Bump github.com/spiffe/spire-api-sdk from 1.12.0 to 1.12.4 (#540)

Bumps [github.com/spiffe/spire-api-sdk](https://github.com/spiffe/spire-api-sdk) from 1.12.0 to 1.12.4.
- [Commits](https://github.com/spiffe/spire-api-sdk/compare/v1.12.0...v1.12.4)

---
updated-dependencies:
- dependency-name: github.com/spiffe/spire-api-sdk
  dependency-version: 1.12.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/nightly_build.yaml

@@ -30,7 +30,7 @@ jobs:
       - name: Build image
         run: make docker-build
       - name: Log in to GHCR
-        uses: docker/login-action@v3.3.0
+        uses: docker/login-action@v3.4.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/pr_build.yaml

@@ -55,7 +55,7 @@ jobs:
       - name: Export images
         run: tar -czvf images.tar.gz *-image.tar
       - name: Archive image
-        uses: actions/upload-artifact@v4.4.0
+        uses: actions/upload-artifact@v4.6.2
         with:
           name: images
           path: images.tar.gz
@@ -74,7 +74,7 @@ jobs:
       - name: Install regctl
         uses: regclient/actions/regctl-installer@main
       - name: Download archived image
-        uses: actions/download-artifact@v4.1.8
+        uses: actions/download-artifact@v4.3.0
         with:
           name: images
           path: .

.github/workflows/release_build.yaml

@@ -26,7 +26,7 @@ jobs:
       - name: Export image
         run: tar -czvf images.tar.gz *-image.tar
       - name: Archive image
-        uses: actions/upload-artifact@v4.4.0
+        uses: actions/upload-artifact@v4.6.2
         with:
           name: images
           path: images.tar.gz
@@ -45,7 +45,7 @@ jobs:
       - name: Install regctl
         uses: regclient/actions/regctl-installer@main
       - name: Download archived image
-        uses: actions/download-artifact@v4.1.8
+        uses: actions/download-artifact@v4.3.0
         with:
           name: images
           path: .
@@ -74,12 +74,12 @@ jobs:
       - name: Install regctl
         uses: regclient/actions/regctl-installer@main
       - name: Download archived image
-        uses: actions/download-artifact@v4.1.8
+        uses: actions/download-artifact@v4.3.0
         with:
           name: images
           path: .
       - name: Log in to GHCR
-        uses: docker/login-action@v3.3.0
+        uses: docker/login-action@v3.4.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.go-version

@@ -1 +1 @@
-1.22.2
+1.23.4

.golangci.yml

@@ -7,17 +7,27 @@ linters:
     - bodyclose
     - durationcheck
     - errorlint
+    - gofmt
     - goimports
     - revive
     - gosec
     - misspell
     - nakedret
+    - nilerr
     - unconvert
     - unparam
+    - intrange
     - whitespace
     - gocritic
+    - wastedassign
+    - nolintlint
 
 linters-settings:
+  govet:
+    enable:
+      - nilness
+      - sortslice
+      - unusedwrite
   revive:
     # minimal confidence for issues, default is 0.8
     min-confidence: 0.0

CHANGELOG.md

@@ -1,5 +1,27 @@
 # Changelog
 
+## [0.6.2] - 2025-04-17
+
+### Added
+
+- Support `staticManifestPath`: watch a directory for CRs instead of using Kubernetes API (#411)
+
+## [0.6.1] - 2025-02-14
+
+### Added
+
+- Support for configuring the log level (#388, #464)
+- New metrics to track `ClusterStaticEntry` failures (#387)
+
+### Fixed
+
+- Failed controller upgrade when webhook certificate is expired (#450)
+
+### Updated
+
+- Minor documentation changes (#435, #443)
+- Version used in migration guide (#465)
+
 ## [0.6.0] - 2024-10-03
 
 <font size='7'>:rotating_light: ***PLEASE READ BEFORE UPGRADING*** :rotating_light:</font>

CODEOWNERS

@@ -1 +1 @@
-* @azdagron @MarcosDY
+* @azdagron @MarcosDY @kfox1111

Dockerfile

@@ -1,7 +1,7 @@
 ARG goversion
 
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM} golang:${goversion}-alpine as base
+FROM --platform=${BUILDPLATFORM} golang:${goversion}-alpine AS base
 WORKDIR /workspace
 # Copy the Go Modules manifests
 COPY go.* ./
@@ -22,7 +22,7 @@ COPY pkg/ pkg/
 FROM --platform=${BUILDPLATFORM} tonistiigi/xx@sha256:904fe94f236d36d65aeb5a2462f88f2c537b8360475f6342e7599194f291fb7e AS xx
 
 # Build
-FROM --platform=${BUILDPLATFORM} base as builder
+FROM --platform=${BUILDPLATFORM} base AS builder
 ARG TARGETPLATFORM
 ARG TARGETARCH
 ENV CGO_ENABLED=0

Makefile

@@ -80,7 +80,7 @@ endif
 go_version := $(shell cat .go-version)
 build_dir := $(DIR)/.build/$(os1)-$(arch1)
 
-golangci_lint_version = v1.59.1
+golangci_lint_version = v1.60.1
 golangci_lint_dir = $(build_dir)/golangci_lint/$(golangci_lint_version)
 golangci_lint_bin = $(golangci_lint_dir)/golangci-lint
 golangci_lint_cache = $(golangci_lint_dir)/cache

api/v1alpha1/clusterfederatedtrustdomain_loader.go

@@ -0,0 +1,61 @@
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+func loadClusterFederatedTrustDomainFile(path string, scheme *runtime.Scheme, expandEnv bool) (*ClusterFederatedTrustDomain, error) {
+	var entry ClusterFederatedTrustDomain
+	content, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("could not read file at %s: %w", path, err)
+	}
+
+	if expandEnv {
+		content = []byte(os.ExpandEnv(string(content)))
+	}
+
+	codecs := serializer.NewCodecFactory(scheme)
+
+	// Regardless of if the bytes are of any external version,
+	// it will be read successfully and converted into the internal version
+	if err = runtime.DecodeInto(codecs.UniversalDecoder(), content, &entry); err != nil {
+		return nil, fmt.Errorf("could not decode file (%s) into runtime.Object: %w", path, err)
+	}
+
+	return &entry, nil
+}
+
+func ListClusterFederatedTrustDomains(_ context.Context, manifestPath string) ([]ClusterFederatedTrustDomain, error) {
+	scheme := runtime.NewScheme()
+	res := make([]ClusterFederatedTrustDomain, 0)
+	expandEnv := false
+	files, err := os.ReadDir(manifestPath)
+	if err != nil {
+		return nil, err
+	}
+	for _, file := range files {
+		if !strings.HasSuffix(file.Name(), ".yaml") {
+			continue
+		}
+		fullfile := path.Join(manifestPath, file.Name())
+		entry, err := loadClusterFederatedTrustDomainFile(fullfile, scheme, expandEnv)
+		// Ignore files of the wrong type in manifestPath
+		if entry.APIVersion != "spire.spiffe.io/v1alpha1" || entry.Kind != "ClusterFederatedTrustDomain" {
+			continue
+		}
+		// Right file type, but error loading
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, *entry)
+	}
+	return res, nil
+}

api/v1alpha1/clusterfederatedtrustdomain_webhook.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"context"
 	"fmt"
 	"strings"
 
@@ -36,6 +37,7 @@ var clusterfederatedtrustdomainlog = logf.Log.WithName("clusterfederatedtrustdom
 func (r *ClusterFederatedTrustDomain) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
+		WithValidator(&ClusterFederatedTrustDomainCustomValidator{}).
 		Complete()
 }
 
@@ -44,28 +46,40 @@ func (r *ClusterFederatedTrustDomain) SetupWebhookWithManager(mgr ctrl.Manager)
 // TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
 //+kubebuilder:webhook:path=/validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain,mutating=false,failurePolicy=fail,sideEffects=None,groups=spire.spiffe.io,resources=clusterfederatedtrustdomains,verbs=create;update,versions=v1alpha1,name=vclusterfederatedtrustdomain.kb.io,admissionReviewVersions=v1
 
-var _ webhook.Validator = &ClusterFederatedTrustDomain{}
+type ClusterFederatedTrustDomainCustomValidator struct {
-
+	// TODO(user): Add more fields as needed for validation
-// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *ClusterFederatedTrustDomain) ValidateCreate() (admission.Warnings, error) {
-	clusterfederatedtrustdomainlog.Info("validate create", "name", r.Name)
-	return r.validate()
 }
 
-// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+var _ webhook.CustomValidator = &ClusterFederatedTrustDomainCustomValidator{}
-func (r *ClusterFederatedTrustDomain) ValidateUpdate(runtime.Object) (admission.Warnings, error) {
+
-	clusterfederatedtrustdomainlog.Info("validate update", "name", r.Name)
+// ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type
-	return r.validate()
+func (r *ClusterFederatedTrustDomainCustomValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
+	o, ok := obj.(*ClusterFederatedTrustDomain)
+	if !ok {
+		return nil, fmt.Errorf("expected a ClusterFederatedTrustDomain object but got %T", obj)
+	}
+	clusterfederatedtrustdomainlog.Info("validate create", "name", o.Name)
+	return r.validate(o)
 }
 
-// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+// ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type
-func (r *ClusterFederatedTrustDomain) ValidateDelete() (admission.Warnings, error) {
+func (r *ClusterFederatedTrustDomainCustomValidator) ValidateUpdate(_ context.Context, _ runtime.Object, nobj runtime.Object) (admission.Warnings, error) {
+	o, ok := nobj.(*ClusterFederatedTrustDomain)
+	if !ok {
+		return nil, fmt.Errorf("expected a ClusterFederatedTrustDomain object but got %T", nobj)
+	}
+	clusterfederatedtrustdomainlog.Info("validate update", "name", o.Name)
+	return r.validate(o)
+}
+
+// ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type
+func (r *ClusterFederatedTrustDomainCustomValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
 	// Deletes are not validated.
 	return nil, nil
 }
 
-func (r *ClusterFederatedTrustDomain) validate() (admission.Warnings, error) {
+func (r *ClusterFederatedTrustDomainCustomValidator) validate(o *ClusterFederatedTrustDomain) (admission.Warnings, error) {
-	_, err := ParseClusterFederatedTrustDomainSpec(&r.Spec)
+	_, err := ParseClusterFederatedTrustDomainSpec(&o.Spec)
 	return nil, err
 }
 

api/v1alpha1/clusterspiffeid_webhook.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"text/template"
@@ -44,6 +45,7 @@ var clusterspiffeidlog = logf.Log.WithName("clusterspiffeid-resource")
 func (r *ClusterSPIFFEID) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
+		WithValidator(&ClusterSPIFFEIDCustomValidator{}).
 		Complete()
 }
 
@@ -52,30 +54,42 @@ func (r *ClusterSPIFFEID) SetupWebhookWithManager(mgr ctrl.Manager) error {
 // TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
 //+kubebuilder:webhook:path=/validate-spire-spiffe-io-v1alpha1-clusterspiffeid,mutating=false,failurePolicy=fail,sideEffects=None,groups=spire.spiffe.io,resources=clusterspiffeids,verbs=create;update,versions=v1alpha1,name=vclusterspiffeid.kb.io,admissionReviewVersions=v1
 
-var _ webhook.Validator = &ClusterSPIFFEID{}
+type ClusterSPIFFEIDCustomValidator struct {
-
+	// TODO(user): Add more fields as needed for validation
-// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *ClusterSPIFFEID) ValidateCreate() (admission.Warnings, error) {
-	clusterspiffeidlog.Info("validate create", "name", r.Name)
-
-	return r.validate()
 }
 
-// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+var _ webhook.CustomValidator = &ClusterSPIFFEIDCustomValidator{}
-func (r *ClusterSPIFFEID) ValidateUpdate(runtime.Object) (admission.Warnings, error) {
-	clusterspiffeidlog.Info("validate update", "name", r.Name)
 
-	return r.validate()
+// ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type
+func (r *ClusterSPIFFEIDCustomValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
+	o, ok := obj.(*ClusterSPIFFEID)
+	if !ok {
+		return nil, fmt.Errorf("expected a ClusterSPIFFEID object but got %T", obj)
+	}
+	clusterspiffeidlog.Info("validate create", "name", o.Name)
+
+	return r.validate(o)
 }
 
-// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+// ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type
-func (r *ClusterSPIFFEID) ValidateDelete() (admission.Warnings, error) {
+func (r *ClusterSPIFFEIDCustomValidator) ValidateUpdate(_ context.Context, _ runtime.Object, nobj runtime.Object) (admission.Warnings, error) {
+	o, ok := nobj.(*ClusterSPIFFEID)
+	if !ok {
+		return nil, fmt.Errorf("expected a ClusterSPIFFEID object but got %T", nobj)
+	}
+	clusterspiffeidlog.Info("validate update", "name", o.Name)
+
+	return r.validate(o)
+}
+
+// ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type
+func (r *ClusterSPIFFEIDCustomValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
 	// Deletes are not validated.
 	return nil, nil
 }
 
-func (r *ClusterSPIFFEID) validate() (admission.Warnings, error) {
+func (r *ClusterSPIFFEIDCustomValidator) validate(o *ClusterSPIFFEID) (admission.Warnings, error) {
-	_, err := ParseClusterSPIFFEIDSpec(&r.Spec)
+	_, err := ParseClusterSPIFFEIDSpec(&o.Spec)
 	return nil, err
 }
 

api/v1alpha1/clusterstaticentry_loader.go

@@ -0,0 +1,61 @@
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+func loadClusterStaticEntryFile(path string, scheme *runtime.Scheme, expandEnv bool) (*ClusterStaticEntry, error) {
+	var entry ClusterStaticEntry
+	content, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("could not read file at %s: %w", path, err)
+	}
+
+	if expandEnv {
+		content = []byte(os.ExpandEnv(string(content)))
+	}
+
+	codecs := serializer.NewCodecFactory(scheme)
+
+	// Regardless of if the bytes are of any external version,
+	// it will be read successfully and converted into the internal version
+	if err = runtime.DecodeInto(codecs.UniversalDecoder(), content, &entry); err != nil {
+		return nil, fmt.Errorf("could not decode file (%s) into runtime.Object: %w", path, err)
+	}
+
+	return &entry, nil
+}
+
+func ListClusterStaticEntries(_ context.Context, manifestPath string) ([]ClusterStaticEntry, error) {
+	scheme := runtime.NewScheme()
+	res := make([]ClusterStaticEntry, 0)
+	expandEnv := false
+	files, err := os.ReadDir(manifestPath)
+	if err != nil {
+		return nil, err
+	}
+	for _, file := range files {
+		if !strings.HasSuffix(file.Name(), ".yaml") {
+			continue
+		}
+		fullfile := path.Join(manifestPath, file.Name())
+		entry, err := loadClusterStaticEntryFile(fullfile, scheme, expandEnv)
+		// Ignore files of the wrong type in manifestPath
+		if entry.APIVersion != "spire.spiffe.io/v1alpha1" || entry.Kind != "ClusterStaticEntry" {
+			continue
+		}
+		// Right file type, but error loading
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, *entry)
+	}
+	return res, nil
+}

api/v1alpha1/controllermanagerconfig_types.go

@@ -56,6 +56,12 @@ type ControllerManagerConfig struct {
 
 	// SPIREServerSocketPath is the path to the SPIRE Server API socket
 	SPIREServerSocketPath string `json:"spireServerSocketPath"`
+
+	// LogLevel is the log level for the controller manager
+	LogLevel string `json:"logLevel"`
+
+	// LogEncoding is the log encoding for the controller manager
+	LogEncoding string `json:"logEncoding"`
 }
 
 // ControllerManagerConfigurationSpec defines the desired state of GenericControllerManagerConfiguration.
@@ -139,6 +145,9 @@ type ControllerManagerConfigurationSpec struct {
 	// Generally useful when switching from nonprefixed to prefixed, or between two different prefixes.
 	// +optiional
 	EntryIDPrefixCleanup *string `json:"entryIDPrefixCleanup,omitempty"`
+
+	// When configured, read yaml objects from the specified path rather then from Kubernetes.
+	StaticManifestPath *string `json:"staticManifestPath,omitempty"`
 }
 
 // ReconcileConfig configuration used to enable/disable syncing various types

api/v1alpha1/webhook_suite_test.go

@@ -132,7 +132,7 @@ var _ = BeforeSuite(func() {
 	dialer := &net.Dialer{Timeout: time.Second}
 	addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort)
 	Eventually(func() error {
-		conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true}) // nolint: gosec // this is intentional for the unit test
+		conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true}) //nolint: gosec // this is intentional for the unit test
 		if err != nil {
 			return err
 		}

api/v1alpha1/zz_generated.deepcopy.go

@@ -69,6 +69,21 @@ func (in *ClusterFederatedTrustDomain) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterFederatedTrustDomainCustomValidator) DeepCopyInto(out *ClusterFederatedTrustDomainCustomValidator) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterFederatedTrustDomainCustomValidator.
+func (in *ClusterFederatedTrustDomainCustomValidator) DeepCopy() *ClusterFederatedTrustDomainCustomValidator {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterFederatedTrustDomainCustomValidator)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterFederatedTrustDomainList) DeepCopyInto(out *ClusterFederatedTrustDomainList) {
 	*out = *in
@@ -159,6 +174,21 @@ func (in *ClusterSPIFFEID) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterSPIFFEIDCustomValidator) DeepCopyInto(out *ClusterSPIFFEIDCustomValidator) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSPIFFEIDCustomValidator.
+func (in *ClusterSPIFFEIDCustomValidator) DeepCopy() *ClusterSPIFFEIDCustomValidator {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterSPIFFEIDCustomValidator)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterSPIFFEIDList) DeepCopyInto(out *ClusterSPIFFEIDList) {
 	*out = *in
@@ -499,6 +529,11 @@ func (in *ControllerManagerConfigurationSpec) DeepCopyInto(out *ControllerManage
 		*out = new(string)
 		**out = **in
 	}
+	if in.StaticManifestPath != nil {
+		in, out := &in.StaticManifestPath, &out.StaticManifestPath
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControllerManagerConfigurationSpec.

cmd/main.go

@@ -26,6 +26,7 @@ import (
 	"path/filepath"
 	"regexp"
 	"strings"
+	"sync"
 	"text/template"
 	"time"
 
@@ -35,6 +36,7 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/client-go/rest"
 
+	"go.uber.org/zap/zapcore"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -42,11 +44,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
+	k8sMetrics "sigs.k8s.io/controller-runtime/pkg/metrics"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	spirev1alpha1 "github.com/spiffe/spire-controller-manager/api/v1alpha1"
 	"github.com/spiffe/spire-controller-manager/internal/controller"
+	"github.com/spiffe/spire-controller-manager/pkg/metrics"
 	"github.com/spiffe/spire-controller-manager/pkg/reconciler"
 	"github.com/spiffe/spire-controller-manager/pkg/spireapi"
 	"github.com/spiffe/spire-controller-manager/pkg/spireentry"
@@ -66,6 +70,8 @@ type Config struct {
 const (
 	defaultSPIREServerSocketPath = "/spire-server/api.sock"
 	defaultGCInterval            = 10 * time.Second
+	defaultLogLevel              = "info"
+	defaultLogEncoding           = "console"
 	k8sDefaultService            = "kubernetes.default.svc"
 )
 
@@ -78,6 +84,10 @@ func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
 	utilruntime.Must(spirev1alpha1.AddToScheme(scheme))
+
+	k8sMetrics.Registry.MustRegister(
+		metrics.PromCounters[metrics.StaticEntryFailures],
+	)
 	//+kubebuilder:scaffold:scheme
 }
 
@@ -88,6 +98,12 @@ func main() {
 		os.Exit(1)
 	}
 
+	if mainConfig.ctrlConfig.StaticManifestPath != nil {
+		if err := staticRun(mainConfig); err != nil {
+			os.Exit(1)
+		}
+	}
+
 	if err := run(mainConfig); err != nil {
 		os.Exit(1)
 	}
@@ -111,30 +127,30 @@ func parseConfig() (Config, error) {
 			"Command-line flags override configuration from this file.")
 	flag.StringVar(&spireAPISocketFlag, "spire-api-socket", "", "The path to the SPIRE API socket (deprecated; use the config file)")
 	flag.BoolVar(&expandEnvFlag, "expand-env", false, "Expand environment variables in SPIRE Controller Manager config file")
-
-	// Parse log flags
 	opts := zap.Options{
 		Development: true,
 	}
 	opts.BindFlags(flag.CommandLine)
 	flag.Parse()
 
-	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
-
 	// Set default values
 	retval.ctrlConfig = spirev1alpha1.ControllerManagerConfig{
 		IgnoreNamespaces:                   []string{"kube-system", "kube-public", "spire-system"},
 		GCInterval:                         defaultGCInterval,
 		ValidatingWebhookConfigurationName: "spire-controller-manager-webhook",
+		LogLevel:                           defaultLogLevel,
+		LogEncoding:                        defaultLogEncoding,
 	}
 
 	retval.options = ctrl.Options{Scheme: scheme}
 
+	// Setup logger to zap's default log level so errors parsing the config which contains the desired log level are logged
+	_ = setLogger(&opts, "", "")
+
 	if configFileFlag != "" {
 		if err := spirev1alpha1.LoadOptionsFromFile(configFileFlag, scheme, &retval.options, &retval.ctrlConfig, expandEnvFlag); err != nil {
 			return retval, fmt.Errorf("unable to load the config file: %w", err)
 		}
-
 		for _, ignoredNamespace := range retval.ctrlConfig.IgnoreNamespaces {
 			regex, err := regexp.Compile(ignoredNamespace)
 			if err != nil {
@@ -144,6 +160,13 @@ func parseConfig() (Config, error) {
 			retval.ignoreNamespacesRegex = append(retval.ignoreNamespacesRegex, regex)
 		}
 	}
+
+	// Parse log flags
+	if err := setLogger(&opts, retval.ctrlConfig.LogLevel, retval.ctrlConfig.LogEncoding); err != nil {
+		return retval, fmt.Errorf("unable to parse log level: %w", err)
+	}
+	setupLog.Info("Logger configured", "level", opts.Level)
+
 	// Determine the SPIRE Server socket path
 	switch {
 	case retval.ctrlConfig.SPIREServerSocketPath == "" && spireAPISocketFlag == "":
@@ -179,13 +202,25 @@ func parseConfig() (Config, error) {
 	}
 
 	if retval.ctrlConfig.Reconcile == nil {
-		retval.reconcile.ClusterSPIFFEIDs = true
 		retval.reconcile.ClusterFederatedTrustDomains = true
 		retval.reconcile.ClusterStaticEntries = true
+		if retval.ctrlConfig.StaticManifestPath == nil {
+			// Static mode default is to have ClusterSPIFFEID syncing off (unsupported). Non static mode syncing on.
+			retval.reconcile.ClusterSPIFFEIDs = true
+		}
 	} else {
 		retval.reconcile = *retval.ctrlConfig.Reconcile
 	}
 
