validatedpatterns · mlorenzofr · Dec 18, 2025 · Dec 17, 2025 · mlorenzofr · Dec 18, 2025
diff --git a/charts/zero-trust-workload-identity-manager/templates/SpireAgent.yaml b/charts/zero-trust-workload-identity-manager/templates/SpireAgent.yaml
@@ -3,8 +3,6 @@ kind: SpireAgent
 metadata:
   name: cluster
 spec:
-  trustDomain: {{ tpl .Values.spire.trustDomain $ }}
-  clusterName: {{ .Values.spire.clusterName }}
   nodeAttestor:
     k8sPSATEnabled: {{ .Values.spire.agent.nodeAttestor.k8sPSATEnabled | quote }}
   workloadAttestors:

diff --git a/...ts/zero-trust-workload-identity-manager/templates/SpireOIDCDiscoveryProvider-Ingress.yaml b/...ts/zero-trust-workload-identity-manager/templates/SpireOIDCDiscoveryProvider-Ingress.yaml
@@ -1,4 +1,4 @@
-{{- if not (eq .Values.spire.oidcDiscoveryProvider.ingress.operatorManaged "true") -}}
+{{- if not (eq .Values.spire.oidcDiscoveryProvider.ingress.operatorManaged "true") }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:

diff --git a/charts/zero-trust-workload-identity-manager/templates/SpireOIDCDiscoveryProvider.yaml b/charts/zero-trust-workload-identity-manager/templates/SpireOIDCDiscoveryProvider.yaml
@@ -3,7 +3,5 @@ kind: SpireOIDCDiscoveryProvider
 metadata:
   name: cluster
 spec:
-  trustDomain: {{ tpl .Values.spire.trustDomain $ }}
-  agentSocketName: {{ .Values.spire.oidcDiscoveryProvider.agentSocketName }}
   jwtIssuer: {{ include "zero-trust-workload-identity-manager.jwtIssuer" . }}
-  managedRoute: {{ (.Values.spire.oidcDiscoveryProvider.ingress.operatorManaged | default false) | quote }}
+  managedRoute: {{ (.Values.spire.oidcDiscoveryProvider.ingress.operatorManaged | default true) | quote }}
diff --git a/charts/zero-trust-workload-identity-manager/templates/SpireServer-Ingress.yaml b/charts/zero-trust-workload-identity-manager/templates/SpireServer-Ingress.yaml
@@ -1,16 +1,16 @@
-{{- if .Values.spire.server.ingress.enabled -}}
+{{- if not (eq .Values.spire.server.federation.ingress.operatorManaged "true") }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: spire-server
   namespace: {{ .Release.Namespace }}
-  {{- if .Values.spire.server.ingress.annotations }}
+  {{- if .Values.spire.server.federation.ingress.annotations }}
   annotations:
-  {{- tpl (toYaml .Values.spire.server.ingress.annotations) . | nindent 4 }}
+  {{- tpl (toYaml .Values.spire.server.federation.ingress.annotations) . | nindent 4 }}
   {{- end }}
 spec:
   rules:
-    - host: {{ tpl .Values.spire.server.ingress.host $ }}
+    - host: {{ tpl .Values.spire.server.federation.ingress.host $ }}
       http:
         paths:
           - pathType: ImplementationSpecific

diff --git a/charts/zero-trust-workload-identity-manager/templates/SpireServer.yaml b/charts/zero-trust-workload-identity-manager/templates/SpireServer.yaml
@@ -3,18 +3,27 @@ kind: SpireServer
 metadata:
   name: cluster
 spec:
-  trustDomain: {{ tpl .Values.spire.trustDomain $ }}
-  clusterName: {{ .Values.spire.clusterName }}
   caSubject:
     commonName: {{ .Values.spire.server.ca.commonName }}
     country: {{ .Values.spire.server.ca.country }}
     organization: {{ .Values.spire.server.ca.organization }}
   persistence:
-    {{- include "zero-trust-workload-identity-manager.server.persistence" . | nindent 4 }}
+    size: {{ .Values.spire.server.persistence.size }}
+    accessMode: {{ .Values.spire.server.persistence.accessMode }}
   datastore:
     databaseType: {{ .Values.spire.server.datastore.databaseType }}
     connectionString: {{ .Values.spire.server.datastore.connectionString }}
     maxOpenConns: {{ .Values.spire.server.datastore.maxOpenConns }} 
     maxIdleConns: {{ .Values.spire.server.datastore.maxIdleConns }}
     connMaxLifetime: {{ .Values.spire.server.datastore.connMaxLifetime }}
   jwtIssuer: {{ include "zero-trust-workload-identity-manager.jwtIssuer" . }}
+{{- if (eq .Values.spire.server.federation.ingress.operatorManaged "true") }}
+  federation:
+    bundleEndpoint:
+      profile: {{ .Values.spire.server.federation.bundleEndpoint.profile }}
+{{- if .Values.spire.server.federation.federatesWith }}
+    federatesWith:
+      {{- toYaml .Values.spire.server.federation.federatesWith | nindent 6 }}
+{{- end }}
+    managedRoute: {{ (.Values.spire.server.federation.ingress.operatorManaged | default false) | quote }}
+{{- end }}
diff --git a/charts/zero-trust-workload-identity-manager/templates/ZeroTrustWorkloadIdentityManager.yaml b/charts/zero-trust-workload-identity-manager/templates/ZeroTrustWorkloadIdentityManager.yaml
@@ -0,0 +1,8 @@
+apiVersion: operator.openshift.io/v1alpha1
+kind: ZeroTrustWorkloadIdentityManager
+metadata:
+ name: cluster
+spec:
+ trustDomain: {{ tpl .Values.spire.trustDomain $ }}
+ clusterName: {{ .Values.spire.clusterName }}
+ bundleConfigMap: {{ .Values.spire.bundleConfigMap }}
diff --git a/charts/zero-trust-workload-identity-manager/templates/_helpers.tpl b/charts/zero-trust-workload-identity-manager/templates/_helpers.tpl
@@ -61,21 +61,6 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
-{{/*
-Create the Spire server persistence configuration.
-*/}}
-{{- define "zero-trust-workload-identity-manager.server.persistence" -}}
-{{- if (eq .Values.spire.server.persistence.type "pvc") }}
-size: {{ .Values.spire.server.persistence.size }}
-accessMode: {{ .Values.spire.server.persistence.accessMode }}
-{{- else if (eq .Values.spire.server.persistence.type "hostPath") }}
-hostPath: {{ .Values.spire.server.persistence.hostPath }}
-{{- else }}
-{{- fail (printf "Unsupported persistence type: '%s'. Valid values are 'pvc' or 'hostPath'" .Values.spire.server.persistence.type) }}
-{{- end }}
-type: {{ .Values.spire.server.persistence.type }}
-{{- end }}
-
 {{/*
 Create the name of the service account to use
 */}}

diff --git a/charts/zero-trust-workload-identity-manager/values.yaml b/charts/zero-trust-workload-identity-manager/values.yaml
@@ -4,11 +4,12 @@ global:
 
 spiffe:
   csi:
-    agentSocketPath: "/run/spire/agent-sockets/spire-agent.sock"
+    agentSocketPath: "/run/spire/agent-sockets"
 
 spire:
   trustDomain: "{{ .Values.global.localClusterDomain }}"
   clusterName: "cluster"
+  bundleConfigMap: "spire-bundle"
 
   agent:
     nodeAttestor:
@@ -21,9 +22,8 @@ spire:
         hostCertFileName: ""
 
   oidcDiscoveryProvider:
-    agentSocketName: "spire-agent.sock"
     ingress:
-      operatorManaged: "false"
+      operatorManaged: "true"
       annotations:
         route.openshift.io/termination: reencrypt
       host: "spire-spiffe-oidc-discovery-provider.{{ .Values.global.localClusterDomain }}"
@@ -39,20 +39,23 @@ spire:
     service:
       name: spire-server
       port: 443
-    ingress:
-      enabled: true
-      annotations:
-        route.openshift.io/termination: passthrough
-      host: "spire-server.{{ .Values.global.localClusterDomain }}"
     persistence:
-      type: pvc
       size: 5Gi
       accessMode: ReadWriteOnce
       storageClass: ""
-      hostPath: ""
     datastore:
       databaseType: sqlite3
       connectionString: /run/spire/data/datastore.sqlite3
       maxOpenConns: 100
-      maxIdleConns: 2
-      connMaxLifetime: 3600
+      maxIdleConns: 10
+      connMaxLifetime: 0
+    federation:
+      enabled: "false"
+      federatesWith: []
+      bundleEndpoint:
+        profile: "https_spiffe"
+      ingress:
+        operatorManaged: "true"
+        annotations:
+          route.openshift.io/termination: passthrough
+        host: "spire-server.{{ .Values.global.localClusterDomain }}"
diff --git a/values-hub.yaml b/values-hub.yaml
@@ -89,7 +89,7 @@ clusterGroup:
     zero-trust-workload-identity-manager:
       name: openshift-zero-trust-workload-identity-manager
       namespace: zero-trust-workload-identity-manager
-      channel: tech-preview-v0.2
+      channel: stable-v1
       catalogSource: redhat-marketplace
     compliance-operator:
       name: compliance-operator