Bump github.com/spiffe/spire-api-sdk from 1.12.0 to 1.12.4 (#540)

Bumps [github.com/spiffe/spire-api-sdk](https://github.com/spiffe/spire-api-sdk) from 1.12.0 to 1.12.4.
- [Commits](https://github.com/spiffe/spire-api-sdk/compare/v1.12.0...v1.12.4)

---
updated-dependencies:
- dependency-name: github.com/spiffe/spire-api-sdk
  dependency-version: 1.12.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/dependabot.yaml

@@ -9,6 +9,10 @@ updates:
       k8s.io:
         patterns:
           - "k8s.io/*"
+  - package-ecosystem: gomod
+    directory: /demo/greeter
+    schedule:
+      interval: daily
   - package-ecosystem: github-actions
     directory: /
     schedule:

.github/workflows/nightly_build.yaml

@@ -20,7 +20,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.20.1
+          go-version-file: 'go.mod'
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
@@ -30,7 +30,7 @@ jobs:
       - name: Build image
         run: make docker-build
       - name: Log in to GHCR
-        uses: docker/login-action@v3.0.0
+        uses: docker/login-action@v3.4.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/pr_build.yaml

@@ -2,8 +2,6 @@ name: PR Build
 on:
   pull_request: {}
   workflow_dispatch: {}
-env:
-  GO_VERSION: 1.20.1
 
 jobs:
   lint:
@@ -15,7 +13,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
       - name: Lint
         run: make lint
 
@@ -31,7 +29,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
       - name: Run unit tests
         run: make test
 
@@ -47,7 +45,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
@@ -57,7 +55,7 @@ jobs:
       - name: Export images
         run: tar -czvf images.tar.gz *-image.tar
       - name: Archive image
-        uses: actions/upload-artifact@v4.3.1
+        uses: actions/upload-artifact@v4.6.2
         with:
           name: images
           path: images.tar.gz
@@ -76,7 +74,7 @@ jobs:
       - name: Install regctl
         uses: regclient/actions/regctl-installer@main
       - name: Download archived image
-        uses: actions/download-artifact@v4.1.2
+        uses: actions/download-artifact@v4.3.0
         with:
           name: images
           path: .

.github/workflows/release_build.yaml

@@ -3,7 +3,6 @@ on:
   push:
     tags:
       - 'v[0-9].[0-9]+.[0-9]+'
-
 jobs:
   build-image:
     runs-on: ubuntu-22.04
@@ -17,7 +16,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.20.1
+          go-version-file: 'go.mod'
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
@@ -27,7 +26,7 @@ jobs:
       - name: Export image
         run: tar -czvf images.tar.gz *-image.tar
       - name: Archive image
-        uses: actions/upload-artifact@v4.3.1
+        uses: actions/upload-artifact@v4.6.2
         with:
           name: images
           path: images.tar.gz
@@ -46,7 +45,7 @@ jobs:
       - name: Install regctl
         uses: regclient/actions/regctl-installer@main
       - name: Download archived image
-        uses: actions/download-artifact@v4.1.2
+        uses: actions/download-artifact@v4.3.0
         with:
           name: images
           path: .
@@ -75,12 +74,12 @@ jobs:
       - name: Install regctl
         uses: regclient/actions/regctl-installer@main
       - name: Download archived image
-        uses: actions/download-artifact@v4.1.2
+        uses: actions/download-artifact@v4.3.0
         with:
           name: images
           path: .
       - name: Log in to GHCR
-        uses: docker/login-action@v3.0.0
+        uses: docker/login-action@v3.4.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.go-version

@@ -0,0 +1 @@
+1.23.4

.golangci.yml

@@ -1,24 +1,33 @@
 run:
   # timeout for analysis, e.g. 30s, 5m, default is 1m
-  deadline: 10m
+  timeout: 12m
 
 linters:
   enable:
     - bodyclose
-    - depguard
     - durationcheck
     - errorlint
+    - gofmt
     - goimports
     - revive
     - gosec
     - misspell
     - nakedret
+    - nilerr
     - unconvert
     - unparam
+    - intrange
     - whitespace
     - gocritic
+    - wastedassign
+    - nolintlint
 
 linters-settings:
+  govet:
+    enable:
+      - nilness
+      - sortslice
+      - unusedwrite
   revive:
     # minimal confidence for issues, default is 0.8
     min-confidence: 0.0

.scripts/common

@@ -32,7 +32,7 @@ case "${ARCH1}" in
 x86_64)
     ARCH2=amd64
     ;;
-aarch64)
+aarch64|arm64)
     ARCH2=arm64
     ;;
 *)

CHANGELOG.md

@@ -1,5 +1,60 @@
 # Changelog
 
+## [0.6.2] - 2025-04-17
+
+### Added
+
+- Support `staticManifestPath`: watch a directory for CRs instead of using Kubernetes API (#411)
+
+## [0.6.1] - 2025-02-14
+
+### Added
+
+- Support for configuring the log level (#388, #464)
+- New metrics to track `ClusterStaticEntry` failures (#387)
+
+### Fixed
+
+- Failed controller upgrade when webhook certificate is expired (#450)
+
+### Updated
+
+- Minor documentation changes (#435, #443)
+- Version used in migration guide (#465)
+
+## [0.6.0] - 2024-10-03
+
+<font size='7'>:rotating_light: ***PLEASE READ BEFORE UPGRADING*** :rotating_light:</font>
+
+This version contains changes in the `ClusterSPIFFEID` CRD. Before upgrading you __MUST__ do the following:
+
+- Update the CRD in your cluster (see [here](./config/crd/bases/spire.spiffe.io_clusterspiffeids.yaml)).
+
+### Added
+
+- Hint field to the ClusterSPIFFEID CRD that controls the hint on resulting entries (#416)
+- Fallback field to the ClusterSPIFFEID CRD which causes the CR to only apply if no other non-fallback CRs have been applied to a given pod (#415)
+- Missing documentation for the className on the ClusterFederatedTrustDomain CRD (#413)
+
+## [0.5.0] - 2024-04-10
+
+<font size='7'>:rotating_light: ***PLEASE READ BEFORE UPGRADING*** :rotating_light:</font>
+
+This version contains changes in the `ClusterStaticEntry` CRD. Before upgrading you __MUST__ do the following:
+
+- Update the CRD in your cluster (see [here](.config/crd/bases/spire.spiffe.io_clusterstaticentries.yaml)).
+
+### Added
+
+- Support for `storeSVID` on ClusterStaticEntry (#304)
+- Support for more than one spire-controller-manager managing entries against a single SPIRE server cluster via entry prefixes (#325)
+
+## [0.4.4] - 2024-04-05
+
+### Security
+
+- Updated Golang to 1.21.9 to address CVE-2023-45288 (#338)
+
 ## [0.4.3] - 2024-02-22
 
 ### Added

CODEOWNERS

@@ -1 +1 @@
-* @azdagron @MarcosDY
+* @azdagron @MarcosDY @kfox1111

Dockerfile

@@ -1,5 +1,7 @@
+ARG goversion
+
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM} golang:1.21.5-alpine as base
+FROM --platform=${BUILDPLATFORM} golang:${goversion}-alpine AS base
 WORKDIR /workspace
 # Copy the Go Modules manifests
 COPY go.* ./
@@ -20,7 +22,7 @@ COPY pkg/ pkg/
 FROM --platform=${BUILDPLATFORM} tonistiigi/xx@sha256:904fe94f236d36d65aeb5a2462f88f2c537b8360475f6342e7599194f291fb7e AS xx
 
 # Build
-FROM --platform=${BUILDPLATFORM} base as builder
+FROM --platform=${BUILDPLATFORM} base AS builder
 ARG TARGETPLATFORM
 ARG TARGETARCH
 ENV CGO_ENABLED=0

Makefile

@@ -77,9 +77,10 @@ endif
 
 ##@ Vars
 
+go_version := $(shell cat .go-version)
 build_dir := $(DIR)/.build/$(os1)-$(arch1)
 
-golangci_lint_version = v1.52.2
+golangci_lint_version = v1.60.1
 golangci_lint_dir = $(build_dir)/golangci_lint/$(golangci_lint_version)
 golangci_lint_bin = $(golangci_lint_dir)/golangci-lint
 golangci_lint_cache = $(golangci_lint_dir)/cache
@@ -167,6 +168,7 @@ spire-controller-manager-image.tar: Dockerfile FORCE | container-builder
 	$(CONTAINER_TOOL) buildx build \
 		--platform $(PLATFORMS) \
 		--target spire-controller-manager \
+		--build-arg goversion=$(go_version) \
 		-o type=oci,dest=$@ \
 	    .
 
@@ -216,7 +218,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.1.1
-CONTROLLER_TOOLS_VERSION ?= v0.13.0
+CONTROLLER_TOOLS_VERSION ?= v0.14.0
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading.

README.md

@@ -87,12 +87,13 @@ verify that [manager-role](/config/rbac/role.yaml) is up-to-date.
 The SPIRE APIs used by the SPIRE Controller Manager are generally stable and
 supported since at least SPIRE v1.0. However, the API has gained support for
 additional entry fields beyond what was supported in SPIRE v1.0. Notably, these
-include both the `jwt_svid_ttl` and the `hint` fields. The ClusterStaticEntry
-CRD allows these fields to be set, however, a SPIRE server that does not
-support these fields will not retain them. This means if these fields are set
-on a ClusterStaticEntry with an older version of SPIRE, the SPIRE Controller
-Manager will continously try to reconcile SPIRE server. In order to use these
-fields, you must be on a version of SPIRE Server which supports them.
+include the `jwt_svid_ttl`, `hint` and the `store_svid` fields. The
+ClusterStaticEntry CRD allows these fields to be set, however, a SPIRE server
+that does not support these fields will not retain them. This means if these
+fields are set on a ClusterStaticEntry with an older version of SPIRE, the
+SPIRE Controller Manager will continously try to reconcile SPIRE server. In
+order to use these fields, you must be on a version of SPIRE Server which
+supports them.
 
 At the moment, SPIRE Controller Manager will silently try and reconcile these
 fields over and over. Future updates may cause the SPIRE Controller Manager
@@ -103,6 +104,8 @@ The `hint` field is supported as of SPIRE 1.6.3.
 
 The `jwt_svid_ttl` field is supported as of SPIRE 1.5.0.
 
+The `store_svid` field is supported as of SPIRE 1.1.0.
+
 ## Demo
 
 [Link](demo)

api/v1alpha1/clusterfederatedtrustdomain_loader.go

@@ -0,0 +1,61 @@
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+func loadClusterFederatedTrustDomainFile(path string, scheme *runtime.Scheme, expandEnv bool) (*ClusterFederatedTrustDomain, error) {
+	var entry ClusterFederatedTrustDomain
+	content, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("could not read file at %s: %w", path, err)
+	}
+
+	if expandEnv {
+		content = []byte(os.ExpandEnv(string(content)))
+	}
+
+	codecs := serializer.NewCodecFactory(scheme)
+
+	// Regardless of if the bytes are of any external version,
+	// it will be read successfully and converted into the internal version
+	if err = runtime.DecodeInto(codecs.UniversalDecoder(), content, &entry); err != nil {
+		return nil, fmt.Errorf("could not decode file (%s) into runtime.Object: %w", path, err)
+	}
+
+	return &entry, nil
+}
+
+func ListClusterFederatedTrustDomains(_ context.Context, manifestPath string) ([]ClusterFederatedTrustDomain, error) {
+	scheme := runtime.NewScheme()
+	res := make([]ClusterFederatedTrustDomain, 0)
+	expandEnv := false
+	files, err := os.ReadDir(manifestPath)
+	if err != nil {
+		return nil, err
+	}
+	for _, file := range files {
+		if !strings.HasSuffix(file.Name(), ".yaml") {
+			continue
+		}
+		fullfile := path.Join(manifestPath, file.Name())
+		entry, err := loadClusterFederatedTrustDomainFile(fullfile, scheme, expandEnv)
+		// Ignore files of the wrong type in manifestPath
+		if entry.APIVersion != "spire.spiffe.io/v1alpha1" || entry.Kind != "ClusterFederatedTrustDomain" {
+			continue
+		}
+		// Right file type, but error loading
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, *entry)
+	}
+	return res, nil
+}

api/v1alpha1/clusterfederatedtrustdomain_webhook.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"context"
 	"fmt"
 	"strings"
 
@@ -36,6 +37,7 @@ var clusterfederatedtrustdomainlog = logf.Log.WithName("clusterfederatedtrustdom
 func (r *ClusterFederatedTrustDomain) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
+		WithValidator(&ClusterFederatedTrustDomainCustomValidator{}).
 		Complete()
 }
 
@@ -44,28 +46,40 @@ func (r *ClusterFederatedTrustDomain) SetupWebhookWithManager(mgr ctrl.Manager)
 // TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
 //+kubebuilder:webhook:path=/validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain,mutating=false,failurePolicy=fail,sideEffects=None,groups=spire.spiffe.io,resources=clusterfederatedtrustdomains,verbs=create;update,versions=v1alpha1,name=vclusterfederatedtrustdomain.kb.io,admissionReviewVersions=v1
 
-var _ webhook.Validator = &ClusterFederatedTrustDomain{}
-
-// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *ClusterFederatedTrustDomain) ValidateCreate() (admission.Warnings, error) {
-	clusterfederatedtrustdomainlog.Info("validate create", "name", r.Name)
-	return r.validate()
+type ClusterFederatedTrustDomainCustomValidator struct {
+	// TODO(user): Add more fields as needed for validation
 }
 
-// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *ClusterFederatedTrustDomain) ValidateUpdate(runtime.Object) (admission.Warnings, error) {
-	clusterfederatedtrustdomainlog.Info("validate update", "name", r.Name)
-	return r.validate()
+var _ webhook.CustomValidator = &ClusterFederatedTrustDomainCustomValidator{}
+
+// ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type
+func (r *ClusterFederatedTrustDomainCustomValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
+	o, ok := obj.(*ClusterFederatedTrustDomain)
+	if !ok {
+		return nil, fmt.Errorf("expected a ClusterFederatedTrustDomain object but got %T", obj)
+	}
+	clusterfederatedtrustdomainlog.Info("validate create", "name", o.Name)
+	return r.validate(o)
 }
 
-// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *ClusterFederatedTrustDomain) ValidateDelete() (admission.Warnings, error) {
+// ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type
+func (r *ClusterFederatedTrustDomainCustomValidator) ValidateUpdate(_ context.Context, _ runtime.Object, nobj runtime.Object) (admission.Warnings, error) {
+	o, ok := nobj.(*ClusterFederatedTrustDomain)
+	if !ok {
+		return nil, fmt.Errorf("expected a ClusterFederatedTrustDomain object but got %T", nobj)
+	}
+	clusterfederatedtrustdomainlog.Info("validate update", "name", o.Name)
+	return r.validate(o)
+}
+
+// ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type
+func (r *ClusterFederatedTrustDomainCustomValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
 	// Deletes are not validated.
 	return nil, nil
 }
 
-func (r *ClusterFederatedTrustDomain) validate() (admission.Warnings, error) {
-	_, err := ParseClusterFederatedTrustDomainSpec(&r.Spec)
+func (r *ClusterFederatedTrustDomainCustomValidator) validate(o *ClusterFederatedTrustDomain) (admission.Warnings, error) {
+	_, err := ParseClusterFederatedTrustDomainSpec(&o.Spec)
 	return nil, err
 }
 

api/v1alpha1/clusterspiffeid_types.go

@@ -78,6 +78,14 @@ type ClusterSPIFFEIDSpec struct {
 	// Set which Controller Class will act on this object
 	// +kubebuilder:validation:Optional
 	ClassName string `json:"className,omitempty"`
+
+	// Apply this ID only if there are no other matching non fallback ClusterSPIFFEIDs.
+	// +kubebuilder:validation:Optional
+	Fallback bool `json:"fallback,omitempty"`
+
+	// Set the entry hint
+	// +kubebuilder:validation:Optional
+	Hint string `json:"hint,omitempty"`
 }
 
 // ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID

api/v1alpha1/clusterspiffeid_webhook.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"text/template"
@@ -44,6 +45,7 @@ var clusterspiffeidlog = logf.Log.WithName("clusterspiffeid-resource")
 func (r *ClusterSPIFFEID) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
+		WithValidator(&ClusterSPIFFEIDCustomValidator{}).
 		Complete()
 }
 
@@ -52,30 +54,42 @@ func (r *ClusterSPIFFEID) SetupWebhookWithManager(mgr ctrl.Manager) error {
 // TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
 //+kubebuilder:webhook:path=/validate-spire-spiffe-io-v1alpha1-clusterspiffeid,mutating=false,failurePolicy=fail,sideEffects=None,groups=spire.spiffe.io,resources=clusterspiffeids,verbs=create;update,versions=v1alpha1,name=vclusterspiffeid.kb.io,admissionReviewVersions=v1
 
-var _ webhook.Validator = &ClusterSPIFFEID{}
-
-// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *ClusterSPIFFEID) ValidateCreate() (admission.Warnings, error) {
-	clusterspiffeidlog.Info("validate create", "name", r.Name)
-
-	return r.validate()
+type ClusterSPIFFEIDCustomValidator struct {
+	// TODO(user): Add more fields as needed for validation
 }
 
-// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *ClusterSPIFFEID) ValidateUpdate(runtime.Object) (admission.Warnings, error) {
-	clusterspiffeidlog.Info("validate update", "name", r.Name)
+var _ webhook.CustomValidator = &ClusterSPIFFEIDCustomValidator{}
 
-	return r.validate()
+// ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type
+func (r *ClusterSPIFFEIDCustomValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
+	o, ok := obj.(*ClusterSPIFFEID)
+	if !ok {
+		return nil, fmt.Errorf("expected a ClusterSPIFFEID object but got %T", obj)
+	}
+	clusterspiffeidlog.Info("validate create", "name", o.Name)
+
+	return r.validate(o)
 }
 
-// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *ClusterSPIFFEID) ValidateDelete() (admission.Warnings, error) {
+// ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type
+func (r *ClusterSPIFFEIDCustomValidator) ValidateUpdate(_ context.Context, _ runtime.Object, nobj runtime.Object) (admission.Warnings, error) {
+	o, ok := nobj.(*ClusterSPIFFEID)
+	if !ok {
+		return nil, fmt.Errorf("expected a ClusterSPIFFEID object but got %T", nobj)
+	}
+	clusterspiffeidlog.Info("validate update", "name", o.Name)
+
+	return r.validate(o)
+}
+
+// ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type
+func (r *ClusterSPIFFEIDCustomValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
 	// Deletes are not validated.
 	return nil, nil
 }
 
-func (r *ClusterSPIFFEID) validate() (admission.Warnings, error) {
-	_, err := ParseClusterSPIFFEIDSpec(&r.Spec)
+func (r *ClusterSPIFFEIDCustomValidator) validate(o *ClusterSPIFFEID) (admission.Warnings, error) {
+	_, err := ParseClusterSPIFFEIDSpec(&o.Spec)
 	return nil, err
 }
 
@@ -93,6 +107,7 @@ type ParsedClusterSPIFFEIDSpec struct {
 	Admin                     bool
 	Downstream                bool
 	AutoPopulateDNSNames      bool
+	Hint                      string
 }
 
 // ParseClusterSPIFFEIDSpec parses and validates the fields in the ClusterSPIFFEIDSpec
@@ -161,5 +176,6 @@ func ParseClusterSPIFFEIDSpec(spec *ClusterSPIFFEIDSpec) (*ParsedClusterSPIFFEID
 		Admin:                     spec.Admin,
 		Downstream:                spec.Downstream,
 		AutoPopulateDNSNames:      spec.AutoPopulateDNSNames,
+		Hint:                      spec.Hint,
 	}, nil
 }

api/v1alpha1/clusterstaticentry_loader.go

@@ -0,0 +1,61 @@
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+func loadClusterStaticEntryFile(path string, scheme *runtime.Scheme, expandEnv bool) (*ClusterStaticEntry, error) {
+	var entry ClusterStaticEntry
+	content, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("could not read file at %s: %w", path, err)
+	}
+
+	if expandEnv {
+		content = []byte(os.ExpandEnv(string(content)))
+	}
+
+	codecs := serializer.NewCodecFactory(scheme)
+
+	// Regardless of if the bytes are of any external version,
+	// it will be read successfully and converted into the internal version
+	if err = runtime.DecodeInto(codecs.UniversalDecoder(), content, &entry); err != nil {
+		return nil, fmt.Errorf("could not decode file (%s) into runtime.Object: %w", path, err)
+	}
+
+	return &entry, nil
+}
+
+func ListClusterStaticEntries(_ context.Context, manifestPath string) ([]ClusterStaticEntry, error) {
+	scheme := runtime.NewScheme()
+	res := make([]ClusterStaticEntry, 0)
+	expandEnv := false
+	files, err := os.ReadDir(manifestPath)
+	if err != nil {
+		return nil, err
+	}
+	for _, file := range files {
+		if !strings.HasSuffix(file.Name(), ".yaml") {
+			continue
+		}
+		fullfile := path.Join(manifestPath, file.Name())
+		entry, err := loadClusterStaticEntryFile(fullfile, scheme, expandEnv)
+		// Ignore files of the wrong type in manifestPath
+		if entry.APIVersion != "spire.spiffe.io/v1alpha1" || entry.Kind != "ClusterStaticEntry" {
+			continue
+		}
+		// Right file type, but error loading
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, *entry)
+	}
+	return res, nil
+}

api/v1alpha1/clusterstaticentry_types.go

@@ -35,6 +35,7 @@ type ClusterStaticEntrySpec struct {
 	Hint          string          `json:"hint,omitempty"`
 	Admin         bool            `json:"admin,omitempty"`
 	Downstream    bool            `json:"downstream,omitempty"`
+	StoreSVID     bool            `json:"storeSVID,omitempty"`
 	// Set which Controller Class will act on this object
 	// +kubebuilder:validation:Optional
 	ClassName string `json:"className,omitempty"`

api/v1alpha1/controllermanagerconfig_types.go

@@ -56,6 +56,12 @@ type ControllerManagerConfig struct {
 
 	// SPIREServerSocketPath is the path to the SPIRE Server API socket
 	SPIREServerSocketPath string `json:"spireServerSocketPath"`
+
+	// LogLevel is the log level for the controller manager
+	LogLevel string `json:"logLevel"`
+
+	// LogEncoding is the log encoding for the controller manager
+	LogEncoding string `json:"logEncoding"`
 }
 
 // ControllerManagerConfigurationSpec defines the desired state of GenericControllerManagerConfiguration.
@@ -129,6 +135,19 @@ type ControllerManagerConfigurationSpec struct {
 	// If specified, only syncs the specified CR types. Defaults to all.
 	// +optional
 	Reconcile *ReconcileConfig `json:"reconcile,omitempty"`
+
+	// If specified, prefixes each entry id with `<prefix>.`. Entries without the Prefix will be ignored (except ones marked for cleanup, see EntryIDPrefixCleanup).
+	// +optiional
+	EntryIDPrefix string `json:"entryIDPrefix,omitempty"`
+
+	// If specified, entries with the specified prefix will be removed. If set to "" it will clean up all unprefixed entries.
+	// It can not be set to the same value as EntryIDPrefix.
+	// Generally useful when switching from nonprefixed to prefixed, or between two different prefixes.
+	// +optiional
+	EntryIDPrefixCleanup *string `json:"entryIDPrefixCleanup,omitempty"`
+
+	// When configured, read yaml objects from the specified path rather then from Kubernetes.
+	StaticManifestPath *string `json:"staticManifestPath,omitempty"`
 }
 
 // ReconcileConfig configuration used to enable/disable syncing various types

api/v1alpha1/webhook_suite_test.go

@@ -26,8 +26,8 @@ import (
 	"testing"
 	"time"
 
-	. "github.com/onsi/ginkgo/v2"
-	. "github.com/onsi/gomega"
+	. "github.com/onsi/ginkgo/v2" //nolint:revive // auto-generated
+	. "github.com/onsi/gomega"    //nolint:revive // auto-generated
 
 	admissionv1 "k8s.io/api/admission/v1"
 	//+kubebuilder:scaffold:imports
@@ -132,7 +132,7 @@ var _ = BeforeSuite(func() {
 	dialer := &net.Dialer{Timeout: time.Second}
 	addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort)
 	Eventually(func() error {
-		conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true}) // nolint: gosec // this is intentional for the unit test
+		conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true}) //nolint: gosec // this is intentional for the unit test
 		if err != nil {
 			return err
 		}

api/v1alpha1/zz_generated.deepcopy.go

@@ -69,6 +69,21 @@ func (in *ClusterFederatedTrustDomain) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterFederatedTrustDomainCustomValidator) DeepCopyInto(out *ClusterFederatedTrustDomainCustomValidator) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterFederatedTrustDomainCustomValidator.
+func (in *ClusterFederatedTrustDomainCustomValidator) DeepCopy() *ClusterFederatedTrustDomainCustomValidator {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterFederatedTrustDomainCustomValidator)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterFederatedTrustDomainList) DeepCopyInto(out *ClusterFederatedTrustDomainList) {
 	*out = *in
@@ -159,6 +174,21 @@ func (in *ClusterSPIFFEID) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterSPIFFEIDCustomValidator) DeepCopyInto(out *ClusterSPIFFEIDCustomValidator) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSPIFFEIDCustomValidator.
+func (in *ClusterSPIFFEIDCustomValidator) DeepCopy() *ClusterSPIFFEIDCustomValidator {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterSPIFFEIDCustomValidator)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterSPIFFEIDList) DeepCopyInto(out *ClusterSPIFFEIDList) {
 	*out = *in
@@ -494,6 +524,16 @@ func (in *ControllerManagerConfigurationSpec) DeepCopyInto(out *ControllerManage
 		*out = new(ReconcileConfig)
 		**out = **in
 	}
+	if in.EntryIDPrefixCleanup != nil {
+		in, out := &in.EntryIDPrefixCleanup, &out.EntryIDPrefixCleanup
+		*out = new(string)
+		**out = **in
+	}
+	if in.StaticManifestPath != nil {
+		in, out := &in.StaticManifestPath, &out.StaticManifestPath
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControllerManagerConfigurationSpec.

cmd/main.go

@@ -26,6 +26,7 @@ import (
 	"path/filepath"
 	"regexp"
 	"strings"
+	"sync"
 	"text/template"
 	"time"
 
@@ -35,6 +36,7 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/client-go/rest"
 
+	"go.uber.org/zap/zapcore"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -42,11 +44,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
+	k8sMetrics "sigs.k8s.io/controller-runtime/pkg/metrics"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	spirev1alpha1 "github.com/spiffe/spire-controller-manager/api/v1alpha1"
 	"github.com/spiffe/spire-controller-manager/internal/controller"
+	"github.com/spiffe/spire-controller-manager/pkg/metrics"
 	"github.com/spiffe/spire-controller-manager/pkg/reconciler"
 	"github.com/spiffe/spire-controller-manager/pkg/spireapi"
 	"github.com/spiffe/spire-controller-manager/pkg/spireentry"
@@ -66,6 +70,8 @@ type Config struct {
 const (
 	defaultSPIREServerSocketPath = "/spire-server/api.sock"
 	defaultGCInterval            = 10 * time.Second
+	defaultLogLevel              = "info"
+	defaultLogEncoding           = "console"
 	k8sDefaultService            = "kubernetes.default.svc"
 )
 
@@ -78,6 +84,10 @@ func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
 	utilruntime.Must(spirev1alpha1.AddToScheme(scheme))
+
+	k8sMetrics.Registry.MustRegister(
+		metrics.PromCounters[metrics.StaticEntryFailures],
+	)
 	//+kubebuilder:scaffold:scheme
 }
 
@@ -88,11 +98,24 @@ func main() {
 		os.Exit(1)
 	}
 
+	if mainConfig.ctrlConfig.StaticManifestPath != nil {
+		if err := staticRun(mainConfig); err != nil {
+			os.Exit(1)
+		}
+	}
+
 	if err := run(mainConfig); err != nil {
 		os.Exit(1)
 	}
 }
 
+func addDotSuffix(val string) string {
+	if val != "" && !strings.HasSuffix(val, ".") {
+		val += "."
+	}
+	return val
+}
+
 func parseConfig() (Config, error) {
 	var retval Config
 	var configFileFlag string
@@ -104,30 +127,30 @@ func parseConfig() (Config, error) {
 			"Command-line flags override configuration from this file.")
 	flag.StringVar(&spireAPISocketFlag, "spire-api-socket", "", "The path to the SPIRE API socket (deprecated; use the config file)")
 	flag.BoolVar(&expandEnvFlag, "expand-env", false, "Expand environment variables in SPIRE Controller Manager config file")
-
-	// Parse log flags
 	opts := zap.Options{
 		Development: true,
 	}
 	opts.BindFlags(flag.CommandLine)
 	flag.Parse()
 
-	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
-
 	// Set default values
 	retval.ctrlConfig = spirev1alpha1.ControllerManagerConfig{
 		IgnoreNamespaces:                   []string{"kube-system", "kube-public", "spire-system"},
 		GCInterval:                         defaultGCInterval,
 		ValidatingWebhookConfigurationName: "spire-controller-manager-webhook",
+		LogLevel:                           defaultLogLevel,
+		LogEncoding:                        defaultLogEncoding,
 	}
 
 	retval.options = ctrl.Options{Scheme: scheme}
 
+	// Setup logger to zap's default log level so errors parsing the config which contains the desired log level are logged
+	_ = setLogger(&opts, "", "")
+
 	if configFileFlag != "" {
 		if err := spirev1alpha1.LoadOptionsFromFile(configFileFlag, scheme, &retval.options, &retval.ctrlConfig, expandEnvFlag); err != nil {
 			return retval, fmt.Errorf("unable to load the config file: %w", err)
 		}
-
 		for _, ignoredNamespace := range retval.ctrlConfig.IgnoreNamespaces {
 			regex, err := regexp.Compile(ignoredNamespace)
 			if err != nil {
@@ -137,6 +160,13 @@ func parseConfig() (Config, error) {
 			retval.ignoreNamespacesRegex = append(retval.ignoreNamespacesRegex, regex)
 		}
 	}
+
+	// Parse log flags
+	if err := setLogger(&opts, retval.ctrlConfig.LogLevel, retval.ctrlConfig.LogEncoding); err != nil {
+		return retval, fmt.Errorf("unable to parse log level: %w", err)
+	}
+	setupLog.Info("Logger configured", "level", opts.Level)
+
 	// Determine the SPIRE Server socket path
 	switch {
 	case retval.ctrlConfig.SPIREServerSocketPath == "" && spireAPISocketFlag == "":
@@ -172,13 +202,36 @@ func parseConfig() (Config, error) {
 	}
 
 	if retval.ctrlConfig.Reconcile == nil {
-		retval.reconcile.ClusterSPIFFEIDs = true
 		retval.reconcile.ClusterFederatedTrustDomains = true
 		retval.reconcile.ClusterStaticEntries = true
+		if retval.ctrlConfig.StaticManifestPath == nil {
+			// Static mode default is to have ClusterSPIFFEID syncing off (unsupported). Non static mode syncing on.
+			retval.reconcile.ClusterSPIFFEIDs = true
+		}
 	} else {
 		retval.reconcile = *retval.ctrlConfig.Reconcile
 	}
 
