nginxinc
diff --git a/‎helm-chart/Chart.yaml
+2-2 b/‎helm-chart/Chart.yaml
+2-2
diff --git a/‎helm-chart/configs/grafana-top-dashboard.json
+4-4 b/‎helm-chart/configs/grafana-top-dashboard.json
+4-4
diff --git a/‎helm-chart/configs/k8s-workload-registrar.conf
+2 b/‎helm-chart/configs/k8s-workload-registrar.conf
+2
diff --git a/‎helm-chart/configs/mesh-config.conf
+17-5 b/‎helm-chart/configs/mesh-config.conf
+17-5
diff --git a/‎helm-chart/configs/spire-server.conf
+3 b/‎helm-chart/configs/spire-server.conf
+3
diff --git a/‎helm-chart/configs/upstreamAuthority/cert-manager-ua.conf
+12 b/‎helm-chart/configs/upstreamAuthority/cert-manager-ua.conf
+12
diff --git a/‎helm-chart/templates/_helpers.tpl
+8-2 b/‎helm-chart/templates/_helpers.tpl
+8-2
diff --git a/‎helm-chart/templates/grafana.yaml
+1-1 b/‎helm-chart/templates/grafana.yaml
+1-1
diff --git a/‎helm-chart/templates/jaeger.yaml
+7-3 b/‎helm-chart/templates/jaeger.yaml
+7-3
diff --git a/‎helm-chart/templates/nats.yaml
+1-1 b/‎helm-chart/templates/nats.yaml
+1-1
diff --git a/‎helm-chart/templates/nginx-mesh-api.yaml
+49 b/‎helm-chart/templates/nginx-mesh-api.yaml
+49
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: nginx-service-mesh
 description: NGINX Service Mesh
-version: 0.3.1
-appVersion: 1.3.1
+version: 0.4.0
+appVersion: 1.4.0
 kubeVersion: ">= 1.18-0"
 icon: https://raw.githubusercontent.com/nginxinc/nginx-service-mesh/master/helm-chart/chart-icon.png
@@ -310,7 +310,7 @@
           "alertThreshold": true
         },
         "percentage": false,
-        "pluginVersion": "8.1.7",
+        "pluginVersion": "8.3.4",
         "pointradius": 5,
         "points": false,
         "renderer": "flot",
@@ -405,7 +405,7 @@
           "alertThreshold": true
         },
         "percentage": false,
-        "pluginVersion": "8.1.7",
+        "pluginVersion": "8.3.4",
         "pointradius": 5,
         "points": false,
         "renderer": "flot",
@@ -502,7 +502,7 @@
           "alertThreshold": true
         },
         "percentage": false,
-        "pluginVersion": "8.1.7",
+        "pluginVersion": "8.3.4",
         "pointradius": 2,
         "points": false,
         "renderer": "flot",
@@ -596,7 +596,7 @@
           "alertThreshold": true
         },
         "percentage": false,
-        "pluginVersion": "8.1.7",
+        "pluginVersion": "8.3.4",
         "pointradius": 2,
         "points": false,
         "renderer": "flot",
 
@@ -6,4 +6,6 @@ pod_controller = true
 add_svc_dns_name = true
 mode = "crd"
 webhook_enabled = true
+webhook_cert_dir = "/tmp/k8s-webhook-server/serving-certs"
 identity_template_label = "spiffe.io/spiffeid"
+dns_name_templates = ["{{`{{ .Pod.Name}}`}}", "{{`{{ .Pod.ServiceAccount }}`}}.{{`{{ .Pod.Namespace }}`}}.svc"]
@@ -1,12 +1,13 @@
 {
     "accessControlMode": {{ quote .Values.accessControlMode }},
     "api": {
-      "address": {{ printf "nginx-mesh-api.%s" .Release.Namespace }},
+      "address": {{ printf "nginx-mesh-api.%s" .Release.Namespace | quote }},
       "containerPort": 8443,
       "port": 443
     },
     "autoInjectorPort": 9443,
     "environment": {{ quote .Values.environment }},
+    "isUDPEnabled": {{ .Values.enableUDP }},
     "injection": {
       "disabledNamespaces": [{{ range $idx, $elem := .Values.autoInjection.disabledNamespaces }}{{if $idx}},{{end}}{{quote .}}{{end}}],
       "enabledNamespaces": [{{ range $idx, $elem := .Values.autoInjection.enabledNamespaces }}{{if $idx}},{{end}}{{quote .}}{{end}}],
@@ -35,6 +36,8 @@
         "incomingTcp": 8904,
         "incomingTcpDeny": 8905,
         "incomingTcpPermissive": 8907,
+        "outgoingUdp": 8908,
+        "incomingUdp": 8909,
         "metrics": 8887,
         "outgoing": 8889,
         "outgoingDefaultEgress": 8894,
@@ -50,18 +53,27 @@
     },
     "registryKeyName": {{ if (include "docker-config-json" .) }}{{ include "registry-key-name" . | quote }}{{ else }}""{{ end }},
     "sidecarImage": {
-      "image": {{ printf "%s/nginx-mesh-sidecar:%s" .Values.registry.server .Values.registry.imageTag }},
+      "image": {{ printf "%s/nginx-mesh-sidecar:%s" .Values.registry.server .Values.registry.imageTag | quote }},
       "name": "nginx-mesh-sidecar"
     },
     "sidecarInitImage": {
-      "image": {{ printf "%s/nginx-mesh-init:%s" .Values.registry.server .Values.registry.imageTag }},
+      "image": {{ printf "%s/nginx-mesh-init:%s" .Values.registry.server .Values.registry.imageTag | quote }},
       "name": "nginx-mesh-init"
     },
-    "tracing": {
+    "tracing": {{if .Values.tracing }}{
       "backend": {{ quote .Values.tracing.backend }},
       "backendAddress": {{ include "tracing.address" . | quote }},
       "isEnabled": {{ not .Values.tracing.disable }},
       "sampleRate": {{ .Values.tracing.sampleRate }}
-    },
+    },{{ else }}{},{{ end }}
+    "telemetry": {{ if .Values.telemetry }}{
+        "exporters": {
+            "otlp": {
+                "host": {{ quote .Values.telemetry.exporters.otlp.host }},
+                "port": {{ .Values.telemetry.exporters.otlp.port }}
+            }
+        },
+        "samplerRatio": {{ .Values.telemetry.samplerRatio }}
+    },{{ else }}{},{{ end }}
     "trustDomain": {{ quote .Values.mtls.trustDomain }}
   }
@@ -57,13 +57,16 @@ plugins {
   {{ tpl (.Files.Get "configs/upstreamAuthority/disk-ua.conf") . }}
   {{ else if .Values.mtls.upstreamAuthority.vault }}
   {{ tpl (.Files.Get "configs/upstreamAuthority/vault-ua.conf") . }}
+  {{ else if .Values.mtls.upstreamAuthority.certManager }}
+  {{ tpl (.Files.Get "configs/upstreamAuthority/cert-manager-ua.conf") . }}
   {{ end }}
 
 }
 
 health_checks {
   listener_enabled = true
   bind_address = "0.0.0.0"
+  bind_port = "8082"
   live_path = "/live"
   ready_path = "/ready"
 }
@@ -0,0 +1,12 @@
+UpstreamAuthority "cert-manager" {
+    plugin_data {
+        namespace = {{ quote .Values.mtls.upstreamAuthority.certManager.namespace }}
+        issuer_name = {{ quote .Values.mtls.upstreamAuthority.certManager.issuerName }}
+        {{- if .Values.mtls.upstreamAuthority.certManager.issuerKind }}
+        issuer_kind = {{ quote .Values.mtls.upstreamAuthority.certManager.issuerKind }}{{ end }}
+        {{- if .Values.mtls.upstreamAuthority.certManager.issuerGroup }}
+        issuer_group = {{ quote .Values.mtls.upstreamAuthority.certManager.issuerGroup }}{{ end }}
+        {{- if .Values.mtls.upstreamAuthority.certManager.kubeConfig }}
+        kube_config_file = "/run/spire/secrets/cert-manager-kubeconfig"{{ end }}
+    }
+}
@@ -89,6 +89,8 @@ credentials {{- end }}
 upstreamCA.key
 {{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}}
 upstreamClient.key{{ end }}
+{{- else if .Values.mtls.upstreamAuthority.certManager }}{{ if .Values.mtls.upstreamAuthority.certManager.kubeConfig -}}
+cert-manager-kubeconfig{{ end }}
 {{- end }}
 {{- end }}
 
@@ -102,6 +104,8 @@ Define the name of the mount path where the Upstream Authority secret data is st
 /run/spire/secrets
 {{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}}
 /run/spire/secrets{{ end }}
+{{- else if .Values.mtls.upstreamAuthority.certManager }}{{ if .Values.mtls.upstreamAuthority.certManager.kubeConfig -}}
+/run/spire/secrets{{ end }}
 {{- end }}
 {{- end }}
 
