Charts CI

```
Updated:
  bitnami/spark:
    - 7.2.2
  cockroach-labs/cockroachdb:
    - 11.2.0
  datadog/datadog:
    - 3.38.1
  external-secrets/external-secrets:
    - 0.9.5
  hashicorp/consul:
    - 1.2.2
  hpe/hpe-csi-driver:
    - 2.4.0
  instana/instana-agent:
    - 1.2.63
  jaeger/jaeger-operator:
    - 2.47.0
  jfrog/artifactory-ha:
    - 107.68.11
  jfrog/artifactory-jcr:
    - 107.68.11
  koor-tech/koor-operator:
    - 0.3.8
  kubecost/cost-analyzer:
    - 1.106.1
  redpanda/redpanda:
    - 5.4.10
  yugabyte/yugabyte:
    - 2.18.3+0
  yugabyte/yugaware:
    - 2.18.3+0
```

charts/bitnami/spark/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.10.0
+  version: 2.11.1
-digest: sha256:023ded170632d04528f30332370f34fc8fb96efb2886a01d934cb3bd6e6d2e09
+digest: sha256:ead8f26c76a9ec082f23629a358e8efd8f88d87aaed734bf41febcb8a7bc5d4c
-generated: "2023-09-05T11:36:18.65087+02:00"
+generated: "2023-09-22T06:36:42.731159585Z"

charts/bitnami/spark/Chart.yaml

@@ -6,7 +6,7 @@ annotations:
   category: Infrastructure
   images: |
     - name: spark
-      image: docker.io/bitnami/spark:3.4.1-debian-11-r48
+      image: docker.io/bitnami/spark:3.4.1-debian-11-r71
   licenses: Apache-2.0
 apiVersion: v2
 appVersion: 3.4.1
@@ -30,4 +30,4 @@ maintainers:
 name: spark
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/spark
-version: 7.2.1
+version: 7.2.2

charts/bitnami/spark/README.md

@@ -86,7 +86,7 @@ The command removes all the Kubernetes components associated with the chart and
 | ------------------- | ----------------------------------------------------------------------------------------------------- | --------------------- |
 | `image.registry`    | Spark image registry                                                                                  | `docker.io`           |
 | `image.repository`  | Spark image repository                                                                                | `bitnami/spark`       |
-| `image.tag`         | Spark image tag (immutable tags are recommended)                                                      | `3.4.1-debian-11-r48` |
+| `image.tag`         | Spark image tag (immutable tags are recommended)                                                      | `3.4.1-debian-11-r71` |
 | `image.digest`      | Spark image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""`                  |
 | `image.pullPolicy`  | Spark image pull policy                                                                               | `IfNotPresent`        |
 | `image.pullSecrets` | Specify docker-registry secret names as an array                                                      | `[]`                  |

charts/bitnami/spark/charts/common/Chart.yaml

@@ -2,7 +2,7 @@ annotations:
   category: Infrastructure
   licenses: Apache-2.0
 apiVersion: v2
-appVersion: 2.9.2
+appVersion: 2.11.1
 description: A Library Helm Chart for grouping common logic between bitnami charts.
   This chart is not deployable by itself.
 home: https://bitnami.com
@@ -20,4 +20,4 @@ name: common
 sources:
 - https://github.com/bitnami/charts
 type: library
-version: 2.10.0
+version: 2.11.1

charts/bitnami/spark/charts/common/templates/_images.tpl

@@ -83,3 +83,19 @@ imagePullSecrets:
     {{- end }}
   {{- end }}
 {{- end -}}
+
+{{/*
+Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion)
+{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }}
+*/}}
+{{- define "common.images.version" -}}
+{{- $imageTag := .imageRoot.tag | toString -}}
+{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}}
+{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}}
+    {{- $version := semver $imageTag -}}
+    {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}}
+{{- else -}}
+    {{- print .chart.AppVersion -}}
+{{- end -}}
+{{- end -}}
+

charts/bitnami/spark/charts/common/templates/_labels.tpl

@@ -11,21 +11,13 @@ Kubernetes standard labels
 */}}
 {{- define "common.labels.standard" -}}
 {{- if and (hasKey . "customLabels") (hasKey . "context") -}}
-{{ merge
+{{ merge (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) (dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service "app.kubernetes.io/version" .context.Chart.AppVersion) | toYaml }}
-        (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml)
-        (dict
-            "app.kubernetes.io/name" (include "common.names.name" .context)
-            "helm.sh/chart" (include "common.names.chart" .context)
-            "app.kubernetes.io/instance" .context.Release.Name
-            "app.kubernetes.io/managed-by" .context.Release.Service
-        )
-    | toYaml
-}}
 {{- else -}}
 app.kubernetes.io/name: {{ include "common.names.name" . }}
 helm.sh/chart: {{ include "common.names.chart" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end -}}
 {{- end -}}
 
@@ -40,14 +32,7 @@ overwrote them on metadata.labels fields.
 */}}
 {{- define "common.labels.matchLabels" -}}
 {{- if and (hasKey . "customLabels") (hasKey . "context") -}}
-{{ merge
+{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }}
-        (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance")
-        (dict
-            "app.kubernetes.io/name" (include "common.names.name" .context)
-            "app.kubernetes.io/instance" .context.Release.Name
-        )
-    | toYaml
-}}
 {{- else -}}
 app.kubernetes.io/name: {{ include "common.names.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}

charts/bitnami/spark/charts/common/values.schema.json

@@ -0,0 +1,11 @@
+{
+    "title": "Chart Values",
+    "type": "object",
+    "properties": {
+        "exampleValue": {
+            "type": "string",
+            "description": "",
+            "default": "common-chart"
+        }
+    }
+}

charts/bitnami/spark/values.yaml

@@ -95,7 +95,7 @@ diagnosticMode:
 image:
   registry: docker.io
   repository: bitnami/spark
-  tag: 3.4.1-debian-11-r48
+  tag: 3.4.1-debian-11-r71
   digest: ""
   ## Specify a imagePullPolicy
   ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'

charts/cockroach-labs/cockroachdb/Chart.yaml

@@ -14,4 +14,4 @@ maintainers:
 name: cockroachdb
 sources:
 - https://github.com/cockroachdb/cockroach
-version: 11.1.7
+version: 11.2.0

charts/cockroach-labs/cockroachdb/templates/NOTES.txt

@@ -42,7 +42,7 @@ CockroachDB cluster are:
 Finally, to open up the CockroachDB admin UI, you can port-forward from your
 local machine into one of the instances in the cluster:
 
-    kubectl port-forward {{ template "cockroachdb.fullname" . }}-0 {{ index .Values.conf `http-port` | int64 }}
+    kubectl port-forward -n {{ .Release.Namespace }} {{ template "cockroachdb.fullname" . }}-0 {{ index .Values.conf `http-port` | int64 }} 
 
 Then you can access the admin UI at http{{ if .Values.tls.enabled }}s{{ end }}://localhost:{{ index .Values.conf `http-port` | int64 }}/ in your web browser.
 

charts/cockroach-labs/cockroachdb/templates/job-certSelfSigner.yaml

@@ -30,6 +30,8 @@ spec:
     spec:
     {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
       securityContext:
+        seccompProfile:
+          type: "RuntimeDefault"
         runAsGroup: 1000
         runAsUser: 1000
         fsGroup: 1000
@@ -71,5 +73,11 @@ spec:
             value: {{ .Release.Namespace | quote }}
           - name: CLUSTER_DOMAIN
             value: {{ .Values.clusterDomain}}
+        {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:  
+              drop: ["ALL"]
+        {{- end }}
       serviceAccountName: {{ template "selfcerts.fullname" . }}
 {{- end}}

charts/cockroach-labs/cockroachdb/templates/job-cleaner.yaml

@@ -27,6 +27,8 @@ spec:
     spec:
     {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
       securityContext:
+        seccompProfile:
+          type: "RuntimeDefault"
         runAsGroup: 1000
         runAsUser: 1000
         fsGroup: 1000
@@ -43,5 +45,11 @@ spec:
           env:
           - name: STATEFULSET_NAME
             value: {{ template "cockroachdb.fullname" . }}
+        {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:  
+              drop: ["ALL"]
+        {{- end }}
       serviceAccountName: {{ template "rotatecerts.fullname" . }}
 {{- end}}

charts/cockroach-labs/cockroachdb/templates/job.init.yaml

@@ -40,6 +40,8 @@ spec:
     {{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }}
     {{- if and .Values.init.securityContext.enabled }}
       securityContext:
+        seccompProfile:
+          type: "RuntimeDefault"
         runAsGroup: 1000
         runAsUser: 1000
         fsGroup: 1000
@@ -72,6 +74,12 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+        {{- if and .Values.init.securityContext.enabled }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:  
+              drop: ["ALL"]
+        {{- end }}
           volumeMounts:
             - name: client-certs
               mountPath: /cockroach-certs/
@@ -247,6 +255,12 @@ spec:
         {{- with .Values.init.resources }}
           resources: {{- toYaml . | nindent 12 }}
         {{- end }}
+        {{- if and .Values.init.securityContext.enabled }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:  
+              drop: ["ALL"]
+        {{- end }}
     {{- if .Values.tls.enabled }}
       volumes:
         - name: client-certs

charts/cockroach-labs/cockroachdb/templates/statefulset.yaml

@@ -65,6 +65,15 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+        {{- if .Values.statefulset.securityContext.enabled }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+        {{- end }}
           volumeMounts:
             - name: certs
               mountPath: /cockroach-certs/
@@ -354,6 +363,8 @@ spec:
       {{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }}
       {{- if and .Values.securityContext.enabled }}
       securityContext:
+        seccompProfile:
+          type: "RuntimeDefault"
         fsGroup: 1000
         runAsGroup: 1000
         runAsUser: 1000

charts/datadog/datadog/CHANGELOG.md

@@ -1,5 +1,29 @@
 # Datadog changelog
 
+## 3.38.1
+
+* Enable Remote Config by default on the host agent only
+
+## 3.38.0
+
+* Default `Agent` and `Cluster-Agent` to `7.47.1` version.
+
+## 3.37.1
+
+* Temporarily revert enabling Remote Config by default
+
+## 3.37.0
+
+* Rename `datadog.securityAgent.compliance.xccdf.enabled` parameter to `datadog.securityAgent.compliance.host_benchmarks.enabled`.
+
+## 3.36.4
+
+* Disable Remote Config on the cluster checks runner
+
+## 3.36.3
+
+* Mount `/etc/passwd` in process agent only if `datadog.processAgent.processCollection` or `datadog.processAgent.processDiscovery` is enabled.
+
 ## 3.36.2
 
 * Update `fips.image.tag` to `0.5.5` which upgrades HAProxy to 2.4.24 and zlib to 1.3

charts/datadog/datadog/Chart.yaml

@@ -19,4 +19,4 @@ name: datadog
 sources:
 - https://app.datadoghq.com/account/settings#agent/kubernetes
 - https://github.com/DataDog/datadog-agent
-version: 3.36.2
+version: 3.38.1

charts/datadog/datadog/README.md

@@ -1,6 +1,6 @@
 # Datadog
 
-![Version: 3.36.2](https://img.shields.io/badge/Version-3.36.2-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 3.38.1](https://img.shields.io/badge/Version-3.38.1-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
 
@@ -449,7 +449,7 @@ helm install <RELEASE_NAME> \
 | agents.image.pullPolicy | string | `"IfNotPresent"` | Datadog Agent image pull policy |
 | agents.image.pullSecrets | list | `[]` | Datadog Agent repository pullSecret (ex: specify docker registry credentials) |
 | agents.image.repository | string | `nil` | Override default registry + image.name for Agent |
-| agents.image.tag | string | `"7.47.0"` | Define the Agent version to use |
+| agents.image.tag | string | `"7.47.1"` | Define the Agent version to use |
 | agents.image.tagSuffix | string | `""` | Suffix to append to Agent tag |
 | agents.localService.forceLocalServiceEnabled | bool | `false` | Force the creation of the internal traffic policy service to target the agent running on the local node. By default, the internal traffic service is created only on Kubernetes 1.22+ where the feature became beta and enabled by default. This option allows to force the creation of the internal traffic service on kubernetes 1.21 where the feature was alpha and required a feature gate to be explicitly enabled. |
 | agents.localService.overrideName | string | `""` | Name of the internal traffic service to target the agent running on the local node |
@@ -490,7 +490,7 @@ helm install <RELEASE_NAME> \
 | clusterAgent.admissionController.failurePolicy | string | `"Ignore"` | Set the failure policy for dynamic admission control.' |
 | clusterAgent.admissionController.mutateUnlabelled | bool | `false` | Enable injecting config without having the pod label 'admission.datadoghq.com/enabled="true"' |
 | clusterAgent.admissionController.port | int | `8000` | Set port of cluster-agent admission controller service |
-| clusterAgent.admissionController.remoteInstrumentation.enabled | bool | `true` | Enable polling and applying library injection using Remote Config. # This feature is in beta, and enables Remote Config in the Cluster Agent. It also requires Cluster Agent version 7.43+. # Enabling this feature grants the Cluster Agent the permissions to patch Deployment objects in the cluster. |
+| clusterAgent.admissionController.remoteInstrumentation.enabled | bool | `false` | Enable polling and applying library injection using Remote Config. # This feature is in beta, and enables Remote Config in the Cluster Agent. It also requires Cluster Agent version 7.43+. # Enabling this feature grants the Cluster Agent the permissions to patch Deployment objects in the cluster. |
 | clusterAgent.admissionController.webhookName | string | `"datadog-webhook"` | Name of the mutatingwebhookconfigurations created by the cluster-agent |
 | clusterAgent.advancedConfd | object | `{}` | Provide additional cluster check configurations. Each key is an integration containing several config files. |
 | clusterAgent.affinity | object | `{}` | Allow the Cluster Agent Deployment to schedule using affinity rules |
@@ -513,7 +513,7 @@ helm install <RELEASE_NAME> \
 | clusterAgent.image.pullPolicy | string | `"IfNotPresent"` | Cluster Agent image pullPolicy |
 | clusterAgent.image.pullSecrets | list | `[]` | Cluster Agent repository pullSecret (ex: specify docker registry credentials) |
 | clusterAgent.image.repository | string | `nil` | Override default registry + image.name for Cluster Agent |
-| clusterAgent.image.tag | string | `"7.47.0"` | Cluster Agent image tag to use |
+| clusterAgent.image.tag | string | `"7.47.1"` | Cluster Agent image tag to use |
 | clusterAgent.livenessProbe | object | Every 15s / 6 KO / 1 OK | Override default Cluster Agent liveness probe settings |
 | clusterAgent.metricsProvider.aggregator | string | `"avg"` | Define the aggregator the cluster agent will use to process the metrics. The options are (avg, min, max, sum) |
 | clusterAgent.metricsProvider.createReaderRbac | bool | `true` | Create `external-metrics-reader` RBAC automatically (to allow HPA to read data from Cluster Agent) |
@@ -563,7 +563,7 @@ helm install <RELEASE_NAME> \
 | clusterChecksRunner.image.pullPolicy | string | `"IfNotPresent"` | Datadog Agent image pull policy |
 | clusterChecksRunner.image.pullSecrets | list | `[]` | Datadog Agent repository pullSecret (ex: specify docker registry credentials) |
 | clusterChecksRunner.image.repository | string | `nil` | Override default registry + image.name for Cluster Check Runners |
-| clusterChecksRunner.image.tag | string | `"7.47.0"` | Define the Agent version to use |
+| clusterChecksRunner.image.tag | string | `"7.47.1"` | Define the Agent version to use |
 | clusterChecksRunner.image.tagSuffix | string | `""` | Suffix to append to Agent tag |
 | clusterChecksRunner.livenessProbe | object | Every 15s / 6 KO / 1 OK | Override default agent liveness probe settings |
 | clusterChecksRunner.networkPolicy.create | bool | `false` | If true, create a NetworkPolicy for the cluster checks runners. DEPRECATED. Use datadog.networkPolicy.create instead |
@@ -698,7 +698,8 @@ helm install <RELEASE_NAME> \
 | datadog.securityAgent.compliance.checkInterval | string | `"20m"` | Compliance check run interval |
 | datadog.securityAgent.compliance.configMap | string | `nil` | Contains CSPM compliance benchmarks that will be used |
 | datadog.securityAgent.compliance.enabled | bool | `false` | Set to true to enable Cloud Security Posture Management (CSPM) |
-| datadog.securityAgent.compliance.xccdf.enabled | bool | `false` | Set to true to enable XCCDF (this feature is supported from Agent 7.45, and requires 160 MB extra memory for the `security-agent` container) |
+| datadog.securityAgent.compliance.host_benchmarks.enabled | bool | `false` | Set to true to enable host benchmarks (this feature is supported from Agent 7.47, and requires 160 MB extra memory for the `security-agent` container) |
+| datadog.securityAgent.compliance.xccdf.enabled | bool | `false` |  |
 | datadog.securityAgent.runtime.activityDump.cgroupDumpTimeout | int | `20` | Set to the desired duration of a single container tracing (in minutes) |
 | datadog.securityAgent.runtime.activityDump.cgroupWaitListSize | int | `0` | Set to the size of the wait list for already traced containers |
 | datadog.securityAgent.runtime.activityDump.enabled | bool | `true` | Set to true to enable the collection of CWS activity dumps |

