Add a FAQ and switch rare issue from README to it

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

FAQ.md

@@ -0,0 +1,40 @@
+# Frequently Asked Questions
+
+- [Uninstall is stuck. How do I fix it?](#uninstall-is-stuck-how-do-i-fix-it)
+- [The PSAT plugin is not working](#the-psat-plugin-is-not-working)
+
+## Uninstall is stuck. How do I fix it?
+
+If you uninstall the spiffe csi driver manually before removing the chart, pods can still be using the driver an are unable to mount the csi volume.
+
+To resolve, reinstall the chart before trying to remove it again. 
+
+## The PSAT plugin is not working
+
+The chart requires `Projected Service Account Tokens` which has to be enabled on your k8s api server. In most cases this is already done for you.
+
+> **Note** This is enabled by default with newer versions as shown by the existence of:
+>
+>        - --service-account-issuer
+>        - --service-account-key-file
+>        - --service-account-signing-key-file
+
+See [Service Account Token Volume Projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) in the Kubernetes docs for more details.
+
+To enable Projected Service Account Tokens on Docker for Mac/Windows run the following
+command to SSH into the Docker Desktop K8s VM.
+
+```bash
+docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
+```
+Then add the following to `/etc/kubernetes/manifests/kube-apiserver.yaml`
+```yaml
+spec:
+  containers:
+    - command:
+        - kube-apiserver
+        - --api-audiences=api,spire-server
+        - --service-account-issuer=api,spire-agent
+        - --service-account-key-file=/run/config/pki/sa.pub
+        - --service-account-signing-key-file=/run/config/pki/sa.key
+```

charts/spire/README.md

@@ -23,30 +23,6 @@ A Helm chart for deploying the complete Spire stack including: spire-server, spi
 
 > **Note**: For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden.
 
-## Prerequisites
-
-Please note this chart requires `Projected Service Account Tokens` which has to be enabled on your k8s api server.
-
-To enable Projected Service Account Tokens on Docker for Mac/Windows run the following
-command to SSH into the Docker Desktop K8s VM.
-
-```bash
-docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
-```
-
-Then add the following to `/etc/kubernetes/manifests/kube-apiserver.yaml`
-
-```yaml
-spec:
-  containers:
-    - command:
-        - kube-apiserver
-        - --api-audiences=api,spire-server
-        - --service-account-issuer=api,spire-agent
-        - --service-account-key-file=/run/config/pki/sa.pub
-        - --service-account-signing-key-file=/run/config/pki/sa.key
-```
-
 ## Usage
 
 To utilize Spire in your own workloads you should add the following to your workload:

charts/spire/README.md.gotmpl

@@ -25,30 +25,6 @@
 
 > **Note**: For Kubernetes, we will officially support the last 3 versions as described in [k8s versioning](https://kubernetes.io/releases/version-skew-policy/#supported-versions). Any version before the last 3 we will try to support as long it doesn't bring security issues or any big maintenance burden. 
 
-## Prerequisites
-
-Please note this chart requires `Projected Service Account Tokens` which has to be enabled on your k8s api server.
-
-To enable Projected Service Account Tokens on Docker for Mac/Windows run the following
-command to SSH into the Docker Desktop K8s VM.
-
-```bash
-docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
-```
-
-Then add the following to `/etc/kubernetes/manifests/kube-apiserver.yaml`
-
-```yaml
-spec:
-  containers:
-    - command:
-        - kube-apiserver
-        - --api-audiences=api,spire-server
-        - --service-account-issuer=api,spire-agent
-        - --service-account-key-file=/run/config/pki/sa.pub
-        - --service-account-signing-key-file=/run/config/pki/sa.key
-```
-
 ## Usage
 
 To utilize Spire in your own workloads you should add the following to your workload: