diff --git a/.github/tests/charts.json b/.github/tests/charts.json
index 09ee23720..62015fc66 100644
--- a/.github/tests/charts.json
+++ b/.github/tests/charts.json
@@ -2,12 +2,12 @@
 {
 "name": "kube-prometheus-stack",
 "repo": "https://prometheus-community.github.io/helm-charts",
- "version": "46.6.0"
+ "version": "46.8.0"
 },
 {
 "name": "cert-manager",
 "repo": "https://charts.jetstack.io",
- "version": "v1.12.1"
+ "version": "v1.12.2"
 },
 {
 "name": "ingress-nginx",
@@ -17,11 +17,11 @@
 {
 "name": "mysql",
 "repo": "https://charts.bitnami.com/bitnami",
- "version": "9.10.1"
+ "version": "9.10.4"
 },
 {
 "name": "postgresql",
 "repo": "https://charts.bitnami.com/bitnami",
- "version": "12.5.6"
+ "version": "12.5.7"
 }
 ]
diff --git a/.github/tests/production-external-mysql/install.sh b/.github/tests/production-external-mysql/install.sh
index fc979cdef..7bb5d63b4 100755
--- a/.github/tests/production-external-mysql/install.sh
+++ b/.github/tests/production-external-mysql/install.sh
@@ -29,8 +29,6 @@ spire-server:
 password: ${DBPW}
 host: mysql
 port: 3306
- options:
- - parseTime: true
 EOF
 helm install mysql mysql --namespace "spire-server" --version "$VERSION_MYSQL" --repo "$HELM_REPO_MYSQL" \
diff --git a/README.md b/README.md
index e14c7a5c4..6ccbade74 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@ Unless otherwise noted in an application chart README, the following dependencie
 | Dependency | Supported Versions |
 |:-----------|:-------------------|
-| SPIRE | `1.5.3`+, `1.6.x` |
+| SPIRE | `1.6.x`, `1.7.x` |
 | Helm | `3.x` |
 | Kubernetes | `1.22+` |
diff --git a/charts/spire/Chart.yaml b/charts/spire/Chart.yaml
index 8eb82172e..dd1057378 100644
--- a/charts/spire/Chart.yaml
+++ b/charts/spire/Chart.yaml
@@ -3,7 +3,7 @@ name: spire
 description: >
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
 type: application
-version: 0.8.1
+version: 0.9.1
 appVersion: "1.7.0"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc", "spire-controller-manager"]
 home: https://github.com/spiffe/helm-charts/tree/main/charts/spire
diff --git a/charts/spire/README.md b/charts/spire/README.md
index fdd9dbb94..ab194cbd8 100644
--- a/charts/spire/README.md
+++ b/charts/spire/README.md
@@ -2,7 +2,7 @@
-![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.0](https://img.shields.io/badge/AppVersion-1.7.0-informational?style=flat-square)
+![Version: 0.9.1](https://img.shields.io/badge/Version-0.9.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.0](https://img.shields.io/badge/AppVersion-1.7.0-informational?style=flat-square)
 [![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
 A Helm chart for deploying the complete Spire stack including: spire-server, spire-agent, spiffe-csi-driver, spiffe-oidc-discovery-provider and spire-controller-manager.
@@ -235,7 +235,7 @@ Now you can interact with the Spire agent socket from your own application. The
 | spire-agent.fsGroupFix.image.pullPolicy | string | `"Always"` | The image pull policy |
 | spire-agent.fsGroupFix.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from |
 | spire-agent.fsGroupFix.image.repository | string | `"chainguard/bash"` | The repository within the registry |
-| spire-agent.fsGroupFix.image.tag | string | `"latest-20230517"` | Overrides the image tag |
+| spire-agent.fsGroupFix.image.tag | string | `"5.2.15"` | Overrides the image tag |
 | spire-agent.fsGroupFix.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | spire-agent.fsGroupFix.resources | object | `{}` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
 | spire-agent.fullnameOverride | string | `""` | |
@@ -301,6 +301,7 @@ Now you can interact with the Spire agent socket from your own application. The
 | spire-server.controllerManager.enabled | bool | `false` | |
 | spire-server.controllerManager.identities.dnsNameTemplates | list | `[]` | |
 | spire-server.controllerManager.identities.enabled | bool | `true` | |
+| spire-server.controllerManager.identities.federatesWith | list | `[]` | |
 | spire-server.controllerManager.identities.namespaceSelector | object | `{}` | |
 | spire-server.controllerManager.identities.podSelector | object | `{}` | |
 | spire-server.controllerManager.identities.spiffeIDTemplate | string | `"spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"` | |
diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md
index 27d8994ef..63da2b584 100644
--- a/charts/spire/charts/spire-agent/README.md
+++ b/charts/spire/charts/spire-agent/README.md
@@ -38,7 +38,7 @@ A Helm chart to install the SPIRE agent.
 | fsGroupFix.image.pullPolicy | string | `"Always"` | The image pull policy |
 | fsGroupFix.image.registry | string | `"cgr.dev"` | The OCI registry to pull the image from |
 | fsGroupFix.image.repository | string | `"chainguard/bash"` | The repository within the registry |
-| fsGroupFix.image.tag | string | `"latest-20230517"` | Overrides the image tag |
+| fsGroupFix.image.tag | string | `"5.2.15"` | Overrides the image tag |
 | fsGroupFix.image.version | string | `""` | This value is deprecated in favor of tag. (Will be removed in a future release) |
 | fsGroupFix.resources | object | `{}` | Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
 | fullnameOverride | string | `""` | |
diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml
index 932e4ff5e..0d6f913db 100644
--- a/charts/spire/charts/spire-agent/values.yaml
+++ b/charts/spire/charts/spire-agent/values.yaml
@@ -122,7 +122,7 @@ fsGroupFix:
 # -- This value is deprecated in favor of tag. (Will be removed in a future release)
 version: ""
 # -- Overrides the image tag
- tag: latest-20230517
+ tag: 5.2.15
 # -- Specify resource needs as per https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 resources: {}
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index 36bcbe409..810aea884 100644
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
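Review bot: `tag: 5.2.15` is better than the date-stamped `latest-20230517`, but a version tag on `cgr.dev/chainguard/bash` is still mutable (Chainguard re-publishes version tags as the base is rebuilt, as far as I know), and the README hunk above shows `fsGroupFix.image.pullPolicy` defaulting to `Always`, so each agent pod start can pull a different image behind the same tag. If the image helper accepts a digest, pin one next to the tag; otherwise at least document the caveat on the `tag:` line, e.g. `# -- Overrides the image tag (cgr.dev version tags are re-published upstream; pin a digest for reproducible rollouts)`. The `fsGroupFix.image` block starts above the hunk.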
@@ -50,6 +50,7 @@ A Helm chart to install the SPIRE server.
 | controllerManager.enabled | bool | `false` | |
 | controllerManager.identities.dnsNameTemplates | list | `[]` | |
 | controllerManager.identities.enabled | bool | `true` | |
+| controllerManager.identities.federatesWith | list | `[]` | |
 | controllerManager.identities.namespaceSelector | object | `{}` | |
 | controllerManager.identities.podSelector | object | `{}` | |
 | controllerManager.identities.spiffeIDTemplate | string | `"spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"` | |
diff --git a/charts/spire/charts/spire-server/templates/_helpers.tpl b/charts/spire/charts/spire-server/templates/_helpers.tpl
index 7df362661..15874a77b 100644
--- a/charts/spire/charts/spire-server/templates/_helpers.tpl
+++ b/charts/spire/charts/spire-server/templates/_helpers.tpl
@@ -114,9 +114,8 @@ Create the name of the service account to use
 {{- $lst = append $lst $entry }}
 {{- end }}
 {{- end }}
-{{- if gt (len $lst) 0 }}
-{{- printf "?%s" (join "&" $lst) }}
-{{- end }}
+{{- $lst = append $lst "parseTime=true" }}
+{{- printf "?%s" (join "&" (uniq $lst)) }}
 {{- end }}
 {{- define "spire-server.config-postgresql-options" }}
diff --git a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
index 5967d313c..69c7c6f0d 100644
--- a/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
+++ b/charts/spire/charts/spire-server/templates/controller-manager-cluster-ids.yaml
@@ -8,6 +8,10 @@ metadata:
 namespace: {{ include "spire-server.namespace" $root }}
 spec:
 spiffeIDTemplate: {{ .identities.spiffeIDTemplate | quote }}
+ {{- with .identities.federatesWith }}
+ federatesWith:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- with .identities.podSelector }}
 podSelector:
 {{- toYaml . | nindent 4 }}
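Review bot: Appending `parseTime=true` and passing the list through `uniq` only collapses an exact duplicate; a user entry of `parseTime=false` (or `parseTime=0`) survives, so the DSN ends up carrying both values and which one takes effect is decided by the driver's parameter parsing (go-sql-driver appears to take the last occurrence) rather than by the chart. Drop any existing `parseTime=` entry before the append, e.g. `{{- $kept := list }}{{- range $lst }}{{- if not (hasPrefix "parseTime=" .) }}{{- $kept = append $kept . }}{{- end }}{{- end }}` followed by `{{- $lst = append $kept "parseTime=true" }}`, or `fail` on a conflicting value so the override is explicit instead of silent. A short template comment stating why the option is now forced rather than opt-in would also help, since the reason is not visible in this diff. The `define` and the `range` that fills `$lst` begin above the hunk.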
diff --git a/charts/spire/charts/spire-server/templates/statefulset.yaml b/charts/spire/charts/spire-server/templates/statefulset.yaml
index 1540dd0d1..842b927ec 100644
--- a/charts/spire/charts/spire-server/templates/statefulset.yaml
+++ b/charts/spire/charts/spire-server/templates/statefulset.yaml
@@ -43,11 +43,11 @@ spec:
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 initContainers:
- {{- if and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.createCA }}
+ {{- if and .Values.upstreamAuthority.certManager.enabled .Values.upstreamAuthority.certManager.ca.create }}
 - name: wait
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}
- image: {{ template "spire-server.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
+ image: {{ template "spire-lib.kubectl-image" (dict "appVersion" $.Chart.AppVersion "image" .Values.tools.kubectl.image "global" .Values.global "KubeVersion" .Capabilities.KubeVersion.Version) }}
 args:
 - wait
 - --namespace
@@ -56,7 +56,7 @@ spec:
 - --for=condition=ready
 - issuer
 - {{ include "spire-server.fullname" $ }}
- imagePullPolicy: {{ .Values.controllerManager.validatingWebhookConfiguration.upgradeHook.image.pullPolicy }}
+ imagePullPolicy: {{ .Values.tools.kubectl.image.pullPolicy }}
 {{- end }}
 {{- if gt (len .Values.initContainers) 0 }}
 {{- toYaml .Values.initContainers | nindent 8 }}
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index 17095b012..789824e6f 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -279,6 +279,9 @@ controllerManager:
 # spiffe.io/spiffe-id: "true"
 dnsNameTemplates: []
 # - '{{ index .PodMeta.Labels "app.kubernetes.io/name" }}.{{ .PodMeta.Namespace }}.svc.cluster.local'
+ federatesWith: []
+ # - example.io
+ # - example.ai
 validatingWebhookConfiguration:
 failurePolicy: Fail
diff --git a/examples/external-mysql/values.yaml b/examples/external-mysql/values.yaml
index b33215678..c0a8fff19 100644
--- a/examples/external-mysql/values.yaml
+++ b/examples/external-mysql/values.yaml
@@ -6,5 +6,3 @@ spire-server:
 host: mysql
 port: 3306
 username: spire
- options:
- - parseTime: true
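Review bot: `federatesWith: []` is added without a `# --` description, so helm-docs renders the new README row with an empty description and nothing tells the operator what shape the entries take or what else has to be in place for them to work. Add `# -- Trust domain names (without the spiffe:// scheme) to federate with; workloads matched by this ClusterSPIFFEID only receive a federated bundle for a trust domain the server also has a federation relationship and bundle for.` above `federatesWith: []`. The scheme-less form and the server-side relationship requirement come from SPIRE's federation model rather than from this diff, so adjust the wording if the chart exposes that relationship under a specific key. The enclosing `controllerManager.identities` block starts above the hunk.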