

No commits in common. "main" and "2025-01-25-1" have entirely different histories.

65 changed files with 551 additions and 950 deletions


@ -6,11 +6,11 @@ on:
pull_request: {} pull_request: {}
workflow_dispatch: {} workflow_dispatch: {}
env: env:
GO_VERSION: 1.24.1 GO_VERSION: 1.19.4
CHANGE_MINIKUBE_NONE_USER: true CHANGE_MINIKUBE_NONE_USER: true
jobs: jobs:
test-all: test-all:
runs-on: ubuntu-24.04 runs-on: ubuntu-22.04
timeout-minutes: 30 timeout-minutes: 30
steps: steps:
- name: Checkout - name: Checkout
@ -39,7 +39,7 @@ jobs:
- run: | - run: |
set -xe set -xe
echo "building: {{github.ref_name}}-$(uname -i)" echo "building: {{github.ref_name}}-$(uname -i)"
docker build -t t -f examples/rpms/Dockerfile examples docker build -t t examples/rpms
docker run -i --rm -v /tmp:/tmp t /bin/bash -c 'cp -a /usr/share/nginx/html/packages /tmp' docker run -i --rm -v /tmp:/tmp t /bin/bash -c 'cp -a /usr/share/nginx/html/packages /tmp'
- name: Archive artifacts - name: Archive artifacts
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v4


@ -14,15 +14,10 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: build - run: |
env: set -xe
RPM_GPG_KEY: ${{ secrets.RPM_GPG_KEY }}
run: |
set -e
echo "building: {{github.ref_name}}-$(uname -i)" echo "building: {{github.ref_name}}-$(uname -i)"
printf "%s" "$RPM_GPG_KEY" | base64 -d > /tmp/rpm.priv docker build -t t examples/rpms
docker build --secret "id=gpg,src=/tmp/rpm.priv" -t t -f examples/rpms/Dockerfile examples
rm -f /tmp/rpm.priv
docker run -i --rm -v /tmp:/tmp t /bin/bash -c 'cp -a /usr/share/nginx/html/packages /tmp' docker run -i --rm -v /tmp:/tmp t /bin/bash -c 'cp -a /usr/share/nginx/html/packages /tmp'
- name: Archive artifacts - name: Archive artifacts
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v4
@ -35,11 +30,6 @@ jobs:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
timeout-minutes: 30 timeout-minutes: 30
needs: packages needs: packages
permissions:
id-token: write
contents: write
pages: write
packages: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
@ -53,42 +43,8 @@ jobs:
with: with:
name: packages-arm name: packages-arm
path: /tmp/packages path: /tmp/packages
- name: Log in to the Container registry
uses: docker/login-action@v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: build-state-image
run: |
set -e
sudo apt-get update
sudo apt-get install -y rsync
# Fetch previously released packages
mkdir -p /tmp/oldpackages
docker run -i --rm -v /tmp:/tmp ghcr.io/spiffe/spire-examples/pages:latest /bin/bash -c 'cp -a /usr/share/nginx/html/RPMS /tmp/oldpackages/ && cp -a /usr/share/nginx/html/DEBS /tmp/oldpackages/'
# Copy only packages that don't overwrite a previously released package. This prevents rereleasing a package.
sudo rsync --ignore-existing -rv /tmp/packages/ /tmp/oldpackages/
sudo mv /tmp/packages /tmp/releasepackages
sudo mv /tmp/oldpackages /tmp/packages
# Update repos
docker build -f examples/rpms/Dockerfile.repos -t ghcr.io/spiffe/spire-examples/pages:latest /tmp/packages
sudo rm -rf /tmp/packages
mkdir -p /tmp/packages
docker run -i --rm -v /tmp:/tmp ghcr.io/spiffe/spire-examples/pages:latest /bin/bash -c 'cp -a /usr/share/nginx/html/RPMS /tmp/packages/ && cp -a /usr/share/nginx/html/DEBS /tmp/packages/'
# Save a copy of packages/pages for next release
docker push ghcr.io/spiffe/spire-examples/pages:latest
- name: Release Files - name: Release Files
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: | run: |
gh release upload "${GITHUB_REF#refs/tags/}" examples/rpms/rpm.pub /tmp/releasepackages/*/*/*.rpm /tmp/releasepackages/*/*/*.deb gh release upload "${GITHUB_REF#refs/tags/}" /tmp/packages/*/*/*
- name: Setup Pages
uses: actions/configure-pages@v5
- name: Upload Artifact
uses: actions/upload-pages-artifact@v3
with:
path: /tmp/packages
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4
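Review bot: The `Release Files` step on the new side still runs `gh release upload` with `secrets.GITHUB_TOKEN`, but the job that contains it no longer declares a `permissions:` block, so the token's scope is whatever the repository default happens to be — on a write-all default that is far more than an asset upload needs, on a read-only default the upload fails outright. Declare the minimum on that job explicitly: `permissions:` / `  contents: write`. Separately, the new build step produces the packages without any signing key and the upload publishes `/tmp/packages/*/*/*` with no public key or detached signature next to them, so a consumer has nothing beyond TLS to GitHub to verify an RPM or DEB against; if signing is deliberately out of scope for this branch, say so in a comment above the `docker build` line rather than leaving it implicit. Minor: `echo "building: {{github.ref_name}}-..."` is not an Actions expression (that needs `${{ github.ref_name }}`), so the literal braces are what gets printed.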


@ -12,26 +12,30 @@ The SPIRE project is growing rapidly, and new features are released often. In or
Examples showing how SPIRE integrates with Envoy. Examples showing how SPIRE integrates with Envoy.
* [Envoy SDS Integration](examples/envoy) Use SPIRE to deliver and rotate X509-SVIDs for Envoy * [Envoy SDS Integration with SPIRE 1.5.1](examples/envoy) Use SPIRE to deliver and rotate X509-SVIDs for Envoy
## Kubernetes ## Kubernetes
Examples showing how to deploy SPIRE on Kubernetes. There are several configuration possibilities. Examples showing how to deploy SPIRE on Kubernetes. There are several configuration possibilities.
+ [Simple PSAT](examples/k8s/simple_psat) - This is a simple configuration using the + [Simple SAT with SPIRE 1.5.1](examples/k8s/simple_sat) - This is a simple configuration using the Kubernetes
[service account token (SAT) attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_sat.md)
that deploys SPIRE server as a StatefulSet and SPIRE agent as a DaemonSet.
+ [Simple PSAT with SPIRE 1.5.1](examples/k8s/simple_psat) - This is a simple configuration using the
Kubernetes Kubernetes
[projected service account token (PSAT) attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_psat.md). [projected service account token (PSAT) attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_psat.md)
+ [Postgres](examples/k8s/postgres) - This expands on the **Simple PSAT** configuration by that otherwise deploys SPIRE as in the **Simple SAT** example.
+ [Postgres with SPIRE 1.5.1](examples/k8s/postgres) - This expands on the **Simple SAT** configuration by
moving the SPIRE datastore into a Postgres StatefulSet. The SPIRE server is moving the SPIRE datastore into a Postgres StatefulSet. The SPIRE server is
now a stateless Deployment that can be scaled. now a stateless Deployment that can be scaled.
+ [Kustomize](examples/k8s/k7e) - A set of SPIRE examples using [Kustomize](https://kustomize.io/) + [Kustomize with SPIRE 1.5.1](examples/k8s/k7e) - A set of SPIRE examples using [Kustomize](https://kustomize.io/)
as shown at the SPIFFE Community Day in May 2019. as shown at the SPIFFE Community Day in May 2019.
## EKS ## EKS
Examples showing how to deploy SPIRE on Amazon EKS. Examples showing how to deploy SPIRE on Amazon EKS.
+ [EKS-based SAT](examples/k8s/eks_psat) - This slightly modifies the **Kubernetes Simple PSAT** configuration to + [EKS-based SAT with SPIRE 1.5.1](examples/k8s/eks_sat) - This slightly modifies the **Kubernetes Simple SAT** configuration to
make it compatible with EKS platform. make it compatible with EKS platform.
## SystemD ## SystemD


@ -1,4 +1,4 @@
# Envoy 1.17.0 SDS Example with SPIRE # Envoy 1.17.0 SDS Example with SPIRE 1.5.1
[!WARNING] [!WARNING]
This example is no longer tested regularly. Some assembly may be required. Please let us know if changes are needed. This example is no longer tested regularly. Some assembly may be required. Please let us know if changes are needed.


@ -1,4 +1,4 @@
FROM ghcr.io/spiffe/spire-agent:1.11.2 as spire FROM ghcr.io/spiffe/spire-agent:1.6.1 as spire
FROM envoyproxy/envoy:v1.25.1 FROM envoyproxy/envoy:v1.25.1
RUN mkdir -p /opt/spire/conf/agent RUN mkdir -p /opt/spire/conf/agent


@ -1,4 +1,4 @@
FROM ghcr.io/spiffe/spire-server:1.11.2 FROM ghcr.io/spiffe/spire-server:1.6.1
# Override spire configurations # Override spire configurations
COPY conf/spire-server.conf /opt/spire/conf/server/server.conf COPY conf/spire-server.conf /opt/spire/conf/server/server.conf


@ -1,4 +1,4 @@
FROM ghcr.io/spiffe/spire-agent:1.11.2 as spire FROM ghcr.io/spiffe/spire-agent:1.6.1 as spire
FROM envoyproxy/envoy:v1.25.1 FROM envoyproxy/envoy:v1.25.1
RUN mkdir -p /opt/spire/conf/agent RUN mkdir -p /opt/spire/conf/agent


@ -23,12 +23,12 @@ spec:
- name: init - name: init
# This is a small image with wait-for-it, choose whatever image # This is a small image with wait-for-it, choose whatever image
# you prefer that waits for a service to be up. This image is built # you prefer that waits for a service to be up. This image is built
# from https://github.com/chainguard-images/images/blob/main/images/wait-for-it # from https://github.com/lqhl/wait-for-it
image: cgr.dev/chainguard/wait-for-it image: gcr.io/spiffe-io/wait-for-it
args: ["-t", "30", "spire-server:8081"] args: ["-t", "30", "spire-server:8081"]
containers: containers:
- name: spire-agent - name: spire-agent
image: ghcr.io/spiffe/spire-agent:1.11.2 image: ghcr.io/spiffe/spire-agent:1.6.1
args: ["-config", "/run/spire/config/agent.conf"] args: ["-config", "/run/spire/config/agent.conf"]
env: env:
- name: MY_NODE_NAME - name: MY_NODE_NAME
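Review bot: The `init` container on the new side references `gcr.io/spiffe-io/wait-for-it` with neither a tag nor a digest, so every pod start resolves `latest` from a registry the example does not control and the binary that runs before the agent can change without any diff here; the `spire-agent` image a few lines below is at least tagged. Pin it, `image: gcr.io/spiffe-io/wait-for-it@sha256:<digest>`, or at minimum record the intended tag and keep the comment above it pointing at the source that produced that build. The same untagged reference appears in every other agent and server manifest in this compare, so they should be pinned together. The DaemonSet spec continues past the end of the hunk.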


@ -21,7 +21,7 @@ spec:
shareProcessNamespace: true shareProcessNamespace: true
containers: containers:
- name: spire-server - name: spire-server
image: ghcr.io/spiffe/spire-server:1.11.2 image: ghcr.io/spiffe/spire-server:1.6.1
args: args:
- -config - -config
- /run/spire/config/server.conf - /run/spire/config/server.conf


@ -1,18 +1,18 @@
# SPIRE deployment using PSAT node attestor on EKS # SPIRE 1.5.1 deployment using SAT node attestor on EKS
This configuration is an example of a SPIRE deployment for Kubernetes on EKS. This example is based on the [simple PSAT](../simple_psat/README.md), with minor modifications to make it work on EKS platform. This configuration is an example of a SPIRE 1.5.1 deployment for Kubernetes on EKS. This example is based on the [simple SAT](../simple_sat/README.md), with minor modifications to make it work on EKS platform.
Compare the [simple PSAT server](../simple_psat/spire-server.yaml) configuration with Compare the [simple SAT server](../simple_sat/spire-server.yaml) configuration with
this [EKS PSAT server](spire-server.yaml) to see the differences, which this [EKS SAT server](spire-server.yaml) to see the differences, which
consist of: consist of:
+ Node attestation is done using the [PSAT node attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_psat.md) + Node attestation is done using the [SAT node attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_sat.md)
with kubernetes token review validation enabled. with kubernetes token review validation enabled.
+ As a consequence of the above, volume and volume mounts for validation key are removed. + As a consequence of the above, volume and volume mounts for validation key are removed.
+ RBAC authorization policies are set to guarantee access to certain Kubernetes resources. + RBAC authorization policies are set to guarantee access to certain Kubernetes resources.
In the same way, the differences between the [simple PSAT agent](../simple_psat/spire-agent.yaml) and [EKS PSAT server](spire-agent.yaml) are: In the same way, the differences between the [simple SAT agent](../simple_sat/spire-agent.yaml) and [EKS SAT server](spire-agent.yaml) are:
+ Workload attestation is done using the [k8s workload attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_k8s.md) with the secure port configuration. + Workload attestation is done using the [k8s workload attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_agent_workloadattestor_k8s.md) with the secure port configuration.
+ RBAC authorization policies are set to guarantee access to certain Kubernetes resources. + RBAC authorization policies are set to guarantee access to certain Kubernetes resources.
Both SPIRE agent and server run in the **spire** namespace, using service accounts of **spire-server** and **spire-agent**. Both SPIRE agent and server run in the **spire** namespace, using service accounts of **spire-server** and **spire-agent**.
@ -42,5 +42,5 @@ The server log shows the attestation result:
$ kubectl -n spire logs -f spire-server-0 $ kubectl -n spire logs -f spire-server-0
``` ```
``` ```
level=info msg="Node attestation request from 192.168.21.111:56628 completed using strategy k8s_psat" subsystem_name=node_api level=info msg="Node attestation request from 192.168.21.111:56628 completed using strategy k8s_sat" subsystem_name=node_api
``` ```


@ -52,7 +52,7 @@ data:
} }
plugins { plugins {
NodeAttestor "k8s_psat" { NodeAttestor "k8s_sat" {
plugin_data { plugin_data {
cluster = "demo-cluster" cluster = "demo-cluster"
} }
@ -125,12 +125,12 @@ spec:
- name: init - name: init
# This is a small image with wait-for-it, choose whatever image # This is a small image with wait-for-it, choose whatever image
# you prefer that waits for a service to be up. This image is built # you prefer that waits for a service to be up. This image is built
# from https://github.com/chainguard-images/images/blob/main/images/wait-for-it # from https://github.com/lqhl/wait-for-it
image: cgr.dev/chainguard/wait-for-it image: gcr.io/spiffe-io/wait-for-it
args: ["-t", "30", "spire-server:8081"] args: ["-t", "30", "spire-server:8081"]
containers: containers:
- name: spire-agent - name: spire-agent
image: ghcr.io/spiffe/spire-agent:1.11.2 image: ghcr.io/spiffe/spire-agent:1.6.1
args: ["-config", "/run/spire/config/agent.conf"] args: ["-config", "/run/spire/config/agent.conf"]
env: env:
- name: MY_NODE_NAME - name: MY_NODE_NAME
@ -144,8 +144,6 @@ spec:
- name: spire-agent-socket - name: spire-agent-socket
mountPath: /run/spire/sockets mountPath: /run/spire/sockets
readOnly: false readOnly: false
- name: spire-token
mountPath: /var/run/secrets/tokens
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /live path: /live
@ -168,10 +166,3 @@ spec:
hostPath: hostPath:
path: /run/spire/sockets path: /run/spire/sockets
type: DirectoryOrCreate type: DirectoryOrCreate
- name: spire-token
projected:
sources:
- serviceAccountToken:
path: spire-agent
expirationSeconds: 7200
audience: spire-server
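Review bot: With the `spire-token` projected volume and its `/var/run/secrets/tokens` mount gone from the new side, the `k8s_sat` attestor has only the pod's default service-account token to present to the server; as far as I recall that token is not audience-scoped to `spire-server`, and on clusters that still issue legacy secret-backed tokens it never expires, so anything able to read the spire-agent pod's token can attest as an agent indefinitely. That trust assumption should be stated in the manifest rather than implied by the absence of a volume: above the `spire-agent` container add `# k8s_sat attests with the pod's default SA token; it is not audience-bound, so the spire-agent ServiceAccount must not be shared with any other workload`. If the target clusters already hand out bound, expiring default tokens, note that instead. The DaemonSet spec continues past the end of the hunk.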


@ -80,11 +80,12 @@ data:
} }
} }
NodeAttestor "k8s_psat" { NodeAttestor "k8s_sat" {
plugin_data { plugin_data {
clusters = { clusters = {
"demo-cluster" = { "demo-cluster" = {
service_account_allow_list = ["spire:spire-agent"] service_account_allow_list = ["spire:spire-agent"]
use_token_review_api_validation = true
} }
} }
} }
@ -151,7 +152,7 @@ spec:
serviceAccountName: spire-server serviceAccountName: spire-server
containers: containers:
- name: spire-server - name: spire-server
image: ghcr.io/spiffe/spire-server:1.11.2 image: ghcr.io/spiffe/spire-server:1.6.1
args: ["-config", "/run/spire/config/server.conf"] args: ["-config", "/run/spire/config/server.conf"]
ports: ports:
- containerPort: 8081 - containerPort: 8081


@ -4,7 +4,7 @@ This directory contains various examples of deploying and configuring SPIRE to
Kubernetes using [kustomize](https://kustomize.io) which is part of Kubectl as Kubernetes using [kustomize](https://kustomize.io) which is part of Kubectl as
of 1.14. of 1.14.
+ [base_minikube_psat](base_minikube_psat) - A base configuration for SPIRE in + [base_minikube_sat](base_minikube_sat) - A base configuration for SPIRE in
minikube using the SAT attestor. This is also the base configuration from minikube using the SAT attestor. This is also the base configuration from
which all other configurations in this directory are derived. which all other configurations in this directory are derived.
+ [community_day_2019_may](community_day_2019_may) - This is the demo from + [community_day_2019_may](community_day_2019_may) - This is the demo from
@ -28,7 +28,7 @@ by kubectl, you can use the "kustomize" argument to `kubectl` along with the
directory of the configuration to apply. For example: directory of the configuration to apply. For example:
``` ```
$ kubectl kustomize base_minikube_psat $ kubectl kustomize base_minikube_sat
``` ```
## Apply Configuration to Kubernetes ## Apply Configuration to Kubernetes
@ -37,5 +37,5 @@ To apply a kustomize configuration with kubectl, use the "-k" option to the
"apply" option along with the directory of the configuration to apply: "apply" option along with the directory of the configuration to apply:
``` ```
$ kubectl apply -k base_minikube_psat $ kubectl apply -k base_minikube_sat
``` ```


@ -9,7 +9,7 @@ agent {
} }
plugins { plugins {
NodeAttestor "k8s_psat" { NodeAttestor "k8s_sat" {
plugin_data { plugin_data {
cluster = "demo-cluster" cluster = "demo-cluster"
} }


@ -19,10 +19,11 @@ plugins {
} }
} }
NodeAttestor "k8s_psat" { NodeAttestor "k8s_sat" {
plugin_data { plugin_data {
clusters = { clusters = {
"demo-cluster" = { "demo-cluster" = {
service_account_key_file = "/run/k8s-certs/sa.pub"
service_account_allow_list = ["spire:spire-agent"] service_account_allow_list = ["spire:spire-agent"]
} }
} }


@ -23,12 +23,12 @@ spec:
- name: init - name: init
# This is a small image with wait-for-it, choose whatever image # This is a small image with wait-for-it, choose whatever image
# you prefer that waits for a service to be up. This image is built # you prefer that waits for a service to be up. This image is built
# from https://github.com/chainguard-images/images/blob/main/images/wait-for-it # from https://github.com/lqhl/wait-for-it
image: cgr.dev/chainguard/wait-for-it image: gcr.io/spiffe-io/wait-for-it
args: ["-t", "30", "spire-server:8081"] args: ["-t", "30", "spire-server:8081"]
containers: containers:
- name: spire-agent - name: spire-agent
image: ghcr.io/spiffe/spire-agent:1.11.2 image: ghcr.io/spiffe/spire-agent:1.6.1
imagePullPolicy: Always imagePullPolicy: Always
args: ["-config", "/run/spire/config/spire-agent.conf"] args: ["-config", "/run/spire/config/spire-agent.conf"]
env: env:
@ -46,8 +46,6 @@ spec:
- name: spire-agent-socket - name: spire-agent-socket
mountPath: /run/spire/sockets mountPath: /run/spire/sockets
readOnly: false readOnly: false
- name: spire-token
mountPath: /var/run/secrets/tokens
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /live path: /live
@ -73,10 +71,3 @@ spec:
hostPath: hostPath:
path: /run/spire/sockets path: /run/spire/sockets
type: DirectoryOrCreate type: DirectoryOrCreate
- name: spire-token
projected:
sources:
- serviceAccountToken:
path: spire-agent
expirationSeconds: 7200
audience: spire-server


@ -20,7 +20,7 @@ spec:
serviceAccountName: spire-server serviceAccountName: spire-server
containers: containers:
- name: spire-server - name: spire-server
image: ghcr.io/spiffe/spire-server:1.11.2 image: ghcr.io/spiffe/spire-server:1.6.1
imagePullPolicy: Always imagePullPolicy: Always
args: ["-config", "/run/spire/config/spire-server.conf"] args: ["-config", "/run/spire/config/spire-server.conf"]
ports: ports:


@ -8,6 +8,3 @@ rules:
resources: ["configmaps"] resources: ["configmaps"]
resourceNames: ["spire-bundle"] resourceNames: ["spire-bundle"]
verbs: ["get", "patch"] verbs: ["get", "patch"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]


@ -1,10 +1,10 @@
# Demo from SPIRE Community Day, May 2019 # Demo from SPIRE Community Day, May 2019
This example will allow you to recreate the demo from SPIRE Community Day in This example will allow you to recreate the demo from SPIRE Community Day in
May 2019. To run this example you'll need: May, 2019. To run this example you'll need:
+ A working minikube. + A working minikube.
+ `kubectl` version 1.20 or later. + `kubectl` version 1.14 or later.
+ The [examples/k8s/k7e](/examples/k8s/k7e) directory tree from the SPIRE github + The [examples/k8s/k7e](/examples/k8s/k7e) directory tree from the SPIRE github
repository. repository.
@ -24,11 +24,11 @@ $ watch 'set -x; kubectl get pods -n spire; kubectl get pods'
### Deploy SPIRE ### Deploy SPIRE
To deploy SPIRE, apply the `base_minikube_psat` configuration from the parent To deploy SPIRE, apply the `base_minikube_sat` configuration from the parent
directory: directory:
``` ```
$ kubectl apply -k ../base_minikube_psat $ kubectl apply -k ../base_minikube_sat
``` ```
Within 30 seconds or so, you should now have pods in "Running" status for both Within 30 seconds or so, you should now have pods in "Running" status for both
@ -102,13 +102,13 @@ registration entries. We'll create two registration entries:
First, let's create the `node` registration entry: First, let's create the `node` registration entry:
``` ```
$ kubectl exec -n spire spire-server-0 -- /opt/spire/bin/spire-server entry create -node -spiffeID spiffe://example.org/cluster -selector k8s_psat:cluster:demo-cluster $ kubectl exec -n spire spire-server-0 -- /opt/spire/bin/spire-server entry create -node -spiffeID spiffe://example.org/cluster -selector k8s_sat:cluster:demo-cluster
Entry ID : 1685a30f-fb14-4242-a86a-568038407ed7 Entry ID : 1685a30f-fb14-4242-a86a-568038407ed7
SPIFFE ID : spiffe://example.org/cluster SPIFFE ID : spiffe://example.org/cluster
Parent ID : spiffe://example.org/spire/server Parent ID : spiffe://example.org/spire/server
TTL : 3600 TTL : 3600
Selector : k8s_psat:cluster:demo-cluster Selector : k8s_sat:cluster:demo-cluster
``` ```
Second, we'll create a registration entry for our client workload: Second, we'll create a registration entry for our client workload:


@ -16,7 +16,7 @@ spec:
spec: spec:
containers: containers:
- name: client - name: client
image: ghcr.io/spiffe/spire-agent:1.11.2 image: ghcr.io/spiffe/spire-agent:1.6.1
imagePullPolicy: Always imagePullPolicy: Always
command: ["/opt/spire/bin/spire-agent"] command: ["/opt/spire/bin/spire-agent"]
args: ["api", "watch", "-socketPath", "/run/spire/sockets/agent.sock"] args: ["api", "watch", "-socketPath", "/run/spire/sockets/agent.sock"]


@ -1,4 +1,4 @@
# Postgres SPIRE deployment # Postgres SPIRE 1.5.1 deployment
This configuration is an example of a SPIRE deployment for Kubernetes using This configuration is an example of a SPIRE deployment for Kubernetes using
Postgres as a datastore for the SPIRE server. This configuration provides Postgres as a datastore for the SPIRE server. This configuration provides
@ -8,13 +8,13 @@ better resiliency and allows for scaling up the number of SPIRE servers.
PersistentVolume. PersistentVolume.
+ The SPIRE [server](spire-server.yaml) runs as a stateless Deployment. + The SPIRE [server](spire-server.yaml) runs as a stateless Deployment.
+ The SPIRE agent runs as a DaemonSet - note this configuration is a symlink + The SPIRE agent runs as a DaemonSet - note this configuration is a symlink
to the [simple psat example](../simple_psat/spire-agent.yaml). to the [simple sat example](../simple_sat/spire-agent.yaml).
Both SPIRE agent and server, along with postgres, run in the **spire** Both SPIRE agent and server, along with postgres, run in the **spire**
namespace, using service accounts of **spire-database**, **spire-server**, and namespace, using service accounts of **spire-database**, **spire-server**, and
**spire-agent**. **spire-agent**.
Compare the [simple psat server](../simple_psat/spire-server.yaml) configuration with Compare the [simple sat server](../simple_sat/spire-server.yaml) configuration with
this [postgres backed server](spire-server.yaml) to see the differences, which this [postgres backed server](spire-server.yaml) to see the differences, which
consist of: a Deployment instead of a StatefulSet, a datastore plugin change, consist of: a Deployment instead of a StatefulSet, a datastore plugin change,
an InitContainer that waits for postgres to be up, and removal of the an InitContainer that waits for postgres to be up, and removal of the
@ -27,11 +27,11 @@ failures and scalability.
+ **stateless** - To run the SPIRE server stateless (as in this example), the + **stateless** - To run the SPIRE server stateless (as in this example), the
`UpstreamAuthority` plugin needs to be used. `UpstreamAuthority` plugin needs to be used.
+ **stateful** - To run the SPIRE server stateful, the directory specified in + **stateful** - To run the SPIRE server stateful, the directory specified in
`data_dir` must be persistent (such as in the [simple psat example](../simple_psat) `data_dir` must be persistent (such as in the [simple sat example](../simple_sat)
where a StatefulSet and PersistentVolumeClaim are used. where a StatefulSet and PersistentVolumeClaim are used.
In this example deployment, the SPIRE server is stateless, using the example In this example deployment, the SPIRE server is stateless, using the example
[dummy upstream authority](https://github.com/spiffe/spire/tree/main/conf/server). [dummy upstream authority](https://github.com/spiffe/spire/tree/v1.5.1/conf/server).
One other **important note**: In a production environment it is very important One other **important note**: In a production environment it is very important
to use a highly available Postgres configuration, unlike this configuration to use a highly available Postgres configuration, unlike this configuration


@ -24,7 +24,7 @@ data:
} }
plugins { plugins {
NodeAttestor "k8s_psat" { NodeAttestor "k8s_sat" {
plugin_data { plugin_data {
cluster = "demo-cluster" cluster = "demo-cluster"
} }
@ -101,12 +101,12 @@ spec:
- name: init - name: init
# This is a small image with wait-for-it, choose whatever image # This is a small image with wait-for-it, choose whatever image
# you prefer that waits for a service to be up. This image is built # you prefer that waits for a service to be up. This image is built
# from https://github.com/chainguard-images/images/blob/main/images/wait-for-it # from https://github.com/lqhl/wait-for-it
image: cgr.dev/chainguard/wait-for-it image: gcr.io/spiffe-io/wait-for-it
args: ["-t", "30", "spire-server:8081"] args: ["-t", "30", "spire-server:8081"]
containers: containers:
- name: spire-agent - name: spire-agent
image: ghcr.io/spiffe/spire-agent:1.11.2 image: ghcr.io/spiffe/spire-agent:1.6.1
args: ["-config", "/run/spire/config/agent.conf"] args: ["-config", "/run/spire/config/agent.conf"]
env: env:
- name: MY_NODE_NAME - name: MY_NODE_NAME
@ -120,8 +120,6 @@ spec:
- name: spire-agent-socket - name: spire-agent-socket
mountPath: /run/spire/sockets mountPath: /run/spire/sockets
readOnly: false readOnly: false
- name: spire-token
mountPath: /var/run/secrets/tokens
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /live path: /live
@ -144,10 +142,3 @@ spec:
hostPath: hostPath:
path: /run/spire/sockets path: /run/spire/sockets
type: DirectoryOrCreate type: DirectoryOrCreate
- name: spire-token
projected:
sources:
- serviceAccountToken:
path: spire-agent
expirationSeconds: 7200
audience: spire-server


@ -6,36 +6,6 @@ metadata:
--- ---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-server-cluster-role
rules:
- apiGroups: [""]
resources: ["pods", "nodes"]
verbs: ["get"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
---
# Binds above cluster role to spire-server service account
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-server-cluster-role-binding
subjects:
- kind: ServiceAccount
name: spire-server
namespace: spire
roleRef:
kind: ClusterRole
name: spire-server-cluster-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
@ -76,10 +46,11 @@ data:
} }
} }
NodeAttestor "k8s_psat" { NodeAttestor "k8s_sat" {
plugin_data { plugin_data {
clusters = { clusters = {
"demo-cluster" = { "demo-cluster" = {
service_account_key_file = "/run/k8s-certs/sa.pub"
service_account_allow_list = ["spire:spire-agent"] service_account_allow_list = ["spire:spire-agent"]
} }
} }
@ -148,12 +119,12 @@ spec:
- name: init - name: init
# This is a small image with wait-for-it, choose whatever image # This is a small image with wait-for-it, choose whatever image
# you prefer that waits for a service to be up. This image is built # you prefer that waits for a service to be up. This image is built
# from https://github.com/chainguard-images/images/blob/main/images/wait-for-it # from https://github.com/lqhl/wait-for-it
image: cgr.dev/chainguard/wait-for-it image: gcr.io/spiffe-io/wait-for-it
args: ["-t", "30", "spire-database:5432"] args: ["-t", "30", "spire-database:5432"]
containers: containers:
- name: spire-server - name: spire-server
image: ghcr.io/spiffe/spire-server:1.11.2 image: ghcr.io/spiffe/spire-server:1.6.1
args: ["-config", "/run/spire/config/server.conf"] args: ["-config", "/run/spire/config/server.conf"]
ports: ports:
- containerPort: 8081 - containerPort: 8081
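Review bot: The `k8s_sat` block on the new side points the server at `service_account_key_file = "/run/k8s-certs/sa.pub"`, but nothing in this file section mounts that path, and the ClusterRole that used to give the server `pods`/`nodes`/`tokenreviews` access is gone, so the key file is now the only thing the server can check a token against; the volume that supplies it (the new README in this compare calls it `k8s-sa-cert`) is outside the hunk, so I cannot confirm it exists or how it is sourced. If it is a hostPath into the node's Kubernetes PKI directory, as it presumably is for minikube, mount it `readOnly: true` and scope the path to the single public key rather than the whole certs directory, otherwise this pod gets a read view of node key material it has no use for. The line itself deserves a comment: `# public key used to verify agent service-account tokens; must match the API server's SA signing key`. The spire-server container spec continues past the end of the hunk.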


@ -1,6 +1,6 @@
# Simple SPIRE deployment using PSAT node attestor # Simple SPIRE 1.5.1 deployment using PSAT node attestor
This configuration is an example of a simple SPIRE deployment for Kubernetes that uses [PSAT node attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_psat.md). This configuration is an example of a simple SPIRE 1.5.1 deployment for Kubernetes that uses [PSAT node attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_psat.md).
+ The SPIRE [server](spire-server.yaml) runs as a StatefulSet using a + The SPIRE [server](spire-server.yaml) runs as a StatefulSet using a
PersistentVolumeClaim. PersistentVolumeClaim.


@ -129,12 +129,12 @@ spec:
- name: init - name: init
# This is a small image with wait-for-it, choose whatever image # This is a small image with wait-for-it, choose whatever image
# you prefer that waits for a service to be up. This image is built # you prefer that waits for a service to be up. This image is built
# from https://github.com/chainguard-images/images/blob/main/images/wait-for-it # from https://github.com/lqhl/wait-for-it
image: cgr.dev/chainguard/wait-for-it image: gcr.io/spiffe-io/wait-for-it
args: ["-t", "30", "spire-server:8081"] args: ["-t", "30", "spire-server:8081"]
containers: containers:
- name: spire-agent - name: spire-agent
image: ghcr.io/spiffe/spire-agent:1.11.2 image: ghcr.io/spiffe/spire-agent:1.6.1
args: ["-config", "/run/spire/config/agent.conf"] args: ["-config", "/run/spire/config/agent.conf"]
env: env:
- name: MY_NODE_NAME - name: MY_NODE_NAME


@ -154,7 +154,7 @@ spec:
serviceAccountName: spire-server serviceAccountName: spire-server
containers: containers:
- name: spire-server - name: spire-server
image: ghcr.io/spiffe/spire-server:1.11.2 image: ghcr.io/spiffe/spire-server:1.6.1
args: ["-config", "/run/spire/config/server.conf"] args: ["-config", "/run/spire/config/server.conf"]
ports: ports:
- containerPort: 8081 - containerPort: 8081


@ -0,0 +1,33 @@
# Simple SPIRE 1.5.1 deployment using SAT node attestor
This configuration is an example of a simple SPIRE v1.5.1 deployment for Kubernetes that uses [SAT node attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_sat.md).
+ The SPIRE [server](spire-server.yaml) runs as a StatefulSet using a
PersistentVolumeClaim.
+ The SPIRE [agent](spire-agent.yaml) runs as a DaemonSet.
Both SPIRE agent and server run in the **spire** namespace, using service
accounts of **spire-server** and **spire-agent**.
## Usage
### Configuration
+ Set trust_domain and the cluster name for the k8s SAT NodeAttestor.
+ Modify the path in the *k8s-sa-cert* volume for SPIRE server as appropriate
for your deployment - this is the certificate used to verify service accounts
in the cluster. This example assumes minikube.
### Deployment
Start the server StatefulSet:
```
$ kubectl apply -f spire-server.yaml
```
Start the agent DaemonSet:
```
$ kubectl apply -f spire-agent.yaml
```


@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: spire
resources:
- spire-server.yaml
- spire-agent.yaml


@ -0,0 +1,144 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: spire-agent
namespace: spire
---
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-agent
namespace: spire
data:
agent.conf: |
agent {
data_dir = "/run/spire"
log_level = "DEBUG"
server_address = "spire-server"
server_port = "8081"
socket_path = "/run/spire/sockets/agent.sock"
trust_bundle_path = "/run/spire/config/bootstrap.crt"
trust_domain = "example.org"
}
plugins {
NodeAttestor "k8s_sat" {
plugin_data {
cluster = "demo-cluster"
}
}
KeyManager "memory" {
plugin_data {
}
}
WorkloadAttestor "k8s" {
plugin_data {
# Defaults to the secure kubelet port by default.
# Minikube does not have a cert in the cluster CA bundle that
# can authenticate the kubelet cert, so skip validation.
skip_kubelet_verification = true
node_name_env = "MY_NODE_NAME"
}
}
WorkloadAttestor "unix" {
plugin_data {
}
}
}
health_checks {
listener_enabled = true
bind_address = "0.0.0.0"
bind_port = "8080"
live_path = "/live"
ready_path = "/ready"
}
bootstrap.crt: |
-----BEGIN CERTIFICATE-----
MIICHzCCAaSgAwIBAgIJAJjG+BUpVpUbMAoGCCqGSM49BAMEMB4xCzAJBgNVBAYT
AlVTMQ8wDQYDVQQKDAZTUElGRkUwHhcNMjMwNjA5MjM0OTQxWhcNMjgwNjA3MjM0
OTQxWjAeMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGU1BJRkZFMHYwEAYHKoZIzj0C
AQYFK4EEACIDYgAERWdqmbBWmk7iKDFD7MuI8O2oBrXMpfZPC+Nz3dLRPWu44z3C
51MPk9GJDAoNsqpyZ9sHOnL8I+CdkmE41LqK/rigvKgvlrlqWJjf0/FAM/XLARaW
rzcpRty42WJgR5Yxo4GtMIGqMB0GA1UdDgQWBBRXKdGnbiP9nul87xm5F30yxRWT
VjAfBgNVHSMEGDAWgBRXKdGnbiP9nul87xm5F30yxRWTVjAPBgNVHRMBAf8EBTAD
AQH/MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0
ZTAOBgNVHQ8BAf8EBAMCAQYwGQYDVR0RBBIwEIYOc3BpZmZlOi8vbG9jYWwwCgYI
KoZIzj0EAwQDaQAwZgIxAKHxaBfSjhDJksGXmgJKkcpepPCYfB58hUc3HkxPy3Zf
08dfaeAp7UdBCkpU20GSrQIxAJc0FMZs1BSSINku6oYZpsrcCuo7CijAJMLCBLXQ
VYYO6xcbDgbZVm5MXu3FWTt+7g==
-----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: spire-agent
namespace: spire
labels:
app: spire-agent
spec:
selector:
matchLabels:
app: spire-agent
template:
metadata:
namespace: spire
labels:
app: spire-agent
spec:
hostPID: true
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: spire-agent
initContainers:
- name: init
# This is a small image with wait-for-it, choose whatever image
# you prefer that waits for a service to be up. This image is built
# from https://github.com/lqhl/wait-for-it
image: gcr.io/spiffe-io/wait-for-it
args: ["-t", "30", "spire-server:8081"]
containers:
- name: spire-agent
image: ghcr.io/spiffe/spire-agent:1.6.1
args: ["-config", "/run/spire/config/agent.conf"]
env:
- name: MY_NODE_NAME
valueFrom:
fieldRef:
fieldPath: status.podIP
volumeMounts:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
- name: spire-agent-socket
mountPath: /run/spire/sockets
readOnly: false
livenessProbe:
httpGet:
path: /live
port: 8080
failureThreshold: 2
initialDelaySeconds: 15
periodSeconds: 60
timeoutSeconds: 3
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: spire-config
configMap:
name: spire-agent
- name: spire-agent-socket
hostPath:
path: /run/spire/sockets
type: DirectoryOrCreate
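Review bot: The agent's health listener is bound to `bind_address = "0.0.0.0"` on port 8080 while the DaemonSet runs with `hostNetwork: true`, so `/live` and `/ready` are reachable on every node's network interfaces rather than only from the kubelet. Binding to loopback closes that off, but the kubelet then has to be told where to probe: set `bind_address = "127.0.0.1"` in agent.conf and add `host: 127.0.0.1` under both `httpGet` blocks of the liveness and readiness probes. Separately, `skip_kubelet_verification = true` is explained by the minikube comment but is not a setting to carry into a real cluster; a `kubelet_ca_path` pointing at the cluster CA is the production configuration and deserves a line in the README. If I recall the upstream SPIRE docs correctly, the `k8s_sat` node attestor is also documented as deprecated in favour of `k8s_psat`, which is worth stating next to the `NodeAttestor "k8s_sat"` block.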


@ -0,0 +1,195 @@
apiVersion: v1
kind: Namespace
metadata:
name: spire
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: spire-server
namespace: spire
---
apiVersion: v1
kind: Secret
metadata:
name: spire-server
namespace: spire
type: Opaque
data:
bootstrap.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1JR2tBZ0VCQkRCN2FmUTBzS2xuVWZHZ01rcTRnZVFFdlUwOTV1aHJLZzNkVU1pSkQyVVVKNzBYYjVXTThXWmYKMEp3R2ZXVzVjTStnQndZRks0RUVBQ0toWkFOaUFBUkZaMnFac0ZhYVR1SW9NVVBzeTRqdzdhZ0d0Y3lsOWs4TAo0M1BkMHRFOWE3ampQY0xuVXcrVDBZa01DZzJ5cW5KbjJ3YzZjdndqNEoyU1lUalV1b3IrdUtDOHFDK1d1V3BZCm1OL1Q4VUF6OWNzQkZwYXZOeWxHM0xqWlltQkhsakU9Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K
---
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-server
namespace: spire
data:
server.conf: |
server {
bind_address = "0.0.0.0"
bind_port = "8081"
trust_domain = "example.org"
data_dir = "/run/spire/data"
log_level = "DEBUG"
ca_subject = {
country = ["US"],
organization = ["SPIFFE"],
common_name = "",
}
}
plugins {
DataStore "sql" {
plugin_data {
database_type = "sqlite3"
connection_string = "/run/spire/data/datastore.sqlite3"
}
}
NodeAttestor "k8s_sat" {
plugin_data {
clusters = {
"demo-cluster" = {
service_account_key_file = "/run/k8s-certs/sa.pub"
service_account_allow_list = ["spire:spire-agent"]
}
}
}
}
KeyManager "disk" {
plugin_data {
keys_path = "/run/spire/data/keys.json"
}
}
UpstreamAuthority "disk" {
plugin_data {
key_file_path = "/run/spire/secrets/bootstrap.key"
cert_file_path = "/run/spire/config/bootstrap.crt"
}
}
}
health_checks {
listener_enabled = true
bind_address = "0.0.0.0"
bind_port = "8080"
live_path = "/live"
ready_path = "/ready"
}
bootstrap.crt: |
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: spire-server
namespace: spire
labels:
app: spire-server
spec:
replicas: 1
selector:
matchLabels:
app: spire-server
serviceName: spire-server
template:
metadata:
namespace: spire
labels:
app: spire-server
spec:
serviceAccountName: spire-server
containers:
- name: spire-server
image: ghcr.io/spiffe/spire-server:1.6.1
args: ["-config", "/run/spire/config/server.conf"]
ports:
- containerPort: 8081
volumeMounts:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
- name: spire-secrets
mountPath: /run/spire/secrets
readOnly: true
- name: spire-data
mountPath: /run/spire/data
readOnly: false
- name: k8s-sa-cert
mountPath: /run/k8s-certs/sa.pub
readOnly: true
livenessProbe:
httpGet:
path: /live
port: 8080
failureThreshold: 2
initialDelaySeconds: 15
periodSeconds: 60
timeoutSeconds: 3
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: spire-config
configMap:
name: spire-server
- name: spire-secrets
secret:
secretName: spire-server
- name: k8s-sa-cert
hostPath:
path: /var/lib/minikube/certs/sa.pub
type: File
volumeClaimTemplates:
- metadata:
name: spire-data
namespace: spire
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
name: spire-server
namespace: spire
spec:
type: NodePort
ports:
- name: grpc
port: 8081
targetPort: 8081
protocol: TCP
selector:
app: spire-server
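Review bot: The `spire-server` Secret carries the upstream CA private key (`bootstrap.key`, read by `UpstreamAuthority "disk"` from `/run/spire/secrets/bootstrap.key`) as a base64 value committed to the repository, so anyone with this file holds the signing key for the `example.org` trust domain that the agent's bootstrap bundle trusts. That is acceptable for a demo only if it is labelled as such; I would add above the Secret `# Example-only CA key pair: this key is public in the repository. Generate a fresh key and certificate (and update bootstrap.crt in both manifests) before any non-demo use.`. The Service is `type: NodePort`, which publishes 8081 on every node, while the agent reaches the server by name through `dnsPolicy: ClusterFirstWithHostNet`; unless something outside these manifests needs the node port, `type: ClusterIP` reduces the exposed surface. The README heading still says SPIRE 1.5.1 while these manifests pull `spire-server:1.6.1` and `spire-agent:1.6.1`.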

65
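--- a/examples/k8s/simple_sat/test.sh
+++ b/examples/k8s/simple_sat/test.sh
+#!/bin/bash
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+bold=$(tput bold) || true
+norm=$(tput sgr0) || true
+red=$(tput setaf 1) || true
+green=$(tput setaf 2) || true
+yellow=$(tput setaf 3) || true
+fail() {
+echo "${red}$*${norm}."
+exit 1
+}
+delete-ns() {
+echo "${bold}Cleaning up...${norm}"
+kubectl delete --ignore-not-found namespace spire > /dev/null
+}
+cleanup() {
+if [ -z "${GOOD}" ]; then
+echo "${yellow}Dumping statefulset/spire-server logs...${norm}"
+kubectl -nspire logs statefulset/spire-server --all-containers
+echo "${yellow}Dumping daemonset/spire-agent logs...${norm}"
+kubectl -nspire logs daemonset/spire-agent --all-containers
+fi
+delete-ns
+if [ -n "${GOOD}" ]; then
+echo "${green}Success.${norm}"
+else
+echo "${red}Failed.${norm}"
+fi
+}
+trap cleanup EXIT
+echo "${bold}Preparing environment...${norm}"
+delete-ns
+kubectl create namespace spire
+echo "${bold}Applying configuration...${norm}"
+kubectl apply -k "${DIR}"
+LOGLINE="Agent attestation request completed"
+for ((i=0;i<120;i++)); do
+if ! kubectl -nspire rollout status statefulset/spire-server; then
+sleep 1
+continue
+fi
+if ! kubectl -nspire rollout status daemonset/spire-agent; then
+sleep 1
+continue
+fi
+if ! kubectl -nspire logs statefulset/spire-server -c spire-server | grep -e "$LOGLINE" ; then
+sleep 1
+continue
+fi
+echo "${bold}Node attested.${norm}"
+GOOD=1
+exit 0
+done
+echo "${red}Timed out waiting for node to attest.${norm}"
+exit 1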
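Review bot: The 120-iteration loop does not bound wall-clock time, because `kubectl rollout status` waits for the rollout to finish by default (no `--timeout`), so a StatefulSet or DaemonSet that never becomes ready leaves the script hanging instead of reaching the `Timed out waiting for node to attest` exit path. Give each call a short deadline, e.g. `kubectl -nspire rollout status statefulset/spire-server --timeout=1s` and the same for `daemonset/spire-agent`, so a non-zero exit feeds the `sleep 1; continue` branch as intended. `fail()` is defined but never called; either drop it or use it on the `kubectl create namespace spire` and `kubectl apply -k "${DIR}"` steps, whose failures are currently ignored since the script does not `set -e`.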


@ -1,28 +1,16 @@
ARG STEPVER="0.28.2" ARG STEPVER="0.28.2"
ARG STEPCAVER="0.28.4"
FROM docker.io/library/almalinux:9 AS rpm-builder FROM docker.io/library/almalinux:9 AS rpm-builder
ARG STEPVER ARG STEPVER
ARG STEPCAVER
WORKDIR /tmp WORKDIR /tmp
COPY rpms/*.spec /tmp COPY *.spec /tmp
ADD rpms/rpm.pub /tmp/rpm.pub
ADD rpms/rpmmacros /root/.rpmmacros
COPY systemd /tmp/systemd RUN \
dnf install -y rpmdevtools rpm-build git make && \
RUN --mount=type=secret,id=gpg \
mkdir -p /root/rpmbuild/SOURCES && \
tar -zcvf /root/rpmbuild/SOURCES/spire-extras-systemd.tar.gz systemd && \
dnf install -y which rpmdevtools rpm-build rpm-sign git make && \
spectool -g -R spire.spec && \ spectool -g -R spire.spec && \
rpmbuild -ba spire.spec && \ rpmbuild -ba spire.spec && \
spectool -g -R spire-controller-manager.spec && \
rpmbuild -ba spire-controller-manager.spec && \
spectool -g -R spiffe-helper.spec && \
rpmbuild -ba spiffe-helper.spec && \
spectool -g -R spiffe-step-ssh.spec && \ spectool -g -R spiffe-step-ssh.spec && \
rpmbuild -ba spiffe-step-ssh.spec && \ rpmbuild -ba spiffe-step-ssh.spec && \
spectool -g -R spire-ha-agent.spec && \ spectool -g -R spire-ha-agent.spec && \
@ -30,33 +18,14 @@ RUN --mount=type=secret,id=gpg \
spectool -g -R k8s-spiffe-workload-jwt-exec-auth.spec && \ spectool -g -R k8s-spiffe-workload-jwt-exec-auth.spec && \
rpmbuild -ba k8s-spiffe-workload-jwt-exec-auth.spec && \ rpmbuild -ba k8s-spiffe-workload-jwt-exec-auth.spec && \
spectool -g -R k8s-spiffe-workload-auth-config.spec && \ spectool -g -R k8s-spiffe-workload-auth-config.spec && \
rpmbuild -ba k8s-spiffe-workload-auth-config.spec && \ rpmbuild -ba k8s-spiffe-workload-auth-config.spec
spectool -g -R spire-server-nodeattestor-tpmdirect.spec && \
rpmbuild -ba spire-server-nodeattestor-tpmdirect.spec && \
spectool -g -R spire-agent-nodeattestor-tpmdirect.spec && \
rpmbuild -ba spire-agent-nodeattestor-tpmdirect.spec && \
spectool -g -R spire-server-attestor-tpm.spec && \
rpmbuild -ba spire-server-attestor-tpm.spec && \
spectool -g -R spire-credentialcomposer-cel.spec && \
rpmbuild -ba spire-credentialcomposer-cel.spec && \
spectool -g -R aws-spiffe-workload-helper.spec && \
rpmbuild -ba aws-spiffe-workload-helper.spec && \
if [ -f /run/secrets/gpg ]; then \
gpg --import /run/secrets/gpg && \
gpg --import rpm.pub && \
rpm --addsign /root/rpmbuild/RPMS/*/*.rpm; \
else \
true; \
fi
RUN \ RUN \
dnf localinstall -y https://github.com/smallstep/cli/releases/download/v${STEPVER}/step-cli-${STEPVER}-1.$(uname -i).rpm && \ dnf localinstall -y https://github.com/smallstep/cli/releases/download/v${STEPVER}/step-cli-${STEPVER}-1.$(uname -i).rpm && \
dnf localinstall -y https://github.com/smallstep/certificates/releases/download/v${STEPCAVER}/step-ca-${STEPCAVER}-1.$(uname -i).rpm && \
dnf localinstall -y /root/rpmbuild/RPMS/*/*.rpm dnf localinstall -y /root/rpmbuild/RPMS/*/*.rpm
FROM docker.io/library/ubuntu:latest AS deb-builder FROM docker.io/library/ubuntu:latest AS deb-builder
ARG STEPVER ARG STEPVER
ARG STEPCAVER
COPY --from=rpm-builder /root/rpmbuild/RPMS /root/rpmbuild/RPMS COPY --from=rpm-builder /root/rpmbuild/RPMS /root/rpmbuild/RPMS
@ -73,9 +42,7 @@ RUN \
RUN \ RUN \
curl -L -o step-cli.deb https://github.com/smallstep/cli/releases/download/v${STEPVER}/step-cli_${STEPVER}-1_$(dpkg --print-architecture).deb && \ curl -L -o step-cli.deb https://github.com/smallstep/cli/releases/download/v${STEPVER}/step-cli_${STEPVER}-1_$(dpkg --print-architecture).deb && \
curl -L -o step-ca.deb https://github.com/smallstep/certificates/releases/download/v${STEPCAVER}/step-ca_${STEPCAVER}-1_$(dpkg --print-architecture).deb && \
apt-get install -y ./step-cli.deb && \ apt-get install -y ./step-cli.deb && \
apt-get install -y ./step-ca.deb && \
apt-get install -y /root/debbuild/*/*.deb apt-get install -y /root/debbuild/*/*.deb
FROM docker.io/library/nginx:latest FROM docker.io/library/nginx:latest
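Review bot: Both builder stages install third-party release binaries without verifying them: `dnf localinstall -y https://github.com/smallstep/cli/releases/download/v${STEPVER}/step-cli-...rpm` in rpm-builder and `curl -L -o step-cli.deb ... && apt-get install -y ./step-cli.deb` in deb-builder, neither checked against a pinned digest or signature (dnf does not GPG-check a locally supplied package unless `localpkg_gpgcheck` is enabled, and apt performs no check on a `./file.deb` install). Recording a `STEPVER`-specific SHA-256 in the Dockerfile and running `sha256sum -c` before each install, or importing the publisher's key and verifying the artifact, would make the build tamper-evident. `FROM docker.io/library/ubuntu:latest` and `FROM docker.io/library/nginx:latest` are likewise unpinned; a tag plus `@sha256:` digest keeps the image deterministic. The same applies to the tarballs `spectool -g` fetches from the `Source0:` URLs in the spec files at build time; the rpm-builder `RUN` spans a hunk boundary, so part of it is outside this view.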


@ -1,46 +0,0 @@
FROM docker.io/library/almalinux:9 AS rpm-builder9
WORKDIR /tmp
COPY RPMS /tmp/packages/RPMS
COPY DEBS /tmp/packages/DEBS
RUN \
dnf install -y createrepo_c && \
mkdir -p /tmp/packages/RPMS/x86_64/el9 && \
mkdir -p /tmp/packages/RPMS/aarch64/el9 && \
cd /tmp/packages/RPMS/x86_64 && \
createrepo -u https://spiffe.github.io/spire-examples/RPMS/x86_64 -o el9/ . && \
cd /tmp/packages/RPMS/aarch64 && \
createrepo -u https://spiffe.github.io/spire-examples/RPMS/aarch64 -o el9/ .
FROM docker.io/library/almalinux:10 AS rpm-builder10
WORKDIR /tmp
COPY RPMS /tmp/packages/RPMS
RUN \
dnf install -y createrepo_c && \
mkdir -p /tmp/packages/RPMS/x86_64/el10 && \
mkdir -p /tmp/packages/RPMS/aarch64/el10 && \
cd /tmp/packages/RPMS/x86_64 && \
createrepo -u https://spiffe.github.io/spire-examples/RPMS/x86_64 -o el10/ . && \
cd /tmp/packages/RPMS/aarch64 && \
createrepo -u https://spiffe.github.io/spire-examples/RPMS/aarch64 -o el10/ .
FROM docker.io/library/almalinux:8 AS rpm-builder8
WORKDIR /tmp
COPY RPMS /tmp/packages/RPMS
RUN \
dnf install -y createrepo_c && \
mkdir -p /tmp/packages/RPMS/x86_64/el8 && \
mkdir -p /tmp/packages/RPMS/aarch64/el8 && \
cd /tmp/packages/RPMS/x86_64 && \
createrepo -u https://spiffe.github.io/spire-examples/RPMS/x86_64 -o el8/ . && \
cd /tmp/packages/RPMS/aarch64 && \
createrepo -u https://spiffe.github.io/spire-examples/RPMS/aarch64 -o el8/ .
FROM docker.io/library/nginx:latest
RUN rm -rf /usr/share/nginx/html/*
COPY --from=rpm-builder9 /tmp/packages/RPMS /usr/share/nginx/html/RPMS
COPY --from=rpm-builder9 /tmp/packages/DEBS /usr/share/nginx/html/DEBS
COPY --from=rpm-builder10 /tmp/packages/RPMS/x86_64/el10 /usr/share/nginx/html/RPMS/x86_64/el10
COPY --from=rpm-builder10 /tmp/packages/RPMS/aarch64/el10 /usr/share/nginx/html/RPMS/aarch64/el10
COPY --from=rpm-builder8 /tmp/packages/RPMS/x86_64/el8 /usr/share/nginx/html/RPMS/x86_64/el8
COPY --from=rpm-builder8 /tmp/packages/RPMS/aarch64/el8 /usr/share/nginx/html/RPMS/aarch64/el8


@ -1,54 +0,0 @@
##############################################################################
#
# To you, dear reader:
#
# If you are a normal user, we recommend not reading further. Its probably not
# the file your looking for.
#
# If you are looking at using this file as a base for your own work, please
# don't. It is a horrible example. Please look elsewhere.
#
# If you are a package maintainer, please read on. We recognize this spec file
# is blasphemous, a terrible abomination, a crime against nature, and more. We
# regret needing to produce it, but had to in order to attract enough users to
# find you. We beseech thee, kind and generous package maintainer, please help
# us mend our wicked ways by joining us and help us produce proper packaging.
# You are our only hope.
#
##############################################################################
%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/)
Summary: AWS SPIFFE Workload Helper
Name: aws-spiffe-workload-helper
Version: 0.0.4
Release: 1
Group: Applications/Internet
License: Apache-2.0
URL: https://spiffe.io
Source0: https://github.com/spiffe/aws-spiffe-workload-helper/releases/download/v%{version}/aws-spiffe-workload-helper_Linux_%{ARCH}.tar.gz
%global __strip /bin/true
%description
AWS SPIFFE Workload Helper
%global _missing_build_ids_terminate_build 0
%global debug_package %{nil}
%prep
%setup -c
%build
%install
mkdir -p "%{buildroot}/usr/bin"
cp -a aws-spiffe-workload-helper %{buildroot}/usr/bin
%clean
rm -rf %{buildroot}
%files
/usr/bin/aws-spiffe-workload-helper


@ -19,32 +19,19 @@
%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/) %define ARCH %(echo %{_arch} | sed s/aarch64/arm64/)
Summary: Kubernetes SPIFFE Workload Auth Config Summary: K8s SPIFFE Workload Auth Config
Name: k8s-spiffe-workload-auth-config Name: k8s-spiffe-workload-auth-config
Version: 0.2.1 Version: 0.0.8
Release: 1 Release: 1
Group: Applications/Internet Group: Applications/Internet
License: Apache-2.0 License: Apache-2.0
URL: https://spiffe.io URL: https://spiffe.io
Source0: https://github.com/spiffe/k8s-spiffe-workload-auth-config/releases/download/v%{version}/k8s-spiffe-workload-auth-config_Linux_%{ARCH}.tar.gz Source0: https://github.com/spiffe/k8s-spiffe-workload-auth-config/releases/download/v%{version}/k8s-spiffe-workload-auth-config_Linux_%{ARCH}.tar.gz
Requires: spiffe-helper #FIXME This still needs upstream changes to package
#Requires: spiffe-helper
%global __strip /bin/true
%description %description
Kubernetes SPIFFE Workload Auth Config K8s SPIFFE Workload Auth Config
%package -n k8s-spiffe-oidc-discovery-provider
Summary: Kubernetes SPIFFE OIDC Discovery Provider
Requires: spiffe-helper spiffe-oidc-discovery-provider
%description -n k8s-spiffe-oidc-discovery-provider
Kubernetes SPIFFE OIDC Discovery Provider
%package -n k8s-spire-agent
Summary: Kubernetes SPIRE Agent
Requires: spiffe-helper
%description -n k8s-spire-agent
Kubernetes SPIRE Agent
%global _missing_build_ids_terminate_build 0 %global _missing_build_ids_terminate_build 0
%global debug_package %{nil} %global debug_package %{nil}
@ -60,15 +47,10 @@ mkdir -p "%{buildroot}/usr/bin"
mkdir -p "%{buildroot}/etc/spiffe" mkdir -p "%{buildroot}/etc/spiffe"
mkdir -p "%{buildroot}/etc/kubernetes" mkdir -p "%{buildroot}/etc/kubernetes"
mkdir -p "%{buildroot}/usr/lib/systemd/system" mkdir -p "%{buildroot}/usr/lib/systemd/system"
mkdir -p "%{buildroot}/usr/libexec/spiffe/k8s-oidc-discovery-provider"
cp -a k8s-spiffe-workload-auth-config %{buildroot}/usr/bin cp -a k8s-spiffe-workload-auth-config %{buildroot}/usr/bin
cp -a config/k8s-spiffe-workload-auth-config.env %{buildroot}/etc/spiffe/k8s-workload-auth-config.env cp -a config/k8s-spiffe-workload-auth-config.env %{buildroot}/etc/spiffe
cp -a config/auth-config.yaml %{buildroot}/etc/kubernetes/ cp -a config/auth-config.yaml %{buildroot}/etc/kubernetes/
cp -a config/k8s-spiffe-oidc-discovery-provider-helper.conf %{buildroot}/usr/libexec/spiffe/k8s-oidc-discovery-provider/helper.conf
cp -a config/k8s-spiffe-oidc-discovery-provider.conf %{buildroot}/etc/spiffe/k8s-oidc-discovery-provider.conf
cp -a systemd/k8s-spiffe-workload-auth-config.service %{buildroot}/usr/lib/systemd/system cp -a systemd/k8s-spiffe-workload-auth-config.service %{buildroot}/usr/lib/systemd/system
cp -a systemd/k8s-spiffe-oidc-discovery-provider.service %{buildroot}/usr/lib/systemd/system
cp -a systemd/k8s-spire-agent@.service %{buildroot}/usr/lib/systemd/system
%clean %clean
rm -rf %{buildroot} rm -rf %{buildroot}
@ -76,13 +58,5 @@ rm -rf %{buildroot}
%files %files
/usr/bin/k8s-spiffe-workload-auth-config /usr/bin/k8s-spiffe-workload-auth-config
/usr/lib/systemd/system/k8s-spiffe-workload-auth-config.service /usr/lib/systemd/system/k8s-spiffe-workload-auth-config.service
%config(noreplace) /etc/spiffe/k8s-workload-auth-config.env %config(noreplace) /etc/spiffe/k8s-spiffe-workload-auth-config.env
%config(noreplace) /etc/kubernetes/auth-config.yaml %config(noreplace) /etc/kubernetes/auth-config.yaml
%files -n k8s-spiffe-oidc-discovery-provider
/usr/lib/systemd/system/k8s-spiffe-oidc-discovery-provider.service
/usr/libexec/spiffe/k8s-oidc-discovery-provider/helper.conf
%config(noreplace) /etc/spiffe/k8s-oidc-discovery-provider.conf
%files -n k8s-spire-agent
/usr/lib/systemd/system/k8s-spire-agent@.service


@ -21,15 +21,13 @@
Summary: K8s SPIFFE Workload JWT Exec Auth Plugin Summary: K8s SPIFFE Workload JWT Exec Auth Plugin
Name: k8s-spiffe-workload-jwt-exec-auth Name: k8s-spiffe-workload-jwt-exec-auth
Version: 0.0.7 Version: 0.0.4
Release: 1 Release: 1
Group: Applications/Internet Group: Applications/Internet
License: Apache-2.0 License: Apache-2.0
URL: https://spiffe.io URL: https://spiffe.io
Source0: https://github.com/spiffe/k8s-spiffe-workload-jwt-exec-auth/releases/download/v%{version}/k8s-spiffe-workload-jwt-exec-auth_Linux_%{ARCH}.tar.gz Source0: https://github.com/spiffe/k8s-spiffe-workload-jwt-exec-auth/releases/download/v%{version}/k8s-spiffe-workload-jwt-exec-auth_Linux_%{ARCH}.tar.gz
%global __strip /bin/true
%description %description
K8s SPIFFE Workload JWT Exec Auth Plugin K8s SPIFFE Workload JWT Exec Auth Plugin


@ -1,51 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=mnaT
-----END PGP PUBLIC KEY BLOCK-----


@ -1,3 +0,0 @@
%_signature gpg
%_gpg_name SPIRE-EXAMPLES Packages
%_gpgbin /usr/bin/gpg


@ -1,53 +0,0 @@
##############################################################################
#
# To you, dear reader:
#
# If you are a normal user, we recommend not reading further. Its probably not
# the file your looking for.
#
# If you are looking at using this file as a base for your own work, please
# don't. It is a horrible example. Please look elsewhere.
#
# If you are a package maintainer, please read on. We recognize this spec file
# is blasphemous, a terrible abomination, a crime against nature, and more. We
# regret needing to produce it, but had to in order to attract enough users to
# find you. We beseech thee, kind and generous package maintainer, please help
# us mend our wicked ways by joining us and help us produce proper packaging.
# You are our only hope.
#
##############################################################################
%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/)
Summary: SPIFFE Helper
Name: spiffe-helper
Version: 0.10.0
Release: 1
Group: Applications/Internet
License: Apache-2.0
URL: https://spiffe.io
Source0: https://github.com/spiffe/spiffe-helper/releases/download/v%{version}/spiffe-helper_v%{version}_Linux-%{ARCH}.tar.gz
%global __strip /bin/true
%description
SPIFFE Helper
%global _missing_build_ids_terminate_build 0
%global debug_package %{nil}
%prep
%setup -c
%build
%install
mkdir -p %{buildroot}/usr/bin
cp spiffe-helper %{buildroot}/usr/bin
%clean
rm -rf %{buildroot}
%files
/usr/bin/spiffe-helper


@ -21,27 +21,19 @@
Summary: SPIFFE Step SSH Summary: SPIFFE Step SSH
Name: spiffe-step-ssh Name: spiffe-step-ssh
Version: 0.0.9 Version: 0.0.5
Release: 1 Release: 1
Group: Applications/Internet Group: Applications/Internet
License: Apache-2.0 License: Apache-2.0
URL: https://spiffe.io URL: https://spiffe.io
Source0: https://github.com/spiffe/spiffe-step-ssh/archive/refs/tags/v%{version}.tar.gz Source0: https://github.com/spiffe/spiffe-step-ssh/archive/refs/tags/v%{version}.tar.gz
Requires: step-cli Requires: step-cli
Requires: spiffe-helper #FIXME This still needs upstream changes to package
#Requires: spiffe-helper
%global __strip /bin/true
%description %description
SPIFFE Step SSH SPIFFE Step SSH
%package -n spiffe-step-ssh-server
Summary: SPIFFE Step SSH Server
Requires: step-ca
Requires: spiffe-helper
%description -n spiffe-step-ssh-server
SPIFFE Step SSH Server
%global _missing_build_ids_terminate_build 0 %global _missing_build_ids_terminate_build 0
%global debug_package %{nil} %global debug_package %{nil}
@ -54,7 +46,6 @@ SPIFFE Step SSH Server
%install %install
cd spiffe-step-ssh-%{version} cd spiffe-step-ssh-%{version}
make install DESTDIR="%{buildroot}" make install DESTDIR="%{buildroot}"
make install-server DESTDIR="%{buildroot}"
%clean %clean
rm -rf %{buildroot} rm -rf %{buildroot}
@ -65,14 +56,3 @@ rm -rf %{buildroot}
/usr/lib/systemd/system/spiffe-step-ssh@.service /usr/lib/systemd/system/spiffe-step-ssh@.service
/usr/lib/systemd/system/spiffe-step-ssh-cleanup.service /usr/lib/systemd/system/spiffe-step-ssh-cleanup.service
%config(noreplace) /etc/spiffe/step-ssh %config(noreplace) /etc/spiffe/step-ssh
%files -n spiffe-step-ssh-server
/usr/lib/systemd/system/spiffe-step-ssh-server@.service
/usr/lib/systemd/system/spiffe-step-ssh-fetchca@.service
/usr/libexec/spiffe/step-ssh-server/main
/usr/libexec/spiffe/step-ssh-server/ssh_x5c.tpl
/usr/libexec/spiffe/step-ssh-server/nginx-fetchca.conf
/usr/libexec/spiffe/step-ssh-server/helper-fetchca.conf
/usr/sbin/setup-spiffe-step-ssh-server
/usr/sbin/spiffe-step-ssh-get-cert-authority
%config(noreplace) /etc/spiffe/step-ssh-server


@ -1,58 +0,0 @@
##############################################################################
#
# To you, dear reader:
#
# If you are a normal user, we recommend not reading further. Its probably not
# the file your looking for.
#
# If you are looking at using this file as a base for your own work, please
# don't. It is a horrible example. Please look elsewhere.
#
# If you are a package maintainer, please read on. We recognize this spec file
# is blasphemous, a terrible abomination, a crime against nature, and more. We
# regret needing to produce it, but had to in order to attract enough users to
# find you. We beseech thee, kind and generous package maintainer, please help
# us mend our wicked ways by joining us and help us produce proper packaging.
# You are our only hope.
#
##############################################################################
%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/ | sed s/x86_64/amd64/)
Summary: SPIRE Agent Node Attestor TPM Direct
Name: spire-agent-nodeattestor-tpmdirect
Version: 1.9.0
Release: 1
Group: Applications/Internet
License: Apache-2.0
URL: https://spiffe.io
Source0: https://github.com/spiffe/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_tpm_attestor_agent_linux_%{ARCH}_v%{version}.tar.gz
Source1: https://github.com/spiffe/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_get_tpm_pubhash_linux_%{ARCH}_v%{version}.tar.gz
%global __strip /bin/true
%description
SPIRE Agent Node Attestor TPM Direct
%global _missing_build_ids_terminate_build 0
%global debug_package %{nil}
%prep
%setup -c
%setup -T -D -a 1
%build
%install
mkdir -p "%{buildroot}/usr/bin"
mkdir -p "%{buildroot}/usr/libexec/spire/plugins"
cp -a tpm_attestor_agent %{buildroot}/usr/libexec/spire/plugins/agent-nodeattestor-tpmdirect
cp -a get_tpm_pubhash %{buildroot}/usr/bin/get-tpm-pubhash
%clean
rm -rf %{buildroot}
%files
/usr/bin/get-tpm-pubhash
/usr/libexec/spire/plugins/agent-nodeattestor-tpmdirect


@ -1,74 +0,0 @@
##############################################################################
#
# To you, dear reader:
#
# If you are a normal user, we recommend not reading further. Its probably not
# the file your looking for.
#
# If you are looking at using this file as a base for your own work, please
# don't. It is a horrible example. Please look elsewhere.
#
# If you are a package maintainer, please read on. We recognize this spec file
# is blasphemous, a terrible abomination, a crime against nature, and more. We
# regret needing to produce it, but had to in order to attract enough users to
# find you. We beseech thee, kind and generous package maintainer, please help
# us mend our wicked ways by joining us and help us produce proper packaging.
# You are our only hope.
#
##############################################################################
%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/ | sed s/x86_64/amd64/)
Summary: SPIRE Controller Manager
Name: spire-controller-manager
Version: 0.6.2
Release: 1
Group: Applications/Internet
License: Apache-2.0
URL: https://spiffe.io
Requires: spire-common
#FIXME Switch to binaries once released
Source0: https://github.com/spiffe/spire-controller-manager/archive/refs/tags/v%{version}.tar.gz
Source1: spire-extras-systemd.tar.gz
%global __strip /bin/true
%description
SPIRE Controller Manager
%global _missing_build_ids_terminate_build 0
%global debug_package %{nil}
%prep
%setup
%setup -T -D -a 1
%build
curl -L -o go.tar.gz https://go.dev/dl/go1.24.2.linux-%{ARCH}.tar.gz
tar -xvf go.tar.gz
export PATH=$PATH:$(pwd)/go/bin
export CGO_ENABLED=0
go build -o spire-controller-manager cmd/main.go
%install
mkdir -p %{buildroot}/usr/bin
cp spire-controller-manager %{buildroot}/usr/bin
cd systemd
make install DESTDIR="%{buildroot}"
rm -f "%{buildroot}/etc/spiffe/default-trust-domain.env"
rm -f "%{buildroot}/etc/spire/agent/default".*
rm -f "%{buildroot}/etc/spire/server/default".*
rm -f "%{buildroot}/usr/lib/systemd/system/spire-agent"*
rm -f "%{buildroot}/usr/lib/systemd/system/spire-server"*
rm -f "%{buildroot}/usr/lib/systemd/system/spire.target"
rm -f "%{buildroot}/usr/libexec/spire/server/start.sh"
%clean
rm -rf %{buildroot}
%files
/usr/lib/systemd/system/spire-controller-manager@.service
/usr/bin/spire-controller-manager
/usr/libexec/spire/controller-manager/start.sh
%config(noreplace) /etc/spire/controller-manager/default.conf


@ -1,53 +0,0 @@
##############################################################################
#
# To you, dear reader:
#
# If you are a normal user, we recommend not reading further. Its probably not
# the file your looking for.
#
# If you are looking at using this file as a base for your own work, please
# don't. It is a horrible example. Please look elsewhere.
#
# If you are a package maintainer, please read on. We recognize this spec file
# is blasphemous, a terrible abomination, a crime against nature, and more. We
# regret needing to produce it, but had to in order to attract enough users to
# find you. We beseech thee, kind and generous package maintainer, please help
# us mend our wicked ways by joining us and help us produce proper packaging.
# You are our only hope.
#
##############################################################################
%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/)
Summary: SPIRE Credential Composer CEL
Name: spire-credentialcomposer-cel
Version: 0.0.2
Release: 1
Group: Applications/Internet
License: Apache-2.0
URL: https://spiffe.io
Source0: https://github.com/spiffe/spire-credentialcomposer-cel/releases/download/v%{version}/spire-credentialcomposer-cel_Linux_%{ARCH}.tar.gz
%global __strip /bin/true
%description
SPIRE Credential Composer CEL
%global _missing_build_ids_terminate_build 0
%global debug_package %{nil}
%prep
%setup -c
%build
%install
mkdir -p "%{buildroot}/usr/libexec/spire/plugins"
cp -a spire-credentialcomposer-cel %{buildroot}/usr/libexec/spire/plugins/credentialcomposer-cel
%clean
rm -rf %{buildroot}
%files
/usr/libexec/spire/plugins/credentialcomposer-cel


@ -1,5 +0,0 @@
[spire-examples]
name=spire-examples rpms
baseurl=https://spiffe.github.io/spire-examples/RPMS/$basearch/el$releasever
enabled=1
gpgcheck=0


@ -21,7 +21,7 @@
Summary: SPIRE HA Agent Summary: SPIRE HA Agent
Name: spire-ha-agent Name: spire-ha-agent
Version: 0.0.13 Version: 0.0.11
Release: 1 Release: 1
Group: Applications/Internet Group: Applications/Internet
License: Apache-2.0 License: Apache-2.0
@ -29,14 +29,13 @@ URL: https://spiffe.io
Source0: https://github.com/spiffe/spire-ha-agent/releases/download/v%{version}/spire-ha-agent_Linux_%{ARCH}.tar.gz Source0: https://github.com/spiffe/spire-ha-agent/releases/download/v%{version}/spire-ha-agent_Linux_%{ARCH}.tar.gz
Source1: https://github.com/spiffe/spire-ha-agent/releases/download/v%{version}/spire-trust-sync-helper_Linux_%{ARCH}.tar.gz Source1: https://github.com/spiffe/spire-ha-agent/releases/download/v%{version}/spire-trust-sync-helper_Linux_%{ARCH}.tar.gz
%global __strip /bin/true
%description %description
SPIRE HA Agent SPIRE HA Agent
%package -n spire-trust-sync %package -n spire-trust-sync
Summary: SPIRE Trust Sync Summary: SPIRE Trust Sync
Requires: spiffe-helper #FIXME This still needs upstream changes to package
#Requires: spiffe-helper
%description -n spire-trust-sync %description -n spire-trust-sync
SPIRE Trust Sync SPIRE Trust Sync


@ -1,101 +0,0 @@
##############################################################################
#
# To you, dear reader:
#
# If you are a normal user, we recommend not reading further. Its probably not
# the file your looking for.
#
# If you are looking at using this file as a base for your own work, please
# don't. It is a horrible example. Please look elsewhere.
#
# If you are a package maintainer, please read on. We recognize this spec file
# is blasphemous, a terrible abomination, a crime against nature, and more. We
# regret needing to produce it, but had to in order to attract enough users to
# find you. We beseech thee, kind and generous package maintainer, please help
# us mend our wicked ways by joining us and help us produce proper packaging.
# You are our only hope.
#
##############################################################################
%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/)
Summary: SPIRE Server Attestor TPM Sign
Name: spire-server-attestor-tpm-sign
Version: 0.0.4
Release: 1
Group: Applications/Internet
License: Apache-2.0
URL: https://spiffe.io
Source0: https://github.com/spiffe/spire-server-attestor-tpm/releases/download/v%{version}/spire-server-attestor-tpm-sign_Linux_%{ARCH}.tar.gz
Source1: https://github.com/spiffe/spire-server-attestor-tpm/releases/download/v%{version}/spire-server-attestor-tpm-signer-http_Linux_%{ARCH}.tar.gz
Source2: https://github.com/spiffe/spire-server-attestor-tpm/releases/download/v%{version}/spire-server-attestor-tpm-signer-unix_Linux_%{ARCH}.tar.gz
Source3: https://github.com/spiffe/spire-server-attestor-tpm/releases/download/v%{version}/spire-server-attestor-tpm-verifier_Linux_%{ARCH}.tar.gz
%global __strip /bin/true
%description
SPIRE Server Attestor TPM Sign
%package -n spire-server-attestor-tpm-signer-http
Summary: SPIRE Server Attestor TPM Signer HTTP service
Requires: spire-server-attestor-tpm-signer-unix
%description -n spire-server-attestor-tpm-signer-http
SPIRE Server Attestor TPM Signer HTTP service
%package -n spire-server-attestor-tpm-signer-unix
Summary: SPIRE Server Attestor TPM Signer Unix service
%description -n spire-server-attestor-tpm-signer-unix
SPIRE Server Attestor TPM Signer Unix service
%package -n spire-server-attestor-tpm-verifier
Summary: SPIRE Server Attestor TPM Verifier service
%description -n spire-server-attestor-tpm-verifier
SPIRE Server Attestor TPM Verifier service
%global _missing_build_ids_terminate_build 0
%global debug_package %{nil}
%prep
%setup -c
%setup -T -D -a 1
%setup -T -D -a 2
%setup -T -D -a 3
%build
%install
mkdir -p %{buildroot}/usr/bin
mkdir -p %{buildroot}/usr/lib/systemd/system
mkdir -p %{buildroot}/etc/spire/server-attestor-tpm
cp -a spire-server-attestor-tpm-sign %{buildroot}/usr/bin
cp -a spire-server-attestor-tpm-signer-http %{buildroot}/usr/bin
cp -a spire-server-attestor-tpm-signer-unix %{buildroot}/usr/bin
cp -a spire-server-attestor-tpm-verifier %{buildroot}/usr/bin
cp -a systemd/spire-server-attestor-tpm-signer-http.service %{buildroot}/usr/lib/systemd/system
cp -a systemd/spire-server-attestor-tpm-signer-unix.service %{buildroot}/usr/lib/systemd/system
cp -a systemd/spire-server-attestor-tpm-verifier.service %{buildroot}/usr/lib/systemd/system
cp -a conf/signer-http.conf %{buildroot}/etc/spire/server-attestor-tpm/
cp -a conf/signer-unix.conf %{buildroot}/etc/spire/server-attestor-tpm/
cp -a conf/verifier.conf %{buildroot}/etc/spire/server-attestor-tpm/
%clean
rm -rf %{buildroot}
%files
/usr/bin/spire-server-attestor-tpm-sign
%files -n spire-server-attestor-tpm-signer-http
/usr/bin/spire-server-attestor-tpm-signer-http
/usr/lib/systemd/system/spire-server-attestor-tpm-signer-http.service
%config(noreplace) /etc/spire/server-attestor-tpm/signer-http.conf
%files -n spire-server-attestor-tpm-signer-unix
/usr/bin/spire-server-attestor-tpm-signer-unix
/usr/lib/systemd/system/spire-server-attestor-tpm-signer-unix.service
%config(noreplace) /etc/spire/server-attestor-tpm/signer-unix.conf
%files -n spire-server-attestor-tpm-verifier
/usr/bin/spire-server-attestor-tpm-verifier
/usr/lib/systemd/system/spire-server-attestor-tpm-verifier.service
%config(noreplace) /etc/spire/server-attestor-tpm/verifier.conf


@ -1,53 +0,0 @@
##############################################################################
#
# To you, dear reader:
#
# If you are a normal user, we recommend not reading further. Its probably not
# the file your looking for.
#
# If you are looking at using this file as a base for your own work, please
# don't. It is a horrible example. Please look elsewhere.
#
# If you are a package maintainer, please read on. We recognize this spec file
# is blasphemous, a terrible abomination, a crime against nature, and more. We
# regret needing to produce it, but had to in order to attract enough users to
# find you. We beseech thee, kind and generous package maintainer, please help
# us mend our wicked ways by joining us and help us produce proper packaging.
# You are our only hope.
#
##############################################################################
%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/ | sed s/x86_64/amd64/)
Summary: SPIRE Server Node Attestor TPM Direct
Name: spire-server-nodeattestor-tpmdirect
Version: 1.9.0
Release: 1
Group: Applications/Internet
License: Apache-2.0
URL: https://spiffe.io
Source0: https://github.com/spiffe/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_tpm_attestor_server_linux_%{ARCH}_v%{version}.tar.gz
%global __strip /bin/true
%description
SPIRE Server Node Attestor TPM Direct
%global _missing_build_ids_terminate_build 0
%global debug_package %{nil}
%prep
%setup -c
%build
%install
mkdir -p "%{buildroot}/usr/libexec/spire/plugins"
cp -a tpm_attestor_server %{buildroot}/usr/libexec/spire/plugins/server-nodeattestor-tpmdirect
%clean
rm -rf %{buildroot}
%files
/usr/libexec/spire/plugins/server-nodeattestor-tpmdirect


@ -21,16 +21,13 @@
Summary: SPIRE components Summary: SPIRE components
Name: spire-common Name: spire-common
Version: 1.12.4 Version: 1.11.1
Release: 1 Release: 1
Group: Applications/Internet Group: Applications/Internet
License: Apache-2.0 License: Apache-2.0
URL: https://spiffe.io URL: https://spiffe.io
Source0: https://github.com/spiffe/spire/releases/download/v%{version}/spire-%{version}-linux-%{ARCH}-musl.tar.gz Source0: https://github.com/spiffe/spire/releases/download/v%{version}/spire-%{version}-linux-%{ARCH}-musl.tar.gz
Source1: https://github.com/spiffe/spire/releases/download/v%{version}/spire-extras-%{version}-linux-%{ARCH}-musl.tar.gz Source1: https://github.com/spiffe/spire/releases/download/v%{version}/spire-extras-%{version}-linux-%{ARCH}-musl.tar.gz
Source2: spire-extras-systemd.tar.gz
%global __strip /bin/true
%description %description
SPIRE Common SPIRE Common
@ -82,7 +79,6 @@ SPIFFE OIDC Discovery Provider
%setup -c %setup -c
%setup -T -D -a 1 %setup -T -D -a 1
%setup -T -D -a 2
%build %build
@ -91,11 +87,10 @@ SPIFFE OIDC Discovery Provider
mkdir -p "%{buildroot}/bin" mkdir -p "%{buildroot}/bin"
cp "spire-%{version}"/bin/* "%{buildroot}/bin" cp "spire-%{version}"/bin/* "%{buildroot}/bin"
cp "spire-extras-%{version}"/bin/oidc-discovery-provider "%{buildroot}/bin/spiffe-oidc-discovery-provider" cp "spire-extras-%{version}"/bin/oidc-discovery-provider "%{buildroot}/bin/spiffe-oidc-discovery-provider"
cd systemd git clone https://github.com/spiffe/spire-examples
cd spire-examples
cd examples/systemd
make install DESTDIR="%{buildroot}" make install DESTDIR="%{buildroot}"
rm -f "%{buildroot}/etc/spire/controller-manager/default.conf"
rm -f "%{buildroot}/usr/lib/systemd/system/spire-controller-manager@.service"
rm -f "%{buildroot}/usr/libexec/spire/controller-manager/start.sh"
%clean %clean
rm -rf %{buildroot} rm -rf %{buildroot}
@ -107,9 +102,7 @@ rm -rf %{buildroot}
%files -n spire-server %files -n spire-server
/usr/lib/systemd/system/spire-server@.service /usr/lib/systemd/system/spire-server@.service
/bin/spire-server /bin/spire-server
/usr/libexec/spire/server/start.sh
%config(noreplace) /etc/spire/server/default.conf %config(noreplace) /etc/spire/server/default.conf
%config(noreplace) /etc/spire/server/default.env
%files -n spire-agent %files -n spire-agent
/usr/lib/systemd/system/spire-agent@.service /usr/lib/systemd/system/spire-agent@.service
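Review bot: The right-hand `%install` fetches its systemd units and default configs with `git clone https://github.com/spiffe/spire-examples` at build time, so the files that end up in `spire-server`/`spire-agent` are whatever the repository's default branch holds when the build runs, not a reviewed, pinned input; the left-hand side avoided this by carrying them as `Source2: spire-extras-systemd.tar.gz` and unpacking it with `%setup -T -D -a 2`. Unpinned network fetches inside the build also make the RPM non-reproducible and require network access plus a `git` binary in the build environment, neither of which is declared in the visible hunks (the preamble with `BuildRequires` is outside them). If the clone must stay, at least pin it to a reviewed revision, e.g. `git clone --depth 1 --branch "<PINNED_TAG_OR_COMMIT>" https://github.com/spiffe/spire-examples` (placeholder), and add `BuildRequires: git`; carrying the assets as a local Source tarball with a checksum remains the safer option.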


@ -4,13 +4,7 @@ default:
install: install:
mkdir -p $(DESTDIR)/usr/lib/systemd/system/ mkdir -p $(DESTDIR)/usr/lib/systemd/system/
mkdir -p $(DESTDIR)/usr/libexec/spire/server/
mkdir -p $(DESTDIR)/usr/libexec/spire/controller-manager/
install scripts/server/start.sh $(DESTDIR)/usr/libexec/spire/server/
install scripts/controller-manager/start.sh $(DESTDIR)/usr/libexec/spire/controller-manager/
install system/* $(DESTDIR)/usr/lib/systemd/system/ install system/* $(DESTDIR)/usr/lib/systemd/system/
([ ! -f $(DESTDIR)/etc/spire/agent/default.conf ] && mkdir -p $(DESTDIR)/etc/spire/agent && install conf/agent/default.conf $(DESTDIR)/etc/spire/agent/default.conf) || true ([ ! -f $(DESTDIR)/etc/spire/agent/default.conf ] && mkdir -p $(DESTDIR)/etc/spire/agent && install conf/agent/default.conf $(DESTDIR)/etc/spire/agent/default.conf) || true
([ ! -f $(DESTDIR)/etc/spire/server/default.conf ] && mkdir -p $(DESTDIR)/etc/spire/server && install conf/server/default.conf $(DESTDIR)/etc/spire/server/default.conf) || true ([ ! -f $(DESTDIR)/etc/spire/server/default.conf ] && mkdir -p $(DESTDIR)/etc/spire/server && install conf/server/default.conf $(DESTDIR)/etc/spire/server/default.conf) || true
([ ! -f $(DESTDIR)/etc/spire/server/default.env ] && mkdir -p $(DESTDIR)/etc/spire/server && install conf/server/default.env $(DESTDIR)/etc/spire/server/default.env) || true
([ ! -f $(DESTDIR)/etc/spire/controller-manager/default.conf ] && mkdir -p $(DESTDIR)/etc/spire/controller-manager && install conf/controller-manager/default.conf $(DESTDIR)/etc/spire/controller-manager/default.conf) || true
([ ! -f $(DESTDIR)/etc/spiffe/default-trust-domain.env ] && mkdir -p $(DESTDIR)/etc/spiffe && install conf/spiffe/default-trust-domain.env $(DESTDIR)/etc/spiffe/default-trust-domain.env) || true ([ ! -f $(DESTDIR)/etc/spiffe/default-trust-domain.env ] && mkdir -p $(DESTDIR)/etc/spiffe && install conf/spiffe/default-trust-domain.env $(DESTDIR)/etc/spiffe/default-trust-domain.env) || true


@ -1,16 +0,0 @@
apiVersion: spire.spiffe.io/v1alpha1
kind: ControllerManagerConfig
metadata:
name: config
metrics:
bindAddress: 0.0.0.0:9123
health:
healthProbeBindAddress: 0.0.0.0:9124
trustDomain: "${SPIFFE_TRUST_DOMAIN}"
entryIDPrefix: "scm-${INSTANCE}"
clusterName: "scm-${INSTANCE}"
clusterDomain: local
watchClassless: true
spireServerSocketPath: "/var/run/spire/server/sockets/${SYSTEMD_INSTANCE}/private/api.sock"
staticManifestPath: "/etc/spire/server/${SYSTEMD_INSTANCE}/manifests"
logLevel: info


@ -1,9 +1,9 @@
server { server {
bind_address = "${SPIRE_BIND_ADDRESS}" bind_address = "0.0.0.0"
bind_port = "${SPIRE_BIND_PORT}" bind_port = "8081"
trust_domain = "${SPIFFE_TRUST_DOMAIN}" trust_domain = "${SPIFFE_TRUST_DOMAIN}"
jwt_issuer = "https://oidc-discovery-provider.${SPIFFE_TRUST_DOMAIN}" jwt_issuer = "https://oidc-discovery-provider.${SPIFFE_TRUST_DOMAIN}"
log_level = "${SPIRE_LOG_LEVEL}" log_level = "DEBUG"
ca_ttl = "168h" ca_ttl = "168h"
default_x509_svid_ttl = "48h" default_x509_svid_ttl = "48h"
} }
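Review bot: The right-hand side ships `log_level = "DEBUG"` in the packaged default server config, so every fresh install runs the SPIRE server at debug verbosity until an operator edits a file the spec marks `%config(noreplace)`; a shipped default should be `log_level = "INFO"`. Hard-coding `bind_address = "0.0.0.0"` and `bind_port = "8081"` also drops the `${SPIRE_BIND_ADDRESS}`/`${SPIRE_BIND_PORT}` indirection the left-hand side used, so the unit's `EnvironmentFile=` entries can no longer change where the server listens without rewriting the config. Since the file is already rendered with `-expandEnv` for `${SPIFFE_TRUST_DOMAIN}`, keeping `log_level = "${SPIRE_LOG_LEVEL}"` with an `INFO` default in an env file would preserve overridability at no cost.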


@ -1,3 +0,0 @@
SPIRE_BIND_ADDRESS=0.0.0.0
SPIRE_BIND_PORT=8081
SPIRE_LOG_LEVEL=DEBUG


@ -1,17 +0,0 @@
#!/bin/bash
# Set default variables
export INSTANCE="${INSTANCE:-${SYSTEMD_INSTANCE}}"
export SCM_CLASSNAME="${SCM_CLASSNAME:-scm-${SYSTEMD_INSTANCE}}"
export SCM_ENTRYID_PREFIX="${SCM_ENTRYID_PREFIX:-${SCM_CLASSNAME}}"
export SCM_CLUSTERNAME="${SCM_CLUSTERNAME:-${SCM_CLASSNAME}}"
mkdir -p "/var/lib/spire/controller-manager/${SYSTEMD_INSTANCE}"
if [ -f "/etc/spire/controller-manager/${SYSTEMD_INSTANCE}.conf" ]; then
cp -a "/etc/spire/controller-manager/${SYSTEMD_INSTANCE}.conf" "/var/lib/spire/controller-manager/${SYSTEMD_INSTANCE}/config"
else
cp -a /etc/spire/controller-manager/default.conf "/var/lib/spire/controller-manager/${SYSTEMD_INSTANCE}/config"
fi
/bin/spire-controller-manager -config "/var/lib/spire/controller-manager/${SYSTEMD_INSTANCE}/config" -expand-env


@ -1,18 +0,0 @@
#!/bin/bash
# Set default variables
export INSTANCE="${INSTANCE:-${SYSTEMD_INSTANCE}}"
mkdir -p "/var/lib/spire/server/${SYSTEMD_INSTANCE}" "/run/spire/server/${SYSTEMD_INSTANCE}/private" "/etc/spire/server/${SYSTEMD_INSTANCE}/tpm-direct/certs" "/etc/spire/server/${SYSTEMD_INSTANCE}/tpm-direct/hashes"
if [ -f "/etc/spire/server/${SYSTEMD_INSTANCE}/config" ]; then
cp -a "/etc/spire/server/${SYSTEMD_INSTANCE}/config" "/var/lib/spire/server/${SYSTEMD_INSTANCE}/config"
else
if [ -f "/etc/spire/server/${SYSTEMD_INSTANCE}.conf" ]; then
cp -a "/etc/spire/server/${SYSTEMD_INSTANCE}.conf" "/var/lib/spire/server/${SYSTEMD_INSTANCE}/config"
else
cp -a "/etc/spire/server/default.conf" "/var/lib/spire/server/${SYSTEMD_INSTANCE}/config"
fi
fi
/bin/spire-server run -config "/var/lib/spire/server/${SYSTEMD_INSTANCE}/config" -dataDir "/var/lib/spire/server/${SYSTEMD_INSTANCE}" -socketPath "/run/spire/server/sockets/${SYSTEMD_INSTANCE}/private/api.sock" -expandEnv


@ -1,47 +0,0 @@
[Unit]
Description=SPIRE Controller Manager Daemon %i
PartOf=spire-server.target
After=network-online.target local-fs.target time-sync.target
Before=remote-fs-pre.target
Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-server.target
StartLimitIntervalSec=0
[Service]
WorkingDirectory=/var/lib/spire/controller-manager/%i
StateDirectory=spire/controller-manager/%i
RuntimeDirectory=spire/controller-manager/sockets/%i
RuntimeDirectoryPreserve=true
ConfigurationDirectory=spire/controller-manager
EnvironmentFile=-/etc/spiffe/default-trust-domain.env
EnvironmentFile=-/etc/spiffe/server/default.env
EnvironmentFile=-/etc/spire/server/%i.env
EnvironmentFile=-/etc/spire/server/%i/env
EnvironmentFile=-/etc/spire/controller-manager/%i.env
EnvironmentFile=-/etc/spire/server/%i/controller-manager.env
Environment=SYSTEMD_INSTANCE=%i
ExecStart=/usr/libexec/spire/controller-manager/start.sh
# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=false
# Needed by plugins
PrivateTmp=false
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadOnlyPaths=/
Restart=always
RestartSec=5s
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=yes
RestrictSUIDSGID=yes
TasksMax=infinity
[Install]
WantedBy=spire-server.target


@ -12,11 +12,11 @@ RuntimeDirectory=spire/server/sockets/%i
RuntimeDirectoryPreserve=true RuntimeDirectoryPreserve=true
ConfigurationDirectory=spire/server ConfigurationDirectory=spire/server
EnvironmentFile=-/etc/spiffe/default-trust-domain.env EnvironmentFile=-/etc/spiffe/default-trust-domain.env
EnvironmentFile=-/etc/spire/server/default.env
EnvironmentFile=-/etc/spire/server/%i.env EnvironmentFile=-/etc/spire/server/%i.env
EnvironmentFile=-/etc/spire/server/%i/env Environment=INSTANCE=%i
Environment=SYSTEMD_INSTANCE=%i ExecStart=/bin/spire-server run -config /var/lib/spire/server/%i/config -dataDir /var/lib/spire/server/%i -socketPath /run/spire/server/sockets/%i/private/api.sock -expandEnv
ExecStart=/usr/libexec/spire/server/start.sh ExecStartPre=mkdir -p /var/lib/spire/server/%i /run/spire/server/%i/private /etc/spire/server/%i/tpm-direct/hashes
ExecStartPre=/bin/bash -c "if [ -f /etc/spire/server/%i.conf ]; then cp -a /etc/spire/server/%i.conf /var/lib/spire/server/%i/config; else cp -a /etc/spire/server/default.conf /var/lib/spire/server/%i/config; fi"
# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04 # https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
LockPersonality=true LockPersonality=true
MemoryDenyWriteExecute=true MemoryDenyWriteExecute=true