charts/datadog/datadog/ci/security-agent-compliance-values.yaml

@@ -10,5 +10,5 @@ securityAgent:
     enabled: true
     # Set an empty configMap so that we don't try to mount one
     configMap:
-    xccdf:
+    host_benchmarks:
       enabled: true

charts/datadog/datadog/templates/NOTES.txt

@@ -476,3 +476,13 @@ You have enabled creataion of PodSecurityPolicy, however PSP have been removed f
 
 You should deactivate these options: clusterAgent.podSecurity.podSecurityPolicy.create and/or agents.podSecurity.podSecurityPolicy.create
 {{- end }}
+
+{{- if .Values.datadog.securityAgent.compliance.xccdf.enabled }}
+#################################################################
+####               WARNING: Deprecation notice               ####
+#################################################################
+
+You are using the datadog.securityAgent.compliance.xccdf.enabled parameter which has been replaced by datadog.securityAgent.compliance.host_benchmarks.enabled.
+This version still supports both but the support of the old name will be dropped in the next major version of our Helm chart.
+More information about this change: https://github.com/DataDog/helm-charts/pull/1161
+{{- end }}

charts/datadog/datadog/templates/_container-process-agent.yaml

@@ -88,9 +88,11 @@
       mountPath: /host/sys/fs/cgroup
       mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }}
       readOnly: true
+    {{- if or .Values.datadog.processAgent.processCollection .Values.datadog.processAgent.processDiscovery}}
     - name: passwd
       mountPath: /etc/passwd
       readOnly: true
+    {{- end }}
     - name: procdir
       mountPath: /host/proc
       mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }}

charts/datadog/datadog/templates/_container-security-agent.yaml

@@ -34,9 +34,11 @@
     {{- if .Values.datadog.securityAgent.compliance.enabled }}
     - name: DD_COMPLIANCE_CONFIG_CHECK_INTERVAL
       value: {{ .Values.datadog.securityAgent.compliance.checkInterval | quote }}
-    {{- if .Values.datadog.securityAgent.compliance.xccdf.enabled }}
+    {{- if or .Values.datadog.securityAgent.compliance.xccdf.enabled .Values.datadog.securityAgent.compliance.host_benchmarks.enabled }}
     - name: DD_COMPLIANCE_CONFIG_XCCDF_ENABLED
-      value:  {{ .Values.datadog.securityAgent.compliance.xccdf.enabled | quote }}
+      value:  "true"
+    - name: DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED
+      value:  "true"
     {{- end }}
     - name: HOST_ROOT
       value: /host/root

charts/datadog/datadog/templates/agent-clusterchecks-deployment.yaml

@@ -185,6 +185,8 @@ spec:
             value: "false"
           - name: DD_APM_ENABLED
             value: "false"
+          - name: DD_REMOTE_CONFIGURATION_ENABLED
+            value: "false"
           - name: DD_HOSTNAME
             valueFrom:
               fieldRef:

charts/datadog/datadog/values.yaml

@@ -532,7 +532,7 @@ datadog:
   processAgent:
     # datadog.processAgent.enabled -- Set this to true to enable live process monitoring agent
 
-    ## Note: /etc/passwd is automatically mounted to allow username resolution.
+    ## Note: /etc/passwd is automatically mounted when `processCollection` or `processDiscovery` is enabled.
     ## ref: https://docs.datadoghq.com/graphing/infrastructure/process/#kubernetes-daemonset
     enabled: true
 
@@ -666,10 +666,14 @@ datadog:
       # datadog.securityAgent.compliance.checkInterval -- Compliance check run interval
       checkInterval: 20m
 
-      # datadog.securityAgent.compliance.xccdf.enabled -- Set to true to enable XCCDF (this feature is supported from Agent 7.45, and requires 160 MB extra memory for the `security-agent` container)
+      # DEPRECATED. Use datadog.securityAgent.compliance.host_benchmarks.enabled instead.
       xccdf:
         enabled: false
 
+      # datadog.securityAgent.compliance.host_benchmarks.enabled -- Set to true to enable host benchmarks (this feature is supported from Agent 7.47, and requires 160 MB extra memory for the `security-agent` container)
+      host_benchmarks:
+        enabled: false
+
     runtime:
       # datadog.securityAgent.runtime.enabled -- Set to true to enable Cloud Workload Security (CWS)
       enabled: false
@@ -816,7 +820,7 @@ clusterAgent:
     name: cluster-agent
 
     # clusterAgent.image.tag -- Cluster Agent image tag to use
-    tag: 7.47.0
+    tag: 7.47.1
 
     # clusterAgent.image.digest -- Cluster Agent image digest to use, takes precedence over tag if specified
     digest: ""
@@ -978,7 +982,7 @@ clusterAgent:
       # clusterAgent.admissionController.remoteInstrumentation.enabled -- Enable polling and applying library injection using Remote Config.
       ## This feature is in beta, and enables Remote Config in the Cluster Agent. It also requires Cluster Agent version 7.43+.
       ## Enabling this feature grants the Cluster Agent the permissions to patch Deployment objects in the cluster.
-      enabled: true
+      enabled: false
 
     # clusterAgent.admissionController.port -- Set port of cluster-agent admission controller service
     port: 8000
@@ -1224,7 +1228,7 @@ agents:
     name: agent
 
     # agents.image.tag -- Define the Agent version to use
-    tag: 7.47.0
+    tag: 7.47.1
 
     # agents.image.digest -- Define Agent image digest to use, takes precedence over tag if specified
     digest: ""
@@ -1690,7 +1694,7 @@ clusterChecksRunner:
     name: agent
 
     # clusterChecksRunner.image.tag -- Define the Agent version to use
-    tag: 7.47.0
+    tag: 7.47.1
 
     # clusterChecksRunner.image.digest -- Define Agent image digest to use, takes precedence over tag if specified
     digest: ""

charts/external-secrets/external-secrets/Chart.yaml

@@ -4,7 +4,7 @@ annotations:
   catalog.cattle.io/kube-version: '>= 1.19.0-0'
   catalog.cattle.io/release-name: external-secrets
 apiVersion: v2
-appVersion: v0.9.4
+appVersion: v0.9.5
 description: External secret management for Kubernetes
 home: https://github.com/external-secrets/external-secrets
 icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png
@@ -17,4 +17,4 @@ maintainers:
   name: mcavoyk
 name: external-secrets
 type: application
-version: 0.9.4
+version: 0.9.5

charts/external-secrets/external-secrets/README.md

@@ -4,7 +4,7 @@
 
 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)
 
-![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.9.4](https://img.shields.io/badge/Version-0.9.4-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.9.5](https://img.shields.io/badge/Version-0.9.5-informational?style=flat-square)
 
 External secret management for Kubernetes
 

charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml

@@ -23,7 +23,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
-        {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 8 }}
+        {{- include "external-secrets-cert-controller.labels" . | nindent 8 }}
         {{- with .Values.certController.podLabels }}
           {{- toYaml . | nindent 8 }}
         {{- end }}

charts/external-secrets/external-secrets/templates/crds/acraccesstoken.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.12.1
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: acraccesstokens.generators.external-secrets.io
 spec:
   group: generators.external-secrets.io

charts/external-secrets/external-secrets/templates/crds/clusterexternalsecret.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.12.1
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: clusterexternalsecrets.external-secrets.io
 spec:
   group: external-secrets.io
@@ -433,6 +433,9 @@ spec:
                       - type
                     type: object
                   type: array
+                externalSecretName:
+                  description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
+                  type: string
                 failedNamespaces:
                   description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
                   items:

charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.12.1
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: clustersecretstores.external-secrets.io
 spec:
   group: external-secrets.io

charts/external-secrets/external-secrets/templates/crds/ecrauthorizationtoken.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.12.1
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: ecrauthorizationtokens.generators.external-secrets.io
 spec:
   group: generators.external-secrets.io

charts/external-secrets/external-secrets/templates/crds/externalsecret.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.12.1
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: externalsecrets.external-secrets.io
 spec:
   group: external-secrets.io

charts/external-secrets/external-secrets/templates/crds/fake.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.12.1
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: fakes.generators.external-secrets.io
 spec:
   group: generators.external-secrets.io

charts/external-secrets/external-secrets/templates/crds/gcraccesstoken.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.12.1
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: gcraccesstokens.generators.external-secrets.io
 spec:
   group: generators.external-secrets.io

charts/external-secrets/external-secrets/templates/crds/password.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.12.1
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: passwords.generators.external-secrets.io
 spec:
   group: generators.external-secrets.io

charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.12.1
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: pushsecrets.external-secrets.io
 spec:
   group: external-secrets.io
@@ -70,6 +70,9 @@ spec:
                           - remoteRef
                           - secretKey
                         type: object
+                      metadata:
+                        description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation.
+                        x-kubernetes-preserve-unknown-fields: true
                     required:
                       - match
                     type: object
@@ -198,6 +201,9 @@ spec:
                             - remoteRef
                             - secretKey
                           type: object
+                        metadata:
+                          description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation.
+                          x-kubernetes-preserve-unknown-fields: true
                       required:
                         - match
                       type: object

charts/external-secrets/external-secrets/templates/crds/secretstore.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.12.1
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: secretstores.external-secrets.io
 spec:
   group: external-secrets.io

charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.12.1
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: vaultdynamicsecrets.generators.external-secrets.io
 spec:
   group: generators.external-secrets.io

charts/external-secrets/external-secrets/templates/deployment.yaml

@@ -23,7 +23,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
-        {{- include "external-secrets.selectorLabels" . | nindent 8 }}
+        {{- include "external-secrets.labels" . | nindent 8 }}
         {{- with .Values.podLabels }}
           {{- toYaml . | nindent 8 }}
         {{- end }}

charts/external-secrets/external-secrets/templates/servicemonitor.yaml

@@ -1,11 +1,11 @@
-{{- if .Values.serviceMonitor.enabled }}
+{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "external-secrets.fullname" . }}-metrics
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    {{- include "external-secrets.selectorLabels" . | nindent 4 }}
+    {{- include "external-secrets.labels" . | nindent 4 }}
 spec:
   type: ClusterIP
   ports:

charts/external-secrets/external-secrets/templates/webhook-deployment.yaml

@@ -23,7 +23,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
-        {{- include "external-secrets-webhook.selectorLabels" . | nindent 8 }}
+        {{- include "external-secrets-webhook.labels" . | nindent 8 }}
         {{- with .Values.webhook.podLabels }}
           {{- toYaml . | nindent 8 }}
         {{- end }}

charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap

@@ -7,8 +7,8 @@ should match snapshot of default values:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: external-secrets-cert-controller
-        app.kubernetes.io/version: v0.9.4
+        app.kubernetes.io/version: v0.9.5
-        helm.sh/chart: external-secrets-0.9.4
+        helm.sh/chart: external-secrets-0.9.5
       name: RELEASE-NAME-external-secrets-cert-controller
       namespace: NAMESPACE
     spec:
@@ -22,7 +22,10 @@ should match snapshot of default values:
         metadata:
           labels:
             app.kubernetes.io/instance: RELEASE-NAME
+            app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: external-secrets-cert-controller
+            app.kubernetes.io/version: v0.9.5
+            helm.sh/chart: external-secrets-0.9.5
         spec:
           automountServiceAccountToken: true
           containers:
@@ -35,7 +38,7 @@ should match snapshot of default values:
                 - --secret-namespace=NAMESPACE
                 - --metrics-addr=:8080
                 - --healthz-addr=:8081
-              image: ghcr.io/external-secrets/external-secrets:v0.9.4
+              image: ghcr.io/external-secrets/external-secrets:v0.9.5
               imagePullPolicy: IfNotPresent
               name: cert-controller
               ports:

charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap

@@ -7,8 +7,8 @@ should match snapshot of default values:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: external-secrets
-        app.kubernetes.io/version: v0.9.4
+        app.kubernetes.io/version: v0.9.5
-        helm.sh/chart: external-secrets-0.9.4
+        helm.sh/chart: external-secrets-0.9.5
       name: RELEASE-NAME-external-secrets
       namespace: NAMESPACE
     spec:
@@ -22,13 +22,16 @@ should match snapshot of default values:
         metadata:
           labels:
             app.kubernetes.io/instance: RELEASE-NAME
+            app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: external-secrets
+            app.kubernetes.io/version: v0.9.5
+            helm.sh/chart: external-secrets-0.9.5
         spec:
           automountServiceAccountToken: true
           containers:
             - args:
                 - --concurrent=1
-              image: ghcr.io/external-secrets/external-secrets:v0.9.4
+              image: ghcr.io/external-secrets/external-secrets:v0.9.5
               imagePullPolicy: IfNotPresent
               name: external-secrets
               ports:

charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap

@@ -4,7 +4,7 @@ should match snapshot of default values:
     kind: CustomResourceDefinition
     metadata:
       annotations:
-        controller-gen.kubebuilder.io/version: v0.12.1
+        controller-gen.kubebuilder.io/version: v0.13.0
       name: secretstores.external-secrets.io
     spec:
       conversion:

charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap

@@ -7,8 +7,8 @@ should match snapshot of default values:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: external-secrets-webhook
-        app.kubernetes.io/version: v0.9.4
+        app.kubernetes.io/version: v0.9.5
-        helm.sh/chart: external-secrets-0.9.4
+        helm.sh/chart: external-secrets-0.9.5
       name: RELEASE-NAME-external-secrets-webhook
       namespace: NAMESPACE
     spec:
@@ -22,7 +22,10 @@ should match snapshot of default values:
         metadata:
           labels:
             app.kubernetes.io/instance: RELEASE-NAME
+            app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: external-secrets-webhook
+            app.kubernetes.io/version: v0.9.5
+            helm.sh/chart: external-secrets-0.9.5
         spec:
           automountServiceAccountToken: true
           containers:
@@ -34,7 +37,7 @@ should match snapshot of default values:
                 - --check-interval=5m
                 - --metrics-addr=:8080
                 - --healthz-addr=:8081
-              image: ghcr.io/external-secrets/external-secrets:v0.9.4
+              image: ghcr.io/external-secrets/external-secrets:v0.9.5
               imagePullPolicy: IfNotPresent
               name: webhook
               ports:
@@ -78,8 +81,8 @@ should match snapshot of default values:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: external-secrets-webhook
-        app.kubernetes.io/version: v0.9.4
+        app.kubernetes.io/version: v0.9.5
         external-secrets.io/component: webhook
-        helm.sh/chart: external-secrets-0.9.4
+        helm.sh/chart: external-secrets-0.9.5
       name: RELEASE-NAME-external-secrets-webhook
       namespace: NAMESPACE

charts/external-secrets/external-secrets/tests/service_monitor_test.yaml

@@ -0,0 +1,34 @@
+suite: test service monitor
+templates: 
+  - servicemonitor.yaml
+tests:
+  - it: should render service monitor when APIVersions is present and serviceMonitor is enabled
+    set:
+      serviceMonitor.enabled: true
+    capabilities:
+      apiVersions:
+        - "monitoring.coreos.com/v1"
+    asserts:
+      - hasDocuments:
+          count: 6
+  - it: should not render service monitor when APIVersions is not present but serviceMonitor is enabled
+    set:
+      serviceMonitor.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: should not render service monitor when APIVersions is present and serviceMonitor is disabled
+    set:
+      serviceMonitor.enabled: false
+    capabilities:
+      apiVersions:
+        - "monitoring.coreos.com/v1"
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: should not render service monitor when APIVersions is not present and serviceMonitor is disabled
+    set:
+      serviceMonitor.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0

charts/hashicorp/consul/Chart.yaml

@@ -1,11 +1,11 @@
 annotations:
   artifacthub.io/images: |
     - name: consul
-      image: hashicorp/consul:1.16.1
+      image: hashicorp/consul:1.16.2
     - name: consul-k8s-control-plane
-      image: hashicorp/consul-k8s-control-plane:1.2.1
+      image: hashicorp/consul-k8s-control-plane:1.2.2
     - name: consul-dataplane
-      image: hashicorp/consul-dataplane:1.2.1
+      image: hashicorp/consul-dataplane:1.2.2
     - name: envoy
       image: envoyproxy/envoy:v1.25.9
   artifacthub.io/license: MPL-2.0
@@ -25,7 +25,7 @@ annotations:
   catalog.cattle.io/kube-version: '>=1.22.0-0'
   catalog.cattle.io/release-name: consul
 apiVersion: v2
-appVersion: 1.16.1
+appVersion: 1.16.2
 description: Official HashiCorp Consul Chart
 home: https://www.consul.io
 icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png
@@ -34,4 +34,4 @@ name: consul
 sources:
 - https://github.com/hashicorp/consul
 - https://github.com/hashicorp/consul-k8s
-version: 1.2.1
+version: 1.2.2

charts/hashicorp/consul/templates/_helpers.tpl

@@ -22,6 +22,8 @@ securityContext:
   capabilities:
     drop:
     - ALL
+    add:
+    - NET_BIND_SERVICE
   runAsNonRoot: true
   seccompProfile:
     type: RuntimeDefault

charts/hashicorp/consul/templates/api-gateway-controller-deployment.yaml

@@ -38,6 +38,9 @@ spec:
         "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
         {{- if .Values.global.secretsBackend.vault.agentAnnotations }}
         {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
+        {{ end }}
+       {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
+        "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
         {{- end }}
         {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
         "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"

charts/hashicorp/consul/templates/client-daemonset.yaml

@@ -75,6 +75,9 @@ spec:
         {{- if .Values.global.secretsBackend.vault.agentAnnotations }}
         {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
         {{- end }}
+       {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
+        "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
+        {{- end }}
         {{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }}
         {{- with .Values.global.enterpriseLicense }}
         "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}"

charts/hashicorp/consul/templates/connect-inject-deployment.yaml

@@ -84,6 +84,9 @@ spec:
         {{- if .Values.global.secretsBackend.vault.agentAnnotations }}
         {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
         {{- end }}
+       {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
+        "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
+        {{- end }}
         {{- end }}
     spec:
       serviceAccountName: {{ template "consul.fullname" . }}-connect-injector

charts/hashicorp/consul/templates/crd-controlplanerequestlimits.yaml

@@ -1,18 +1,21 @@
 {{- if .Values.connectInject.enabled }}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: controlplanerequestlimits.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: controlplanerequestlimits.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:

charts/hashicorp/consul/templates/crd-exportedservices.yaml

@@ -1,18 +1,21 @@
 {{- if .Values.connectInject.enabled }}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: exportedservices.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: exportedservices.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:

charts/hashicorp/consul/templates/crd-gatewayclassconfigs.yaml

@@ -1,18 +1,20 @@
 {{- if .Values.connectInject.enabled }}
----
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: gatewayclassconfigs.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: gatewayclassconfigs.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:
@@ -78,7 +80,61 @@ spec:
                     maximum: 8
                     minimum: 1
                     type: integer
+                  resources:
+                    description: Resources defines the resource requirements for the
+                      gateway.
+                    properties:
+                      claims:
+                        description: "Claims lists the names of resources, defined
+                          in spec.resourceClaims, that are used by this container.
+                          \n This is an alpha field and requires enabling the DynamicResourceAllocation
+                          feature gate. \n This field is immutable. It can only be
+                          set for containers."
+                        items:
+                          description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                          properties:
+                            name:
+                              description: Name must match the name of one entry in
+                                pod.spec.resourceClaims of the Pod where this field
+                                is used. It makes that resource available inside a
+                                container.
+                              type: string
+                          required:
+                          - name
+                          type: object
+                        type: array
+                        x-kubernetes-list-map-keys:
+                        - name
+                        x-kubernetes-list-type: map
+                      limits:
+                        additionalProperties:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                          x-kubernetes-int-or-string: true
+                        description: 'Limits describes the maximum amount of compute
+                          resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                        type: object
+                      requests:
+                        additionalProperties:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                          x-kubernetes-int-or-string: true
+                        description: 'Requests describes the minimum amount of compute
+                          resources required. If Requests is omitted for a container,
+                          it defaults to Limits if that is explicitly specified, otherwise
+                          to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                        type: object
+                    type: object
                 type: object
+              mapPrivilegedContainerPorts:
+                description: The value to add to privileged ports ( ports < 1024)
+                  for gateway containers
+                format: int32
+                type: integer
               nodeSelector:
                 additionalProperties:
                   type: string
@@ -86,6 +142,10 @@ spec:
                   pod to fit on a node. Selector which must match a node''s labels
                   for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
                 type: object
+              openshiftSCCName:
+                description: The name of the OpenShift SecurityContextConstraints
+                  resource for this gateway class to use.
+                type: string
               podSecurityPolicy:
                 description: The name of an existing Kubernetes PodSecurityPolicy
                   to bind to the managed ServiceAccount if ACLs are managed.
@@ -138,19 +198,6 @@ spec:
                       type: string
                   type: object
                 type: array
-              openshiftSCCName:
-                description: The name of an existing SecurityContextConstraints
-                  resource to bind to the managed role when running on OpenShift.
-                type: string
-              mapPrivilegedContainerPorts:
-                type: integer
-                format: int32
-                minimum: 0
-                maximum: 64512
-                description: mapPrivilegedContainerPorts is the value which Consul will add to privileged container port
-                  values (ports < 1024) defined on a Gateway when the number is greater than 0. This cannot be more than
-                  64512 as the highest privileged port is 1023, which would then map to 65535, which is the highest 
-                  valid port number.
             type: object
         type: object
     served: true

charts/hashicorp/consul/templates/crd-gatewayclasses.yaml

@@ -6,14 +6,15 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
-    gateway.networking.k8s.io/bundle-version: v0.6.2
-    gateway.networking.k8s.io/channel: experimental
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    gateway.networking.k8s.io/bundle-version: v0.6.2
+    gateway.networking.k8s.io/channel: experimental
+  creationTimestamp: null
   name: gatewayclasses.gateway.networking.k8s.io
 spec:
   group: gateway.networking.k8s.io

charts/hashicorp/consul/templates/crd-gateways.yaml

@@ -6,14 +6,15 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
-    gateway.networking.k8s.io/bundle-version: v0.6.2
-    gateway.networking.k8s.io/channel: experimental
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    gateway.networking.k8s.io/bundle-version: v0.6.2
+    gateway.networking.k8s.io/channel: experimental
+  creationTimestamp: null
   name: gateways.gateway.networking.k8s.io
 spec:
   group: gateway.networking.k8s.io

charts/hashicorp/consul/templates/crd-grpcroutes.yaml

@@ -6,14 +6,15 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
-    gateway.networking.k8s.io/bundle-version: v0.6.2
-    gateway.networking.k8s.io/channel: experimental
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    gateway.networking.k8s.io/bundle-version: v0.6.2
+    gateway.networking.k8s.io/channel: experimental
+  creationTimestamp: null
   name: grpcroutes.gateway.networking.k8s.io
 spec:
   group: gateway.networking.k8s.io

charts/hashicorp/consul/templates/crd-httproutes.yaml

@@ -6,14 +6,15 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
-    gateway.networking.k8s.io/bundle-version: v0.6.2
-    gateway.networking.k8s.io/channel: experimental
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    gateway.networking.k8s.io/bundle-version: v0.6.2
+    gateway.networking.k8s.io/channel: experimental
+  creationTimestamp: null
   name: httproutes.gateway.networking.k8s.io
 spec:
   group: gateway.networking.k8s.io

charts/hashicorp/consul/templates/crd-ingressgateways.yaml

@@ -1,18 +1,21 @@
 {{- if .Values.connectInject.enabled }}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: ingressgateways.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: ingressgateways.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:
@@ -78,6 +81,43 @@ spec:
                       while waiting for a connection to be established.
                     format: int32
                     type: integer
+                  passiveHealthCheck:
+                    description: PassiveHealthCheck configuration determines how upstream
+                      proxy instances will be monitored for removal from the load
+                      balancing pool.
+                    properties:
+                      baseEjectionTime:
+                        description: The base time that a host is ejected for. The
+                          real time is equal to the base time multiplied by the number
+                          of times the host has been ejected and is capped by max_ejection_time
+                          (Default 300s). Defaults to 30s.
+                        type: string
+                      enforcingConsecutive5xx:
+                        description: EnforcingConsecutive5xx is the % chance that
+                          a host will be actually ejected when an outlier status is
+                          detected through consecutive 5xx. This setting can be used
+                          to disable ejection or to ramp it up slowly. Ex. Setting
+                          this to 10 will make it a 10% chance that the host will
+                          be ejected.
+                        format: int32
+                        type: integer
+                      interval:
+                        description: Interval between health check analysis sweeps.
+                          Each sweep may remove hosts or return hosts to the pool.
+                          Ex. setting this to "10s" will set the interval to 10 seconds.
+                        type: string
+                      maxEjectionPercent:
+                        description: The maximum % of an upstream cluster that can
+                          be ejected due to outlier detection. Defaults to 10% but
+                          will eject at least one host regardless of the value.
+                        format: int32
+                        type: integer
+                      maxFailures:
+                        description: MaxFailures is the count of consecutive failures
+                          that results in a host being removed from the pool.
+                        format: int32
+                        type: integer
+                    type: object
                 type: object
               listeners:
                 description: Listeners declares what ports the ingress gateway should
@@ -157,6 +197,47 @@ spec:
                               service is located. Partitioning is a Consul Enterprise
                               feature.
                             type: string
+                          passiveHealthCheck:
+                            description: PassiveHealthCheck configuration determines
+                              how upstream proxy instances will be monitored for removal
+                              from the load balancing pool.
+                            properties:
+                              baseEjectionTime:
+                                description: The base time that a host is ejected
+                                  for. The real time is equal to the base time multiplied
+                                  by the number of times the host has been ejected
+                                  and is capped by max_ejection_time (Default 300s).
+                                  Defaults to 30s.
+                                type: string
+                              enforcingConsecutive5xx:
+                                description: EnforcingConsecutive5xx is the % chance
+                                  that a host will be actually ejected when an outlier
+                                  status is detected through consecutive 5xx. This
+                                  setting can be used to disable ejection or to ramp
+                                  it up slowly. Ex. Setting this to 10 will make it
+                                  a 10% chance that the host will be ejected.
+                                format: int32
+                                type: integer
+                              interval:
+                                description: Interval between health check analysis
+                                  sweeps. Each sweep may remove hosts or return hosts
+                                  to the pool. Ex. setting this to "10s" will set
+                                  the interval to 10 seconds.
+                                type: string
+                              maxEjectionPercent:
+                                description: The maximum % of an upstream cluster
+                                  that can be ejected due to outlier detection. Defaults
+                                  to 10% but will eject at least one host regardless
+                                  of the value.
+                                format: int32
+                                type: integer
+                              maxFailures:
+                                description: MaxFailures is the count of consecutive
+                                  failures that results in a host being removed from
+                                  the pool.
+                                format: int32
+                                type: integer
+                            type: object
                           requestHeaders:
                             description: Allow HTTP header manipulation to be configured.
                             properties:

charts/hashicorp/consul/templates/crd-jwtproviders.yaml

@@ -1,18 +1,21 @@
 {{- if .Values.connectInject.enabled }}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: jwtproviders.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: jwtproviders.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:
@@ -120,6 +123,66 @@ spec:
                           the proxy listener will wait for the JWKS to be fetched
                           before being activated. \n Default value is false."
                         type: boolean
+                      jwksCluster:
+                        description: "JWKSCluster defines how the specified Remote JWKS
+                          URI is to be fetched."
+                        properties:
+                          connectTimeout:
+                            description: "The timeout for new network connections to hosts
+                              in the cluster. \n If not set, a default value of 5s will be
+                              used."
+                            format: int64
+                            type: integer
+                          discoveryType:
+                            description: "DiscoveryType refers to the service discovery type
+                              to use for resolving the cluster. \n Defaults to STRICT_DNS."
+                            type: string
+                          tlsCertificates:
+                            description: "TLSCertificates refers to the data containing
+                              certificate authority certificates to use in verifying a presented
+                              peer certificate."
+                            properties:
+                              caCertificateProviderInstance:
+                                description: "CaCertificateProviderInstance Certificate provider
+                                  instance for fetching TLS certificates."
+                                properties:
+                                  instanceName:
+                                    description: "InstanceName refers to the certificate provider
+                                      instance name. \n The default value is 'default'."
+                                    type: string
+                                  certificateName:
+                                    description: "CertificateName is used to specify certificate 
+                                      instances or types. For example, \"ROOTCA\" to specify a 
+                                      root-certificate (validation context) or \"example.com\" 
+                                      to specify a certificate for a particular domain. \n 
+                                      The default value is the empty string."
+                                    type: string
+                                type: object
+                              trustedCA:
+                                description: "TrustedCA defines TLS certificate data containing
+                                  certificate authority certificates to use in verifying a presented
+                                  peer certificate. \n Exactly one of Filename, EnvironmentVariable, 
+                                  InlineString or InlineBytes must be specified."
+                                properties:
+                                  filename:
+                                    description: "The name of the file on the local system to use a
+                                      data source for trusted CA certificates."
+                                    type: string
+                                  environmentVariable:
+                                    description: "The environment variable on the local system to use
+                                      a data source for trusted CA certificates."
+                                    type: string
+                                  inlineString: 
+                                    description: "A string to inline in the configuration for use as 
+                                      a data source for trusted CA certificates."
+                                    type: string
+                                  inlineBytes:
+                                    description: "A sequence of bytes to inline in the configuration 
+                                      for use as a data source for trusted CA certificates."
+                                    type: string
+                                type: object
+                            type: object
+                        type: object
                       requestTimeoutMs:
                         description: RequestTimeoutMs is the number of milliseconds
                           to time out when making a request for the JWKS.

charts/hashicorp/consul/templates/crd-meshes.yaml

@@ -1,18 +1,21 @@
 {{- if .Values.connectInject.enabled }}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: meshes.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: meshes.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:

charts/hashicorp/consul/templates/crd-meshservices.yaml

@@ -1,18 +1,20 @@
 {{- if .Values.connectInject.enabled }}
----
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: meshservices.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: meshservices.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:

charts/hashicorp/consul/templates/crd-peeringacceptors.yaml

@@ -1,18 +1,21 @@
 {{- if and .Values.connectInject.enabled .Values.global.peering.enabled }}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: peeringacceptors.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: peeringacceptors.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:

charts/hashicorp/consul/templates/crd-peeringdialers.yaml

@@ -1,18 +1,21 @@
 {{- if and .Values.connectInject.enabled .Values.global.peering.enabled }}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: peeringdialers.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: peeringdialers.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:

charts/hashicorp/consul/templates/crd-proxydefaults.yaml

@@ -1,18 +1,21 @@
 {{- if .Values.connectInject.enabled }}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: proxydefaults.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: proxydefaults.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:

charts/hashicorp/consul/templates/crd-samenessgroups.yaml

@@ -1,18 +1,21 @@
 {{- if .Values.connectInject.enabled }}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: samenessgroups.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: samenessgroups.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:

charts/hashicorp/consul/templates/crd-servicedefaults.yaml

@@ -1,18 +1,21 @@
 {{- if .Values.connectInject.enabled }}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: servicedefaults.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: servicedefaults.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:
@@ -291,18 +294,22 @@ spec:
                               The real time is equal to the base time multiplied by
                               the number of times the host has been ejected and is
                               capped by max_ejection_time (Default 300s). Defaults
-                              to 30000ms or 30s.
+                              to 30s.
                             type: string
                           enforcingConsecutive5xx:
                             description: EnforcingConsecutive5xx is the % chance that
                               a host will be actually ejected when an outlier status
                               is detected through consecutive 5xx. This setting can
                               be used to disable ejection or to ramp it up slowly.
+                              Ex. Setting this to 10 will make it a 10% chance that
+                              the host will be ejected.
                             format: int32
                             type: integer
                           interval:
                             description: Interval between health check analysis sweeps.
                               Each sweep may remove hosts or return hosts to the pool.
+                              Ex. setting this to "10s" will set the interval to 10
+                              seconds.
                             type: string
                           maxEjectionPercent:
                             description: The maximum % of an upstream cluster that
@@ -408,19 +415,22 @@ spec:
                                 The real time is equal to the base time multiplied
                                 by the number of times the host has been ejected and
                                 is capped by max_ejection_time (Default 300s). Defaults
-                                to 30000ms or 30s.
+                                to 30s.
                               type: string
                             enforcingConsecutive5xx:
                               description: EnforcingConsecutive5xx is the % chance
                                 that a host will be actually ejected when an outlier
                                 status is detected through consecutive 5xx. This setting
                                 can be used to disable ejection or to ramp it up slowly.
+                                Ex. Setting this to 10 will make it a 10% chance that
+                                the host will be ejected.
                               format: int32
                               type: integer
                             interval:
                               description: Interval between health check analysis
                                 sweeps. Each sweep may remove hosts or return hosts
-                                to the pool.
+                                to the pool. Ex. setting this to "10s" will set the
+                                interval to 10 seconds.
                               type: string
                             maxEjectionPercent:
                               description: The maximum % of an upstream cluster that

charts/hashicorp/consul/templates/crd-serviceintentions.yaml

@@ -1,18 +1,21 @@
 {{- if .Values.connectInject.enabled }}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: serviceintentions.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: serviceintentions.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:

charts/hashicorp/consul/templates/crd-serviceresolvers.yaml

@@ -1,18 +1,21 @@
 {{- if .Values.connectInject.enabled }}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: serviceresolvers.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: serviceresolvers.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:

charts/hashicorp/consul/templates/crd-servicerouters.yaml

@@ -1,18 +1,21 @@
 {{- if .Values.connectInject.enabled }}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: servicerouters.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: servicerouters.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:

charts/hashicorp/consul/templates/crd-servicesplitters.yaml

@@ -1,18 +1,21 @@
 {{- if .Values.connectInject.enabled }}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: servicesplitters.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: servicesplitters.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:

charts/hashicorp/consul/templates/crd-tcproutes.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }}
+{{- if and .Values.connectInject.enabled (or .Values.connectInject.apiGateway.manageExternalCRDs .Values.connectInject.apiGateway.manageNonStandardCRDs ) }}
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
@@ -7,15 +7,15 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
-    gateway.networking.k8s.io/bundle-version: v0.6.2
-    gateway.networking.k8s.io/channel: experimental
-  creationTimestamp: null
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    gateway.networking.k8s.io/bundle-version: v0.6.2
+    gateway.networking.k8s.io/channel: experimental
+  creationTimestamp: null
   name: tcproutes.gateway.networking.k8s.io
 spec:
   group: gateway.networking.k8s.io

charts/hashicorp/consul/templates/crd-terminatinggateways.yaml

@@ -1,18 +1,21 @@
 {{- if .Values.connectInject.enabled }}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: terminatinggateways.consul.hashicorp.com
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: terminatinggateways.consul.hashicorp.com
 spec:
   group: consul.hashicorp.com
   names:

charts/hashicorp/consul/templates/crd-tlsroutes.yaml

@@ -7,15 +7,15 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
-    gateway.networking.k8s.io/bundle-version: v0.6.2
-    gateway.networking.k8s.io/channel: experimental
-  creationTimestamp: null
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    gateway.networking.k8s.io/bundle-version: v0.6.2
+    gateway.networking.k8s.io/channel: experimental
+  creationTimestamp: null
   name: tlsroutes.gateway.networking.k8s.io
 spec:
   group: gateway.networking.k8s.io