+	if retval.ctrlConfig.StaticManifestPath != nil {
+		if retval.options.LeaderElection {
+			return retval, fmt.Errorf("Leader election is not possible with static manifests")
+		}
+		if retval.reconcile.ClusterSPIFFEIDs {
+			return retval, fmt.Errorf("ClusterSPIFFEID reconciliation is not possible with static manifests")
+		}
+	}
+
+	retval.ctrlConfig.EntryIDPrefix = addDotSuffix(retval.ctrlConfig.EntryIDPrefix)
+
+	printCleanup := "<unset>"
+	if retval.ctrlConfig.EntryIDPrefixCleanup != nil {
+		printCleanup = *retval.ctrlConfig.EntryIDPrefixCleanup
+		*retval.ctrlConfig.EntryIDPrefixCleanup = addDotSuffix(*retval.ctrlConfig.EntryIDPrefixCleanup)
+		if retval.ctrlConfig.EntryIDPrefix != "" && retval.ctrlConfig.EntryIDPrefix == *retval.ctrlConfig.EntryIDPrefixCleanup {
+			return retval, fmt.Errorf("if entryIDPrefixCleanup is specified, it can not be the same value as entryIDPrefix")
+		}
+	}
+
 	setupLog.Info("Config loaded",
 		"cluster name", retval.ctrlConfig.ClusterName,
 		"cluster domain", retval.ctrlConfig.ClusterDomain,
@@ -190,7 +243,9 @@ func parseConfig() (Config, error) {
 		"handle crs without class name", retval.ctrlConfig.WatchClassless,
 		"reconcile ClusterSPIFFEIDs", retval.reconcile.ClusterSPIFFEIDs,
 		"reconcile ClusterFederatedTrustDomains", retval.reconcile.ClusterFederatedTrustDomains,
-		"reconcile ClusterStaticEntries", retval.reconcile.ClusterStaticEntries)
+		"reconcile ClusterStaticEntries", retval.reconcile.ClusterStaticEntries,
+		"entryIDPrefix", retval.ctrlConfig.EntryIDPrefix,
+		"entryIDPrefixCleanup", printCleanup)
 
 	switch {
 	case retval.ctrlConfig.TrustDomain == "":
@@ -219,7 +274,7 @@ func run(mainConfig Config) (err error) {
 	ctx := ctrl.SetupSignalHandler()
 
 	setupLog.Info("Dialing SPIRE Server socket")
-	spireClient, err := spireapi.DialSocket(ctx, mainConfig.ctrlConfig.SPIREServerSocketPath)
+	spireClient, err := spireapi.DialSocket(mainConfig.ctrlConfig.SPIREServerSocketPath)
 	if err != nil {
 		setupLog.Error(err, "unable to dial SPIRE Server socket")
 		return err
@@ -231,7 +286,7 @@ func run(mainConfig Config) (err error) {
 	// file to keep rotation simple.
 	// TODO: upstream a change to the WebhookServer so it can use callbacks to
 	// obtain the certificates so we don't have to touch disk.
-	var webhookRunnable manager.Runnable
+	var webhookManager *webhookmanager.Manager
 	if webhookEnabled {
 		const keyPairName = "keypair.pem"
 		certDir, err := os.MkdirTemp("", "spire-controller-manager-")
@@ -271,7 +326,7 @@ func run(mainConfig Config) (err error) {
 			return err
 		}
 
-		webhookManager := webhookmanager.New(webhookmanager.Config{
+		webhookManager = webhookmanager.New(webhookmanager.Config{
 			ID:            spiffeid.RequireFromPath(trustDomain, "/spire-controller-manager-webhook"),
 			KeyPairPath:   filepath.Join(certDir, keyPairName),
 			WebhookName:   mainConfig.ctrlConfig.ValidatingWebhookConfigurationName,
@@ -284,8 +339,6 @@ func run(mainConfig Config) (err error) {
 			setupLog.Error(err, "failed to mint initial webhook certificate")
 			return err
 		}
-
-		webhookRunnable = webhookManager
 	}
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), mainConfig.options)
@@ -297,17 +350,19 @@ func run(mainConfig Config) (err error) {
 	var entryReconciler reconciler.Reconciler
 	if mainConfig.reconcile.ClusterSPIFFEIDs || mainConfig.reconcile.ClusterStaticEntries {
 		entryReconciler = spireentry.Reconciler(spireentry.ReconcilerConfig{
-			TrustDomain:      trustDomain,
-			ClusterName:      mainConfig.ctrlConfig.ClusterName,
-			ClusterDomain:    mainConfig.ctrlConfig.ClusterDomain,
-			K8sClient:        mgr.GetClient(),
-			EntryClient:      spireClient,
-			IgnoreNamespaces: mainConfig.ignoreNamespacesRegex,
-			GCInterval:       mainConfig.ctrlConfig.GCInterval,
-			ClassName:        mainConfig.ctrlConfig.ClassName,
-			WatchClassless:   mainConfig.ctrlConfig.WatchClassless,
-			ParentIDTemplate: mainConfig.parentIDTemplate,
-			Reconcile:        mainConfig.reconcile,
+			TrustDomain:          trustDomain,
+			ClusterName:          mainConfig.ctrlConfig.ClusterName,
+			ClusterDomain:        mainConfig.ctrlConfig.ClusterDomain,
+			K8sClient:            mgr.GetClient(),
+			EntryClient:          spireClient,
+			IgnoreNamespaces:     mainConfig.ignoreNamespacesRegex,
+			GCInterval:           mainConfig.ctrlConfig.GCInterval,
+			ClassName:            mainConfig.ctrlConfig.ClassName,
+			WatchClassless:       mainConfig.ctrlConfig.WatchClassless,
+			ParentIDTemplate:     mainConfig.parentIDTemplate,
+			Reconcile:            mainConfig.reconcile,
+			EntryIDPrefix:        mainConfig.ctrlConfig.EntryIDPrefix,
+			EntryIDPrefixCleanup: mainConfig.ctrlConfig.EntryIDPrefixCleanup,
 		})
 	}
 
@@ -397,9 +452,9 @@ func run(mainConfig Config) (err error) {
 		}
 	}
 
-	if webhookRunnable != nil {
-		if err = mgr.Add(webhookRunnable); err != nil {
-			setupLog.Error(err, "unable to manage federation relationship reconciler")
+	if webhookManager != nil {
+		if err = mgr.Add(webhookManager); err != nil {
+			setupLog.Error(err, "unable to manage webhook")
 			return err
 		}
 	}
@@ -421,6 +476,97 @@ func run(mainConfig Config) (err error) {
 	return nil
 }
 
+func staticRun(mainConfig Config) (err error) {
+	var wg sync.WaitGroup
+	if mainConfig.reconcile.ClusterFederatedTrustDomains {
+		wg.Add(1)
+	}
+	if mainConfig.reconcile.ClusterStaticEntries {
+		wg.Add(1)
+	}
+	trustDomain, err := spiffeid.TrustDomainFromString(mainConfig.ctrlConfig.TrustDomain)
+	if err != nil {
+		setupLog.Error(err, "invalid trust domain name")
+		return err
+	}
+
+	ctx := ctrl.SetupSignalHandler()
+
+	setupLog.Info("Dialing SPIRE Server socket")
+	spireClient, err := spireapi.DialSocket(mainConfig.ctrlConfig.SPIREServerSocketPath)
+	if err != nil {
+		setupLog.Error(err, "unable to dial SPIRE Server socket")
+		return err
+	}
+	defer spireClient.Close()
+
+	mgr, err := ctrl.NewManager(&rest.Config{}, mainConfig.options)
+	if err != nil {
+		setupLog.Error(err, "unable to start manager")
+		return err
+	}
+	if mainConfig.reconcile.ClusterStaticEntries {
+		entryReconciler := spireentry.Reconciler(spireentry.ReconcilerConfig{
+			TrustDomain:          trustDomain,
+			ClusterName:          mainConfig.ctrlConfig.ClusterName,
+			ClusterDomain:        mainConfig.ctrlConfig.ClusterDomain,
+			K8sClient:            nil,
+			EntryClient:          spireClient,
+			IgnoreNamespaces:     mainConfig.ignoreNamespacesRegex,
+			GCInterval:           mainConfig.ctrlConfig.GCInterval,
+			ClassName:            mainConfig.ctrlConfig.ClassName,
+			WatchClassless:       mainConfig.ctrlConfig.WatchClassless,
+			ParentIDTemplate:     mainConfig.parentIDTemplate,
+			Reconcile:            mainConfig.reconcile,
+			EntryIDPrefix:        mainConfig.ctrlConfig.EntryIDPrefix,
+			EntryIDPrefixCleanup: mainConfig.ctrlConfig.EntryIDPrefixCleanup,
+			StaticManifestPath:   mainConfig.ctrlConfig.StaticManifestPath,
+		})
+		go func() {
+			err = entryReconciler.Run(ctx)
+			if err != nil {
+				setupLog.Error(err, "failure starting entry reconciler", "controller", "ClusterStaticEntry")
+			}
+			wg.Done()
+		}()
+	}
+	if mainConfig.reconcile.ClusterFederatedTrustDomains {
+		federationRelationshipReconciler := spirefederationrelationship.Reconciler(spirefederationrelationship.ReconcilerConfig{
+			K8sClient:          nil,
+			TrustDomainClient:  spireClient,
+			GCInterval:         mainConfig.ctrlConfig.GCInterval,
+			ClassName:          mainConfig.ctrlConfig.ClassName,
+			WatchClassless:     mainConfig.ctrlConfig.WatchClassless,
+			StaticManifestPath: mainConfig.ctrlConfig.StaticManifestPath,
+		})
+		go func() {
+			err = federationRelationshipReconciler.Run(ctx)
+			if err != nil {
+				setupLog.Error(err, "failure starting federation relationship reconciler", "controller", "ClusterFederatedTrustDomain")
+			}
+			wg.Done()
+		}()
+	}
+
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		return err
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		return err
+	}
+
+	wg.Wait()
+	setupLog.Info("starting manager")
+	if err := mgr.Start(ctx); err != nil {
+		setupLog.Error(err, "problem running manager")
+		return err
+	}
+
+	return nil
+}
+
 func autoDetectClusterDomain() (string, error) {
 	cname, err := net.LookupCNAME(k8sDefaultService)
 	if err != nil {
@@ -449,3 +595,42 @@ func parseClusterDomainCNAME(cname string) (string, error) {
 
 	return clusterDomain, nil
 }
+
+func setLogger(opts *zap.Options, logLevel string, logEncoding string) error {
+	if logLevel != "" && opts.Level == nil {
+		zapLogLevel, err := getLogLevel(logLevel)
+		if err != nil {
+			return fmt.Errorf("unable to parse log level: %w", err)
+		}
+		opts.Level = zapLogLevel
+	}
+	if logEncoding != "" && opts.Encoder == nil {
+		switch logEncoding {
+		case "console":
+			zap.ConsoleEncoder(opts.EncoderConfigOptions...)(opts)
+		case "json":
+			zap.JSONEncoder(opts.EncoderConfigOptions...)(opts)
+		default:
+			return fmt.Errorf("unrecognized log encoding: %s", logEncoding)
+		}
+	}
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(opts)))
+
+	return nil
+}
+
+func getLogLevel(logLevel string) (zapcore.Level, error) {
+	switch strings.ToLower(logLevel) {
+	case "debug":
+		return zapcore.DebugLevel, nil
+	case "warn":
+		return zapcore.WarnLevel, nil
+	case "error":
+		return zapcore.ErrorLevel, nil
+	case "info":
+		return zapcore.InfoLevel, nil
+	default:
+		return zapcore.InfoLevel, fmt.Errorf("invalid log level: %q", logLevel)
+	}
+}

config/crd/bases/spire.spiffe.io_clusterfederatedtrustdomains.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: clusterfederatedtrustdomains.spire.spiffe.io
 spec:
   group: spire.spiffe.io
@@ -28,14 +28,19 @@ spec:
           API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -47,8 +52,9 @@ spec:
                 description: BundleEndpointProfile is the profile for the bundle endpoint.
                 properties:
                   endpointSPIFFEID:
-                    description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint.
-                      It is required for the "https_spiffe" profile.
+                    description: |-
+                      EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. It is
+                      required for the "https_spiffe" profile.
                     type: string
                   type:
                     description: Type is the type of the bundle endpoint profile.
@@ -60,8 +66,9 @@ spec:
                 - type
                 type: object
               bundleEndpointURL:
-                description: BundleEndpointURL is the URL of the bundle endpoint.
-                  It must be an HTTPS URL and cannot contain userinfo (i.e. username/password).
+                description: |-
+                  BundleEndpointURL is the URL of the bundle endpoint. It must be an
+                  HTTPS URL and cannot contain userinfo (i.e. username/password).
                 type: string
               className:
                 description: Set which Controller Class will act on this object
@@ -72,9 +79,9 @@ spec:
                 pattern: '[a-z0-9._-]{1,255}'
                 type: string
               trustDomainBundle:
-                description: TrustDomainBundle is the contents of the bundle for the
-                  referenced trust domain. This field is optional when the resource
-                  is created.
+                description: |-
+                  TrustDomainBundle is the contents of the bundle for the referenced trust
+                  domain. This field is optional when the resource is created.
                 type: string
             required:
             - bundleEndpointProfile

config/crd/bases/spire.spiffe.io_clusterspiffeids.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: clusterspiffeids.spire.spiffe.io
 spec:
   group: spire.spiffe.io
@@ -20,14 +20,19 @@ spec:
         description: ClusterSPIFFEID is the Schema for the clusterspiffeids API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -35,9 +40,10 @@ spec:
             description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID
             properties:
               admin:
-                description: Admin indicates whether or not the SVID can be used to
-                  access the SPIRE administrative APIs. Extra care should be taken
-                  to only apply this SPIFFE ID to admin workloads.
+                description: |-
+                  Admin indicates whether or not the SVID can be used to access the SPIRE
+                  administrative APIs. Extra care should be taken to only apply this
+                  SPIFFE ID to admin workloads.
                 type: boolean
               autoPopulateDNSNames:
                 description: AutoPopulateDNSNames indicates whether or not to auto
@@ -46,11 +52,17 @@ spec:
               className:
                 description: Set which Controller Class will act on this object
                 type: string
+              fallback:
+                description: |-
+                  Apply this ID only if there are no other matching non fallback
+                  ClusterSPIFFEIDs
+                type: boolean
               dnsNameTemplates:
-                description: DNSNameTemplate represents templates for extra DNS names
-                  that are applicable to SVIDs minted for this ClusterSPIFFEID. The
-                  node and pod spec are made available to the template under .NodeSpec,
-                  .PodSpec respectively.
+                description: |-
+                  DNSNameTemplate represents templates for extra DNS names that are
+                  applicable to SVIDs minted for this ClusterSPIFFEID.
+                  The node and pod spec are made available to the template under
+                  .NodeSpec, .PodSpec respectively.
                 items:
                   type: string
                 type: array
@@ -59,87 +71,48 @@ spec:
                   SPIRE server.
                 type: boolean
               federatesWith:
-                description: FederatesWith is a list of trust domain names that workloads
-                  that obtain this SPIFFE ID will federate with.
+                description: |-
+                  FederatesWith is a list of trust domain names that workloads that
+                  obtain this SPIFFE ID will federate with.
                 items:
                   type: string
                 type: array
+              hint:
+                description: |-
+                  Set the entry hint
+                type: string
               jwtTtl:
-                description: JWTTTL indicates an upper-bound time-to-live for JWT
-                  SVIDs minted for this ClusterSPIFFEID.
+                description: |-
+                  JWTTTL indicates an upper-bound time-to-live for JWT SVIDs minted for this
+                  ClusterSPIFFEID.
                 type: string
               namespaceSelector:
-                description: NamespaceSelector selects the namespaces that are targeted
-                  by this CRD.
-                properties:
-                  matchExpressions:
-                    description: matchExpressions is a list of label selector requirements.
-                      The requirements are ANDed.
-                    items:
-                      description: A label selector requirement is a selector that
-                        contains values, a key, and an operator that relates the key
-                        and values.
-                      properties:
-                        key:
-                          description: key is the label key that the selector applies
-                            to.
-                          type: string
-                        operator:
-                          description: operator represents a key's relationship to
-                            a set of values. Valid operators are In, NotIn, Exists
-                            and DoesNotExist.
-                          type: string
-                        values:
-                          description: values is an array of string values. If the
-                            operator is In or NotIn, the values array must be non-empty.
-                            If the operator is Exists or DoesNotExist, the values
-                            array must be empty. This array is replaced during a strategic
-                            merge patch.
-                          items:
-                            type: string
-                          type: array
-                      required:
-                      - key
-                      - operator
-                      type: object
-                    type: array
-                  matchLabels:
-                    additionalProperties:
-                      type: string
-                    description: matchLabels is a map of {key,value} pairs. A single
-                      {key,value} in the matchLabels map is equivalent to an element
-                      of matchExpressions, whose key field is "key", the operator
-                      is "In", and the values array contains only "value". The requirements
-                      are ANDed.
-                    type: object
-                type: object
-                x-kubernetes-map-type: atomic
-              podSelector:
-                description: PodSelector selects the pods that are targeted by this
+                description: |-
+                  NamespaceSelector selects the namespaces that are targeted by this
                   CRD.
                 properties:
                   matchExpressions:
                     description: matchExpressions is a list of label selector requirements.
                       The requirements are ANDed.
                     items:
-                      description: A label selector requirement is a selector that
-                        contains values, a key, and an operator that relates the key
-                        and values.
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
                       properties:
                         key:
                           description: key is the label key that the selector applies
                             to.
                           type: string
                         operator:
-                          description: operator represents a key's relationship to
-                            a set of values. Valid operators are In, NotIn, Exists
-                            and DoesNotExist.
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
                           type: string
                         values:
-                          description: values is an array of string values. If the
-                            operator is In or NotIn, the values array must be non-empty.
-                            If the operator is Exists or DoesNotExist, the values
-                            array must be empty. This array is replaced during a strategic
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
                             merge patch.
                           items:
                             type: string
@@ -152,31 +125,78 @@ spec:
                   matchLabels:
                     additionalProperties:
                       type: string
-                    description: matchLabels is a map of {key,value} pairs. A single
-                      {key,value} in the matchLabels map is equivalent to an element
-                      of matchExpressions, whose key field is "key", the operator
-                      is "In", and the values array contains only "value". The requirements
-                      are ANDed.
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              podSelector:
+                description: |-
+                  PodSelector selects the pods that are targeted by this
+                  CRD.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                          type: string
+                        values:
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                     type: object
                 type: object
                 x-kubernetes-map-type: atomic
               spiffeIDTemplate:
-                description: SPIFFEID is the SPIFFE ID template. The node and pod
-                  spec are made available to the template under .NodeSpec, .PodSpec
-                  respectively.
+                description: |-
+                  SPIFFEID is the SPIFFE ID template. The node and pod spec are made
+                  available to the template under .NodeSpec, .PodSpec respectively.
                 type: string
               ttl:
-                description: TTL indicates an upper-bound time-to-live for X509 SVIDs
-                  minted for this ClusterSPIFFEID. If unset, a default will be chosen.
+                description: |-
+                  TTL indicates an upper-bound time-to-live for X509 SVIDs minted for this
+                  ClusterSPIFFEID. If unset, a default will be chosen.
                 type: string
               workloadSelectorTemplates:
-                description: WorkloadSelectorTemplates are templates to produce arbitrary
-                  workload selectors that apply to a given workload before it will
-                  receive this SPIFFE ID. The rendered value is interpreted by SPIRE
-                  and are of the form type:value, where the value may, and often does,
-                  contain semicolons, .e.g., k8s:container-image:docker/hello-world
-                  The node and pod spec are made available to the template under .NodeSpec,
-                  .PodSpec respectively.
+                description: |-
+                  WorkloadSelectorTemplates are templates to produce arbitrary workload
+                  selectors that apply to a given workload before it will receive this
+                  SPIFFE ID. The rendered value is interpreted by SPIRE and are of the
+                  form type:value, where the value may, and often does, contain
+                  semicolons, .e.g., k8s:container-image:docker/hello-world
+                  The node and pod spec are made available to the template under
+                  .NodeSpec, .PodSpec respectively.
                 items:
                   type: string
                 type: array
@@ -190,21 +210,22 @@ spec:
                 description: Stats produced by the last entry reconciliation run
                 properties:
                   entriesMasked:
-                    description: How many entries were masked by entries for other
-                      ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs
-                      produce an entry for the same pod with the same set of workload
-                      selectors.
+                    description: |-
+                      How many entries were masked by entries for other ClusterSPIFFEIDs.
+                      This happens when one or more ClusterSPIFFEIDs produce an entry for
+                      the same pod with the same set of workload selectors.
                     type: integer
                   entriesToSet:
-                    description: How many entries are to be set for this ClusterSPIFFEID.
-                      In nominal conditions, this should reflect the number of pods
-                      selected, but not always if there were problems encountered
-                      rendering an entry for the pod (RenderFailures) or entries are
-                      masked (EntriesMasked).
+                    description: |-
+                      How many entries are to be set for this ClusterSPIFFEID. In nominal
+                      conditions, this should reflect the number of pods selected, but not
+                      always if there were problems encountered rendering an entry for the pod
+                      (RenderFailures) or entries are masked (EntriesMasked).
                     type: integer
                   entryFailures:
-                    description: How many entries were unable to be set due to failures
-                      to create or update the entries via the SPIRE Server API.
+                    description: |-
+                      How many entries were unable to be set due to failures to create or
+                      update the entries via the SPIRE Server API.
                     type: integer
                   namespacesIgnored:
                     description: How many (selected) namespaces were ignored (based
@@ -214,10 +235,11 @@ spec:
                     description: How many namespaces were selected.
                     type: integer
                   podEntryRenderFailures:
-                    description: How many failures were encountered rendering an entry
-                      selected pods. This could be due to either a bad template in
-                      the ClusterSPIFFEID or Pod metadata that when applied to the
-                      template did not produce valid entry values.
+                    description: |-
+                      How many failures were encountered rendering an entry selected pods.
+                      This could be due to either a bad template in the ClusterSPIFFEID or
+                      Pod metadata that when applied to the template did not produce valid
+                      entry values.
                     type: integer
                   podsSelected:
                     description: How many pods were selected out of the namespaces.

config/crd/bases/spire.spiffe.io_clusterstaticentries.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: clusterstaticentries.spire.spiffe.io
 spec:
   group: spire.spiffe.io
@@ -21,14 +21,19 @@ spec:
           API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -62,6 +67,8 @@ spec:
                 type: array
               spiffeID:
                 type: string
+              storeSVID:
+                type: boolean
               x509SVIDTTL:
                 type: string
             required:

demo/README.md

@@ -33,9 +33,9 @@ Build the greeter server and client:
 
 Pull the requisite images:
 
-    $ echo ghcr.io/spiffe/spire-server:1.7.0 \
-        ghcr.io/spiffe/spire-agent:1.7.0 \
-        ghcr.io/spiffe/spiffe-csi-driver:0.2.3 \
+    $ echo ghcr.io/spiffe/spire-server:1.10.4 \
+        ghcr.io/spiffe/spire-agent:1.10.4 \
+        ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
         ghcr.io/spiffe/spire-controller-manager:nightly \
         | xargs -n1 docker pull
 
@@ -43,9 +43,9 @@ Start up cluster1 and load the requisite images:
 
     $ ./cluster1 kind create cluster
     $ echo \
-        ghcr.io/spiffe/spire-server:1.7.0 \
-        ghcr.io/spiffe/spire-agent:1.7.0 \
-        ghcr.io/spiffe/spiffe-csi-driver:0.2.3 \
+        ghcr.io/spiffe/spire-server:1.10.4 \
+        ghcr.io/spiffe/spire-agent:1.10.4 \
+        ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
         ghcr.io/spiffe/spire-controller-manager:nightly \
         greeter-server:demo \
         | xargs -n1 ./cluster1 kind load docker-image
@@ -54,9 +54,9 @@ Start up cluster 2 and load the requisite images:
 
     $ ./cluster2 kind create cluster
     $ echo \
-        ghcr.io/spiffe/spire-server:1.7.0 \
-        ghcr.io/spiffe/spire-agent:1.7.0 \
-        ghcr.io/spiffe/spiffe-csi-driver:0.2.3 \
+        ghcr.io/spiffe/spire-server:1.10.4 \
+        ghcr.io/spiffe/spire-agent:1.10.4 \
+        ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
         ghcr.io/spiffe/spire-controller-manager:nightly \
         greeter-client:demo \
         | xargs -n1 ./cluster2 kind load docker-image

demo/config/cluster1/crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: clusterfederatedtrustdomains.spire.spiffe.io
 spec:
   group: spire.spiffe.io

demo/config/cluster1/crd/spire.spiffe.io_clusterspiffeids.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: clusterspiffeids.spire.spiffe.io
 spec:
   group: spire.spiffe.io
@@ -20,14 +20,19 @@ spec:
         description: ClusterSPIFFEID is the Schema for the clusterspiffeids API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -35,9 +40,10 @@ spec:
             description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID
             properties:
               admin:
-                description: Admin indicates whether or not the SVID can be used to
-                  access the SPIRE administrative APIs. Extra care should be taken
-                  to only apply this SPIFFE ID to admin workloads.
+                description: |-
+                  Admin indicates whether or not the SVID can be used to access the SPIRE
+                  administrative APIs. Extra care should be taken to only apply this
+                  SPIFFE ID to admin workloads.
                 type: boolean
               autoPopulateDNSNames:
                 description: AutoPopulateDNSNames indicates whether or not to auto
@@ -46,11 +52,17 @@ spec:
               className:
                 description: Set which Controller Class will act on this object
                 type: string
+              fallback:
+                description: |-
+                  Apply this ID only if there are no other matching non fallback
+                  ClusterSPIFFEIDs
+                type: boolean
               dnsNameTemplates:
-                description: DNSNameTemplate represents templates for extra DNS names
-                  that are applicable to SVIDs minted for this ClusterSPIFFEID. The
-                  node and pod spec are made available to the template under .NodeSpec,
-                  .PodSpec respectively.
+                description: |-
+                  DNSNameTemplate represents templates for extra DNS names that are
+                  applicable to SVIDs minted for this ClusterSPIFFEID.
+                  The node and pod spec are made available to the template under
+                  .NodeSpec, .PodSpec respectively.
                 items:
                   type: string
                 type: array
@@ -59,87 +71,48 @@ spec:
                   SPIRE server.
                 type: boolean
               federatesWith:
-                description: FederatesWith is a list of trust domain names that workloads
-                  that obtain this SPIFFE ID will federate with.
+                description: |-
+                  FederatesWith is a list of trust domain names that workloads that
+                  obtain this SPIFFE ID will federate with.
                 items:
                   type: string
                 type: array
+              hint:
+                description: |-
+                  Set the entry hint
+                type: string
               jwtTtl:
-                description: JWTTTL indicates an upper-bound time-to-live for JWT
-                  SVIDs minted for this ClusterSPIFFEID.
+                description: |-
+                  JWTTTL indicates an upper-bound time-to-live for JWT SVIDs minted for this
+                  ClusterSPIFFEID.
                 type: string
               namespaceSelector:
-                description: NamespaceSelector selects the namespaces that are targeted
-                  by this CRD.
-                properties:
-                  matchExpressions:
-                    description: matchExpressions is a list of label selector requirements.
-                      The requirements are ANDed.
-                    items:
-                      description: A label selector requirement is a selector that
-                        contains values, a key, and an operator that relates the key
-                        and values.
-                      properties:
-                        key:
-                          description: key is the label key that the selector applies
-                            to.
-                          type: string
-                        operator:
-                          description: operator represents a key's relationship to
-                            a set of values. Valid operators are In, NotIn, Exists
-                            and DoesNotExist.
-                          type: string
-                        values:
-                          description: values is an array of string values. If the
-                            operator is In or NotIn, the values array must be non-empty.
-                            If the operator is Exists or DoesNotExist, the values
-                            array must be empty. This array is replaced during a strategic
-                            merge patch.
-                          items:
-                            type: string
-                          type: array
-                      required:
-                      - key
-                      - operator
-                      type: object
-                    type: array
-                  matchLabels:
-                    additionalProperties:
-                      type: string
-                    description: matchLabels is a map of {key,value} pairs. A single
-                      {key,value} in the matchLabels map is equivalent to an element
-                      of matchExpressions, whose key field is "key", the operator
-                      is "In", and the values array contains only "value". The requirements
-                      are ANDed.
-                    type: object
-                type: object
-                x-kubernetes-map-type: atomic
-              podSelector:
-                description: PodSelector selects the pods that are targeted by this
+                description: |-
+                  NamespaceSelector selects the namespaces that are targeted by this
                   CRD.
                 properties:
                   matchExpressions:
                     description: matchExpressions is a list of label selector requirements.
                       The requirements are ANDed.
                     items:
-                      description: A label selector requirement is a selector that
-                        contains values, a key, and an operator that relates the key
-                        and values.
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
                       properties:
                         key:
                           description: key is the label key that the selector applies
                             to.
                           type: string
                         operator:
-                          description: operator represents a key's relationship to
-                            a set of values. Valid operators are In, NotIn, Exists
-                            and DoesNotExist.
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
                           type: string
                         values:
-                          description: values is an array of string values. If the
-                            operator is In or NotIn, the values array must be non-empty.
-                            If the operator is Exists or DoesNotExist, the values
-                            array must be empty. This array is replaced during a strategic
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
                             merge patch.
                           items:
                             type: string
@@ -152,31 +125,78 @@ spec:
                   matchLabels:
                     additionalProperties:
                       type: string
-                    description: matchLabels is a map of {key,value} pairs. A single
-                      {key,value} in the matchLabels map is equivalent to an element
-                      of matchExpressions, whose key field is "key", the operator
-                      is "In", and the values array contains only "value". The requirements
-                      are ANDed.
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              podSelector:
+                description: |-
+                  PodSelector selects the pods that are targeted by this
+                  CRD.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                          type: string
+                        values:
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                     type: object
                 type: object
                 x-kubernetes-map-type: atomic
               spiffeIDTemplate:
-                description: SPIFFEID is the SPIFFE ID template. The node and pod
-                  spec are made available to the template under .NodeSpec, .PodSpec
-                  respectively.
+                description: |-
+                  SPIFFEID is the SPIFFE ID template. The node and pod spec are made
+                  available to the template under .NodeSpec, .PodSpec respectively.
                 type: string
               ttl:
-                description: TTL indicates an upper-bound time-to-live for X509 SVIDs
-                  minted for this ClusterSPIFFEID. If unset, a default will be chosen.
+                description: |-
+                  TTL indicates an upper-bound time-to-live for X509 SVIDs minted for this
+                  ClusterSPIFFEID. If unset, a default will be chosen.
                 type: string
               workloadSelectorTemplates:
-                description: WorkloadSelectorTemplates are templates to produce arbitrary
-                  workload selectors that apply to a given workload before it will
-                  receive this SPIFFE ID. The rendered value is interpreted by SPIRE
-                  and are of the form type:value, where the value may, and often does,
-                  contain semicolons, .e.g., k8s:container-image:docker/hello-world
-                  The node and pod spec are made available to the template under .NodeSpec,
-                  .PodSpec respectively.
+                description: |-
+                  WorkloadSelectorTemplates are templates to produce arbitrary workload
+                  selectors that apply to a given workload before it will receive this
+                  SPIFFE ID. The rendered value is interpreted by SPIRE and are of the
+                  form type:value, where the value may, and often does, contain
+                  semicolons, .e.g., k8s:container-image:docker/hello-world
+                  The node and pod spec are made available to the template under
+                  .NodeSpec, .PodSpec respectively.
                 items:
                   type: string
                 type: array
@@ -190,21 +210,22 @@ spec:
                 description: Stats produced by the last entry reconciliation run
                 properties:
                   entriesMasked:
-                    description: How many entries were masked by entries for other
-                      ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs
-                      produce an entry for the same pod with the same set of workload
-                      selectors.
+                    description: |-
+                      How many entries were masked by entries for other ClusterSPIFFEIDs.
+                      This happens when one or more ClusterSPIFFEIDs produce an entry for
+                      the same pod with the same set of workload selectors.
                     type: integer
                   entriesToSet:
-                    description: How many entries are to be set for this ClusterSPIFFEID.
-                      In nominal conditions, this should reflect the number of pods
-                      selected, but not always if there were problems encountered
-                      rendering an entry for the pod (RenderFailures) or entries are
-                      masked (EntriesMasked).
+                    description: |-
+                      How many entries are to be set for this ClusterSPIFFEID. In nominal
+                      conditions, this should reflect the number of pods selected, but not
+                      always if there were problems encountered rendering an entry for the pod
+                      (RenderFailures) or entries are masked (EntriesMasked).
                     type: integer
                   entryFailures:
-                    description: How many entries were unable to be set due to failures
-                      to create or update the entries via the SPIRE Server API.
+                    description: |-
+                      How many entries were unable to be set due to failures to create or
+                      update the entries via the SPIRE Server API.
                     type: integer
                   namespacesIgnored:
                     description: How many (selected) namespaces were ignored (based
@@ -214,10 +235,11 @@ spec:
                     description: How many namespaces were selected.
                     type: integer
                   podEntryRenderFailures:
-                    description: How many failures were encountered rendering an entry
-                      selected pods. This could be due to either a bad template in
-                      the ClusterSPIFFEID or Pod metadata that when applied to the
-                      template did not produce valid entry values.
+                    description: |-
+                      How many failures were encountered rendering an entry selected pods.
+                      This could be due to either a bad template in the ClusterSPIFFEID or
+                      Pod metadata that when applied to the template did not produce valid
+                      entry values.
                     type: integer
                   podsSelected:
                     description: How many pods were selected out of the namespaces.

demo/config/cluster1/crd/spire.spiffe.io_clusterstaticentries.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: clusterstaticentries.spire.spiffe.io
 spec:
   group: spire.spiffe.io
@@ -62,6 +62,8 @@ spec:
                 type: array
               spiffeID:
                 type: string
+              storeSVID:
+                type: boolean
               x509SVIDTTL:
                 type: string
             required:

demo/config/cluster1/spire/spire-agent.yaml

@@ -103,7 +103,7 @@ spec:
       serviceAccountName: spire-agent
       containers:
         - name: spire-agent
-          image: ghcr.io/spiffe/spire-agent:1.7.0
+          image: ghcr.io/spiffe/spire-agent:1.10.4
           imagePullPolicy: IfNotPresent
           args: ["-config", "/run/spire/config/agent.conf"]
           env:
@@ -124,7 +124,7 @@ spec:
               mountPath: /run/spire/sockets
         # This is the container which runs the SPIFFE CSI driver.
         - name: spiffe-csi-driver
-          image: ghcr.io/spiffe/spiffe-csi-driver:0.2.3
+          image: ghcr.io/spiffe/spiffe-csi-driver:0.2.6
           imagePullPolicy: IfNotPresent
           args: [
             "-workload-api-socket-dir", "/spire-agent-socket",
@@ -157,7 +157,7 @@ spec:
         # of all the little details required to register a CSI driver with
         # the kubelet.
         - name: node-driver-registrar
-          image: quay.io/k8scsi/csi-node-driver-registrar:v2.0.1
+          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0
           imagePullPolicy: IfNotPresent
           args: [
             "-csi-address", "/spiffe-csi/csi.sock",

demo/config/cluster1/spire/spire-controller-manager-config.yaml

@@ -3,12 +3,13 @@ kind: ControllerManagerConfig
 metrics:
   bindAddress: 127.0.0.1:8082
 health:
-  healthProbeBindAddress: 127.0.0.1:8083
+  healthProbeBindAddress: 0.0.0.0:8083
 leaderElection:
   leaderElect: true
   resourceName: 98c9c988.spiffe.io
   resourceNamespace: spire-system
 clusterName: cluster1
+logLevel: info
 trustDomain: cluster1.demo
 ignoreNamespaces:
   - kube-system

demo/config/cluster1/spire/spire-server.yaml

@@ -176,7 +176,7 @@ spec:
       shareProcessNamespace: true
       containers:
         - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.7.0
+          image: ghcr.io/spiffe/spire-server:1.10.4
           imagePullPolicy: IfNotPresent
           args: ["-config", "/run/spire/server/config/server.conf"]
           ports:
@@ -192,6 +192,12 @@ spec:
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 9443
+            - containerPort: 8083
+              name: healthz
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: healthz
           args:
           - "--config=spire-controller-manager-config.yaml"
           volumeMounts:

demo/config/cluster2/crd/spire.spiffe.io_clusterfederatedtrustdomains.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: clusterfederatedtrustdomains.spire.spiffe.io
 spec:
   group: spire.spiffe.io

demo/config/cluster2/crd/spire.spiffe.io_clusterspiffeids.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: clusterspiffeids.spire.spiffe.io
 spec:
   group: spire.spiffe.io
@@ -20,14 +20,19 @@ spec:
         description: ClusterSPIFFEID is the Schema for the clusterspiffeids API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -35,9 +40,10 @@ spec:
             description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID
             properties:
               admin:
-                description: Admin indicates whether or not the SVID can be used to
-                  access the SPIRE administrative APIs. Extra care should be taken
-                  to only apply this SPIFFE ID to admin workloads.
+                description: |-
+                  Admin indicates whether or not the SVID can be used to access the SPIRE
+                  administrative APIs. Extra care should be taken to only apply this
+                  SPIFFE ID to admin workloads.
                 type: boolean
               autoPopulateDNSNames:
                 description: AutoPopulateDNSNames indicates whether or not to auto
@@ -46,11 +52,17 @@ spec:
               className:
                 description: Set which Controller Class will act on this object
                 type: string
+              fallback:
+                description: |-
+                  Apply this ID only if there are no other matching non fallback
+                  ClusterSPIFFEIDs
+                type: boolean
               dnsNameTemplates:
-                description: DNSNameTemplate represents templates for extra DNS names
-                  that are applicable to SVIDs minted for this ClusterSPIFFEID. The
-                  node and pod spec are made available to the template under .NodeSpec,
-                  .PodSpec respectively.
+                description: |-
+                  DNSNameTemplate represents templates for extra DNS names that are
+                  applicable to SVIDs minted for this ClusterSPIFFEID.
+                  The node and pod spec are made available to the template under
+                  .NodeSpec, .PodSpec respectively.
                 items:
                   type: string
                 type: array
@@ -59,87 +71,48 @@ spec:
                   SPIRE server.
                 type: boolean
               federatesWith:
-                description: FederatesWith is a list of trust domain names that workloads
-                  that obtain this SPIFFE ID will federate with.
+                description: |-
+                  FederatesWith is a list of trust domain names that workloads that
+                  obtain this SPIFFE ID will federate with.
                 items:
                   type: string
                 type: array
+              hint:
+                description: |-
+                  Set the entry hint
+                type: string
               jwtTtl:
-                description: JWTTTL indicates an upper-bound time-to-live for JWT
-                  SVIDs minted for this ClusterSPIFFEID.
+                description: |-
+                  JWTTTL indicates an upper-bound time-to-live for JWT SVIDs minted for this
+                  ClusterSPIFFEID.
                 type: string
               namespaceSelector:
-                description: NamespaceSelector selects the namespaces that are targeted
-                  by this CRD.
-                properties:
-                  matchExpressions:
-                    description: matchExpressions is a list of label selector requirements.
-                      The requirements are ANDed.
-                    items:
-                      description: A label selector requirement is a selector that
-                        contains values, a key, and an operator that relates the key
-                        and values.
-                      properties:
-                        key:
-                          description: key is the label key that the selector applies
-                            to.
-                          type: string
-                        operator:
-                          description: operator represents a key's relationship to
-                            a set of values. Valid operators are In, NotIn, Exists
-                            and DoesNotExist.
-                          type: string
-                        values:
-                          description: values is an array of string values. If the
-                            operator is In or NotIn, the values array must be non-empty.
-                            If the operator is Exists or DoesNotExist, the values
-                            array must be empty. This array is replaced during a strategic
-                            merge patch.
-                          items:
-                            type: string
-                          type: array
-                      required:
-                      - key
-                      - operator
-                      type: object
-                    type: array
-                  matchLabels:
-                    additionalProperties:
-                      type: string
-                    description: matchLabels is a map of {key,value} pairs. A single
-                      {key,value} in the matchLabels map is equivalent to an element
-                      of matchExpressions, whose key field is "key", the operator
-                      is "In", and the values array contains only "value". The requirements
-                      are ANDed.
-                    type: object
-                type: object
-                x-kubernetes-map-type: atomic
-              podSelector:
-                description: PodSelector selects the pods that are targeted by this
+                description: |-
+                  NamespaceSelector selects the namespaces that are targeted by this
                   CRD.
                 properties:
                   matchExpressions:
                     description: matchExpressions is a list of label selector requirements.
                       The requirements are ANDed.
                     items:
-                      description: A label selector requirement is a selector that
-                        contains values, a key, and an operator that relates the key
-                        and values.
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
                       properties:
                         key:
                           description: key is the label key that the selector applies
                             to.
                           type: string
                         operator:
-                          description: operator represents a key's relationship to
-                            a set of values. Valid operators are In, NotIn, Exists
-                            and DoesNotExist.
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
                           type: string
                         values:
-                          description: values is an array of string values. If the
-                            operator is In or NotIn, the values array must be non-empty.
-                            If the operator is Exists or DoesNotExist, the values
-                            array must be empty. This array is replaced during a strategic
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
                             merge patch.
                           items:
                             type: string
@@ -152,31 +125,78 @@ spec:
                   matchLabels:
                     additionalProperties:
                       type: string
-                    description: matchLabels is a map of {key,value} pairs. A single
-                      {key,value} in the matchLabels map is equivalent to an element
-                      of matchExpressions, whose key field is "key", the operator
-                      is "In", and the values array contains only "value". The requirements
-                      are ANDed.
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              podSelector:
+                description: |-
+                  PodSelector selects the pods that are targeted by this
+                  CRD.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                          type: string
+                        values:
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                     type: object
                 type: object
                 x-kubernetes-map-type: atomic
               spiffeIDTemplate:
-                description: SPIFFEID is the SPIFFE ID template. The node and pod
-                  spec are made available to the template under .NodeSpec, .PodSpec
-                  respectively.
+                description: |-
+                  SPIFFEID is the SPIFFE ID template. The node and pod spec are made
+                  available to the template under .NodeSpec, .PodSpec respectively.
                 type: string
               ttl:
-                description: TTL indicates an upper-bound time-to-live for X509 SVIDs
-                  minted for this ClusterSPIFFEID. If unset, a default will be chosen.
+                description: |-
+                  TTL indicates an upper-bound time-to-live for X509 SVIDs minted for this
+                  ClusterSPIFFEID. If unset, a default will be chosen.
                 type: string
               workloadSelectorTemplates:
-                description: WorkloadSelectorTemplates are templates to produce arbitrary
-                  workload selectors that apply to a given workload before it will
-                  receive this SPIFFE ID. The rendered value is interpreted by SPIRE
-                  and are of the form type:value, where the value may, and often does,
-                  contain semicolons, .e.g., k8s:container-image:docker/hello-world
-                  The node and pod spec are made available to the template under .NodeSpec,
-                  .PodSpec respectively.
+                description: |-
+                  WorkloadSelectorTemplates are templates to produce arbitrary workload
+                  selectors that apply to a given workload before it will receive this
+                  SPIFFE ID. The rendered value is interpreted by SPIRE and are of the
+                  form type:value, where the value may, and often does, contain
+                  semicolons, .e.g., k8s:container-image:docker/hello-world
+                  The node and pod spec are made available to the template under
+                  .NodeSpec, .PodSpec respectively.
                 items:
                   type: string
                 type: array
@@ -190,21 +210,22 @@ spec:
                 description: Stats produced by the last entry reconciliation run
                 properties:
                   entriesMasked:
-                    description: How many entries were masked by entries for other
-                      ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs
-                      produce an entry for the same pod with the same set of workload
-                      selectors.
+                    description: |-
+                      How many entries were masked by entries for other ClusterSPIFFEIDs.
+                      This happens when one or more ClusterSPIFFEIDs produce an entry for
+                      the same pod with the same set of workload selectors.
                     type: integer
                   entriesToSet:
-                    description: How many entries are to be set for this ClusterSPIFFEID.
-                      In nominal conditions, this should reflect the number of pods
-                      selected, but not always if there were problems encountered
-                      rendering an entry for the pod (RenderFailures) or entries are
-                      masked (EntriesMasked).
+                    description: |-
+                      How many entries are to be set for this ClusterSPIFFEID. In nominal
+                      conditions, this should reflect the number of pods selected, but not
+                      always if there were problems encountered rendering an entry for the pod
+                      (RenderFailures) or entries are masked (EntriesMasked).
                     type: integer
                   entryFailures:
-                    description: How many entries were unable to be set due to failures
-                      to create or update the entries via the SPIRE Server API.
+                    description: |-
+                      How many entries were unable to be set due to failures to create or
+                      update the entries via the SPIRE Server API.
                     type: integer
                   namespacesIgnored:
                     description: How many (selected) namespaces were ignored (based
@@ -214,10 +235,11 @@ spec:
                     description: How many namespaces were selected.
                     type: integer
                   podEntryRenderFailures:
-                    description: How many failures were encountered rendering an entry
-                      selected pods. This could be due to either a bad template in
-                      the ClusterSPIFFEID or Pod metadata that when applied to the
-                      template did not produce valid entry values.
+                    description: |-
+                      How many failures were encountered rendering an entry selected pods.
+                      This could be due to either a bad template in the ClusterSPIFFEID or
+                      Pod metadata that when applied to the template did not produce valid
+                      entry values.
                     type: integer
                   podsSelected:
                     description: How many pods were selected out of the namespaces.

demo/config/cluster2/crd/spire.spiffe.io_clusterstaticentries.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: clusterstaticentries.spire.spiffe.io
 spec:
   group: spire.spiffe.io
@@ -62,6 +62,8 @@ spec:
                 type: array
               spiffeID:
                 type: string
+              storeSVID:
+                type: boolean
               x509SVIDTTL:
                 type: string
             required:

demo/config/cluster2/spire/spire-agent.yaml

@@ -103,7 +103,7 @@ spec:
       serviceAccountName: spire-agent
       containers:
         - name: spire-agent
-          image: ghcr.io/spiffe/spire-agent:1.7.0
+          image: ghcr.io/spiffe/spire-agent:1.10.4
           imagePullPolicy: IfNotPresent
           args: ["-config", "/run/spire/config/agent.conf"]
           env:
@@ -124,7 +124,7 @@ spec:
               mountPath: /run/spire/sockets
         # This is the container which runs the SPIFFE CSI driver.
         - name: spiffe-csi-driver
-          image: ghcr.io/spiffe/spiffe-csi-driver:0.2.3
+          image: ghcr.io/spiffe/spiffe-csi-driver:0.2.6
           imagePullPolicy: IfNotPresent
           args: [
             "-workload-api-socket-dir", "/spire-agent-socket",
@@ -157,7 +157,7 @@ spec:
         # of all the little details required to register a CSI driver with
         # the kubelet.
         - name: node-driver-registrar
-          image: quay.io/k8scsi/csi-node-driver-registrar:v2.0.1
+          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0
           imagePullPolicy: IfNotPresent
           args: [
             "-csi-address", "/spiffe-csi/csi.sock",

demo/config/cluster2/spire/spire-controller-manager-config.yaml

@@ -3,12 +3,13 @@ kind: ControllerManagerConfig
 metrics:
   bindAddress: 127.0.0.1:8082
 health:
-  healthProbeBindAddress: 127.0.0.1:8083
+  healthProbeBindAddress: 0.0.0.0:8083
 leaderElection:
   leaderElect: true
   resourceName: 98c9c988.spiffe.io
   resourceNamespace: spire-system
 clusterName: cluster2
+logLevel: info
 trustDomain: cluster2.demo
 ignoreNamespaces:
   - kube-system

demo/config/cluster2/spire/spire-server.yaml

@@ -176,7 +176,7 @@ spec:
       shareProcessNamespace: true
       containers:
         - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.7.0
+          image: ghcr.io/spiffe/spire-server:1.10.4
           imagePullPolicy: IfNotPresent
           args: ["-config", "/run/spire/server/config/server.conf"]
           ports:
@@ -192,6 +192,12 @@ spec:
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 9443
+            - containerPort: 8083
+              name: healthz
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: healthz
           args:
           - "--config=spire-controller-manager-config.yaml"
           volumeMounts:

demo/config/static-entry.yaml

@@ -13,3 +13,4 @@ spec:
   hint: "static-hint-2"
   admin: true
   downstream: true
+  storeSVID: true

demo/greeter/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.20.1-alpine AS builder
+FROM golang:1.23.4-alpine AS builder
 WORKDIR /workspace
 COPY go.mod go.mod
 COPY go.sum go.sum

demo/greeter/cmd/greeter-client/main.go

@@ -43,7 +43,7 @@ func main() {
 
 	creds := grpccredentials.MTLSClientCredentials(source, source, tlsconfig.AuthorizeID(serverID))
 
-	client, err := grpc.DialContext(ctx, addr, grpc.WithTransportCredentials(creds))
+	client, err := grpc.NewClient(addr, grpc.WithTransportCredentials(creds))
 	if err != nil {
 		log.Fatal(err)
 	}

demo/greeter/go.mod

@@ -1,24 +1,21 @@
 module greeter
 
-go 1.20
+go 1.23.4
 
 require (
-	github.com/spiffe/go-spiffe/v2 v2.1.7
-	google.golang.org/grpc v1.60.1
-	google.golang.org/grpc/examples v0.0.0-20240117000318-ddd377f19841
+	github.com/spiffe/go-spiffe/v2 v2.5.0
+	google.golang.org/grpc v1.73.0
+	google.golang.org/grpc/examples v0.0.0-20240422202308-34de5cf4832f
 )
 
 require (
-	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.1 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/zeebo/errs v1.3.0 // indirect
-	golang.org/x/crypto v0.18.0 // indirect
-	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/net v0.20.0 // indirect
-	golang.org/x/sys v0.16.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/tools v0.17.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac // indirect
-	google.golang.org/protobuf v1.32.0 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 )

demo/greeter/go.sum

@@ -1,54 +1,54 @@
-github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
-github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA=
-github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
+github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/spiffe/go-spiffe/v2 v2.1.7 h1:VUkM1yIyg/x8X7u1uXqSRVRCdMdfRIEdFBzpqoeASGk=
-github.com/spiffe/go-spiffe/v2 v2.1.7/go.mod h1:QJDGdhXllxjxvd5B+2XnhhXB/+rC8gr+lNrtOryiWeE=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs=
-github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
-golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
-golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
-golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
-golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
-golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac h1:nUQEQmH/csSvFECKYRv6HWEyypysidKl2I6Qpsglq/0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac/go.mod h1:daQN87bsDqDoe316QbbvX60nMoJQa4r6Ds0ZuoAe5yA=
-google.golang.org/grpc v1.60.1 h1:26+wFr+cNqSGFcOXcabYC0lUVJVRa2Sb2ortSK7VrEU=
-google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM=
-google.golang.org/grpc/examples v0.0.0-20240117000318-ddd377f19841 h1:VY7I+o3i1PIcNSwKshRTAfC20dKeVuB7QoXtR+e9F4w=
-google.golang.org/grpc/examples v0.0.0-20240117000318-ddd377f19841/go.mod h1:j5uROIAAgi3YmtiETMt1LW0d/lHqQ7wwrIY4uGRXLQ4=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
-google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE=
+github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
+github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
+go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
+go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 h1:e0AIkUUhxyBKh6ssZNrAMeqhA7RKUj42346d1y02i2g=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
+google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
+google.golang.org/grpc/examples v0.0.0-20240422202308-34de5cf4832f h1:DXDiMO+e57lNmXq6CXCWgoiLMvTWyJpmm8q1xQB4cFM=
+google.golang.org/grpc/examples v0.0.0-20240422202308-34de5cf4832f/go.mod h1:uaPEAc5V00jjG3DPhGFLXGT290RUV3+aNQigs1W50/8=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

demo/scripts/show-spire-entries.sh

@@ -3,7 +3,7 @@
 set -eo pipefail
 
 kubectl exec -t \
-    -nspire-system \
+    -n spire-system \
     -c spire-server deployment/spire-server -- \
         /opt/spire/bin/spire-server entry show \
         "$@"

demo/scripts/show-spire-federated-bundles.sh

@@ -3,6 +3,6 @@
 set -eo pipefail
 
 kubectl exec -t \
-    -nspire-system \
+    -n spire-system \
     -c spire-server deployment/spire-server -- \
         /opt/spire/bin/spire-server bundle list -format spiffe

demo/test.sh

@@ -31,13 +31,40 @@ DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 cd "$DIR"
 
 cleanup() {
+    if [[ "$1" -ne 0 ]]; then
+      cat <<EOF >>"$GITHUB_STEP_SUMMARY"
+### Describe Pods Cluster 1
+\`\`\`
+$(./cluster1 kubectl describe pods -n "spire-system")
+\`\`\`
+
+### Logs Cluster 1
+
+\`\`\`
+$(./cluster1 kubectl get pods -o name -n "spire-system" | while read -r line; do echo; echo "logs for ${line}:"; ./cluster1 kubectl logs -n "spire-system" "${line}" --prefix --all-containers=true --ignore-errors=true; done)
+\`\`\`
+
+### Describe Pods Cluster 2
+
+\`\`\`
+$(./cluster2 kubectl describe pods -n "spire-system")
+\`\`\`
+
+### Logs Cluster 2
+
+\`\`\`
+$(./cluster2 kubectl get pods -o name -n "spire-system" | while read -r line; do echo; echo logs for "${line}:"; ./cluster2 kubectl logs -n "spire-system" "${line}" --prefix --all-containers=true --ignore-errors=true; done)
+\`\`\`
+EOF
+    fi
+
     echo "Cleaning up..."
     ./cluster1 kind delete cluster || true
     ./cluster2 kind delete cluster || true
     echo "Done."
 }
 
-trap cleanup EXIT
+trap 'EC=$? && trap - SIGTERM && cleanup $EC' SIGINT SIGTERM EXIT
 
 log-info "Tagging devel image as nightly..."
 docker tag ghcr.io/spiffe/spire-controller-manager:{devel,nightly}
@@ -46,10 +73,10 @@ log-info "Building greeter server/client..."
 (cd greeter; make docker-build)
 
 log-info "Pulling docker images..."
-echo ghcr.io/spiffe/spire-server:1.7.0 \
-    ghcr.io/spiffe/spire-agent:1.7.0 \
-    ghcr.io/spiffe/spiffe-csi-driver:0.2.3 \
-    quay.io/k8scsi/csi-node-driver-registrar:v2.0.1 \
+echo ghcr.io/spiffe/spire-server:1.10.4 \
+    ghcr.io/spiffe/spire-agent:1.10.4 \
+    ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
+    registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0 \
     | xargs -n1 docker pull
 
 log-info "Creating cluster1..."
@@ -60,20 +87,20 @@ log-info "Creating cluster2..."
 
 log-info "Loading images into cluster1..."
 echo \
-    ghcr.io/spiffe/spire-server:1.7.0 \
-    ghcr.io/spiffe/spire-agent:1.7.0 \
-    ghcr.io/spiffe/spiffe-csi-driver:0.2.3 \
-    quay.io/k8scsi/csi-node-driver-registrar:v2.0.1 \
+    ghcr.io/spiffe/spire-server:1.10.4 \
+    ghcr.io/spiffe/spire-agent:1.10.4 \
+    ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
+    registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0 \
     ghcr.io/spiffe/spire-controller-manager:nightly \
     greeter-server:demo \
     | xargs -n1 ./cluster1 kind load docker-image
 
 log-info "Loading images into cluster2..."
 echo \
-    ghcr.io/spiffe/spire-server:1.7.0 \
-    ghcr.io/spiffe/spire-agent:1.7.0 \
-    ghcr.io/spiffe/spiffe-csi-driver:0.2.3 \
-    quay.io/k8scsi/csi-node-driver-registrar:v2.0.1 \
+    ghcr.io/spiffe/spire-server:1.10.4 \
+    ghcr.io/spiffe/spire-agent:1.10.4 \
+    ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
+    registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0 \
     ghcr.io/spiffe/spire-controller-manager:nightly \
     greeter-client:demo \
     | xargs -n1 ./cluster2 kind load docker-image

docs/clusterfederatedtrustdomain-crd.md

@@ -16,6 +16,7 @@ See the [SPIFFE Federation](https://github.com/spiffe/spiffe/blob/main/standards
 | `bundleEndpointURL`     | REQUIRED | `https://somedomain.test/bundle`                        | An HTTPS URL to the bundle endpoint for the foreign trust domain.                                                       |
 | `bundleEndpointProfile` | REQUIRED | See [Bundle Endpoint Profile](#bundle-endpoint-profile) | The profile for the bundle endpoint for the foreign trust domain.                                                       |
 | `trustDomainBundle`     | OPTIONAL |                                                         | The bundle contents for the foreign trust domain.                                                                       |
+| `className`             | OPTIONAL |                                                         | The class name of the SPIRE controller manager.                                                                         |
 
 ### Bundle Endpoint Profile
 

docs/clusterspiffeid-crd.md

@@ -27,6 +27,8 @@ The definition can be found [here](../api/v1alpha1/clusterspiffeid_types.go).
 | `admin`                     | OPTIONAL | Indicates whether the target workload is an admin workload (i.e. can access SPIRE administrative APIs) |
 | `downstream`                | OPTIONAL | Indicates that the entry describes a downstream SPIRE server. |
 | `autoPopulateDNSNames`      | OPTIONAL | Indicates whether or not to auto populate service DNS names. |
+| `fallback`                  | OPTIONAL | Apply this ID only if there are no other matching non fallback ClusterSPIFFEIDs. |
+| `className`                 | OPTIONAL | The class name of the SPIRE controller manager. |
 
 ## ClusterSPIFFEIDStatus
 

docs/clusterstaticentry-crd.md

@@ -20,6 +20,8 @@ The definition can be found [here](../api/v1alpha1/clusterstaticentry_types.go).
 | `hint`                      | OPTIONAL | An opaque string that is provided to the workload as a hint on how the SVID should be used |
 | `admin`                     | OPTIONAL | Indicates whether the target workload is an admin workload (i.e. can access SPIRE administrative APIs) |
 | `downstream`                | OPTIONAL | Indicates that the entry describes a downstream SPIRE server. |
+| `storeSVID`                 | OPTIONAL | Indicates whether the issued SVID must be stored through an SVIDStore plugin. |
+| `className`                 | OPTIONAL | The class name of the SPIRE controller manager. |
 
 ## ClusterStaticEntryStatus
 

docs/spire-controller-manager-config.md

@@ -2,14 +2,31 @@
 
 The SPIRE Controller Manager configuration is defined [here](../api/v1alpha1/controllermanagerconfig_types.go).
 
-Beyond the standard [controller manager configuration](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/config/v1alpha1#ControllerConfigurationSpec), the following fields are defined:
+Beyond the
+standard [controller manager configuration](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/config/v1alpha1#ControllerConfigurationSpec),
+the following fields are defined: 
 
-| Field                                | Required | Default                                          | Description                                                                                                             |
-| ------------------------------------ | -------- | ------------------------------------------------ | ------------------------------------------------------------------ |
-| `clusterName`                        | REQUIRED |                                                  | The name of the cluster |
-| `trustDomain`                        | REQUIRED |                                                  | The trust domain name for the cluster |
-| `clusterDomain`                      | OPTIONAL |                                                  | The domain of the cluster, ie `cluster.local`. If not specified will attempt to auto detect. |
-| `ignoreNamespaces`                   | OPTIONAL | `["kube-system", "kube-public", "spire-system"]` | Namespaces that the controllers should ignore |
-| `validatingWebhookConfigurationName` | OPTIONAL | `spire-controller-manager-webhook`               | The name of the validating admission controller webhook to manage |
+| Field                                | Required | Default                                          | Description                                                                                                                                                                                                   |
+|--------------------------------------|----------|--------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `clusterName`                        | REQUIRED |                                                  | The name of the cluster                                                                                                                                                                                       |
+| `trustDomain`                        | REQUIRED |                                                  | The trust domain name for the cluster                                                                                                                                                                         |
+| `clusterDomain`                      | OPTIONAL |                                                  | The domain of the cluster, ie `cluster.local`. If not specified will attempt to auto detect.                                                                                                                  |
+| `ignoreNamespaces`                   | OPTIONAL | `["kube-system", "kube-public", "spire-system"]` | Namespaces that the controllers should ignore                                                                                                                                                                 |
+| `validatingWebhookConfigurationName` | OPTIONAL | `spire-controller-manager-webhook`               | The name of the validating admission controller webhook to manage                                                                                                                                             |
 | `gcInterval`                         | OPTIONAL | `10s`                                            | How often the SPIRE state is reconciled when the controller is otherwise idle. This impacts how quickly SPIRE state will converge after CRDs are removed or SPIRE state is mutated underneath the controller. |
-| `spireServerSocketPath`              | OPTIONAL | `/spire-server/api.sock`                         | The path the the SPIRE Server API socket |
+| `spireServerSocketPath`              | OPTIONAL | `/spire-server/api.sock`                         | The path the the SPIRE Server API socket                                                                                                                                                                      |
+| `logLevel`                           | OPTIONAL | `info`                                           | The log level for the controller manager. Supported values are `info`, `error`, `warn` and `debug`.                                                                                                           |
+| `logEncoding`                        | OPTIONAL | `console`                                        | The log encoder for the controller manager. Supported values are `console` and `json`.                                                                                                                        |
+| `className`                          | OPTIONAL |                                                  | Only sync resources that have the specified className set on them.                                                                                                                                            |
+| `watchClassless`                     | OPTIONAL |                                                  | If className is set, also watch for resources that do not have any className set.                                                                                                                             |
+| `staticManifestPath`                 | OPTIONAL |                                                  | If specified, manifests will be read from disk instead of from Kubernetes                                                                                                                                     |
+
+## Kubernetes Mode
+
+By default, all objects are synced from the Kubernetes cluster the spire-controller-manager is running in.
+
+## Static Mode
+
+If `staticManifestPath` is specified, Kubernetes will not be used and instead, manifests are loaded from yaml files located in the specified path and synchronized to the SPIRE server.
+
+In this mode, validating webhooks will be ignored as its not useful without Kubernetes.

examples/static.config

@@ -0,0 +1,17 @@
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ControllerManagerConfig
+metadata:
+  name: config
+metrics:
+  bindAddress: 0.0.0.0:8082
+health:
+  healthProbeBindAddress: 0.0.0.0:8083
+entryIDPrefix: scm
+className: scm
+clusterName: scm
+clusterDomain: local
+trustDomain: example.org
+watchClassless: true
+staticManifestPath: /etc/spire/server/main/manifests
+spireServerSocketPath: "/tmp/spire-server/private/api.sock"
+logLevel: info

go.mod

@@ -1,84 +1,84 @@
 module github.com/spiffe/spire-controller-manager
 
-go 1.21
+go 1.23.4
 
 require (
-	github.com/go-logr/logr v1.4.1
-	github.com/google/go-cmp v0.6.0
+	github.com/go-logr/logr v1.4.2
+	github.com/google/go-cmp v0.7.0
+	github.com/google/uuid v1.6.0
 	github.com/jpillora/backoff v1.0.0
-	github.com/onsi/ginkgo/v2 v2.15.0
-	github.com/onsi/gomega v1.31.1
-	github.com/spiffe/go-spiffe/v2 v2.1.7
-	github.com/spiffe/spire-api-sdk v1.8.7
-	github.com/stretchr/testify v1.8.4
-	google.golang.org/grpc v1.62.0
-	google.golang.org/protobuf v1.32.0
-	k8s.io/api v0.29.2
-	k8s.io/apimachinery v0.29.2
-	k8s.io/client-go v0.29.2
-	k8s.io/component-base v0.29.2
-	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
-	sigs.k8s.io/controller-runtime v0.17.2
+	github.com/onsi/ginkgo/v2 v2.23.4
+	github.com/onsi/gomega v1.37.0
+	github.com/prometheus/client_golang v1.22.0
+	github.com/spiffe/go-spiffe/v2 v2.5.0
+	github.com/spiffe/spire-api-sdk v1.12.4
+	github.com/stretchr/testify v1.10.0
+	go.uber.org/zap v1.27.0
+	google.golang.org/grpc v1.73.0
+	google.golang.org/protobuf v1.36.6
+	k8s.io/api v0.32.4
+	k8s.io/apimachinery v0.32.4
+	k8s.io/client-go v0.32.4
+	k8s.io/component-base v0.32.4
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
+	sigs.k8s.io/controller-runtime v0.20.4
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
-	github.com/evanphx/json-patch/v5 v5.8.0 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.1 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
-	github.com/go-openapi/jsonpointer v0.20.0 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.4 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/btree v1.1.3 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
-	github.com/google/uuid v1.6.0 // indirect
-	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.18.0 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.45.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/zeebo/errs v1.3.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.26.0 // indirect
-	golang.org/x/crypto v0.18.0 // indirect
-	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
-	golang.org/x/net v0.20.0 // indirect
-	golang.org/x/oauth2 v0.16.0 // indirect
-	golang.org/x/sys v0.16.0 // indirect
-	golang.org/x/term v0.16.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.16.1 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/oauth2 v0.28.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/term v0.30.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/time v0.7.0 // indirect
+	golang.org/x/tools v0.31.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.29.0 // indirect
-	k8s.io/klog/v2 v2.110.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	k8s.io/apiextensions-apiserver v0.32.1 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )

go.sum

@@ -6,11 +6,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -18,12 +15,12 @@ github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XP
 github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
-github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk=
+github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -32,33 +29,32 @@ github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
 github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro=
-github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
+github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
+github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA=
-github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
-github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
+github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
-github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
-github.com/go-openapi/jsonpointer v0.20.0 h1:ESKJdU9ASRfaPNOPRx12IUyA1vn3R9GiE3KYD14BXdQ=
-github.com/go-openapi/jsonpointer v0.20.0/go.mod h1:6PGzBjjIIumbLYysB73Klnms1mwnU4G3YHOECG3CedA=
-github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
-github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
-github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
-github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU=
-github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
+github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
+github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
+github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
+github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
+github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -73,8 +69,10 @@ github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
+github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -85,20 +83,17 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
-github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA=
@@ -107,17 +102,16 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
-github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -125,72 +119,79 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY=
-github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM=
-github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo=
-github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0=
+github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
+github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
+github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
+github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
-github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
+github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
-github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
-github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
-github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
-github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
-github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
+github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
+github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spiffe/go-spiffe/v2 v2.1.7 h1:VUkM1yIyg/x8X7u1uXqSRVRCdMdfRIEdFBzpqoeASGk=
-github.com/spiffe/go-spiffe/v2 v2.1.7/go.mod h1:QJDGdhXllxjxvd5B+2XnhhXB/+rC8gr+lNrtOryiWeE=
-github.com/spiffe/spire-api-sdk v1.8.7 h1:LzKqts7VziON0/din8BV4gjtUSIZqMPgL7eljZm6cWk=
-github.com/spiffe/spire-api-sdk v1.8.7/go.mod h1:4uuhFlN6KBWjACRP3xXwrOTNnvaLp1zJs8Lribtr4fI=
+github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE=
+github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
+github.com/spiffe/spire-api-sdk v1.12.4 h1:RFMW7aPylHrJOPWY+w+YjElKCRUJPOUAMEyn7w4wLTU=
+github.com/spiffe/spire-api-sdk v1.12.4/go.mod h1:4uuhFlN6KBWjACRP3xXwrOTNnvaLp1zJs8Lribtr4fI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs=
-github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
+github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
+github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
+go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
+go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
-go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
-golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -201,46 +202,36 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
-golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ=
-golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
+golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
+golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
-golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
-golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
-golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -249,9 +240,8 @@ golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
+golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -260,14 +250,12 @@ gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw
 gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
-google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 h1:AjyfHzEPEFp/NpvfN5g+KDla3EMojjhRVZc1i7cj+oM=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80/go.mod h1:PAREbraiVEVGVdTZsVWjSbbTtSyGbAgIIvni8a8CD5s=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 h1:e0AIkUUhxyBKh6ssZNrAMeqhA7RKUj42346d1y02i2g=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
@@ -275,8 +263,8 @@ google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8
 google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.62.0 h1:HQKZ/fa1bXkX1oFOvSjmZEUL8wLSaZTjCcLAlmZRtdk=
-google.golang.org/grpc v1.62.0/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
+google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
+google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -290,44 +278,43 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
-google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
+gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A=
-k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0=
-k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0=
-k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc=
-k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8=
-k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
-k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg=
-k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA=
-k8s.io/component-base v0.29.2 h1:lpiLyuvPA9yV1aQwGLENYyK7n/8t6l3nn3zAtFTJYe8=
-k8s.io/component-base v0.29.2/go.mod h1:BfB3SLrefbZXiBfbM+2H1dlat21Uewg/5qtKOl8degM=
-k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
-k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
-k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
-k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
-k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
-k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-runtime v0.17.2 h1:FwHwD1CTUemg0pW2otk7/U5/i5m2ymzvOXdbeGOUvw0=
-sigs.k8s.io/controller-runtime v0.17.2/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
+k8s.io/api v0.32.4 h1:kw8Y/G8E7EpNy7gjB8gJZl3KJkNz8HM2YHrZPtAZsF4=
+k8s.io/api v0.32.4/go.mod h1:5MYFvLvweRhyKylM3Es/6uh/5hGp0dg82vP34KifX4g=
+k8s.io/apiextensions-apiserver v0.32.1 h1:hjkALhRUeCariC8DiVmb5jj0VjIc1N0DREP32+6UXZw=
+k8s.io/apiextensions-apiserver v0.32.1/go.mod h1:sxWIGuGiYov7Io1fAS2X06NjMIk5CbRHc2StSmbaQto=
+k8s.io/apimachinery v0.32.4 h1:8EEksaxA7nd7xWJkkwLDN4SvWS5ot9g6Z/VZb3ju25I=
+k8s.io/apimachinery v0.32.4/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
+k8s.io/client-go v0.32.4 h1:zaGJS7xoYOYumoWIFXlcVrsiYioRPrXGO7dBfVC5R6M=
+k8s.io/client-go v0.32.4/go.mod h1:k0jftcyYnEtwlFW92xC7MTtFv5BNcZBr+zn9jPlT9Ic=
+k8s.io/component-base v0.32.4 h1:HuF+2JVLbFS5GODLIfPCb1Td6b+G2HszJoArcWOSr5I=
+k8s.io/component-base v0.32.4/go.mod h1:10KloJEYw1keU/Xmjfy9TKJqUq7J2mYdiD1VDXoco4o=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
+k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/controller-runtime v0.20.4 h1:X3c+Odnxz+iPTRobG4tp092+CvBU9UK0t/bRf+n0DGU=
+sigs.k8s.io/controller-runtime v0.20.4/go.mod h1:xg2XB0K5ShQzAgsoujxuKN4LNXR2LfwwHsPj7Iaw+XY=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.2/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

internal/controller/suite_test.go

@@ -22,8 +22,8 @@ import (
 	"runtime"
 	"testing"
 
-	. "github.com/onsi/ginkgo/v2"
-	. "github.com/onsi/gomega"
+	. "github.com/onsi/ginkgo/v2" //nolint:revive // auto-generated
+	. "github.com/onsi/gomega"    //nolint:revive // auto-generated
 
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"

migration/README.md

@@ -51,7 +51,7 @@ Next deploy the new SPIRE Controller Manager.
 
 ## Delete the Kubernetes Workload Registrar CRD (CRD mode only)
 
-The CRD mode requires an additonal step of removing the SpiffeId CRD. SPIRE Controller Manager uses a different CRD, so this one needs to be removed and resources cleaned up.
+The CRD mode requires an additional step of removing the SpiffeId CRD. SPIRE Controller Manager uses a different CRD, so this one needs to be removed and resources cleaned up.
 
 1. Manually remove the finalizers with the below script. SPIRE Controller Manager will automatically clean up entries, so the finalizers can safely be removed.
 
@@ -228,11 +228,11 @@ For each [ClusterSPIFFEID][1] you want to auto populate DNS names for, set the `
 
 ### Can SPIRE Controller Manager be deployed in a different Pod from SPIRE Server?
 
-This is not supported with SPIRE Controller Manager, they must be in the same Pod. If you require them to be in seperate Pods, please open a [new issue](https://github.com/spiffe/spire-controller-manager/issues/new) with your use case.
+This is not supported with SPIRE Controller Manager, they must be in the same Pod. If you require them to be in separate Pods, please open a [new issue](https://github.com/spiffe/spire-controller-manager/issues/new) with your use case.
 
 ### Can I manually create entries like I could with the CRD Kubernetes Workload Registrar?
 
-This is not currently supported, SPIRE Controller Manager will automatically garbage collect any manually created entries. If you need suppport for manually created entries, please update [#76](https://github.com/spiffe/spire-controller-manager/issues/76) with your use case.
+Yes, but it requires the use of a separate CRD ([ClusterStaticEntry][2]).
 
 ### How do i see SPIRE Controller Manager logs?
 
@@ -245,7 +245,7 @@ $ kubectl logs spire-server-0 -n spire -c spire-controller-manager
 2022-12-13T00:41:21.844Z	INFO	webhook-manager	Webhook configuration patched with CABundle
 ```
 
-### I'm using CRD mode Kubernetes Workload Registrar and it gets stuck deleting the SpiffeId CRD. What do I do?
+### I'm using CRD mode Kubernetes Workload Registrar, and it gets stuck deleting the SpiffeId CRD. What do I do?
 
 This can happen if the Kubernetes Workload Registrar is deleted before all the SpiffeId custom resources are removed. To get around this, manually remove the finalizers with the below script and try deleting the CRD again.
 
@@ -261,10 +261,11 @@ done
 
 ### Why can't Kubernetes Workload Registrar entries be reused with SPIRE Controller Manager?
 
-SPIRE Controller Manager uses a different scheme for parenting SPIFFE IDs. Though it is technically possible to modify all the entries, its a lot easier to just allow SPIRE Controller Manager to automatically replace the entries.
+SPIRE Controller Manager uses a different scheme for parenting SPIFFE IDs. Though it is technically possible to modify all the entries, it's a lot easier to just allow SPIRE Controller Manager to automatically replace the entries.
 
-### What happens if a Pod is deployed while I'm in the middle of this cutover?
+### What happens if a Pod is deployed while I'm in the middle of this cut-over?
 
 SPIRE Controller Manager will reconcile the state of the system when it starts up. Any new Pods deployed after Kubernetes Workload Registrar is deleted and before SPIRE Controller Manager is up will have entries created when SPIRE Controller Manager is up.
 
 [1]: docs/clusterspiffeid-crd.md
+[2]: docs/clusterstaticentry-crd.md

migration/config/spire-server.yaml

@@ -176,7 +176,7 @@ spec:
       shareProcessNamespace: true
       containers:
         - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.7.2
+          image: ghcr.io/spiffe/spire-server:1.11.1
           imagePullPolicy: IfNotPresent
           args: ["-config", "/run/spire/server/config/server.conf"]
           ports:
@@ -190,7 +190,7 @@ spec:
             - name: spire-server-socket
               mountPath: /tmp/spire-server/private
         - name: spire-controller-manager
-          image: ghcr.io/spiffe/spire-controller-manager:nightly
+          image: ghcr.io/spiffe/spire-controller-manager:0.6.2
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 9443

pkg/metrics/controller_runtime.go

@@ -0,0 +1,18 @@
+package metrics
+
+import "github.com/prometheus/client_golang/prometheus"
+
+const (
+	StaticEntryFailures = "cluster_static_entry_failures"
+)
+
+var (
+	PromCounters = map[string]prometheus.Counter{
+		StaticEntryFailures: prometheus.NewGauge(
+			prometheus.GaugeOpts{
+				Name: StaticEntryFailures,
+				Help: "Number of cluster static entry render failures",
+			},
+		),
+	}
+)

pkg/spireapi/client.go

@@ -17,11 +17,9 @@ limitations under the License.
 package spireapi
 
 import (
-	"context"
 	"fmt"
 	"io"
 	"path/filepath"
-	"time"
 
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
@@ -35,7 +33,7 @@ type Client interface {
 	io.Closer
 }
 
-func DialSocket(ctx context.Context, path string) (Client, error) {
+func DialSocket(path string) (Client, error) {
 	var target string
 	if filepath.IsAbs(path) {
 		target = "unix://" + path
@@ -43,9 +41,7 @@ func DialSocket(ctx context.Context, path string) (Client, error) {
 		target = "unix:" + path
 	}
 
-	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
-	defer cancel()
-	grpcClient, err := grpc.DialContext(ctx, target, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithBlock())
+	grpcClient, err := grpc.NewClient(target, grpc.WithTransportCredentials(insecure.NewCredentials()))
 	if err != nil {
 		return nil, fmt.Errorf("failed to dial API socket: %w", err)
 	}

pkg/spireapi/common_test.go

@@ -45,7 +45,7 @@ func startServer(t *testing.T, registerFn func(s *grpc.Server)) grpc.ClientConnI
 	go func() { _ = s.Serve(listener) }()
 	t.Cleanup(s.GracefulStop)
 
-	conn, err := grpc.DialContext(context.Background(), listener.Addr().String(), grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.FailOnNonTempDialError(true), grpc.WithReturnConnectionError())
+	conn, err := grpc.NewClient(listener.Addr().String(), grpc.WithTransportCredentials(insecure.NewCredentials()))
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		_ = conn.Close()

pkg/spireapi/entryapi.go

@@ -35,6 +35,7 @@ const (
 	FederatesWithField Field = "federatesWith"
 	HintField          Field = "hint"
 	JWTSVIDTTLField    Field = "jwtSVIDTTL"
+	StoreSVIDField     Field = "storeSVID"
 	X509SVIDTTL        Field = "x509SVIDTTL"
 )
 
@@ -96,6 +97,7 @@ func (c entryClient) GetUnsupportedFields(ctx context.Context, td string) (map[F
 				},
 				X509SvidTtl: 60,
 				JwtSvidTtl:  60,
+				StoreSvid:   true,
 				Hint:        "hint",
 			},
 		},
@@ -132,6 +134,10 @@ func (c entryClient) GetUnsupportedFields(ctx context.Context, td string) (map[F
 		unsupportedFields[HintField] = struct{}{}
 	}
 
+	if !result.Entry.StoreSvid {
+		unsupportedFields[StoreSVIDField] = struct{}{}
+	}
+
 	return unsupportedFields, nil
 }
 

pkg/spireapi/entryapi_test.go

@@ -177,6 +177,7 @@ func TestGetUnsupportedFields(t *testing.T) {
 			expectFields: map[Field]struct{}{
 				HintField:       {},
 				JWTSVIDTTLField: {},
+				StoreSVIDField:  {},
 			},
 		},
 		{
@@ -191,6 +192,7 @@ func TestGetUnsupportedFields(t *testing.T) {
 			expectFields: map[Field]struct{}{
 				HintField:       {},
 				JWTSVIDTTLField: {},
+				StoreSVIDField:  {},
 			},
 		},
 	} {
@@ -400,6 +402,7 @@ func (s *entryServer) BatchCreateEntry(_ context.Context, req *entryv1.BatchCrea
 		if s.clearUnsupportedFields {
 			entry.JwtSvidTtl = 0
 			entry.Hint = ""
+			entry.StoreSvid = false
 		}
 
 		st := status.Convert(s.createEntry(entry))

pkg/spireapi/types.go

@@ -44,6 +44,7 @@ type Entry struct {
 	Downstream    bool
 	DNSNames      []string
 	Hint          string
+	StoreSVID     bool
 }
 
 type Selector struct {
@@ -154,6 +155,7 @@ func entryToAPI(in Entry) *apitypes.Entry {
 		DnsNames:      in.DNSNames,
 		Downstream:    in.Downstream,
 		Hint:          in.Hint,
+		StoreSvid:     in.StoreSVID,
 	}
 }
 
@@ -204,6 +206,7 @@ func entryFromAPI(in *apitypes.Entry) (Entry, error) {
 		DNSNames:      in.DnsNames,
 		Downstream:    in.Downstream,
 		Hint:          in.Hint,
+		StoreSVID:     in.StoreSvid,
 	}, nil
 }
 

pkg/spireapi/types_test.go

@@ -32,6 +32,7 @@ var (
 		Admin:         true,
 		Downstream:    true,
 		DNSNames:      []string{"dnsname"},
+		StoreSVID:     true,
 	}
 
 	apiEntry = &apitypes.Entry{
@@ -50,6 +51,7 @@ var (
 		Admin:         true,
 		Downstream:    true,
 		DnsNames:      []string{"dnsname"},
+		StoreSvid:     true,
 	}
 )
 
@@ -85,7 +87,7 @@ func TestFederationRelationshipEqual(t *testing.T) {
 		assert.False(t, base.Equal(compareTo))
 	}
 
-	assertEqual(t, func(compareTo *FederationRelationship) {})
+	assertEqual(t, func(_ *FederationRelationship) {})
 	assertNotEqual(t, func(compareTo *FederationRelationship) {
 		compareTo.TrustDomain = tdB
 	})
@@ -161,7 +163,7 @@ func TestEntryFromAPI(t *testing.T) {
 	}{
 		{
 			desc: "nil entry",
-			makeEntry: func(base *apitypes.Entry) *apitypes.Entry {
+			makeEntry: func(_ *apitypes.Entry) *apitypes.Entry {
 				return nil
 			},
 			expectErr: "entry is nil",

pkg/spireentry/entries.go

@@ -65,6 +65,7 @@ func renderStaticEntry(spec *spirev1alpha1.ClusterStaticEntrySpec) (*spireapi.En
 		Admin:         spec.Admin,
 		Downstream:    spec.Downstream,
 		Hint:          spec.Hint,
+		StoreSVID:     spec.StoreSVID,
 	}, nil
 }
 
@@ -125,6 +126,7 @@ func renderPodEntry(spec *spirev1alpha1.ParsedClusterSPIFFEIDSpec, node *corev1.
 		DNSNames:      dnsNames,
 		Admin:         spec.Admin,
 		Downstream:    spec.Downstream,
+		Hint:          spec.Hint,
 	}, nil
 }
 

pkg/spireentry/logging.go

@@ -42,6 +42,7 @@ const (
 	adminKey                 = "admin"
 	downstreamKey            = "downstream"
 	hintKey                  = "hint"
+	storeSVIDKey             = "storeSVID"
 )
 
 func objectName(o metav1.Object) string {
@@ -64,6 +65,7 @@ func entryLogFields(entry spireapi.Entry) []interface{} {
 		adminKey, entry.Admin,
 		downstreamKey, entry.Downstream,
 		hintKey, entry.Hint,
+		storeSVIDKey, entry.StoreSVID,
 	}
 }
 
@@ -90,7 +92,7 @@ func stringList(ss []string) string {
 func renderList(n int, fn func(i int, w io.StringWriter)) string {
 	var builder strings.Builder
 	builder.WriteRune('[')
-	for i := 0; i < n; i++ {
+	for i := range n {
 		if i > 0 {
 			builder.WriteRune(',')
 		}

pkg/spireentry/reconciler.go

@@ -20,14 +20,18 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
+	"fmt"
 	"io"
 	"regexp"
+	"slices"
 	"sort"
 	"strings"
 	"text/template"
 	"time"
 
 	"github.com/go-logr/logr"
+	"github.com/google/uuid"
+	"github.com/prometheus/client_golang/prometheus"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"google.golang.org/grpc/codes"
 	corev1 "k8s.io/api/core/v1"
@@ -39,6 +43,7 @@ import (
 
 	spirev1alpha1 "github.com/spiffe/spire-controller-manager/api/v1alpha1"
 	"github.com/spiffe/spire-controller-manager/pkg/k8sapi"
+	"github.com/spiffe/spire-controller-manager/pkg/metrics"
 	"github.com/spiffe/spire-controller-manager/pkg/namespace"
 	"github.com/spiffe/spire-controller-manager/pkg/reconciler"
 	"github.com/spiffe/spire-controller-manager/pkg/spireapi"
@@ -47,12 +52,12 @@ import (
 const (
 	// joinTokenSpiffePrefix is the prefix that is the part of the parent SPIFFE ID for join token entries.
 	// Ref: https://github.com/spiffe/spire/blob/v1.8.7/pkg/server/api/agent/v1/service.go#L714
-	// nolint: gosec // not a credential
+	//nolint: gosec // not a credential
 	joinTokenSpiffePrefix = "/spire/agent/join_token/"
 
 	// joinTokenSelectorType is the selector type used in the selector for join token entries.
 	// Ref: https://github.com/spiffe/spire/blob/v1.8.7/pkg/server/api/agent/v1/service.go#L515
-	// nolint: gosec // not a credential
+	//nolint: gosec // not a credential
 	joinTokenSelectorType = "spiffe_id"
 )
 
@@ -68,6 +73,9 @@ type ReconcilerConfig struct {
 	WatchClassless       bool
 	ParentIDTemplate     *template.Template
 	Reconcile            spirev1alpha1.ReconcileConfig
+	EntryIDPrefix        string
+	EntryIDPrefixCleanup *string
+	StaticManifestPath   *string
 
 	// GCInterval how long to sit idle (i.e. untriggered) before doing
 	// another reconcile.
@@ -76,7 +84,9 @@ type ReconcilerConfig struct {
 
 func Reconciler(config ReconcilerConfig) reconciler.Reconciler {
 	r := &entryReconciler{
-		config: config,
+		config:             config,
+		promCounter:        metrics.PromCounters,
+		staticManifestPath: config.StaticManifestPath,
 	}
 	return reconciler.New(reconciler.Config{
 		Kind:       "entry",
@@ -89,7 +99,9 @@ type entryReconciler struct {
 	config ReconcilerConfig
 
 	unsupportedFields        map[spireapi.Field]struct{}
+	promCounter              map[string]prometheus.Counter
 	nextGetUnsupportedFields time.Time
+	staticManifestPath       *string
 }
 
 func (r *entryReconciler) reconcile(ctx context.Context) {
@@ -101,7 +113,7 @@ func (r *entryReconciler) reconcile(ctx context.Context) {
 	unsupportedFields := r.unsupportedFields
 
 	// Load current entries from SPIRE server.
-	currentEntries, err := r.listEntries(ctx)
+	currentEntries, deleteOnlyEntries, err := r.listEntries(ctx)
 	if err != nil {
 		log.Error(err, "Failed to list SPIRE entries")
 		return
@@ -156,6 +168,9 @@ func (r *entryReconciler) reconcile(ctx context.Context) {
 			// drop the current entry from the list so it isn't added to the
 			// "to delete" list.
 			if len(s.Current) == 0 {
+				if preferredEntry.Entry.ID == "" && r.config.EntryIDPrefix != "" {
+					preferredEntry.Entry.ID = fmt.Sprintf("%s%s", r.config.EntryIDPrefix, uuid.New())
+				}
 				toCreate = append(toCreate, preferredEntry)
 			} else {
 				preferredEntry.Entry.ID = s.Current[0].ID
@@ -172,6 +187,7 @@ func (r *entryReconciler) reconcile(ctx context.Context) {
 		toDelete = append(toDelete, filterJoinTokenEntries(s.Current)...)
 	}
 
+	toDelete = append(toDelete, deleteOnlyEntries...)
 	if len(toDelete) > 0 {
 		r.deleteEntries(ctx, toDelete)
 	}
@@ -190,6 +206,9 @@ func (r *entryReconciler) reconcile(ctx context.Context) {
 			continue
 		}
 		clusterStaticEntry.Status = clusterStaticEntry.NextStatus
+		if r.config.K8sClient == nil {
+			continue
+		}
 		if err := r.config.K8sClient.Status().Update(ctx, &clusterStaticEntry.ClusterStaticEntry); err == nil {
 			log.Info("Updated status")
 		} else {
@@ -250,9 +269,43 @@ func (r *entryReconciler) recalculateUnsupportFields(ctx context.Context, log lo
 	r.nextGetUnsupportedFields = time.Now().Add(10 * time.Minute)
 }
 
-func (r *entryReconciler) listEntries(ctx context.Context) ([]spireapi.Entry, error) {
+func (r *entryReconciler) shouldProcessOrDeleteEntryID(entry spireapi.Entry) (bool, bool) {
+	if r.config.EntryIDPrefix == "" {
+		return true, false
+	}
+	if strings.HasPrefix(entry.ID, r.config.EntryIDPrefix) {
+		return true, false
+	}
+	if r.config.EntryIDPrefixCleanup != nil {
+		cleanupPrefix := *r.config.EntryIDPrefixCleanup
+		if cleanupPrefix == "" {
+			return false, !strings.Contains(entry.ID, ".")
+		}
+		if strings.HasPrefix(entry.ID, cleanupPrefix) {
+			return false, true
+		}
+	}
+	return false, false
+}
+
+func (r *entryReconciler) listEntries(ctx context.Context) ([]spireapi.Entry, []spireapi.Entry, error) {
 	// TODO: cache?
-	return r.config.EntryClient.ListEntries(ctx)
+	var deleteOnlyEntries []spireapi.Entry
+	var currentEntries []spireapi.Entry
+	tmpvals, err := r.config.EntryClient.ListEntries(ctx)
+	if err != nil {
+		return currentEntries, deleteOnlyEntries, err
+	}
+	for _, value := range tmpvals {
+		proc, del := r.shouldProcessOrDeleteEntryID(value)
+		if proc {
+			currentEntries = append(currentEntries, value)
+		}
+		if del {
+			deleteOnlyEntries = append(deleteOnlyEntries, value)
+		}
+	}
+	return currentEntries, deleteOnlyEntries, nil
 }
 
 func (r *entryReconciler) getUnsupportedFields(ctx context.Context) (map[spireapi.Field]struct{}, error) {
@@ -260,7 +313,13 @@ func (r *entryReconciler) getUnsupportedFields(ctx context.Context) (map[spireap
 }
 
 func (r *entryReconciler) listClusterStaticEntries(ctx context.Context) ([]*ClusterStaticEntry, error) {
-	clusterStaticEntries, err := k8sapi.ListClusterStaticEntries(ctx, r.config.K8sClient)
+	var clusterStaticEntries []spirev1alpha1.ClusterStaticEntry
+	var err error
+	if r.config.K8sClient != nil {
+		clusterStaticEntries, err = k8sapi.ListClusterStaticEntries(ctx, r.config.K8sClient)
+	} else {
+		clusterStaticEntries, err = spirev1alpha1.ListClusterStaticEntries(ctx, *r.staticManifestPath)
+	}
 	if err != nil {
 		return nil, err
 	}
@@ -307,6 +366,7 @@ func (r *entryReconciler) addClusterStaticEntryEntriesState(ctx context.Context,
 		if err != nil {
 			log.Error(err, "Failed to render ClusterStaticEntry")
 			clusterStaticEntry.NextStatus.Rendered = false
+			r.promCounter[metrics.StaticEntryFailures].Add(1)
 			continue
 		}
 		clusterStaticEntry.NextStatus.Rendered = true
@@ -316,6 +376,17 @@ func (r *entryReconciler) addClusterStaticEntryEntriesState(ctx context.Context,
 
 func (r *entryReconciler) addClusterSPIFFEIDEntriesState(ctx context.Context, state entriesState, clusterSPIFFEIDs []*ClusterSPIFFEID) {
 	log := log.FromContext(ctx)
+	podsWithNonFallbackApplied := make(map[types.UID]struct{})
+	// Process all the fallback clusterSPIFFEIDs last.
+	slices.SortStableFunc(clusterSPIFFEIDs, func(x, y *ClusterSPIFFEID) int {
+		if x.Spec.Fallback == y.Spec.Fallback {
+			return 0
+		}
+		if x.Spec.Fallback {
+			return 1
+		}
+		return -1
+	})
 	for _, clusterSPIFFEID := range clusterSPIFFEIDs {
 		log := log.WithValues(clusterSPIFFEIDLogKey, objectName(clusterSPIFFEID))
 
@@ -357,6 +428,9 @@ func (r *entryReconciler) addClusterSPIFFEIDEntriesState(ctx context.Context, st
 			clusterSPIFFEID.NextStatus.Stats.PodsSelected += len(pods)
 			for i := range pods {
 				log := log.WithValues(podLogKey, objectName(&pods[i]))
+				if _, ok := podsWithNonFallbackApplied[pods[i].UID]; ok && clusterSPIFFEID.Spec.Fallback {
+					continue
+				}
 
 				entry, err := r.renderPodEntry(ctx, spec, &pods[i])
 				switch {
@@ -367,6 +441,9 @@ func (r *entryReconciler) addClusterSPIFFEIDEntriesState(ctx context.Context, st
 					// renderPodEntry will return a nil entry if requisite k8s
 					// objects disappeared from underneath.
 					state.AddDeclared(*entry, clusterSPIFFEID)
+					if !clusterSPIFFEID.Spec.Fallback {
+						podsWithNonFallbackApplied[pods[i].UID] = struct{}{}
+					}
 				}
 			}
 		}
@@ -592,6 +669,11 @@ func getOutdatedEntryFields(newEntry, oldEntry spireapi.Entry, unsupportedFields
 			outdated = append(outdated, spireapi.HintField)
 		}
 	}
+	if oldEntry.StoreSVID != newEntry.StoreSVID {
+		if _, ok := unsupportedFields[spireapi.StoreSVIDField]; !ok {
+			outdated = append(outdated, spireapi.StoreSVIDField)
+		}
+	}
 
 	return outdated
 }

pkg/spirefederationrelationship/reconciler.go

@@ -32,10 +32,11 @@ import (
 )
 
 type ReconcilerConfig struct {
-	TrustDomainClient spireapi.TrustDomainClient
-	K8sClient         client.Client
-	ClassName         string
-	WatchClassless    bool
+	TrustDomainClient  spireapi.TrustDomainClient
+	K8sClient          client.Client
+	ClassName          string
+	WatchClassless     bool
+	StaticManifestPath *string
 
 	// GCInterval how long to sit idle (i.e. untriggered) before doing
 	// another reconcile.
@@ -46,27 +47,29 @@ func Reconciler(config ReconcilerConfig) reconciler.Reconciler {
 	return reconciler.New(reconciler.Config{
 		Kind: "federation relationship",
 		Reconcile: func(ctx context.Context) {
-			Reconcile(ctx, config.TrustDomainClient, config.K8sClient, config.ClassName, config.WatchClassless)
+			Reconcile(ctx, config.TrustDomainClient, config.K8sClient, config.ClassName, config.WatchClassless, config.StaticManifestPath)
 		},
 		GCInterval: config.GCInterval,
 	})
 }
 
-func Reconcile(ctx context.Context, trustDomainClient spireapi.TrustDomainClient, k8sClient client.Client, className string, watchClassless bool) {
+func Reconcile(ctx context.Context, trustDomainClient spireapi.TrustDomainClient, k8sClient client.Client, className string, watchClassless bool, staticManifestPath *string) {
 	r := &federationRelationshipReconciler{
-		trustDomainClient: trustDomainClient,
-		k8sClient:         k8sClient,
-		className:         className,
-		watchClassless:    watchClassless,
+		trustDomainClient:  trustDomainClient,
+		k8sClient:          k8sClient,
+		className:          className,
+		watchClassless:     watchClassless,
+		staticManifestPath: staticManifestPath,
 	}
 	r.reconcile(ctx)
 }
 
 type federationRelationshipReconciler struct {
-	trustDomainClient spireapi.TrustDomainClient
-	k8sClient         client.Client
-	className         string
-	watchClassless    bool
+	trustDomainClient  spireapi.TrustDomainClient
+	k8sClient          client.Client
+	className          string
+	watchClassless     bool
+	staticManifestPath *string
 }
 
 func (r *federationRelationshipReconciler) reconcile(ctx context.Context) {
@@ -135,7 +138,13 @@ func (r *federationRelationshipReconciler) listFederationRelationships(ctx conte
 func (r *federationRelationshipReconciler) listClusterFederatedTrustDomains(ctx context.Context) (map[spiffeid.TrustDomain]*clusterFederatedTrustDomainState, error) {
 	log := log.FromContext(ctx)
 
-	clusterFederatedTrustDomains, err := k8sapi.ListClusterFederatedTrustDomains(ctx, r.k8sClient)
+	var clusterFederatedTrustDomains []spirev1alpha1.ClusterFederatedTrustDomain
+	var err error
+	if r.k8sClient != nil {
+		clusterFederatedTrustDomains, err = k8sapi.ListClusterFederatedTrustDomains(ctx, r.k8sClient)
+	} else {
+		clusterFederatedTrustDomains, err = spirev1alpha1.ListClusterFederatedTrustDomains(ctx, *r.staticManifestPath)
+	}
 	if err != nil {
 		return nil, err
 	}

pkg/spirefederationrelationship/reconciler_test.go

@@ -191,7 +191,7 @@ func TestReconcile(t *testing.T) {
 			ctx := log.IntoContext(context.Background(), logrtesting.NewTestLogger(t))
 
 			k8sClient := k8stest.NewClientBuilder(t).WithRuntimeObjects(tt.withObjects...).Build()
-			spirefederationrelationship.Reconcile(ctx, tdc, k8sClient, "", false)
+			spirefederationrelationship.Reconcile(ctx, tdc, k8sClient, "", false, nil)
 			assert.Equal(t, tt.expectFRs, tdc.getFederationRelationships())
 		})
 	}

pkg/webhookmanager/manager.go

@@ -169,6 +169,10 @@ func (m *Manager) Start(ctx context.Context) error {
 	}
 }
 
+func (m *Manager) NeedLeaderElection() bool {
+	return false
+}
+
 func (m *Manager) mintX509SVIDIfNeeded(ctx context.Context, store cache.Store) error {
 	log := log.FromContext(ctx)
 
@@ -364,7 +368,7 @@ func dnsNamesEqual(a, b []string) bool {
 	if len(a) != len(b) {
 		return false
 	}
-	for i := 0; i < len(a); i++ {
+	for i := range a {
 		if a[i] != b[i] {
 			return false
 		}
@@ -383,8 +387,8 @@ func startInformer(ctx context.Context, config Config) (cache.Store, chan struct
 	}
 
 	log := log.FromContext(ctx)
-	store, controller := cache.NewInformer(
-		&cache.ListWatch{
+	store, controller := cache.NewInformerWithOptions(cache.InformerOptions{
+		ListerWatcher: &cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				return config.WebhookClient.List(ctx, options)
 			},
@@ -392,29 +396,29 @@ func startInformer(ctx context.Context, config Config) (cache.Store, chan struct
 				return config.WebhookClient.Watch(ctx, options)
 			},
 		},
-		&admissionregistrationv1.ValidatingWebhookConfiguration{},
-		time.Hour,
-		cache.FilteringResourceEventHandler{
+		ObjectType:   &admissionregistrationv1.ValidatingWebhookConfiguration{},
+		ResyncPeriod: time.Hour,
+		Handler: cache.FilteringResourceEventHandler{
 			FilterFunc: func(obj interface{}) bool {
 				o, ok := obj.(*admissionregistrationv1.ValidatingWebhookConfiguration)
 				return ok && o.Name == config.WebhookName
 			},
 			Handler: cache.ResourceEventHandlerFuncs{
-				AddFunc: func(obj interface{}) {
+				AddFunc: func(_ interface{}) {
 					log.Info("Received webhook added event")
 					notify()
 				},
-				UpdateFunc: func(oldObj, newObj interface{}) {
+				UpdateFunc: func(_, _ interface{}) {
 					log.Info("Received webhook updated event")
 					notify()
 				},
-				DeleteFunc: func(obj interface{}) {
+				DeleteFunc: func(_ interface{}) {
 					log.Info("Received webhook deleted event")
 					notify()
 				},
 			},
 		},
-	)
+	})
 
 	wg := new(sync.WaitGroup)
 	wg.Add(1)