hashicorp
diff --git a/‎.github/actions/integration-test/action.yml
Lines changed: 2 additions & 1 deletion b/‎.github/actions/integration-test/action.yml
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/pull_request_template.md
Lines changed: 11 additions & 0 deletions b/‎.github/pull_request_template.md
Lines changed: 11 additions & 0 deletions
diff --git a/‎.github/workflows/build.yaml
Lines changed: 7 additions & 7 deletions b/‎.github/workflows/build.yaml
Lines changed: 7 additions & 7 deletions
diff --git a/‎.github/workflows/jira.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/jira.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.go-version
Lines changed: 1 addition & 1 deletion b/‎.go-version
Lines changed: 1 addition & 1 deletion
diff --git a/‎.release/security-scan.hcl
Lines changed: 15 additions & 12 deletions b/‎.release/security-scan.hcl
Lines changed: 15 additions & 12 deletions
diff --git a/‎Dockerfile
Lines changed: 2 additions & 2 deletions b/‎Dockerfile
Lines changed: 2 additions & 2 deletions
diff --git a/‎chart/templates/_helpers.tpl
Lines changed: 14 additions & 0 deletions b/‎chart/templates/_helpers.tpl
Lines changed: 14 additions & 0 deletions
diff --git a/‎chart/templates/deployment.yaml
Lines changed: 10 additions & 0 deletions b/‎chart/templates/deployment.yaml
Lines changed: 10 additions & 0 deletions
diff --git a/‎chart/templates/hook-upgrade-crds.yaml
Lines changed: 3 additions & 0 deletions b/‎chart/templates/hook-upgrade-crds.yaml
Lines changed: 3 additions & 0 deletions
@@ -67,7 +67,7 @@ runs:
         cluster_name: ${{ inputs.kind-cluster-name }}
         config: test/integration/kind/config.yaml
         node_image: kindest/node:v${{ inputs.k8s-version }}
-        version: "v0.27.0"
+        version: "v0.30.0"
     - name: Create kind export log root
       id: create_kind_export_log_root
       shell: bash
@@ -101,6 +101,7 @@ runs:
         HCP_PROJECT_ID: ${{ inputs.hcp-project-id }}
         HCP_CLIENT_ID: ${{ inputs.hcp-client-id }}
         HCP_CLIENT_SECRET: ${{ inputs.hcp-client-secret }}
+        SKIP_HCPVSAPPS_TESTS: "true"
         GITHUB_TOKEN: ${{ inputs.github-token }}
         # used by scripts that fetch build tools from GH
         GH_GET_RETRIES: 5
 
@@ -0,0 +1,11 @@
+## PCI review checklist
+
+<!-- heimdall_github_prtemplate:grc-pci_dss-2024-01-05 -->
+
+- [ ] I have documented a clear reason for, and description of, the change I am making.
+
+- [ ] If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
+
+- [ ] If applicable, I've documented the impact of any changes to security controls.
+
+  Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.
@@ -89,7 +89,7 @@ jobs:
       - run: npm install -g bats@${BATS_VERSION}
         shell: bash
         env:
-          BATS_VERSION: '1.10.0'
+          BATS_VERSION: '1.12.0'
       - run: bats -v
         shell: bash
       - run: make unit-test
@@ -348,11 +348,11 @@ jobs:
       - run: echo "setting versions"
     outputs:
       # JSON encoded array of k8s versions
-      K8S_VERSIONS: '["1.32.3", "1.31.6", "1.30.10", "1.29.14", "1.28.15"]'
-      VAULT_N: "1.19.0"
-      VAULT_N_1: "1.18.5"
-      VAULT_N_2: "1.17.12"
-      VAULT_LTS_1: "1.16.16"
+      K8S_VERSIONS: '["1.33.4", "1.32.8", "1.31.12", "1.30.13", "1.29.14"]'
+      VAULT_N: "1.20.3"
+      VAULT_N_1: "1.19.9"
+      VAULT_N_2: "1.18.14"
+      VAULT_LTS_1: "1.16.25"
   oom-tests:
     runs-on: ubuntu-latest
     needs:
@@ -375,7 +375,7 @@ jobs:
       - name: Install kind
         uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
-          version: "v0.27.0"
+          version: "v0.30.0"
           install_only: true
       - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
         id: setup-helm
 
@@ -14,4 +14,4 @@ jobs:
       JIRA_SYNC_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }}
       JIRA_SYNC_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }}
     with:
-      teams-array: '["ecosystem", "foundations-eco", "vault-eco"]'
+      teams-array: '["vault-eco-infra"]'
@@ -1 +1 @@
-1.23.6
+1.24.7
@@ -1,22 +1,16 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
 
-container {
-	dependencies = true
-	alpine_secdb = true
-	secrets {
-		all = true
-	}
-}
-
 binary {
+	go_stdlib  = true // Scan the Go standard library used to build the binary.
+	go_modules = true // Scan the Go modules included in the binary.
+	osv        = true // Use the OSV vulnerability database.
+	oss_index  = true // And use OSS Index vulnerability database.
+
 	secrets {
 		all = true
 	}
-	go_modules   = true
-	osv          = true
-	oss_index    = false
-	nvd          = false
+
 	triage {
 		suppress {
 			vulnerabilities = [
@@ -29,3 +23,12 @@ binary {
 		}
 	}
 }
+
+container {
+	dependencies = true // Scan any installed packages for vulnerabilities.
+	osv          = true // Use the OSV vulnerability database.
+
+	secrets {
+		all = true
+	}
+}
@@ -94,12 +94,12 @@ ENTRYPOINT ["/vault-secrets-operator"]
 
 # ubi build image
 # -----------------------------------
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5 AS build-ubi
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.6 AS build-ubi
 RUN microdnf --refresh --assumeyes upgrade ca-certificates
 
 # ubi release image
 # -----------------------------------
-FROM registry.access.redhat.com/ubi9/ubi-micro:9.5 AS release-ubi
+FROM registry.access.redhat.com/ubi9/ubi-micro:9.6 AS release-ubi
 
 ENV BIN_NAME=vault-secrets-operator
 ARG PRODUCT_VERSION
 
@@ -345,3 +345,17 @@ clientCache numLocks
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+topologySpreadConstraints appends the "vso.chart.selectorLabels" to .Values.controller.topologySpreadConstraints if no labelSelector was specified
+*/}}
+{{- define "vso.topologySpreadConstraints" -}}
+{{- $defaultLabelSelector := dict "labelSelector" (dict "matchLabels" (include "vso.chart.selectorLabels" . | fromYaml)) -}}
+{{- range $topologySpreadConstraint := .Values.controller.topologySpreadConstraints -}}
+{{- if hasKey $topologySpreadConstraint "labelSelector" -}}
+{{- $topologySpreadConstraint | list | toYaml -}}
+{{- else -}}
+{{- merge $topologySpreadConstraint $defaultLabelSelector | list | toYaml -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
@@ -141,6 +141,9 @@ spec:
         volumeMounts:
         - mountPath: /var/run/podinfo
           name: podinfo
+      {{- if .Values.controller.priorityClassName }}
+      priorityClassName: {{ .Values.controller.priorityClassName }}
+      {{- end }}
       securityContext:
         {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
       serviceAccountName: {{ include "vso.chart.fullname" . }}-controller-manager
@@ -161,6 +164,10 @@ spec:
       affinity:
       {{- toYaml .Values.controller.affinity | nindent 8 }}
       {{- end }}
+      {{- if .Values.controller.topologySpreadConstraints }}
+      topologySpreadConstraints:
+      {{- include "vso.topologySpreadConstraints" . | nindent 8 }}
+      {{- end }}
       volumes:
       - downwardAPI:
           items:
@@ -220,6 +227,9 @@ spec:
         securityContext:
         {{- toYaml .| nindent 10 }}
         {{- end}}
+      {{- if .Values.controller.priorityClassName }}
+      priorityClassName: {{ .Values.controller.priorityClassName }}
+      {{- end }}
       restartPolicy: Never
       {{- with .Values.controller.nodeSelector }}
       nodeSelector:
 
@@ -106,6 +106,9 @@ spec:
         securityContext:
         {{- toYaml .| nindent 10 }}
         {{- end}}
+      {{- if .Values.controller.priorityClassName }}
+      priorityClassName: {{ .Values.controller.priorityClassName }}
+      {{- end }}
       restartPolicy: Never
       {{- with .Values.controller.nodeSelector }}
       nodeSelector: