From 4367b44305c48e94c79c0cccd7b9afd68302c367 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Mon, 21 Jul 2025 13:48:33 +0100
Subject: [PATCH 1/5] chore: changes to jetstack-agent chart to use new Agent image
Signed-off-by: Ashley Davis
---
 .../jetstack-agent/templates/deployment.yaml | 28 ++++++++++++++----
 deploy/charts/jetstack-agent/values.yaml | 4 +--
 hack/install_local_jetstack_secure_chart.sh | 29 +++++++++++++++++++
 3 files changed, 53 insertions(+), 8 deletions(-)
 create mode 100755 hack/install_local_jetstack_secure_chart.sh
diff --git a/deploy/charts/jetstack-agent/templates/deployment.yaml b/deploy/charts/jetstack-agent/templates/deployment.yaml
index 64b0be22..6c156df4 100644
--- a/deploy/charts/jetstack-agent/templates/deployment.yaml
+++ b/deploy/charts/jetstack-agent/templates/deployment.yaml
@@ -33,14 +33,30 @@ spec:
 {{- toYaml .Values.securityContext | nindent 12 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
- {{- if eq .Values.authentication.type "token" }}
 env:
- - name: API_TOKEN
- valueFrom:
- secretKeyRef:
- name: {{ default "agent-credentials" .Values.authentication.secretName }}
- key: {{ default "apitoken" .Values.authentication.secretKey }}
+ {{- if eq .Values.authentication.type "token" }}
+ - name: API_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: {{ default "agent-credentials" .Values.authentication.secretName }}
+ key: {{ default "apitoken" .Values.authentication.secretKey }}
 {{- end }}
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_UID
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.uid
+ - name: POD_NODE
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
 {{- if not (empty .Values.command) }}
 command:
 {{- range .Values.command }}
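Review bot: The re-indented `name:` and `key:` lines of the `secretKeyRef` in deployment.yaml still render `.Values.authentication.secretName` and `.Values.authentication.secretKey` unquoted, so an override that looks like a number or a boolean would not reach the API server as a string; `name: {{ default "agent-credentials" .Values.authentication.secretName | quote }}` (and the same for `key:`) avoids that. The four downward-API variables added after `{{- end }}` (`POD_NAMESPACE`, `POD_NAME`, `POD_UID`, `POD_NODE`) are injected unconditionally with nothing saying what reads them; a comment above the first entry such as `# Pod identity from the downward API; presumably read by the new agent image (confirm)` would help the next editor decide whether they can be dropped. The container spec starts and ends outside the hunk.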
diff --git a/deploy/charts/jetstack-agent/values.yaml b/deploy/charts/jetstack-agent/values.yaml
index 351b55a7..5835b9de 100644
--- a/deploy/charts/jetstack-agent/values.yaml
+++ b/deploy/charts/jetstack-agent/values.yaml
@@ -7,11 +7,11 @@ replicaCount: 1
 image:
 # -- Default to Open Source image repository
- repository: quay.io/jetstack/preflight
+ repository: "registry.venafi.cloud/venafi-agent/venafi-agent"
 # -- Defaults to only pull if not already present
 pullPolicy: IfNotPresent
 # -- Overrides the image tag whose default is the chart appVersion
- tag: "v0.1.43"
+ tag: "v1.6.0"
 # -- Specify image pull credentials if using a prviate registry
 imagePullSecrets: []
diff --git a/hack/install_local_jetstack_secure_chart.sh b/hack/install_local_jetstack_secure_chart.sh
new file mode 100755
index 00000000..d19c6fd3
--- /dev/null
+++ b/hack/install_local_jetstack_secure_chart.sh
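Review bot: In values.yaml the unchanged comment `# -- Default to Open Source image repository` now sits directly above `repository: "registry.venafi.cloud/venafi-agent/venafi-agent"`, so it describes the registry that was just replaced; reword it, e.g. `# -- Image repository of the agent`. The default is still a mutable tag (`v1.6.0`) combined with `pullPolicy: IfNotPresent`, so a node keeps whatever it first pulled under that tag; if the chart can take an optional digest value, pinning by digest would make the registry switch verifiable. Whether the new registry allows anonymous pulls is not visible here, and `imagePullSecrets` still defaults to `[]`.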
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+# This script is provided to quickly install the Jetstack Secure Helm chart from the local checkout
+# into a Kind cluster, for testing changes to the legacy chart with Jetstack Secure.
+#
+# This script should be invoked from the root of the repository, e.g.:
+# ./hack/install_local_jetstack_secure_chart.sh
+
+TLSPK_ORG="${TLSPK_ORG:-jetstack}"
+TLSPK_CLUSTER_NAME="jss_test_$(date +"%Y%m%d_%H%M")"
+
+helm install cert-manager oci://quay.io/jetstack/charts/cert-manager:v1.18.2 \
+ --set crds.enabled=true \
+ --namespace cert-manager \
+ --create-namespace \
+ --set 'extraArgs={--dns01-recursive-nameservers-only,--dns01-recursive-nameservers=https://1.1.1.1/dns-query}'
+
+kubectl create namespace jetstack-secure || :
+
+# Get credentials from: https://platform.jetstack.io/org/jetstack/manage/service_accounts
+# Save them as JSON a file named credentials.json
+kubectl create secret generic agent-credentials --namespace jetstack-secure --from-file=credentials.json || :
+
+helm upgrade --install --create-namespace -n jetstack-secure jetstack-agent \
+ ./deploy/charts/jetstack-agent \
+ --set config.organisation="${TLSPK_ORG}" \
+ --set config.cluster="${TLSPK_CLUSTER_NAME}"
From c2033a32efc2f3b00134e7e09a520e2bbfc33de6 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Tue, 22 Jul 2025 15:48:22 +0100
Subject: [PATCH 2/5] Fix the invalid API group rule for clusterrole jetstack-agent-openshift-reader xref: * https://github.com/jetstack/jetstack-secure/pull/620 * https://github.com/jetstack/jetstack-secure/pull/620/commits/11b22abbb7027e9c68b0c7f15d7abb74fe5a4e73
Signed-off-by: Richard Wall
---
 deploy/charts/jetstack-agent/templates/rbac.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/charts/jetstack-agent/templates/rbac.yaml b/deploy/charts/jetstack-agent/templates/rbac.yaml
index 3cb3c2f9..d3b10a71 100644
--- a/deploy/charts/jetstack-agent/templates/rbac.yaml
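Review bot: Both `kubectl create … || :` lines in hack/install_local_jetstack_secure_chart.sh discard every failure, not only "already exists", so a missing credentials.json or an unreachable cluster is swallowed and the script goes on to install the agent without usable credentials. An existing `agent-credentials` secret is also left untouched, which means refreshed credentials are never applied on a re-run. The header comment says the target is a Kind cluster, yet the script acts on whatever the current kubectl context is, and the plain `helm install cert-manager` aborts a second run under `set -e` where `helm upgrade --install` (already used for the agent) would not. A sketch of the guards follows; it is also worth confirming that credentials.json in the repository root is git-ignored.

```shell
# Refuse to run against anything but a Kind cluster (Kind names its contexts "kind-<cluster>").
current_context="$(kubectl config current-context)"
if [[ "${current_context}" != kind-* ]]; then
  echo "refusing to install into non-Kind context: ${current_context}" >&2
  exit 1
fi

# … unchanged: TLSPK_* defaults and cert-manager install …

if [[ ! -f credentials.json ]]; then
  echo "credentials.json not found in $(pwd)" >&2
  exit 1
fi

# Create-or-update, so real errors still stop the script and new credentials replace old ones.
kubectl create namespace jetstack-secure --dry-run=client -o yaml | kubectl apply -f -
kubectl create secret generic agent-credentials --namespace jetstack-secure \
  --from-file=credentials.json --dry-run=client -o yaml | kubectl apply -f -

# … unchanged: helm upgrade --install jetstack-agent …
```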
+++ b/deploy/charts/jetstack-agent/templates/rbac.yaml
@@ -200,7 +200,7 @@ metadata:
 labels:
 {{- include "jetstack-agent.labels" . | nindent 4 }}
 rules:
- - apiGroups: ["*.openshift.io"]
+ - apiGroups: ["route.openshift.io"]
 resources:
 - routes
 verbs: ["get", "list", "watch"]
From 96cd2c063116f320eba1d53b7ebbde9480afab83 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Tue, 22 Jul 2025 16:14:39 +0100
Subject: [PATCH 3/5] Update Docker image repo in helm unittest
Signed-off-by: Richard Wall
---
 deploy/charts/jetstack-agent/tests/deployment_test.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/charts/jetstack-agent/tests/deployment_test.yaml b/deploy/charts/jetstack-agent/tests/deployment_test.yaml
index 72ed79ea..e847dcb7 100644
--- a/deploy/charts/jetstack-agent/tests/deployment_test.yaml
+++ b/deploy/charts/jetstack-agent/tests/deployment_test.yaml
@@ -20,7 +20,7 @@ tests:
 # Check is latest is set as tag that it uses that tag
 - equal:
 path: spec.template.spec.containers[0].image
- value: quay.io/jetstack/preflight:latest
+ value: registry.venafi.cloud/venafi-agent/venafi-agent:latest
 # Check naming works with nameOverride
 - it: Deployment name is set when nameOverride is used
From 6478d30d0a3b3d735ebb4055bbd83b96a9ee4161 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Tue, 22 Jul 2025 16:27:07 +0100
Subject: [PATCH 4/5] Update jetstack-secure Chart.yaml according to the release process documented in README.md
Signed-off-by: Richard Wall
---
 deploy/charts/jetstack-agent/Chart.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deploy/charts/jetstack-agent/Chart.yaml b/deploy/charts/jetstack-agent/Chart.yaml
index 31eb3780..9e78da1b 100644
--- a/deploy/charts/jetstack-agent/Chart.yaml
+++ b/deploy/charts/jetstack-agent/Chart.yaml
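Review bot: The corrected rule in templates/rbac.yaml carries nothing that tells the next editor why the group has to be spelled out: RBAC compares `apiGroups` entries exactly and only a lone `"*"` acts as a wildcard, so the old `"*.openshift.io"` granted nothing. A comment above the rule would guard against a regression, e.g. `# apiGroups are matched exactly; partial globs such as "*.openshift.io" never match`. The ClusterRole begins outside the hunk, so other rules written with the same pattern are not visible here and are worth a grep. The chart already has helm unittests (tests/deployment_test.yaml), so an assertion on this rule's `apiGroups` could sit alongside them.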
@@ -2,8 +2,8 @@ apiVersion: v2
 name: jetstack-agent
 description: TLS Protect for Kubernetes Agent
 type: application
-version: 0.4.0
-appVersion: "v0.1.43"
+version: 0.5.0-alpha.0
+appVersion: "v1.6.0"
 home: https://github.com/jetstack/jetstack-secure
 maintainers:
 - name: JSCP and CRE Team
From d3a6b7d96de39f346619491bde41d57350ecba5a Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Tue, 22 Jul 2025 16:47:49 +0100
Subject: [PATCH 5/5] Bump the chart version to 0.5.0 After verifying the release process with an alpha.0 pre-release
Signed-off-by: Richard Wall
---
 deploy/charts/jetstack-agent/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/charts/jetstack-agent/Chart.yaml b/deploy/charts/jetstack-agent/Chart.yaml
index 9e78da1b..556d6a89 100644
--- a/deploy/charts/jetstack-agent/Chart.yaml
+++ b/deploy/charts/jetstack-agent/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: jetstack-agent
 description: TLS Protect for Kubernetes Agent
 type: application
-version: 0.5.0-alpha.0
+version: 0.5.0
 appVersion: "v1.6.0"
 home: https://github.com/jetstack/jetstack-secure
 maintainers: