize: ## Download kustomize locally if necessary.
+kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading.
-	$(call go-get-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v3@v3.8.7)
+$(KUSTOMIZE): $(LOCALBIN)
 	@if test -x $(LOCALBIN)/kustomize && ! $(LOCALBIN)/kustomize version | grep -q $(KUSTOMIZE_VERSION); then \
 		echo "$(LOCALBIN)/kustomize version is not expected $(KUSTOMIZE_VERSION). Removing it before installing."; \
 		rm -rf $(LOCALBIN)/kustomize; \
 	fi
 	test -s $(LOCALBIN)/kustomize || GOBIN=$(LOCALBIN) GO111MODULE=on go install sigs.k8s.io/kustomize/kustomize/v5@$(KUSTOMIZE_VERSION)
 .PHONY: controller-gen
 controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. If wrong version is installed, it will be overwritten.
 $(CONTROLLER_GEN): $(LOCALBIN)
 	test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \
 	GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION)
 ENVTEST = $(shell pwd)/bin/setup-envtest
 .PHONY: envtest
-envtest: ## Download envtest-setup locally if necessary.
+envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
-	$(call go-get-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
+$(ENVTEST): $(LOCALBIN)
 	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
 # go-get-tool will 'go install' any package $2 and install it to $1.
 PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 define go-get-tool
@[ -f $(1) ] || { \
 set -e ;\
 GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
 }
 endef
--- a/14
+++ b/14
@ -1,6 +1,10 @@
 # Code generated by tool. DO NOT EDIT.
 # This file is used to track the info used to scaffold your project
 # and allow the plugins properly work.
 # More info: https://book.kubebuilder.io/reference/project-config.html
 domain: spiffe.io
 layout:
- go.kubebuilder.io/v3
+- go.kubebuilder.io/v4
 projectName: spire-controller-manager
 repo: github.com/spiffe/spire-controller-manager
 resources:
@ -34,4 +38,12 @@ resources:
  kind: ControllerManagerConfig
  path: github.com/spiffe/spire-controller-manager/api/v1alpha1
  version: v1alpha1
 - api:
    crdVersion: v1
  controller: true
  domain: spiffe.io
  group: spire
  kind: ClusterStaticEntry
  path: github.com/spiffe/spire-controller-manager/api/v1alpha1
  version: v1alpha1
 version: "3"
--- a/README.md
+++ b/README.md
@ -24,6 +24,14 @@ The [ClusterFederatedTrustDomain](docs/clusterfederatedtrustdomain-crd.md)
 resource is a cluster scoped CRD that describes a federation relationship for
 the cluster.
 ### ClusterStaticEntry
 The [ClusterStaticEntry](docs/clusterstaticentry-crd.md) resource is a cluster
 scoped CRD that describes a static SPIRE registration entry. It is typically
 used for registering workloads that do not run in the Kubernetes cluster but
 otherwise need to be part of the trust domain (e.g. downstream nested SPIRE
 servers).
 ### Reconciliation
 #### Workload Registration
@ -33,12 +41,14 @@ controllers against the following resources:
 - [Pods](https://kubernetes.io/docs/concepts/workloads/pods/)
 - [ClusterSPIFFEID](docs/clusterspiffeid-crd.md)
 - [ClusterStaticEntry](docs/clusterstaticentry-crd.md)
 When changes are detected on these resources, a workload reconciliation process
 is triggered. This process determines which SPIRE entries should exist based on
-the existing Pods and ClusterSPIFFEID resources which apply to those pods. It
+the existing Pods and ClusterSPIFFEID resources which apply to those pods, as
-creates, updates, and deletes entries on SPIRE server as appropriate to match
+well as static entries declared via ClusterStaticEntry resources. The
-the declared state.
+reconciliation process creates, updates, and deletes entries on SPIRE server as
 appropriate to match the declared state.
 #### Federation
@ -64,6 +74,38 @@ The [demo](demo) includes [sample configuration](demo/config/cluster1) for
 deploying the SPIRE Controller Manager, SPIRE, and the SPIFFE CSI driver,
 including requisite RBAC and Webhook configuration.
 ### Upgrading
 The SPIRE Controller Manager must have the correct set of [Custom Resources](#custom-resources) 
 and the `manager-role` that corresponds to the version to be installed.
 Before upgrading, please install custom resources from [config/crd](/config/crd) and 
 verify that [manager-role](/config/rbac/role.yaml) is up-to-date.
 ## Compatibility
 The SPIRE APIs used by the SPIRE Controller Manager are generally stable and
 supported since at least SPIRE v1.0. However, the API has gained support for
 additional entry fields beyond what was supported in SPIRE v1.0. Notably, these
 include the `jwt_svid_ttl`, `hint` and the `store_svid` fields. The
 ClusterStaticEntry CRD allows these fields to be set, however, a SPIRE server
 that does not support these fields will not retain them. This means if these
 fields are set on a ClusterStaticEntry with an older version of SPIRE, the
 SPIRE Controller Manager will continously try to reconcile SPIRE server. In
 order to use these fields, you must be on a version of SPIRE Server which
 supports them.
 At the moment, SPIRE Controller Manager will silently try and reconcile these
 fields over and over. Future updates may cause the SPIRE Controller Manager
 to fail when an unsupporting SPIRE Server is encounted while these fields
 are set.
 The `hint` field is supported as of SPIRE 1.6.3.
 The `jwt_svid_ttl` field is supported as of SPIRE 1.5.0.
 The `store_svid` field is supported as of SPIRE 1.1.0.
 ## Demo
 [Link](demo)
--- a/api/v1alpha1/clusterfederatedtrustdomain_loader.go
+++ b/api/v1alpha1/clusterfederatedtrustdomain_loader.go
@ -0,0 +1,61 @@
 package v1alpha1
 import (
 	"context"
 	"fmt"
 	"os"
 	"path"
 	"strings"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 )
 func loadClusterFederatedTrustDomainFile(path string, scheme *runtime.Scheme, expandEnv bool) (*ClusterFederatedTrustDomain, error) {
 	var entry ClusterFederatedTrustDomain
 	content, err := os.ReadFile(path)
 	if err != nil {
 		return nil, fmt.Errorf("could not read file at %s: %w", path, err)
 	}
 	if expandEnv {
 		content = []byte(os.ExpandEnv(string(content)))
 	}
 	codecs := serializer.NewCodecFactory(scheme)
 	// Regardless of if the bytes are of any external version,
 	// it will be read successfully and converted into the internal version
 	if err = runtime.DecodeInto(codecs.UniversalDecoder(), content, &entry); err != nil {
 		return nil, fmt.Errorf("could not decode file (%s) into runtime.Object: %w", path, err)
 	}
 	return &entry, nil
 }
 func ListClusterFederatedTrustDomains(_ context.Context, manifestPath string) ([]ClusterFederatedTrustDomain, error) {
 	scheme := runtime.NewScheme()
 	res := make([]ClusterFederatedTrustDomain, 0)
 	expandEnv := false
 	files, err := os.ReadDir(manifestPath)
 	if err != nil {
 		return nil, err
 	}
 	for _, file := range files {
 		if !strings.HasSuffix(file.Name(), ".yaml") {
 			continue
 		}
 		fullfile := path.Join(manifestPath, file.Name())
 		entry, err := loadClusterFederatedTrustDomainFile(fullfile, scheme, expandEnv)
 		// Ignore files of the wrong type in manifestPath
 		if entry.APIVersion != "spire.spiffe.io/v1alpha1" || entry.Kind != "ClusterFederatedTrustDomain" {
 			continue
 		}
 		// Right file type, but error loading
 		if err != nil {
 			return nil, err
 		}
 		res = append(res, *entry)
 	}
 	return res, nil
 }
--- a/api/v1alpha1/clusterfederatedtrustdomain_types.go
+++ b/api/v1alpha1/clusterfederatedtrustdomain_types.go
@ -37,6 +37,10 @@ type ClusterFederatedTrustDomainSpec struct {
 	// domain. This field is optional when the resource is created.
 	// +kubebuilder:validation:Optional
 	TrustDomainBundle string `json:"trustDomainBundle,omitempty"`
 	// Set which Controller Class will act on this object
 	// +kubebuilder:validation:Optional
 	ClassName string `json:"className,omitempty"`
 }
 // BundleEndpointProfile is the profile for the federated trust domain
--- a/api/v1alpha1/clusterfederatedtrustdomain_webhook.go
+++ b/api/v1alpha1/clusterfederatedtrustdomain_webhook.go
@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha1
 import (
 	"context"
 	"fmt"
 	"strings"
@ -27,6 +28,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 // log is for logging in this package.
@ -35,6 +37,7 @@ var clusterfederatedtrustdomainlog = logf.Log.WithName("clusterfederatedtrustdom
 func (r *ClusterFederatedTrustDomain) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
 		WithValidator(&ClusterFederatedTrustDomainCustomValidator{}).
 		Complete()
 }
@ -43,29 +46,41 @@ func (r *ClusterFederatedTrustDomain) SetupWebhookWithManager(mgr ctrl.Manager)
 // TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
 //+kubebuilder:webhook:path=/validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain,mutating=false,failurePolicy=fail,sideEffects=None,groups=spire.spiffe.io,resources=clusterfederatedtrustdomains,verbs=create;update,versions=v1alpha1,name=vclusterfederatedtrustdomain.kb.io,admissionReviewVersions=v1
-var _ webhook.Validator = &ClusterFederatedTrustDomain{}
+type ClusterFederatedTrustDomainCustomValidator struct {
-
+	// TODO(user): Add more fields as needed for validation
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
 func (r *ClusterFederatedTrustDomain) ValidateCreate() error {
 	clusterfederatedtrustdomainlog.Info("validate create", "name", r.Name)
 	return r.validate()
 }
-// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+var _ webhook.CustomValidator = &ClusterFederatedTrustDomainCustomValidator{}
-func (r *ClusterFederatedTrustDomain) ValidateUpdate(old runtime.Object) error {
+
-	clusterfederatedtrustdomainlog.Info("validate update", "name", r.Name)
+// ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type
-	return r.validate()
+func (r *ClusterFederatedTrustDomainCustomValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
 	o, ok := obj.(*ClusterFederatedTrustDomain)
 	if !ok {
 		return nil, fmt.Errorf("expected a ClusterFederatedTrustDomain object but got %T", obj)
 	}
 	clusterfederatedtrustdomainlog.Info("validate create", "name", o.Name)
 	return r.validate(o)
 }
-// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+// ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type
-func (r *ClusterFederatedTrustDomain) ValidateDelete() error {
+func (r *ClusterFederatedTrustDomainCustomValidator) ValidateUpdate(_ context.Context, _ runtime.Object, nobj runtime.Object) (admission.Warnings, error) {
 	o, ok := nobj.(*ClusterFederatedTrustDomain)
 	if !ok {
 		return nil, fmt.Errorf("expected a ClusterFederatedTrustDomain object but got %T", nobj)
 	}
 	clusterfederatedtrustdomainlog.Info("validate update", "name", o.Name)
 	return r.validate(o)
 }
 // ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type
 func (r *ClusterFederatedTrustDomainCustomValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
 	// Deletes are not validated.
-	return nil
+	return nil, nil
 }
-func (r *ClusterFederatedTrustDomain) validate() error {
+func (r *ClusterFederatedTrustDomainCustomValidator) validate(o *ClusterFederatedTrustDomain) (admission.Warnings, error) {
-	_, err := ParseClusterFederatedTrustDomainSpec(&r.Spec)
+	_, err := ParseClusterFederatedTrustDomainSpec(&o.Spec)
-	return err
+	return nil, err
 }
 func ParseClusterFederatedTrustDomainSpec(spec *ClusterFederatedTrustDomainSpec) (*spireapi.FederationRelationship, error) {
--- a/api/v1alpha1/clusterspiffeid_types.go
+++ b/api/v1alpha1/clusterspiffeid_types.go
@ -20,9 +20,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
 // ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID
 type ClusterSPIFFEIDSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
@ -32,10 +29,14 @@ type ClusterSPIFFEIDSpec struct {
 	// available to the template under .NodeSpec, .PodSpec respectively.
 	SPIFFEIDTemplate string `json:"spiffeIDTemplate"`
-	// TTL indicates an upper-bound time-to-live for SVIDs minted for this
+	// TTL indicates an upper-bound time-to-live for X509 SVIDs minted for this
 	// ClusterSPIFFEID. If unset, a default will be chosen.
 	TTL metav1.Duration `json:"ttl,omitempty"`
 	// JWTTTL indicates an upper-bound time-to-live for JWT SVIDs minted for this
 	// ClusterSPIFFEID.
 	JWTTTL metav1.Duration `json:"jwtTtl,omitempty"`
 	// DNSNameTemplate represents templates for extra DNS names that are
 	// applicable to SVIDs minted for this ClusterSPIFFEID.
 	// The node and pod spec are made available to the template under
@ -55,11 +56,11 @@ type ClusterSPIFFEIDSpec struct {
 	// obtain this SPIFFE ID will federate with.
 	FederatesWith []string `json:"federatesWith,omitempty"`
-	// NamespaceSelector selects the namespaces that are targetted by this
+	// NamespaceSelector selects the namespaces that are targeted by this
 	// CRD.
 	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
-	// PodSelector selects the pods that are targetted by this
+	// PodSelector selects the pods that are targeted by this
 	// CRD.
 	PodSelector *metav1.LabelSelector `json:"podSelector,omitempty"`
@ -67,13 +68,28 @@ type ClusterSPIFFEIDSpec struct {
 	// administrative APIs. Extra care should be taken to only apply this
 	// SPIFFE ID to admin workloads.
 	Admin bool `json:"admin,omitempty"`
 	// Downstream indicates that the entry describes a downstream SPIRE server.
 	Downstream bool `json:"downstream,omitempty"`
 	// AutoPopulateDNSNames indicates whether or not to auto populate service DNS names.
 	AutoPopulateDNSNames bool `json:"autoPopulateDNSNames,omitempty"`
 	// Set which Controller Class will act on this object
 	// +kubebuilder:validation:Optional
 	ClassName string `json:"className,omitempty"`
 	// Apply this ID only if there are no other matching non fallback ClusterSPIFFEIDs.
 	// +kubebuilder:validation:Optional
 	Fallback bool `json:"fallback,omitempty"`
 	// Set the entry hint
 	// +kubebuilder:validation:Optional
 	Hint string `json:"hint,omitempty"`
 }
 // ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID
 type ClusterSPIFFEIDStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 	// Stats produced by the last entry reconciliation run
 	// +kubebuilder:validation:Optional
 	Stats ClusterSPIFFEIDStats `json:"stats"`
@ -129,6 +145,7 @@ type ClusterSPIFFEID struct {
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	Spec ClusterSPIFFEIDSpec `json:"spec,omitempty"`
 	// +optional
 	Status ClusterSPIFFEIDStatus `json:"status,omitempty"`
 }
--- a/api/v1alpha1/clusterspiffeid_webhook.go
+++ b/api/v1alpha1/clusterspiffeid_webhook.go
@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha1
 import (
 	"context"
 	"errors"
 	"fmt"
 	"text/template"
@ -29,6 +30,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 const (
@ -43,6 +45,7 @@ var clusterspiffeidlog = logf.Log.WithName("clusterspiffeid-resource")
 func (r *ClusterSPIFFEID) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
 		WithValidator(&ClusterSPIFFEIDCustomValidator{}).
 		Complete()
 }
@ -51,31 +54,43 @@ func (r *ClusterSPIFFEID) SetupWebhookWithManager(mgr ctrl.Manager) error {
 // TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
 //+kubebuilder:webhook:path=/validate-spire-spiffe-io-v1alpha1-clusterspiffeid,mutating=false,failurePolicy=fail,sideEffects=None,groups=spire.spiffe.io,resources=clusterspiffeids,verbs=create;update,versions=v1alpha1,name=vclusterspiffeid.kb.io,admissionReviewVersions=v1
-var _ webhook.Validator = &ClusterSPIFFEID{}
+type ClusterSPIFFEIDCustomValidator struct {
-
+	// TODO(user): Add more fields as needed for validation
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
 func (r *ClusterSPIFFEID) ValidateCreate() error {
 	clusterspiffeidlog.Info("validate create", "name", r.Name)
 	return r.validate()
 }
-// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+var _ webhook.CustomValidator = &ClusterSPIFFEIDCustomValidator{}
 func (r *ClusterSPIFFEID) ValidateUpdate(old runtime.Object) error {
 	clusterspiffeidlog.Info("validate update", "name", r.Name)
-	return r.validate()
+// ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type
 func (r *ClusterSPIFFEIDCustomValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
 	o, ok := obj.(*ClusterSPIFFEID)
 	if !ok {
 		return nil, fmt.Errorf("expected a ClusterSPIFFEID object but got %T", obj)
 	}
 	clusterspiffeidlog.Info("validate create", "name", o.Name)
 	return r.validate(o)
 }
-// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+// ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type
-func (r *ClusterSPIFFEID) ValidateDelete() error {
+func (r *ClusterSPIFFEIDCustomValidator) ValidateUpdate(_ context.Context, _ runtime.Object, nobj runtime.Object) (admission.Warnings, error) {
 	o, ok := nobj.(*ClusterSPIFFEID)
 	if !ok {
 		return nil, fmt.Errorf("expected a ClusterSPIFFEID object but got %T", nobj)
 	}
 	clusterspiffeidlog.Info("validate update", "name", o.Name)
 	return r.validate(o)
 }
 // ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type
 func (r *ClusterSPIFFEIDCustomValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
 	// Deletes are not validated.
-	return nil
+	return nil, nil
 }
-func (r *ClusterSPIFFEID) validate() error {
+func (r *ClusterSPIFFEIDCustomValidator) validate(o *ClusterSPIFFEID) (admission.Warnings, error) {
-	_, err := ParseClusterSPIFFEIDSpec(&r.Spec)
+	_, err := ParseClusterSPIFFEIDSpec(&o.Spec)
-	return err
+	return nil, err
 }
 // +kubebuilder:object:generate=false
@ -85,10 +100,14 @@ type ParsedClusterSPIFFEIDSpec struct {
 	NamespaceSelector         labels.Selector
 	PodSelector               labels.Selector
 	TTL                       time.Duration
 	JWTTTL                    time.Duration
 	FederatesWith             []spiffeid.TrustDomain
 	DNSNameTemplates          []*template.Template
 	WorkloadSelectorTemplates []*template.Template
 	Admin                     bool
 	Downstream                bool
 	AutoPopulateDNSNames      bool
 	Hint                      string
 }
 // ParseClusterSPIFFEIDSpec parses and validates the fields in the ClusterSPIFFEIDSpec
@ -150,9 +169,13 @@ func ParseClusterSPIFFEIDSpec(spec *ClusterSPIFFEIDSpec) (*ParsedClusterSPIFFEID
 		NamespaceSelector:         namespaceSelector,
 		PodSelector:               podSelector,
 		TTL:                       spec.TTL.Duration,
 		JWTTTL:                    spec.JWTTTL.Duration,
 		FederatesWith:             federatesWith,
 		DNSNameTemplates:          dnsNameTemplates,
 		WorkloadSelectorTemplates: workloadSelectorTemplates,
 		Admin:                     spec.Admin,
 		Downstream:                spec.Downstream,
 		AutoPopulateDNSNames:      spec.AutoPopulateDNSNames,
 		Hint:                      spec.Hint,
 	}, nil
 }
--- a/api/v1alpha1/clusterstaticentry_loader.go
+++ b/api/v1alpha1/clusterstaticentry_loader.go
@ -0,0 +1,61 @@
 package v1alpha1
 import (
 	"context"
 	"fmt"
 	"os"
 	"path"
 	"strings"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 )
 func loadClusterStaticEntryFile(path string, scheme *runtime.Scheme, expandEnv bool) (*ClusterStaticEntry, error) {
 	var entry ClusterStaticEntry
 	content, err := os.ReadFile(path)
 	if err != nil {
 		return nil, fmt.Errorf("could not read file at %s: %w", path, err)
 	}
 	if expandEnv {
 		content = []byte(os.ExpandEnv(string(content)))
 	}
 	codecs := serializer.NewCodecFactory(scheme)
 	// Regardless of if the bytes are of any external version,
 	// it will be read successfully and converted into the internal version
 	if err = runtime.DecodeInto(codecs.UniversalDecoder(), content, &entry); err != nil {
 		return nil, fmt.Errorf("could not decode file (%s) into runtime.Object: %w", path, err)
 	}
 	return &entry, nil
 }
 func ListClusterStaticEntries(_ context.Context, manifestPath string) ([]ClusterStaticEntry, error) {
 	scheme := runtime.NewScheme()
 	res := make([]ClusterStaticEntry, 0)
 	expandEnv := false
 	files, err := os.ReadDir(manifestPath)
 	if err != nil {
 		return nil, err
 	}
 	for _, file := range files {
 		if !strings.HasSuffix(file.Name(), ".yaml") {
 			continue
 		}
 		fullfile := path.Join(manifestPath, file.Name())
 		entry, err := loadClusterStaticEntryFile(fullfile, scheme, expandEnv)
 		// Ignore files of the wrong type in manifestPath
 		if entry.APIVersion != "spire.spiffe.io/v1alpha1" || entry.Kind != "ClusterStaticEntry" {
 			continue
 		}
 		// Right file type, but error loading
 		if err != nil {
 			return nil, err
 		}
 		res = append(res, *entry)
 	}
 	return res, nil
 }
--- a/api/v1alpha1/clusterstaticentry_types.go
+++ b/api/v1alpha1/clusterstaticentry_types.go
@ -0,0 +1,80 @@
 /*
 Copyright 2023 SPIRE Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package v1alpha1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
 // ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry
 type ClusterStaticEntrySpec struct {
 	SPIFFEID      string          `json:"spiffeID"`
 	ParentID      string          `json:"parentID"`
 	Selectors     []string        `json:"selectors"`
 	FederatesWith []string        `json:"federatesWith,omitempty"`
 	X509SVIDTTL   metav1.Duration `json:"x509SVIDTTL,omitempty"`
 	JWTSVIDTTL    metav1.Duration `json:"jwtSVIDTTL,omitempty"`
 	DNSNames      []string        `json:"dnsNames,omitempty"`
 	Hint          string          `json:"hint,omitempty"`
 	Admin         bool            `json:"admin,omitempty"`
 	Downstream    bool            `json:"downstream,omitempty"`
 	StoreSVID     bool            `json:"storeSVID,omitempty"`
 	// Set which Controller Class will act on this object
 	// +kubebuilder:validation:Optional
 	ClassName string `json:"className,omitempty"`
 }
 // ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry
 type ClusterStaticEntryStatus struct {
 	// If the static entry rendered properly.
 	Rendered bool `json:"rendered"`
 	// If the static entry was masked by another entry.
 	Masked bool `json:"masked"`
 	// If the static entry was successfully created/updated.
 	Set bool `json:"set"`
 }
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
 //+kubebuilder:resource:scope=Cluster
 // ClusterStaticEntry is the Schema for the clusterstaticentries API
 type ClusterStaticEntry struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	Spec   ClusterStaticEntrySpec   `json:"spec,omitempty"`
 	Status ClusterStaticEntryStatus `json:"status,omitempty"`
 }
 //+kubebuilder:object:root=true
 // ClusterStaticEntryList contains a list of ClusterStaticEntry
 type ClusterStaticEntryList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
 	Items           []ClusterStaticEntry `json:"items"`
 }
 func init() {
 	SchemeBuilder.Register(&ClusterStaticEntry{}, &ClusterStaticEntryList{})
 }
--- a/api/v1alpha1/controllermanagerconfig_loader.go
+++ b/api/v1alpha1/controllermanagerconfig_loader.go
@ -0,0 +1,143 @@
 package v1alpha1
 import (
 	"errors"
 	"fmt"
 	"os"
 	"reflect"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 )
 func LoadOptionsFromFile(path string, scheme *runtime.Scheme, options *ctrl.Options, config *ControllerManagerConfig, expandEnv bool) error {
 	if err := loadFile(path, scheme, config, expandEnv); err != nil {
 		return err
 	}
 	return addOptionsFromConfigSpec(options, config.ControllerManagerConfigurationSpec)
 }
 func loadFile(path string, scheme *runtime.Scheme, config *ControllerManagerConfig, expandEnv bool) error {
 	content, err := os.ReadFile(path)
 	if err != nil {
 		return fmt.Errorf("could not read file at %s: %w", path, err)
 	}
 	if expandEnv {
 		content = []byte(os.ExpandEnv(string(content)))
 	}
 	codecs := serializer.NewCodecFactory(scheme)
 	// Regardless of if the bytes are of any external version,
 	// it will be read successfully and converted into the internal version
 	if err = runtime.DecodeInto(codecs.UniversalDecoder(), content, config); err != nil {
 		return fmt.Errorf("could not decode file into runtime.Object: %w", err)
 	}
 	return nil
 }
 func addOptionsFromConfigSpec(o *ctrl.Options, configSpec ControllerManagerConfigurationSpec) error {
 	setLeaderElectionConfig(o, configSpec)
 	if o.Cache.SyncPeriod == nil && configSpec.SyncPeriod != nil {
 		o.Cache.SyncPeriod = &configSpec.SyncPeriod.Duration
 	}
 	if len(o.Cache.DefaultNamespaces) == 0 {
 		switch {
 		case configSpec.CacheNamespace != "" && len(configSpec.CacheNamespaces) > 0:
 			return errors.New("cacheNamespace or cacheNamespaces can be used, but not both")
 		case configSpec.CacheNamespace != "":
 			o.Cache.DefaultNamespaces = map[string]cache.Config{
 				configSpec.CacheNamespace: {},
 			}
 		case len(configSpec.CacheNamespaces) > 0:
 			o.Cache.DefaultNamespaces = make(map[string]cache.Config, len(configSpec.CacheNamespaces))
 			for namespace, opts := range configSpec.CacheNamespaces {
 				cacheConfig := cache.Config{}
 				if opts != nil {
 					if len(opts.LabelSelectors) > 0 {
 						cacheConfig.LabelSelector = labels.SelectorFromSet(opts.LabelSelectors)
 					}
 					if len(opts.FieldSelectors) > 0 {
 						cacheConfig.FieldSelector = fields.SelectorFromSet(opts.FieldSelectors)
 					}
 				}
 				o.Cache.DefaultNamespaces[namespace] = cacheConfig
 			}
 		}
 	}
 	if o.Metrics.BindAddress == "" && configSpec.Metrics.BindAddress != "" {
 		o.Metrics.BindAddress = configSpec.Metrics.BindAddress
 	}
 	if o.HealthProbeBindAddress == "" && configSpec.Health.HealthProbeBindAddress != "" {
 		o.HealthProbeBindAddress = configSpec.Health.HealthProbeBindAddress
 	}
 	if o.ReadinessEndpointName == "" && configSpec.Health.ReadinessEndpointName != "" {
 		o.ReadinessEndpointName = configSpec.Health.ReadinessEndpointName
 	}
 	if o.LivenessEndpointName == "" && configSpec.Health.LivenessEndpointName != "" {
 		o.LivenessEndpointName = configSpec.Health.LivenessEndpointName
 	}
 	if configSpec.Controller != nil {
 		if o.Controller.CacheSyncTimeout == 0 && configSpec.Controller.CacheSyncTimeout != nil {
 			o.Controller.CacheSyncTimeout = *configSpec.Controller.CacheSyncTimeout
 		}
 		if len(o.Controller.GroupKindConcurrency) == 0 && len(configSpec.Controller.GroupKindConcurrency) > 0 {
 			o.Controller.GroupKindConcurrency = configSpec.Controller.GroupKindConcurrency
 		}
 	}
 	return nil
 }
 func setLeaderElectionConfig(o *ctrl.Options, obj ControllerManagerConfigurationSpec) {
 	if obj.LeaderElection == nil {
 		// The source does not have any configuration; noop
 		return
 	}
 	if !o.LeaderElection && obj.LeaderElection.LeaderElect != nil {
 		o.LeaderElection = *obj.LeaderElection.LeaderElect
 	}
 	if o.LeaderElectionResourceLock == "" && obj.LeaderElection.ResourceLock != "" {
 		o.LeaderElectionResourceLock = obj.LeaderElection.ResourceLock
 	}
 	if o.LeaderElectionNamespace == "" && obj.LeaderElection.ResourceNamespace != "" {
 		o.LeaderElectionNamespace = obj.LeaderElection.ResourceNamespace
 	}
 	if o.LeaderElectionID == "" && obj.LeaderElection.ResourceName != "" {
 		o.LeaderElectionID = obj.LeaderElection.ResourceName
 	}
 	if o.LeaseDuration == nil && !reflect.DeepEqual(obj.LeaderElection.LeaseDuration, metav1.Duration{}) {
 		o.LeaseDuration = &obj.LeaderElection.LeaseDuration.Duration
 	}
 	if o.RenewDeadline == nil && !reflect.DeepEqual(obj.LeaderElection.RenewDeadline, metav1.Duration{}) {
 		o.RenewDeadline = &obj.LeaderElection.RenewDeadline.Duration
 	}
 	if o.RetryPeriod == nil && !reflect.DeepEqual(obj.LeaderElection.RetryPeriod, metav1.Duration{}) {
 		o.RetryPeriod = &obj.LeaderElection.RetryPeriod.Duration
 	}
 }
--- a/api/v1alpha1/controllermanagerconfig_loader_test.go
+++ b/api/v1alpha1/controllermanagerconfig_loader_test.go
@ -0,0 +1,259 @@
 package v1alpha1_test
 import (
 	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
 	"time"
 	spirev1alpha1 "github.com/spiffe/spire-controller-manager/api/v1alpha1"
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/component-base/config/v1alpha1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 )
 const (
 	fileContent = `
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ControllerManagerConfig
 metrics:
  bindAddress: 127.0.0.1:8082
 health:
  healthProbeBindAddress: 127.0.0.1:8083
 leaderElection:
  leaderElect: true
  resourceName: 98c9c988.spiffe.io
  resourceNamespace: spire-system
 clusterName: cluster2
 trustDomain: cluster2.demo
 ignoreNamespaces:
  - kube-system
  - kube-public
  - spire-system
  - local-path-storage
 `
 	fileContentExpandEnv = `
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ControllerManagerConfig
 clusterName: cluster2
 trustDomain: $TRUST_DOMAIN
 `
 	cacheNamespace = `
 cacheNamespace: default
 `
 	cacheNamespaces = `
 cacheNamespaces:
   default:
   nsWithLabel:
      labelSelectors:
         lName: l1
   nsWithField:
      fieldSelectors:
         fName: f1
   nsWithBoth:
      labelSelectors:
         lName: l1
      fieldSelectors:
         fName: f1
 `
 )
 func TestLoadOptionsFromFileReplaceDefaultValues(t *testing.T) {
 	scheme := runtime.NewScheme()
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(spirev1alpha1.AddToScheme(scheme))
 	tempDir := t.TempDir()
 	path := filepath.Join(tempDir, "config.yaml")
 	require.NoError(t, os.WriteFile(path, []byte(fileContent), 0600))
 	options := ctrl.Options{Scheme: scheme}
 	ctrlConfig := spirev1alpha1.ControllerManagerConfig{
 		IgnoreNamespaces:                   []string{"kube-system", "kube-public", "spire-system", "foo"},
 		GCInterval:                         time.Minute,
 		ValidatingWebhookConfigurationName: "foo-webhook",
 	}
 	err := spirev1alpha1.LoadOptionsFromFile(path, scheme, &options, &ctrlConfig, false)
 	require.NoError(t, err)
 	ok := true
 	expectConfig := spirev1alpha1.ControllerManagerConfig{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "ControllerManagerConfig",
 			APIVersion: "spire.spiffe.io/v1alpha1",
 		},
 		ControllerManagerConfigurationSpec: spirev1alpha1.ControllerManagerConfigurationSpec{
 			LeaderElection: &v1alpha1.LeaderElectionConfiguration{
 				LeaderElect:       &ok,
 				ResourceName:      "98c9c988.spiffe.io",
 				ResourceNamespace: "spire-system",
 			},
 			Metrics: spirev1alpha1.ControllerMetrics{
 				BindAddress: "127.0.0.1:8082",
 			},
 			Health: spirev1alpha1.ControllerHealth{
 				HealthProbeBindAddress: "127.0.0.1:8083",
 			},
 		},
 		ClusterName: "cluster2",
 		TrustDomain: "cluster2.demo",
 		IgnoreNamespaces: []string{
 			"kube-system",
 			"kube-public",
 			"spire-system",
 			"local-path-storage",
 		},
 		ValidatingWebhookConfigurationName: "foo-webhook",
 		GCInterval:                         time.Minute,
 	}
 	require.Equal(t, expectConfig, ctrlConfig)
 	require.Equal(t, "spire-system", options.LeaderElectionNamespace)
 	require.True(t, true, options.LeaderElection)
 	require.Equal(t, "98c9c988.spiffe.io", options.LeaderElectionID)
 	require.Equal(t, "127.0.0.1:8082", options.Metrics.BindAddress)
 }
 func TestLoadOptionsFromFileInvalidPath(t *testing.T) {
 	scheme := runtime.NewScheme()
 	options := ctrl.Options{Scheme: scheme}
 	ctrlConfig := spirev1alpha1.ControllerManagerConfig{
 		IgnoreNamespaces:                   []string{"kube-system", "kube-public", "spire-system", "foo"},
 		GCInterval:                         time.Minute,
 		ValidatingWebhookConfigurationName: "foo-webhook",
 	}
 	err := spirev1alpha1.LoadOptionsFromFile("", scheme, &options, &ctrlConfig, false)
 	require.EqualError(t, err, "could not read file at : open : no such file or directory")
 	err = spirev1alpha1.LoadOptionsFromFile("foo.yaml", scheme, &options, &ctrlConfig, false)
 	fmt.Printf("err :%v\n", err)
 	require.EqualError(t, err, "could not read file at foo.yaml: open foo.yaml: no such file or directory")
 }
 func TestLoadOptionsFromFileExpandEnv(t *testing.T) {
 	t.Setenv("TRUST_DOMAIN", "example.org")
 	tempDir := t.TempDir()
 	path := filepath.Join(tempDir, "config.yaml")
 	require.NoError(t, os.WriteFile(path, []byte(fileContentExpandEnv), 0600))
 	scheme := runtime.NewScheme()
 	options := ctrl.Options{Scheme: scheme}
 	ctrlConfig := spirev1alpha1.ControllerManagerConfig{}
 	tests := []struct {
 		expandEnv     bool
 		expectedValue string
 	}{
 		{
 			expandEnv:     true,
 			expectedValue: "example.org",
 		},
 		{
 			expandEnv:     false,
 			expectedValue: "$TRUST_DOMAIN",
 		},
 	}
 	for _, test := range tests {
 		err := spirev1alpha1.LoadOptionsFromFile(path, scheme, &options, &ctrlConfig, test.expandEnv)
 		require.NoError(t, err)
 		require.Equal(t, test.expectedValue, ctrlConfig.TrustDomain)
 	}
 }
 func TestLoadOptionsWithCacheNamespaces(t *testing.T) {
 	scheme := runtime.NewScheme()
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(spirev1alpha1.AddToScheme(scheme))
 	for _, tt := range []struct {
 		name             string
 		cacheNamespace   string
 		expectErr        string
 		expectNamespaces map[string]cache.Config
 	}{
 		{
 			name:             "no namespace",
 			expectNamespaces: nil,
 		},
 		{
 			name:           "using namespaces",
 			cacheNamespace: cacheNamespace,
 			expectNamespaces: map[string]cache.Config{
 				"default": {},
 			},
 		},
 		{
 			name:           "with cacheNamespaces",
 			cacheNamespace: cacheNamespaces,
 			expectNamespaces: map[string]cache.Config{
 				"default": {},
 				"nsWithLabel": {
 					LabelSelector: labels.SelectorFromSet(labels.Set{
 						"lName": "l1",
 					}),
 				},
 				"nsWithField": {
 					FieldSelector: fields.SelectorFromSet(fields.Set{
 						"fName": "f1",
 					}),
 				},
 				"nsWithBoth": {
 					LabelSelector: labels.SelectorFromSet(labels.Set{
 						"lName": "l1",
 					}),
 					FieldSelector: fields.SelectorFromSet(fields.Set{
 						"fName": "f1",
 					}),
 				},
 			},
 		},
 		{
 			name:           "with cacheNamespace and cacheNamespaces",
 			cacheNamespace: cacheNamespace + cacheNamespaces,
 			expectErr:      "cacheNamespace or cacheNamespaces can be used, but not both",
 		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
 			tempDir := t.TempDir()
 			path := filepath.Join(tempDir, "config.yaml")
 			config := fileContent + tt.cacheNamespace
 			require.NoError(t, os.WriteFile(path, []byte(config), 0600))
 			options := ctrl.Options{Scheme: scheme}
 			ctrlConfig := spirev1alpha1.ControllerManagerConfig{
 				IgnoreNamespaces:                   []string{"kube-system", "kube-public", "spire-system", "foo"},
 				GCInterval:                         time.Minute,
 				ValidatingWebhookConfigurationName: "foo-webhook",
 			}
 			err := spirev1alpha1.LoadOptionsFromFile(path, scheme, &options, &ctrlConfig, false)
 			if tt.expectErr != "" {
 				require.EqualError(t, err, tt.expectErr)
 				return
 			}
 			require.NoError(t, err)
 			require.Equal(t, tt.expectNamespaces, options.Cache.DefaultNamespaces)
 		})
 	}
 }
--- a/api/v1alpha1/controllermanagerconfig_types.go
+++ b/api/v1alpha1/controllermanagerconfig_types.go
@ -20,7 +20,7 @@ import (
 	"time"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	cfgv1alpha1 "sigs.k8s.io/controller-runtime/pkg/config/v1alpha1"
+	configv1alpha1 "k8s.io/component-base/config/v1alpha1"
 )
 //+kubebuilder:object:root=true
@ -30,11 +30,14 @@ type ControllerManagerConfig struct {
 	metav1.TypeMeta `json:",inline"`
 	// ControllerManagerConfigurationSpec returns the contfigurations for controllers
-	cfgv1alpha1.ControllerManagerConfigurationSpec `json:",inline"`
+	ControllerManagerConfigurationSpec `json:",inline"`
 	// ClusterName is the cluster name
 	ClusterName string `json:"clusterName"`
 	// ClusterDomain is the cluster domain, ie cluster.local
 	ClusterDomain string `json:"clusterDomain"`
 	// TrustDomain is the name of the SPIFFE trust domain
 	TrustDomain string `json:"trustDomain"`
@ -53,6 +56,197 @@ type ControllerManagerConfig struct {
 	// SPIREServerSocketPath is the path to the SPIRE Server API socket
 	SPIREServerSocketPath string `json:"spireServerSocketPath"`
 	// LogLevel is the log level for the controller manager
 	LogLevel string `json:"logLevel"`
 	// LogEncoding is the log encoding for the controller manager
 	LogEncoding string `json:"logEncoding"`
 }
 // ControllerManagerConfigurationSpec defines the desired state of GenericControllerManagerConfiguration.
 type ControllerManagerConfigurationSpec struct {
 	// SyncPeriod determines the minimum frequency at which watched resources are
 	// reconciled. A lower period will correct entropy more quickly, but reduce
 	// responsiveness to change if there are many watched resources. Change this
 	// value only if you know what you are doing. Defaults to 10 hours if unset.
 	// there will a 10 percent jitter between the SyncPeriod of all controllers
 	// so that all controllers will not send list requests simultaneously.
 	// +optional
 	SyncPeriod *metav1.Duration `json:"syncPeriod,omitempty"`
 	// LeaderElection is the LeaderElection config to be used when configuring
 	// the manager.Manager leader election.
 	// +optional
 	LeaderElection *configv1alpha1.LeaderElectionConfiguration `json:"leaderElection,omitempty"`
 	// CacheNamespace if specified restricts the manager's cache to watch objects in
 	// the desired namespace. Defaults to all namespaces.
 	// Deprecated: use cacheNamespaces instead
 	//
 	// Note: If a namespace is specified, controllers can still Watch for a
 	// cluster-scoped resource (e.g Node).  For namespaced resources the cache
 	// will only hold objects from the desired namespace.
 	// +optional
 	CacheNamespace string `json:"cacheNamespace,omitempty"`
 	// CacheNamespaces if specified restricts the manager's cache to watch objects in
 	// the desired namespaces. Defaults to all namespaces.
 	// +optional
 	CacheNamespaces map[string]*NamespaceConfig `json:"cacheNamespaces,omitempty"`
 	// GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop.
 	// To disable graceful shutdown, set to time.Duration(0)
 	// To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1)
 	// The graceful shutdown is skipped for safety reasons in case the leader election lease is lost.
 	GracefulShutdownTimeout *metav1.Duration `json:"gracefulShutDown,omitempty"`
 	// Controller contains global configuration options for controllers
 	// registered within this manager.
 	// +optional
 	Controller *ControllerConfigurationSpec `json:"controller,omitempty"`
 	// Metrics contains the controller metrics configuration
 	// +optional
 	Metrics ControllerMetrics `json:"metrics,omitempty"`
 	// Health contains the controller health configuration
 	// +optional
 	Health ControllerHealth `json:"health,omitempty"`
 	// Webhook contains the controllers webhook configuration
 	// +optional
 	Webhook ControllerWebhook `json:"webhook,omitempty"`
 	// ClassName contains the name of a class to watch CRs for. Others will be ignored.
 	// If unset all will be watched.
 	// +optional
 	ClassName string `json:"className,omitempty"`
 	// If WatchClassless is set and ClassName is set, any CR without a ClassName
 	// specified will also be handled by this controller.
 	// +optional
 	WatchClassless bool `json:"watchClassless,omitempty"`
 	// If specified, uses a different parent id template for linking pods to nodes
 	// +optional
 	ParentIDTemplate string `json:"parentIDTemplate,omitempty"`
 	// If specified, only syncs the specified CR types. Defaults to all.
 	// +optional
 	Reconcile *ReconcileConfig `json:"reconcile,omitempty"`
 	// If specified, prefixes each entry id with `<prefix>.`. Entries without the Prefix will be ignored (except ones marked for cleanup, see EntryIDPrefixCleanup).
 	// +optiional
 	EntryIDPrefix string `json:"entryIDPrefix,omitempty"`
 	// If specified, entries with the specified prefix will be removed. If set to "" it will clean up all unprefixed entries.
 	// It can not be set to the same value as EntryIDPrefix.
 	// Generally useful when switching from nonprefixed to prefixed, or between two different prefixes.
 	// +optiional
 	EntryIDPrefixCleanup *string `json:"entryIDPrefixCleanup,omitempty"`
 	// When configured, read yaml objects from the specified path rather then from Kubernetes.
 	StaticManifestPath *string `json:"staticManifestPath,omitempty"`
 }
 // ReconcileConfig configuration used to enable/disable syncing various types
 type ReconcileConfig struct {
 	// ClusterSpiffeIds enable syncing of clusterspiffeids
 	// +optional
 	ClusterSPIFFEIDs bool `json:"clusterSPIFFEIDs,omitempty"`
 	// ClusterFederatedTrustDomains enable syncing of clusterfederatedtrustdomains
 	// +optional
 	ClusterFederatedTrustDomains bool `json:"clusterFederatedTrustDomains,omitempty"`
 	// ClusterStaticEntries enable syncing of clusterstaticentries
 	// +optional
 	ClusterStaticEntries bool `json:"clusterStaticEntries,omitempty"`
 }
 // NamespaceConfig configuration used to filter cached namespaces
 type NamespaceConfig struct {
 	// LabelSelectors map of Labels selectors
 	// +optional
 	LabelSelectors map[string]string `json:"labelSelectors,omitempty"`
 	// FieldSelectors map of Fields selectors
 	// +optional
 	FieldSelectors map[string]string `json:"fieldSelectors,omitempty"`
 }
 // ControllerConfigurationSpec defines the global configuration for
 // controllers registered with the manager.
 type ControllerConfigurationSpec struct {
 	// GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation
 	// allowed for that controller.
 	//
 	// When a controller is registered within this manager using the builder utilities,
 	// users have to specify the type the controller reconciles in the For(...) call.
 	// If the object's kind passed matches one of the keys in this map, the concurrency
 	// for that controller is set to the number specified.
 	//
 	// The key is expected to be consistent in form with GroupKind.String(),
 	// e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`.
 	//
 	// +optional
 	GroupKindConcurrency map[string]int `json:"groupKindConcurrency,omitempty"`
 	// CacheSyncTimeout refers to the time limit set to wait for syncing caches.
 	// Defaults to 2 minutes if not set.
 	// +optional
 	CacheSyncTimeout *time.Duration `json:"cacheSyncTimeout,omitempty"`
 	// RecoverPanic indicates if panics should be recovered.
 	// +optional
 	RecoverPanic *bool `json:"recoverPanic,omitempty"`
 }
 // ControllerMetrics defines the metrics configs.
 type ControllerMetrics struct {
 	// BindAddress is the TCP address that the controller should bind to
 	// for serving prometheus metrics.
 	// It can be set to "0" to disable the metrics serving.
 	// +optional
 	BindAddress string `json:"bindAddress,omitempty"`
 }
 // ControllerHealth defines the health configs.
 type ControllerHealth struct {
 	// HealthProbeBindAddress is the TCP address that the controller should bind to
 	// for serving health probes
 	// It can be set to "0" or "" to disable serving the health probe.
 	// +optional
 	HealthProbeBindAddress string `json:"healthProbeBindAddress,omitempty"`
 	// ReadinessEndpointName, defaults to "readyz"
 	// +optional
 	ReadinessEndpointName string `json:"readinessEndpointName,omitempty"`
 	// LivenessEndpointName, defaults to "healthz"
 	// +optional
 	LivenessEndpointName string `json:"livenessEndpointName,omitempty"`
 }
 // ControllerWebhook defines the webhook server for the controller.
 type ControllerWebhook struct {
 	// Port is the port that the webhook server serves at.
 	// It is used to set webhook.Server.Port.
 	// +optional
 	Port *int `json:"port,omitempty"`
 	// Host is the hostname that the webhook server binds to.
 	// It is used to set webhook.Server.Host.
 	// +optional
 	Host string `json:"host,omitempty"`
 	// CertDir is the directory that contains the server key and certificate.
 	// if not set, webhook server would look up the server key and certificate in
 	// {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate
 	// must be named tls.key and tls.crt, respectively.
 	// +optional
 	CertDir string `json:"certDir,omitempty"`
 }
 func init() {
--- a/api/v1alpha1/webhook_suite_test.go
+++ b/api/v1alpha1/webhook_suite_test.go
@ -22,22 +22,24 @@ import (
 	"fmt"
 	"net"
 	"path/filepath"
 	"runtime"
 	"testing"
 	"time"
-	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/ginkgo/v2" //nolint:revive // auto-generated
-	. "github.com/onsi/gomega"
+	. "github.com/onsi/gomega"    //nolint:revive // auto-generated
-	admissionv1beta1 "k8s.io/api/admission/v1beta1"
+	admissionv1 "k8s.io/api/admission/v1"
 	//+kubebuilder:scaffold:imports
-	"k8s.io/apimachinery/pkg/runtime"
+	apimachineryruntime "k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/rest"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
 	"sigs.k8s.io/controller-runtime/pkg/envtest/printer"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 )
 // These tests use Ginkgo (BDD-style Go testing framework). Refer to
@ -52,9 +54,7 @@ var cancel context.CancelFunc
 func TestAPIs(t *testing.T) {
 	RegisterFailHandler(Fail)
-	RunSpecsWithDefaultAndCustomReporters(t,
+	RunSpecs(t, "Webhook Suite")
 		"Webhook Suite",
 		[]Reporter{printer.NewlineReporter{}})
 }
 var _ = BeforeSuite(func() {
@ -66,23 +66,31 @@ var _ = BeforeSuite(func() {
 	testEnv = &envtest.Environment{
 		CRDDirectoryPaths:     []string{filepath.Join("..", "..", "config", "crd", "bases")},
 		ErrorIfCRDPathMissing: false,
 		// The BinaryAssetsDirectory is only required if you want to run the tests directly
 		// without call the makefile target test. If not informed it will look for the
 		// default path defined in controller-runtime which is /usr/local/kubebuilder/.
 		// Note that you must have the required binaries setup under the bin directory to perform
 		// the tests directly. When we run make test it will be setup and used automatically.
 		BinaryAssetsDirectory: filepath.Join("..", "..", "bin", "k8s",
 			fmt.Sprintf("1.28.0-%s-%s", runtime.GOOS, runtime.GOARCH)),
 		WebhookInstallOptions: envtest.WebhookInstallOptions{
 			Paths: []string{filepath.Join("..", "..", "config", "webhook")},
 		},
 	}
-	cfg, err := testEnv.Start()
+	var err error
 	// cfg is defined in this file globally.
 	cfg, err = testEnv.Start()
 	Expect(err).NotTo(HaveOccurred())
 	Expect(cfg).NotTo(BeNil())
-	scheme := runtime.NewScheme()
+	scheme := apimachineryruntime.NewScheme()
 	err = AddToScheme(scheme)
 	Expect(err).NotTo(HaveOccurred())
-	err = admissionv1beta1.AddToScheme(scheme)
+	err = admissionv1.AddToScheme(scheme)
 	Expect(err).NotTo(HaveOccurred())
 	err = admissionv1beta1.AddToScheme(scheme)
 	Expect(err).NotTo(HaveOccurred())
 	//+kubebuilder:scaffold:scheme
@ -95,12 +103,15 @@ var _ = BeforeSuite(func() {
 	webhookInstallOptions := &testEnv.WebhookInstallOptions
 	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
 		Scheme: scheme,
 		WebhookServer: webhook.NewServer(webhook.Options{
 			Host:    webhookInstallOptions.LocalServingHost,
 			Port:    webhookInstallOptions.LocalServingPort,
 			CertDir: webhookInstallOptions.LocalServingCertDir,
 		}),
 		LeaderElection: false,
-		MetricsBindAddress: "0",
+		Metrics:        metricsserver.Options{BindAddress: "0"},
 	})
 	Expect(err).NotTo(HaveOccurred())
 	err = (&ClusterFederatedTrustDomain{}).SetupWebhookWithManager(mgr)
@ -121,7 +132,7 @@ var _ = BeforeSuite(func() {
 	dialer := &net.Dialer{Timeout: time.Second}
 	addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort)
 	Eventually(func() error {
-		conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true})
+		conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true}) //nolint: gosec // this is intentional for the unit test
 		if err != nil {
 			return err
 		}
@ -129,7 +140,7 @@ var _ = BeforeSuite(func() {
 		return nil
 	}).Should(Succeed())
-}, 60)
+})
 var _ = AfterSuite(func() {
 	cancel()
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@ -1,8 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 /*
-Copyright 2021 SPIRE Authors.
+Copyright 2023 SPIRE Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -24,6 +23,8 @@ package v1alpha1
 import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	configv1alpha1 "k8s.io/component-base/config/v1alpha1"
 	timex "time"
 )
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@ -68,6 +69,21 @@ func (in *ClusterFederatedTrustDomain) DeepCopyObject() runtime.Object {
 	return nil
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterFederatedTrustDomainCustomValidator) DeepCopyInto(out *ClusterFederatedTrustDomainCustomValidator) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterFederatedTrustDomainCustomValidator.
 func (in *ClusterFederatedTrustDomainCustomValidator) DeepCopy() *ClusterFederatedTrustDomainCustomValidator {
 	if in == nil {
 		return nil
 	}
 	out := new(ClusterFederatedTrustDomainCustomValidator)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterFederatedTrustDomainList) DeepCopyInto(out *ClusterFederatedTrustDomainList) {
 	*out = *in
@ -158,6 +174,21 @@ func (in *ClusterSPIFFEID) DeepCopyObject() runtime.Object {
 	return nil
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterSPIFFEIDCustomValidator) DeepCopyInto(out *ClusterSPIFFEIDCustomValidator) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSPIFFEIDCustomValidator.
 func (in *ClusterSPIFFEIDCustomValidator) DeepCopy() *ClusterSPIFFEIDCustomValidator {
 	if in == nil {
 		return nil
 	}
 	out := new(ClusterSPIFFEIDCustomValidator)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterSPIFFEIDList) DeepCopyInto(out *ClusterSPIFFEIDList) {
 	*out = *in
@ -194,6 +225,7 @@ func (in *ClusterSPIFFEIDList) DeepCopyObject() runtime.Object {
 func (in *ClusterSPIFFEIDSpec) DeepCopyInto(out *ClusterSPIFFEIDSpec) {
 	*out = *in
 	out.TTL = in.TTL
 	out.JWTTTL = in.JWTTTL
 	if in.DNSNameTemplates != nil {
 		in, out := &in.DNSNameTemplates, &out.DNSNameTemplates
 		*out = make([]string, len(*in))
@ -262,6 +294,159 @@ func (in *ClusterSPIFFEIDStatus) DeepCopy() *ClusterSPIFFEIDStatus {
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterStaticEntry) DeepCopyInto(out *ClusterStaticEntry) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
 	out.Status = in.Status
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterStaticEntry.
 func (in *ClusterStaticEntry) DeepCopy() *ClusterStaticEntry {
 	if in == nil {
 		return nil
 	}
 	out := new(ClusterStaticEntry)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
 func (in *ClusterStaticEntry) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
 	return nil
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterStaticEntryList) DeepCopyInto(out *ClusterStaticEntryList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
 		*out = make([]ClusterStaticEntry, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterStaticEntryList.
 func (in *ClusterStaticEntryList) DeepCopy() *ClusterStaticEntryList {
 	if in == nil {
 		return nil
 	}
 	out := new(ClusterStaticEntryList)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
 func (in *ClusterStaticEntryList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
 	return nil
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterStaticEntrySpec) DeepCopyInto(out *ClusterStaticEntrySpec) {
 	*out = *in
 	if in.Selectors != nil {
 		in, out := &in.Selectors, &out.Selectors
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
 	if in.FederatesWith != nil {
 		in, out := &in.FederatesWith, &out.FederatesWith
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
 	out.X509SVIDTTL = in.X509SVIDTTL
 	out.JWTSVIDTTL = in.JWTSVIDTTL
 	if in.DNSNames != nil {
 		in, out := &in.DNSNames, &out.DNSNames
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterStaticEntrySpec.
 func (in *ClusterStaticEntrySpec) DeepCopy() *ClusterStaticEntrySpec {
 	if in == nil {
 		return nil
 	}
 	out := new(ClusterStaticEntrySpec)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterStaticEntryStatus) DeepCopyInto(out *ClusterStaticEntryStatus) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterStaticEntryStatus.
 func (in *ClusterStaticEntryStatus) DeepCopy() *ClusterStaticEntryStatus {
 	if in == nil {
 		return nil
 	}
 	out := new(ClusterStaticEntryStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ControllerConfigurationSpec) DeepCopyInto(out *ControllerConfigurationSpec) {
 	*out = *in
 	if in.GroupKindConcurrency != nil {
 		in, out := &in.GroupKindConcurrency, &out.GroupKindConcurrency
 		*out = make(map[string]int, len(*in))
 		for key, val := range *in {
 			(*out)[key] = val
 		}
 	}
 	if in.CacheSyncTimeout != nil {
 		in, out := &in.CacheSyncTimeout, &out.CacheSyncTimeout
 		*out = new(timex.Duration)
 		**out = **in
 	}
 	if in.RecoverPanic != nil {
 		in, out := &in.RecoverPanic, &out.RecoverPanic
 		*out = new(bool)
 		**out = **in
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControllerConfigurationSpec.
 func (in *ControllerConfigurationSpec) DeepCopy() *ControllerConfigurationSpec {
 	if in == nil {
 		return nil
 	}
 	out := new(ControllerConfigurationSpec)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ControllerHealth) DeepCopyInto(out *ControllerHealth) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControllerHealth.
 func (in *ControllerHealth) DeepCopy() *ControllerHealth {
 	if in == nil {
 		return nil
 	}
 	out := new(ControllerHealth)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ControllerManagerConfig) DeepCopyInto(out *ControllerManagerConfig) {
 	*out = *in
@ -291,3 +476,151 @@ func (in *ControllerManagerConfig) DeepCopyObject() runtime.Object {
 	}
 	return nil
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ControllerManagerConfigurationSpec) DeepCopyInto(out *ControllerManagerConfigurationSpec) {
 	*out = *in
 	if in.SyncPeriod != nil {
 		in, out := &in.SyncPeriod, &out.SyncPeriod
 		*out = new(v1.Duration)
 		**out = **in
 	}
 	if in.LeaderElection != nil {
 		in, out := &in.LeaderElection, &out.LeaderElection
 		*out = new(configv1alpha1.LeaderElectionConfiguration)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.CacheNamespaces != nil {
 		in, out := &in.CacheNamespaces, &out.CacheNamespaces
 		*out = make(map[string]*NamespaceConfig, len(*in))
 		for key, val := range *in {
 			var outVal *NamespaceConfig
 			if val == nil {
 				(*out)[key] = nil
 			} else {
 				inVal := (*in)[key]
 				in, out := &inVal, &outVal
 				*out = new(NamespaceConfig)
 				(*in).DeepCopyInto(*out)
 			}
 			(*out)[key] = outVal
 		}
 	}
 	if in.GracefulShutdownTimeout != nil {
 		in, out := &in.GracefulShutdownTimeout, &out.GracefulShutdownTimeout
 		*out = new(v1.Duration)
 		**out = **in
 	}
 	if in.Controller != nil {
 		in, out := &in.Controller, &out.Controller
 		*out = new(ControllerConfigurationSpec)
 		(*in).DeepCopyInto(*out)
 	}
 	out.Metrics = in.Metrics
 	out.Health = in.Health
 	in.Webhook.DeepCopyInto(&out.Webhook)
 	if in.Reconcile != nil {
 		in, out := &in.Reconcile, &out.Reconcile
 		*out = new(ReconcileConfig)
 		**out = **in
 	}
 	if in.EntryIDPrefixCleanup != nil {
 		in, out := &in.EntryIDPrefixCleanup, &out.EntryIDPrefixCleanup
 		*out = new(string)
 		**out = **in
 	}
 	if in.StaticManifestPath != nil {
 		in, out := &in.StaticManifestPath, &out.StaticManifestPath
 		*out = new(string)
 		**out = **in
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControllerManagerConfigurationSpec.
 func (in *ControllerManagerConfigurationSpec) DeepCopy() *ControllerManagerConfigurationSpec {
 	if in == nil {
 		return nil
 	}
 	out := new(ControllerManagerConfigurationSpec)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ControllerMetrics) DeepCopyInto(out *ControllerMetrics) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControllerMetrics.
 func (in *ControllerMetrics) DeepCopy() *ControllerMetrics {
 	if in == nil {
 		return nil
 	}
 	out := new(ControllerMetrics)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ControllerWebhook) DeepCopyInto(out *ControllerWebhook) {
 	*out = *in
 	if in.Port != nil {
 		in, out := &in.Port, &out.Port
 		*out = new(int)
 		**out = **in
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControllerWebhook.
 func (in *ControllerWebhook) DeepCopy() *ControllerWebhook {
 	if in == nil {
 		return nil
 	}
 	out := new(ControllerWebhook)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NamespaceConfig) DeepCopyInto(out *NamespaceConfig) {
 	*out = *in
 	if in.LabelSelectors != nil {
 		in, out := &in.LabelSelectors, &out.LabelSelectors
 		*out = make(map[string]string, len(*in))
 		for key, val := range *in {
 			(*out)[key] = val
 		}
 	}
 	if in.FieldSelectors != nil {
 		in, out := &in.FieldSelectors, &out.FieldSelectors
 		*out = make(map[string]string, len(*in))
 		for key, val := range *in {
 			(*out)[key] = val
 		}
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceConfig.
 func (in *NamespaceConfig) DeepCopy() *NamespaceConfig {
 	if in == nil {
 		return nil
 	}
 	out := new(NamespaceConfig)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReconcileConfig) DeepCopyInto(out *ReconcileConfig) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReconcileConfig.
 func (in *ReconcileConfig) DeepCopy() *ReconcileConfig {
 	if in == nil {
 		return nil
 	}
 	out := new(ReconcileConfig)
 	in.DeepCopyInto(out)
 	return out
 }
--- a/cmd/config_test.go
+++ b/cmd/config_test.go
@ -0,0 +1,54 @@
 package main
 import (
 	"errors"
 	"testing"
 	"github.com/stretchr/testify/require"
 )
 func TestParseClusterDomainCNAME(t *testing.T) {
 	for _, test := range []struct {
 		name           string
 		cname          string
 		expectedDomain string
 		expectedErr    string
 	}{
 		{
 			name:           "Valid CNAME with trailing dot",
 			cname:          k8sDefaultService + ".cluster.local.",
 			expectedDomain: "cluster.local",
 		},
 		{
 			name:           "Valid CNAME without trailing dot",
 			cname:          k8sDefaultService + ".cluster2.local",
 			expectedDomain: "cluster2.local",
 		},
 		{
 			name:        "Invalid prefix",
 			cname:       "test.cluster.local",
 			expectedErr: "CNAME did not have expected prefix",
 		},
 		{
 			name:        "No domain with trailing dot",
 			cname:       k8sDefaultService + ".",
 			expectedErr: "CNAME did not have a cluster domain",
 		},
 		{
 			name:        "No domain without trailing dot",
 			cname:       k8sDefaultService,
 			expectedErr: "CNAME did not have expected prefix",
 		},
 	} {
 		t.Run(test.name, func(t *testing.T) {
 			domain, err := parseClusterDomainCNAME(test.cname)
 			if test.expectedErr != "" {
 				require.EqualError(t, errors.New(test.expectedErr), err.Error())
 				return
 			}
 			require.Equal(t, domain, test.expectedDomain)
 			require.NoError(t, err)
 		})
 	}
 }
--- a/cmd/main.go
+++ b/cmd/main.go
@ -0,0 +1,636 @@
 /*
 Copyright 2021 SPIRE Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"crypto/tls"
 	"errors"
 	"flag"
 	"fmt"
 	"net"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
 	"sync"
 	"text/template"
 	"time"
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 	"k8s.io/client-go/kubernetes"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/client-go/rest"
 	"go.uber.org/zap/zapcore"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	k8sMetrics "sigs.k8s.io/controller-runtime/pkg/metrics"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	spirev1alpha1 "github.com/spiffe/spire-controller-manager/api/v1alpha1"
 	"github.com/spiffe/spire-controller-manager/internal/controller"
 	"github.com/spiffe/spire-controller-manager/pkg/metrics"
 	"github.com/spiffe/spire-controller-manager/pkg/reconciler"
 	"github.com/spiffe/spire-controller-manager/pkg/spireapi"
 	"github.com/spiffe/spire-controller-manager/pkg/spireentry"
 	"github.com/spiffe/spire-controller-manager/pkg/spirefederationrelationship"
 	"github.com/spiffe/spire-controller-manager/pkg/webhookmanager"
 	//+kubebuilder:scaffold:imports
 )
 type Config struct {
 	ctrlConfig            spirev1alpha1.ControllerManagerConfig
 	options               ctrl.Options
 	ignoreNamespacesRegex []*regexp.Regexp
 	parentIDTemplate      *template.Template
 	reconcile             spirev1alpha1.ReconcileConfig
 }
 const (
 	defaultSPIREServerSocketPath = "/spire-server/api.sock"
 	defaultGCInterval            = 10 * time.Second
 	defaultLogLevel              = "info"
 	defaultLogEncoding           = "console"
 	k8sDefaultService            = "kubernetes.default.svc"
 )
 var (
 	scheme   = runtime.NewScheme()
 	setupLog = ctrl.Log.WithName("setup")
 )
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(spirev1alpha1.AddToScheme(scheme))
 	k8sMetrics.Registry.MustRegister(
 		metrics.PromCounters[metrics.StaticEntryFailures],
 	)
 	//+kubebuilder:scaffold:scheme
 }
 func main() {
 	mainConfig, err := parseConfig()
 	if err != nil {
 		setupLog.Error(err, "error parsing configuration")
 		os.Exit(1)
 	}
 	if mainConfig.ctrlConfig.StaticManifestPath != nil {
 		if err := staticRun(mainConfig); err != nil {
 			os.Exit(1)
 		}
 	}
 	if err := run(mainConfig); err != nil {
 		os.Exit(1)
 	}
 }
 func addDotSuffix(val string) string {
 	if val != "" && !strings.HasSuffix(val, ".") {
 		val += "."
 	}
 	return val
 }
 func parseConfig() (Config, error) {
 	var retval Config
 	var configFileFlag string
 	var spireAPISocketFlag string
 	var expandEnvFlag bool
 	flag.StringVar(&configFileFlag, "config", "",
 		"The controller will load its initial configuration from this file. "+
 			"Omit this flag to use the default configuration values. "+
 			"Command-line flags override configuration from this file.")
 	flag.StringVar(&spireAPISocketFlag, "spire-api-socket", "", "The path to the SPIRE API socket (deprecated; use the config file)")
 	flag.BoolVar(&expandEnvFlag, "expand-env", false, "Expand environment variables in SPIRE Controller Manager config file")
 	opts := zap.Options{
 		Development: true,
 	}
 	opts.BindFlags(flag.CommandLine)
 	flag.Parse()
 	// Set default values
 	retval.ctrlConfig = spirev1alpha1.ControllerManagerConfig{
 		IgnoreNamespaces:                   []string{"kube-system", "kube-public", "spire-system"},
 		GCInterval:                         defaultGCInterval,
 		ValidatingWebhookConfigurationName: "spire-controller-manager-webhook",
 		LogLevel:                           defaultLogLevel,
 		LogEncoding:                        defaultLogEncoding,
 	}
 	retval.options = ctrl.Options{Scheme: scheme}
 	// Setup logger to zap's default log level so errors parsing the config which contains the desired log level are logged
 	_ = setLogger(&opts, "", "")
 	if configFileFlag != "" {
 		if err := spirev1alpha1.LoadOptionsFromFile(configFileFlag, scheme, &retval.options, &retval.ctrlConfig, expandEnvFlag); err != nil {
 			return retval, fmt.Errorf("unable to load the config file: %w", err)
 		}
 		for _, ignoredNamespace := range retval.ctrlConfig.IgnoreNamespaces {
 			regex, err := regexp.Compile(ignoredNamespace)
 			if err != nil {
 				return retval, fmt.Errorf("unable to compile ignore namespaces regex: %w", err)
 			}
 			retval.ignoreNamespacesRegex = append(retval.ignoreNamespacesRegex, regex)
 		}
 	}
 	// Parse log flags
 	if err := setLogger(&opts, retval.ctrlConfig.LogLevel, retval.ctrlConfig.LogEncoding); err != nil {
 		return retval, fmt.Errorf("unable to parse log level: %w", err)
 	}
 	setupLog.Info("Logger configured", "level", opts.Level)
 	// Determine the SPIRE Server socket path
 	switch {
 	case retval.ctrlConfig.SPIREServerSocketPath == "" && spireAPISocketFlag == "":
 		// Neither is set. Use the default.
 		retval.ctrlConfig.SPIREServerSocketPath = defaultSPIREServerSocketPath
 	case retval.ctrlConfig.SPIREServerSocketPath != "" && spireAPISocketFlag == "":
 		// Configuration file value is set. Use it.
 	case retval.ctrlConfig.SPIREServerSocketPath == "" && spireAPISocketFlag != "":
 		// Deprecated flag value is set. Use it but warn.
 		retval.ctrlConfig.SPIREServerSocketPath = spireAPISocketFlag
 		setupLog.Error(nil, "The spire-api-socket flag is deprecated and will be removed in a future release; use the configuration file instead")
 	case retval.ctrlConfig.SPIREServerSocketPath != "" && spireAPISocketFlag != "":
 		// Both are set. Warn and ignore the deprecated flag.
 		setupLog.Error(nil, "Ignoring deprecated spire-api-socket flag which will be removed in a future release")
 	}
 	// Attempt to auto detect cluster domain if it wasn't specified
 	if retval.ctrlConfig.ClusterDomain == "" {
 		clusterDomain, err := autoDetectClusterDomain()
 		if err != nil {
 			setupLog.Error(err, "unable to autodetect cluster domain")
 		}
 		retval.ctrlConfig.ClusterDomain = clusterDomain
 	}
 	if retval.ctrlConfig.ParentIDTemplate != "" {
 		var err error
 		retval.parentIDTemplate, err = template.New("customParentIDTemplate").Parse(retval.ctrlConfig.ParentIDTemplate)
 		if err != nil {
 			return retval, fmt.Errorf("unable to parse parent ID template: %w", err)
 		}
 	}
 	if retval.ctrlConfig.Reconcile == nil {
 		retval.reconcile.ClusterFederatedTrustDomains = true
 		retval.reconcile.ClusterStaticEntries = true
 		if retval.ctrlConfig.StaticManifestPath == nil {
 			// Static mode default is to have ClusterSPIFFEID syncing off (unsupported). Non static mode syncing on.
 			retval.reconcile.ClusterSPIFFEIDs = true
 		}
 	} else {
 		retval.reconcile = *retval.ctrlConfig.Reconcile
 	}
 	if retval.ctrlConfig.StaticManifestPath != nil {
 		if retval.options.LeaderElection {
 			return retval, fmt.Errorf("Leader election is not possible with static manifests")
 		}
 		if retval.reconcile.ClusterSPIFFEIDs {
 			return retval, fmt.Errorf("ClusterSPIFFEID reconciliation is not possible with static manifests")
 		}
 	}
 	retval.ctrlConfig.EntryIDPrefix = addDotSuffix(retval.ctrlConfig.EntryIDPrefix)
 	printCleanup := "<unset>"
 	if retval.ctrlConfig.EntryIDPrefixCleanup != nil {
 		printCleanup = *retval.ctrlConfig.EntryIDPrefixCleanup
 		*retval.ctrlConfig.EntryIDPrefixCleanup = addDotSuffix(*retval.ctrlConfig.EntryIDPrefixCleanup)
 		if retval.ctrlConfig.EntryIDPrefix != "" && retval.ctrlConfig.EntryIDPrefix == *retval.ctrlConfig.EntryIDPrefixCleanup {
 			return retval, fmt.Errorf("if entryIDPrefixCleanup is specified, it can not be the same value as entryIDPrefix")
 		}
 	}
 	setupLog.Info("Config loaded",
 		"cluster name", retval.ctrlConfig.ClusterName,
 		"cluster domain", retval.ctrlConfig.ClusterDomain,
 		"trust domain", retval.ctrlConfig.TrustDomain,
 		"ignore namespaces", retval.ctrlConfig.IgnoreNamespaces,
 		"gc interval", retval.ctrlConfig.GCInterval,
 		"spire server socket path", retval.ctrlConfig.SPIREServerSocketPath,
 		"class name", retval.ctrlConfig.ClassName,
 		"handle crs without class name", retval.ctrlConfig.WatchClassless,
 		"reconcile ClusterSPIFFEIDs", retval.reconcile.ClusterSPIFFEIDs,
 		"reconcile ClusterFederatedTrustDomains", retval.reconcile.ClusterFederatedTrustDomains,
 		"reconcile ClusterStaticEntries", retval.reconcile.ClusterStaticEntries,
 		"entryIDPrefix", retval.ctrlConfig.EntryIDPrefix,
 		"entryIDPrefixCleanup", printCleanup)
 	switch {
 	case retval.ctrlConfig.TrustDomain == "":
 		setupLog.Error(nil, "trust domain is required configuration")
 		return retval, errors.New("trust domain is required configuration")
 	case retval.ctrlConfig.ClusterName == "":
 		return retval, errors.New("cluster name is required configuration")
 	case retval.ctrlConfig.ValidatingWebhookConfigurationName == "":
 		return retval, errors.New("validating webhook configuration name is required configuration")
 	case retval.ctrlConfig.ControllerManagerConfigurationSpec.Webhook.CertDir != "":
 		setupLog.Info("certDir configuration is ignored", "certDir", retval.ctrlConfig.ControllerManagerConfigurationSpec.Webhook.CertDir)
 	}
 	return retval, nil
 }
 func run(mainConfig Config) (err error) {
 	webhookEnabled := os.Getenv("ENABLE_WEBHOOKS") != "false"
 	trustDomain, err := spiffeid.TrustDomainFromString(mainConfig.ctrlConfig.TrustDomain)
 	if err != nil {
 		setupLog.Error(err, "invalid trust domain name")
 		return err
 	}
 	ctx := ctrl.SetupSignalHandler()
 	setupLog.Info("Dialing SPIRE Server socket")
 	spireClient, err := spireapi.DialSocket(mainConfig.ctrlConfig.SPIREServerSocketPath)
 	if err != nil {
 		setupLog.Error(err, "unable to dial SPIRE Server socket")
 		return err
 	}
 	defer spireClient.Close()
 	// It's unfortunate that we have to keep credentials on disk so that the
 	// manager can load them. Webhook server credentials are stored in a single
 	// file to keep rotation simple.
 	// TODO: upstream a change to the WebhookServer so it can use callbacks to
 	// obtain the certificates so we don't have to touch disk.
 	var webhookManager *webhookmanager.Manager
 	if webhookEnabled {
 		const keyPairName = "keypair.pem"
 		certDir, err := os.MkdirTemp("", "spire-controller-manager-")
 		if err != nil {
 			setupLog.Error(err, "failed to create temporary cert directory")
 			return err
 		}
 		defer func() {
 			if err := os.RemoveAll(certDir); err != nil {
 				setupLog.Error(err, "failed to remove temporary cert directory", "certDir", certDir)
 				os.Exit(1)
 			}
 		}()
 		mainConfig.options.WebhookServer = webhook.NewServer(webhook.Options{
 			CertDir:  certDir,
 			CertName: keyPairName,
 			KeyName:  keyPairName,
 			TLSOpts: []func(*tls.Config){
 				func(s *tls.Config) {
 					s.MinVersion = tls.VersionTLS12
 				},
 			},
 		})
 		// We need a direct client to query and patch up the webhook. We can't use
 		// the controller runtime client for this because we can't start the manager
 		// without the webhook credentials being in place, and the webhook credentials
 		// need the DNS name of the webhook service from the configuration.
 		config, err := rest.InClusterConfig()
 		if err != nil {
 			setupLog.Error(err, "failed to get in cluster configuration")
 			return err
 		}
 		// creates the clientset
 		clientset, err := kubernetes.NewForConfig(config)
 		if err != nil {
 			setupLog.Error(err, "failed to create an API client")
 			return err
 		}
 		webhookManager = webhookmanager.New(webhookmanager.Config{
 			ID:            spiffeid.RequireFromPath(trustDomain, "/spire-controller-manager-webhook"),
 			KeyPairPath:   filepath.Join(certDir, keyPairName),
 			WebhookName:   mainConfig.ctrlConfig.ValidatingWebhookConfigurationName,
 			WebhookClient: clientset.AdmissionregistrationV1().ValidatingWebhookConfigurations(),
 			SVIDClient:    spireClient,
 			BundleClient:  spireClient,
 		})
 		if err := webhookManager.Init(ctx); err != nil {
 			setupLog.Error(err, "failed to mint initial webhook certificate")
 			return err
 		}
 	}
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), mainConfig.options)
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")
 		return err
 	}
 	var entryReconciler reconciler.Reconciler
 	if mainConfig.reconcile.ClusterSPIFFEIDs || mainConfig.reconcile.ClusterStaticEntries {
 		entryReconciler = spireentry.Reconciler(spireentry.ReconcilerConfig{
 			TrustDomain:          trustDomain,
 			ClusterName:          mainConfig.ctrlConfig.ClusterName,
 			ClusterDomain:        mainConfig.ctrlConfig.ClusterDomain,
 			K8sClient:            mgr.GetClient(),
 			EntryClient:          spireClient,
 			IgnoreNamespaces:     mainConfig.ignoreNamespacesRegex,
 			GCInterval:           mainConfig.ctrlConfig.GCInterval,
 			ClassName:            mainConfig.ctrlConfig.ClassName,
 			WatchClassless:       mainConfig.ctrlConfig.WatchClassless,
 			ParentIDTemplate:     mainConfig.parentIDTemplate,
 			Reconcile:            mainConfig.reconcile,
 			EntryIDPrefix:        mainConfig.ctrlConfig.EntryIDPrefix,
 			EntryIDPrefixCleanup: mainConfig.ctrlConfig.EntryIDPrefixCleanup,
 		})
 	}
 	var federationRelationshipReconciler reconciler.Reconciler
 	if mainConfig.reconcile.ClusterFederatedTrustDomains {
 		federationRelationshipReconciler = spirefederationrelationship.Reconciler(spirefederationrelationship.ReconcilerConfig{
 			K8sClient:         mgr.GetClient(),
 			TrustDomainClient: spireClient,
 			GCInterval:        mainConfig.ctrlConfig.GCInterval,
 			ClassName:         mainConfig.ctrlConfig.ClassName,
 			WatchClassless:    mainConfig.ctrlConfig.WatchClassless,
 		})
 		if err = (&controller.ClusterFederatedTrustDomainReconciler{
 			Client:    mgr.GetClient(),
 			Scheme:    mgr.GetScheme(),
 			Triggerer: federationRelationshipReconciler,
 		}).SetupWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "ClusterFederatedTrustDomain")
 			return err
 		}
 	}
 	if mainConfig.reconcile.ClusterSPIFFEIDs {
 		if err = (&controller.ClusterSPIFFEIDReconciler{
 			Client:    mgr.GetClient(),
 			Scheme:    mgr.GetScheme(),
 			Triggerer: entryReconciler,
 		}).SetupWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "ClusterSPIFFEID")
 			return err
 		}
 	}
 	if mainConfig.reconcile.ClusterStaticEntries {
 		if err = (&controller.ClusterStaticEntryReconciler{
 			Client:    mgr.GetClient(),
 			Scheme:    mgr.GetScheme(),
 			Triggerer: entryReconciler,
 		}).SetupWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "ClusterStaticEntry")
 			return err
 		}
 	}
 	if webhookEnabled {
 		if err = (&spirev1alpha1.ClusterFederatedTrustDomain{}).SetupWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create webhook", "webhook", "ClusterFederatedTrustDomain")
 			return err
 		}
 		if err = (&spirev1alpha1.ClusterSPIFFEID{}).SetupWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create webhook", "webhook", "ClusterSPIFFEID")
 			return err
 		}
 	}
 	//+kubebuilder:scaffold:builder
 	if mainConfig.reconcile.ClusterSPIFFEIDs {
 		if err = (&controller.PodReconciler{
 			Client:           mgr.GetClient(),
 			Scheme:           mgr.GetScheme(),
 			Triggerer:        entryReconciler,
 			IgnoreNamespaces: mainConfig.ignoreNamespacesRegex,
 		}).SetupWithManager(ctx, mgr); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "Pod")
 			return err
 		}
 		if err = (&controller.EndpointsReconciler{
 			Client:           mgr.GetClient(),
 			Scheme:           mgr.GetScheme(),
 			Triggerer:        entryReconciler,
 			IgnoreNamespaces: mainConfig.ignoreNamespacesRegex,
 		}).SetupWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "Endpoints")
 			return err
 		}
 	}
 	if entryReconciler != nil {
 		if err = mgr.Add(manager.RunnableFunc(entryReconciler.Run)); err != nil {
 			setupLog.Error(err, "unable to manage entry reconciler")
 			return err
 		}
 	}
 	if federationRelationshipReconciler != nil {
 		if err = mgr.Add(manager.RunnableFunc(federationRelationshipReconciler.Run)); err != nil {
 			setupLog.Error(err, "unable to manage federation relationship reconciler")
 			return err
 		}
 	}
 	if webhookManager != nil {
 		if err = mgr.Add(webhookManager); err != nil {
 			setupLog.Error(err, "unable to manage webhook")
 			return err
 		}
 	}
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
 		setupLog.Error(err, "unable to set up health check")
 		return err
 	}
 	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
 		setupLog.Error(err, "unable to set up ready check")
 		return err
 	}
 	setupLog.Info("starting manager")
 	if err := mgr.Start(ctx); err != nil {
 		setupLog.Error(err, "problem running manager")
 		return err
 	}
 	return nil
 }
 func staticRun(mainConfig Config) (err error) {
 	var wg sync.WaitGroup
 	if mainConfig.reconcile.ClusterFederatedTrustDomains {
 		wg.Add(1)
 	}
 	if mainConfig.reconcile.ClusterStaticEntries {
 		wg.Add(1)
 	}
 	trustDomain, err := spiffeid.TrustDomainFromString(mainConfig.ctrlConfig.TrustDomain)
 	if err != nil {
 		setupLog.Error(err, "invalid trust domain name")
 		return err
 	}
 	ctx := ctrl.SetupSignalHandler()
 	setupLog.Info("Dialing SPIRE Server socket")
 	spireClient, err := spireapi.DialSocket(mainConfig.ctrlConfig.SPIREServerSocketPath)
 	if err != nil {
 		setupLog.Error(err, "unable to dial SPIRE Server socket")
 		return err
 	}
 	defer spireClient.Close()
 	mgr, err := ctrl.NewManager(&rest.Config{}, mainConfig.options)
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")
 		return err
 	}
 	if mainConfig.reconcile.ClusterStaticEntries {
 		entryReconciler := spireentry.Reconciler(spireentry.ReconcilerConfig{
 			TrustDomain:          trustDomain,
 			ClusterName:          mainConfig.ctrlConfig.ClusterName,
 			ClusterDomain:        mainConfig.ctrlConfig.ClusterDomain,
 			K8sClient:            nil,
 			EntryClient:          spireClient,
 			IgnoreNamespaces:     mainConfig.ignoreNamespacesRegex,
 			GCInterval:           mainConfig.ctrlConfig.GCInterval,
 			ClassName:            mainConfig.ctrlConfig.ClassName,
 			WatchClassless:       mainConfig.ctrlConfig.WatchClassless,
 			ParentIDTemplate:     mainConfig.parentIDTemplate,
 			Reconcile:            mainConfig.reconcile,
 			EntryIDPrefix:        mainConfig.ctrlConfig.EntryIDPrefix,
 			EntryIDPrefixCleanup: mainConfig.ctrlConfig.EntryIDPrefixCleanup,
 			StaticManifestPath:   mainConfig.ctrlConfig.StaticManifestPath,
 		})
 		go func() {
 			err = entryReconciler.Run(ctx)
 			if err != nil {
 				setupLog.Error(err, "failure starting entry reconciler", "controller", "ClusterStaticEntry")
 			}
 			wg.Done()
 		}()
 	}
 	if mainConfig.reconcile.ClusterFederatedTrustDomains {
 		federationRelationshipReconciler := spirefederationrelationship.Reconciler(spirefederationrelationship.ReconcilerConfig{
 			K8sClient:          nil,
 			TrustDomainClient:  spireClient,
 			GCInterval:         mainConfig.ctrlConfig.GCInterval,
 			ClassName:          mainConfig.ctrlConfig.ClassName,
 			WatchClassless:     mainConfig.ctrlConfig.WatchClassless,
 			StaticManifestPath: mainConfig.ctrlConfig.StaticManifestPath,
 		})
 		go func() {
 			err = federationRelationshipReconciler.Run(ctx)
 			if err != nil {
 				setupLog.Error(err, "failure starting federation relationship reconciler", "controller", "ClusterFederatedTrustDomain")
 			}
 			wg.Done()
 		}()
 	}
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
 		setupLog.Error(err, "unable to set up health check")
 		return err
 	}
 	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
 		setupLog.Error(err, "unable to set up ready check")
 		return err
 	}
 	wg.Wait()
 	setupLog.Info("starting manager")
 	if err := mgr.Start(ctx); err != nil {
 		setupLog.Error(err, "problem running manager")
 		return err
 	}
 	return nil
 }
 func autoDetectClusterDomain() (string, error) {
 	cname, err := net.LookupCNAME(k8sDefaultService)
 	if err != nil {
 		return "", fmt.Errorf("unable to lookup CNAME: %w", err)
 	}
 	clusterDomain, err := parseClusterDomainCNAME(cname)
 	if err != nil {
 		return "", fmt.Errorf("unable to parse CNAME \"%s\": %w", cname, err)
 	}
 	return clusterDomain, nil
 }
 func parseClusterDomainCNAME(cname string) (string, error) {
 	clusterDomain := strings.TrimPrefix(cname, k8sDefaultService+".")
 	if clusterDomain == cname {
 		return "", errors.New("CNAME did not have expected prefix")
 	}
 	// Trim off optional trailing dot
 	clusterDomain = strings.TrimSuffix(clusterDomain, ".")
 	if clusterDomain == "" {
 		return "", errors.New("CNAME did not have a cluster domain")
 	}
 	return clusterDomain, nil
 }
 func setLogger(opts *zap.Options, logLevel string, logEncoding string) error {
 	if logLevel != "" && opts.Level == nil {
 		zapLogLevel, err := getLogLevel(logLevel)
 		if err != nil {
 			return fmt.Errorf("unable to parse log level: %w", err)
 		}
 		opts.Level = zapLogLevel
 	}
 	if logEncoding != "" && opts.Encoder == nil {
 		switch logEncoding {
 		case "console":
 			zap.ConsoleEncoder(opts.EncoderConfigOptions...)(opts)
 		case "json":
 			zap.JSONEncoder(opts.EncoderConfigOptions...)(opts)
 		default:
 			return fmt.Errorf("unrecognized log encoding: %s", logEncoding)
 		}
 	}
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(opts)))
 	return nil
 }
 func getLogLevel(logLevel string) (zapcore.Level, error) {
 	switch strings.ToLower(logLevel) {
 	case "debug":
 		return zapcore.DebugLevel, nil
 	case "warn":
 		return zapcore.WarnLevel, nil
 	case "error":
 		return zapcore.ErrorLevel, nil
 	case "info":
 		return zapcore.InfoLevel, nil
 	default:
 		return zapcore.InfoLevel, fmt.Errorf("invalid log level: %q", logLevel)
 	}
 }
--- a/config/crd/bases/spire.spiffe.io_clusterfederatedtrustdomains.yaml
+++ b/config/crd/bases/spire.spiffe.io_clusterfederatedtrustdomains.yaml
@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.14.0
  creationTimestamp: null
  name: clusterfederatedtrustdomains.spire.spiffe.io
 spec:
  group: spire.spiffe.io
@ -29,14 +28,19 @@ spec:
          API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
+            description: |-
-              of an object. Servers should convert recognized schemas to the latest
+              APIVersion defines the versioned schema of this representation of an object.
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
+            description: |-
-              object represents. Servers may infer this from the endpoint the client
+              Kind is a string value representing the REST resource this object represents.
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@ -48,8 +52,9 @@ spec:
                description: BundleEndpointProfile is the profile for the bundle endpoint.
                properties:
                  endpointSPIFFEID:
-                    description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint.
+                    description: |-
-                      It is required for the "https_spiffe" profile.
+                      EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. It is
                      required for the "https_spiffe" profile.
                    type: string
                  type:
                    description: Type is the type of the bundle endpoint profile.
@ -61,8 +66,12 @@ spec:
                - type
                type: object
              bundleEndpointURL:
-                description: BundleEndpointURL is the URL of the bundle endpoint.
+                description: |-
-                  It must be an HTTPS URL and cannot contain userinfo (i.e. username/password).
+                  BundleEndpointURL is the URL of the bundle endpoint. It must be an
                  HTTPS URL and cannot contain userinfo (i.e. username/password).
                type: string
              className:
                description: Set which Controller Class will act on this object
                type: string
              trustDomain:
                description: TrustDomain is the name of the trust domain to federate
@ -70,9 +79,9 @@ spec:
                pattern: '[a-z0-9._-]{1,255}'
                type: string
              trustDomainBundle:
-                description: TrustDomainBundle is the contents of the bundle for the
+                description: |-
-                  referenced trust domain. This field is optional when the resource
+                  TrustDomainBundle is the contents of the bundle for the referenced trust
-                  is created.
+                  domain. This field is optional when the resource is created.
                type: string
            required:
            - bundleEndpointProfile
--- a/config/crd/bases/spire.spiffe.io_clusterspiffeids.yaml
+++ b/config/crd/bases/spire.spiffe.io_clusterspiffeids.yaml
@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.14.0
  creationTimestamp: null
  name: clusterspiffeids.spire.spiffe.io
 spec:
  group: spire.spiffe.io
@ -21,14 +20,19 @@ spec:
        description: ClusterSPIFFEID is the Schema for the clusterspiffeids API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
+            description: |-
-              of an object. Servers should convert recognized schemas to the latest
+              APIVersion defines the versioned schema of this representation of an object.
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
+            description: |-
-              object represents. Servers may infer this from the endpoint the client
+              Kind is a string value representing the REST resource this object represents.
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@ -36,95 +40,79 @@ spec:
            description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID
            properties:
              admin:
-                description: Admin indicates whether or not the SVID can be used to
+                description: |-
-                  access the SPIRE administrative APIs. Extra care should be taken
+                  Admin indicates whether or not the SVID can be used to access the SPIRE
-                  to only apply this SPIFFE ID to admin workloads.
+                  administrative APIs. Extra care should be taken to only apply this
                  SPIFFE ID to admin workloads.
                type: boolean
              autoPopulateDNSNames:
                description: AutoPopulateDNSNames indicates whether or not to auto
                  populate service DNS names.
                type: boolean
              className:
                description: Set which Controller Class will act on this object
                type: string
              fallback:
                description: |-
                  Apply this ID only if there are no other matching non fallback
                  ClusterSPIFFEIDs
                type: boolean
              dnsNameTemplates:
-                description: DNSNameTemplate represents templates for extra DNS names
+                description: |-
-                  that are applicable to SVIDs minted for this ClusterSPIFFEID. The
+                  DNSNameTemplate represents templates for extra DNS names that are
-                  node and pod spec are made available to the template under .NodeSpec,
+                  applicable to SVIDs minted for this ClusterSPIFFEID.
-                  .PodSpec respectively.
+                  The node and pod spec are made available to the template under
                  .NodeSpec, .PodSpec respectively.
                items:
                  type: string
                type: array
              downstream:
                description: Downstream indicates that the entry describes a downstream
                  SPIRE server.
                type: boolean
              federatesWith:
-                description: FederatesWith is a list of trust domain names that workloads
+                description: |-
-                  that obtain this SPIFFE ID will federate with.
+                  FederatesWith is a list of trust domain names that workloads that
                  obtain this SPIFFE ID will federate with.
                items:
                  type: string
                type: array
              hint:
                description: |-
                  Set the entry hint
                type: string
              jwtTtl:
                description: |-
                  JWTTTL indicates an upper-bound time-to-live for JWT SVIDs minted for this
                  ClusterSPIFFEID.
                type: string
              namespaceSelector:
-                description: NamespaceSelector selects the namespaces that are targetted
+                description: |-
-                  by this CRD.
+                  NamespaceSelector selects the namespaces that are targeted by this
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements.
                      The requirements are ANDed.
                    items:
                      description: A label selector requirement is a selector that
                        contains values, a key, and an operator that relates the key
                        and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies
                            to.
                          type: string
                        operator:
                          description: operator represents a key's relationship to
                            a set of values. Valid operators are In, NotIn, Exists
                            and DoesNotExist.
                          type: string
                        values:
                          description: values is an array of string values. If the
                            operator is In or NotIn, the values array must be non-empty.
                            If the operator is Exists or DoesNotExist, the values
                            array must be empty. This array is replaced during a strategic
                            merge patch.
                          items:
                            type: string
                          type: array
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: matchLabels is a map of {key,value} pairs. A single
                      {key,value} in the matchLabels map is equivalent to an element
                      of matchExpressions, whose key field is "key", the operator
                      is "In", and the values array contains only "value". The requirements
                      are ANDed.
                    type: object
                type: object
              podSelector:
                description: PodSelector selects the pods that are targetted by this
                  CRD.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements.
                      The requirements are ANDed.
                    items:
-                      description: A label selector requirement is a selector that
+                      description: |-
-                        contains values, a key, and an operator that relates the key
+                        A label selector requirement is a selector that contains values, a key, and an operator that
-                        and values.
+                        relates the key and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies
                            to.
                          type: string
                        operator:
-                          description: operator represents a key's relationship to
+                          description: |-
-                            a set of values. Valid operators are In, NotIn, Exists
+                            operator represents a key's relationship to a set of values.
-                            and DoesNotExist.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
                          type: string
                        values:
-                          description: values is an array of string values. If the
+                          description: |-
-                            operator is In or NotIn, the values array must be non-empty.
+                            values is an array of string values. If the operator is In or NotIn,
-                            If the operator is Exists or DoesNotExist, the values
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                            array must be empty. This array is replaced during a strategic
+                            the values array must be empty. This array is replaced during a strategic
                            merge patch.
                          items:
                            type: string
@ -137,30 +125,78 @@ spec:
                  matchLabels:
                    additionalProperties:
                      type: string
-                    description: matchLabels is a map of {key,value} pairs. A single
+                    description: |-
-                      {key,value} in the matchLabels map is equivalent to an element
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                      of matchExpressions, whose key field is "key", the operator
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
-                      is "In", and the values array contains only "value". The requirements
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                      are ANDed.
                    type: object
                type: object
                x-kubernetes-map-type: atomic
              podSelector:
                description: |-
                  PodSelector selects the pods that are targeted by this
                  CRD.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements.
                      The requirements are ANDed.
                    items:
                      description: |-
                        A label selector requirement is a selector that contains values, a key, and an operator that
                        relates the key and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies
                            to.
                          type: string
                        operator:
                          description: |-
                            operator represents a key's relationship to a set of values.
                            Valid operators are In, NotIn, Exists and DoesNotExist.
                          type: string
                        values:
                          description: |-
                            values is an array of string values. If the operator is In or NotIn,
                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
                            the values array must be empty. This array is replaced during a strategic
                            merge patch.
                          items:
                            type: string
                          type: array
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: |-
                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                      map is equivalent to an element of matchExpressions, whose key field is "key", the
                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                    type: object
                type: object
                x-kubernetes-map-type: atomic
              spiffeIDTemplate:
-                description: SPIFFEID is the SPIFFE ID template. The node and pod
+                description: |-
-                  spec are made available to the template under .NodeSpec, .PodSpec
+                  SPIFFEID is the SPIFFE ID template. The node and pod spec are made
-                  respectively.
+                  available to the template under .NodeSpec, .PodSpec respectively.
                type: string
              ttl:
-                description: TTL indicates an upper-bound time-to-live for SVIDs minted
+                description: |-
-                  for this ClusterSPIFFEID. If unset, a default will be chosen.
+                  TTL indicates an upper-bound time-to-live for X509 SVIDs minted for this
                  ClusterSPIFFEID. If unset, a default will be chosen.
                type: string
              workloadSelectorTemplates:
-                description: WorkloadSelectorTemplates are templates to produce arbitrary
+                description: |-
-                  workload selectors that apply to a given workload before it will
+                  WorkloadSelectorTemplates are templates to produce arbitrary workload
-                  receive this SPIFFE ID. The rendered value is interpreted by SPIRE
+                  selectors that apply to a given workload before it will receive this
-                  and are of the form type:value, where the value may, and often does,
+                  SPIFFE ID. The rendered value is interpreted by SPIRE and are of the
-                  contain semicolons, .e.g., k8s:container-image:docker/hello-world
+                  form type:value, where the value may, and often does, contain
-                  The node and pod spec are made available to the template under .NodeSpec,
+                  semicolons, .e.g., k8s:container-image:docker/hello-world
-                  .PodSpec respectively.
+                  The node and pod spec are made available to the template under
                  .NodeSpec, .PodSpec respectively.
                items:
                  type: string
                type: array
@ -174,21 +210,22 @@ spec:
                description: Stats produced by the last entry reconciliation run
                properties:
                  entriesMasked:
-                    description: How many entries were masked by entries for other
+                    description: |-
-                      ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs
+                      How many entries were masked by entries for other ClusterSPIFFEIDs.
-                      produce an entry for the same pod with the same set of workload
+                      This happens when one or more ClusterSPIFFEIDs produce an entry for
-                      selectors.
+                      the same pod with the same set of workload selectors.
                    type: integer
                  entriesToSet:
-                    description: How many entries are to be set for this ClusterSPIFFEID.
+                    description: |-
-                      In nominal conditions, this should reflect the number of pods
+                      How many entries are to be set for this ClusterSPIFFEID. In nominal
-                      selected, but not always if there were problems encountered
+                      conditions, this should reflect the number of pods selected, but not
-                      rendering an entry for the pod (RenderFailures) or entries are
+                      always if there were problems encountered rendering an entry for the pod
-                      masked (EntriesMasked).
+                      (RenderFailures) or entries are masked (EntriesMasked).
                    type: integer
                  entryFailures:
-                    description: How many entries were unable to be set due to failures
+                    description: |-
-                      to create or update the entries via the SPIRE Server API.
+                      How many entries were unable to be set due to failures to create or
                      update the entries via the SPIRE Server API.
                    type: integer
                  namespacesIgnored:
                    description: How many (selected) namespaces were ignored (based
@ -198,10 +235,11 @@ spec:
                    description: How many namespaces were selected.
                    type: integer
                  podEntryRenderFailures:
-                    description: How many failures were encountered rendering an entry
+                    description: |-
-                      selected pods. This could be due to either a bad template in
+                      How many failures were encountered rendering an entry selected pods.
-                      the ClusterSPIFFEID or Pod metadata that when applied to the
+                      This could be due to either a bad template in the ClusterSPIFFEID or
-                      template did not produce valid entry values.
+                      Pod metadata that when applied to the template did not produce valid
                      entry values.
                    type: integer
                  podsSelected:
                    description: How many pods were selected out of the namespaces.
--- a/config/crd/bases/spire.spiffe.io_clusterstaticentries.yaml
+++ b/config/crd/bases/spire.spiffe.io_clusterstaticentries.yaml
@ -0,0 +1,106 @@
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: clusterstaticentries.spire.spiffe.io
 spec:
  group: spire.spiffe.io
  names:
    kind: ClusterStaticEntry
    listKind: ClusterStaticEntryList
    plural: clusterstaticentries
    singular: clusterstaticentry
  scope: Cluster
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ClusterStaticEntry is the Schema for the clusterstaticentries
          API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry
            properties:
              admin:
                type: boolean
              className:
                description: Set which Controller Class will act on this object
                type: string
              dnsNames:
                items:
                  type: string
                type: array
              downstream:
                type: boolean
              federatesWith:
                items:
                  type: string
                type: array
              hint:
                type: string
              jwtSVIDTTL:
                type: string
              parentID:
                type: string
              selectors:
                items:
                  type: string
                type: array
              spiffeID:
                type: string
              storeSVID:
                type: boolean
              x509SVIDTTL:
                type: string
            required:
            - parentID
            - selectors
            - spiffeID
            type: object
          status:
            description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry
            properties:
              masked:
                description: If the static entry was masked by another entry.
                type: boolean
              rendered:
                description: If the static entry rendered properly.
                type: boolean
              set:
                description: If the static entry was successfully created/updated.
                type: boolean
            required:
            - masked
            - rendered
            - set
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/config/crd/kustomization.yaml
+++ b/config/crd/kustomization.yaml
@ -5,6 +5,7 @@ resources:
 - bases/spire.spiffe.io_clusterspiffeids.yaml
 - bases/spire.spiffe.io_clusterfederatedtrustdomains.yaml
 - bases/spire.spiffe.io_controllermanagerconfigs.yaml
 - bases/spire.spiffe.io_clusterstaticentries.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 patchesStrategicMerge:
@ -13,6 +14,7 @@ patchesStrategicMerge:
 #- patches/webhook_in_clusterspiffeids.yaml
 #- patches/webhook_in_clusterfederatedtrustdomains.yaml
 #- patches/webhook_in_controllermanagerconfigs.yaml
 #- patches/webhook_in_clusterstaticentries.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
@ -20,6 +22,7 @@ patchesStrategicMerge:
 #- patches/cainjection_in_clusterspiffeids.yaml
 #- patches/cainjection_in_clusterfederatedtrustdomains.yaml
 #- patches/cainjection_in_controllermanagerconfigs.yaml
 #- patches/cainjection_in_clusterstaticentries.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 # the following config is for teaching kustomize how to do kustomization for CRDs.
--- a/config/crd/patches/cainjection_in_clusterstaticentries.yaml
+++ b/config/crd/patches/cainjection_in_clusterstaticentries.yaml
@ -0,0 +1,7 @@
 # The following patch adds a directive for certmanager to inject CA into the CRD
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
  name: clusterstaticentries.spire.spiffe.io
--- a/config/crd/patches/webhook_in_clusterstaticentries.yaml
+++ b/config/crd/patches/webhook_in_clusterstaticentries.yaml
@ -0,0 +1,16 @@
 # The following patch enables a conversion webhook for the CRD
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: clusterstaticentries.spire.spiffe.io
 spec:
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        service:
          namespace: system
          name: webhook-service
          path: /convert
      conversionReviewVersions:
      - v1
--- a/config/rbac/clusterstaticentry_editor_role.yaml
+++ b/config/rbac/clusterstaticentry_editor_role.yaml
@ -0,0 +1,24 @@
 # permissions for end users to edit clusterstaticentries.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: clusterstaticentry-editor-role
 rules:
 - apiGroups:
  - spire.spiffe.io
  resources:
  - clusterstaticentries
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
 - apiGroups:
  - spire.spiffe.io
  resources:
  - clusterstaticentries/status
  verbs:
  - get
--- a/config/rbac/clusterstaticentry_viewer_role.yaml
+++ b/config/rbac/clusterstaticentry_viewer_role.yaml
@ -0,0 +1,20 @@
 # permissions for end users to view clusterstaticentries.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: clusterstaticentry-viewer-role
 rules:
 - apiGroups:
  - spire.spiffe.io
  resources:
  - clusterstaticentries
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - spire.spiffe.io
  resources:
  - clusterstaticentries/status
  verbs:
  - get
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@ -2,9 +2,16 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  creationTimestamp: null
  name: manager-role
 rules:
 - apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  resources:
@ -29,6 +36,15 @@ rules:
  - get
  - list
  - watch
 - apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - patch
  - watch
 - apiGroups:
  - spire.spiffe.io
  resources:
@ -81,3 +97,29 @@ rules:
  - get
  - patch
  - update
 - apiGroups:
  - spire.spiffe.io
  resources:
  - clusterstaticentries
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
 - apiGroups:
  - spire.spiffe.io
  resources:
  - clusterstaticentries/finalizers
  verbs:
  - update
 - apiGroups:
  - spire.spiffe.io
  resources:
  - clusterstaticentries/status
  verbs:
  - get
  - patch
  - update
--- a/config/samples/spire_v1alpha1_clusterstaticentry.yaml
+++ b/config/samples/spire_v1alpha1_clusterstaticentry.yaml
@ -0,0 +1,6 @@
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ClusterStaticEntry
 metadata:
  name: clusterstaticentry-sample
 spec:
  # TODO(user): Add fields here
--- a/config/webhook/manifests.yaml
+++ b/config/webhook/manifests.yaml
@ -2,7 +2,6 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
  creationTimestamp: null
  name: validating-webhook-configuration
 webhooks:
 - admissionReviewVersions:
--- a/demo/README.md
+++ b/demo/README.md
@ -33,9 +33,9 @@ Build the greeter server and client:
 Pull the requisite images:
-    $ echo ghcr.io/spiffe/spire-server:1.2.3 \
+    $ echo ghcr.io/spiffe/spire-server:1.10.4 \
-        ghcr.io/spiffe/spire-agent:1.2.3 \
+        ghcr.io/spiffe/spire-agent:1.10.4 \
-        ghcr.io/spiffe/spiffe-csi-driver:0.1.0 \
+        ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
        ghcr.io/spiffe/spire-controller-manager:nightly \
        | xargs -n1 docker pull
@ -43,9 +43,9 @@ Start up cluster1 and load the requisite images:
    $ ./cluster1 kind create cluster
    $ echo \
-        ghcr.io/spiffe/spire-server:1.2.3 \
+        ghcr.io/spiffe/spire-server:1.10.4 \
-        ghcr.io/spiffe/spire-agent:1.2.3 \
+        ghcr.io/spiffe/spire-agent:1.10.4 \
-        ghcr.io/spiffe/spiffe-csi-driver:0.1.0 \
+        ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
        ghcr.io/spiffe/spire-controller-manager:nightly \
        greeter-server:demo \
        | xargs -n1 ./cluster1 kind load docker-image
@ -54,9 +54,9 @@ Start up cluster 2 and load the requisite images:
    $ ./cluster2 kind create cluster
    $ echo \
-        ghcr.io/spiffe/spire-server:1.1.0 \
+        ghcr.io/spiffe/spire-server:1.10.4 \
-        ghcr.io/spiffe/spire-agent:1.1.0 \
+        ghcr.io/spiffe/spire-agent:1.10.4 \
-        ghcr.io/spiffe/spiffe-csi-driver:nightly \
+        ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
        ghcr.io/spiffe/spire-controller-manager:nightly \
        greeter-client:demo \
        | xargs -n1 ./cluster2 kind load docker-image
--- a/demo/config/cluster1/crd-rbac/role.yaml
+++ b/demo/config/cluster1/crd-rbac/role.yaml
@ -15,6 +15,9 @@ rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterfederatedtrustdomains"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
@ -33,3 +36,12 @@ rules:
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterspiffeids/status"]
    verbs: ["get", "patch", "update"]
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterstaticentries"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterstaticentries/finalizers"]
    verbs: ["update"]
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterstaticentries/status"]
    verbs: ["get", "patch", "update"]
--- a/demo/config/cluster1/crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml
+++ b/demo/config/cluster1/crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml
@ -1,8 +1,9 @@
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.4.1
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: clusterfederatedtrustdomains.spire.spiffe.io
 spec:
  group: spire.spiffe.io
@ -20,9 +21,6 @@ spec:
    - jsonPath: .spec.bundleEndpointURL
      name: Endpoint URL
      type: string
        - jsonPath: .spec.bundleEndpointProfile
          name: Endpoint Profile
          type: string
    name: v1alpha1
    schema:
      openAPIV3Schema:
@ -65,14 +63,18 @@ spec:
                description: BundleEndpointURL is the URL of the bundle endpoint.
                  It must be an HTTPS URL and cannot contain userinfo (i.e. username/password).
                type: string
              className:
                description: Set which Controller Class will act on this object
                type: string
              trustDomain:
                description: TrustDomain is the name of the trust domain to federate
                  with (e.g. example.org)
                pattern: '[a-z0-9._-]{1,255}'
                type: string
              trustDomainBundle:
-                  description: TrustDomainBundle is the initial contents of the bundle
+                description: TrustDomainBundle is the contents of the bundle for the
-                    for the referenced trust domain. This field is optional.
+                  referenced trust domain. This field is optional when the resource
                  is created.
                type: string
            required:
            - bundleEndpointProfile
@ -86,3 +88,11 @@ spec:
        type: object
    served: true
    storage: true
    subresources:
      status: {}
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/demo/config/cluster1/crd/spire.spiffe.io_clusterspiffeids.yaml
+++ b/demo/config/cluster1/crd/spire.spiffe.io_clusterspiffeids.yaml
@ -1,8 +1,9 @@
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.4.1
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: clusterspiffeids.spire.spiffe.io
 spec:
  group: spire.spiffe.io
@ -19,14 +20,19 @@ spec:
        description: ClusterSPIFFEID is the Schema for the clusterspiffeids API
        properties:
          apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation
+            description: |-
-              of an object. Servers should convert recognized schemas to the latest
+              APIVersion defines the versioned schema of this representation of an object.
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-              description: 'Kind is a string value representing the REST resource this
+            description: |-
-              object represents. Servers may infer this from the endpoint the client
+              Kind is a string value representing the REST resource this object represents.
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@ -34,95 +40,79 @@ spec:
            description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID
            properties:
              admin:
-                  description: Admin indicates whether or not the SVID can be used to
+                description: |-
-                    access the SPIRE administrative APIs. Extra care should be taken
+                  Admin indicates whether or not the SVID can be used to access the SPIRE
-                    to only apply this SPIFFE ID to admin workloads.
+                  administrative APIs. Extra care should be taken to only apply this
                  SPIFFE ID to admin workloads.
                type: boolean
              autoPopulateDNSNames:
                description: AutoPopulateDNSNames indicates whether or not to auto
                  populate service DNS names.
                type: boolean
              className:
                description: Set which Controller Class will act on this object
                type: string
              fallback:
                description: |-
                  Apply this ID only if there are no other matching non fallback
                  ClusterSPIFFEIDs
                type: boolean
              dnsNameTemplates:
-                  description: DNSNameTemplate represents templates for extra DNS names
+                description: |-
-                    that are applicable to SVIDs minted for this ClusterSPIFFEID. The
+                  DNSNameTemplate represents templates for extra DNS names that are
-                    node and pod spec are made available to the template under .NodeSpec,
+                  applicable to SVIDs minted for this ClusterSPIFFEID.
-                    .PodSpec respectively.
+                  The node and pod spec are made available to the template under
                  .NodeSpec, .PodSpec respectively.
                items:
                  type: string
                type: array
              downstream:
                description: Downstream indicates that the entry describes a downstream
                  SPIRE server.
                type: boolean
              federatesWith:
-                  description: FederatesWith is a list of trust domain names that workloads
+                description: |-
-                    that obtain this SPIFFE ID will federate with.
+                  FederatesWith is a list of trust domain names that workloads that
                  obtain this SPIFFE ID will federate with.
                items:
                  type: string
                type: array
              hint:
                description: |-
                  Set the entry hint
                type: string
              jwtTtl:
                description: |-
                  JWTTTL indicates an upper-bound time-to-live for JWT SVIDs minted for this
                  ClusterSPIFFEID.
                type: string
              namespaceSelector:
-                  description: NamespaceSelector selects the namespaces that are targetted
+                description: |-
-                    by this CRD.
+                  NamespaceSelector selects the namespaces that are targeted by this
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: A label selector requirement is a selector that
                          contains values, a key, and an operator that relates the key
                          and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: operator represents a key's relationship to
                              a set of values. Valid operators are In, NotIn, Exists
                              and DoesNotExist.
                            type: string
                          values:
                            description: values is an array of string values. If the
                              operator is In or NotIn, the values array must be non-empty.
                              If the operator is Exists or DoesNotExist, the values
                              array must be empty. This array is replaced during a strategic
                              merge patch.
                            items:
                              type: string
                            type: array
                        required:
                          - key
                          - operator
                        type: object
                      type: array
                    matchLabels:
                      additionalProperties:
                        type: string
                      description: matchLabels is a map of {key,value} pairs. A single
                        {key,value} in the matchLabels map is equivalent to an element
                        of matchExpressions, whose key field is "key", the operator
                        is "In", and the values array contains only "value". The requirements
                        are ANDed.
                      type: object
                  type: object
                podSelector:
                  description: PodSelector selects the pods that are targetted by this
                  CRD.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements.
                      The requirements are ANDed.
                    items:
-                        description: A label selector requirement is a selector that
+                      description: |-
-                          contains values, a key, and an operator that relates the key
+                        A label selector requirement is a selector that contains values, a key, and an operator that
-                          and values.
+                        relates the key and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies
                            to.
                          type: string
                        operator:
-                            description: operator represents a key's relationship to
+                          description: |-
-                              a set of values. Valid operators are In, NotIn, Exists
+                            operator represents a key's relationship to a set of values.
-                              and DoesNotExist.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
                          type: string
                        values:
-                            description: values is an array of string values. If the
+                          description: |-
-                              operator is In or NotIn, the values array must be non-empty.
+                            values is an array of string values. If the operator is In or NotIn,
-                              If the operator is Exists or DoesNotExist, the values
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                              array must be empty. This array is replaced during a strategic
+                            the values array must be empty. This array is replaced during a strategic
                            merge patch.
                          items:
                            type: string
@ -135,30 +125,78 @@ spec:
                  matchLabels:
                    additionalProperties:
                      type: string
-                      description: matchLabels is a map of {key,value} pairs. A single
+                    description: |-
-                        {key,value} in the matchLabels map is equivalent to an element
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                        of matchExpressions, whose key field is "key", the operator
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
-                        is "In", and the values array contains only "value". The requirements
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                        are ANDed.
                    type: object
                type: object
                x-kubernetes-map-type: atomic
              podSelector:
                description: |-
                  PodSelector selects the pods that are targeted by this
                  CRD.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements.
                      The requirements are ANDed.
                    items:
                      description: |-
                        A label selector requirement is a selector that contains values, a key, and an operator that
                        relates the key and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies
                            to.
                          type: string
                        operator:
                          description: |-
                            operator represents a key's relationship to a set of values.
                            Valid operators are In, NotIn, Exists and DoesNotExist.
                          type: string
                        values:
                          description: |-
                            values is an array of string values. If the operator is In or NotIn,
                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
                            the values array must be empty. This array is replaced during a strategic
                            merge patch.
                          items:
                            type: string
                          type: array
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: |-
                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                      map is equivalent to an element of matchExpressions, whose key field is "key", the
                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                    type: object
                type: object
                x-kubernetes-map-type: atomic
              spiffeIDTemplate:
-                  description: SPIFFEID is the SPIFFE ID template. The node and pod
+                description: |-
-                    spec are made available to the template under .NodeSpec, .PodSpec
+                  SPIFFEID is the SPIFFE ID template. The node and pod spec are made
-                    respectively.
+                  available to the template under .NodeSpec, .PodSpec respectively.
                type: string
              ttl:
-                  description: TTL indicates an upper-bound time-to-live for SVIDs minted
+                description: |-
-                    for this ClusterSPIFFEID. If unset, a default will be chosen.
+                  TTL indicates an upper-bound time-to-live for X509 SVIDs minted for this
                  ClusterSPIFFEID. If unset, a default will be chosen.
                type: string
              workloadSelectorTemplates:
-                  description: WorkloadSelectorTemplates are templates to produce arbitrary
+                description: |-
-                    workload selectors that apply to a given workload before it will
+                  WorkloadSelectorTemplates are templates to produce arbitrary workload
-                    receive this SPIFFE ID. The rendered value is interpreted by SPIRE
+                  selectors that apply to a given workload before it will receive this
-                    and are of the form type:value, where the value may, and often does,
+                  SPIFFE ID. The rendered value is interpreted by SPIRE and are of the
-                    contain semicolons, .e.g., k8s:container-image:docker/hello-world
+                  form type:value, where the value may, and often does, contain
-                    The node and pod spec are made available to the template under .NodeSpec,
+                  semicolons, .e.g., k8s:container-image:docker/hello-world
-                    .PodSpec respectively.
+                  The node and pod spec are made available to the template under
                  .NodeSpec, .PodSpec respectively.
                items:
                  type: string
                type: array
@ -172,21 +210,22 @@ spec:
                description: Stats produced by the last entry reconciliation run
                properties:
                  entriesMasked:
-                      description: How many entries were masked by entries for other
+                    description: |-
-                        ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs
+                      How many entries were masked by entries for other ClusterSPIFFEIDs.
-                        produce an entry for the same pod with the same set of workload
+                      This happens when one or more ClusterSPIFFEIDs produce an entry for
-                        selectors.
+                      the same pod with the same set of workload selectors.
                    type: integer
                  entriesToSet:
-                      description: How many entries are to be set for this ClusterSPIFFEID.
+                    description: |-
-                        In nominal conditions, this should reflect the number of pods
+                      How many entries are to be set for this ClusterSPIFFEID. In nominal
-                        selected, but not always if there were problems encountered
+                      conditions, this should reflect the number of pods selected, but not
-                        rendering an entry for the pod (RenderFailures) or entries are
+                      always if there were problems encountered rendering an entry for the pod
-                        masked (EntriesMasked).
+                      (RenderFailures) or entries are masked (EntriesMasked).
                    type: integer
                  entryFailures:
-                      description: How many entries were unable to be set due to failures
+                    description: |-
-                        to create or update the entries via the SPIRE Server API.
+                      How many entries were unable to be set due to failures to create or
                      update the entries via the SPIRE Server API.
                    type: integer
                  namespacesIgnored:
                    description: How many (selected) namespaces were ignored (based
@ -196,10 +235,11 @@ spec:
                    description: How many namespaces were selected.
                    type: integer
                  podEntryRenderFailures:
-                      description: How many failures were encountered rendering an entry
+                    description: |-
-                        selected pods. This could be due to either a bad template in
+                      How many failures were encountered rendering an entry selected pods.
-                        the ClusterSPIFFEID or Pod metadata that when applied to the
+                      This could be due to either a bad template in the ClusterSPIFFEID or
-                        template did not produce valid entry values.
+                      Pod metadata that when applied to the template did not produce valid
                      entry values.
                    type: integer
                  podsSelected:
                    description: How many pods were selected out of the namespaces.
@ -209,3 +249,11 @@ spec:
        type: object
    served: true
    storage: true
    subresources:
      status: {}
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/demo/config/cluster1/crd/spire.spiffe.io_clusterstaticentries.yaml
+++ b/demo/config/cluster1/crd/spire.spiffe.io_clusterstaticentries.yaml
@ -0,0 +1,101 @@
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: clusterstaticentries.spire.spiffe.io
 spec:
  group: spire.spiffe.io
  names:
    kind: ClusterStaticEntry
    listKind: ClusterStaticEntryList
    plural: clusterstaticentries
    singular: clusterstaticentry
  scope: Cluster
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ClusterStaticEntry is the Schema for the clusterstaticentries
          API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry
            properties:
              admin:
                type: boolean
              className:
                description: Set which Controller Class will act on this object
                type: string
              dnsNames:
                items:
                  type: string
                type: array
              downstream:
                type: boolean
              federatesWith:
                items:
                  type: string
                type: array
              hint:
                type: string
              jwtSVIDTTL:
                type: string
              parentID:
                type: string
              selectors:
                items:
                  type: string
                type: array
              spiffeID:
                type: string
              storeSVID:
                type: boolean
              x509SVIDTTL:
                type: string
            required:
            - parentID
            - selectors
            - spiffeID
            type: object
          status:
            description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry
            properties:
              masked:
                description: If the static entry was masked by another entry.
                type: boolean
              rendered:
                description: If the static entry rendered properly.
                type: boolean
              set:
                description: If the static entry was successfully created/updated.
                type: boolean
            required:
            - masked
            - rendered
            - set
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/demo/config/cluster1/greeter-server/greeter-server.yaml
+++ b/demo/config/cluster1/greeter-server/greeter-server.yaml
@ -33,3 +33,4 @@ spec:
      - name: spire-agent-socket
        csi:
          driver: "csi.spiffe.io"
          readOnly: true
--- a/demo/config/cluster1/kustomization.yaml
+++ b/demo/config/cluster1/kustomization.yaml
@ -3,6 +3,7 @@ resources:
 - spire/spire-namespace.yaml
 - crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml
 - crd/spire.spiffe.io_clusterspiffeids.yaml
 - crd/spire.spiffe.io_clusterstaticentries.yaml
 - crd-rbac/role.yaml
 - crd-rbac/role_binding.yaml
 - crd-rbac/leader_election_role.yaml
--- a/demo/config/cluster1/spire/spire-agent.yaml
+++ b/demo/config/cluster1/spire/spire-agent.yaml
@ -71,6 +71,7 @@ data:
      WorkloadAttestor "k8s" {
        plugin_data {
          skip_kubelet_verification = true
          node_name_env = "MY_NODE_NAME"
        }
      }
    }
@ -102,9 +103,14 @@ spec:
      serviceAccountName: spire-agent
      containers:
        - name: spire-agent
-          image: ghcr.io/spiffe/spire-agent:1.2.3
+          image: ghcr.io/spiffe/spire-agent:1.10.4
          imagePullPolicy: IfNotPresent
          args: ["-config", "/run/spire/config/agent.conf"]
          env:
          - name: MY_NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
          volumeMounts:
            - name: spire-config
              mountPath: /run/spire/config
@ -118,7 +124,7 @@ spec:
              mountPath: /run/spire/sockets
        # This is the container which runs the SPIFFE CSI driver.
        - name: spiffe-csi-driver
-          image: ghcr.io/spiffe/spiffe-csi-driver:0.1.0
+          image: ghcr.io/spiffe/spiffe-csi-driver:0.2.6
          imagePullPolicy: IfNotPresent
          args: [
            "-workload-api-socket-dir", "/spire-agent-socket",
@ -151,7 +157,7 @@ spec:
        # of all the little details required to register a CSI driver with
        # the kubelet.
        - name: node-driver-registrar
-          image: quay.io/k8scsi/csi-node-driver-registrar:v2.0.1
+          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0
          imagePullPolicy: IfNotPresent
          args: [
            "-csi-address", "/spiffe-csi/csi.sock",
--- a/demo/config/cluster1/spire/spire-controller-manager-config.yaml
+++ b/demo/config/cluster1/spire/spire-controller-manager-config.yaml
@ -2,13 +2,14 @@ apiVersion: spire.spiffe.io/v1alpha1
 kind: ControllerManagerConfig
 metrics:
  bindAddress: 127.0.0.1:8082
-healthProbe:
+health:
-  bindAddress: 127.0.0.1:8083
+  healthProbeBindAddress: 0.0.0.0:8083
 leaderElection:
  leaderElect: true
  resourceName: 98c9c988.spiffe.io
  resourceNamespace: spire-system
 clusterName: cluster1
 logLevel: info
 trustDomain: cluster1.demo
 ignoreNamespaces:
  - kube-system
--- a/demo/config/cluster1/spire/spire-server.yaml
+++ b/demo/config/cluster1/spire/spire-server.yaml
@ -176,7 +176,7 @@ spec:
      shareProcessNamespace: true
      containers:
        - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.2.3
+          image: ghcr.io/spiffe/spire-server:1.10.4
          imagePullPolicy: IfNotPresent
          args: ["-config", "/run/spire/server/config/server.conf"]
          ports:
@ -192,6 +192,12 @@ spec:
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9443
            - containerPort: 8083
              name: healthz
          readinessProbe:
            httpGet:
              path: /readyz
              port: healthz
          args:
          - "--config=spire-controller-manager-config.yaml"
          volumeMounts:
--- a/demo/config/cluster2/crd-rbac/role.yaml
+++ b/demo/config/cluster2/crd-rbac/role.yaml
@ -15,6 +15,9 @@ rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterfederatedtrustdomains"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
@ -33,3 +36,12 @@ rules:
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterspiffeids/status"]
    verbs: ["get", "patch", "update"]
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterstaticentries"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterstaticentries/finalizers"]
    verbs: ["update"]
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterstaticentries/status"]
    verbs: ["get", "patch", "update"]
--- a/demo/config/cluster2/crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml
+++ b/demo/config/cluster2/crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml
@ -1,8 +1,9 @@
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.4.1
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: clusterfederatedtrustdomains.spire.spiffe.io
 spec:
  group: spire.spiffe.io
@ -20,9 +21,6 @@ spec:
    - jsonPath: .spec.bundleEndpointURL
      name: Endpoint URL
      type: string
        - jsonPath: .spec.bundleEndpointProfile
          name: Endpoint Profile
          type: string
    name: v1alpha1
    schema:
      openAPIV3Schema:
@ -65,14 +63,18 @@ spec:
                description: BundleEndpointURL is the URL of the bundle endpoint.
                  It must be an HTTPS URL and cannot contain userinfo (i.e. username/password).
                type: string
              className:
                description: Set which Controller Class will act on this object
                type: string
              trustDomain:
                description: TrustDomain is the name of the trust domain to federate
                  with (e.g. example.org)
                pattern: '[a-z0-9._-]{1,255}'
                type: string
              trustDomainBundle:
-                  description: TrustDomainBundle is the initial contents of the bundle
+                description: TrustDomainBundle is the contents of the bundle for the
-                    for the referenced trust domain. This field is optional.
+                  referenced trust domain. This field is optional when the resource
                  is created.
                type: string
            required:
            - bundleEndpointProfile
@ -86,3 +88,11 @@ spec:
        type: object
    served: true
    storage: true
    subresources:
      status: {}
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/demo/config/cluster2/crd/spire.spiffe.io_clusterspiffeids.yaml
+++ b/demo/config/cluster2/crd/spire.spiffe.io_clusterspiffeids.yaml
@ -1,8 +1,9 @@
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.4.1
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: clusterspiffeids.spire.spiffe.io
 spec:
  group: spire.spiffe.io
@ -19,14 +20,19 @@ spec:
        description: ClusterSPIFFEID is the Schema for the clusterspiffeids API
        properties:
          apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation
+            description: |-
-              of an object. Servers should convert recognized schemas to the latest
+              APIVersion defines the versioned schema of this representation of an object.
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-              description: 'Kind is a string value representing the REST resource this
+            description: |-
-              object represents. Servers may infer this from the endpoint the client
+              Kind is a string value representing the REST resource this object represents.
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@ -34,95 +40,79 @@ spec:
            description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID
            properties:
              admin:
-                  description: Admin indicates whether or not the SVID can be used to
+                description: |-
-                    access the SPIRE administrative APIs. Extra care should be taken
+                  Admin indicates whether or not the SVID can be used to access the SPIRE
-                    to only apply this SPIFFE ID to admin workloads.
+                  administrative APIs. Extra care should be taken to only apply this
                  SPIFFE ID to admin workloads.
                type: boolean
              autoPopulateDNSNames:
                description: AutoPopulateDNSNames indicates whether or not to auto
                  populate service DNS names.
                type: boolean
              className:
                description: Set which Controller Class will act on this object
                type: string
              fallback:
                description: |-
                  Apply this ID only if there are no other matching non fallback
                  ClusterSPIFFEIDs
                type: boolean
              dnsNameTemplates:
-                  description: DNSNameTemplate represents templates for extra DNS names
+                description: |-
-                    that are applicable to SVIDs minted for this ClusterSPIFFEID. The
+                  DNSNameTemplate represents templates for extra DNS names that are
-                    node and pod spec are made available to the template under .NodeSpec,
+                  applicable to SVIDs minted for this ClusterSPIFFEID.
-                    .PodSpec respectively.
+                  The node and pod spec are made available to the template under
                  .NodeSpec, .PodSpec respectively.
                items:
                  type: string
                type: array
              downstream:
                description: Downstream indicates that the entry describes a downstream
                  SPIRE server.
                type: boolean
              federatesWith:
-                  description: FederatesWith is a list of trust domain names that workloads
+                description: |-
-                    that obtain this SPIFFE ID will federate with.
+                  FederatesWith is a list of trust domain names that workloads that
                  obtain this SPIFFE ID will federate with.
                items:
                  type: string
                type: array
              hint:
                description: |-
                  Set the entry hint
                type: string
              jwtTtl:
                description: |-
                  JWTTTL indicates an upper-bound time-to-live for JWT SVIDs minted for this
                  ClusterSPIFFEID.
                type: string
              namespaceSelector:
-                  description: NamespaceSelector selects the namespaces that are targetted
+                description: |-
-                    by this CRD.
+                  NamespaceSelector selects the namespaces that are targeted by this
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: A label selector requirement is a selector that
                          contains values, a key, and an operator that relates the key
                          and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: operator represents a key's relationship to
                              a set of values. Valid operators are In, NotIn, Exists
                              and DoesNotExist.
                            type: string
                          values:
                            description: values is an array of string values. If the
                              operator is In or NotIn, the values array must be non-empty.
                              If the operator is Exists or DoesNotExist, the values
                              array must be empty. This array is replaced during a strategic
                              merge patch.
                            items:
                              type: string
                            type: array
                        required:
                          - key
                          - operator
                        type: object
                      type: array
                    matchLabels:
                      additionalProperties:
                        type: string
                      description: matchLabels is a map of {key,value} pairs. A single
                        {key,value} in the matchLabels map is equivalent to an element
                        of matchExpressions, whose key field is "key", the operator
                        is "In", and the values array contains only "value". The requirements
                        are ANDed.
                      type: object
                  type: object
                podSelector:
                  description: PodSelector selects the pods that are targetted by this
                  CRD.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements.
                      The requirements are ANDed.
                    items:
-                        description: A label selector requirement is a selector that
+                      description: |-
-                          contains values, a key, and an operator that relates the key
+                        A label selector requirement is a selector that contains values, a key, and an operator that
-                          and values.
+                        relates the key and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies
                            to.
                          type: string
                        operator:
-                            description: operator represents a key's relationship to
+                          description: |-
-                              a set of values. Valid operators are In, NotIn, Exists
+                            operator represents a key's relationship to a set of values.
-                              and DoesNotExist.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
                          type: string
                        values:
-                            description: values is an array of string values. If the
+                          description: |-
-                              operator is In or NotIn, the values array must be non-empty.
+                            values is an array of string values. If the operator is In or NotIn,
-                              If the operator is Exists or DoesNotExist, the values
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                              array must be empty. This array is replaced during a strategic
+                            the values array must be empty. This array is replaced during a strategic
                            merge patch.
                          items:
                            type: string
@ -135,30 +125,78 @@ spec:
                  matchLabels:
                    additionalProperties:
                      type: string
-                      description: matchLabels is a map of {key,value} pairs. A single
+                    description: |-
-                        {key,value} in the matchLabels map is equivalent to an element
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                        of matchExpressions, whose key field is "key", the operator
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
-                        is "In", and the values array contains only "value". The requirements
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                        are ANDed.
                    type: object
                type: object
                x-kubernetes-map-type: atomic
              podSelector:
                description: |-
                  PodSelector selects the pods that are targeted by this
                  CRD.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements.
                      The requirements are ANDed.
                    items:
                      description: |-
                        A label selector requirement is a selector that contains values, a key, and an operator that
                        relates the key and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies
                            to.
                          type: string
                        operator:
                          description: |-
                            operator represents a key's relationship to a set of values.
                            Valid operators are In, NotIn, Exists and DoesNotExist.
                          type: string
                        values:
                          description: |-
                            values is an array of string values. If the operator is In or NotIn,
                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
                            the values array must be empty. This array is replaced during a strategic
                            merge patch.
                          items:
                            type: string
                          type: array
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: |-
                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                      map is equivalent to an element of matchExpressions, whose key field is "key", the
                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                    type: object
                type: object
                x-kubernetes-map-type: atomic
              spiffeIDTemplate:
-                  description: SPIFFEID is the SPIFFE ID template. The node and pod
+                description: |-
-                    spec are made available to the template under .NodeSpec, .PodSpec
+                  SPIFFEID is the SPIFFE ID template. The node and pod spec are made
-                    respectively.
+                  available to the template under .NodeSpec, .PodSpec respectively.
                type: string
              ttl:
-                  description: TTL indicates an upper-bound time-to-live for SVIDs minted
+                description: |-
-                    for this ClusterSPIFFEID. If unset, a default will be chosen.
+                  TTL indicates an upper-bound time-to-live for X509 SVIDs minted for this
                  ClusterSPIFFEID. If unset, a default will be chosen.
                type: string
              workloadSelectorTemplates:
-                  description: WorkloadSelectorTemplates are templates to produce arbitrary
+                description: |-
-                    workload selectors that apply to a given workload before it will
+                  WorkloadSelectorTemplates are templates to produce arbitrary workload
-                    receive this SPIFFE ID. The rendered value is interpreted by SPIRE
+                  selectors that apply to a given workload before it will receive this
-                    and are of the form type:value, where the value may, and often does,
+                  SPIFFE ID. The rendered value is interpreted by SPIRE and are of the
-                    contain semicolons, .e.g., k8s:container-image:docker/hello-world
+                  form type:value, where the value may, and often does, contain
-                    The node and pod spec are made available to the template under .NodeSpec,
+                  semicolons, .e.g., k8s:container-image:docker/hello-world
-                    .PodSpec respectively.
+                  The node and pod spec are made available to the template under
                  .NodeSpec, .PodSpec respectively.
                items:
                  type: string
                type: array
@ -172,21 +210,22 @@ spec:
                description: Stats produced by the last entry reconciliation run
                properties:
                  entriesMasked:
-                      description: How many entries were masked by entries for other
+                    description: |-
-                        ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs
+                      How many entries were masked by entries for other ClusterSPIFFEIDs.
-                        produce an entry for the same pod with the same set of workload
+                      This happens when one or more ClusterSPIFFEIDs produce an entry for
-                        selectors.
+                      the same pod with the same set of workload selectors.
                    type: integer
                  entriesToSet:
-                      description: How many entries are to be set for this ClusterSPIFFEID.
+                    description: |-
-                        In nominal conditions, this should reflect the number of pods
+                      How many entries are to be set for this ClusterSPIFFEID. In nominal
-                        selected, but not always if there were problems encountered
+                      conditions, this should reflect the number of pods selected, but not
-                        rendering an entry for the pod (RenderFailures) or entries are
+                      always if there were problems encountered rendering an entry for the pod
-                        masked (EntriesMasked).
+                      (RenderFailures) or entries are masked (EntriesMasked).
                    type: integer
                  entryFailures:
-                      description: How many entries were unable to be set due to failures
+                    description: |-
-                        to create or update the entries via the SPIRE Server API.
+                      How many entries were unable to be set due to failures to create or
                      update the entries via the SPIRE Server API.
                    type: integer
                  namespacesIgnored:
                    description: How many (selected) namespaces were ignored (based
@ -196,10 +235,11 @@ spec:
                    description: How many namespaces were selected.
                    type: integer
                  podEntryRenderFailures:
-                      description: How many failures were encountered rendering an entry
+                    description: |-
-                        selected pods. This could be due to either a bad template in
+                      How many failures were encountered rendering an entry selected pods.
-                        the ClusterSPIFFEID or Pod metadata that when applied to the
+                      This could be due to either a bad template in the ClusterSPIFFEID or
-                        template did not produce valid entry values.
+                      Pod metadata that when applied to the template did not produce valid
                      entry values.
                    type: integer
                  podsSelected:
                    description: How many pods were selected out of the namespaces.
@ -209,3 +249,11 @@ spec:
        type: object
    served: true
    storage: true
    subresources:
      status: {}
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/demo/config/cluster2/crd/spire.spiffe.io_clusterstaticentries.yaml
+++ b/demo/config/cluster2/crd/spire.spiffe.io_clusterstaticentries.yaml
@ -0,0 +1,101 @@
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: clusterstaticentries.spire.spiffe.io
 spec:
  group: spire.spiffe.io
  names:
    kind: ClusterStaticEntry
    listKind: ClusterStaticEntryList
    plural: clusterstaticentries
    singular: clusterstaticentry
  scope: Cluster
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ClusterStaticEntry is the Schema for the clusterstaticentries
          API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ClusterStaticEntrySpec defines the desired state of ClusterStaticEntry
            properties:
              admin:
                type: boolean
              className:
                description: Set which Controller Class will act on this object
                type: string
              dnsNames:
                items:
                  type: string
                type: array
              downstream:
                type: boolean
              federatesWith:
                items:
                  type: string
                type: array
              hint:
                type: string
              jwtSVIDTTL:
                type: string
              parentID:
                type: string
              selectors:
                items:
                  type: string
                type: array
              spiffeID:
                type: string
              storeSVID:
                type: boolean
              x509SVIDTTL:
                type: string
            required:
            - parentID
            - selectors
            - spiffeID
            type: object
          status:
            description: ClusterStaticEntryStatus defines the observed state of ClusterStaticEntry
            properties:
              masked:
                description: If the static entry was masked by another entry.
                type: boolean
              rendered:
                description: If the static entry rendered properly.
                type: boolean
              set:
                description: If the static entry was successfully created/updated.
                type: boolean
            required:
            - masked
            - rendered
            - set
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
 status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
--- a/demo/config/cluster2/greeter-client/greeter-client.yaml
+++ b/demo/config/cluster2/greeter-client/greeter-client.yaml
@ -37,3 +37,4 @@ spec:
      - name: spire-agent-socket
        csi:
          driver: "csi.spiffe.io"
          readOnly: true
--- a/demo/config/cluster2/kustomization.yaml
+++ b/demo/config/cluster2/kustomization.yaml
@ -3,6 +3,7 @@ resources:
 - spire/spire-namespace.yaml
 - crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml
 - crd/spire.spiffe.io_clusterspiffeids.yaml
 - crd/spire.spiffe.io_clusterstaticentries.yaml
 - crd-rbac/role.yaml
 - crd-rbac/role_binding.yaml
 - crd-rbac/leader_election_role.yaml
--- a/demo/config/cluster2/spire/spire-agent.yaml
+++ b/demo/config/cluster2/spire/spire-agent.yaml
@ -71,6 +71,7 @@ data:
      WorkloadAttestor "k8s" {
        plugin_data {
          skip_kubelet_verification = true
          node_name_env = "MY_NODE_NAME"
        }
      }
    }
@ -102,9 +103,14 @@ spec:
      serviceAccountName: spire-agent
      containers:
        - name: spire-agent
-          image: ghcr.io/spiffe/spire-agent:1.2.3
+          image: ghcr.io/spiffe/spire-agent:1.10.4
          imagePullPolicy: IfNotPresent
          args: ["-config", "/run/spire/config/agent.conf"]
          env:
          - name: MY_NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
          volumeMounts:
            - name: spire-config
              mountPath: /run/spire/config
@ -118,7 +124,7 @@ spec:
              mountPath: /run/spire/sockets
        # This is the container which runs the SPIFFE CSI driver.
        - name: spiffe-csi-driver
-          image: ghcr.io/spiffe/spiffe-csi-driver:0.1.0
+          image: ghcr.io/spiffe/spiffe-csi-driver:0.2.6
          imagePullPolicy: IfNotPresent
          args: [
            "-workload-api-socket-dir", "/spire-agent-socket",
@ -151,7 +157,7 @@ spec:
        # of all the little details required to register a CSI driver with
        # the kubelet.
        - name: node-driver-registrar
-          image: quay.io/k8scsi/csi-node-driver-registrar:v2.0.1
+          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0
          imagePullPolicy: IfNotPresent
          args: [
            "-csi-address", "/spiffe-csi/csi.sock",
--- a/demo/config/cluster2/spire/spire-controller-manager-config.yaml
+++ b/demo/config/cluster2/spire/spire-controller-manager-config.yaml
@ -2,13 +2,14 @@ apiVersion: spire.spiffe.io/v1alpha1
 kind: ControllerManagerConfig
 metrics:
  bindAddress: 127.0.0.1:8082
-healthProbe:
+health:
-  bindAddress: 127.0.0.1:8083
+  healthProbeBindAddress: 0.0.0.0:8083
 leaderElection:
  leaderElect: true
  resourceName: 98c9c988.spiffe.io
  resourceNamespace: spire-system
 clusterName: cluster2
 logLevel: info
 trustDomain: cluster2.demo
 ignoreNamespaces:
  - kube-system
--- a/demo/config/cluster2/spire/spire-server.yaml
+++ b/demo/config/cluster2/spire/spire-server.yaml
@ -176,7 +176,7 @@ spec:
      shareProcessNamespace: true
      containers:
        - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.2.3
+          image: ghcr.io/spiffe/spire-server:1.10.4
          imagePullPolicy: IfNotPresent
          args: ["-config", "/run/spire/server/config/server.conf"]
          ports:
@ -192,6 +192,12 @@ spec:
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9443
            - containerPort: 8083
              name: healthz
          readinessProbe:
            httpGet:
              path: /readyz
              port: healthz
          args:
          - "--config=spire-controller-manager-config.yaml"
          volumeMounts:
--- a/demo/config/static-entry.yaml
+++ b/demo/config/static-entry.yaml
@ -0,0 +1,16 @@
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ClusterStaticEntry
 metadata:
  name: static-entry
 spec:
  spiffeID: spiffe://cluster1.demo/static-spiffe-id
  parentID: spiffe://cluster1.demo/static-parent-id
  selectors: ["static:one", "static:two"]
  federatesWith: ["cluster1.demo"]
  x509SVIDTTL: "2h"
  jwtSVIDTTL: "6m"
  dnsNames: ["static-dns"]
  hint: "static-hint-2"
  admin: true
  downstream: true
  storeSVID: true
--- a/demo/greeter/Dockerfile
+++ b/demo/greeter/Dockerfile
@ -1,4 +1,4 @@
-FROM golang:1.17-alpine AS builder
+FROM golang:1.23.4-alpine AS builder
 WORKDIR /workspace
 COPY go.mod go.mod
 COPY go.sum go.sum
--- a/demo/greeter/cmd/greeter-client/main.go
+++ b/demo/greeter/cmd/greeter-client/main.go
@ -43,7 +43,7 @@ func main() {
 	creds := grpccredentials.MTLSClientCredentials(source, source, tlsconfig.AuthorizeID(serverID))
-	client, err := grpc.DialContext(ctx, addr, grpc.WithTransportCredentials(creds))
+	client, err := grpc.NewClient(addr, grpc.WithTransportCredentials(creds))
 	if err != nil {
 		log.Fatal(err)
 	}
--- a/demo/greeter/go.mod
+++ b/demo/greeter/go.mod
@ -1,24 +1,21 @@
 module greeter
-go 1.17
+go 1.23.4
 require (
-	github.com/kr/pretty v0.3.0
+	github.com/spiffe/go-spiffe/v2 v2.5.0
-	github.com/spiffe/go-spiffe/v2 v2.0.0-beta.10
+	google.golang.org/grpc v1.73.0
-	google.golang.org/grpc v1.41.0
+	google.golang.org/grpc/examples v0.0.0-20240422202308-34de5cf4832f
 	google.golang.org/grpc/examples v0.0.0-20211001222728-09970207abb5
 )
 require (
-	github.com/golang/protobuf v1.4.3 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/kr/text v0.2.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
-	github.com/rogpeppe/go-internal v1.6.1 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
-	github.com/zeebo/errs v1.2.2 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
-	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 // indirect
+	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/net v0.0.0-20200822124328-c89045814202 // indirect
+	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd // indirect
+	golang.org/x/text v0.23.0 // indirect
-	golang.org/x/text v0.3.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 // indirect
-	google.golang.org/genproto v0.0.0-20200806141610-86f49bd18e98 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 	google.golang.org/protobuf v1.25.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.4.1 // indirect
 )
--- a/demo/greeter/go.sum
+++ b/demo/greeter/go.sum
@ -1,144 +1,54 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
-github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
-github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
-github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0 h1:/QaMHBdZ26BB3SSst0Iwl10Epc+xhTquomWX0oZEB6w=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE=
-github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
+github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
-github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/spiffe/go-spiffe/v2 v2.0.0-beta.9 h1:quwHijb5qOBjTbWv5TCDMXIsbZjqv/LXhivWuN5a68U=
+github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
-github.com/spiffe/go-spiffe/v2 v2.0.0-beta.9/go.mod h1:TEfgrEcyFhuSuvqohJt6IxENUNeHfndWCCV1EX7UaVk=
+github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-github.com/spiffe/go-spiffe/v2 v2.0.0-beta.10 h1:UXfGMp27MlQcYCAVRl21+cZrbKXMLsFmMXam5W3qBIA=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-github.com/spiffe/go-spiffe/v2 v2.0.0-beta.10/go.mod h1:TEfgrEcyFhuSuvqohJt6IxENUNeHfndWCCV1EX7UaVk=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-github.com/zeebo/errs v1.2.2 h1:5NFypMTuSdoySVTqlNs1dEoU21QVamMQJxW/Fii5O7g=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
-github.com/zeebo/errs v1.2.2/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
-go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 h1:e0AIkUUhxyBKh6ssZNrAMeqhA7RKUj42346d1y02i2g=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-golang.org/x/net v0.0.0-20200822124328-c89045814202 h1:VvcQYSHwXgi7W+TpUR6A9g6Up98WAHf3f/ulnJ62IyA=
+google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
-golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+google.golang.org/grpc/examples v0.0.0-20240422202308-34de5cf4832f h1:DXDiMO+e57lNmXq6CXCWgoiLMvTWyJpmm8q1xQB4cFM=
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+google.golang.org/grpc/examples v0.0.0-20240422202308-34de5cf4832f/go.mod h1:uaPEAc5V00jjG3DPhGFLXGT290RUV3+aNQigs1W50/8=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd h1:xhmwyvizuTgC2qz7ZlMluP20uW+C3Rm0FD/WLDX8884=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20200806141610-86f49bd18e98 h1:LCO0fg4kb6WwkXQXRQQgUYsFeFb5taTX5WAx5O/Vt28=
 google.golang.org/genproto v0.0.0-20200806141610-86f49bd18e98/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.41.0 h1:f+PlOh7QV4iIJkPrx5NQ7qaNGFQ3OTse67yaDHfju4E=
 google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k=
 google.golang.org/grpc/examples v0.0.0-20201130180447-c456688b1860/go.mod h1:Ly7ZA/ARzg8fnPU9TyZIxoz33sEUuWX7txiqs8lPTgE=
 google.golang.org/grpc/examples v0.0.0-20211001222728-09970207abb5 h1:k1HwCrvyzmToHY1nDSfCGU63gsShFOG46m7dks5rdRw=
 google.golang.org/grpc/examples v0.0.0-20211001222728-09970207abb5/go.mod h1:gID3PKrg7pWKntu9Ss6zTLJ0ttC0X9IHgREOCZwbCVU=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/square/go-jose.v2 v2.4.1 h1:H0TmLt7/KmzlrDOpa1F+zr0Tk90PbJYBfsVUmRLrf9Y=
 gopkg.in/square/go-jose.v2 v2.4.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/demo/scripts/show-spire-entries.sh
+++ b/demo/scripts/show-spire-entries.sh
@ -5,4 +5,5 @@ set -eo pipefail
 kubectl exec -t \
    -n spire-system \
    -c spire-server deployment/spire-server -- \
-        /opt/spire/bin/spire-server entry show
+        /opt/spire/bin/spire-server entry show \
        "$@"
--- a/demo/test.sh
+++ b/demo/test.sh
@ -31,13 +31,40 @@ DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 cd "$DIR"
 cleanup() {
    if [[ "$1" -ne 0 ]]; then
      cat <<EOF >>"$GITHUB_STEP_SUMMARY"
 ### Describe Pods Cluster 1
 \`\`\`
 $(./cluster1 kubectl describe pods -n "spire-system")
 \`\`\`
 ### Logs Cluster 1
 \`\`\`
 $(./cluster1 kubectl get pods -o name -n "spire-system" | while read -r line; do echo; echo "logs for ${line}:"; ./cluster1 kubectl logs -n "spire-system" "${line}" --prefix --all-containers=true --ignore-errors=true; done)
 \`\`\`
 ### Describe Pods Cluster 2
 \`\`\`
 $(./cluster2 kubectl describe pods -n "spire-system")
 \`\`\`
 ### Logs Cluster 2
 \`\`\`
 $(./cluster2 kubectl get pods -o name -n "spire-system" | while read -r line; do echo; echo logs for "${line}:"; ./cluster2 kubectl logs -n "spire-system" "${line}" --prefix --all-containers=true --ignore-errors=true; done)
 \`\`\`
 EOF
    fi
    echo "Cleaning up..."
    ./cluster1 kind delete cluster || true
    ./cluster2 kind delete cluster || true
    echo "Done."
 }
-trap cleanup EXIT
+trap 'EC=$? && trap - SIGTERM && cleanup $EC' SIGINT SIGTERM EXIT
 log-info "Tagging devel image as nightly..."
 docker tag ghcr.io/spiffe/spire-controller-manager:{devel,nightly}
@ -46,9 +73,10 @@ log-info "Building greeter server/client..."
 (cd greeter; make docker-build)
 log-info "Pulling docker images..."
-echo ghcr.io/spiffe/spire-server:1.2.3 \
+echo ghcr.io/spiffe/spire-server:1.10.4 \
-    ghcr.io/spiffe/spire-agent:1.2.3 \
+    ghcr.io/spiffe/spire-agent:1.10.4 \
-    ghcr.io/spiffe/spiffe-csi-driver:0.1.0 \
+    ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
    registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0 \
    | xargs -n1 docker pull
 log-info "Creating cluster1..."
@ -59,18 +87,20 @@ log-info "Creating cluster2..."
 log-info "Loading images into cluster1..."
 echo \
-    ghcr.io/spiffe/spire-server:1.2.3 \
+    ghcr.io/spiffe/spire-server:1.10.4 \
-    ghcr.io/spiffe/spire-agent:1.2.3 \
+    ghcr.io/spiffe/spire-agent:1.10.4 \
-    ghcr.io/spiffe/spiffe-csi-driver:0.1.0 \
+    ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
    registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0 \
    ghcr.io/spiffe/spire-controller-manager:nightly \
    greeter-server:demo \
    | xargs -n1 ./cluster1 kind load docker-image
 log-info "Loading images into cluster2..."
 echo \
-    ghcr.io/spiffe/spire-server:1.2.3 \
+    ghcr.io/spiffe/spire-server:1.10.4 \
-    ghcr.io/spiffe/spire-agent:1.2.3 \
+    ghcr.io/spiffe/spire-agent:1.10.4 \
-    ghcr.io/spiffe/spiffe-csi-driver:0.1.0 \
+    ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
    registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0 \
    ghcr.io/spiffe/spire-controller-manager:nightly \
    greeter-client:demo \
    | xargs -n1 ./cluster2 kind load docker-image
@ -139,6 +169,13 @@ log-info "Configuring the greeter server ID in cluster1..."
 log-info "Configuring the greeter client ID in cluster2..."
 ./cluster2 kubectl apply -f config/greeter-client-id.yaml
 ############################################################################
 # Add a static entry
 ############################################################################
 log-info "Configuring the static entry in cluster1..."
 ./cluster1 kubectl apply -f config/static-entry.yaml
 ############################################################################
 # Check status
 ############################################################################
@ -172,4 +209,19 @@ if [ -z "$SUCCESS" ]; then
    fail-now "Client never received response from server :("
 fi
 log-info "Checking for the static entry..."
 SUCCESS=
 for ((i = 0; i < 30; i++)); do
    if ./cluster1 scripts/show-spire-entries.sh | grep -q static-spiffe-id; then
        log-info "Static entry created in cluster1"
        SUCCESS=true
        break
    fi
    sleep 1
 done
 if [ -z "$SUCCESS" ]; then
    fail-now "Static entry never created :("
 fi
 log-good "Success."
--- a/docs/clusterfederatedtrustdomain-crd.md
+++ b/docs/clusterfederatedtrustdomain-crd.md
@ -16,6 +16,7 @@ See the [SPIFFE Federation](https://github.com/spiffe/spiffe/blob/main/standards
 | `bundleEndpointURL`     | REQUIRED | `https://somedomain.test/bundle`                        | An HTTPS URL to the bundle endpoint for the foreign trust domain.                                                       |
 | `bundleEndpointProfile` | REQUIRED | See [Bundle Endpoint Profile](#bundle-endpoint-profile) | The profile for the bundle endpoint for the foreign trust domain.                                                       |
 | `trustDomainBundle`     | OPTIONAL |                                                         | The bundle contents for the foreign trust domain.                                                                       |
 | `className`             | OPTIONAL |                                                         | The class name of the SPIRE controller manager.                                                                         |
 ### Bundle Endpoint Profile
@ -34,7 +35,7 @@ The ClusterFederatedTrustDomain does not have any status fields.
 1. Create a federation relationship with the "backend" trust domain using the [https_web](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Federation.md#521-web-pki-https_web) profile.
-    ```
+    ```yaml
    apiVersion: spire.spiffe.io/v1alpha1
    kind: ClusterFederatedTrustDomain
    metadata:
@ -48,7 +49,7 @@ The ClusterFederatedTrustDomain does not have any status fields.
 1. Create a federation relationship with the "backend" trust domain using the [https_spiffe](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Federation.md#522-spiffe-authentication-https_spiffe) profile, including the initial bundle contents to authenticate the endpoint:
-    ```
+    ```yaml
    apiVersion: spire.spiffe.io/v1alpha1
    kind: ClusterFederatedTrustDomain
    metadata:
--- a/docs/clusterspiffeid-crd.md
+++ b/docs/clusterspiffeid-crd.md
@ -21,22 +21,27 @@ The definition can be found [here](../api/v1alpha1/clusterspiffeid_types.go).
 | `namespaceSelector`         | OPTIONAL | A label selector used to scope which workload namespaces this ClusterSPIFFEID targets |
 | `dnsNameTemplates`          | OPTIONAL | One or more templates used to render DNS names for the target workload. See [Templates](#templates). |
 | `workloadSelectorTemplates` | OPTIONAL | One or more templates used to render additional selectors for the target workload. See [Templates](#templates). |
-| `ttl`                       | OPTIONAL | Duration value indicating an upper bound on the time-to-live for SVIDs issued to target workload |
+| `ttl`                       | OPTIONAL | Duration value indicating an upper bound on the time-to-live for X509-SVIDs issued to target workload |
 | `jwtTtl`                    | OPTIONAL | Duration value indicating an upper bound on the time-to-live for JWT-SVIDs issued to target workload |
 | `federatesWith`             | OPTIONAL | One or more trust domain names that target workloads federate with |
 | `admin`                     | OPTIONAL | Indicates whether the target workload is an admin workload (i.e. can access SPIRE administrative APIs) |
 | `downstream`                | OPTIONAL | Indicates that the entry describes a downstream SPIRE server. |
 | `autoPopulateDNSNames`      | OPTIONAL | Indicates whether or not to auto populate service DNS names. |
 | `fallback`                  | OPTIONAL | Apply this ID only if there are no other matching non fallback ClusterSPIFFEIDs. |
 | `className`                 | OPTIONAL | The class name of the SPIRE controller manager. |
 ## ClusterSPIFFEIDStatus
 | Field | Description |
 | ----- | ----------- |
-| `stats` | Statistics on what the ClusterSPIFFEID was applied to and any failures. See [ClusterSPIFFEIDStats](#cluster-spiffeid-stats).
+| `stats` | Statistics on what the ClusterSPIFFEID was applied to and any failures. See [ClusterSPIFFEIDStats](#cluster-spiffeid-stats). |
 ### ClusterSPIFFEIDStats
 | Field | Description |
 | ----- | ----------- |
 | `namespaceSelected`      | How many namespaces were selected |
-| `namespacesIgnroed`      | How many namespaces were ignored |
+| `namespacesIgnored`      | How many namespaces were ignored |
 | `podsSelected`           | How many pods were selected |
 | `podEntryRenderFailures` | How many failures were encountered rendering a registration entry for the pod |
 | `entriesMasked`          | How many entries were masked because they were similar to other registration entries |
@ -54,6 +59,7 @@ The following data is available to the template:
 | ----- | ---- | ----------- |
 | `{{ .TrustDomain }}`   | string                                                                           | The name of the trust domain the controller is operating for |
 | `{{ .ClusterName }}`   | string                                                                           | The name of the cluster, as defined in the controller [configuration](./spire-controller-manager-config.md) |
 | `{{ .ClusterDomain }}` | string                                                                           | The domain of the cluster, as defined in the controller [configuration](./spire-controller-manager-config.md) |
 | `{{ .PodMeta }}`       | [ObjectMeta](https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#ObjectMeta) | The pod metadata |
 | `{{ .PodSpec }}`       | [PodSpec](https://pkg.go.dev/k8s.io/api/core/v1#PodSpec)                         | The pod specification |
 | `{{ .NodeMeta }}`      | [ObjectMeta](https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#ObjectMeta) | The node metadata for the node the pod is scheduled on |
@ -63,29 +69,41 @@ The following data is available to the template:
 1. Apply an Istio-style SPIFFE ID to workloads running in namespaces with the "backend" label:
-    ```
+    ```yaml
    apiVersion: spire.spiffe.io/v1alpha1
    kind: ClusterSPIFFEID
    metadata:
      name: backend-workloads
    spec:
-      spiffeIDTemplate: "spiffe://domain.test/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccount }}"
+      spiffeIDTemplate: "spiffe://domain.test/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
      namespaceSelector:
        matchLabels:
-          backend: true
+          backend: "true"
    ```
 1. Federate workloads running the pods with the "banking" label with the "auditing" trust domain.
-    ```
+    ```yaml
    apiVersion: spire.spiffe.io/v1alpha1
    kind: ClusterSPIFFEID
    metadata:
      name: backend-workloads
    spec:
-      spiffeIDTemplate: "spiffe://domain.test/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccount }}"
+      spiffeIDTemplate: "spiffe://domain.test/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
      podSelector:
        matchLabels:
-          banking: true
+          banking: "true"
      federatesWith: ["auditing"]
    ```
 1. Add a DNS name:
    ```yaml
    apiVersion: spire.spiffe.io/v1alpha1
    kind: ClusterSPIFFEID
    metadata:
      name: backend-workloads-with-dns-names
    spec:
      spiffeIDTemplate: "spiffe://domain.test/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
      dnsNameTemplates: ["{{ .PodMeta.Name }}.{{ .PodMeta.Namespace }}.{{ .ClusterDomain }}"]
    ```
--- a/docs/clusterstaticentry-crd.md
+++ b/docs/clusterstaticentry-crd.md
@ -0,0 +1,32 @@
 # ClusterStaticEntry Custom Resource Definition
 The ClusterStaticEntry Custom Resource Definition (CRD) is a cluster-wide
 resource used to automate the registration of workloads that aren't running
 within the Kubernetes cluster.
 The definition can be found [here](../api/v1alpha1/clusterstaticentry_types.go).
 ## ClusterStaticEntrySpec
 | Field | Required | Description |
 | ----- | -------- | ----------- |
 | `spiffeID`                  | REQUIRED | The SPIFFE ID of the workload or node alias |
 | `parentID`                  | REQUIRED | The parent ID of the node or nodes authorized for the entry or the SPIRE server ID for a node alias |
 | `selectors`                 | REQUIRED | One or more workload selectors (when registering a workload) or node selectors (when registering a node alias) |
 | `federatesWith`             | OPTIONAL | One or more trust domain names that target workloads federate with |
 | `x509SVIDTTL`               | OPTIONAL | Duration value indicating an upper bound on the time-to-live for X509-SVIDs issued to target workload |
 | `jwtSVIDTTL`                | OPTIONAL | Duration value indicating an upper bound on the time-to-live for JWT-SVIDs issued to target workload |
 | `dnsNames`                  | OPTIONAL | One or more DNS names for the target workload |
 | `hint`                      | OPTIONAL | An opaque string that is provided to the workload as a hint on how the SVID should be used |
 | `admin`                     | OPTIONAL | Indicates whether the target workload is an admin workload (i.e. can access SPIRE administrative APIs) |
 | `downstream`                | OPTIONAL | Indicates that the entry describes a downstream SPIRE server. |
 | `storeSVID`                 | OPTIONAL | Indicates whether the issued SVID must be stored through an SVIDStore plugin. |
 | `className`                 | OPTIONAL | The class name of the SPIRE controller manager. |
 ## ClusterStaticEntryStatus
 | Field | Description |
 | ----- | ----------- |
 | `rendered` | True if the cluster static entry was successfully rendered into a registration entry |
 | `masked` | True if the entry produced by the cluster static entry was masked by another entry |
 | `set` | True if the entry produced by the cluster static entry was successfully set on the SPIRE server |
--- a/docs/spire-controller-manager-config.md
+++ b/docs/spire-controller-manager-config.md
@ -2,13 +2,31 @@
 The SPIRE Controller Manager configuration is defined [here](../api/v1alpha1/controllermanagerconfig_types.go).
-Beyond the standard [controller manager configuration](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/config/v1alpha1#ControllerConfigurationSpec), the following fields are defined:
+Beyond the
 standard [controller manager configuration](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/config/v1alpha1#ControllerConfigurationSpec),
 the following fields are defined: 
 | Field                                | Required | Default                                          | Description                                                                                                                                                                                                   |
-| ------------------------------------ | -------- | ------------------------------------------------ | ------------------------------------------------------------------ |
+|--------------------------------------|----------|--------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `clusterName`                        | REQUIRED |                                                  | The name of the cluster                                                                                                                                                                                       |
 | `trustDomain`                        | REQUIRED |                                                  | The trust domain name for the cluster                                                                                                                                                                         |
 | `clusterDomain`                      | OPTIONAL |                                                  | The domain of the cluster, ie `cluster.local`. If not specified will attempt to auto detect.                                                                                                                  |
 | `ignoreNamespaces`                   | OPTIONAL | `["kube-system", "kube-public", "spire-system"]` | Namespaces that the controllers should ignore                                                                                                                                                                 |
 | `validatingWebhookConfigurationName` | OPTIONAL | `spire-controller-manager-webhook`               | The name of the validating admission controller webhook to manage                                                                                                                                             |
 | `gcInterval`                         | OPTIONAL | `10s`                                            | How often the SPIRE state is reconciled when the controller is otherwise idle. This impacts how quickly SPIRE state will converge after CRDs are removed or SPIRE state is mutated underneath the controller. |
 | `spireServerSocketPath`              | OPTIONAL | `/spire-server/api.sock`                         | The path the the SPIRE Server API socket                                                                                                                                                                      |
 | `logLevel`                           | OPTIONAL | `info`                                           | The log level for the controller manager. Supported values are `info`, `error`, `warn` and `debug`.                                                                                                           |
 | `logEncoding`                        | OPTIONAL | `console`                                        | The log encoder for the controller manager. Supported values are `console` and `json`.                                                                                                                        |
 | `className`                          | OPTIONAL |                                                  | Only sync resources that have the specified className set on them.                                                                                                                                            |
 | `watchClassless`                     | OPTIONAL |                                                  | If className is set, also watch for resources that do not have any className set.                                                                                                                             |
 | `staticManifestPath`                 | OPTIONAL |                                                  | If specified, manifests will be read from disk instead of from Kubernetes                                                                                                                                     |
 ## Kubernetes Mode
 By default, all objects are synced from the Kubernetes cluster the spire-controller-manager is running in.
 ## Static Mode
 If `staticManifestPath` is specified, Kubernetes will not be used and instead, manifests are loaded from yaml files located in the specified path and synchronized to the SPIRE server.
 In this mode, validating webhooks will be ignored as its not useful without Kubernetes.
--- a/examples/static.config
+++ b/examples/static.config
@ -0,0 +1,17 @@
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ControllerManagerConfig
 metadata:
  name: config
 metrics:
  bindAddress: 0.0.0.0:8082
 health:
  healthProbeBindAddress: 0.0.0.0:8083
 entryIDPrefix: scm
 className: scm
 clusterName: scm
 clusterDomain: local
 trustDomain: example.org
 watchClassless: true
 staticManifestPath: /etc/spire/server/main/manifests
 spireServerSocketPath: "/tmp/spire-server/private/api.sock"
 logLevel: info
--- a/go.mod
+++ b/go.mod
@ -1,21 +1,84 @@
 module github.com/spiffe/spire-controller-manager
-go 1.16
+go 1.23.4
 require (
-	github.com/go-logr/logr v0.4.0
+	github.com/go-logr/logr v1.4.2
-	github.com/google/go-cmp v0.5.5
+	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
 	github.com/jpillora/backoff v1.0.0
-	github.com/onsi/ginkgo v1.16.4
+	github.com/onsi/ginkgo/v2 v2.23.4
-	github.com/onsi/gomega v1.15.0
+	github.com/onsi/gomega v1.37.0
-	github.com/spiffe/go-spiffe/v2 v2.0.0
+	github.com/prometheus/client_golang v1.22.0
-	github.com/spiffe/spire-api-sdk v1.1.0
+	github.com/spiffe/go-spiffe/v2 v2.5.0
-	github.com/stretchr/testify v1.7.0
+	github.com/spiffe/spire-api-sdk v1.12.4
-	google.golang.org/grpc v1.40.0
+	github.com/stretchr/testify v1.10.0
-	google.golang.org/protobuf v1.27.1
+	go.uber.org/zap v1.27.0
-	k8s.io/api v0.22.2
+	google.golang.org/grpc v1.73.0
-	k8s.io/apimachinery v0.22.2
+	google.golang.org/protobuf v1.36.6
-	k8s.io/client-go v0.22.2
+	k8s.io/api v0.32.4
-	k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a
+	k8s.io/apimachinery v0.32.4
-	sigs.k8s.io/controller-runtime v0.10.2
+	k8s.io/client-go v0.32.4
 	k8s.io/component-base v0.32.4
 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
 	sigs.k8s.io/controller-runtime v0.20.4
 )
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/zeebo/errs v1.4.0 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.36.0 // indirect
 	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/oauth2 v0.28.0 // indirect
 	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/sys v0.32.0 // indirect
 	golang.org/x/term v0.30.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
 	golang.org/x/tools v0.31.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.32.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,174 +1,64 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
 cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
 cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
 cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
 cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
 cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
 cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
 cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
 cloud.google.com/go v0.54.0 h1:3ithwDMr7/3vpAMXiH+ZQnYbuIsh+OPhUPMFC9enmn0=
 cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
 cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
 cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
 cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
 github.com/Azure/go-autorest/autorest v0.11.18 h1:90Y4srNYrwOtAgVo3ndrQkTYn6kf1Eg/AjTFJ8Is2aM=
 github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA=
 github.com/Azure/go-autorest/autorest/adal v0.9.13 h1:Mp5hbtOePIzM8pJVRa3YLrWWmZtoxRXqUEzCfJt3+/Q=
 github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M=
 github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
 github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
 github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg=
 github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
 github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
-github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo=
+github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
+github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI=
+github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
-github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
+github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk=
-github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
+github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
-github.com/evanphx/json-patch v4.11.0+incompatible h1:glyUF9yIYtMHzn8xaKw5rMhdWcwsYV8dZHIq5567/xs=
+github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
-github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
-github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
-github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
-github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
+github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
-github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
-github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
-github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
+github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
-github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
-github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
+github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
-github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc=
+github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
-github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
+github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
-github.com/go-logr/zapr v0.4.0 h1:uc1uML3hRYL9/ZZPdgHS/n8Nzo+eaYL/Efxkkamf7OM=
+github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
-github.com/go-logr/zapr v0.4.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
-github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
 github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
 github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
@ -178,538 +68,203 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
 github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
-github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
+github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
-github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
-github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
 github.com/googleapis/gnostic v0.5.5 h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw=
 github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
 github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
 github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
-github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/json-iterator/go v1.1.11 h1:uVUAXhF2To8cbw/3xN3pxj6kk7TYKs98NIrTqPlMWAQ=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
-github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
-github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
-github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
-github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
 github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
 github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
-github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
-github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
-github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
 github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
 github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.15.0 h1:WjP/FQ/sk43MRmnEcT+MlDw2TFvkrXlprrPST/IudjU=
 github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
-github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
-github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
+github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
-github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_golang v1.11.0 h1:HNkLOAEQMIDv/K+04rukrLx6ch7msSRwf3/SASFAGtQ=
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
+github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/prometheus/common v0.26.0 h1:iMAkS2TDoNWnKM+Kopnx/8tnEStIfpYA0ur0xQzzhMQ=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.6.0 h1:mxy4L2jP6qMonqmq+aTtOx1ifVWUgG/TAmntgbh3xv4=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
+github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE=
-github.com/spiffe/go-spiffe/v2 v2.0.0 h1:y6N7BZAxgaFZYELyrIdxSMm2e2tWpzgQewUts9h1hfM=
+github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
-github.com/spiffe/go-spiffe/v2 v2.0.0/go.mod h1:TEfgrEcyFhuSuvqohJt6IxENUNeHfndWCCV1EX7UaVk=
+github.com/spiffe/spire-api-sdk v1.12.4 h1:RFMW7aPylHrJOPWY+w+YjElKCRUJPOUAMEyn7w4wLTU=
-github.com/spiffe/spire-api-sdk v1.1.0 h1:n7EQHhCOUpmMfggUJ6pAECFzE8P/hVRe++h/mxai6So=
+github.com/spiffe/spire-api-sdk v1.12.4/go.mod h1:4uuhFlN6KBWjACRP3xXwrOTNnvaLp1zJs8Lribtr4fI=
 github.com/spiffe/spire-api-sdk v1.1.0/go.mod h1:UylWypx+g3HPJeelhKiKykUvcTJFw5VKIKaSaCYgpFw=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
-github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
-github.com/zeebo/errs v1.2.2 h1:5NFypMTuSdoySVTqlNs1dEoU21QVamMQJxW/Fii5O7g=
+github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-github.com/zeebo/errs v1.2.2/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
-go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
-go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
-go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc=
+go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
-go.etcd.io/etcd/server/v3 v3.5.0/go.mod h1:3Ah5ruV+M+7RZr0+Y/5mNLwC+eQlni+mQmOVdCRJoS4=
+go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
-go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4=
 go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo=
 go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM=
 go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU=
 go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw=
 go.opentelemetry.io/otel/sdk v0.20.0/go.mod h1:g/IcepuwNsoiX5Byy2nNV0ySUF1em498m7hBWC279Yc=
 go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi+bJK+Dr8NQCh0qGhm1KDnNlE=
 go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE=
 go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
-go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
-go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
-go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
-go.uber.org/goleak v1.1.10 h1:z+mqJhf6ss6BSfSM671tgKyZBFPTTJM+HLxnhPC3wu0=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
-go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
-go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
 go.uber.org/zap v1.19.0 h1:mZQZefskPPCMIBCSEH0v2/iUqqLrYtaeqwD6FUGUnFE=
 go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 h1:/ZScEX8SfEmUGRHs0gxpqteO5nfNW6axyZbBdw9A12g=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
 golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
 golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
 golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 h1:VLliZ0d+/avPrXXH+OakdXhpJuEoBZuwh1m2j7U6Iug=
 golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20210520170846-37e1c6afe023 h1:ADo5wSpq2gqaCGQWzk7S5vd//0iyyLeAratkEoG5dLE=
 golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
 golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
-golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
-golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2 h1:c8PlLMqBbOHoqtjteWm5/kbe6rNY2pbRfbIMVnepueo=
 golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
-golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs=
 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
 golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.2 h1:kRBLX7v7Af8W7Gdbbc908OJcdgtK8bOz9Uaj8/F1ACA=
+golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
-golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY=
+gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
-gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY=
+gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
 google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
 google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
 google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
 google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
 google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
 google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
 google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
 google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
 google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20200806141610-86f49bd18e98/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 h1:e0AIkUUhxyBKh6ssZNrAMeqhA7RKUj42346d1y02i2g=
-google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
 google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c h1:wtujag7C+4D6KMoulW9YauvK2lgdvCMS260jsqqBXr0=
 google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
+google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
+google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
-google.golang.org/grpc v1.40.0 h1:AGJ0Ih4mHjSeibYkFGh1dD9KJ/eOtZ93I6hoHhukQ5Q=
+google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc/examples v0.0.0-20201130180447-c456688b1860/go.mod h1:Ly7ZA/ARzg8fnPU9TyZIxoz33sEUuWX7txiqs8lPTgE=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@ -718,82 +273,48 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
 google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/square/go-jose.v2 v2.4.1 h1:H0TmLt7/KmzlrDOpa1F+zr0Tk90PbJYBfsVUmRLrf9Y=
 gopkg.in/square/go-jose.v2 v2.4.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
+k8s.io/api v0.32.4 h1:kw8Y/G8E7EpNy7gjB8gJZl3KJkNz8HM2YHrZPtAZsF4=
-honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+k8s.io/api v0.32.4/go.mod h1:5MYFvLvweRhyKylM3Es/6uh/5hGp0dg82vP34KifX4g=
-k8s.io/api v0.22.2 h1:M8ZzAD0V6725Fjg53fKeTJxGsJvRbk4TEm/fexHMtfw=
+k8s.io/apiextensions-apiserver v0.32.1 h1:hjkALhRUeCariC8DiVmb5jj0VjIc1N0DREP32+6UXZw=
-k8s.io/api v0.22.2/go.mod h1:y3ydYpLJAaDI+BbSe2xmGcqxiWHmWjkEeIbiwHvnPR8=
+k8s.io/apiextensions-apiserver v0.32.1/go.mod h1:sxWIGuGiYov7Io1fAS2X06NjMIk5CbRHc2StSmbaQto=
-k8s.io/apiextensions-apiserver v0.22.2 h1:zK7qI8Ery7j2CaN23UCFaC1hj7dMiI87n01+nKuewd4=
+k8s.io/apimachinery v0.32.4 h1:8EEksaxA7nd7xWJkkwLDN4SvWS5ot9g6Z/VZb3ju25I=
-k8s.io/apiextensions-apiserver v0.22.2/go.mod h1:2E0Ve/isxNl7tWLSUDgi6+cmwHi5fQRdwGVCxbC+KFA=
+k8s.io/apimachinery v0.32.4/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
-k8s.io/apimachinery v0.22.2 h1:ejz6y/zNma8clPVfNDLnPbleBo6MpoFy/HBiBqCouVk=
+k8s.io/client-go v0.32.4 h1:zaGJS7xoYOYumoWIFXlcVrsiYioRPrXGO7dBfVC5R6M=
-k8s.io/apimachinery v0.22.2/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
+k8s.io/client-go v0.32.4/go.mod h1:k0jftcyYnEtwlFW92xC7MTtFv5BNcZBr+zn9jPlT9Ic=
-k8s.io/apiserver v0.22.2/go.mod h1:vrpMmbyjWrgdyOvZTSpsusQq5iigKNWv9o9KlDAbBHI=
+k8s.io/component-base v0.32.4 h1:HuF+2JVLbFS5GODLIfPCb1Td6b+G2HszJoArcWOSr5I=
-k8s.io/client-go v0.22.2 h1:DaSQgs02aCC1QcwUdkKZWOeaVsQjYvWv8ZazcZ6JcHc=
+k8s.io/component-base v0.32.4/go.mod h1:10KloJEYw1keU/Xmjfy9TKJqUq7J2mYdiD1VDXoco4o=
-k8s.io/client-go v0.22.2/go.mod h1:sAlhrkVDf50ZHx6z4K0S40wISNTarf1r800F+RlCF6U=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
-k8s.io/code-generator v0.22.2/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/component-base v0.22.2 h1:vNIvE0AIrLhjX8drH0BgCNJcR4QZxMXcJzBsDplDx9M=
+k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
-k8s.io/component-base v0.22.2/go.mod h1:5Br2QhI9OTe79p+TzPe9JKNQYvEKbq9rTJDWllunGug=
+k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
-k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
-k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
+sigs.k8s.io/controller-runtime v0.20.4 h1:X3c+Odnxz+iPTRobG4tp092+CvBU9UK0t/bRf+n0DGU=
-k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
+sigs.k8s.io/controller-runtime v0.20.4/go.mod h1:xg2XB0K5ShQzAgsoujxuKN4LNXR2LfwwHsPj7Iaw+XY=
-k8s.io/klog/v2 v2.9.0 h1:D7HV+n1V57XeZ0m6tdRkfknthUaM06VFbWldOFh8kzM=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
-k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
-k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e h1:KLHHjkdQFomZy8+06csTWZ0m1343QqxZhR2LJ1OxCYM=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA=
-k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.2/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
-k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a h1:8dYfu/Fc9Gz2rNJKB9IQRGgQOh2clmRzNIPPY1xLY5g=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
-k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
 sigs.k8s.io/controller-runtime v0.10.2 h1:jW8qiY+yMnnPx6O9hu63tgcwaKzd1yLYui+mpvClOOc=
 sigs.k8s.io/controller-runtime v0.10.2/go.mod h1:CQp8eyUQZ/Q7PJvnIrB6/hgfTC1kBkGylwsLgOQi1WY=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.1.2 h1:Hr/htKFmJEbtMgS/UD0N+gtgctAqz81t3nu+sPzynno=
 sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
 sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
--- a/hack/boilerplate.go.txt
+++ b/hack/boilerplate.go.txt
@ -1,5 +1,5 @@
 /*
-Copyright 2021 SPIRE Authors.
+Copyright 2023 SPIRE Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
--- a/internal/controller/clusterfederatedtrustdomain_controller.go
+++ b/internal/controller/clusterfederatedtrustdomain_controller.go
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package controllers
+package controller
 import (
 	"context"
@ -41,7 +41,7 @@ type ClusterFederatedTrustDomainReconciler struct {
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
-func (r *ClusterFederatedTrustDomainReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+func (r *ClusterFederatedTrustDomainReconciler) Reconcile(ctx context.Context, _ ctrl.Request) (ctrl.Result, error) {
 	log.FromContext(ctx).V(1).Info("Triggering reconciliation")
 	r.Triggerer.Trigger()
 	return ctrl.Result{}, nil
--- a/internal/controller/clusterspiffeid_controller.go
+++ b/internal/controller/clusterspiffeid_controller.go
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package controllers
+package controller
 import (
 	"context"
@ -44,7 +44,7 @@ type ClusterSPIFFEIDReconciler struct {
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
-func (r *ClusterSPIFFEIDReconciler) Reconcile(ctx context.Context, req ctrl.Request) (_ ctrl.Result, err error) {
+func (r *ClusterSPIFFEIDReconciler) Reconcile(ctx context.Context, _ ctrl.Request) (ctrl.Result, error) {
 	log.FromContext(ctx).V(1).Info("Triggering reconciliation")
 	r.Triggerer.Trigger()
 	return ctrl.Result{}, nil
--- a/internal/controller/clusterstaticentry_controller.go
+++ b/internal/controller/clusterstaticentry_controller.go
@ -0,0 +1,55 @@
 /*
 Copyright 2021 SPIRE Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package controller
 import (
 	"context"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	spirev1alpha1 "github.com/spiffe/spire-controller-manager/api/v1alpha1"
 	"github.com/spiffe/spire-controller-manager/pkg/reconciler"
 )
 // ClusterStaticEntryReconciler reconciles a ClusterStaticEntry object
 type ClusterStaticEntryReconciler struct {
 	client.Client
 	Scheme    *runtime.Scheme
 	Triggerer reconciler.Triggerer
 }
 //+kubebuilder:rbac:groups=spire.spiffe.io,resources=clusterstaticentries,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=spire.spiffe.io,resources=clusterstaticentries/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=spire.spiffe.io,resources=clusterstaticentries/finalizers,verbs=update
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
 func (r *ClusterStaticEntryReconciler) Reconcile(ctx context.Context, _ ctrl.Request) (ctrl.Result, error) {
 	log.FromContext(ctx).V(1).Info("Triggering reconciliation")
 	r.Triggerer.Trigger()
 	return ctrl.Result{}, nil
 }
 // SetupWithManager sets up the controller with the Manager.
 func (r *ClusterStaticEntryReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&spirev1alpha1.ClusterStaticEntry{}).
 		Complete(r)
 }
--- a/internal/controller/common.go
+++ b/internal/controller/common.go
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package controllers
+package controller
 type EntryReconciler interface {
 	Trigger()
--- a/internal/controller/endpoints_controller.go
+++ b/internal/controller/endpoints_controller.go
@ -1,5 +1,5 @@
 /*
-Copyright 2021 SPIRE Authors.
+Copyright 2023 SPIRE Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -14,13 +14,14 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package controllers
+package controller
 import (
 	"context"
 	"regexp"
 	"github.com/spiffe/spire-controller-manager/pkg/namespace"
 	"github.com/spiffe/spire-controller-manager/pkg/reconciler"
 	"github.com/spiffe/spire-controller-manager/pkg/stringset"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
@ -28,12 +29,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
-// PodReconciler reconciles a Pod object
+// EndpointReconciler reconciles a Pod object
-type PodReconciler struct {
+type EndpointsReconciler struct {
 	client.Client
 	Scheme           *runtime.Scheme
 	Triggerer        reconciler.Triggerer
-	IgnoreNamespaces stringset.StringSet
+	IgnoreNamespaces []*regexp.Regexp
 }
 //+kubebuilder:rbac:groups=spire.spiffe.io,resources=clusterspiffeids,verbs=get;list;watch;create;update;patch;delete
@ -42,20 +43,24 @@ type PodReconciler struct {
 //+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 //+kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch
 //+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
 //+kubebuilder:rbac:groups="",resources=endpoints,verbs=get;list;watch
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
-func (r *PodReconciler) Reconcile(ctx context.Context, req ctrl.Request) (_ ctrl.Result, err error) {
+func (r *EndpointsReconciler) Reconcile(ctx context.Context, req ctrl.Request) (_ ctrl.Result, err error) {
-	if !r.IgnoreNamespaces.In(req.Namespace) {
+	if namespace.IsIgnored(r.IgnoreNamespaces, req.Namespace) {
 		return ctrl.Result{}, nil
 	}
 	log.FromContext(ctx).V(1).Info("Triggering reconciliation")
 	r.Triggerer.Trigger()
-	}
+
 	return ctrl.Result{}, nil
 }
 // SetupWithManager sets up the controller with the Manager.
-func (r *PodReconciler) SetupWithManager(mgr ctrl.Manager) error {
+func (r *EndpointsReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&corev1.Pod{}).
+		For(&corev1.Endpoints{}).
 		Complete(r)
 }
--- a/internal/controller/pod_controller.go
+++ b/internal/controller/pod_controller.go
@ -0,0 +1,98 @@
 /*
 Copyright 2021 SPIRE Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package controller
 import (
 	"context"
 	"fmt"
 	"regexp"
 	"github.com/spiffe/spire-controller-manager/pkg/namespace"
 	"github.com/spiffe/spire-controller-manager/pkg/reconciler"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 // PodReconciler reconciles a Pod object
 type PodReconciler struct {
 	client.Client
 	Scheme               *runtime.Scheme
 	Triggerer            reconciler.Triggerer
 	IgnoreNamespaces     []*regexp.Regexp
 	AutoPopulateDNSNames bool
 }
 //+kubebuilder:rbac:groups=spire.spiffe.io,resources=clusterspiffeids,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=spire.spiffe.io,resources=clusterspiffeids/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=spire.spiffe.io,resources=clusterspiffeids/finalizers,verbs=update
 //+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 //+kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch
 //+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
 //+kubebuilder:rbac:groups="",resources=endpoints,verbs=get;list;watch
 // Required to patch webhook config with spire CA
 //+kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;patch;watch
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
 func (r *PodReconciler) Reconcile(ctx context.Context, req ctrl.Request) (_ ctrl.Result, err error) {
 	if namespace.IsIgnored(r.IgnoreNamespaces, req.Namespace) {
 		return ctrl.Result{}, nil
 	}
 	log.FromContext(ctx).V(1).Info("Triggering reconciliation")
 	r.Triggerer.Trigger()
 	return ctrl.Result{}, nil
 }
 // SetupWithManager sets up the controller with the Manager.
 func (r *PodReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error {
 	// Index endpoints by UID. Later when we reconcile the Pod this will make it easy to find the associated endpoints
 	// and auto populate DNS names.
 	err := mgr.GetFieldIndexer().IndexField(ctx, &corev1.Endpoints{}, reconciler.EndpointUID, func(rawObj client.Object) []string {
 		endpoints, ok := rawObj.(*corev1.Endpoints)
 		if !ok {
 			log.FromContext(ctx).Error(nil, "unexpected type indexing fields", "type", fmt.Sprintf("%T", rawObj), "expecteed", "*corev1.Endpoints")
 			return nil
 		}
 		var podUIDs []string
 		for _, subset := range endpoints.Subsets {
 			for _, address := range subset.Addresses {
 				if address.TargetRef != nil && address.TargetRef.Kind == "Pod" {
 					podUIDs = append(podUIDs, string(address.TargetRef.UID))
 				}
 			}
 			for _, address := range subset.NotReadyAddresses {
 				if address.TargetRef != nil && address.TargetRef.Kind == "Pod" {
 					podUIDs = append(podUIDs, string(address.TargetRef.UID))
 				}
 			}
 		}
 		return podUIDs
 	})
 	if err != nil {
 		return err
 	}
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&corev1.Pod{}).
 		Complete(r)
 }
--- a/internal/controller/suite_test.go
+++ b/internal/controller/suite_test.go
@ -14,19 +14,21 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package controllers
+package controller
 import (
 	"fmt"
 	"path/filepath"
 	"runtime"
 	"testing"
-	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/ginkgo/v2" //nolint:revive // auto-generated
-	. "github.com/onsi/gomega"
+	. "github.com/onsi/gomega"    //nolint:revive // auto-generated
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
 	"sigs.k8s.io/controller-runtime/pkg/envtest/printer"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
@ -41,12 +43,10 @@ var cfg *rest.Config
 var k8sClient client.Client
 var testEnv *envtest.Environment
-func TestAPIs(t *testing.T) {
+func TestControllers(t *testing.T) {
 	RegisterFailHandler(Fail)
-	RunSpecsWithDefaultAndCustomReporters(t,
+	RunSpecs(t, "Controller Suite")
 		"Controller Suite",
 		[]Reporter{printer.NewlineReporter{}})
 }
 var _ = BeforeSuite(func() {
@ -54,11 +54,21 @@ var _ = BeforeSuite(func() {
 	By("bootstrapping test environment")
 	testEnv = &envtest.Environment{
-		CRDDirectoryPaths:     []string{filepath.Join("..", "config", "crd", "bases")},
+		CRDDirectoryPaths:     []string{filepath.Join("..", "..", "config", "crd", "bases")},
 		ErrorIfCRDPathMissing: true,
 		// The BinaryAssetsDirectory is only required if you want to run the tests directly
 		// without call the makefile target test. If not informed it will look for the
 		// default path defined in controller-runtime which is /usr/local/kubebuilder/.
 		// Note that you must have the required binaries setup under the bin directory to perform
 		// the tests directly. When we run make test it will be setup and used automatically.
 		BinaryAssetsDirectory: filepath.Join("..", "..", "bin", "k8s",
 			fmt.Sprintf("1.28.0-%s-%s", runtime.GOOS, runtime.GOARCH)),
 	}
-	cfg, err := testEnv.Start()
+	var err error
 	// cfg is defined in this file globally.
 	cfg, err = testEnv.Start()
 	Expect(err).NotTo(HaveOccurred())
 	Expect(cfg).NotTo(BeNil())
@ -71,7 +81,7 @@ var _ = BeforeSuite(func() {
 	Expect(err).NotTo(HaveOccurred())
 	Expect(k8sClient).NotTo(BeNil())
-}, 60)
+})
 var _ = AfterSuite(func() {
 	By("tearing down the test environment")
--- a/main.go
+++ b/main.go
@ -1,293 +0,0 @@
 /*
 Copyright 2021 SPIRE Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"flag"
 	"os"
 	"path/filepath"
 	"time"
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 	"k8s.io/client-go/kubernetes"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/client-go/rest"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	spirev1alpha1 "github.com/spiffe/spire-controller-manager/api/v1alpha1"
 	"github.com/spiffe/spire-controller-manager/controllers"
 	"github.com/spiffe/spire-controller-manager/pkg/spireapi"
 	"github.com/spiffe/spire-controller-manager/pkg/spireentry"
 	"github.com/spiffe/spire-controller-manager/pkg/spirefederationrelationship"
 	"github.com/spiffe/spire-controller-manager/pkg/webhookmanager"
 	//+kubebuilder:scaffold:imports
 )
 const (
 	defaultSPIREServerSocketPath = "/spire-server/api.sock"
 )
 var (
 	scheme   = runtime.NewScheme()
 	setupLog = ctrl.Log.WithName("setup")
 )
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(spirev1alpha1.AddToScheme(scheme))
 	//+kubebuilder:scaffold:scheme
 }
 func main() {
 	var configFileFlag string
 	var spireAPISocketFlag string
 	flag.StringVar(&configFileFlag, "config", "",
 		"The controller will load its initial configuration from this file. "+
 			"Omit this flag to use the default configuration values. "+
 			"Command-line flags override configuration from this file.")
 	flag.StringVar(&spireAPISocketFlag, "spire-api-socket", "", "The path to the SPIRE API socket (deprecated; use the config file)")
 	opts := zap.Options{
 		Development: true,
 	}
 	opts.BindFlags(flag.CommandLine)
 	flag.Parse()
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 	ctrlConfig := spirev1alpha1.ControllerManagerConfig{
 		IgnoreNamespaces:                   []string{"kube-system", "kube-public", "spire-system"},
 		GCInterval:                         10 * time.Second,
 		ValidatingWebhookConfigurationName: "spire-controller-manager-webhook",
 	}
 	options := ctrl.Options{Scheme: scheme}
 	if configFileFlag != "" {
 		var err error
 		options, err = options.AndFrom(ctrl.ConfigFile().AtPath(configFileFlag).OfKind(&ctrlConfig))
 		if err != nil {
 			setupLog.Error(err, "unable to load the config file")
 			os.Exit(1)
 		}
 	}
 	// Determine the SPIRE Server socket path
 	switch {
 	case ctrlConfig.SPIREServerSocketPath == "" && spireAPISocketFlag == "":
 		// Neither is set. Use the default.
 		ctrlConfig.SPIREServerSocketPath = defaultSPIREServerSocketPath
 	case ctrlConfig.SPIREServerSocketPath != "" && spireAPISocketFlag == "":
 		// Configuration file value is set. Use it.
 	case ctrlConfig.SPIREServerSocketPath == "" && spireAPISocketFlag != "":
 		// Deprecated flag value is set. Use it but warn.
 		ctrlConfig.SPIREServerSocketPath = spireAPISocketFlag
 		setupLog.Error(nil, "The spire-api-socket flag is deprecated and will be removed in a future release; use the configuration file instead")
 	case ctrlConfig.SPIREServerSocketPath != "" && spireAPISocketFlag != "":
 		// Both are set. Warn and ignore the deprecated flag.
 		setupLog.Error(nil, "Ignoring deprecated spire-api-socket flag which will be removed in a future release")
 	}
 	setupLog.Info("Config loaded",
 		"cluster name", ctrlConfig.ClusterName,
 		"trust domain", ctrlConfig.TrustDomain,
 		"ignore namespaces", ctrlConfig.IgnoreNamespaces,
 		"gc interval", ctrlConfig.GCInterval,
 		"spire server socket path", ctrlConfig.SPIREServerSocketPath)
 	switch {
 	case ctrlConfig.TrustDomain == "":
 		setupLog.Error(nil, "trust domain is required configuration")
 		os.Exit(1)
 	case ctrlConfig.ClusterName == "":
 		setupLog.Error(nil, "cluster name is required configuration")
 		os.Exit(1)
 	case ctrlConfig.ValidatingWebhookConfigurationName == "":
 		setupLog.Error(nil, "validating webhook configuration name is required configuration")
 		os.Exit(1)
 	case options.CertDir != "":
 		setupLog.Info("certDir configuration is ignored", "certDir", options.CertDir)
 	}
 	// It's unfortunate that we have to keep credentials on disk so that the
 	// manager can load them:
 	// TODO: upstream a change to the WebhookServer so it can use callbacks to
 	// obtain the certificates so we don't have to touch disk.
 	certDir, err := os.MkdirTemp("", "spire-controller-manager-")
 	if err != nil {
 		setupLog.Error(err, "failed to create temporary cert directory", "certDir", options.CertDir)
 		os.Exit(1)
 	}
 	defer func() {
 		if err := os.RemoveAll(options.CertDir); err != nil {
 			setupLog.Error(err, "failed to remove temporary cert directory", "certDir", options.CertDir)
 			os.Exit(1)
 		}
 	}()
 	// webhook server credentials are stored in a single file to keep rotation
 	// simple.
 	const keyPairName = "keypair.pem"
 	options.WebhookServer = &webhook.Server{
 		CertDir:  certDir,
 		CertName: keyPairName,
 		KeyName:  keyPairName,
 	}
 	ctx := ctrl.SetupSignalHandler()
 	trustDomain, err := spiffeid.TrustDomainFromString(ctrlConfig.TrustDomain)
 	if err != nil {
 		setupLog.Error(err, "invalid trust domain name")
 		os.Exit(1)
 	}
 	spireClient, err := spireapi.DialSocket(ctx, ctrlConfig.SPIREServerSocketPath)
 	if err != nil {
 		setupLog.Error(err, "unable to dial SPIRE Server socket")
 		os.Exit(1)
 	}
 	defer spireClient.Close()
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), options)
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")
 		os.Exit(1)
 	}
 	// We need a direct client to query and patch up the webhook. We can't use
 	// the controller runtime client for this because we can't start the manager
 	// without the webhook credentials being in place, and the webhook credentials
 	// need the DNS name of the webhook service from the configuration.
 	config, err := rest.InClusterConfig()
 	if err != nil {
 		setupLog.Error(err, "failed to get in cluster configuration")
 		os.Exit(1)
 	}
 	// creates the clientset
 	clientset, err := kubernetes.NewForConfig(config)
 	if err != nil {
 		setupLog.Error(err, "failed to create an API client")
 		os.Exit(1)
 	}
 	webhookID, _ := spiffeid.FromPath(trustDomain, "/spire-controller-manager-webhook")
 	webhookManager := webhookmanager.New(webhookmanager.Config{
 		ID:            webhookID,
 		KeyPairPath:   filepath.Join(certDir, keyPairName),
 		WebhookName:   ctrlConfig.ValidatingWebhookConfigurationName,
 		WebhookClient: clientset.AdmissionregistrationV1().ValidatingWebhookConfigurations(),
 		SVIDClient:    spireClient,
 		BundleClient:  spireClient,
 	})
 	if err := webhookManager.Init(ctx); err != nil {
 		setupLog.Error(err, "failed to mint initial webhook certificate")
 		os.Exit(1)
 	}
 	entryReconciler := spireentry.Reconciler(spireentry.ReconcilerConfig{
 		TrustDomain:      trustDomain,
 		ClusterName:      ctrlConfig.ClusterName,
 		K8sClient:        mgr.GetClient(),
 		EntryClient:      spireClient,
 		IgnoreNamespaces: ctrlConfig.IgnoreNamespaces,
 		GCInterval:       ctrlConfig.GCInterval,
 	})
 	federationRelationshipReconciler := spirefederationrelationship.Reconciler(spirefederationrelationship.ReconcilerConfig{
 		K8sClient:         mgr.GetClient(),
 		TrustDomainClient: spireClient,
 		GCInterval:        ctrlConfig.GCInterval,
 	})
 	if err = (&controllers.ClusterSPIFFEIDReconciler{
 		Client:    mgr.GetClient(),
 		Scheme:    mgr.GetScheme(),
 		Triggerer: entryReconciler,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "ClusterSPIFFEID")
 		os.Exit(1)
 	}
 	if err = (&controllers.ClusterFederatedTrustDomainReconciler{
 		Client:    mgr.GetClient(),
 		Scheme:    mgr.GetScheme(),
 		Triggerer: federationRelationshipReconciler,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "ClusterFederatedTrustDomain")
 		os.Exit(1)
 	}
 	if err = (&spirev1alpha1.ClusterFederatedTrustDomain{}).SetupWebhookWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create webhook", "webhook", "ClusterFederatedTrustDomain")
 		os.Exit(1)
 	}
 	if err = (&spirev1alpha1.ClusterSPIFFEID{}).SetupWebhookWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create webhook", "webhook", "ClusterSPIFFEID")
 		os.Exit(1)
 	}
 	//+kubebuilder:scaffold:builder
 	if err = (&controllers.PodReconciler{
 		Client:           mgr.GetClient(),
 		Scheme:           mgr.GetScheme(),
 		Triggerer:        entryReconciler,
 		IgnoreNamespaces: ctrlConfig.IgnoreNamespaces,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Pod")
 		os.Exit(1)
 	}
 	if err = mgr.Add(manager.RunnableFunc(entryReconciler.Run)); err != nil {
 		setupLog.Error(err, "unable to manage entry reconciler")
 		os.Exit(1)
 	}
 	if err = mgr.Add(manager.RunnableFunc(federationRelationshipReconciler.Run)); err != nil {
 		setupLog.Error(err, "unable to manage federation relationship reconciler")
 		os.Exit(1)
 	}
 	if err = mgr.Add(webhookManager); err != nil {
 		setupLog.Error(err, "unable to manage federation relationship reconciler")
 		os.Exit(1)
 	}
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
 		setupLog.Error(err, "unable to set up health check")
 		os.Exit(1)
 	}
 	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
 		setupLog.Error(err, "unable to set up ready check")
 		os.Exit(1)
 	}
 	setupLog.Info("starting manager")
 	if err := mgr.Start(ctx); err != nil {
 		setupLog.Error(err, "problem running manager")
 		os.Exit(1)
 	}
 }
--- a/migration/README.md
+++ b/migration/README.md
@ -0,0 +1,271 @@
 # Kubernetes Workload Registrar Migration
 ## Introduction
 This guide will walk you through how to migrate an existing Kubernetes Workload Registrar deployment to SPIRE Controller Manager. Existing entries created by the Kubernetes Workload Registrar aren't compatible with SPIRE Controller Manager so they'll be deleted and replaced with new entries. Workloads will continue to function with their existing SVIDs. After switching over they'll get pushed new SVIDs based on the new entries.
 > **Note**
 > As we'll be deleting and creating entries, it's important to do this migration during a downtime window.
 ## Clean up Kubernetes Workload Registrar Resources
 First clean up the Kubernetes Workload Registrar and its resources.
 1. Delete the `ValidatingWebhookConfiguration`, `Service`, `Roles`, and other k8s-workload-registrar config. Not all of the resources below are applicable for all Kubernetes Workload Registrar modes, so if there's a "not found" message it's safe to ignore. In general make sure to clean up any Kubernetes Workload Registrar resources aside from the SPIRE Server and Kubernetes Workload Registrar itself. Those will be removed below.
   ```shell
   kubectl delete validatingwebhookconfigurations k8s-workload-registrar k8s-workload-registrar-webhook
   kubectl delete service k8s-workload-registrar -n spire
   kubectl delete clusterrolebindings k8s-workload-registrar-role-binding spire-k8s-registrar-cluster-role-binding
   kubectl delete clusterroles k8s-workload-registrar-role spire-k8s-registrar-cluster-role
   kubectl delete rolebinding spire-k8s-registrar-role-binding -n spire
   kubectl delete role spire-k8s-registrar-role -n spire
   kubectl delete configmaps k8s-workload-registrar k8s-workload-registrar-certs -n spire
   kubectl delete secret k8s-workload-registrar-secret
   ```
 ## Deploy Spire Controller Manager
 Next deploy the new SPIRE Controller Manager.
 1. Create the `ClusterSPIFFEID` Custom Resource Definition (CRD), `ValidatingWebhookConfiguration`, `Service`, `Roles`, and other SPIRE Controller Manager config.
   ```shell
   kubectl apply -f ../config/crd/bases/spire.spiffe.io_clusterspiffeids.yaml \
                 -f ../config/crd/bases/spire.spiffe.io_clusterfederatedtrustdomains.yaml \
                 -f ../config/crd/bases/spire.spiffe.io_clusterstaticentries.yaml \
                 -f config/spire-controller-manager-webhook.yaml \
                 -f config/leader_election_role.yaml \
                 -f config/leader_election_role_binding.yaml \
                 -f config/role.yaml \
                 -f config/role_binding.yaml \
                 -f config/spire-controller-manager-config.yaml \
                 -f config/spire-server.yaml
   ```
 1. Create the `ClusterSpiffeId` custom resource. The below example will create SPIFFE IDs with this shape: `spiffe://<trust domain>/ns/<namespace>/sa/<serviceaccount>`. Only Pods with the label `spiffe.io/spiffe-id: true` will have entries auto-created. This corresponds to the `identity_template` and `identity_template_label` configurables from CRD mode Kubernetes Workload Registrar. 
   ```shell
   kubectl apply -f config/clusterspiffeid.yaml
   ```
   > **Note**
   > See [FAQs](#faqs) for instructions on how to translate [label](#how-do-i-do-label-based-workload-registration), [annotation](#how-do-i-do-annotation-based-workload-registration), and [service account](#how-do-i-do-service-account-based-workload-registration) based workload registration. Also see [ClusterSPIFFEID definition][1] for more information on how to create the most suitable shape for your environment.
 ## Delete the Kubernetes Workload Registrar CRD (CRD mode only)
 The CRD mode requires an additional step of removing the SpiffeId CRD. SPIRE Controller Manager uses a different CRD, so this one needs to be removed and resources cleaned up.
 1. Manually remove the finalizers with the below script. SPIRE Controller Manager will automatically clean up entries, so the finalizers can safely be removed.
   ```shell
   for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2)
   do
     if [ $(kubectl get spiffeids -n $ns 2>/dev/null | wc -l) -ne 0 ]
     then
       kubectl patch spiffeid $(kubectl get spiffeids -n $ns | awk '{print $1}' | tail -n +2) --type='merge' -p '{"metadata":{"finalizers":null}}' -n $ns
     fi
   done
   ```
 1. Delete the SpiffeId CRD. This will delete all entries created by the k8s-workload-registrar. If you have a lot of SpiffeId resources this may take a little while to complete.
   ```shell
   kubectl delete crd spiffeids.spiffeid.spiffe.io
   ```
 ## Verify Spire Controller Manager Deployment
 Finally verify SPIRE Controller Manager deployed correctly.
 1. Verify the Pods came up correctly. The `spire-server-0` Pod should have two containers running in it.
   ```shell
   $ kubectl get pods -n spire
   NAME                READY   STATUS    RESTARTS      AGE
   spire-agent-5jkzg   1/1     Running   0             46m
   spire-server-0      2/2     Running   1 (11m ago)   11m
   ```
   > **Note**
   > It's ok to see a restart in the `spire-server-0` Pod. SPIRE Controller Manager relies on the SPIRE Server to get a certificate for it's Webhook, and when SPIRE Controller Manager comes up first it can't get that certificate and restarts. See [#39](https://github.com/spiffe/spire-controller-manager/issues/39).
 1. Deploy this example NGINX Deployment.
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/application/simple_deployment.yaml
   ```
 1. Add the 'spiffe.io/spiffe-id' label to the Deployment Template. This will reroll the Deployment.
   ```shell
   kubectl patch deployment nginx-deployment -p '{"spec":{"template":{"metadata":{"labels":{"spiffe.io/spiffe-id": "true"}}}}}'
   ```
 1. From the SPIRE Server you should see a single entry with SPIFFE ID `spiffe://example.org/ns/default/sa/default`.
   ```shell
   $ kubectl exec spire-server-0  -n spire -c spire-server -- ./bin/spire-server entry show
   Found 1 entry
   Entry ID         : c93a53bd-c313-4239-a13b-75ebf292db8f
   SPIFFE ID        : spiffe://example.org/ns/default/sa/default
   Parent ID        : spiffe://example.org/spire/agent/k8s_psat/demo-cluster/85ad58a6-64ae-4cc7-a126-f60dfa5b8139
   Revision         : 0
   X509-SVID TTL    : default
   JWT-SVID TTL     : default
   Selector         : k8s:pod-uid:dca56e85-142e-4de2-b04a-257ac8d7e3c8
   ```
 1. When done you can delete the NGINX deployment, this will automatically delete the SPIFFE ID.
   ```shell
   kubectl delete -f https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/application/simple_deployment.yaml
   ```
 ## FAQs
 ### How do I do label based workload registration?
 With this configuration Kubernetes Workload Registrar took a specified Label off of a Pod and used that to form the SPIFFE ID. For example:
 ```
 pod_label = "spiffe.io/spiffe-id"
 ```
 This can be done with the SPIRE Controller Manager with a config like the below:
 ```yaml
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ClusterSPIFFEID
 metadata:
  name: label-based
 spec:
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/{{ index .PodMeta.Labels \"spiffe.io/spiffe-id\" }}"
  podSelector:
    matchExpressions:
      - key: "spiffe.io/spiffe-id"
        operator: "Exists"
 ```
 The `matchExpressions` statement will select only Pods with the `spiffe.io/spiffe-id` label. For Pods with this label, the `spiffeIDTemplate` will extract the value of this label and use it to form the SPIFFE ID.
 > **Note**
 > Allowing the value of labels to directly populate a SPIFFE ID gives the power to create arbitrary SPIFFE IDs to anyone that can deploy a Pod in your cluster. It's better to define a SPIFFE ID using a template that doesn't depend on a label. See [ClusterSPIFFEID defintion][1] for more information.
 ### How do I do annotation based workload registration?
 There is no equivalent to this configuration in SPIRE Controller Manager. Annotations specifically don't allow for selecting Pods with a specific annotation, which SPIRE Controller Manager relies on. The easiest path forward is to convert the annotations to labels and use [label based workload registration]((#how-do-i-do-label-based-workload-registration)).
 ### How do I do service account based workload registration?
 This can be done with the SPIRE Controller Manager with a config like the below:
 ```yaml
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ClusterSPIFFEID
 metadata:
  name: service-account-based
 spec:
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
 ```
 > **Note**
 > This will create an entry for every Pod in the system. For use cases where every Pod needs a certificate this configuration will work well. If you prefer to limit what Pods get a certificate, restrict it with a label like in the main example in `config/clusterspiffeid.yaml`. Also see [ClusterSPIFFEID defintion][1] for more information.
 ### How do I federate trust domains?
 With Kubernetes Workload Registrar the Pod annotation `spiffe.io/federatesWith` is used to create SPIFFE ID's that federate with other trust domains. For example:
 ```yaml
 apiVersion: v1
 kind: Pod
 metadata:
  annotations:
    spiffe.io/federatesWith: example.io,example.ai
  name: test
  ...
 ```
 The equivalent with SPIRE Controller Manager is accomplished with the `federatesWith` field of the [ClusterSPIFFEID CRD][1].
 ```yaml
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ClusterSPIFFEID
 metadata:
  name: federation
 spec:
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
  podSelector:
    matchLabels:
      spiffe.io/spiffe-id: "true"
  federatesWith: ["example.io", "example.ai"]
 ```
 ### How do I add DNS names to my certificates?
 You can add multiple DNS names with the `dnsNameTemplates` field of the [ClusterSPIFFEID CRD][1].
 ```yaml
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ClusterSPIFFEID
 metadata:
  name: federation
 spec:
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
  podSelector:
    matchLabels:
      spiffe.io/spiffe-id: "true"
  dnsNameTemplates: ["{{ .PodMeta.Name }}", "my-custom-dns-name"]
 ```
 ### Does SPIRE Controller Manager automatically populate DNS Names of Services a Pod is attached to?
 Yes, this is enabled with the sample configuration in this migration guide. 
 For each [ClusterSPIFFEID][1] you want to auto populate DNS names for, set the `autoPopulateDNSNames` field there. See [example](config/clusterspiffeid.yaml).
 > **Note**
 > Spire Controller Manager 0.4.0 or later is required to auto populate DNS names.
 ### Can SPIRE Controller Manager be deployed in a different Pod from SPIRE Server?
 This is not supported with SPIRE Controller Manager, they must be in the same Pod. If you require them to be in separate Pods, please open a [new issue](https://github.com/spiffe/spire-controller-manager/issues/new) with your use case.
 ### Can I manually create entries like I could with the CRD Kubernetes Workload Registrar?
 Yes, but it requires the use of a separate CRD ([ClusterStaticEntry][2]).
 ### How do i see SPIRE Controller Manager logs?
 ```shell
 $ kubectl logs spire-server-0 -n spire -c spire-controller-manager
 2022-12-13T00:41:21.362Z	INFO	setup	Config loaded	{"cluster name": "demo-cluster", "trust domain": "example.org", "ignore namespaces": ["kube-system", "kube-public", "istio-system", "spire", "local-path-storage"], "gc interval": "10s", "spire server socket path": "/spire-server/api.sock"}
 2022-12-13T00:41:21.764Z	INFO	controller-runtime.metrics	metrics server is starting to listen	{"addr": "127.0.0.1:8082"}
 2022-12-13T00:41:21.807Z	INFO	webhook-manager	Minting webhook certificate	{"reason": "initializing", "dnsNames": ["spire-controller-manager-webhook-service.spire.svc"]}
 2022-12-13T00:41:21.828Z	INFO	webhook-manager	Minted webhook certificate
 2022-12-13T00:41:21.844Z	INFO	webhook-manager	Webhook configuration patched with CABundle
 ```
 ### I'm using CRD mode Kubernetes Workload Registrar, and it gets stuck deleting the SpiffeId CRD. What do I do?
 This can happen if the Kubernetes Workload Registrar is deleted before all the SpiffeId custom resources are removed. To get around this, manually remove the finalizers with the below script and try deleting the CRD again.
 ```shell
 for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2)
 do
  if [ $(kubectl get spiffeids -n $ns 2>/dev/null | wc -l) -ne 0 ]
  then
    kubectl patch spiffeid $(kubectl get spiffeids -n $ns | awk '{print $1}' | tail -n +2) --type='merge' -p '{"metadata":{"finalizers":null}}' -n $ns
  fi
 done
 ```
 ### Why can't Kubernetes Workload Registrar entries be reused with SPIRE Controller Manager?
 SPIRE Controller Manager uses a different scheme for parenting SPIFFE IDs. Though it is technically possible to modify all the entries, it's a lot easier to just allow SPIRE Controller Manager to automatically replace the entries.
 ### What happens if a Pod is deployed while I'm in the middle of this cut-over?
 SPIRE Controller Manager will reconcile the state of the system when it starts up. Any new Pods deployed after Kubernetes Workload Registrar is deleted and before SPIRE Controller Manager is up will have entries created when SPIRE Controller Manager is up.
 [1]: docs/clusterspiffeid-crd.md
 [2]: docs/clusterstaticentry-crd.md
--- a/migration/config/clusterspiffeid.yaml
+++ b/migration/config/clusterspiffeid.yaml
@ -0,0 +1,10 @@
 apiVersion: spire.spiffe.io/v1alpha1
 kind: ClusterSPIFFEID
 metadata:
  name: example
 spec:
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
  autoPopulateDNSNames: true
  podSelector:
    matchLabels:
      spiffe.io/spiffe-id: "true"
--- a/migration/config/leader_election_role.yaml
+++ b/migration/config/leader_election_role.yaml
@ -0,0 +1,16 @@
 # permissions to do leader election.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: leader-election-role
  namespace: spire
 rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
--- a/migration/config/leader_election_role_binding.yaml
+++ b/migration/config/leader_election_role_binding.yaml
@ -0,0 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: leader-election-rolebinding
  namespace: spire
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: leader-election-role
 subjects:
 - kind: ServiceAccount
  name: spire-server
  namespace: spire
--- a/migration/config/role.yaml
+++ b/migration/config/role.yaml
@ -0,0 +1,44 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: manager-role
 rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["get", "list", "patch", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterfederatedtrustdomains"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterfederatedtrustdomains/finalizers"]
    verbs: ["update"]
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterfederatedtrustdomains/status"]
    verbs: ["get", "patch", "update"]
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterspiffeids"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterspiffeids/finalizers"]
    verbs: ["update"]
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterspiffeids/status"]
    verbs: ["get", "patch", "update"]
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterstaticentries"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["spire.spiffe.io"]
    resources: ["clusterstaticentries/status"]
    verbs: ["get"]
--- a/migration/config/role_binding.yaml
+++ b/migration/config/role_binding.yaml
@ -0,0 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: manager-rolebinding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manager-role
 subjects:
 - kind: ServiceAccount
  name: spire-server
  namespace: spire
--- a/migration/config/spire-controller-manager-config.yaml
+++ b/migration/config/spire-controller-manager-config.yaml
@ -0,0 +1,25 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: spire-controller-manager-config
  namespace: spire
 data:
  spire-controller-manager-config.yaml: |
    apiVersion: spire.spiffe.io/v1alpha1
    kind: ControllerManagerConfig
    metrics:
      bindAddress: 127.0.0.1:8082
    health:
      healthProbeBindAddress: 127.0.0.1:8083
    leaderElection:
      leaderElect: true
      resourceName: 98c9c988.spiffe.io
      resourceNamespace: spire
    clusterName: demo-cluster
    trustDomain: example.org
    ignoreNamespaces:
      - kube-system
      - kube-public
      - istio-system
      - spire
      - local-path-storage
--- a/migration/config/spire-controller-manager-webhook.yaml
+++ b/migration/config/spire-controller-manager-webhook.yaml
@ -0,0 +1,33 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
  name: spire-controller-manager-webhook
 webhooks:
  - admissionReviewVersions: ["v1"]
    clientConfig:
      service:
        name: spire-controller-manager-webhook-service
        namespace: spire
        path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain
    failurePolicy: Fail
    name: vclusterfederatedtrustdomain.kb.io
    rules:
      - apiGroups: ["spire.spiffe.io"]
        apiVersions: ["v1alpha1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["clusterfederatedtrustdomains"]
    sideEffects: None
  - admissionReviewVersions: ["v1"]
    clientConfig:
      service:
        name: spire-controller-manager-webhook-service
        namespace: spire
        path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid
    failurePolicy: Fail
    name: vclusterspiffeid.kb.io
    rules:
      - apiGroups: ["spire.spiffe.io"]
        apiVersions: ["v1alpha1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["clusterspiffeids"]
    sideEffects: None
--- a/migration/config/spire-server.yaml
+++ b/migration/config/spire-server.yaml
@ -0,0 +1,277 @@
 # ServiceAccount used by the SPIRE server.
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: spire-server
  namespace: spire
 ---
 # Required cluster role to allow spire-server to query k8s API server
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: spire-server-cluster-role
 rules:
 - apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get"]
  # allow TokenReview requests (to verify service account tokens for PSAT
  # attestation)
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["get", "create"]
 ---
 # Binds above cluster role to spire-server service account
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: spire-server-cluster-role-binding
 subjects:
 - kind: ServiceAccount
  name: spire-server
  namespace: spire
 roleRef:
  kind: ClusterRole
  name: spire-server-cluster-role
  apiGroup: rbac.authorization.k8s.io
 ---
 # Role for the SPIRE server
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  namespace: spire
  name: spire-server-role
 rules:
  # allow "get" access to pods (to resolve selectors for PSAT attestation)
 - apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
  # allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE
  # agent bootstrapping, see the spire-bundle ConfigMap below)
 - apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["spire-bundle"]
  verbs: ["get", "patch"]
 ---
 # RoleBinding granting the spire-server-role to the SPIRE server
 # service account.
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: spire-server-role-binding
  namespace: spire
 subjects:
 - kind: ServiceAccount
  name: spire-server
  namespace: spire
 roleRef:
  kind: Role
  name: spire-server-role
  apiGroup: rbac.authorization.k8s.io
 ---
 # ConfigMap containing the latest trust bundle for the trust domain. It is
 # updated by SPIRE using the k8sbundle notifier plugin. SPIRE agents mount
 # this config map and use the certificate to bootstrap trust with the SPIRE
 # server during attestation.
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: spire-bundle
  namespace: spire
 ---
 # ConfigMap containing the SPIRE server configuration.
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: spire-server
  namespace: spire
 data:
  server.conf: |
    server {
      bind_address = "0.0.0.0"
      bind_port = "8081"
      trust_domain = "example.org"
      data_dir = "/run/spire/server/data"
      log_level = "DEBUG"
      federation {
        bundle_endpoint {
          address = "0.0.0.0"
          port = 8443
        }
      }
    }
    plugins {
      DataStore "sql" {
        plugin_data {
          database_type = "sqlite3"
          connection_string = "/run/spire/server/data/datastore.sqlite3"
        }
      }
      NodeAttestor "k8s_psat" {
        plugin_data {
          clusters = {
            "demo-cluster" = {
              service_account_allow_list = ["spire:spire-agent"]
            }
          }
        }
      }
      KeyManager "disk" {
        plugin_data {
          keys_path = "/run/spire/server/data/keys.json"
        }
      }
      Notifier "k8sbundle" {
        plugin_data {
          namespace = "spire"
        }
      }
    }
    health_checks {
      listener_enabled = true
      bind_address = "0.0.0.0"
      bind_port = "8080"
      live_path = "/live"
      ready_path = "/ready"
    }
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: spire-server
  namespace: spire
  labels:
    app: spire-server
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: spire-server
  serviceName: spire-server
  template:
    metadata:
      namespace: spire
      labels:
        app: spire-server
    spec:
      serviceAccountName: spire-server
      shareProcessNamespace: true
      containers:
        - name: spire-server
          image: ghcr.io/spiffe/spire-server:1.11.1
          imagePullPolicy: IfNotPresent
          args: ["-config", "/run/spire/server/config/server.conf"]
          ports:
            - containerPort: 8081
          volumeMounts:
            - name: spire-config
              mountPath: /run/spire/server/config
              readOnly: true
            - name: spire-data
              mountPath: /run/spire/server/data
            - name: spire-server-socket
              mountPath: /tmp/spire-server/private
        - name: spire-controller-manager
          image: ghcr.io/spiffe/spire-controller-manager:0.6.2
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9443
          args:
          - "--config=spire-controller-manager-config.yaml"
          volumeMounts:
            - name: spire-server-socket
              mountPath: /spire-server
              readOnly: true
            - name: spire-controller-manager-config
              mountPath: /spire-controller-manager-config.yaml
              subPath: spire-controller-manager-config.yaml
      volumes:
        - name: spire-config
          configMap:
            name: spire-server
        - name: spire-server-socket
          emptyDir: {}
        - name: spire-controller-manager-config
          configMap:
            name: spire-controller-manager-config
  volumeClaimTemplates:
    - metadata:
        name: spire-data
        namespace: spire
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
 ---
 # Service definition for SPIRE server defining the gRPC port.
 apiVersion: v1
 kind: Service
 metadata:
  name: spire-server
  namespace: spire
 spec:
  type: NodePort
  ports:
    - name: api
      port: 8081
      targetPort: 8081
      protocol: TCP
  selector:
    app: spire-server
 ---
 # Service definition for SPIRE server bundle endpoint
 apiVersion: v1
 kind: Service
 metadata:
  name: spire-server-bundle-endpoint
  namespace: spire
 spec:
  type: NodePort
  ports:
    - name: api
      port: 8443
      protocol: TCP
  selector:
    app: spire-server
 ---
 #
 # Service definition for SPIRE controller manager webhook
 apiVersion: v1
 kind: Service
 metadata:
  name: spire-controller-manager-webhook-service
  namespace: spire
 spec:
  ports:
    - port: 443
      protocol: TCP
      targetPort: 9443
  selector:
    app: spire-server
--- a/pkg/k8sapi/helpers.go
+++ b/pkg/k8sapi/helpers.go
@ -25,6 +25,14 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 func ListClusterStaticEntries(ctx context.Context, c client.Client) ([]spirev1alpha1.ClusterStaticEntry, error) {
 	var list spirev1alpha1.ClusterStaticEntryList
 	if err := c.List(ctx, &list); err != nil {
 		return nil, err
 	}
 	return list.Items, nil
 }
 func ListClusterSPIFFEIDs(ctx context.Context, c client.Client) ([]spirev1alpha1.ClusterSPIFFEID, error) {
 	var list spirev1alpha1.ClusterSPIFFEIDList
 	if err := c.List(ctx, &list); err != nil {
--- a/pkg/k8sapi/helpers_test.go
+++ b/pkg/k8sapi/helpers_test.go
@ -18,7 +18,7 @@ import (
 )
 var (
-	listErr = errors.New("list error")
+	errList = errors.New("list error")
 )
 func TestListClusterSPIFFEIDs(t *testing.T) {
@ -27,21 +27,21 @@ func TestListClusterSPIFFEIDs(t *testing.T) {
 	}
 	t.Run("list fails", func(t *testing.T) {
-		client := FailList(k8stest.NewClientBuilder().Build())
+		client := FailList(k8stest.NewClientBuilder(t).Build())
 		actual, err := k8sapi.ListClusterSPIFFEIDs(context.Background(), client)
-		assert.EqualError(t, err, listErr.Error())
+		assert.EqualError(t, err, errList.Error())
 		assert.Empty(t, actual)
 	})
 	t.Run("list empty", func(t *testing.T) {
-		client := k8stest.NewClientBuilder().Build()
+		client := k8stest.NewClientBuilder(t).Build()
 		actual, err := k8sapi.ListClusterSPIFFEIDs(context.Background(), client)
 		assert.NoError(t, err)
 		assert.Empty(t, actual)
 	})
 	t.Run("list not empty", func(t *testing.T) {
-		client := k8stest.NewClientBuilder().WithRuntimeObjects(&foo).Build()
+		client := k8stest.NewClientBuilder(t).WithRuntimeObjects(&foo).Build()
 		actual, err := k8sapi.ListClusterSPIFFEIDs(context.Background(), client)
 		assert.NoError(t, err)
 		assert.Equal(t, []spirev1alpha1.ClusterSPIFFEID{foo}, actual)
@ -54,21 +54,21 @@ func TestListClusterFederatedTrustDomains(t *testing.T) {
 	}
 	t.Run("list fails", func(t *testing.T) {
-		client := FailList(k8stest.NewClientBuilder().Build())
+		client := FailList(k8stest.NewClientBuilder(t).Build())
 		actual, err := k8sapi.ListClusterFederatedTrustDomains(context.Background(), client)
-		assert.EqualError(t, err, listErr.Error())
+		assert.EqualError(t, err, errList.Error())
 		assert.Empty(t, actual)
 	})
 	t.Run("list empty", func(t *testing.T) {
-		client := k8stest.NewClientBuilder().Build()
+		client := k8stest.NewClientBuilder(t).Build()
 		actual, err := k8sapi.ListClusterFederatedTrustDomains(context.Background(), client)
 		assert.NoError(t, err)
 		assert.Empty(t, actual)
 	})
 	t.Run("list not empty", func(t *testing.T) {
-		client := k8stest.NewClientBuilder().WithRuntimeObjects(&foo).Build()
+		client := k8stest.NewClientBuilder(t).WithRuntimeObjects(&foo).Build()
 		actual, err := k8sapi.ListClusterFederatedTrustDomains(context.Background(), client)
 		assert.NoError(t, err)
 		assert.Equal(t, []spirev1alpha1.ClusterFederatedTrustDomain{foo}, actual)
@ -84,9 +84,9 @@ func TestListNamespaces(t *testing.T) {
 	}
 	t.Run("list fails", func(t *testing.T) {
-		client := FailList(k8stest.NewClientBuilder().Build())
+		client := FailList(k8stest.NewClientBuilder(t).Build())
 		actual, err := k8sapi.ListNamespaces(context.Background(), client, nil)
-		assert.EqualError(t, err, listErr.Error())
+		assert.EqualError(t, err, errList.Error())
 		assert.Empty(t, actual)
 	})
@ -129,9 +129,9 @@ func TestListNamespacePods(t *testing.T) {
 	objects := []runtime.Object{&pod1, &pod2, &pod3}
 	t.Run("list fails", func(t *testing.T) {
-		client := FailList(k8stest.NewClientBuilder().Build())
+		client := FailList(k8stest.NewClientBuilder(t).Build())
 		actual, err := k8sapi.ListNamespacePods(context.Background(), client, "ns1", nil)
-		assert.EqualError(t, err, listErr.Error())
+		assert.EqualError(t, err, errList.Error())
 		assert.Empty(t, actual)
 	})
@ -168,6 +168,6 @@ type failList struct {
 	client.Client
 }
-func (c failList) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error {
+func (c failList) List(context.Context, client.ObjectList, ...client.ListOption) error {
-	return listErr
+	return errList
 }
--- a/pkg/metrics/controller_runtime.go
+++ b/pkg/metrics/controller_runtime.go
@ -0,0 +1,18 @@
 package metrics
 import "github.com/prometheus/client_golang/prometheus"
 const (
 	StaticEntryFailures = "cluster_static_entry_failures"
 )
 var (
 	PromCounters = map[string]prometheus.Counter{
 		StaticEntryFailures: prometheus.NewGauge(
 			prometheus.GaugeOpts{
 				Name: StaticEntryFailures,
 				Help: "Number of cluster static entry render failures",
 			},
 		),
 	}
 )
--- a/pkg/namespace/namespace.go
+++ b/pkg/namespace/namespace.go
@ -0,0 +1,15 @@
 package namespace
 import (
 	"regexp"
 )
 func IsIgnored(ignoredNamespaces []*regexp.Regexp, namespace string) bool {
 	for _, regex := range ignoredNamespaces {
 		if regex.MatchString(namespace) {
 			return true
 		}
 	}
 	return false
 }
--- a/pkg/namespace/namespace_test.go
+++ b/pkg/namespace/namespace_test.go
@ -0,0 +1,32 @@
 package namespace_test
 import (
 	"regexp"
 	"testing"
 	"github.com/spiffe/spire-controller-manager/pkg/namespace"
 	"github.com/stretchr/testify/require"
 )
 func TestIsIgnored(t *testing.T) {
 	ignoredNamespaces := []*regexp.Regexp{
 		regexp.MustCompile("s([a-z]+)re"),
 		regexp.MustCompile("default"),
 	}
 	tests := []struct {
 		namespace string
 		expected  bool
 	}{
 		{"spire", true},
 		{"default", true},
 		{"spiffe", false},
 		{"kubernetes", false},
 	}
 	for _, test := range tests {
 		actual := namespace.IsIgnored(ignoredNamespaces, test.namespace)
 		require.Equalf(t, test.expected, actual, "IsIgnored(%s, %s): expected does not equal actual",
 			ignoredNamespaces, test.namespace)
 	}
 }
--- a/pkg/reconciler/reconciler.go
+++ b/pkg/reconciler/reconciler.go
@ -25,6 +25,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 const EndpointUID string = "subsets.addresses.targetRef.uid"
 type Triggerer interface {
 	Trigger()
 }
--- a/Show More
+++ b/Show More
`@ -1 +1 @@`
	`* @azdagron @MarcosDY`	`* @azdagron @MarcosDY @kfox1111`