nginxinc
diff --git a/Diff for: ‎helm-chart/Chart.yaml
+3-3 b/Diff for: ‎helm-chart/Chart.yaml
+3-3
diff --git a/Diff for: ‎helm-chart/configs/k8s-workload-registrar.conf
+1-1 b/Diff for: ‎helm-chart/configs/k8s-workload-registrar.conf
+1-1
diff --git a/Diff for: ‎helm-chart/configs/mesh-config.conf
+9-2 b/Diff for: ‎helm-chart/configs/mesh-config.conf
+9-2
diff --git a/Diff for: ‎helm-chart/configs/spire-server.conf
+8 b/Diff for: ‎helm-chart/configs/spire-server.conf
+8
diff --git a/Diff for: ‎helm-chart/crds/spiffeid.spiffe.io_spiffeids.yaml
+107 b/Diff for: ‎helm-chart/crds/spiffeid.spiffe.io_spiffeids.yaml
+107
diff --git a/Diff for: ‎helm-chart/templates/_helpers.tpl
+12-4 b/Diff for: ‎helm-chart/templates/_helpers.tpl
+12-4
diff --git a/Diff for: ‎helm-chart/templates/nats.yaml
+9-2 b/Diff for: ‎helm-chart/templates/nats.yaml
+9-2
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: nginx-service-mesh
 description: NGINX Service Mesh
-version: 0.2.1
-appVersion: 1.2.1
-kubeVersion: "1.16-0 - 1.21-0"
+version: 0.3.0
+appVersion: 1.3.0
+kubeVersion: ">= 1.18-0"
 icon: https://raw.githubusercontent.com/nginxinc/nginx-service-mesh/master/helm-chart/chart-icon.png
@@ -6,4 +6,4 @@ pod_controller = true
 add_svc_dns_name = true
 mode = "crd"
 webhook_enabled = true
-webhook_cert_dir = "/tmp/k8s-webhook-server/serving-certs"
+identity_template_label = "spiffe.io/spiffeid"
@@ -6,12 +6,19 @@
       "port": 443
     },
     "autoInjectorPort": 9443,
+    "environment": {{ quote .Values.environment }},
     "injection": {
-      "disabledNamespaces": {{ .Values.autoInjection.disabledNamespaces }},
-      "enabledNamespaces": {{ .Values.autoInjection.enabledNamespaces }},
+      "disabledNamespaces": [{{ range $idx, $elem := .Values.autoInjection.disabledNamespaces }}{{if $idx}},{{end}}{{quote .}}{{end}}],
+      "enabledNamespaces": [{{ range $idx, $elem := .Values.autoInjection.enabledNamespaces }}{{if $idx}},{{end}}{{quote .}}{{end}}],
       "isAutoInjectEnabled": {{ not .Values.autoInjection.disable }}
     },
     "loadBalancingMethod": {{ quote .Values.nginxLBMethod }},
+    "mtls": {
+      "mode": {{ quote .Values.mtls.mode }},
+      "caTTL": {{ quote .Values.mtls.caTTL }},
+      "svidTTL": {{ quote .Values.mtls.svidTTL }},
+      "caKeyType": {{ quote .Values.mtls.caKeyType }}
+    },
     "mtlsMode": {{ quote .Values.mtls.mode }},
     "namespace": {{ quote .Release.Namespace }},
     "nginxErrorLogLevel": {{ quote .Values.nginxErrorLogLevel }},
 
@@ -1,6 +1,7 @@
 server {
   bind_address = "0.0.0.0"
   bind_port = "8081"
+  ca_key_type = {{ quote .Values.mtls.caKeyType }}
   ca_ttl = {{ quote .Values.mtls.caTTL }}
   data_dir = "/run/spire/data"
   log_level = "DEBUG"
@@ -59,3 +60,10 @@ plugins {
   {{ end }}
 
 }
+
+health_checks {
+  listener_enabled = true
+  bind_address = "0.0.0.0"
+  live_path = "/live"
+  ready_path = "/ready"
+}
@@ -0,0 +1,107 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: spiffeids.spiffeid.spiffe.io
+  labels:
+    app.kubernetes.io/part-of: nginx-service-mesh
+spec:
+  group: spiffeid.spiffe.io
+  names:
+    kind: SpiffeID
+    listKind: SpiffeIDList
+    plural: spiffeids
+    singular: spiffeid
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        description: SpiffeID is the Schema for the spiffeid API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: SpiffeIDSpec defines the desired state of SpiffeID
+            properties:
+              dnsNames:
+                items:
+                  type: string
+                type: array
+              federatesWith:
+                items:
+                  type: string
+                type: array
+              parentId:
+                type: string
+              selector:
+                properties:
+                  arbitrary:
+                    description: Arbitrary selectors
+                    items:
+                      type: string
+                    type: array
+                  containerImage:
+                    description: Container image to match for this spiffe ID
+                    type: string
+                  containerName:
+                    description: Container name to match for this spiffe ID
+                    type: string
+                  namespace:
+                    description: Namespace to match for this spiffe ID
+                    type: string
+                  nodeName:
+                    description: Node name to match for this spiffe ID
+                    type: string
+                  podLabel:
+                    additionalProperties:
+                      type: string
+                    description: Pod label name/value to match for this spiffe ID
+                    type: object
+                  podName:
+                    description: Pod name to match for this spiffe ID
+                    type: string
+                  podUid:
+                    description: Pod UID to match for this spiffe ID
+                    type: string
+                  serviceAccount:
+                    description: ServiceAccount to match for this spiffe ID
+                    type: string
+                  cluster:
+                    description: The k8s_psat cluster name
+                    type: string
+                  agent_node_uid:
+                    description: UID of the node
+                    type: string
+                type: object
+              spiffeId:
+                type: string
+            required:
+            - parentId
+            - selector
+            - spiffeId
+            type: object
+          status:
+            description: SpiffeIDStatus defines the observed state of SpiffeID
+            properties:
+              entryId:
+                description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
+                  of cluster Important: Run "make" to regenerate code after modifying
+                  this file'
+                type: string
+            type: object
+        type: object
@@ -40,10 +40,18 @@ prometheus.{{.Release.Namespace}}.svc.cluster.local:9090
 {{- if not .Values.registry.disablePublicImages }}gcr.io/spiffe-io{{ else }}{{ .Values.registry.server }}{{ end }}
 {{- end }}
 
+{{- define "node-driver.image-server" -}}
+{{- if not .Values.registry.disablePublicImages }}quay.io/k8scsi{{ else }}{{ .Values.registry.server }}{{ end }}
+{{- end }}
+
 {{- define "hook.image-server" -}}
 {{- if not .Values.registry.disablePublicImages }}bitnami{{ else }}{{ .Values.registry.server }}{{ end }}
 {{- end }}
 
+{{- define "ubuntu.image-server" -}}
+{{- if not .Values.registry.disablePublicImages }}{{ else }}{{ .Values.registry.server }}/{{ end }}
+{{- end }}
+
 {{- define "registry-key-name" -}}
 nginx-mesh-registry-key
 {{- end }}
@@ -75,8 +83,8 @@ nginx-mesh-registry-key
 Define the name of the key where the Upstream Authority secret data is stored.
 */}}
 {{- define "ua-secret-name" -}}
-{{- if .Values.mtls.upstreamAuthority.awsPCA -}}
-credentials
+{{- if .Values.mtls.upstreamAuthority.awsPCA -}} {{- if .Values.mtls.upstreamAuthority.awsPCA.awsAccessKeyID -}}
+credentials {{- end }}
 {{- else if .Values.mtls.upstreamAuthority.disk -}}
 upstreamCA.key
 {{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}}
@@ -88,8 +96,8 @@ upstreamClient.key{{ end }}
 Define the name of the mount path where the Upstream Authority secret data is stored.
 */}}
 {{- define "ua-secret-mountpath" -}}
-{{- if .Values.mtls.upstreamAuthority.awsPCA -}}
-/root/.aws
+{{- if and .Values.mtls.upstreamAuthority.awsPCA -}} {{- if .Values.mtls.upstreamAuthority.awsPCA.awsAccessKeyID -}}
+/root/.aws {{- end }}
 {{- else if .Values.mtls.upstreamAuthority.disk -}}
 /run/spire/secrets
 {{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}}
 
@@ -53,6 +53,7 @@ spec:
       labels:
         app.kubernetes.io/name: nats-server
         app.kubernetes.io/part-of: nginx-service-mesh
+        spiffe.io/spiffeid: "true"
     spec:
       serviceAccountName: nats
       volumes:
@@ -63,10 +64,16 @@ spec:
         emptyDir: {}
       - name: tls
         emptyDir: {}
-      - hostPath:
+      - name: spire-agent-socket
+        {{ if eq .Values.environment "openshift" -}}
+        csi:
+          driver: wlapi-mounter.spire.nginx.com
+          readOnly: true
+        {{- else -}}
+        hostPath:
           path: "/run/spire/sockets"
           type: DirectoryOrCreate
-        name: spire-agent-socket
+        {{- end }}
       shareProcessNamespace: true
       terminationGracePeriodSeconds: 60
       imagePullSecrets: