From f89075e7b9d004dc08b85fcc423b3cd3225811a0 Mon Sep 17 00:00:00 2001
From: Jan
Date: Wed, 22 Jan 2025 18:05:47 +0100
Subject: [PATCH 1/6] allow setting the enrollmentJwt from a secret
---
 charts/ziti-router/templates/deployment.yaml | 7 +++++++
 charts/ziti-router/values.yaml | 13 +++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/charts/ziti-router/templates/deployment.yaml b/charts/ziti-router/templates/deployment.yaml
index e107948f..1aa41f4d 100644
--- a/charts/ziti-router/templates/deployment.yaml
+++ b/charts/ziti-router/templates/deployment.yaml
@@ -59,7 +59,14 @@ spec:
 {{- end }}
 env:
 - name: ZITI_ENROLL_TOKEN
+ {{- if .Values.enrollmentJwtFromSecret }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ required (printf "You must set an enrollmentJwtSecretName, when using enrollmentJwtFromSecret. Try setting --set enrollmentJwtSecretName=myEnrollmentJwtSecret") .Values.enrollmentJwtSecretName }}
+ key: enrollmentJwt
+ {{- else }}
 value: {{ .Values.enrollmentJwt | quote }}
+ {{- end }}
 # must be true or enroll() will not be called
 - name: ZITI_BOOTSTRAP
 value: "true"
diff --git a/charts/ziti-router/values.yaml b/charts/ziti-router/values.yaml
index ad0e697d..81a93ce3 100644
--- a/charts/ziti-router/values.yaml
+++ b/charts/ziti-router/values.yaml
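Review bot: The `{{- if .Values.enrollmentJwtFromSecret }}` branch is the only place `enrollmentJwtSecretName` is consulted, so a user who sets the secret name but leaves the boolean at its default silently gets the plaintext `value: {{ .Values.enrollmentJwt | quote }}` branch (an empty token with the default values) instead of the Secret they configured. Consider deriving the mode from the name, `{{- if or .Values.enrollmentJwtFromSecret .Values.enrollmentJwtSecretName }}`, or failing the render with `required`/`fail` when the name is set while the flag is off, so the two values cannot disagree. The `key: enrollmentJwt` is hard-coded as well; an optional `enrollmentJwtSecretKey` value defaulting to `enrollmentJwt` would let operators point at an existing Secret without renaming its key. The enclosing container spec starts and ends outside the hunk.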
@@ -249,6 +249,19 @@ csr:
 execMountDir: /usr/local/bin
 # -- enrollment one time token from the controller's management API
 enrollmentJwt:
+# -- allow for using a secret to specify the enrollment token instead of unsing the enrollmentJwt field
+# if enabled, setting the enrollment token on the enrollmentJwt field has no effect
+enrollmentJwtFromSecret: false
+# -- set the enrollment jwt from a secret
+# The enrollment token secret must be of the following format:
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# name: myEnrollmentJwtSecret
+# type: Opaque
+# data:
+# enrollmentJwt:
+enrollmentJwtSecretName: ""
 # -- read-only mountpoint for router identity secret specified in deployment for use by router run container
 identityMountDir: /etc/ziti/identity
 # -- writeable mountpoint where read-only config file is projected to allow router
From eabf1336a4859cd123a0a7e428d88e64626d48e0 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 22 Jan 2025 17:06:13 +0000
Subject: [PATCH 2/6] helm-docs: automated action
---
 charts/ziti-router/README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/charts/ziti-router/README.md b/charts/ziti-router/README.md
index 286d7c95..405ba965 100644
--- a/charts/ziti-router/README.md
+++ b/charts/ziti-router/README.md
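Review bot: The example manifest placed under `# -- set the enrollment jwt from a secret` is folded into one run-on table cell, because helm-docs treats every `#` line that follows a `# --` line as continuation of that description; the generated README in the next patch of this series shows the result. Keep the `# --` description to a single sentence and move the example into a separate `#` comment block above it, separated by a blank line, so it stays readable in values.yaml and out of the table. The example should also state that `data:` values are base64-encoded (or use `stringData:`), and that nothing in this series creates the Secret — the operator has to create it before installing, since the `secretKeyRef` in the deployment is not marked optional and the container will not start until the key exists. Both `enrollmentJwtFromSecret` and `enrollmentJwtSecretName` are documented in isolation; one sentence on each saying the other must be set too would save a failed or silently misconfigured render.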
@@ -267,6 +267,8 @@ identity:
 | edge.service.labels | object | `{}` | service labels |
 | edge.service.type | string | `"ClusterIP"` | expose the service as a ClusterIP, NodePort, or LoadBalancer; default is ClusterIP, but you could use NodePort or LoadBalancer instead of an ingress controller |
 | enrollmentJwt | string | `nil` | enrollment one time token from the controller's management API |
+| enrollmentJwtFromSecret | bool | `false` | allow for using a secret to specify the enrollment token instead of unsing the enrollmentJwt field if enabled, setting the enrollment token on the enrollmentJwt field has no effect |
+| enrollmentJwtSecretName | string | `""` | set the enrollment jwt from a secret The enrollment token secret must be of the following format: apiVersion: v1 kind: Secret metadata: name: myEnrollmentJwtSecret type: Opaque data: enrollmentJwt: |
 | env | object | `{}` | assign key=value in pod environment |
 | execMountDir | string | `"/usr/local/bin"` | read-only mountpoint for executables (must be in image's executable search PATH) |
 | fabric.metrics.enabled | bool | `false` | configure fabric metrics in the router config |
From 4e28694a9229c0110d0a5754acb329d301975866 Mon Sep 17 00:00:00 2001
From: Jan
Date: Wed, 22 Jan 2025 19:15:44 +0100
Subject: [PATCH 3/6] fix spelling mistake in description of enrollmentJwtFromSecret property
---
 charts/ziti-router/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/ziti-router/values.yaml b/charts/ziti-router/values.yaml
index 81a93ce3..c3e86b4d 100644
--- a/charts/ziti-router/values.yaml
+++ b/charts/ziti-router/values.yaml
@@ -249,7 +249,7 @@ csr:
 execMountDir: /usr/local/bin
 # -- enrollment one time token from the controller's management API
 enrollmentJwt:
-# -- allow for using a secret to specify the enrollment token instead of unsing the enrollmentJwt field
+# -- allow for using a secret to specify the enrollment token instead of using the enrollmentJwt field
 # if enabled, setting the enrollment token on the enrollmentJwt field has no effect
 enrollmentJwtFromSecret: false
 # -- set the enrollment jwt from a secret
From 02d006ebf865ed37931fea74367d5ac513ed133d Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 22 Jan 2025 18:16:05 +0000
Subject: [PATCH 4/6] helm-docs: automated action
---
 charts/ziti-router/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/ziti-router/README.md b/charts/ziti-router/README.md
index 405ba965..45a2a2a1 100644
--- a/charts/ziti-router/README.md
+++ b/charts/ziti-router/README.md
@@ -267,7 +267,7 @@ identity:
 | edge.service.labels | object | `{}` | service labels |
 | edge.service.type | string | `"ClusterIP"` | expose the service as a ClusterIP, NodePort, or LoadBalancer; default is ClusterIP, but you could use NodePort or LoadBalancer instead of an ingress controller |
 | enrollmentJwt | string | `nil` | enrollment one time token from the controller's management API |
-| enrollmentJwtFromSecret | bool | `false` | allow for using a secret to specify the enrollment token instead of unsing the enrollmentJwt field if enabled, setting the enrollment token on the enrollmentJwt field has no effect |
+| enrollmentJwtFromSecret | bool | `false` | allow for using a secret to specify the enrollment token instead of using the enrollmentJwt field if enabled, setting the enrollment token on the enrollmentJwt field has no effect |
 | enrollmentJwtSecretName | string | `""` | set the enrollment jwt from a secret The enrollment token secret must be of the following format: apiVersion: v1 kind: Secret metadata: name: myEnrollmentJwtSecret type: Opaque data: enrollmentJwt: |
 | env | object | `{}` | assign key=value in pod environment |
 | execMountDir | string | `"/usr/local/bin"` | read-only mountpoint for executables (must be in image's executable search PATH) |
From e97c22fe87313be047501aa2157cdbb7bce77b4e Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Wed, 22 Jan 2025 16:35:06 -0500
Subject: [PATCH 5/6] codespell
---
 charts/ziti-controller/templates/ca-router-ctrl-identity.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/ziti-controller/templates/ca-router-ctrl-identity.yaml b/charts/ziti-controller/templates/ca-router-ctrl-identity.yaml
index 6504339a..5e560226 100644
--- a/charts/ziti-controller/templates/ca-router-ctrl-identity.yaml
+++ b/charts/ziti-controller/templates/ca-router-ctrl-identity.yaml
@@ -2,7 +2,7 @@
 # CA to issue the controller's router control plane identity. This CA issues the
 # server certificate that is presented by the controller to routers when they
 # connect to the controller's "ctrl" endpoint, i.e. the router control plane. The
-# same server certificate is re-used as a default identity if an alternative
+# same server certificate is reused as a default identity if an alternative
 # identity is not configured for a particular server TLS binding, e.g., web
 # binding for the client API.
 ######
From 6503cb9f1724e4d5b1d64acaab04caf1c94cc2b7 Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Thu, 23 Jan 2025 09:58:38 -0500
Subject: [PATCH 6/6] bump router chart version
---
 charts/ziti-router/Chart.yaml | 2 +-
 charts/ziti-router/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/ziti-router/Chart.yaml b/charts/ziti-router/Chart.yaml
index b11bc7dd..abe1e7e6 100644
--- a/charts/ziti-router/Chart.yaml
+++ b/charts/ziti-router/Chart.yaml
@@ -3,4 +3,4 @@ appVersion: 1.1.16
 description: Host an OpenZiti router in Kubernetes
 name: ziti-router
 type: application
-version: 1.1.4
+version: 1.1.5
diff --git a/charts/ziti-router/README.md b/charts/ziti-router/README.md
index 45a2a2a1..3f0285fa 100644
--- a/charts/ziti-router/README.md
+++ b/charts/ziti-router/README.md
@@ -1,7 +1,7 @@
 # ziti-router
-![Version: 1.1.4](https://img.shields.io/badge/Version-1.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.16](https://img.shields.io/badge/AppVersion-1.1.16-informational?style=flat-square)
+![Version: 1.1.5](https://img.shields.io/badge/Version-1.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.16](https://img.shields.io/badge/AppVersion-1.1.16-informational?style=flat-square)
 Host an OpenZiti router in Kubernetes