charts/hashicorp/consul/templates/crd-udproutes.yaml

@@ -7,15 +7,15 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
-    gateway.networking.k8s.io/bundle-version: v0.6.2
-    gateway.networking.k8s.io/channel: experimental
-  creationTimestamp: null
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: crd
+    gateway.networking.k8s.io/bundle-version: v0.6.2
+    gateway.networking.k8s.io/channel: experimental
+  creationTimestamp: null
   name: udproutes.gateway.networking.k8s.io
 spec:
   group: gateway.networking.k8s.io

charts/hashicorp/consul/templates/gateway-cleanup-job.yaml

@@ -31,9 +31,6 @@ spec:
         {{- end }}
       annotations:
         "consul.hashicorp.com/connect-inject": "false"
-        {{- if .Values.global.acls.annotations }}
-          {{- tpl .Values.global.acls.annotations . | nindent 8 }}
-        {{- end }}
     spec:
       restartPolicy: Never
       serviceAccountName: {{ template "consul.fullname" . }}-gateway-cleanup
@@ -58,8 +55,4 @@ spec:
       tolerations:
         {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }}
       {{- end }}
-      {{- if .Values.global.acls.nodeSelector }}
-      nodeSelector:
-        {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }}
-      {{- end }}
 {{- end }}

charts/hashicorp/consul/templates/gateway-resources-configmap.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.connectInject.enabled }}
+# Configuration of Gateway Resources Job which creates managed Gateway configuration.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "consul.fullname" . }}-gateway-resources-config
+  namespace: {{ .Release.Namespace }}
+  labels: 
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: gateway-resources
+data:
+  {{- if .Values.connectInject.apiGateway.managedGatewayClass.resources }}
+  resources.json: |
+    {{ toJson .Values.connectInject.apiGateway.managedGatewayClass.resources }}
+  {{- end }}
+{{- end }}

charts/hashicorp/consul/templates/gateway-resources-job.yaml

@@ -31,9 +31,6 @@ spec:
         {{- end }}
       annotations:
         "consul.hashicorp.com/connect-inject": "false"
-        {{- if .Values.global.acls.annotations }}
-          {{- tpl .Values.global.acls.annotations . | nindent 8 }}
-        {{- end }}
     spec:
       restartPolicy: Never
       serviceAccountName: {{ template "consul.fullname" . }}-gateway-resources
@@ -111,12 +108,16 @@ spec:
             limits:
               memory: "50Mi"
               cpu: "50m"
+          volumeMounts:
+            - name: config
+              mountPath: /consul/config
+              readOnly: true
       {{- if .Values.global.acls.tolerations }}
       tolerations:
         {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }}
       {{- end }}
-      {{- if .Values.global.acls.nodeSelector }}
+      volumes:
-      nodeSelector:
+        - name: config
-        {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }}
+          configMap:
-      {{- end }}
+            name: {{ template "consul.fullname" . }}-gateway-resources-config
 {{- end }}

charts/hashicorp/consul/templates/ingress-gateways-deployment.yaml

@@ -125,6 +125,9 @@ spec:
         {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }}
         {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }}
         {{- end }}
+        {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
+        "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}"
+        {{- end }}
         {{- end }}
         {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }}
         "prometheus.io/scrape": "true"

charts/hashicorp/consul/templates/ingress-gateways-podsecuritypolicy.yaml

@@ -21,6 +21,8 @@ spec:
   # but we can provide it for defense in depth.
   requiredDropCapabilities:
     - ALL
+  defaultAddCapabilities:
+    - NET_BIND_SERVICE
   # Allow core volume types.
   volumes:
     - 'configMap'

charts/hashicorp/consul/templates/mesh-gateway-deployment.yaml

@@ -70,6 +70,9 @@ spec:
         {{- if .Values.global.secretsBackend.vault.agentAnnotations }}
         {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
         {{- end }}
+       {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
+        "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
+        {{- end }}
         {{- end }}
         {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }}
         "prometheus.io/scrape": "true"

charts/hashicorp/consul/templates/mesh-gateway-podsecuritypolicy.yaml

@@ -18,6 +18,8 @@ spec:
   # but we can provide it for defense in depth.
   requiredDropCapabilities:
     - ALL
+  defaultAddCapabilities:
+    - NET_BIND_SERVICE
   # Allow core volume types.
   volumes:
     - 'configMap'

charts/hashicorp/consul/templates/partition-init-job.yaml

@@ -59,6 +59,9 @@ spec:
         {{- if .Values.global.secretsBackend.vault.agentAnnotations }}
         {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
         {{- end }}
+       {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
+        "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
+        {{- end }}
         {{- end }}
     spec:
       restartPolicy: Never

charts/hashicorp/consul/templates/server-acl-init-job.yaml

@@ -49,6 +49,10 @@ spec:
         {{- if .Values.global.acls.annotations }}
           {{- tpl .Values.global.acls.annotations . | nindent 8 }}
         {{- end }}
+        {{- if .Values.global.argocd.enabled }}
+        "argocd.argoproj.io/hook": "Sync"
+        "argocd.argoproj.io/hook-delete-policy": "HookSucceeded"
+        {{- end }}
         {{- if .Values.global.secretsBackend.vault.enabled }}
 
         {{- /* Run the Vault agent as both an init container and sidecar.
@@ -93,6 +97,9 @@ spec:
         {{- if .Values.global.secretsBackend.vault.agentAnnotations }}
         {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
         {{- end }}
+       {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
+        "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
+        {{- end }}
         {{- end }}
     spec:
       restartPolicy: Never
@@ -143,9 +150,12 @@ spec:
               fieldPath: metadata.name
         # Extract the Vault namespace from the Vault agent annotations.
         {{- if .Values.global.secretsBackend.vault.enabled }}
-        {{- if .Values.global.secretsBackend.vault.agentAnnotations }}
+        {{- if and (.Values.global.secretsBackend.vault.agentAnnotations) (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace") }}
         - name: VAULT_NAMESPACE
           value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }}
+        {{- else if .Values.global.secretsBackend.vault.vaultNamespace }}
+        - name: VAULT_NAMESPACE
+          value: {{ .Values.global.secretsBackend.vault.vaultNamespace }}
         {{- end }}
         {{- end }}
         {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }}

charts/hashicorp/consul/templates/server-config-configmap.yaml

@@ -72,6 +72,9 @@ data:
               "ca_file": "/consul/vault-ca/tls.crt",
               {{- end }}
               "intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}",
+              {{- if (and (.vaultNamespace) (not (contains "namespace" (default "" .connectCA.additionalConfig)))) }}
+              "namespace": "{{ .vaultNamespace }}",
+              {{- end }}
               "root_pki_path": "{{ .connectCA.rootPKIPath }}",
               "auth_method": {
                 "type": "kubernetes",
@@ -198,16 +201,7 @@ data:
         "sink": {
           {{- range $index, $element := .Values.server.auditLogs.sinks }}
           {{- if ne $index 0 }},{{end}}
-          "{{ $element.name }}": {
+          "{{ get $element "name" }}": {{ omit $element "name" | toJson }}
-            {{- $firstKeyValuePair := false }}
-            {{- range $k, $v := $element }}
-              {{- if ne $k "name" }}
-              {{- if ne $firstKeyValuePair false }},{{end}}
-              {{- $firstKeyValuePair = true }}
-              "{{ $k }}": "{{ $v }}"
-              {{- end }}
-            {{- end }}
-          }
           {{- end }}
         }
       }