Merge branch 'main' into topology

2022-04-28 10:26:20 -07:00 · 2022-04-28 10:26:20 -07:00 · 4c752a9f1d
commit 4c752a9f1d
parent fb3126b864 9b43054901
81 changed files with 1552 additions and 258 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -77,7 +77,7 @@ jobs:
                -X POST \
                -H 'Content-Type: application/json' \
                -H 'Accept: application/json' \
-                -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \
+                -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \
                "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline"
      - slack/status:
          fail_only: true
@ -85,16 +85,7 @@ jobs:
 workflows:
  version: 2
-  build_and_test:
+  # Note: unit and acceptance tests are now being run in GitHub Actions
    jobs:
      - bats-unit-test
      - chart-verifier
      - acceptance:
          requires:
            - bats-unit-test
          filters:
            branches:
              only: main
  update-helm-charts-index:
    jobs:
      - update-helm-charts-index:
--- a/.github/workflows/acceptance.yaml
+++ b/.github/workflows/acceptance.yaml
@ -0,0 +1,34 @@
 name: Acceptance Tests
 on:
  push:
    branches:
      - main
  workflow_dispatch: {}
 jobs:
  kind:
    strategy:
      fail-fast: false
      matrix:
        kind-k8s-version: [1.16.15, 1.20.15, 1.21.10, 1.22.7, 1.23.4]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup test tools
        uses: ./.github/workflows/setup-test-tools
      - name: Create K8s Kind Cluster
        uses: helm/kind-action@v1.2.0
        with:
          config: test/kind/config.yaml
          node_image: kindest/node:v${{ matrix.kind-k8s-version }}
      # Skip CSI tests if K8s version < 1.16.x
      - run: echo K8S_MINOR=$(kubectl version -o json | jq -r .serverVersion.minor) >> $GITHUB_ENV
      - if: ${{ env.K8S_MINOR < 16 }}
        run: echo "SKIP_CSI=true" >> $GITHUB_ENV
      - run: bats ./test/acceptance -t
        env:
          VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
--- a/.github/workflows/setup-test-tools/action.yaml
+++ b/.github/workflows/setup-test-tools/action.yaml
@ -0,0 +1,18 @@
 name: Setup common testing tools
 description: Install bats and python-yq
 runs:
  using: "composite"
  steps:
    - uses: actions/setup-node@v2
      with:
        node-version: '14'
    - run: npm install -g bats@${BATS_VERSION}
      shell: bash
      env:
        BATS_VERSION: '1.5.0'
    - run: bats -v
      shell: bash
    - uses: actions/setup-python@v2
    - run: pip install yq
      shell: bash
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@ -0,0 +1,25 @@
 name: Tests
 on: [push, workflow_dispatch]
 jobs:
  bats-unit-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ./.github/workflows/setup-test-tools
      - run: bats ./test/unit -t
  chart-verifier:
    runs-on: ubuntu-latest
    env:
      CHART_VERIFIER_VERSION: '1.2.1'
    steps:
      - uses: actions/checkout@v2
      - name: Setup test tools
        uses: ./.github/workflows/setup-test-tools
      - uses: actions/setup-go@v2
        with:
          go-version: '1.17.4'
      - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}
      - run: bats ./test/chart -t
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,35 @@
 ## Unreleased
 CHANGES:
 * `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
 * Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
 * Vault default image to 1.9.3
 * CSI provider default image to 1.1.0
 * Earliest Kubernetes version tested is now 1.16
 Improvements:
 * CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690)
 * Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683)
 * Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710)
 * Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709)
 ## 0.19.0 (January 20th, 2022)
 CHANGES:
 * Vault image default 1.9.2
 * Vault K8s image default 0.14.2
 Features:
 * Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653)
 * Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659)
 * Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661)
 * csi: ability to set priorityClassName for CSI daemonset pods [GH-670](https://github.com/hashicorp/vault-helm/pull/670)
 Improvements:
 * Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679)
 * Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673)
 * Make TLS configurable for OpenShift routes [GH-686](https://github.com/hashicorp/vault-helm/pull/686)
 ## 0.18.0 (November 17th, 2021)
 CHANGES:
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -13,13 +13,14 @@ rules to get in the way of that.
 That said, if you want to ensure that a pull request is likely to be merged,
 talk to us! You can find out our thoughts and ensure that your contribution
 won't clash or be obviated by Vault's normal direction. A great way to do this
-is via the [Vault Google Group][2]. Sometimes Vault devs are in `#vault-tool`
+is via the [Vault Discussion Forum][1].
 on Freenode, too.
 This document will cover what we're looking for in terms of reporting issues.
 By addressing all the points we're looking for, it raises the chances we can
 quickly merge or address your contributions.
 [1]: https://discuss.hashicorp.com/c/vault
 ## Issues
 ### Reporting an Issue
@ -237,3 +238,10 @@ Here are some examples of common test patterns:
    ```
    Here we are check the length of the command output to see if the anything is rendered.
    This style can easily be switched to check that a file is rendered instead.
 ## Contributor License Agreement
 We require that all contributors sign our Contributor License Agreement ("CLA")
 before we can accept the contribution.
 [Learn more about why HashiCorp requires a CLA and what the CLA includes](https://www.hashicorp.com/cla)
--- a/Chart.yaml
+++ b/Chart.yaml
@ -1,8 +1,8 @@
 apiVersion: v2
 name: vault
-version: 0.18.0
+version: 0.19.0
-appVersion: 1.9.0
+appVersion: 1.9.3
-kubeVersion: ">= 1.14.0-0"
+kubeVersion: ">= 1.16.0-0"
 description: Official HashiCorp Vault Chart
 home: https://www.vaultproject.io
 icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
--- a/README.md
+++ b/README.md
@ -22,7 +22,7 @@ The versions required are:
  * **Helm 3.0+** - This is the earliest version of Helm tested. It is possible
    it works with earlier versions but this chart is untested for those versions.
-  * **Kubernetes 1.14+** - This is the earliest version of Kubernetes tested.
+  * **Kubernetes 1.16+** - This is the earliest version of Kubernetes tested.
    It is possible that this chart works with earlier versions but it is
    untested.
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@ -31,6 +31,50 @@ Expand the name of the chart.
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Compute if the csi driver is enabled.
 */}}
 {{- define "vault.csiEnabled" -}}
 {{- $_ := set . "csiEnabled" (or
  (eq (.Values.csi.enabled | toString) "true")
  (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
 {{- end -}}
 {{/*
 Compute if the injector is enabled.
 */}}
 {{- define "vault.injectorEnabled" -}}
 {{- $_ := set . "injectorEnabled" (or
  (eq (.Values.injector.enabled | toString) "true")
  (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
 {{- end -}}
 {{/*
 Compute if the server is enabled.
 */}}
 {{- define "vault.serverEnabled" -}}
 {{- $_ := set . "serverEnabled" (or
  (eq (.Values.server.enabled | toString) "true")
  (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
 {{- end -}}
 {{/*
 Compute if the server service is enabled.
 */}}
 {{- define "vault.serverServiceEnabled" -}}
 {{- template "vault.serverEnabled" . -}}
 {{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
 {{- end -}}
 {{/*
 Compute if the ui is enabled.
 */}}
 {{- define "vault.uiEnabled" -}}
 {{- $_ := set . "uiEnabled" (or
  (eq (.Values.ui.enabled | toString) "true")
  (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
 {{- end -}}
 {{/*
 Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
 This defaults to (n/2)-1 where n is the number of members of the server cluster.
@ -51,9 +95,10 @@ Set the variable 'mode' to the server mode requested by the user to simplify
 template logic.
 */}}
 {{- define "vault.mode" -}}
  {{- template "vault.serverEnabled" . -}}
  {{- if .Values.injector.externalVaultAddr -}}
    {{- $_ := set . "mode" "external" -}}
-  {{- else if ne (.Values.server.enabled | toString) "true" -}}
+  {{- else if not .serverEnabled -}}
    {{- $_ := set . "mode" "external" -}}
  {{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
    {{- $_ := set . "mode" "dev" -}}
@ -339,6 +384,21 @@ Sets the injector node selector for pod placement
  {{- end }}
 {{- end -}}
 {{/*
 Sets the injector deployment update strategy
 */}}
 {{- define "injector.strategy" -}}
  {{- if .Values.injector.strategy }}
  strategy:
  {{- $tp := typeOf .Values.injector.strategy }}
  {{- if eq $tp "string" }}
    {{ tpl .Values.injector.strategy . | nindent 4 | trim }}
  {{- else }}
    {{- toYaml .Values.injector.strategy | nindent 4 }}
  {{- end }}
  {{- end }}
 {{- end -}}
 {{/*
 Sets extra pod annotations
 */}}
@ -388,13 +448,13 @@ Sets extra injector service annotations
 Sets extra injector webhook annotations
 */}}
 {{- define "injector.webhookAnnotations" -}}
-  {{- if .Values.injector.webhookAnnotations }}
+  {{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)  }}
  annotations:
-    {{- $tp := typeOf .Values.injector.webhookAnnotations }}
+    {{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }}
    {{- if eq $tp "string" }}
-      {{- tpl .Values.injector.webhookAnnotations . | nindent 4 }}
+      {{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }}
    {{- else }}
-      {{- toYaml .Values.injector.webhookAnnotations | nindent 4 }}
+      {{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }}
    {{- end }}
  {{- end }}
 {{- end -}}
--- a/templates/csi-clusterrole.yaml
+++ b/templates/csi-clusterrole.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.csiEnabled" . -}}
 {{- if .csiEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
--- a/templates/csi-clusterrolebinding.yaml
+++ b/templates/csi-clusterrolebinding.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.csiEnabled" . -}}
 {{- if .csiEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
--- a/templates/csi-daemonset.yaml
+++ b/templates/csi-daemonset.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.csiEnabled" . -}}
 {{- if .csiEnabled -}}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@ -8,6 +9,9 @@ metadata:
    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    {{- if  .Values.csi.daemonSet.extraLabels -}}
      {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}}
    {{- end -}}
  {{ template "csi.daemonSet.annotations" . }}
 spec:
  updateStrategy:
@ -25,8 +29,14 @@ spec:
      labels:
        app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
        app.kubernetes.io/instance: {{ .Release.Name }}
        {{- if  .Values.csi.pod.extraLabels -}}
          {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
        {{- end -}}
      {{ template "csi.pod.annotations" . }}
    spec:
      {{- if .Values.csi.priorityClassName }}
      priorityClassName: {{ .Values.csi.priorityClassName }}
      {{- end }}
      serviceAccountName: {{ template "vault.fullname" . }}-csi-provider
      {{- template "csi.pod.tolerations" . }}
      containers:
--- a/templates/csi-serviceaccount.yaml
+++ b/templates/csi-serviceaccount.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.csiEnabled" . -}}
 {{- if .csiEnabled -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@ -8,5 +9,8 @@ metadata:
    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    {{- if  .Values.csi.serviceAccount.extraLabels -}}
      {{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}}
    {{- end -}}
  {{ template "csi.serviceAccount.annotations" . }}
 {{- end }}
--- a/templates/injector-certs-secret.yaml
+++ b/templates/injector-certs-secret.yaml
@ -1,10 +1,14 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: vault-injector-certs
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 {{- end }}
--- a/templates/injector-clusterrole.yaml
+++ b/templates/injector-clusterrole.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@ -10,7 +11,7 @@ metadata:
 rules:
 - apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
-  verbs: 
+  verbs:
    - "get"
    - "list"
    - "watch"
--- a/templates/injector-clusterrolebinding.yaml
+++ b/templates/injector-clusterrolebinding.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 # Deployment for the injector
 apiVersion: apps/v1
 kind: Deployment
@ -17,6 +18,7 @@ spec:
      app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
      app.kubernetes.io/instance: {{ .Release.Name }}
      component: webhook
  {{ template "injector.strategy" . }}
  template:
    metadata:
      labels:
--- a/templates/injector-disruptionbudget.yaml
+++ b/templates/injector-disruptionbudget.yaml
@ -0,0 +1,20 @@
 {{- if .Values.injector.podDisruptionBudget }}
 apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }}
 kind: PodDisruptionBudget
 metadata:
  name: {{ template "vault.fullname" . }}-agent-injector
  namespace: {{ .Release.Namespace }}
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    component: webhook
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
      app.kubernetes.io/instance: {{ .Release.Name }}
      component: webhook
  {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }}
 {{- end -}}
--- a/templates/injector-mutating-webhook.yaml
+++ b/templates/injector-mutating-webhook.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
 apiVersion: admissionregistration.k8s.io/v1
 {{- else }}
@ -14,10 +15,11 @@ metadata:
  {{- template "injector.webhookAnnotations" . }}
 webhooks:
  - name: vault.hashicorp.com
    failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}
    matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }}
    sideEffects: None
-    admissionReviewVersions:
+    timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }}
-    - "v1beta1"
+    admissionReviewVersions: ["v1", "v1beta1"]
    - "v1"
    clientConfig:
      service:
        name: {{ template "vault.fullname" . }}-agent-injector-svc
@ -29,15 +31,12 @@ webhooks:
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
-{{- if .Values.injector.namespaceSelector }}
+{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }}
    namespaceSelector:
-{{ toYaml .Values.injector.namespaceSelector | indent 6}}
+{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
 {{ end }}
-{{- if .Values.injector.objectSelector }}
+{{- if or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) }}
    objectSelector:
-{{ toYaml .Values.injector.objectSelector | indent 6}}
+{{ toYaml (((.Values.injector.webhook)).objectSelector | default .Values.injector.objectSelector) | indent 6}}
 {{ end }}
 {{- with .Values.injector.failurePolicy }}
    failurePolicy: {{.}}
 {{ end }}
 {{ end }}
--- a/templates/injector-network-policy.yaml
+++ b/templates/injector-network-policy.yaml
@ -1,4 +1,6 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if eq (.Values.global.openshift | toString) "true" }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@ -19,3 +21,4 @@ spec:
      - port: 8080
        protocol: TCP
 {{ end }}
 {{ end }}
--- a/templates/injector-psp-role.yaml
+++ b/templates/injector-psp-role.yaml
@ -1,4 +1,6 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if eq (.Values.global.psp.enable | toString) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@ -15,3 +17,4 @@ rules:
  resourceNames:
    - {{ template "vault.fullname" . }}-agent-injector
 {{- end }}
 {{- end }}
--- a/templates/injector-psp-rolebinding.yaml
+++ b/templates/injector-psp-rolebinding.yaml
@ -1,4 +1,6 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if eq (.Values.global.psp.enable | toString) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@ -16,3 +18,4 @@ subjects:
  - kind: ServiceAccount
    name: {{ template "vault.fullname" . }}-agent-injector
 {{- end }}
 {{- end }}
--- a/templates/injector-psp.yaml
+++ b/templates/injector-psp.yaml
@ -1,4 +1,6 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if eq (.Values.global.psp.enable | toString) "true" }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@ -41,3 +43,4 @@ spec:
        max: 65535
  readOnlyRootFilesystem: false
 {{- end }}
 {{- end }}
--- a/templates/injector-role.yaml
+++ b/templates/injector-role.yaml
@ -1,8 +1,11 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
@ -23,3 +26,4 @@ rules:
      - "patch"
      - "delete"
 {{- end }}
 {{- end }}
--- a/templates/injector-rolebinding.yaml
+++ b/templates/injector-rolebinding.yaml
@ -1,8 +1,11 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
@ -16,3 +19,4 @@ subjects:
    name: {{ template "vault.fullname" . }}-agent-injector
    namespace: {{ .Release.Namespace }}
 {{- end }}
 {{- end }}
--- a/templates/injector-service.yaml
+++ b/templates/injector-service.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 apiVersion: v1
 kind: Service
 metadata:
--- a/templates/injector-serviceaccount.yaml
+++ b/templates/injector-serviceaccount.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
--- a/templates/server-clusterrolebinding.yaml
+++ b/templates/server-clusterrolebinding.yaml
@ -1,5 +1,6 @@
 {{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }}
+{{- if .serverEnabled -}}
 {{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }}
 {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
 apiVersion: rbac.authorization.k8s.io/v1
 {{- else }}
@ -22,3 +23,4 @@ subjects:
  name: {{ template "vault.serviceAccount.name" . }}
  namespace: {{ .Release.Namespace }}
 {{ end }}
 {{ end }}
--- a/templates/server-config-configmap.yaml
+++ b/templates/server-config-configmap.yaml
@ -1,6 +1,7 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}}
+{{- if .serverEnabled -}}
 {{- if ne .mode "dev" -}}
 {{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
 apiVersion: v1
 kind: ConfigMap
@ -36,3 +37,4 @@ data:
 {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
--- a/templates/server-discovery-role.yaml
+++ b/templates/server-discovery-role.yaml
@ -1,6 +1,7 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- if .serverEnabled -}}
 {{- if eq .mode "ha" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@ -17,3 +18,4 @@ rules:
  verbs: ["get", "watch", "list", "update", "patch"]
 {{ end }}
 {{ end }}
 {{ end }}
--- a/templates/server-discovery-rolebinding.yaml
+++ b/templates/server-discovery-rolebinding.yaml
@ -1,6 +1,7 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- if .serverEnabled -}}
 {{- if eq .mode "ha" }}
 {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
 apiVersion: rbac.authorization.k8s.io/v1
 {{- else }}
@ -25,3 +26,4 @@ subjects:
  namespace: {{ .Release.Namespace }}
 {{ end }}
 {{ end }}
 {{ end }}
--- a/templates/server-disruptionbudget.yaml
+++ b/templates/server-disruptionbudget.yaml
@ -1,9 +1,10 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" -}}
-{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
+{{- if .serverEnabled -}}
 {{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
 # PodDisruptionBudget to prevent degrading the server cluster through
 # voluntary cluster changes.
-apiVersion: policy/v1beta1
+apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }}
 kind: PodDisruptionBudget
 metadata:
  name: {{ template "vault.fullname" . }}
@ -22,3 +23,4 @@ spec:
      component: server
 {{- end -}}
 {{- end -}}
 {{- end -}}
--- a/templates/server-ha-active-service.yaml
+++ b/templates/server-ha-active-service.yaml
@ -1,6 +1,8 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverServiceEnabled" . -}}
 {{- if .serverServiceEnabled -}}
 {{- if eq .mode "ha" }}
 # Service for active Vault pod
 apiVersion: v1
 kind: Service
@ -22,7 +24,7 @@ spec:
  clusterIP: {{ .Values.server.service.clusterIP }}
  {{- end }}
  {{- include "service.externalTrafficPolicy" .Values.server.service }}
-  publishNotReadyAddresses: true
+  publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
  ports:
    - name: {{ include "vault.scheme" . }}
      port: {{ .Values.server.service.port }}
@ -40,3 +42,4 @@ spec:
    vault-active: "true"
 {{- end }}
 {{- end }}
 {{- end }}
--- a/templates/server-ha-standby-service.yaml
+++ b/templates/server-ha-standby-service.yaml
@ -1,6 +1,8 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverServiceEnabled" . -}}
 {{- if .serverServiceEnabled -}}
 {{- if eq .mode "ha" }}
 # Service for standby Vault pod
 apiVersion: v1
 kind: Service
@ -22,7 +24,7 @@ spec:
  clusterIP: {{ .Values.server.service.clusterIP }}
  {{- end }}
  {{- include "service.externalTrafficPolicy" .Values.server.service }}
-  publishNotReadyAddresses: true
+  publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
  ports:
    - name: {{ include "vault.scheme" . }}
      port: {{ .Values.server.service.port }}
@ -40,3 +42,4 @@ spec:
    vault-active: "false"
 {{- end }}
 {{- end }}
 {{- end }}
--- a/templates/server-headless-service.yaml
+++ b/templates/server-headless-service.yaml
@ -1,6 +1,7 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverServiceEnabled" . -}}
 {{- if .serverServiceEnabled -}}
 # Service for Vault cluster
 apiVersion: v1
 kind: Service
@ -16,7 +17,7 @@ metadata:
 {{ template "vault.service.annotations" .}}
 spec:
  clusterIP: None
-  publishNotReadyAddresses: true
+  publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
  ports:
    - name: "{{ include "vault.scheme" . }}"
      port: {{ .Values.server.service.port }}
--- a/templates/server-ingress.yaml
+++ b/templates/server-ingress.yaml
@ -4,7 +4,9 @@
 {{- if .Values.server.ingress.enabled -}}
 {{- $extraPaths := .Values.server.ingress.extraPaths -}}
 {{- $serviceName := include "vault.fullname" . -}}
-{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.ingress.activeService | toString) "true") }}
+{{- template "vault.serverServiceEnabled" . -}}
 {{- if .serverServiceEnabled -}}
 {{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
 {{- $serviceName = printf "%s-%s" $serviceName "active" -}}
 {{- end }}
 {{- $servicePort := .Values.server.service.port -}}
@ -72,3 +74,4 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
--- a/templates/server-psp-role.yaml
+++ b/templates/server-psp-role.yaml
@ -1,5 +1,6 @@
 {{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{- if .serverEnabled -}}
 {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@ -16,3 +17,4 @@ rules:
  resourceNames:
    - {{ template "vault.fullname" . }}
 {{- end }}
 {{- end }}
--- a/templates/server-psp-rolebinding.yaml
+++ b/templates/server-psp-rolebinding.yaml
@ -1,5 +1,6 @@
 {{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{- if .serverEnabled -}}
 {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@ -17,3 +18,4 @@ subjects:
  - kind: ServiceAccount
    name: {{ template "vault.fullname" . }}
 {{- end }}
 {{- end }}
--- a/templates/server-psp.yaml
+++ b/templates/server-psp.yaml
@ -1,5 +1,6 @@
 {{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{- if .serverEnabled -}}
 {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@ -45,3 +46,4 @@ spec:
        max: 65535
  readOnlyRootFilesystem: false
 {{- end }}
 {{- end }}
--- a/templates/server-route.yaml
+++ b/templates/server-route.yaml
@ -9,6 +9,7 @@ kind: Route
 apiVersion: route.openshift.io/v1
 metadata:
  name: {{ template "vault.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
    app.kubernetes.io/name: {{ include "vault.name" . }}
@ -27,7 +28,7 @@ spec:
  port:
    targetPort: 8200
  tls:
-    termination: passthrough
+    {{- toYaml .Values.server.route.tls | nindent  4 }}
 {{- end }}
 {{- end }}
 {{- end }}
--- a/templates/server-service.yaml
+++ b/templates/server-service.yaml
@ -1,6 +1,7 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverServiceEnabled" . -}}
 {{- if .serverServiceEnabled -}}
 # Service for Vault cluster
 apiVersion: v1
 kind: Service
@ -24,7 +25,7 @@ spec:
  {{- include "service.externalTrafficPolicy" .Values.server.service }}
  # We want the servers to become available even if they're not ready
  # since this DNS is also used for join operations.
-  publishNotReadyAddresses: true
+  publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
  ports:
    - name: {{ include "vault.scheme" . }}
      port: {{ .Values.server.service.port }}
--- a/templates/server-serviceaccount.yaml
+++ b/templates/server-serviceaccount.yaml
@ -1,5 +1,5 @@
 {{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
+{{- if .serverEnabled -}}
 {{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
 apiVersion: v1
 kind: ServiceAccount
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@ -1,6 +1,7 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
+{{- if ne .mode "" }}
 {{- if .serverEnabled -}}
 # StatefulSet to run the actual vault server cluster.
 apiVersion: apps/v1
 kind: StatefulSet
@ -42,7 +43,7 @@ spec:
      {{- if .Values.server.priorityClassName }}
      priorityClassName: {{ .Values.server.priorityClassName }}
      {{- end }}
-      terminationGracePeriodSeconds: 10
+      terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
      serviceAccountName: {{ template "vault.serviceAccount.name" . }}
      {{ if  .Values.server.shareProcessNamespace }}
      shareProcessNamespace: true
@ -109,7 +110,11 @@ spec:
                fieldRef:
                  fieldPath: metadata.name
            - name: VAULT_CLUSTER_ADDR
              {{- if .Values.server.ha.clusterAddr }}
              value: {{ .Values.server.ha.clusterAddr }}
              {{- else }}
              value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
              {{- end }}
            {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }}
            - name: VAULT_RAFT_NODE_ID
              valueFrom:
@ -207,3 +212,4 @@ spec:
  {{ template "vault.volumeclaims" . }}
 {{ end }}
 {{ end }}
 {{ end }}
--- a/templates/tests/server-test.yaml
+++ b/templates/tests/server-test.yaml
@ -1,4 +1,6 @@
-{{- if .Values.server.enabled }}
+{{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
 {{- if .serverEnabled -}}
 apiVersion: v1
 kind: Pod
 metadata:
@ -15,6 +17,7 @@ spec:
      env:
        - name: VAULT_ADDR
          value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
        {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }}
      command:
        - /bin/sh
        - -c
@ -35,6 +38,14 @@ spec:
          fi
          exit 0
-
+      volumeMounts:
        {{- if .Values.server.volumeMounts }}
          {{- toYaml .Values.server.volumeMounts | nindent 8}}
        {{- end }}
  volumes:
    {{- if .Values.server.volumes }}
      {{- toYaml .Values.server.volumes | nindent 4}}
    {{- end }}
  restartPolicy: Never
 {{- end }}
 {{- end }}
--- a/templates/ui-service.yaml
+++ b/templates/ui-service.yaml
@ -1,7 +1,8 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.uiEnabled" . -}}
-{{- if eq (.Values.ui.enabled | toString) "true" }}
+{{- if .uiEnabled -}}
 apiVersion: v1
 kind: Service
 metadata:
@ -34,4 +35,3 @@ spec:
  {{- include "service.loadBalancer" .Values.ui }}
 {{- end -}}
 {{- end }}
 {{- end }}
--- a/test/acceptance/_helpers.bash
+++ b/test/acceptance/_helpers.bash
@ -40,35 +40,37 @@ helm_install_ha() {
        ${BATS_TEST_DIRNAME}/../..
 }
-# wait for consul to be running
+# wait for consul to be ready
 wait_for_running_consul() {
    kubectl wait --for=condition=Ready --timeout=5m pod -l app=consul,component=client
 }
 wait_for_sealed_vault() {
    POD_NAME=$1
    check() {
-        # This requests the pod and checks whether the status is running
+        sealed_status=$(kubectl exec $1 -- vault status -format=json | jq -r '.sealed')
-        # and the ready state is true. If so, it outputs the name. Otherwise
+        if [ "$sealed_status" == "true" ]; then
-        # it outputs empty. Therefore, to check for success, check for nonzero
+            return 0
-        # string length.
+        fi
-        kubectl get pods -l component=client -o json | \
+        return 1
            jq -r '.items[0] | select(
                .status.phase == "Running" and
                ([ .status.conditions[] | select(.type == "Ready" and .status == "True") ] | length) == 1
            ) | .metadata.name'
    }
    for i in $(seq 60); do
-        if [ -n "$(check ${POD_NAME})" ]; then
+        if check ${POD_NAME}; then
-            echo "consul clients are ready."
+            echo "Vault on ${POD_NAME} is running."
            return
        fi
-        echo "Waiting for ${POD_NAME} to be ready..."
+        echo "Waiting for Vault on ${POD_NAME} to be running..."
        sleep 2
    done
-    echo "consul clients never became ready."
+    echo "Vault on ${POD_NAME} never became running."
    return 1
 }
-# wait for a pod to be ready
+# wait for a pod to be running
 wait_for_running() {
    POD_NAME=$1
--- a/test/acceptance/csi.bats
+++ b/test/acceptance/csi.bats
@ -2,18 +2,27 @@
 load _helpers
 check_skip_csi() {
  if [ ! -z ${SKIP_CSI} ]; then
    skip "Skipping CSI tests"
  fi
 }
@test "csi: testing deployment" {
  check_skip_csi
  cd `chart_dir`
  kubectl delete namespace acceptance --ignore-not-found=true
  kubectl create namespace acceptance
  # Install Secrets Store CSI driver
-  CSI_DRIVER_VERSION=0.2.0
+  CSI_DRIVER_VERSION=1.0.0
-  helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/v${CSI_DRIVER_VERSION}/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \
+  helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \
    --wait --timeout=5m \
    --namespace=acceptance \
-    --set linux.image.pullPolicy="IfNotPresent"
+    --set linux.image.pullPolicy="IfNotPresent" \
    --set syncSecret.enabled=true
  # Install Vault and Vault provider
  helm install vault \
    --wait --timeout=5m \
@ -49,6 +58,8 @@ load _helpers
 # Clean up
 teardown() {
  check_skip_csi
  if [[ ${CLEANUP:-true} == "true" ]]
  then
      echo "helm/pvc teardown"
--- a/test/acceptance/server-ha-enterprise-dr.bats
+++ b/test/acceptance/server-ha-enterprise-dr.bats
@ -7,7 +7,7 @@ load _helpers
  helm install "$(name_prefix)-east" \
    --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.9.0_ent' \
+    --set='server.image.tag=1.9.3-ent' \
    --set='injector.enabled=false' \
    --set='server.ha.enabled=true' \
    --set='server.ha.raft.enabled=true' \
@ -15,9 +15,7 @@ load _helpers
  wait_for_running "$(name_prefix)-east-0"
  # Sealed, not initialized
-  local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
+  wait_for_sealed_vault $(name_prefix)-east-0
    jq -r '.sealed' )
  [ "${sealed_status}" == "true" ]
  local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
    jq -r '.initialized')
@ -50,7 +48,7 @@ load _helpers
      fi
  done
-  # Sealed, not initialized
+  # Unsealed, initialized
  local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
    jq -r '.sealed' )
  [ "${sealed_status}" == "false" ]
@ -77,16 +75,14 @@ load _helpers
  helm install "$(name_prefix)-west" \
    --set='injector.enabled=false' \
    --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.9.0_ent' \
+    --set='server.image.tag=1.9.3-ent' \
    --set='server.ha.enabled=true' \
    --set='server.ha.raft.enabled=true' \
    --set='server.enterpriseLicense.secretName=vault-license' .
  wait_for_running "$(name_prefix)-west-0"
  # Sealed, not initialized
-  local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
+  wait_for_sealed_vault $(name_prefix)-west-0
    jq -r '.sealed' )
  [ "${sealed_status}" == "true" ]
  local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
    jq -r '.initialized')
@ -119,7 +115,7 @@ load _helpers
      fi
  done
-  # Sealed, not initialized
+  # Unsealed, initialized
  local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
    jq -r '.sealed' )
  [ "${sealed_status}" == "false" ]
--- a/test/acceptance/server-ha-enterprise-perf.bats
+++ b/test/acceptance/server-ha-enterprise-perf.bats
@ -8,16 +8,14 @@ load _helpers
  helm install "$(name_prefix)-east" \
    --set='injector.enabled=false' \
    --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.9.0_ent' \
+    --set='server.image.tag=1.9.3-ent' \
    --set='server.ha.enabled=true' \
    --set='server.ha.raft.enabled=true' \
    --set='server.enterpriseLicense.secretName=vault-license' .
  wait_for_running "$(name_prefix)-east-0"
  # Sealed, not initialized
-  local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
+  wait_for_sealed_vault $(name_prefix)-east-0
    jq -r '.sealed' )
  [ "${sealed_status}" == "true" ]
  local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
    jq -r '.initialized')
@ -50,7 +48,7 @@ load _helpers
      fi
  done
-  # Sealed, not initialized
+  # Unsealed, initialized
  local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
    jq -r '.sealed' )
  [ "${sealed_status}" == "false" ]
@ -77,16 +75,14 @@ load _helpers
  helm install "$(name_prefix)-west" \
    --set='injector.enabled=false' \
    --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.9.0_ent' \
+    --set='server.image.tag=1.9.3-ent' \
    --set='server.ha.enabled=true' \
    --set='server.ha.raft.enabled=true' \
    --set='server.enterpriseLicense.secretName=vault-license' .
  wait_for_running "$(name_prefix)-west-0"
  # Sealed, not initialized
-  local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
+  wait_for_sealed_vault $(name_prefix)-west-0
    jq -r '.sealed' )
  [ "${sealed_status}" == "true" ]
  local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
    jq -r '.initialized')
@ -119,7 +115,7 @@ load _helpers
      fi
  done
-  # Sealed, not initialized
+  # Unsealed, initialized
  local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
    jq -r '.sealed' )
  [ "${sealed_status}" == "false" ]
--- a/test/acceptance/server-ha-raft.bats
+++ b/test/acceptance/server-ha-raft.bats
@ -11,9 +11,7 @@ load _helpers
  wait_for_running $(name_prefix)-0
  # Sealed, not initialized
-  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
+  wait_for_sealed_vault $(name_prefix)-0
    jq -r '.sealed' )
  [ "${sealed_status}" == "true" ]
  local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
    jq -r '.initialized')
@ -112,6 +110,10 @@ setup() {
 teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
      # If the test failed, print some debug output
      if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
          kubectl logs -l app.kubernetes.io/name=vault
      fi
      helm delete vault
      kubectl delete --all pvc
      kubectl delete namespace acceptance --ignore-not-found=true
--- a/test/acceptance/server-ha.bats
+++ b/test/acceptance/server-ha.bats
@ -10,9 +10,7 @@ load _helpers
  wait_for_running $(name_prefix)-0
  # Sealed, not initialized
-  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
+  wait_for_sealed_vault $(name_prefix)-0
    jq -r '.sealed' )
  [ "${sealed_status}" == "true" ]
  local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
    jq -r '.initialized')
@ -91,7 +89,7 @@ setup() {
  helm install consul \
    https://github.com/hashicorp/consul-helm/archive/v0.28.0.tar.gz \
-    --set 'ui.enabled=false' \
+    --set 'ui.enabled=false'
  wait_for_running_consul
 }
@ -100,6 +98,11 @@ setup() {
 teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
      # If the test failed, print some debug output
      if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
          kubectl logs -l app=consul
          kubectl logs -l app.kubernetes.io/name=vault
      fi
      helm delete vault
      helm delete consul
      kubectl delete --all pvc
--- a/test/acceptance/server.bats
+++ b/test/acceptance/server.bats
@ -13,9 +13,7 @@ load _helpers
  wait_for_running $(name_prefix)-0
  # Sealed, not initialized
-  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
+  wait_for_sealed_vault $(name_prefix)-0
    jq -r '.sealed' )
  [ "${sealed_status}" == "true" ]
  local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
    jq -r '.initialized')
--- a/test/kind/config.yaml
+++ b/test/kind/config.yaml
@ -5,3 +5,16 @@ nodes:
 - role: worker
 - role: worker
 - role: worker
 # These apiServer settings are included for running the CSI provider on K8s
 # prior to 1.21
 kubeadmConfigPatches:
  - |
    apiVersion: kubeadm.k8s.io/v1beta2
    kind: ClusterConfiguration
    metadata:
      name: config
    apiServer:
      extraArgs:
        "service-account-issuer": "https://kubernetes.default.svc.cluster.local"
        "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key"
        "service-account-api-audiences": "https://kubernetes.default.svc.cluster.local"
--- a/test/unit/csi-clusterrole.bats
+++ b/test/unit/csi-clusterrole.bats
@ -29,5 +29,5 @@ load _helpers
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq -r '.metadata.name' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ]
+  [ "${actual}" = "release-name-vault-csi-provider-clusterrole" ]
 }
--- a/test/unit/csi-clusterrolebinding.bats
+++ b/test/unit/csi-clusterrolebinding.bats
@ -29,7 +29,7 @@ load _helpers
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq -r '.roleRef.name' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ]
+  [ "${actual}" = "release-name-vault-csi-provider-clusterrole" ]
 }
 # ClusterRoleBinding service account name
@ -40,5 +40,5 @@ load _helpers
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq -r '.subjects[0].name' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ]
+  [ "${actual}" = "release-name-vault-csi-provider" ]
 }
--- a/test/unit/csi-daemonset.bats
+++ b/test/unit/csi-daemonset.bats
@ -27,7 +27,30 @@ load _helpers
      --set "global.enabled=false" \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
+  [ "${actual}" = "true" ]
 }
 # priorityClassName
@test "csi/daemonset: priorityClassName not set by default" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/csi-daemonset.yaml  \
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq '.spec.template.spec | .priorityClassName? == null' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
@test "csi/daemonset: priorityClassName can be set" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/csi-daemonset.yaml  \
      --set 'csi.priorityClassName=armaggeddon' \
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
 # serviceAccountName reference name
@ -38,7 +61,7 @@ load _helpers
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ]
+  [ "${actual}" = "release-name-vault-csi-provider" ]
 }
 # Image
@ -295,6 +318,32 @@ load _helpers
  [ "${actual}" = "true" ]
 }
 #--------------------------------------------------------------------
 # Extra Labels
@test "csi/daemonset: specify csi.daemonSet.extraLabels" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/csi-daemonset.yaml \
      --set 'csi.enabled=true' \
      --set 'csi.daemonSet.extraLabels.foo=bar' \
      . | tee /dev/stderr |
      yq -r '.metadata.labels.foo' | tee /dev/stderr)
  [ "${actual}" = "bar" ]
 }
@test "csi/daemonset: specify csi.pod.extraLabels" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/csi-daemonset.yaml \
      --set 'csi.enabled=true' \
      --set 'csi.pod.extraLabels.foo=bar' \
      . | tee /dev/stderr |
      yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr)
  [ "${actual}" = "bar" ]
 }
 #--------------------------------------------------------------------
 # volumes
--- a/test/unit/csi-serviceaccount.bats
+++ b/test/unit/csi-serviceaccount.bats
@ -29,7 +29,7 @@ load _helpers
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq -r '.metadata.name' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ]
+  [ "${actual}" = "release-name-vault-csi-provider" ]
 }
@test "csi/serviceAccount: specify annotations" {
@ -56,4 +56,19 @@ load _helpers
      . | tee /dev/stderr |
      yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
  [ "${actual}" = "bar" ]
-}
+}
 # serviceAccount extraLabels
@test "csi/serviceAccount: specify csi.serviceAccount.extraLabels" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/csi-serviceaccount.yaml \
      --set 'csi.enabled=true' \
      --set 'csi.serviceAccount.extraLabels.foo=bar' \
      . | tee /dev/stderr |
      yq -r '.metadata.labels.foo' | tee /dev/stderr)
  [ "${actual}" = "bar" ]
 }
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@ -26,12 +26,22 @@ load _helpers
  local actual=$( (helm template \
      --show-only templates/injector-deployment.yaml  \
      --set 'global.enabled=false' \
      --set 'injector.enabled=true' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
 }
@test "injector/deployment: enable with injector.enabled true and global.enabled false" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-deployment.yaml  \
      --set 'injector.enabled=true' \
      --set 'global.enabled=false' \
      . | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
@test "injector/deployment: image defaults to injector.image" {
  cd `chart_dir`
  local actual=$(helm template \
@ -157,7 +167,7 @@ load _helpers
  local value=$(echo $object |
      yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO")) | .[] .value' | tee /dev/stderr)
-  [ "${value}" = "RELEASE-NAME-vault-agent-injector-cfg" ]
+  [ "${value}" = "release-name-vault-agent-injector-cfg" ]
  # helm template does uses current context namespace and ignores namespace flags, so
  # discover the targeted namespace so we can check the rendered value correctly.
@ -165,7 +175,7 @@ load _helpers
  local value=$(echo $object |
      yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO_HOSTS")) | .[] .value' | tee /dev/stderr)
-  [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ]
+  [ "${value}" = "release-name-vault-agent-injector-svc,release-name-vault-agent-injector-svc.${namespace:-default},release-name-vault-agent-injector-svc.${namespace:-default}.svc" ]
 }
@test "injector/deployment: manual TLS adds volume mount" {
@ -742,3 +752,32 @@ load _helpers
      yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL")) | .[] .value' | tee /dev/stderr)
  [ "${value}" = "1m" ]
 }
@test "injector/deployment: strategy default" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-deployment.yaml  \
      . | tee /dev/stderr |
      yq -r '.spec.strategy' | tee /dev/stderr)
  [ "${actual}" = "null" ]
 }
@test "injector/deployment: strategy set as string" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-deployment.yaml  \
      --set="injector.strategy=testing"  \
      . | tee /dev/stderr |
      yq -r '.spec.strategy' | tee /dev/stderr)
  [ "${actual}" = "testing" ]
 }
@test "injector/deployment: strategy can be set as YAML" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-deployment.yaml \
      --set 'injector.strategy.rollingUpdate.maxUnavailable=1' \
      . | tee /dev/stderr |
      yq -r '.spec.strategy.rollingUpdate.maxUnavailable' | tee /dev/stderr)
  [ "${actual}" = "1" ]
 }
--- a/test/unit/injector-disruptionbudget.bats
+++ b/test/unit/injector-disruptionbudget.bats
@ -0,0 +1,54 @@
 #!/usr/bin/env bats
 load _helpers
@test "injector/DisruptionBudget: disabled by default" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/injector-disruptionbudget.yaml \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
 }
@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-disruptionbudget.yaml \
      --set 'injector.podDisruptionBudget.minAvailable=2' \
      . | tee /dev/stderr |
      yq '.spec.minAvailable == 2' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget maxUnavailable" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-disruptionbudget.yaml \
      --set 'injector.podDisruptionBudget.maxUnavailable=3' \
      . | tee /dev/stderr |
      yq '.spec.maxUnavailable == 3' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
@test "injector/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-disruptionbudget.yaml \
      --set 'injector.podDisruptionBudget.minAvailable=2' \
      --kube-version 1.19.5 \
      . | tee /dev/stderr |
      yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
@test "injector/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-disruptionbudget.yaml \
      --set 'injector.podDisruptionBudget.minAvailable=2' \
      --kube-version 1.22.5 \
      . | tee /dev/stderr |
      yq '.apiVersion == "policy/v1"' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
--- a/test/unit/injector-leader-elector.bats
+++ b/test/unit/injector-leader-elector.bats
@ -87,6 +87,17 @@ load _helpers
  [ "${actual}" = "true" ]
 }
@test "injector/certs-secret: namespace is set" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/injector-certs-secret.yaml \
      --set "injector.replicas=2" \
      --namespace foo \
      . || echo "---") | tee /dev/stderr |
      yq '.metadata.namespace' | tee /dev/stderr)
  [ "${actual}" = "\"foo\"" ]
 }
@test "injector/role: created/skipped as appropriate" {
  cd `chart_dir`
  local actual=$( (helm template \
@ -127,6 +138,17 @@ load _helpers
  [ "${actual}" = "true" ]
 }
@test "injector/role: namespace is set" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/injector-role.yaml \
      --set "injector.replicas=2" \
      --namespace foo \
      . || echo "---") | tee /dev/stderr |
      yq '.metadata.namespace' | tee /dev/stderr)
  [ "${actual}" = "\"foo\"" ]
 }
@test "injector/rolebinding: created/skipped as appropriate" {
  cd `chart_dir`
  local actual=$( (helm template \
@ -166,3 +188,14 @@ load _helpers
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
@test "injector/rolebinding: namespace is set" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/injector-rolebinding.yaml \
      --set "injector.replicas=2" \
      --namespace foo \
      . || echo "---") | tee /dev/stderr |
      yq '.metadata.namespace' | tee /dev/stderr)
  [ "${actual}" = "\"foo\"" ]
 }
--- a/test/unit/injector-mutating-webhook.bats
+++ b/test/unit/injector-mutating-webhook.bats
@ -53,18 +53,191 @@ load _helpers
  [ "${actual}" = "\"\"" ]
 }
-@test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default" {
+@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default (deprecated)" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
      --set 'injector.enabled=true' \
      --set 'injector.webhook=null' \
      --namespace foo \
      . | tee /dev/stderr |
      yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
  [ "${actual}" = "\"Ignore\"" ]
 }
@test "injector/MutatingWebhookConfiguration: can set failurePolicy (deprecated)" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
      --set 'injector.enabled=true' \
      --set 'injector.webhook=null' \
      --set 'injector.failurePolicy=Fail' \
      . | tee /dev/stderr |
      yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
  [ "${actual}" = "\"Fail\"" ]
 }
@test "injector/MutatingWebhookConfiguration: webhook.failurePolicy 'Ignore' by default" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
      --set 'injector.enabled=true' \
      --set 'injector.failurePolicy=Invalid' \
      . | tee /dev/stderr |
      yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
  [ "${actual}" = "\"Ignore\"" ]
 }
@test "injector/MutatingWebhookConfiguration: can set webhook.failurePolicy" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
      --set 'injector.enabled=true' \
      --set 'injector.webhook.failurePolicy=Fail' \
      --set 'injector.failurePolicy=Invalid' \
      . | tee /dev/stderr |
      yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
  [ "${actual}" = "\"Fail\"" ]
 }
@test "injector/MutatingWebhookConfiguration: webhook.matchPolicy 'Exact' by default" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
      --set 'injector.enabled=true' \
      . | tee /dev/stderr |
      yq '.webhooks[0].matchPolicy' | tee /dev/stderr)
  [ "${actual}" = "\"Exact\"" ]
 }
@test "injector/MutatingWebhookConfiguration: can set webhook.matchPolicy" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
      --set 'injector.enabled=true' \
      --set 'injector.webhook.matchPolicy=Equivalent' \
      . | tee /dev/stderr |
      yq '.webhooks[0].matchPolicy' | tee /dev/stderr)
  [ "${actual}" = "\"Equivalent\"" ]
 }
@test "injector/MutatingWebhookConfiguration: timeoutSeconds by default 30" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
      --set 'injector.enabled=true' \
      --set 'injector.webhook=null' \
      . | tee /dev/stderr |
      yq '.webhooks[0].timeoutSeconds' | tee /dev/stderr)
  [ "${actual}" = "30" ]
 }
@test "injector/MutatingWebhookConfiguration: can set webhook.timeoutSeconds" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
      --set 'injector.enabled=true' \
      --set 'injector.webhook.timeoutSeconds=50' \
      . | tee /dev/stderr |
      yq '.webhooks[0].timeoutSeconds' | tee /dev/stderr)
  [ "${actual}" = "50" ]
 }
 #--------------------------------------------------------------------
 # annotations
@test "injector/MutatingWebhookConfiguration: default webhookAnnotations (deprecated)" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml \
      --set 'injector.enabled=true' \
      --set 'injector.webhook=null' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations' | tee /dev/stderr)
  [ "${actual}" = "null" ]
 }
@test "injector/MutatingWebhookConfiguration: specify webhookAnnotations yaml (deprecated)" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml \
      --set 'injector.enabled=true' \
      --set 'injector.webhook=null' \
      --set 'injector.webhookAnnotations.foo=bar' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations.foo' | tee /dev/stderr)
  [ "${actual}" = "bar" ]
 }
@test "injector/MutatingWebhookConfiguration: specify webhookAnnotations yaml string (deprecated)" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml \
      --set 'injector.enabled=true' \
      --set 'injector.webhook=null' \
      --set 'injector.webhookAnnotations=foo: bar' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations.foo' | tee /dev/stderr)
  [ "${actual}" = "bar" ]
 }
@test "injector/MutatingWebhookConfiguration: default webhook.annotations" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml \
      --set 'injector.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations' | tee /dev/stderr)
  [ "${actual}" = "null" ]
 }
@test "injector/MutatingWebhookConfiguration: specify webhook.annotations yaml" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml \
      --set 'injector.enabled=true' \
      --set 'injector.webhook.annotations.foo=bar' \
      --set 'injector.webhookAnnotations.invalid=invalid' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations.foo' | tee /dev/stderr)
  [ "${actual}" = "bar" ]
 }
@test "injector/MutatingWebhookConfiguration: specify webhook.annotations yaml string" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml \
      --set 'injector.enabled=true' \
      --set 'injector.webhook.annotations=foo: bar' \
      --set 'injector.webhookAnnotations=invalid: invalid' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations.foo' | tee /dev/stderr)
  [ "${actual}" = "bar" ]
 }
 #--------------------------------------------------------------------
 # namespaceSelector
@test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default (deprecated)" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
      --set 'injector.enabled=true' \
      --set 'injector.webhook=null' \
      --namespace foo \
      . | tee /dev/stderr |
      yq '.webhooks[0].namespaceSelector' | tee /dev/stderr)
  [ "${actual}" = "null" ]
 }
-@test "injector/MutatingWebhookConfiguration: can set namespaceSelector" {
+@test "injector/MutatingWebhookConfiguration: can set namespaceSelector (deprecated)" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
@ -76,7 +249,59 @@ load _helpers
  [ "${actual}" = "true" ]
 }
-@test "injector/MutatingWebhookConfiguration: objectSelector empty by default" {
+@test "injector/MutatingWebhookConfiguration: webhook.namespaceSelector empty by default" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
      --set 'injector.enabled=true' \
      --namespace foo \
      . | tee /dev/stderr |
      yq '.webhooks[0].namespaceSelector' | tee /dev/stderr)
  [ "${actual}" = "null" ]
 }
@test "injector/MutatingWebhookConfiguration: can set set webhook.namespaceSelector" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
      --set 'injector.enabled=true' \
      --set 'injector.webhook.namespaceSelector.matchLabels.injector=true' \
      --set 'injector.namespaceSelector.matchLabels.injector=false' \
      . | tee /dev/stderr |
      yq '.webhooks[0].namespaceSelector.matchLabels.injector' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
 #--------------------------------------------------------------------
 # objectSelector
@test "injector/MutatingWebhookConfiguration: objectSelector empty by default (deprecated)" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
      --set 'injector.enabled=true' \
      --set 'injector.webhook=null' \
      --namespace foo \
      . | tee /dev/stderr |
      yq '.webhooks[0].objectSelector' | tee /dev/stderr)
  [ "${actual}" = "null" ]
 }
@test "injector/MutatingWebhookConfiguration: can set objectSelector (deprecated)" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
      --set 'injector.enabled=true' \
      --set 'injector.webhook=null' \
      --set 'injector.objectSelector.matchLabels.injector=true' \
      . | tee /dev/stderr |
      yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
@test "injector/MutatingWebhookConfiguration: webhook.objectSelector empty by default" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
@ -87,69 +312,15 @@ load _helpers
  [ "${actual}" = "null" ]
 }
-@test "injector/MutatingWebhookConfiguration: can set objectSelector" {
+@test "injector/MutatingWebhookConfiguration: can set webhook.objectSelector" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
      --set 'injector.enabled=true' \
-      --set 'injector.objectSelector.matchLabels.injector=true' \
+      --set 'injector.webhook.objectSelector.matchLabels.injector=true' \
      --set 'injector.objectSelector.matchLabels.injector=false' \
      . | tee /dev/stderr |
      yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr)
  [ "${actual}" = "true" ]
-}
+}
@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
      --set 'injector.enabled=true' \
      --namespace foo \
      . | tee /dev/stderr |
      yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
  [ "${actual}" = "\"Ignore\"" ]
 }
@test "injector/MutatingWebhookConfiguration: can set failurePolicy" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml  \
      --set 'injector.enabled=true' \
      --set 'injector.failurePolicy=Fail' \
      . | tee /dev/stderr |
      yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
  [ "${actual}" = "\"Fail\"" ]
 }
 #--------------------------------------------------------------------
 # annotations
@test "injector/MutatingWebhookConfiguration: default annotations" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations' | tee /dev/stderr)
  [ "${actual}" = "null" ]
 }
@test "injector/MutatingWebhookConfiguration: specify annotations yaml" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml \
      --set 'injector.webhookAnnotations.foo=bar' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations.foo' | tee /dev/stderr)
  [ "${actual}" = "bar" ]
 }
@test "injector/MutatingWebhookConfiguration: specify annotations yaml string" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-mutating-webhook.yaml \
      --set 'injector.webhookAnnotations=foo: bar' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations.foo' | tee /dev/stderr)
  [ "${actual}" = "bar" ]
 }
--- a/test/unit/injector-psp-role.bats
+++ b/test/unit/injector-psp-role.bats
@ -22,7 +22,7 @@ load _helpers
  [ "${actual}" = "true" ]
 }
-@test "injector/PodSecurityPolicy-Role: disable with global.enabled" {
+@test "injector/PodSecurityPolicy-Role: ignore global.enabled" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/injector-psp-role.yaml  \
@ -31,5 +31,5 @@ load _helpers
      --set 'global.psp.enable=true' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
+  [ "${actual}" = "true" ]
 }
--- a/test/unit/injector-psp-rolebinding.bats
+++ b/test/unit/injector-psp-rolebinding.bats
@ -22,7 +22,7 @@ load _helpers
  [ "${actual}" = "true" ]
 }
-@test "injector/PodSecurityPolicy-RoleBinding: disable with global.enabled" {
+@test "injector/PodSecurityPolicy-RoleBinding: ignore global.enabled" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/injector-psp-rolebinding.yaml  \
@ -31,5 +31,5 @@ load _helpers
      --set 'global.psp.enable=true' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
+  [ "${actual}" = "true" ]
 }
--- a/test/unit/injector-psp.bats
+++ b/test/unit/injector-psp.bats
@ -22,7 +22,7 @@ load _helpers
  [ "${actual}" = "true" ]
 }
-@test "injector/PodSecurityPolicy: disable with global.enabled" {
+@test "injector/PodSecurityPolicy: ignore global.enabled" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/injector-psp.yaml  \
@ -31,7 +31,7 @@ load _helpers
      --set 'global.psp.enable=true' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
+  [ "${actual}" = "true" ]
 }
@test "injector/PodSecurityPolicy: annotations are templated correctly by default" {
--- a/test/unit/injector-service.bats
+++ b/test/unit/injector-service.bats
@ -52,7 +52,7 @@ load _helpers
      --set 'injector.enabled=true' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
+  [ "${actual}" = "true" ]
 }
@test "injector/Service: generic annotations" {
--- a/test/unit/schema.bats
+++ b/test/unit/schema.bats
@ -7,9 +7,9 @@ load _helpers
 # schema, setting it as a string fails 'helm template'.
@test "schema: csi enabled datatype" {
  cd `chart_dir`
-  run helm template . --set csi.enabled="nope"
+  run helm template . --set csi.enabled="123"
  [ "$status" -eq 1 ]
-  [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: boolean, given: string" ]
+  [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: [boolean,string], given: integer" ]
  run helm template . --set csi.enabled=true
  [ "$status" -eq 0 ]
@ -17,9 +17,9 @@ load _helpers
@test "schema: injector enabled datatype" {
  cd `chart_dir`
-  run helm template . --set injector.enabled="nope"
+  run helm template . --set injector.enabled="123"
  [ "$status" -eq 1 ]
-  [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: boolean, given: string" ]
+  [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: [boolean,string], given: integer" ]
  run helm template . --set injector.enabled=true
  [ "$status" -eq 0 ]
@ -27,9 +27,9 @@ load _helpers
@test "schema: server enabled datatype" {
  cd `chart_dir`
-  run helm template . --set server.enabled="nope"
+  run helm template . --set server.enabled="123"
  [ "$status" -eq 1 ]
-  [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: boolean, given: string" ]
+  [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: [boolean,string], given: integer" ]
  run helm template . --set server.enabled=true
  [ "$status" -eq 0 ]
@ -37,9 +37,9 @@ load _helpers
@test "schema: ui enabled datatype" {
  cd `chart_dir`
-  run helm template . --set ui.enabled="nope"
+  run helm template . --set ui.enabled="123"
  [ "$status" -eq 1 ]
-  [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: boolean, given: string" ]
+  [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: [boolean,string], given: integer" ]
  run helm template . --set ui.enabled=true
  [ "$status" -eq 0 ]
--- a/test/unit/server-ha-active-service.bats
+++ b/test/unit/server-ha-active-service.bats
@ -197,3 +197,20 @@ load _helpers
  [ "${actual}" = "null" ]
 }
@test "server/ha-active-Service: publishNotReadyAddresses can be changed" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/server-ha-active-service.yaml \
      --set 'server.ha.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
  [ "${actual}" = "true" ]
  local actual=$(helm template \
      --show-only templates/server-ha-active-service.yaml \
      --set 'server.ha.enabled=true' \
      --set 'server.service.publishNotReadyAddresses=false' \
      . | tee /dev/stderr |
      yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
  [ "${actual}" = "false" ]
 }
--- a/test/unit/server-ha-disruptionbudget.bats
+++ b/test/unit/server-ha-disruptionbudget.bats
@ -16,7 +16,7 @@ load _helpers
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/server-disruptionbudget.yaml  \
-      --set 'globa.enabled=false' \
+      --set 'global.enabled=false' \
      --set 'server.ha.enabled=false' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
@ -96,4 +96,28 @@ load _helpers
      . | tee /dev/stderr |
      yq '.spec.maxUnavailable' | tee /dev/stderr)
  [ "${actual}" = "2" ]
 }
@test "server/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/server-disruptionbudget.yaml \
      --set 'server.ha.enabled=true' \
      --set 'server.ha.replicas=1' \
      --kube-version 1.19.5 \
      . | tee /dev/stderr |
      yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
@test "server/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/server-disruptionbudget.yaml \
      --set 'server.ha.enabled=true' \
      --set 'server.ha.replicas=1' \
      --kube-version 1.22.5 \
      . | tee /dev/stderr |
      yq '.apiVersion == "policy/v1"' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
--- a/test/unit/server-ha-standby-service.bats
+++ b/test/unit/server-ha-standby-service.bats
@ -208,3 +208,20 @@ load _helpers
  [ "${actual}" = "null" ]
 }
@test "server/ha-standby-Service: publishNotReadyAddresses can be changed" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/server-ha-standby-service.yaml \
      --set 'server.ha.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
  [ "${actual}" = "true" ]
  local actual=$(helm template \
      --show-only templates/server-ha-standby-service.yaml \
      --set 'server.ha.enabled=true' \
      --set 'server.service.publishNotReadyAddresses=false' \
      . | tee /dev/stderr |
      yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
  [ "${actual}" = "false" ]
 }
--- a/test/unit/server-ha-statefulset.bats
+++ b/test/unit/server-ha-statefulset.bats
@ -417,7 +417,7 @@ load _helpers
 #--------------------------------------------------------------------
 # VAULT_CLUSTER_ADDR renders
-@test "server/ha-StatefulSet: cluster addr renders" {
+@test "server/ha-StatefulSet: clusterAddr not set" {
  cd `chart_dir`
  local object=$(helm template \
      --show-only templates/server-statefulset.yaml  \
@ -428,7 +428,52 @@ load _helpers
  local value=$(echo $object |
      yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
-  [ "${value}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ]
+  [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ]
 }
@test "server/ha-StatefulSet: clusterAddr set to null" {
  cd `chart_dir`
  local object=$(helm template \
      --show-only templates/server-statefulset.yaml  \
      --set 'server.ha.enabled=true' \
      --set 'server.ha.raft.enabled=true' \
       --set 'server.ha.clusterAddr=null' \
      . | tee /dev/stderr |
      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
  local value=$(echo $object |
      yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
  [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ]
 }
@test "server/ha-StatefulSet: clusterAddr set to custom url" {
  cd `chart_dir`
  local object=$(helm template \
      --show-only templates/server-statefulset.yaml  \
      --set 'server.ha.enabled=true' \
      --set 'server.ha.raft.enabled=true' \
       --set 'server.ha.clusterAddr=https://test.example.com:8201' \
      . | tee /dev/stderr |
      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
  local value=$(echo $object |
      yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
  [ "${value}" = 'https://test.example.com:8201' ]
 }
@test "server/ha-StatefulSet: clusterAddr set to custom url with environment variable" {
  cd `chart_dir`
  local object=$(helm template \
      --show-only templates/server-statefulset.yaml  \
      --set 'server.ha.enabled=true' \
      --set 'server.ha.raft.enabled=true' \
       --set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-vault-internal:8201' \
      . | tee /dev/stderr |
      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
  local value=$(echo $object |
      yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr)
  [ "${value}" = 'http://$(HOSTNAME).release-name-vault-internal:8201' ]
 }
 #--------------------------------------------------------------------
--- a/test/unit/server-headless-service.bats
+++ b/test/unit/server-headless-service.bats
@ -0,0 +1,19 @@
 #!/usr/bin/env bats
 load _helpers
@test "server/headless-Service: publishNotReadyAddresses can be changed" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/server-headless-service.yaml \
      . | tee /dev/stderr |
      yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
  [ "${actual}" = "true" ]
  local actual=$(helm template \
      --show-only templates/server-headless-service.yaml \
      --set 'server.service.publishNotReadyAddresses=false' \
      . | tee /dev/stderr |
      yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
  [ "${actual}" = "false" ]
 }
--- a/test/unit/server-ingress.bats
+++ b/test/unit/server-ingress.bats
@ -165,7 +165,7 @@ load _helpers
      --set 'server.service.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-vault-active" ]
+  [ "${actual}" = "release-name-vault-active" ]
 }
@test "server/ingress: uses regular service when configured with ha - yaml" {
@ -180,7 +180,7 @@ load _helpers
      --set 'server.service.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-vault" ]
+  [ "${actual}" = "release-name-vault" ]
 }
@test "server/ingress: uses regular service when not ha - yaml" {
@ -194,7 +194,7 @@ load _helpers
      --set 'server.service.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-vault" ]
+  [ "${actual}" = "release-name-vault" ]
 }
@test "server/ingress: k8s 1.18.3 uses regular service when not ha - yaml" {
@ -209,7 +209,7 @@ load _helpers
      --kube-version 1.18.3 \
      . | tee /dev/stderr |
      yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-vault" ]
+  [ "${actual}" = "release-name-vault" ]
 }
@test "server/ingress: uses regular service when not ha and activeService is true - yaml" {
@ -224,7 +224,7 @@ load _helpers
      --set 'server.service.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-vault" ]
+  [ "${actual}" = "release-name-vault" ]
 }
@test "server/ingress: pathType is added to Kubernetes version == 1.19.0" {
--- a/test/unit/server-route.bats
+++ b/test/unit/server-route.bats
@ -99,7 +99,7 @@ load _helpers
      --set 'server.route.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.spec.to.name' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-vault" ]
+  [ "${actual}" = "release-name-vault" ]
 }
@test "server/route: OpenShift - route points to main service when not ha and activeService is true" {
@ -112,7 +112,7 @@ load _helpers
      --set 'server.route.activeService=true' \
      . | tee /dev/stderr |
      yq -r '.spec.to.name' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-vault" ]
+  [ "${actual}" = "release-name-vault" ]
 }
@test "server/route: OpenShift - route points to active service by when HA by default" {
@ -125,7 +125,7 @@ load _helpers
      --set 'server.ha.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.spec.to.name' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-vault-active" ]
+  [ "${actual}" = "release-name-vault-active" ]
 }
@test "server/route: OpenShift - route points to general service by when HA when configured" {
@ -139,5 +139,43 @@ load _helpers
      --set 'server.ha.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.spec.to.name' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-vault" ]
+  [ "${actual}" = "release-name-vault" ]
 }
@test "server/route: OpenShift - route termination mode set to default passthrough" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/server-route.yaml \
      --set 'global.openshift=true' \
      --set 'server.route.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.spec.tls.termination' | tee /dev/stderr)
  [ "${actual}" = "passthrough" ]
 }
@test "server/route: OpenShift - route termination mode set to edge" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/server-route.yaml \
      --set 'global.openshift=true' \
      --set 'server.route.enabled=true' \
      --set 'server.route.tls.termination=edge' \
      . | tee /dev/stderr |
      yq -r '.spec.tls.termination' | tee /dev/stderr)
  [ "${actual}" = "edge" ]
 }
@test "server/route: OpenShift - route custom tls entry" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/server-route.yaml \
      --set 'global.openshift=true' \
      --set 'server.route.enabled=true' \
      --set 'server.route.tls.insecureEdgeTerminationPolicy=Redirect' \
      . | tee /dev/stderr |
      yq -r '.spec.tls.insecureEdgeTerminationPolicy' | tee /dev/stderr)
  [ "${actual}" = "Redirect" ]
 }
--- a/test/unit/server-service.bats
+++ b/test/unit/server-service.bats
@ -175,6 +175,13 @@ load _helpers
      . | tee /dev/stderr |
      yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
  [ "${actual}" = "true" ]
  local actual=$(helm template \
      --show-only templates/server-service.yaml \
      --set 'server.service.publishNotReadyAddresses=false' \
      . | tee /dev/stderr |
      yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
  [ "${actual}" = "false" ]
 }
@test "server/Service: type empty by default" {
--- a/test/unit/server-serviceaccount.bats
+++ b/test/unit/server-serviceaccount.bats
@ -26,7 +26,7 @@ load _helpers
      --set 'server.dev.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.metadata.name' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-vault" ]
+  [ "${actual}" = "release-name-vault" ]
 }
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@ -537,7 +537,7 @@ load _helpers
  cd `chart_dir`
  local object=$(helm template \
      --show-only templates/server-statefulset.yaml  \
-      --set 'server.stanadlone.enabled=true' \
+      --set 'server.standalone.enabled=true' \
      --set 'server.extraEnvironmentVars.FOO=bar' \
      --set 'server.extraEnvironmentVars.FOOBAR=foobar' \
      . | tee /dev/stderr |
@ -1408,6 +1408,27 @@ load _helpers
  [[ "${actual}" = *"foobar"* ]]
 }
 #--------------------------------------------------------------------
 # terminationGracePeriodSeconds
@test "server/standalone-StatefulSet: terminationGracePeriodSeconds default" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/server-statefulset.yaml \
      . | tee /dev/stderr |
       yq -r '.spec.template.spec.terminationGracePeriodSeconds' | tee /dev/stderr)
  [[ "${actual}" = "10" ]]
 }
@test "server/standalone-StatefulSet: terminationGracePeriodSeconds 30" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/server-statefulset.yaml \
      --set 'server.terminationGracePeriodSeconds=30' \
      . | tee /dev/stderr |
       yq -r '.spec.template.spec.terminationGracePeriodSeconds' | tee /dev/stderr)
  [[ "${actual}" = "30" ]]
 }
 #--------------------------------------------------------------------
 # preStop
@test "server/standalone-StatefulSet: preStop sleep duration default" {
@ -1642,7 +1663,7 @@ load _helpers
      --set 'server.serviceAccount.create=true' \
      . | tee /dev/stderr |
      yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-vault" ]
+  [ "${actual}" = "release-name-vault" ]
 }
--- a/test/unit/server-test.bats
+++ b/test/unit/server-test.bats
@ -0,0 +1,252 @@
 #!/usr/bin/env bats
 load _helpers
 #--------------------------------------------------------------------
 # disable / enable server deployment
@test "server/server-test-Pod: disabled server.enabled" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'server.enabled=false' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
 }
@test "server/server-test-Pod: disabled server.enabled random string" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'server.enabled=blabla' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
 }
@test "server/server-test-Pod: enabled server.enabled explicit true" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'server.enabled=true' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
 #--------------------------------------------------------------------
@test "server/standalone-server-test-Pod: default server.standalone.enabled" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/tests/server-test.yaml  \
      . | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
@test "server/standalone-server-test-Pod: enable with server.standalone.enabled true" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'server.standalone.enabled=true' \
      . | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
@test "server/ha-server-test-Pod: enable with server.ha.enabled true" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'server.ha.enabled=true' \
      . | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
@test "server/standalone-server-test-Pod: not disabled with global.enabled" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'global.enabled=false' \
      --set 'server.enabled=true' \
      --set 'server.standalone.enabled=true' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
@test "server/standalone-server-test-Pod: disable with global.enabled" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'global.enabled=false' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
 }
@test "server/standalone-server-test-Pod: disable with injector.externalVaultAddr" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'injector.externalVaultAddr=http://vault-outside' \
      --set 'server.standalone.enabled=true' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
 }
@test "server/standalone-server-test-Pod: image defaults to server.image.repository:tag" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'server.image.repository=foo' \
      --set 'server.image.tag=1.2.3' \
      . | tee /dev/stderr |
      yq -r '.spec.containers[0].image' | tee /dev/stderr)
  [ "${actual}" = "foo:1.2.3" ]
  local actual=$(helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'server.image.repository=foo' \
      --set 'server.image.tag=1.2.3' \
      --set 'server.standalone.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.spec.containers[0].image' | tee /dev/stderr)
  [ "${actual}" = "foo:1.2.3" ]
 }
@test "server/standalone-server-test-Pod: image tag defaults to latest" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'server.image.repository=foo' \
      --set 'server.image.tag=' \
      . | tee /dev/stderr |
      yq -r '.spec.containers[0].image' | tee /dev/stderr)
  [ "${actual}" = "foo:latest" ]
  local actual=$(helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'server.image.repository=foo' \
      --set 'server.image.tag=' \
      --set 'server.standalone.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.spec.containers[0].image' | tee /dev/stderr)
  [ "${actual}" = "foo:latest" ]
 }
@test "server/standalone-server-test-Pod: default imagePullPolicy" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/tests/server-test.yaml  \
      . | tee /dev/stderr |
      yq -r '.spec.containers[0].imagePullPolicy' | tee /dev/stderr)
  [ "${actual}" = "IfNotPresent" ]
 }
@test "server/standalone-server-test-Pod: Custom imagePullPolicy" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'server.image.pullPolicy=Always' \
      . | tee /dev/stderr |
      yq -r '.spec.containers[0].imagePullPolicy' | tee /dev/stderr)
  [ "${actual}" = "Always" ]
 }
 #--------------------------------------------------------------------
 # resources
@test "server/standalone-server-test-Pod: default resources" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'server.standalone.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.spec.containers[0].resources' | tee /dev/stderr)
  [ "${actual}" = "null" ]
 }
 #--------------------------------------------------------------------
 # volumes
@test "server/standalone-server-test-Pod: server.volumes adds volume" {
  cd `chart_dir`
  # Test that it defines it
  local object=$(helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'server.volumes[0].name=plugins' \
      --set 'server.volumes[0].emptyDir=\{\}' \
      . | tee /dev/stderr |
      yq -r '.spec.volumes[] | select(.name == "plugins")' | tee /dev/stderr)
  local actual=$(echo $object |
      yq -r '.emptyDir' | tee /dev/stderr)
  [ "${actual}" = "{}" ]
 }
 #--------------------------------------------------------------------
 # volumeMounts
@test "server/standalone-server-test-Pod: server.volumeMounts adds volumeMount" {
  cd `chart_dir`
  # Test that it defines it
  local object=$(helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'server.volumeMounts[0].name=plugins' \
      --set 'server.volumeMounts[0].mountPath=/usr/local/libexec/vault' \
      --set 'server.volumeMounts[0].readOnly=true' \
      . | tee /dev/stderr |
      yq -r '.spec.containers[0].volumeMounts[] | select(.name == "plugins")' | tee /dev/stderr)
  local actual=$(echo $object |
      yq -r '.mountPath' | tee /dev/stderr)
  [ "${actual}" = "/usr/local/libexec/vault" ]
  local actual=$(echo $object |
      yq -r '.readOnly' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
 #--------------------------------------------------------------------
 # extraEnvironmentVars
@test "server/standalone-server-test-Pod: set extraEnvironmentVars" {
  cd `chart_dir`
  local object=$(helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'server.standalone.enabled=true' \
      --set 'server.extraEnvironmentVars.FOO=bar' \
      --set 'server.extraEnvironmentVars.FOOBAR=foobar' \
      . | tee /dev/stderr |
      yq -r '.spec.containers[0].env' | tee /dev/stderr)
  local name=$(echo $object |
      yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr)
  [ "${name}" = "bar" ]
  local name=$(echo $object |
      yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr)
  [ "${name}" = "foobar" ]
  local object=$(helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'server.extraEnvironmentVars.FOO=bar' \
      --set 'server.extraEnvironmentVars.FOOBAR=foobar' \
      . | tee /dev/stderr |
      yq -r '.spec.containers[0].env' | tee /dev/stderr)
  local name=$(echo $object |
      yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr)
  [ "${name}" = "bar" ]
  local name=$(echo $object |
      yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr)
  [ "${name}" = "foobar" ]
 }
--- a/test/unit/ui-service.bats
+++ b/test/unit/ui-service.bats
@ -53,6 +53,18 @@ load _helpers
  [ "${actual}" = "false" ]
 }
@test "ui/Service: 'disable with global, enable with ui.enabled'" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/ui-service.yaml  \
      --set 'global.enabled=false' \
      --set 'server.enabled=true' \
      --set 'ui.enabled=true' \
      . | tee /dev/stderr |
      yq -r 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "true" ]
 }
@test "ui/Service: disable with injector.externalVaultAddr" {
  cd `chart_dir`
  local actual=$( (helm template \
--- a/values.openshift.yaml
+++ b/values.openshift.yaml
@ -6,13 +6,13 @@ global:
 injector:
  image:
    repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
-    tag: "0.14.1-ubi"
+    tag: "0.14.2-ubi"
  agentImage:
    repository: "registry.connect.redhat.com/hashicorp/vault"
-    tag: "1.9.0-ubi"
+    tag: "1.9.3-ubi"
 server:
  image:
    repository: "registry.connect.redhat.com/hashicorp/vault"
-    tag: "1.9.0-ubi"
+    tag: "1.9.3-ubi"
--- a/values.schema.json
+++ b/values.schema.json
@ -14,6 +14,15 @@
                                "string"
                            ]
                        },
                        "extraLabels": {
                            "type": "object"
                        },
                        "kubeletRootDir": {
                            "type": "string"
                        },
                        "providersDir": {
                            "type": "string"
                        },
                        "updateStrategy": {
                            "type": "object",
                            "properties": {
@ -24,20 +33,20 @@
                                    "type": "string"
                                }
                            }
                        },
                        "providersDir": {
                          "type": "string"
                        },
                        "kubeletRootDir": {
                          "type": "string"
                        }
                    }
                },
                "priorityClassName": {
                    "type": "string"
                },
                "debug": {
                    "type": "boolean"
                },
                "enabled": {
-                    "type": "boolean"
+                    "type": [
                        "boolean",
                        "string"
                    ]
                },
                "extraArgs": {
                    "type": "array"
@ -85,6 +94,9 @@
                                "string"
                            ]
                        },
                        "extraLabels": {
                            "type": "object"
                        },
                        "tolerations": {
                            "type": [
                                "null",
@ -125,6 +137,9 @@
                                "object",
                                "string"
                            ]
                        },
                        "extraLabels": {
                            "type": "object"
                        }
                    }
                },
@ -254,7 +269,10 @@
                    }
                },
                "enabled": {
-                    "type": "boolean"
+                    "type": [
                        "boolean",
                        "string"
                    ]
                },
                "externalVaultAddr": {
                    "type": "string"
@ -320,6 +338,9 @@
                "objectSelector": {
                    "type": "object"
                },
                "podDisruptionBudget": {
                    "type": "object"
                },
                "port": {
                    "type": "integer"
                },
@ -346,6 +367,12 @@
                        }
                    }
                },
                "strategy": {
                    "type": [
                        "object",
                        "string"
                    ]
                },
                "tolerations": {
                    "type": [
                        "null",
@ -360,6 +387,32 @@
                        "string"
                    ]
                },
                "webhook": {
                    "type": "object",
                    "properties": {
                        "annotations": {
                            "type": [
                                "object",
                                "string"
                            ]
                        },
                        "failurePolicy": {
                            "type": "string"
                        },
                        "matchPolicy": {
                            "type": "string"
                        },
                        "namespaceSelector": {
                            "type": "object"
                        },
                        "objectSelector": {
                            "type": "object"
                        },
                        "timeoutSeconds": {
                            "type": "integer"
                        }
                    }
                },
                "webhookAnnotations": {
                    "type": [
                        "object",
@ -467,7 +520,10 @@
                    }
                },
                "enabled": {
-                    "type": "boolean"
+                    "type": [
                        "boolean",
                        "string"
                    ]
                },
                "enterpriseLicense": {
                    "type": "object",
@ -517,7 +573,10 @@
                            ]
                        },
                        "config": {
-                            "type": "string"
+                            "type": [
                                "string",
                                "object"
                            ]
                        },
                        "disruptionBudget": {
                            "type": "object",
@ -540,7 +599,10 @@
                            "type": "object",
                            "properties": {
                                "config": {
-                                    "type": "string"
+                                    "type": [
                                        "string",
                                        "object"
                                    ]
                                },
                                "enabled": {
                                    "type": "boolean"
@ -607,6 +669,9 @@
                        "labels": {
                            "type": "object"
                        },
                        "pathType": {
                            "type": "string"
                        },
                        "tls": {
                            "type": "array"
                        }
@ -732,6 +797,12 @@
                        "enabled": {
                            "type": "boolean"
                        },
                        "publishNotReadyAddresses": {
                            "type": "boolean"
                        },
                        "externalTrafficPolicy": {
                            "type": "string"
                        },
                        "port": {
                            "type": "integer"
                        },
@ -764,7 +835,10 @@
                    "type": "object",
                    "properties": {
                        "config": {
-                            "type": "string"
+                            "type": [
                                "string",
                                "object"
                            ]
                        },
                        "enabled": {
                            "type": [
@ -785,6 +859,9 @@
                        }
                    }
                },
                "terminationGracePeriodSeconds": {
                    "type": "integer"
                },
                "tolerations": {
                    "type": [
                        "null",
@ -822,11 +899,17 @@
                    ]
                },
                "enabled": {
-                    "type": "boolean"
+                    "type": [
                        "boolean",
                        "string"
                    ]
                },
                "externalPort": {
                    "type": "integer"
                },
                "externalTrafficPolicy": {
                    "type": "string"
                },
                "publishNotReadyAddresses": {
                    "type": "boolean"
                },
--- a/values.yaml
+++ b/values.yaml
@ -26,7 +26,8 @@ global:
 injector:
  # True if you want to enable vault agent injection.
-  enabled: true
+  # @default: global.enabled
  enabled: "-"
  replicas: 1
@ -49,7 +50,7 @@ injector:
  # image sets the repo and tag of the vault-k8s image to use for the injector.
  image:
    repository: "hashicorp/vault-k8s"
-    tag: "0.14.1"
+    tag: "0.14.2"
    pullPolicy: IfNotPresent
  # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
@ -57,7 +58,7 @@ injector:
  # required.
  agentImage:
    repository: "hashicorp/vault"
-    tag: "1.9.0"
+    tag: "1.9.3"
  # The default values for the injected Vault Agent containers.
  agentDefaults:
@ -90,6 +91,61 @@ injector:
  # Configures all Vault Agent sidecars to revoke their token when shutting down
  revokeOnShutdown: false
  webhook: 
    # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
    # API Version of the WebHook.
    # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
    #
    failurePolicy: Ignore
    # matchPolicy specifies the approach to accepting changes based on the rules of 
    # the MutatingWebhookConfiguration.
    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy
    # for more details.
    #
    matchPolicy: Exact
    # timeoutSeconds is the amount of seconds before the webhook request will be ignored
    # or fails.
    # If it is ignored or fails depends on the failurePolicy
    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts
    # for more details.
    #
    timeoutSeconds: 30
    # namespaceSelector is the selector for restricting the webhook to only
    # specific namespaces.
    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
    # for more details.
    # Example:
    # namespaceSelector:
    #    matchLabels:
    #      sidecar-injector: enabled
    namespaceSelector: {}
    # objectSelector is the selector for restricting the webhook to only
    # specific labels.
    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
    # for more details.
    # Example:
    # objectSelector:
    #    matchLabels:
    #      vault-sidecar-injector: enabled
    objectSelector: {}
    # Extra annotations to attach to the webhook
    annotations: {}
  # Deprecated: please use 'webhook.failurePolicy' instead
  # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
  # API Version of the WebHook.
  # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
  #
  failurePolicy: Ignore
  # Deprecated: please use 'webhook.namespaceSelector' instead
  # namespaceSelector is the selector for restricting the webhook to only
  # specific namespaces.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
@ -99,6 +155,8 @@ injector:
  #    matchLabels:
  #      sidecar-injector: enabled
  namespaceSelector: {}
  # Deprecated: please use 'webhook.objectSelector' instead
  # objectSelector is the selector for restricting the webhook to only
  # specific labels.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
@ -109,13 +167,7 @@ injector:
  #      vault-sidecar-injector: enabled
  objectSelector: {}
-  # Configures failurePolicy of the webhook. The "unspecified" default behaviour deoends on the
+  # Deprecated: please use 'webhook.annotations' instead
  # API Version of the WebHook.
  # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
  #
  failurePolicy: Ignore
  # Extra annotations to attach to the webhook
  webhookAnnotations: {}
@ -205,9 +257,25 @@ injector:
    # Extra annotations to attach to the injector service
    annotations: {}
  # A disruption budget limits the number of pods of a replicated application
  # that are down simultaneously from voluntary disruptions
  podDisruptionBudget: {}
  # podDisruptionBudget:
  #   maxUnavailable: 1
  # strategy for updating the deployment. This can be a multi-line string or a
  # YAML map.
  strategy: {}
  # strategy: |
  #   rollingUpdate:
  #     maxSurge: 25%
  #     maxUnavailable: 25%
  #   type: RollingUpdate
 server:
-  # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details
+  # If true, or "-" with global.enabled true, Vault server will be installed.
-  enabled: true
+  # See vault.mode in _helpers.tpl for implementation details.
  enabled: "-"
  # [Enterprise Only] This value refers to a Kubernetes secret that you have
  # created that contains your enterprise license. If you are not using an
@ -227,7 +295,7 @@ server:
  image:
    repository: "hashicorp/vault"
-    tag: "1.9.0"
+    tag: "1.9.3"
    # Overrides the default Image Pull Policy
    pullPolicy: IfNotPresent
@ -296,7 +364,7 @@ server:
    #      - chart-example.local
  # OpenShift only - create a route to expose the service
-  # The created route will be of type passthrough
+  # By default the created route will be of type passthrough
  route:
    enabled: false
@ -307,6 +375,11 @@ server:
    labels: {}
    annotations: {}
    host: chart-example.local
    # tls will be passed directly to the route's TLS config, which
    # can be used to configure other termination methods that terminate
    # TLS at the router
    tls:
      termination: passthrough
  # authDelegator enables a cluster role binding to be attached to the service
  # account.  This cluster role binding can be used to setup Kubernetes auth
@ -374,6 +447,10 @@ server:
    # Number of seconds after which the probe times out.
    timeoutSeconds: 3
  # Optional duration in seconds the pod needs to terminate gracefully.
  # See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  terminationGracePeriodSeconds: 10
  # Used to set the sleep time during the preStop step
  preStopSleepSeconds: 5
@ -494,6 +571,9 @@ server:
    # or NodePort.
    #type: ClusterIP
    # Do not wait for pods to be ready
    publishNotReadyAddresses: true
    # The externalTrafficPolicy can be set to either Cluster or Local
    # and is only valid for LoadBalancer and NodePort service types.
    # The default value is Cluster.
@ -531,7 +611,7 @@ server:
    annotations: {}
  # This configures the Vault Statefulset to create a PVC for audit
-  # logs.  Once Vault is deployed, initialized and unseal, Vault must
+  # logs.  Once Vault is deployed, initialized and unsealed, Vault must
  # be configured to use this for audit logs.  This will be mounted to
  # /vault/audit
  # See https://www.vaultproject.io/docs/audit/index.html to know more
@ -612,6 +692,11 @@ server:
    # If set to null, this will be set to the Pod IP Address
    apiAddr: null
    # Set the cluster_addr confuguration for Vault HA
    # See https://www.vaultproject.io/docs/configuration#cluster_addr
    # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201
    clusterAddr: null
    # Enables Vault's integrated Raft storage.  Unlike the typical HA modes where
    # Vault's persistence is external (such as Consul), enabling Raft mode will create
    # persistent volumes for Vault to store data according to the configuration under server.dataStorage.
@ -752,7 +837,7 @@ csi:
  image:
    repository: "hashicorp/vault-csi-provider"
-    tag: "0.3.0"
+    tag: "1.1.0"
    pullPolicy: IfNotPresent
  # volumes is a list of volumes made available to all containers. These are rendered
@ -793,6 +878,9 @@ csi:
    providersDir: "/etc/kubernetes/secrets-store-csi-providers"
    # Kubelet host path
    kubeletRootDir: "/var/lib/kubelet"
    # Extra labels to attach to the vault-csi-provider daemonSet
    # This should be a YAML map of the labels to apply to the csi provider daemonSet
    extraLabels: {}
  pod:
    # Extra annotations for the provider pods. This can either be YAML or a
@ -805,12 +893,25 @@ csi:
    # in a PodSpec.
    tolerations: []
    # Extra labels to attach to the vault-csi-provider pod
    # This should be a YAML map of the labels to apply to the csi provider pod
    extraLabels: {}
  # Priority class for csi pods
  priorityClassName: ""
  serviceAccount:
    # Extra annotations for the serviceAccount definition. This can either be
    # YAML or a YAML-formatted multi-line templated string map of the
    # annotations to apply to the serviceAccount.
    annotations: {}
    # Extra labels to attach to the vault-csi-provider serviceAccount
    # This should be a YAML map of the labels to apply to the csi provider serviceAccount
    extraLabels: {}
  # Used to configure readinessProbe for the pods.
  readinessProbe:
    # When a probe fails, Kubernetes will try failureThreshold times before giving up