+	if retval.ctrlConfig.StaticManifestPath != nil {
+		if retval.options.LeaderElection {
+			return retval, fmt.Errorf("Leader election is not possible with static manifests")
+		}
+		if retval.reconcile.ClusterSPIFFEIDs {
+			return retval, fmt.Errorf("ClusterSPIFFEID reconciliation is not possible with static manifests")
+		}
+	}
+
 	retval.ctrlConfig.EntryIDPrefix = addDotSuffix(retval.ctrlConfig.EntryIDPrefix)
 
 	printCleanup := "<unset>"
@@ -251,7 +286,7 @@ func run(mainConfig Config) (err error) {
 	// file to keep rotation simple.
 	// TODO: upstream a change to the WebhookServer so it can use callbacks to
 	// obtain the certificates so we don't have to touch disk.
-	var webhookRunnable manager.Runnable
+	var webhookManager *webhookmanager.Manager
 	if webhookEnabled {
 		const keyPairName = "keypair.pem"
 		certDir, err := os.MkdirTemp("", "spire-controller-manager-")
@@ -291,7 +326,7 @@ func run(mainConfig Config) (err error) {
 			return err
 		}
 
-		webhookManager := webhookmanager.New(webhookmanager.Config{
+		webhookManager = webhookmanager.New(webhookmanager.Config{
 			ID:            spiffeid.RequireFromPath(trustDomain, "/spire-controller-manager-webhook"),
 			KeyPairPath:   filepath.Join(certDir, keyPairName),
 			WebhookName:   mainConfig.ctrlConfig.ValidatingWebhookConfigurationName,
@@ -304,8 +339,6 @@ func run(mainConfig Config) (err error) {
 			setupLog.Error(err, "failed to mint initial webhook certificate")
 			return err
 		}
-
-		webhookRunnable = webhookManager
 	}
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), mainConfig.options)
@@ -419,9 +452,9 @@ func run(mainConfig Config) (err error) {
 		}
 	}
 
-	if webhookRunnable != nil {
+	if webhookManager != nil {
-		if err = mgr.Add(webhookRunnable); err != nil {
+		if err = mgr.Add(webhookManager); err != nil {
-			setupLog.Error(err, "unable to manage federation relationship reconciler")
+			setupLog.Error(err, "unable to manage webhook")
 			return err
 		}
 	}
@@ -443,6 +476,97 @@ func run(mainConfig Config) (err error) {
 	return nil
 }
 
+func staticRun(mainConfig Config) (err error) {
+	var wg sync.WaitGroup
+	if mainConfig.reconcile.ClusterFederatedTrustDomains {
+		wg.Add(1)
+	}
+	if mainConfig.reconcile.ClusterStaticEntries {
+		wg.Add(1)
+	}
+	trustDomain, err := spiffeid.TrustDomainFromString(mainConfig.ctrlConfig.TrustDomain)
+	if err != nil {
+		setupLog.Error(err, "invalid trust domain name")
+		return err
+	}
+
+	ctx := ctrl.SetupSignalHandler()
+
+	setupLog.Info("Dialing SPIRE Server socket")
+	spireClient, err := spireapi.DialSocket(mainConfig.ctrlConfig.SPIREServerSocketPath)
+	if err != nil {
+		setupLog.Error(err, "unable to dial SPIRE Server socket")
+		return err
+	}
+	defer spireClient.Close()
+
+	mgr, err := ctrl.NewManager(&rest.Config{}, mainConfig.options)
+	if err != nil {
+		setupLog.Error(err, "unable to start manager")
+		return err
+	}
+	if mainConfig.reconcile.ClusterStaticEntries {
+		entryReconciler := spireentry.Reconciler(spireentry.ReconcilerConfig{
+			TrustDomain:          trustDomain,
+			ClusterName:          mainConfig.ctrlConfig.ClusterName,
+			ClusterDomain:        mainConfig.ctrlConfig.ClusterDomain,
+			K8sClient:            nil,
+			EntryClient:          spireClient,
+			IgnoreNamespaces:     mainConfig.ignoreNamespacesRegex,
+			GCInterval:           mainConfig.ctrlConfig.GCInterval,
+			ClassName:            mainConfig.ctrlConfig.ClassName,
+			WatchClassless:       mainConfig.ctrlConfig.WatchClassless,
+			ParentIDTemplate:     mainConfig.parentIDTemplate,
+			Reconcile:            mainConfig.reconcile,
+			EntryIDPrefix:        mainConfig.ctrlConfig.EntryIDPrefix,
+			EntryIDPrefixCleanup: mainConfig.ctrlConfig.EntryIDPrefixCleanup,
+			StaticManifestPath:   mainConfig.ctrlConfig.StaticManifestPath,
+		})
+		go func() {
+			err = entryReconciler.Run(ctx)
+			if err != nil {
+				setupLog.Error(err, "failure starting entry reconciler", "controller", "ClusterStaticEntry")
+			}
+			wg.Done()
+		}()
+	}
+	if mainConfig.reconcile.ClusterFederatedTrustDomains {
+		federationRelationshipReconciler := spirefederationrelationship.Reconciler(spirefederationrelationship.ReconcilerConfig{
+			K8sClient:          nil,
+			TrustDomainClient:  spireClient,
+			GCInterval:         mainConfig.ctrlConfig.GCInterval,
+			ClassName:          mainConfig.ctrlConfig.ClassName,
+			WatchClassless:     mainConfig.ctrlConfig.WatchClassless,
+			StaticManifestPath: mainConfig.ctrlConfig.StaticManifestPath,
+		})
+		go func() {
+			err = federationRelationshipReconciler.Run(ctx)
+			if err != nil {
+				setupLog.Error(err, "failure starting federation relationship reconciler", "controller", "ClusterFederatedTrustDomain")
+			}
+			wg.Done()
+		}()
+	}
+
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		return err
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		return err
+	}
+
+	wg.Wait()
+	setupLog.Info("starting manager")
+	if err := mgr.Start(ctx); err != nil {
+		setupLog.Error(err, "problem running manager")
+		return err
+	}
+
+	return nil
+}
+
 func autoDetectClusterDomain() (string, error) {
 	cname, err := net.LookupCNAME(k8sDefaultService)
 	if err != nil {
@@ -471,3 +595,42 @@ func parseClusterDomainCNAME(cname string) (string, error) {
 
 	return clusterDomain, nil
 }
+
+func setLogger(opts *zap.Options, logLevel string, logEncoding string) error {
+	if logLevel != "" && opts.Level == nil {
+		zapLogLevel, err := getLogLevel(logLevel)
+		if err != nil {
+			return fmt.Errorf("unable to parse log level: %w", err)
+		}
+		opts.Level = zapLogLevel
+	}
+	if logEncoding != "" && opts.Encoder == nil {
+		switch logEncoding {
+		case "console":
+			zap.ConsoleEncoder(opts.EncoderConfigOptions...)(opts)
+		case "json":
+			zap.JSONEncoder(opts.EncoderConfigOptions...)(opts)
+		default:
+			return fmt.Errorf("unrecognized log encoding: %s", logEncoding)
+		}
+	}
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(opts)))
+
+	return nil
+}
+
+func getLogLevel(logLevel string) (zapcore.Level, error) {
+	switch strings.ToLower(logLevel) {
+	case "debug":
+		return zapcore.DebugLevel, nil
+	case "warn":
+		return zapcore.WarnLevel, nil
+	case "error":
+		return zapcore.ErrorLevel, nil
+	case "info":
+		return zapcore.InfoLevel, nil
+	default:
+		return zapcore.InfoLevel, fmt.Errorf("invalid log level: %q", logLevel)
+	}
+}

demo/README.md

@@ -33,9 +33,9 @@ Build the greeter server and client:
 
 Pull the requisite images:
 
-    $ echo ghcr.io/spiffe/spire-server:1.7.0 \
+    $ echo ghcr.io/spiffe/spire-server:1.10.4 \
-        ghcr.io/spiffe/spire-agent:1.7.0 \
+        ghcr.io/spiffe/spire-agent:1.10.4 \
-        ghcr.io/spiffe/spiffe-csi-driver:0.2.3 \
+        ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
         ghcr.io/spiffe/spire-controller-manager:nightly \
         | xargs -n1 docker pull
 
@@ -43,9 +43,9 @@ Start up cluster1 and load the requisite images:
 
     $ ./cluster1 kind create cluster
     $ echo \
-        ghcr.io/spiffe/spire-server:1.7.0 \
+        ghcr.io/spiffe/spire-server:1.10.4 \
-        ghcr.io/spiffe/spire-agent:1.7.0 \
+        ghcr.io/spiffe/spire-agent:1.10.4 \
-        ghcr.io/spiffe/spiffe-csi-driver:0.2.3 \
+        ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
         ghcr.io/spiffe/spire-controller-manager:nightly \
         greeter-server:demo \
         | xargs -n1 ./cluster1 kind load docker-image
@@ -54,9 +54,9 @@ Start up cluster 2 and load the requisite images:
 
     $ ./cluster2 kind create cluster
     $ echo \
-        ghcr.io/spiffe/spire-server:1.7.0 \
+        ghcr.io/spiffe/spire-server:1.10.4 \
-        ghcr.io/spiffe/spire-agent:1.7.0 \
+        ghcr.io/spiffe/spire-agent:1.10.4 \
-        ghcr.io/spiffe/spiffe-csi-driver:0.2.3 \
+        ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
         ghcr.io/spiffe/spire-controller-manager:nightly \
         greeter-client:demo \
         | xargs -n1 ./cluster2 kind load docker-image

demo/config/cluster1/crd/spire.spiffe.io_clusterspiffeids.yaml

@@ -20,14 +20,19 @@ spec:
         description: ClusterSPIFFEID is the Schema for the clusterspiffeids API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
+            description: |-
-              of an object. Servers should convert recognized schemas to the latest
+              APIVersion defines the versioned schema of this representation of an object.
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
+            description: |-
-              object represents. Servers may infer this from the endpoint the client
+              Kind is a string value representing the REST resource this object represents.
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -35,9 +40,10 @@ spec:
             description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID
             properties:
               admin:
-                description: Admin indicates whether or not the SVID can be used to
+                description: |-
-                  access the SPIRE administrative APIs. Extra care should be taken
+                  Admin indicates whether or not the SVID can be used to access the SPIRE
-                  to only apply this SPIFFE ID to admin workloads.
+                  administrative APIs. Extra care should be taken to only apply this
+                  SPIFFE ID to admin workloads.
                 type: boolean
               autoPopulateDNSNames:
                 description: AutoPopulateDNSNames indicates whether or not to auto
@@ -46,11 +52,17 @@ spec:
               className:
                 description: Set which Controller Class will act on this object
                 type: string
+              fallback:
+                description: |-
+                  Apply this ID only if there are no other matching non fallback
+                  ClusterSPIFFEIDs
+                type: boolean
               dnsNameTemplates:
-                description: DNSNameTemplate represents templates for extra DNS names
+                description: |-
-                  that are applicable to SVIDs minted for this ClusterSPIFFEID. The
+                  DNSNameTemplate represents templates for extra DNS names that are
-                  node and pod spec are made available to the template under .NodeSpec,
+                  applicable to SVIDs minted for this ClusterSPIFFEID.
-                  .PodSpec respectively.
+                  The node and pod spec are made available to the template under
+                  .NodeSpec, .PodSpec respectively.
                 items:
                   type: string
                 type: array
@@ -59,87 +71,48 @@ spec:
                   SPIRE server.
                 type: boolean
               federatesWith:
-                description: FederatesWith is a list of trust domain names that workloads
+                description: |-
-                  that obtain this SPIFFE ID will federate with.
+                  FederatesWith is a list of trust domain names that workloads that
+                  obtain this SPIFFE ID will federate with.
                 items:
                   type: string
                 type: array
+              hint:
+                description: |-
+                  Set the entry hint
+                type: string
               jwtTtl:
-                description: JWTTTL indicates an upper-bound time-to-live for JWT
+                description: |-
-                  SVIDs minted for this ClusterSPIFFEID.
+                  JWTTTL indicates an upper-bound time-to-live for JWT SVIDs minted for this
+                  ClusterSPIFFEID.
                 type: string
               namespaceSelector:
-                description: NamespaceSelector selects the namespaces that are targeted
+                description: |-
-                  by this CRD.
+                  NamespaceSelector selects the namespaces that are targeted by this
-                properties:
-                  matchExpressions:
-                    description: matchExpressions is a list of label selector requirements.
-                      The requirements are ANDed.
-                    items:
-                      description: A label selector requirement is a selector that
-                        contains values, a key, and an operator that relates the key
-                        and values.
-                      properties:
-                        key:
-                          description: key is the label key that the selector applies
-                            to.
-                          type: string
-                        operator:
-                          description: operator represents a key's relationship to
-                            a set of values. Valid operators are In, NotIn, Exists
-                            and DoesNotExist.
-                          type: string
-                        values:
-                          description: values is an array of string values. If the
-                            operator is In or NotIn, the values array must be non-empty.
-                            If the operator is Exists or DoesNotExist, the values
-                            array must be empty. This array is replaced during a strategic
-                            merge patch.
-                          items:
-                            type: string
-                          type: array
-                      required:
-                      - key
-                      - operator
-                      type: object
-                    type: array
-                  matchLabels:
-                    additionalProperties:
-                      type: string
-                    description: matchLabels is a map of {key,value} pairs. A single
-                      {key,value} in the matchLabels map is equivalent to an element
-                      of matchExpressions, whose key field is "key", the operator
-                      is "In", and the values array contains only "value". The requirements
-                      are ANDed.
-                    type: object
-                type: object
-                x-kubernetes-map-type: atomic
-              podSelector:
-                description: PodSelector selects the pods that are targeted by this
                   CRD.
                 properties:
                   matchExpressions:
                     description: matchExpressions is a list of label selector requirements.
                       The requirements are ANDed.
                     items:
-                      description: A label selector requirement is a selector that
+                      description: |-
-                        contains values, a key, and an operator that relates the key
+                        A label selector requirement is a selector that contains values, a key, and an operator that
-                        and values.
+                        relates the key and values.
                       properties:
                         key:
                           description: key is the label key that the selector applies
                             to.
                           type: string
                         operator:
-                          description: operator represents a key's relationship to
+                          description: |-
-                            a set of values. Valid operators are In, NotIn, Exists
+                            operator represents a key's relationship to a set of values.
-                            and DoesNotExist.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
                           type: string
                         values:
-                          description: values is an array of string values. If the
+                          description: |-
-                            operator is In or NotIn, the values array must be non-empty.
+                            values is an array of string values. If the operator is In or NotIn,
-                            If the operator is Exists or DoesNotExist, the values
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                            array must be empty. This array is replaced during a strategic
+                            the values array must be empty. This array is replaced during a strategic
                             merge patch.
                           items:
                             type: string
@@ -152,31 +125,78 @@ spec:
                   matchLabels:
                     additionalProperties:
                       type: string
-                    description: matchLabels is a map of {key,value} pairs. A single
+                    description: |-
-                      {key,value} in the matchLabels map is equivalent to an element
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                      of matchExpressions, whose key field is "key", the operator
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
-                      is "In", and the values array contains only "value". The requirements
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
-                      are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              podSelector:
+                description: |-
+                  PodSelector selects the pods that are targeted by this
+                  CRD.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                          type: string
+                        values:
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                     type: object
                 type: object
                 x-kubernetes-map-type: atomic
               spiffeIDTemplate:
-                description: SPIFFEID is the SPIFFE ID template. The node and pod
+                description: |-
-                  spec are made available to the template under .NodeSpec, .PodSpec
+                  SPIFFEID is the SPIFFE ID template. The node and pod spec are made
-                  respectively.
+                  available to the template under .NodeSpec, .PodSpec respectively.
                 type: string
               ttl:
-                description: TTL indicates an upper-bound time-to-live for X509 SVIDs
+                description: |-
-                  minted for this ClusterSPIFFEID. If unset, a default will be chosen.
+                  TTL indicates an upper-bound time-to-live for X509 SVIDs minted for this
+                  ClusterSPIFFEID. If unset, a default will be chosen.
                 type: string
               workloadSelectorTemplates:
-                description: WorkloadSelectorTemplates are templates to produce arbitrary
+                description: |-
-                  workload selectors that apply to a given workload before it will
+                  WorkloadSelectorTemplates are templates to produce arbitrary workload
-                  receive this SPIFFE ID. The rendered value is interpreted by SPIRE
+                  selectors that apply to a given workload before it will receive this
-                  and are of the form type:value, where the value may, and often does,
+                  SPIFFE ID. The rendered value is interpreted by SPIRE and are of the
-                  contain semicolons, .e.g., k8s:container-image:docker/hello-world
+                  form type:value, where the value may, and often does, contain
-                  The node and pod spec are made available to the template under .NodeSpec,
+                  semicolons, .e.g., k8s:container-image:docker/hello-world
-                  .PodSpec respectively.
+                  The node and pod spec are made available to the template under
+                  .NodeSpec, .PodSpec respectively.
                 items:
                   type: string
                 type: array
@@ -190,21 +210,22 @@ spec:
                 description: Stats produced by the last entry reconciliation run
                 properties:
                   entriesMasked:
-                    description: How many entries were masked by entries for other
+                    description: |-
-                      ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs
+                      How many entries were masked by entries for other ClusterSPIFFEIDs.
-                      produce an entry for the same pod with the same set of workload
+                      This happens when one or more ClusterSPIFFEIDs produce an entry for
-                      selectors.
+                      the same pod with the same set of workload selectors.
                     type: integer
                   entriesToSet:
-                    description: How many entries are to be set for this ClusterSPIFFEID.
+                    description: |-
-                      In nominal conditions, this should reflect the number of pods
+                      How many entries are to be set for this ClusterSPIFFEID. In nominal
-                      selected, but not always if there were problems encountered
+                      conditions, this should reflect the number of pods selected, but not
-                      rendering an entry for the pod (RenderFailures) or entries are
+                      always if there were problems encountered rendering an entry for the pod
-                      masked (EntriesMasked).
+                      (RenderFailures) or entries are masked (EntriesMasked).
                     type: integer
                   entryFailures:
-                    description: How many entries were unable to be set due to failures
+                    description: |-
-                      to create or update the entries via the SPIRE Server API.
+                      How many entries were unable to be set due to failures to create or
+                      update the entries via the SPIRE Server API.
                     type: integer
                   namespacesIgnored:
                     description: How many (selected) namespaces were ignored (based
@@ -214,10 +235,11 @@ spec:
                     description: How many namespaces were selected.
                     type: integer
                   podEntryRenderFailures:
-                    description: How many failures were encountered rendering an entry
+                    description: |-
-                      selected pods. This could be due to either a bad template in
+                      How many failures were encountered rendering an entry selected pods.
-                      the ClusterSPIFFEID or Pod metadata that when applied to the
+                      This could be due to either a bad template in the ClusterSPIFFEID or
-                      template did not produce valid entry values.
+                      Pod metadata that when applied to the template did not produce valid
+                      entry values.
                     type: integer
                   podsSelected:
                     description: How many pods were selected out of the namespaces.

demo/config/cluster1/spire/spire-agent.yaml

@@ -103,7 +103,7 @@ spec:
       serviceAccountName: spire-agent
       containers:
         - name: spire-agent
-          image: ghcr.io/spiffe/spire-agent:1.7.0
+          image: ghcr.io/spiffe/spire-agent:1.10.4
           imagePullPolicy: IfNotPresent
           args: ["-config", "/run/spire/config/agent.conf"]
           env:
@@ -124,7 +124,7 @@ spec:
               mountPath: /run/spire/sockets
         # This is the container which runs the SPIFFE CSI driver.
         - name: spiffe-csi-driver
-          image: ghcr.io/spiffe/spiffe-csi-driver:0.2.3
+          image: ghcr.io/spiffe/spiffe-csi-driver:0.2.6
           imagePullPolicy: IfNotPresent
           args: [
             "-workload-api-socket-dir", "/spire-agent-socket",
@@ -157,7 +157,7 @@ spec:
         # of all the little details required to register a CSI driver with
         # the kubelet.
         - name: node-driver-registrar
-          image: quay.io/k8scsi/csi-node-driver-registrar:v2.0.1
+          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0
           imagePullPolicy: IfNotPresent
           args: [
             "-csi-address", "/spiffe-csi/csi.sock",

demo/config/cluster1/spire/spire-controller-manager-config.yaml

@@ -9,6 +9,7 @@ leaderElection:
   resourceName: 98c9c988.spiffe.io
   resourceNamespace: spire-system
 clusterName: cluster1
+logLevel: info
 trustDomain: cluster1.demo
 ignoreNamespaces:
   - kube-system

demo/config/cluster1/spire/spire-server.yaml

@@ -176,7 +176,7 @@ spec:
       shareProcessNamespace: true
       containers:
         - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.7.0
+          image: ghcr.io/spiffe/spire-server:1.10.4
           imagePullPolicy: IfNotPresent
           args: ["-config", "/run/spire/server/config/server.conf"]
           ports:

demo/config/cluster2/crd/spire.spiffe.io_clusterspiffeids.yaml

@@ -20,14 +20,19 @@ spec:
         description: ClusterSPIFFEID is the Schema for the clusterspiffeids API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
+            description: |-
-              of an object. Servers should convert recognized schemas to the latest
+              APIVersion defines the versioned schema of this representation of an object.
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
+            description: |-
-              object represents. Servers may infer this from the endpoint the client
+              Kind is a string value representing the REST resource this object represents.
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -35,9 +40,10 @@ spec:
             description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID
             properties:
               admin:
-                description: Admin indicates whether or not the SVID can be used to
+                description: |-
-                  access the SPIRE administrative APIs. Extra care should be taken
+                  Admin indicates whether or not the SVID can be used to access the SPIRE
-                  to only apply this SPIFFE ID to admin workloads.
+                  administrative APIs. Extra care should be taken to only apply this
+                  SPIFFE ID to admin workloads.
                 type: boolean
               autoPopulateDNSNames:
                 description: AutoPopulateDNSNames indicates whether or not to auto
@@ -46,11 +52,17 @@ spec:
               className:
                 description: Set which Controller Class will act on this object
                 type: string
+              fallback:
+                description: |-
+                  Apply this ID only if there are no other matching non fallback
+                  ClusterSPIFFEIDs
+                type: boolean
               dnsNameTemplates:
-                description: DNSNameTemplate represents templates for extra DNS names
+                description: |-
-                  that are applicable to SVIDs minted for this ClusterSPIFFEID. The
+                  DNSNameTemplate represents templates for extra DNS names that are
-                  node and pod spec are made available to the template under .NodeSpec,
+                  applicable to SVIDs minted for this ClusterSPIFFEID.
-                  .PodSpec respectively.
+                  The node and pod spec are made available to the template under
+                  .NodeSpec, .PodSpec respectively.
                 items:
                   type: string
                 type: array
@@ -59,87 +71,48 @@ spec:
                   SPIRE server.
                 type: boolean
               federatesWith:
-                description: FederatesWith is a list of trust domain names that workloads
+                description: |-
-                  that obtain this SPIFFE ID will federate with.
+                  FederatesWith is a list of trust domain names that workloads that
+                  obtain this SPIFFE ID will federate with.
                 items:
                   type: string
                 type: array
+              hint:
+                description: |-
+                  Set the entry hint
+                type: string
               jwtTtl:
-                description: JWTTTL indicates an upper-bound time-to-live for JWT
+                description: |-
-                  SVIDs minted for this ClusterSPIFFEID.
+                  JWTTTL indicates an upper-bound time-to-live for JWT SVIDs minted for this
+                  ClusterSPIFFEID.
                 type: string
               namespaceSelector:
-                description: NamespaceSelector selects the namespaces that are targeted
+                description: |-
-                  by this CRD.
+                  NamespaceSelector selects the namespaces that are targeted by this
-                properties:
-                  matchExpressions:
-                    description: matchExpressions is a list of label selector requirements.
-                      The requirements are ANDed.
-                    items:
-                      description: A label selector requirement is a selector that
-                        contains values, a key, and an operator that relates the key
-                        and values.
-                      properties:
-                        key:
-                          description: key is the label key that the selector applies
-                            to.
-                          type: string
-                        operator:
-                          description: operator represents a key's relationship to
-                            a set of values. Valid operators are In, NotIn, Exists
-                            and DoesNotExist.
-                          type: string
-                        values:
-                          description: values is an array of string values. If the
-                            operator is In or NotIn, the values array must be non-empty.
-                            If the operator is Exists or DoesNotExist, the values
-                            array must be empty. This array is replaced during a strategic
-                            merge patch.
-                          items:
-                            type: string
-                          type: array
-                      required:
-                      - key
-                      - operator
-                      type: object
-                    type: array
-                  matchLabels:
-                    additionalProperties:
-                      type: string
-                    description: matchLabels is a map of {key,value} pairs. A single
-                      {key,value} in the matchLabels map is equivalent to an element
-                      of matchExpressions, whose key field is "key", the operator
-                      is "In", and the values array contains only "value". The requirements
-                      are ANDed.
-                    type: object
-                type: object
-                x-kubernetes-map-type: atomic
-              podSelector:
-                description: PodSelector selects the pods that are targeted by this
                   CRD.
                 properties:
                   matchExpressions:
                     description: matchExpressions is a list of label selector requirements.
                       The requirements are ANDed.
                     items:
-                      description: A label selector requirement is a selector that
+                      description: |-
-                        contains values, a key, and an operator that relates the key
+                        A label selector requirement is a selector that contains values, a key, and an operator that
-                        and values.
+                        relates the key and values.
                       properties:
                         key:
                           description: key is the label key that the selector applies
                             to.
                           type: string
                         operator:
-                          description: operator represents a key's relationship to
+                          description: |-
-                            a set of values. Valid operators are In, NotIn, Exists
+                            operator represents a key's relationship to a set of values.
-                            and DoesNotExist.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
                           type: string
                         values:
-                          description: values is an array of string values. If the
+                          description: |-
-                            operator is In or NotIn, the values array must be non-empty.
+                            values is an array of string values. If the operator is In or NotIn,
-                            If the operator is Exists or DoesNotExist, the values
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                            array must be empty. This array is replaced during a strategic
+                            the values array must be empty. This array is replaced during a strategic
                             merge patch.
                           items:
                             type: string
@@ -152,31 +125,78 @@ spec:
                   matchLabels:
                     additionalProperties:
                       type: string
-                    description: matchLabels is a map of {key,value} pairs. A single
+                    description: |-
-                      {key,value} in the matchLabels map is equivalent to an element
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                      of matchExpressions, whose key field is "key", the operator
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
-                      is "In", and the values array contains only "value". The requirements
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
-                      are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              podSelector:
+                description: |-
+                  PodSelector selects the pods that are targeted by this
+                  CRD.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                          type: string
+                        values:
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                     type: object
                 type: object
                 x-kubernetes-map-type: atomic
               spiffeIDTemplate:
-                description: SPIFFEID is the SPIFFE ID template. The node and pod
+                description: |-
-                  spec are made available to the template under .NodeSpec, .PodSpec
+                  SPIFFEID is the SPIFFE ID template. The node and pod spec are made
-                  respectively.
+                  available to the template under .NodeSpec, .PodSpec respectively.
                 type: string
               ttl:
-                description: TTL indicates an upper-bound time-to-live for X509 SVIDs
+                description: |-
-                  minted for this ClusterSPIFFEID. If unset, a default will be chosen.
+                  TTL indicates an upper-bound time-to-live for X509 SVIDs minted for this
+                  ClusterSPIFFEID. If unset, a default will be chosen.
                 type: string
               workloadSelectorTemplates:
-                description: WorkloadSelectorTemplates are templates to produce arbitrary
+                description: |-
-                  workload selectors that apply to a given workload before it will
+                  WorkloadSelectorTemplates are templates to produce arbitrary workload
-                  receive this SPIFFE ID. The rendered value is interpreted by SPIRE
+                  selectors that apply to a given workload before it will receive this
-                  and are of the form type:value, where the value may, and often does,
+                  SPIFFE ID. The rendered value is interpreted by SPIRE and are of the
-                  contain semicolons, .e.g., k8s:container-image:docker/hello-world
+                  form type:value, where the value may, and often does, contain
-                  The node and pod spec are made available to the template under .NodeSpec,
+                  semicolons, .e.g., k8s:container-image:docker/hello-world
-                  .PodSpec respectively.
+                  The node and pod spec are made available to the template under
+                  .NodeSpec, .PodSpec respectively.
                 items:
                   type: string
                 type: array
@@ -190,21 +210,22 @@ spec:
                 description: Stats produced by the last entry reconciliation run
                 properties:
                   entriesMasked:
-                    description: How many entries were masked by entries for other
+                    description: |-
-                      ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs
+                      How many entries were masked by entries for other ClusterSPIFFEIDs.
-                      produce an entry for the same pod with the same set of workload
+                      This happens when one or more ClusterSPIFFEIDs produce an entry for
-                      selectors.
+                      the same pod with the same set of workload selectors.
                     type: integer
                   entriesToSet:
-                    description: How many entries are to be set for this ClusterSPIFFEID.
+                    description: |-
-                      In nominal conditions, this should reflect the number of pods
+                      How many entries are to be set for this ClusterSPIFFEID. In nominal
-                      selected, but not always if there were problems encountered
+                      conditions, this should reflect the number of pods selected, but not
-                      rendering an entry for the pod (RenderFailures) or entries are
+                      always if there were problems encountered rendering an entry for the pod
-                      masked (EntriesMasked).
+                      (RenderFailures) or entries are masked (EntriesMasked).
                     type: integer
                   entryFailures:
-                    description: How many entries were unable to be set due to failures
+                    description: |-
-                      to create or update the entries via the SPIRE Server API.
+                      How many entries were unable to be set due to failures to create or
+                      update the entries via the SPIRE Server API.
                     type: integer
                   namespacesIgnored:
                     description: How many (selected) namespaces were ignored (based
@@ -214,10 +235,11 @@ spec:
                     description: How many namespaces were selected.
                     type: integer
                   podEntryRenderFailures:
-                    description: How many failures were encountered rendering an entry
+                    description: |-
-                      selected pods. This could be due to either a bad template in
+                      How many failures were encountered rendering an entry selected pods.
-                      the ClusterSPIFFEID or Pod metadata that when applied to the
+                      This could be due to either a bad template in the ClusterSPIFFEID or
-                      template did not produce valid entry values.
+                      Pod metadata that when applied to the template did not produce valid
+                      entry values.
                     type: integer
                   podsSelected:
                     description: How many pods were selected out of the namespaces.

demo/config/cluster2/spire/spire-agent.yaml

@@ -103,7 +103,7 @@ spec:
       serviceAccountName: spire-agent
       containers:
         - name: spire-agent
-          image: ghcr.io/spiffe/spire-agent:1.7.0
+          image: ghcr.io/spiffe/spire-agent:1.10.4
           imagePullPolicy: IfNotPresent
           args: ["-config", "/run/spire/config/agent.conf"]
           env:
@@ -124,7 +124,7 @@ spec:
               mountPath: /run/spire/sockets
         # This is the container which runs the SPIFFE CSI driver.
         - name: spiffe-csi-driver
-          image: ghcr.io/spiffe/spiffe-csi-driver:0.2.3
+          image: ghcr.io/spiffe/spiffe-csi-driver:0.2.6
           imagePullPolicy: IfNotPresent
           args: [
             "-workload-api-socket-dir", "/spire-agent-socket",
@@ -157,7 +157,7 @@ spec:
         # of all the little details required to register a CSI driver with
         # the kubelet.
         - name: node-driver-registrar
-          image: quay.io/k8scsi/csi-node-driver-registrar:v2.0.1
+          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0
           imagePullPolicy: IfNotPresent
           args: [
             "-csi-address", "/spiffe-csi/csi.sock",

demo/config/cluster2/spire/spire-controller-manager-config.yaml

@@ -9,6 +9,7 @@ leaderElection:
   resourceName: 98c9c988.spiffe.io
   resourceNamespace: spire-system
 clusterName: cluster2
+logLevel: info
 trustDomain: cluster2.demo
 ignoreNamespaces:
   - kube-system

demo/config/cluster2/spire/spire-server.yaml

@@ -176,7 +176,7 @@ spec:
       shareProcessNamespace: true
       containers:
         - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.7.0
+          image: ghcr.io/spiffe/spire-server:1.10.4
           imagePullPolicy: IfNotPresent
           args: ["-config", "/run/spire/server/config/server.conf"]
           ports:

demo/greeter/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.22.2-alpine AS builder
+FROM golang:1.23.4-alpine AS builder
 WORKDIR /workspace
 COPY go.mod go.mod
 COPY go.sum go.sum

demo/greeter/go.mod

@@ -1,21 +1,21 @@
 module greeter
 
-go 1.22.2
+go 1.23.4
 
 require (
-	github.com/spiffe/go-spiffe/v2 v2.3.0
+	github.com/spiffe/go-spiffe/v2 v2.5.0
-	google.golang.org/grpc v1.67.1
+	google.golang.org/grpc v1.73.0
 	google.golang.org/grpc/examples v0.0.0-20240422202308-34de5cf4832f
 )
 
 require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
-	github.com/zeebo/errs v1.3.0 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
-	golang.org/x/crypto v0.26.0 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
-	golang.org/x/net v0.28.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/sys v0.24.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.17.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 )

demo/greeter/go.sum

@@ -2,33 +2,53 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
+github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
-github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
+github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/spiffe/go-spiffe/v2 v2.3.0 h1:g2jYNb/PDMB8I7mBGL2Zuq/Ur6hUhoroxGQFyD6tTj8=
+github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE=
-github.com/spiffe/go-spiffe/v2 v2.3.0/go.mod h1:Oxsaio7DBgSNqhAO9i/9tLClaVlfRok7zvJnTV8ZyIY=
+github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs=
+github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
-github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
+github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
-golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
-golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:e7S5W7MGGLaSu8j3YjdezkZ+m1/Nm0uRVRMEMGk26Xs=
+go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
-google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 h1:e0AIkUUhxyBKh6ssZNrAMeqhA7RKUj42346d1y02i2g=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
+google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
 google.golang.org/grpc/examples v0.0.0-20240422202308-34de5cf4832f h1:DXDiMO+e57lNmXq6CXCWgoiLMvTWyJpmm8q1xQB4cFM=
 google.golang.org/grpc/examples v0.0.0-20240422202308-34de5cf4832f/go.mod h1:uaPEAc5V00jjG3DPhGFLXGT290RUV3+aNQigs1W50/8=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

demo/scripts/show-spire-entries.sh

@@ -3,7 +3,7 @@
 set -eo pipefail
 
 kubectl exec -t \
-    -nspire-system \
+    -n spire-system \
     -c spire-server deployment/spire-server -- \
         /opt/spire/bin/spire-server entry show \
         "$@"

demo/scripts/show-spire-federated-bundles.sh

@@ -3,6 +3,6 @@
 set -eo pipefail
 
 kubectl exec -t \
-    -nspire-system \
+    -n spire-system \
     -c spire-server deployment/spire-server -- \
         /opt/spire/bin/spire-server bundle list -format spiffe

demo/test.sh

@@ -73,10 +73,10 @@ log-info "Building greeter server/client..."
 (cd greeter; make docker-build)
 
 log-info "Pulling docker images..."
-echo ghcr.io/spiffe/spire-server:1.7.0 \
+echo ghcr.io/spiffe/spire-server:1.10.4 \
-    ghcr.io/spiffe/spire-agent:1.7.0 \
+    ghcr.io/spiffe/spire-agent:1.10.4 \
-    ghcr.io/spiffe/spiffe-csi-driver:0.2.3 \
+    ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
-    quay.io/k8scsi/csi-node-driver-registrar:v2.0.1 \
+    registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0 \
     | xargs -n1 docker pull
 
 log-info "Creating cluster1..."
@@ -87,20 +87,20 @@ log-info "Creating cluster2..."
 
 log-info "Loading images into cluster1..."
 echo \
-    ghcr.io/spiffe/spire-server:1.7.0 \
+    ghcr.io/spiffe/spire-server:1.10.4 \
-    ghcr.io/spiffe/spire-agent:1.7.0 \
+    ghcr.io/spiffe/spire-agent:1.10.4 \
-    ghcr.io/spiffe/spiffe-csi-driver:0.2.3 \
+    ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
-    quay.io/k8scsi/csi-node-driver-registrar:v2.0.1 \
+    registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0 \
     ghcr.io/spiffe/spire-controller-manager:nightly \
     greeter-server:demo \
     | xargs -n1 ./cluster1 kind load docker-image
 
 log-info "Loading images into cluster2..."
 echo \
-    ghcr.io/spiffe/spire-server:1.7.0 \
+    ghcr.io/spiffe/spire-server:1.10.4 \
-    ghcr.io/spiffe/spire-agent:1.7.0 \
+    ghcr.io/spiffe/spire-agent:1.10.4 \
-    ghcr.io/spiffe/spiffe-csi-driver:0.2.3 \
+    ghcr.io/spiffe/spiffe-csi-driver:0.2.6 \
-    quay.io/k8scsi/csi-node-driver-registrar:v2.0.1 \
+    registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0 \
     ghcr.io/spiffe/spire-controller-manager:nightly \
     greeter-client:demo \
     | xargs -n1 ./cluster2 kind load docker-image

docs/clusterspiffeid-crd.md

@@ -28,6 +28,7 @@ The definition can be found [here](../api/v1alpha1/clusterspiffeid_types.go).
 | `downstream`                | OPTIONAL | Indicates that the entry describes a downstream SPIRE server. |
 | `autoPopulateDNSNames`      | OPTIONAL | Indicates whether or not to auto populate service DNS names. |
 | `fallback`                  | OPTIONAL | Apply this ID only if there are no other matching non fallback ClusterSPIFFEIDs. |
+| `className`                 | OPTIONAL | The class name of the SPIRE controller manager. |
 
 ## ClusterSPIFFEIDStatus
 

docs/clusterstaticentry-crd.md

@@ -21,6 +21,7 @@ The definition can be found [here](../api/v1alpha1/clusterstaticentry_types.go).
 | `admin`                     | OPTIONAL | Indicates whether the target workload is an admin workload (i.e. can access SPIRE administrative APIs) |
 | `downstream`                | OPTIONAL | Indicates that the entry describes a downstream SPIRE server. |
 | `storeSVID`                 | OPTIONAL | Indicates whether the issued SVID must be stored through an SVIDStore plugin. |
+| `className`                 | OPTIONAL | The class name of the SPIRE controller manager. |
 
 ## ClusterStaticEntryStatus
 

docs/spire-controller-manager-config.md

@@ -2,14 +2,31 @@
 
 The SPIRE Controller Manager configuration is defined [here](../api/v1alpha1/controllermanagerconfig_types.go).
 
-Beyond the standard [controller manager configuration](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/config/v1alpha1#ControllerConfigurationSpec), the following fields are defined:
+Beyond the
+standard [controller manager configuration](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/config/v1alpha1#ControllerConfigurationSpec),
+the following fields are defined: 
 
-| Field                                | Required | Default                                          | Description                                                                                                             |
+| Field                                | Required | Default                                          | Description                                                                                                                                                                                                   |
-| ------------------------------------ | -------- | ------------------------------------------------ | ------------------------------------------------------------------ |
+|--------------------------------------|----------|--------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `clusterName`                        | REQUIRED |                                                  | The name of the cluster |
+| `clusterName`                        | REQUIRED |                                                  | The name of the cluster                                                                                                                                                                                       |
-| `trustDomain`                        | REQUIRED |                                                  | The trust domain name for the cluster |
+| `trustDomain`                        | REQUIRED |                                                  | The trust domain name for the cluster                                                                                                                                                                         |
-| `clusterDomain`                      | OPTIONAL |                                                  | The domain of the cluster, ie `cluster.local`. If not specified will attempt to auto detect. |
+| `clusterDomain`                      | OPTIONAL |                                                  | The domain of the cluster, ie `cluster.local`. If not specified will attempt to auto detect.                                                                                                                  |
-| `ignoreNamespaces`                   | OPTIONAL | `["kube-system", "kube-public", "spire-system"]` | Namespaces that the controllers should ignore |
+| `ignoreNamespaces`                   | OPTIONAL | `["kube-system", "kube-public", "spire-system"]` | Namespaces that the controllers should ignore                                                                                                                                                                 |
-| `validatingWebhookConfigurationName` | OPTIONAL | `spire-controller-manager-webhook`               | The name of the validating admission controller webhook to manage |
+| `validatingWebhookConfigurationName` | OPTIONAL | `spire-controller-manager-webhook`               | The name of the validating admission controller webhook to manage                                                                                                                                             |
 | `gcInterval`                         | OPTIONAL | `10s`                                            | How often the SPIRE state is reconciled when the controller is otherwise idle. This impacts how quickly SPIRE state will converge after CRDs are removed or SPIRE state is mutated underneath the controller. |
-| `spireServerSocketPath`              | OPTIONAL | `/spire-server/api.sock`                         | The path the the SPIRE Server API socket |
+| `spireServerSocketPath`              | OPTIONAL | `/spire-server/api.sock`                         | The path the the SPIRE Server API socket                                                                                                                                                                      |
+| `logLevel`                           | OPTIONAL | `info`                                           | The log level for the controller manager. Supported values are `info`, `error`, `warn` and `debug`.                                                                                                           |
+| `logEncoding`                        | OPTIONAL | `console`                                        | The log encoder for the controller manager. Supported values are `console` and `json`.                                                                                                                        |
+| `className`                          | OPTIONAL |                                                  | Only sync resources that have the specified className set on them.                                                                                                                                            |
+| `watchClassless`                     | OPTIONAL |                                                  | If className is set, also watch for resources that do not have any className set.                                                                                                                             |
+| `staticManifestPath`                 | OPTIONAL |                                                  | If specified, manifests will be read from disk instead of from Kubernetes                                                                                                                                     |
+
+## Kubernetes Mode
+
+By default, all objects are synced from the Kubernetes cluster the spire-controller-manager is running in.
+
+## Static Mode
+
+If `staticManifestPath` is specified, Kubernetes will not be used and instead, manifests are loaded from yaml files located in the specified path and synchronized to the SPIRE server.
+
+In this mode, validating webhooks will be ignored as its not useful without Kubernetes.

examples/static.config

@@ -0,0 +1,17 @@
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ControllerManagerConfig
+metadata:
+  name: config
+metrics:
+  bindAddress: 0.0.0.0:8082
+health:
+  healthProbeBindAddress: 0.0.0.0:8083
+entryIDPrefix: scm
+className: scm
+clusterName: scm
+clusterDomain: local
+trustDomain: example.org
+watchClassless: true
+staticManifestPath: /etc/spire/server/main/manifests
+spireServerSocketPath: "/tmp/spire-server/private/api.sock"
+logLevel: info

go.mod

@@ -1,25 +1,27 @@
 module github.com/spiffe/spire-controller-manager
 
-go 1.22.2
+go 1.23.4
 
 require (
 	github.com/go-logr/logr v1.4.2
-	github.com/google/go-cmp v0.6.0
+	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
 	github.com/jpillora/backoff v1.0.0
-	github.com/onsi/ginkgo/v2 v2.20.2
+	github.com/onsi/ginkgo/v2 v2.23.4
-	github.com/onsi/gomega v1.34.2
+	github.com/onsi/gomega v1.37.0
-	github.com/spiffe/go-spiffe/v2 v2.3.0
+	github.com/prometheus/client_golang v1.22.0
-	github.com/spiffe/spire-api-sdk v1.10.4
+	github.com/spiffe/go-spiffe/v2 v2.5.0
-	github.com/stretchr/testify v1.9.0
+	github.com/spiffe/spire-api-sdk v1.12.4
-	google.golang.org/grpc v1.67.1
+	github.com/stretchr/testify v1.10.0
-	google.golang.org/protobuf v1.34.2
+	go.uber.org/zap v1.27.0
-	k8s.io/api v0.31.1
+	google.golang.org/grpc v1.73.0
-	k8s.io/apimachinery v0.31.1
+	google.golang.org/protobuf v1.36.6
-	k8s.io/client-go v0.31.1
+	k8s.io/api v0.32.4
-	k8s.io/component-base v0.31.1
+	k8s.io/apimachinery v0.32.4
-	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
+	k8s.io/client-go v0.32.4
-	sigs.k8s.io/controller-runtime v0.19.0
+	k8s.io/component-base v0.32.4
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
+	sigs.k8s.io/controller-runtime v0.20.4
 )
 
 require (
@@ -28,22 +30,21 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
-	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/btree v1.1.3 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 // indirect
+	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
-	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -52,34 +53,32 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	github.com/zeebo/errs v1.3.0 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.26.0 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
-	golang.org/x/crypto v0.26.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	golang.org/x/oauth2 v0.28.0 // indirect
-	golang.org/x/net v0.28.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
-	golang.org/x/oauth2 v0.22.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
-	golang.org/x/sys v0.24.0 // indirect
+	golang.org/x/term v0.30.0 // indirect
-	golang.org/x/term v0.23.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
-	golang.org/x/text v0.17.0 // indirect
+	golang.org/x/time v0.7.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/tools v0.31.0 // indirect
-	golang.org/x/tools v0.24.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.31.0 // indirect
+	k8s.io/apiextensions-apiserver v0.32.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940 // indirect
+	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )

go.sum

@@ -29,17 +29,19 @@ github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
 github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
+github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
-github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
+github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
+github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
-github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
+github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
@@ -53,8 +55,6 @@ github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZ
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -71,6 +71,8 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
+github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -81,19 +83,17 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 h1:5iH8iuqE5apketRbSFBy+X1V0o+l+8NF1avt4HWl7cA=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
-github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
-github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA=
@@ -102,10 +102,14 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -115,22 +119,24 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4=
+github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
-github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag=
+github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
-github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8=
+github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
-github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc=
+github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
+github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
-github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
+github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc=
+github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
+github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
@@ -138,37 +144,49 @@ github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spiffe/go-spiffe/v2 v2.3.0 h1:g2jYNb/PDMB8I7mBGL2Zuq/Ur6hUhoroxGQFyD6tTj8=
+github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE=
-github.com/spiffe/go-spiffe/v2 v2.3.0/go.mod h1:Oxsaio7DBgSNqhAO9i/9tLClaVlfRok7zvJnTV8ZyIY=
+github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
-github.com/spiffe/spire-api-sdk v1.10.4 h1:XdRFd2T7tJzq045SF3sxQNIViiXt0rStIa6kzxhSgaM=
+github.com/spiffe/spire-api-sdk v1.12.4 h1:RFMW7aPylHrJOPWY+w+YjElKCRUJPOUAMEyn7w4wLTU=
-github.com/spiffe/spire-api-sdk v1.10.4/go.mod h1:4uuhFlN6KBWjACRP3xXwrOTNnvaLp1zJs8Lribtr4fI=
+github.com/spiffe/spire-api-sdk v1.12.4/go.mod h1:4uuhFlN6KBWjACRP3xXwrOTNnvaLp1zJs8Lribtr4fI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs=
+github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
-github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
+github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
+go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
+go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
-go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
@@ -184,34 +202,36 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
+golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
-golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
-golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
-golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -220,8 +240,8 @@ golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
+golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
-golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
+golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -234,8 +254,8 @@ google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoA
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:e7S5W7MGGLaSu8j3YjdezkZ+m1/Nm0uRVRMEMGk26Xs=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 h1:e0AIkUUhxyBKh6ssZNrAMeqhA7RKUj42346d1y02i2g=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
@@ -243,8 +263,8 @@ google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8
 google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
+google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
-google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
+google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -258,8 +278,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@@ -269,35 +289,32 @@ gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU=
+k8s.io/api v0.32.4 h1:kw8Y/G8E7EpNy7gjB8gJZl3KJkNz8HM2YHrZPtAZsF4=
-k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI=
+k8s.io/api v0.32.4/go.mod h1:5MYFvLvweRhyKylM3Es/6uh/5hGp0dg82vP34KifX4g=
-k8s.io/apiextensions-apiserver v0.31.0 h1:fZgCVhGwsclj3qCw1buVXCV6khjRzKC5eCFt24kyLSk=
+k8s.io/apiextensions-apiserver v0.32.1 h1:hjkALhRUeCariC8DiVmb5jj0VjIc1N0DREP32+6UXZw=
-k8s.io/apiextensions-apiserver v0.31.0/go.mod h1:b9aMDEYaEe5sdK+1T0KU78ApR/5ZVp4i56VacZYEHxk=
+k8s.io/apiextensions-apiserver v0.32.1/go.mod h1:sxWIGuGiYov7Io1fAS2X06NjMIk5CbRHc2StSmbaQto=
-k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U=
+k8s.io/apimachinery v0.32.4 h1:8EEksaxA7nd7xWJkkwLDN4SvWS5ot9g6Z/VZb3ju25I=
-k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
+k8s.io/apimachinery v0.32.4/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
-k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0=
+k8s.io/client-go v0.32.4 h1:zaGJS7xoYOYumoWIFXlcVrsiYioRPrXGO7dBfVC5R6M=
-k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg=
+k8s.io/client-go v0.32.4/go.mod h1:k0jftcyYnEtwlFW92xC7MTtFv5BNcZBr+zn9jPlT9Ic=
-k8s.io/component-base v0.31.1 h1:UpOepcrX3rQ3ab5NB6g5iP0tvsgJWzxTyAo20sgYSy8=
+k8s.io/component-base v0.32.4 h1:HuF+2JVLbFS5GODLIfPCb1Td6b+G2HszJoArcWOSr5I=
-k8s.io/component-base v0.31.1/go.mod h1:WGeaw7t/kTsqpVTaCoVEtillbqAhF2/JgvO0LDOMa0w=
+k8s.io/component-base v0.32.4/go.mod h1:10KloJEYw1keU/Xmjfy9TKJqUq7J2mYdiD1VDXoco4o=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940 h1:qVoMaQV5t62UUvHe16Q3eb2c5HPzLHYzsi0Tu/xLndo=
+k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
-k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
+k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
-k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
-k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q=
+sigs.k8s.io/controller-runtime v0.20.4 h1:X3c+Odnxz+iPTRobG4tp092+CvBU9UK0t/bRf+n0DGU=
-sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
+sigs.k8s.io/controller-runtime v0.20.4/go.mod h1:xg2XB0K5ShQzAgsoujxuKN4LNXR2LfwwHsPj7Iaw+XY=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.2/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

migration/README.md

@@ -51,7 +51,7 @@ Next deploy the new SPIRE Controller Manager.
 
 ## Delete the Kubernetes Workload Registrar CRD (CRD mode only)
 
-The CRD mode requires an additonal step of removing the SpiffeId CRD. SPIRE Controller Manager uses a different CRD, so this one needs to be removed and resources cleaned up.
+The CRD mode requires an additional step of removing the SpiffeId CRD. SPIRE Controller Manager uses a different CRD, so this one needs to be removed and resources cleaned up.
 
 1. Manually remove the finalizers with the below script. SPIRE Controller Manager will automatically clean up entries, so the finalizers can safely be removed.
 
@@ -228,11 +228,11 @@ For each [ClusterSPIFFEID][1] you want to auto populate DNS names for, set the `
 
 ### Can SPIRE Controller Manager be deployed in a different Pod from SPIRE Server?
 
-This is not supported with SPIRE Controller Manager, they must be in the same Pod. If you require them to be in seperate Pods, please open a [new issue](https://github.com/spiffe/spire-controller-manager/issues/new) with your use case.
+This is not supported with SPIRE Controller Manager, they must be in the same Pod. If you require them to be in separate Pods, please open a [new issue](https://github.com/spiffe/spire-controller-manager/issues/new) with your use case.
 
 ### Can I manually create entries like I could with the CRD Kubernetes Workload Registrar?
 
-This is not currently supported, SPIRE Controller Manager will automatically garbage collect any manually created entries. If you need suppport for manually created entries, please update [#76](https://github.com/spiffe/spire-controller-manager/issues/76) with your use case.
+Yes, but it requires the use of a separate CRD ([ClusterStaticEntry][2]).
 
 ### How do i see SPIRE Controller Manager logs?
 
@@ -245,7 +245,7 @@ $ kubectl logs spire-server-0 -n spire -c spire-controller-manager
 2022-12-13T00:41:21.844Z	INFO	webhook-manager	Webhook configuration patched with CABundle
 ```
 
-### I'm using CRD mode Kubernetes Workload Registrar and it gets stuck deleting the SpiffeId CRD. What do I do?
+### I'm using CRD mode Kubernetes Workload Registrar, and it gets stuck deleting the SpiffeId CRD. What do I do?
 
 This can happen if the Kubernetes Workload Registrar is deleted before all the SpiffeId custom resources are removed. To get around this, manually remove the finalizers with the below script and try deleting the CRD again.
 
@@ -261,10 +261,11 @@ done
 
 ### Why can't Kubernetes Workload Registrar entries be reused with SPIRE Controller Manager?
 
-SPIRE Controller Manager uses a different scheme for parenting SPIFFE IDs. Though it is technically possible to modify all the entries, its a lot easier to just allow SPIRE Controller Manager to automatically replace the entries.
+SPIRE Controller Manager uses a different scheme for parenting SPIFFE IDs. Though it is technically possible to modify all the entries, it's a lot easier to just allow SPIRE Controller Manager to automatically replace the entries.
 
-### What happens if a Pod is deployed while I'm in the middle of this cutover?
+### What happens if a Pod is deployed while I'm in the middle of this cut-over?
 
 SPIRE Controller Manager will reconcile the state of the system when it starts up. Any new Pods deployed after Kubernetes Workload Registrar is deleted and before SPIRE Controller Manager is up will have entries created when SPIRE Controller Manager is up.
 
 [1]: docs/clusterspiffeid-crd.md
+[2]: docs/clusterstaticentry-crd.md

migration/config/spire-server.yaml

@@ -176,7 +176,7 @@ spec:
       shareProcessNamespace: true
       containers:
         - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.7.2
+          image: ghcr.io/spiffe/spire-server:1.11.1
           imagePullPolicy: IfNotPresent
           args: ["-config", "/run/spire/server/config/server.conf"]
           ports:
@@ -190,7 +190,7 @@ spec:
             - name: spire-server-socket
               mountPath: /tmp/spire-server/private
         - name: spire-controller-manager
-          image: ghcr.io/spiffe/spire-controller-manager:nightly
+          image: ghcr.io/spiffe/spire-controller-manager:0.6.2
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 9443

pkg/metrics/controller_runtime.go

@@ -0,0 +1,18 @@
+package metrics
+
+import "github.com/prometheus/client_golang/prometheus"
+
+const (
+	StaticEntryFailures = "cluster_static_entry_failures"
+)
+
+var (
+	PromCounters = map[string]prometheus.Counter{
+		StaticEntryFailures: prometheus.NewGauge(
+			prometheus.GaugeOpts{
+				Name: StaticEntryFailures,
+				Help: "Number of cluster static entry render failures",
+			},
+		),
+	}
+)

pkg/spireentry/logging.go

@@ -92,7 +92,7 @@ func stringList(ss []string) string {
 func renderList(n int, fn func(i int, w io.StringWriter)) string {
 	var builder strings.Builder
 	builder.WriteRune('[')
-	for i := 0; i < n; i++ {
+	for i := range n {
 		if i > 0 {
 			builder.WriteRune(',')
 		}

pkg/spireentry/reconciler.go

@@ -31,6 +31,7 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/google/uuid"
+	"github.com/prometheus/client_golang/prometheus"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"google.golang.org/grpc/codes"
 	corev1 "k8s.io/api/core/v1"
@@ -42,6 +43,7 @@ import (
 
 	spirev1alpha1 "github.com/spiffe/spire-controller-manager/api/v1alpha1"
 	"github.com/spiffe/spire-controller-manager/pkg/k8sapi"
+	"github.com/spiffe/spire-controller-manager/pkg/metrics"
 	"github.com/spiffe/spire-controller-manager/pkg/namespace"
 	"github.com/spiffe/spire-controller-manager/pkg/reconciler"
 	"github.com/spiffe/spire-controller-manager/pkg/spireapi"
@@ -50,12 +52,12 @@ import (
 const (
 	// joinTokenSpiffePrefix is the prefix that is the part of the parent SPIFFE ID for join token entries.
 	// Ref: https://github.com/spiffe/spire/blob/v1.8.7/pkg/server/api/agent/v1/service.go#L714
-	// nolint: gosec // not a credential
+	//nolint: gosec // not a credential
 	joinTokenSpiffePrefix = "/spire/agent/join_token/"
 
 	// joinTokenSelectorType is the selector type used in the selector for join token entries.
 	// Ref: https://github.com/spiffe/spire/blob/v1.8.7/pkg/server/api/agent/v1/service.go#L515
-	// nolint: gosec // not a credential
+	//nolint: gosec // not a credential
 	joinTokenSelectorType = "spiffe_id"
 )
 
@@ -73,6 +75,7 @@ type ReconcilerConfig struct {
 	Reconcile            spirev1alpha1.ReconcileConfig
 	EntryIDPrefix        string
 	EntryIDPrefixCleanup *string
+	StaticManifestPath   *string
 
 	// GCInterval how long to sit idle (i.e. untriggered) before doing
 	// another reconcile.
@@ -81,7 +84,9 @@ type ReconcilerConfig struct {
 
 func Reconciler(config ReconcilerConfig) reconciler.Reconciler {
 	r := &entryReconciler{
-		config: config,
+		config:             config,
+		promCounter:        metrics.PromCounters,
+		staticManifestPath: config.StaticManifestPath,
 	}
 	return reconciler.New(reconciler.Config{
 		Kind:       "entry",
@@ -94,7 +99,9 @@ type entryReconciler struct {
 	config ReconcilerConfig
 
 	unsupportedFields        map[spireapi.Field]struct{}
+	promCounter              map[string]prometheus.Counter
 	nextGetUnsupportedFields time.Time
+	staticManifestPath       *string
 }
 
 func (r *entryReconciler) reconcile(ctx context.Context) {
@@ -199,6 +206,9 @@ func (r *entryReconciler) reconcile(ctx context.Context) {
 			continue
 		}
 		clusterStaticEntry.Status = clusterStaticEntry.NextStatus
+		if r.config.K8sClient == nil {
+			continue
+		}
 		if err := r.config.K8sClient.Status().Update(ctx, &clusterStaticEntry.ClusterStaticEntry); err == nil {
 			log.Info("Updated status")
 		} else {
@@ -303,7 +313,13 @@ func (r *entryReconciler) getUnsupportedFields(ctx context.Context) (map[spireap
 }
 
 func (r *entryReconciler) listClusterStaticEntries(ctx context.Context) ([]*ClusterStaticEntry, error) {
-	clusterStaticEntries, err := k8sapi.ListClusterStaticEntries(ctx, r.config.K8sClient)
+	var clusterStaticEntries []spirev1alpha1.ClusterStaticEntry
+	var err error
+	if r.config.K8sClient != nil {
+		clusterStaticEntries, err = k8sapi.ListClusterStaticEntries(ctx, r.config.K8sClient)
+	} else {
+		clusterStaticEntries, err = spirev1alpha1.ListClusterStaticEntries(ctx, *r.staticManifestPath)
+	}
 	if err != nil {
 		return nil, err
 	}
@@ -350,6 +366,7 @@ func (r *entryReconciler) addClusterStaticEntryEntriesState(ctx context.Context,
 		if err != nil {
 			log.Error(err, "Failed to render ClusterStaticEntry")
 			clusterStaticEntry.NextStatus.Rendered = false
+			r.promCounter[metrics.StaticEntryFailures].Add(1)
 			continue
 		}
 		clusterStaticEntry.NextStatus.Rendered = true

pkg/spirefederationrelationship/reconciler.go

@@ -32,10 +32,11 @@ import (
 )
 
 type ReconcilerConfig struct {
-	TrustDomainClient spireapi.TrustDomainClient
+	TrustDomainClient  spireapi.TrustDomainClient
-	K8sClient         client.Client
+	K8sClient          client.Client
-	ClassName         string
+	ClassName          string
-	WatchClassless    bool
+	WatchClassless     bool
+	StaticManifestPath *string
 
 	// GCInterval how long to sit idle (i.e. untriggered) before doing
 	// another reconcile.
@@ -46,27 +47,29 @@ func Reconciler(config ReconcilerConfig) reconciler.Reconciler {
 	return reconciler.New(reconciler.Config{
 		Kind: "federation relationship",
 		Reconcile: func(ctx context.Context) {
-			Reconcile(ctx, config.TrustDomainClient, config.K8sClient, config.ClassName, config.WatchClassless)
+			Reconcile(ctx, config.TrustDomainClient, config.K8sClient, config.ClassName, config.WatchClassless, config.StaticManifestPath)
 		},
 		GCInterval: config.GCInterval,
 	})
 }
 
-func Reconcile(ctx context.Context, trustDomainClient spireapi.TrustDomainClient, k8sClient client.Client, className string, watchClassless bool) {
+func Reconcile(ctx context.Context, trustDomainClient spireapi.TrustDomainClient, k8sClient client.Client, className string, watchClassless bool, staticManifestPath *string) {
 	r := &federationRelationshipReconciler{
-		trustDomainClient: trustDomainClient,
+		trustDomainClient:  trustDomainClient,
-		k8sClient:         k8sClient,
+		k8sClient:          k8sClient,
-		className:         className,
+		className:          className,
-		watchClassless:    watchClassless,
+		watchClassless:     watchClassless,
+		staticManifestPath: staticManifestPath,
 	}
 	r.reconcile(ctx)
 }
 
 type federationRelationshipReconciler struct {
-	trustDomainClient spireapi.TrustDomainClient
+	trustDomainClient  spireapi.TrustDomainClient
-	k8sClient         client.Client
+	k8sClient          client.Client
-	className         string
+	className          string
-	watchClassless    bool
+	watchClassless     bool
+	staticManifestPath *string
 }
 
 func (r *federationRelationshipReconciler) reconcile(ctx context.Context) {
@@ -135,7 +138,13 @@ func (r *federationRelationshipReconciler) listFederationRelationships(ctx conte
 func (r *federationRelationshipReconciler) listClusterFederatedTrustDomains(ctx context.Context) (map[spiffeid.TrustDomain]*clusterFederatedTrustDomainState, error) {
 	log := log.FromContext(ctx)
 
-	clusterFederatedTrustDomains, err := k8sapi.ListClusterFederatedTrustDomains(ctx, r.k8sClient)
+	var clusterFederatedTrustDomains []spirev1alpha1.ClusterFederatedTrustDomain
+	var err error
+	if r.k8sClient != nil {
+		clusterFederatedTrustDomains, err = k8sapi.ListClusterFederatedTrustDomains(ctx, r.k8sClient)
+	} else {
+		clusterFederatedTrustDomains, err = spirev1alpha1.ListClusterFederatedTrustDomains(ctx, *r.staticManifestPath)
+	}
 	if err != nil {
 		return nil, err
 	}

pkg/spirefederationrelationship/reconciler_test.go

@@ -191,7 +191,7 @@ func TestReconcile(t *testing.T) {
 			ctx := log.IntoContext(context.Background(), logrtesting.NewTestLogger(t))
 
 			k8sClient := k8stest.NewClientBuilder(t).WithRuntimeObjects(tt.withObjects...).Build()
-			spirefederationrelationship.Reconcile(ctx, tdc, k8sClient, "", false)
+			spirefederationrelationship.Reconcile(ctx, tdc, k8sClient, "", false, nil)
 			assert.Equal(t, tt.expectFRs, tdc.getFederationRelationships())
 		})
 	}

pkg/webhookmanager/manager.go

@@ -169,6 +169,10 @@ func (m *Manager) Start(ctx context.Context) error {
 	}
 }
 
+func (m *Manager) NeedLeaderElection() bool {
+	return false
+}
+
 func (m *Manager) mintX509SVIDIfNeeded(ctx context.Context, store cache.Store) error {
 	log := log.FromContext(ctx)
 
@@ -364,7 +368,7 @@ func dnsNamesEqual(a, b []string) bool {
 	if len(a) != len(b) {
 		return false
 	}
-	for i := 0; i < len(a); i++ {
+	for i := range a {
 		if a[i] != b[i] {
 			return false
 		}