@@ -128,15 +132,17 @@ upstreamBundle.crt: {{ quote .Values.mtls.upstreamAuthority.awsPCA.supplementalB
 {{- end }}
 
 {{/*
-Define the Upstream Authority key to be stored in the Secret.
+Define the Upstream Authority value to be stored in the Secret.
 */}}
-{{- define "ua-upstream-key" -}}
+{{- define "ua-secret-value" -}}
 {{- if .Values.mtls.upstreamAuthority.awsPCA -}}
 {{ tpl (.Files.Get "configs/upstreamAuthority/aws-credentials.conf") . | b64enc }}
 {{- else if .Values.mtls.upstreamAuthority.disk -}}
 {{ .Values.mtls.upstreamAuthority.disk.key | b64enc }}
 {{- else if .Values.mtls.upstreamAuthority.vault }}{{ if .Values.mtls.upstreamAuthority.vault.certAuth -}}
 {{ .Values.mtls.upstreamAuthority.vault.certAuth.clientKey | b64enc }}{{ end }}
+{{- else if .Values.mtls.upstreamAuthority.certManager }}{{ if .Values.mtls.upstreamAuthority.certManager.kubeConfig -}}
+{{ .Values.mtls.upstreamAuthority.certManager.kubeConfig | b64enc }}{{ end }}
 {{- end }}
 {{- end }}
 
 
@@ -100,7 +100,7 @@ spec:
       serviceAccountName: grafana
       containers:
       - name: grafana
-        image: {{ include "grafana.image-server" . }}/grafana:8.1.7
+        image: {{ include "grafana.image-server" . }}/grafana:8.3.4
         imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
         ports:
         - containerPort: 3000
 
@@ -1,4 +1,4 @@
-{{- if (and (not .Values.tracing.disable) (eq .Values.tracing.backend "jaeger") (eq .Values.tracing.address "")) }}
+{{- if .Values.tracing }} {{ if (and (not .Values.tracing.disable) (eq .Values.tracing.backend "jaeger") (eq .Values.tracing.address "")) }}
 ---
 apiVersion: v1
 kind: Service
@@ -20,6 +20,10 @@ spec:
     port: 6831
     targetPort: 6831
     protocol: UDP
+  - name: collector-http
+    port: 14268
+    protocol: TCP
+    targetPort: 14268
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -47,10 +51,10 @@ spec:
       - name: {{ include "registry-key-name" . }}
       containers:
       - name: jaeger
-        image: {{ include "jaeger.image-server" . }}/all-in-one:1.26.0
+        image: {{ include "jaeger.image-server" . }}/all-in-one:1.31.0
         imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
         ports:
         - containerPort: 16686
         - containerPort: 6831
           protocol: UDP
-{{- end }}
+{{- end }}{{- end }}
@@ -103,7 +103,7 @@ spec:
         - name: spire-agent-socket
           mountPath: "/run/spire/sockets"
       - name: nats-server
-        image: {{ include "nats.image-server" . }}nats:2.4.0-alpine3.14
+        image: {{ include "nats.image-server" . }}nats:2.7.2-alpine3.15
         imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
         ports:
         - containerPort: 4222
 
@@ -164,6 +164,36 @@ subjects:
   name: nginx-mesh-api
   namespace: {{ .Release.Namespace }}
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: nginx-mesh-api-svc.internal.builtin.nsm.nginx
+  labels:
+    app.kubernetes.io/part-of: nginx-service-mesh
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: nginx-mesh-api
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: nginx-mesh-api-svc.internal.builtin.nsm.nginx
+  labels:
+    app.kubernetes.io/part-of: nginx-service-mesh
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+  - kind: ServiceAccount
+    name: nginx-mesh-api
+    namespace: {{ .Release.Namespace }}
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -374,6 +404,23 @@ spec:
           path: "/run/spire/sockets"
           type: DirectoryOrCreate
         {{- end }}
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  labels:
+    app.kubernetes.io/part-of: nginx-service-mesh
+    spiffe.io/apiservice: "true"
+  name: v1alpha1.nsm.nginx.com
+spec:
+  group: nsm.nginx.com
+  groupPriorityMinimum: 100
+  service:
+    name: nginx-mesh-api
+    namespace: {{ .Release.Namespace}}
+    port: 443
+  version: v1alpha1
+  versionPriority: 100
 {{- if eq .Values.environment "openshift" }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -476,6 +523,8 @@ allowPrivilegedContainer: false
 allowedCapabilities:
 - NET_ADMIN
 - NET_RAW
+- SYS_RESOURCE
+- SYS_ADMIN
 seLinuxContext:
   type: RunAsAny
 runAsUser: