VAULT-571 Matching documented behavior and consul (#703)

VAULT-571 Matching documented behavior and consul Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart: > [global.enabled] The master enabled/disabled configuration. If this is > true, most components will be installed by default. If this is false, > no components will be installed by default and manually opting-in is > required, such as by setting server.enabled to true. (https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled) We also simplified the chart logic using a few template helpers. Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-03-21 09:50:23 -07:00 · 2022-03-21 09:50:23 -07:00 · 710915952e
commit 710915952e
parent 56a253ba97
47 changed files with 229 additions and 64 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,6 +1,8 @@
 ## Unreleased

 CHANGES:
+* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
+* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
 * Vault default image to 1.9.3
 * CSI provider default image to 1.0.0

--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@ -31,6 +31,50 @@ Expand the name of the chart.
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}

+{{/*
+Compute if the csi driver is enabled.
+*/}}
+{{- define "vault.csiEnabled" -}}
+{{- $_ := set . "csiEnabled" (or
+  (eq (.Values.csi.enabled | toString) "true")
+  (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
+{{/*
+Compute if the injector is enabled.
+*/}}
+{{- define "vault.injectorEnabled" -}}
+{{- $_ := set . "injectorEnabled" (or
+  (eq (.Values.injector.enabled | toString) "true")
+  (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
+{{/*
+Compute if the server is enabled.
+*/}}
+{{- define "vault.serverEnabled" -}}
+{{- $_ := set . "serverEnabled" (or
+  (eq (.Values.server.enabled | toString) "true")
+  (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
+{{/*
+Compute if the server service is enabled.
+*/}}
+{{- define "vault.serverServiceEnabled" -}}
+{{- template "vault.serverEnabled" . -}}
+{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
+{{- end -}}
+
+{{/*
+Compute if the ui is enabled.
+*/}}
+{{- define "vault.uiEnabled" -}}
+{{- $_ := set . "uiEnabled" (or
+  (eq (.Values.ui.enabled | toString) "true")
+  (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
 {{/*
 Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
 This defaults to (n/2)-1 where n is the number of members of the server cluster.
@ -51,9 +95,10 @@ Set the variable 'mode' to the server mode requested by the user to simplify
 template logic.
 */}}
 {{- define "vault.mode" -}}
+  {{- template "vault.serverEnabled" . -}}
  {{- if .Values.injector.externalVaultAddr -}}
    {{- $_ := set . "mode" "external" -}}
-  {{- else if ne (.Values.server.enabled | toString) "true" -}}
+  {{- else if not .serverEnabled -}}
    {{- $_ := set . "mode" "external" -}}
  {{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
    {{- $_ := set . "mode" "dev" -}}
--- a/templates/csi-clusterrole.yaml
+++ b/templates/csi-clusterrole.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
--- a/templates/csi-clusterrolebinding.yaml
+++ b/templates/csi-clusterrolebinding.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
--- a/templates/csi-daemonset.yaml
+++ b/templates/csi-daemonset.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
--- a/templates/csi-serviceaccount.yaml
+++ b/templates/csi-serviceaccount.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
--- a/templates/injector-certs-secret.yaml
+++ b/templates/injector-certs-secret.yaml
@ -1,4 +1,6 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 apiVersion: v1
 kind: Secret
 metadata:
@ -9,3 +11,4 @@ metadata:
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
+{{- end }}
--- a/templates/injector-clusterrole.yaml
+++ b/templates/injector-clusterrole.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@ -10,7 +11,7 @@ metadata:
 rules:
 - apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
-  verbs: 
+  verbs:
    - "get"
    - "list"
    - "watch"
--- a/templates/injector-clusterrolebinding.yaml
+++ b/templates/injector-clusterrolebinding.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 # Deployment for the injector
 apiVersion: apps/v1
 kind: Deployment
--- a/templates/injector-mutating-webhook.yaml
+++ b/templates/injector-mutating-webhook.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
 apiVersion: admissionregistration.k8s.io/v1
 {{- else }}
--- a/templates/injector-network-policy.yaml
+++ b/templates/injector-network-policy.yaml
@ -1,4 +1,6 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.openshift | toString) "true" }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@ -19,3 +21,4 @@ spec:
      - port: 8080
        protocol: TCP
 {{ end }}
+{{ end }}
--- a/templates/injector-psp-role.yaml
+++ b/templates/injector-psp-role.yaml
@ -1,4 +1,6 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.psp.enable | toString) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@ -15,3 +17,4 @@ rules:
  resourceNames:
    - {{ template "vault.fullname" . }}-agent-injector
 {{- end }}
+{{- end }}
--- a/templates/injector-psp-rolebinding.yaml
+++ b/templates/injector-psp-rolebinding.yaml
@ -1,4 +1,6 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.psp.enable | toString) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@ -16,3 +18,4 @@ subjects:
  - kind: ServiceAccount
    name: {{ template "vault.fullname" . }}-agent-injector
 {{- end }}
+{{- end }}
--- a/templates/injector-psp.yaml
+++ b/templates/injector-psp.yaml
@ -1,4 +1,6 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.psp.enable | toString) "true" }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@ -41,3 +43,4 @@ spec:
        max: 65535
  readOnlyRootFilesystem: false
 {{- end }}
+{{- end }}
--- a/templates/injector-role.yaml
+++ b/templates/injector-role.yaml
@ -1,4 +1,6 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@ -24,3 +26,4 @@ rules:
      - "patch"
      - "delete"
 {{- end }}
+{{- end }}
--- a/templates/injector-rolebinding.yaml
+++ b/templates/injector-rolebinding.yaml
@ -1,4 +1,6 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@ -17,3 +19,4 @@ subjects:
    name: {{ template "vault.fullname" . }}-agent-injector
    namespace: {{ .Release.Namespace }}
 {{- end }}
+{{- end }}
--- a/templates/injector-service.yaml
+++ b/templates/injector-service.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 apiVersion: v1
 kind: Service
 metadata:
--- a/templates/injector-serviceaccount.yaml
+++ b/templates/injector-serviceaccount.yaml
@ -1,4 +1,5 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
--- a/templates/server-clusterrolebinding.yaml
+++ b/templates/server-clusterrolebinding.yaml
@ -1,5 +1,7 @@
 {{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }}
+{{- template "vault.serverEnabled" . -}}
+{{- if .serverEnabled -}}
+{{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }}
 {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
 apiVersion: rbac.authorization.k8s.io/v1
 {{- else }}
@ -22,3 +24,4 @@ subjects:
  name: {{ template "vault.serviceAccount.name" . }}
  namespace: {{ .Release.Namespace }}
 {{ end }}
+{{ end }}
--- a/templates/server-config-configmap.yaml
+++ b/templates/server-config-configmap.yaml
@ -1,6 +1,8 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}}
+{{- template "vault.serverEnabled" . -}}
+{{- if .serverEnabled -}}
+{{- if ne .mode "dev" -}}
 {{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
 apiVersion: v1
 kind: ConfigMap
@ -36,3 +38,4 @@ data:
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
--- a/templates/server-discovery-role.yaml
+++ b/templates/server-discovery-role.yaml
@ -1,6 +1,8 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverEnabled" . -}}
+{{- if .serverEnabled -}}
+{{- if eq .mode "ha" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@ -17,3 +19,4 @@ rules:
  verbs: ["get", "watch", "list", "update", "patch"]
 {{ end }}
 {{ end }}
+{{ end }}
--- a/templates/server-discovery-rolebinding.yaml
+++ b/templates/server-discovery-rolebinding.yaml
@ -1,6 +1,8 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverEnabled" . -}}
+{{- if .serverEnabled -}}
+{{- if eq .mode "ha" }}
 {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
 apiVersion: rbac.authorization.k8s.io/v1
 {{- else }}
@ -25,3 +27,4 @@ subjects:
  namespace: {{ .Release.Namespace }}
 {{ end }}
 {{ end }}
+{{ end }}
--- a/templates/server-disruptionbudget.yaml
+++ b/templates/server-disruptionbudget.yaml
@ -1,6 +1,8 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" -}}
-{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
+{{- template "vault.serverEnabled" . -}}
+{{- if .serverEnabled -}}
+{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
 # PodDisruptionBudget to prevent degrading the server cluster through
 # voluntary cluster changes.
 apiVersion: policy/v1beta1
@ -22,3 +24,4 @@ spec:
      component: server
 {{- end -}}
 {{- end -}}
+{{- end -}}
--- a/templates/server-ha-active-service.yaml
+++ b/templates/server-ha-active-service.yaml
@ -1,6 +1,8 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+{{- if eq .mode "ha" }}
 # Service for active Vault pod
 apiVersion: v1
 kind: Service
@ -40,3 +42,4 @@ spec:
    vault-active: "true"
 {{- end }}
 {{- end }}
+{{- end }}
--- a/templates/server-ha-standby-service.yaml
+++ b/templates/server-ha-standby-service.yaml
@ -1,6 +1,8 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+{{- if eq .mode "ha" }}
 # Service for standby Vault pod
 apiVersion: v1
 kind: Service
@ -40,3 +42,4 @@ spec:
    vault-active: "false"
 {{- end }}
 {{- end }}
+{{- end }}
--- a/templates/server-headless-service.yaml
+++ b/templates/server-headless-service.yaml
@ -1,6 +1,7 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
 # Service for Vault cluster
 apiVersion: v1
 kind: Service
--- a/templates/server-ingress.yaml
+++ b/templates/server-ingress.yaml
@ -4,7 +4,9 @@
 {{- if .Values.server.ingress.enabled -}}
 {{- $extraPaths := .Values.server.ingress.extraPaths -}}
 {{- $serviceName := include "vault.fullname" . -}}
-{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.ingress.activeService | toString) "true") }}
+{{- template "vault.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
 {{- $serviceName = printf "%s-%s" $serviceName "active" -}}
 {{- end }}
 {{- $servicePort := .Values.server.service.port -}}
@ -72,3 +74,4 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
--- a/templates/server-psp-role.yaml
+++ b/templates/server-psp-role.yaml
@ -1,5 +1,7 @@
 {{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{- template "vault.serverEnabled" . -}}
+{{- if .serverEnabled -}}
+{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@ -16,3 +18,4 @@ rules:
  resourceNames:
    - {{ template "vault.fullname" . }}
 {{- end }}
+{{- end }}
--- a/templates/server-psp-rolebinding.yaml
+++ b/templates/server-psp-rolebinding.yaml
@ -1,5 +1,7 @@
 {{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{- template "vault.serverEnabled" . -}}
+{{- if .serverEnabled -}}
+{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@ -17,3 +19,4 @@ subjects:
  - kind: ServiceAccount
    name: {{ template "vault.fullname" . }}
 {{- end }}
+{{- end }}
--- a/templates/server-psp.yaml
+++ b/templates/server-psp.yaml
@ -1,5 +1,7 @@
 {{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{- template "vault.serverEnabled" . -}}
+{{- if .serverEnabled -}}
+{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@ -45,3 +47,4 @@ spec:
        max: 65535
  readOnlyRootFilesystem: false
 {{- end }}
+{{- end }}
--- a/templates/server-service.yaml
+++ b/templates/server-service.yaml
@ -1,6 +1,7 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
 # Service for Vault cluster
 apiVersion: v1
 kind: Service
--- a/templates/server-serviceaccount.yaml
+++ b/templates/server-serviceaccount.yaml
@ -1,5 +1,6 @@
 {{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverEnabled" . -}}
+{{- if .serverEnabled -}}
 {{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
 apiVersion: v1
 kind: ServiceAccount
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@ -1,6 +1,8 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
+{{- if ne .mode "" }}
+{{- template "vault.serverEnabled" . -}}
+{{- if .serverEnabled -}}
 # StatefulSet to run the actual vault server cluster.
 apiVersion: apps/v1
 kind: StatefulSet
@ -206,3 +208,4 @@ spec:
  {{ template "vault.volumeclaims" . }}
 {{ end }}
 {{ end }}
+{{ end }}
--- a/templates/tests/server-test.yaml
+++ b/templates/tests/server-test.yaml
@ -1,6 +1,7 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverEnabled" . -}}
+{{- if .serverEnabled -}}
 apiVersion: v1
 kind: Pod
 metadata:
--- a/templates/ui-service.yaml
+++ b/templates/ui-service.yaml
@ -1,7 +1,8 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
-{{- if eq (.Values.ui.enabled | toString) "true" }}
+{{- template "vault.uiEnabled" . -}}
+{{- if .uiEnabled -}}
+
 apiVersion: v1
 kind: Service
 metadata:
@ -34,4 +35,3 @@ spec:
  {{- include "service.loadBalancer" .Values.ui }}
 {{- end -}}
 {{- end }}
-{{- end }}
--- a/test/unit/csi-daemonset.bats
+++ b/test/unit/csi-daemonset.bats
@ -27,7 +27,7 @@ load _helpers
      --set "global.enabled=false" \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
+  [ "${actual}" = "true" ]
 }

 # priorityClassName
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@ -26,12 +26,22 @@ load _helpers
  local actual=$( (helm template \
      --show-only templates/injector-deployment.yaml  \
      --set 'global.enabled=false' \
-      --set 'injector.enabled=true' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
 }

+@test "injector/deployment: enable with injector.enabled true and global.enabled false" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.enabled=true' \
+      --set 'global.enabled=false' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
@test "injector/deployment: image defaults to injector.image" {
  cd `chart_dir`
  local actual=$(helm template \
--- a/test/unit/injector-psp-role.bats
+++ b/test/unit/injector-psp-role.bats
@ -22,7 +22,7 @@ load _helpers
  [ "${actual}" = "true" ]
 }

-@test "injector/PodSecurityPolicy-Role: disable with global.enabled" {
+@test "injector/PodSecurityPolicy-Role: ignore global.enabled" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/injector-psp-role.yaml  \
@ -31,5 +31,5 @@ load _helpers
      --set 'global.psp.enable=true' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
+  [ "${actual}" = "true" ]
 }
--- a/test/unit/injector-psp-rolebinding.bats
+++ b/test/unit/injector-psp-rolebinding.bats
@ -22,7 +22,7 @@ load _helpers
  [ "${actual}" = "true" ]
 }

-@test "injector/PodSecurityPolicy-RoleBinding: disable with global.enabled" {
+@test "injector/PodSecurityPolicy-RoleBinding: ignore global.enabled" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/injector-psp-rolebinding.yaml  \
@ -31,5 +31,5 @@ load _helpers
      --set 'global.psp.enable=true' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
+  [ "${actual}" = "true" ]
 }
--- a/test/unit/injector-psp.bats
+++ b/test/unit/injector-psp.bats
@ -22,7 +22,7 @@ load _helpers
  [ "${actual}" = "true" ]
 }

-@test "injector/PodSecurityPolicy: disable with global.enabled" {
+@test "injector/PodSecurityPolicy: ignore global.enabled" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/injector-psp.yaml  \
@ -31,7 +31,7 @@ load _helpers
      --set 'global.psp.enable=true' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
+  [ "${actual}" = "true" ]
 }

@test "injector/PodSecurityPolicy: annotations are templated correctly by default" {
--- a/test/unit/injector-service.bats
+++ b/test/unit/injector-service.bats
@ -52,7 +52,7 @@ load _helpers
      --set 'injector.enabled=true' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
+  [ "${actual}" = "true" ]
 }

@test "injector/Service: generic annotations" {
--- a/test/unit/schema.bats
+++ b/test/unit/schema.bats
@ -7,9 +7,9 @@ load _helpers
 # schema, setting it as a string fails 'helm template'.
@test "schema: csi enabled datatype" {
  cd `chart_dir`
-  run helm template . --set csi.enabled="nope"
+  run helm template . --set csi.enabled="123"
  [ "$status" -eq 1 ]
-  [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: boolean, given: string" ]
+  [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: [boolean,string], given: integer" ]

  run helm template . --set csi.enabled=true
  [ "$status" -eq 0 ]
@ -17,9 +17,9 @@ load _helpers

@test "schema: injector enabled datatype" {
  cd `chart_dir`
-  run helm template . --set injector.enabled="nope"
+  run helm template . --set injector.enabled="123"
  [ "$status" -eq 1 ]
-  [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: boolean, given: string" ]
+  [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: [boolean,string], given: integer" ]

  run helm template . --set injector.enabled=true
  [ "$status" -eq 0 ]
@ -27,9 +27,9 @@ load _helpers

@test "schema: server enabled datatype" {
  cd `chart_dir`
-  run helm template . --set server.enabled="nope"
+  run helm template . --set server.enabled="123"
  [ "$status" -eq 1 ]
-  [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: boolean, given: string" ]
+  [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: [boolean,string], given: integer" ]

  run helm template . --set server.enabled=true
  [ "$status" -eq 0 ]
@ -37,9 +37,9 @@ load _helpers

@test "schema: ui enabled datatype" {
  cd `chart_dir`
-  run helm template . --set ui.enabled="nope"
+  run helm template . --set ui.enabled="123"
  [ "$status" -eq 1 ]
-  [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: boolean, given: string" ]
+  [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: [boolean,string], given: integer" ]

  run helm template . --set ui.enabled=true
  [ "$status" -eq 0 ]
--- a/test/unit/server-test.bats
+++ b/test/unit/server-test.bats
@ -66,12 +66,23 @@ load _helpers
  [ "${actual}" = "true" ]
 }

+@test "server/standalone-server-test-Pod: not disabled with global.enabled" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/tests/server-test.yaml  \
+      --set 'global.enabled=false' \
+      --set 'server.enabled=true' \
+      --set 'server.standalone.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
@test "server/standalone-server-test-Pod: disable with global.enabled" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/tests/server-test.yaml  \
      --set 'global.enabled=false' \
-      --set 'server.standalone.enabled=true' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
--- a/test/unit/ui-service.bats
+++ b/test/unit/ui-service.bats
@ -53,6 +53,18 @@ load _helpers
  [ "${actual}" = "false" ]
 }

+@test "ui/Service: 'disable with global, enable with ui.enabled'" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/ui-service.yaml  \
+      --set 'global.enabled=false' \
+      --set 'server.enabled=true' \
+      --set 'ui.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
@test "ui/Service: disable with injector.externalVaultAddr" {
  cd `chart_dir`
  local actual=$( (helm template \
--- a/values.schema.json
+++ b/values.schema.json
@ -43,7 +43,10 @@
                    "type": "boolean"
                },
                "enabled": {
-                    "type": "boolean"
+                    "type": [
+                        "boolean",
+                        "string"
+                    ]
                },
                "extraArgs": {
                    "type": "array"
@ -266,7 +269,10 @@
                    }
                },
                "enabled": {
-                    "type": "boolean"
+                    "type": [
+                        "boolean",
+                        "string"
+                    ]
                },
                "externalVaultAddr": {
                    "type": "string"
@ -507,7 +513,10 @@
                    }
                },
                "enabled": {
-                    "type": "boolean"
+                    "type": [
+                        "boolean",
+                        "string"
+                    ]
                },
                "enterpriseLicense": {
                    "type": "object",
@ -874,7 +883,10 @@
                    ]
                },
                "enabled": {
-                    "type": "boolean"
+                    "type": [
+                        "boolean",
+                        "string"
+                    ]
                },
                "externalPort": {
                    "type": "integer"
--- a/values.yaml
+++ b/values.yaml
@ -26,7 +26,8 @@ global:

 injector:
  # True if you want to enable vault agent injection.
-  enabled: true
+  # @default: global.enabled
+  enabled: "-"

  replicas: 1

@ -266,8 +267,9 @@ injector:
  #   type: RollingUpdate

 server:
-  # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details
-  enabled: true
+  # If true, or "-" with global.enabled true, Vault server will be installed.
+  # See vault.mode in _helpers.tpl for implementation details.
+  enabled: "-"

  # [Enterprise Only] This value refers to a Kubernetes secret that you have
  # created that contains your enterprise license. If you are not using an
@ -878,7 +880,7 @@ csi:
    # This should be a YAML map of the labels to apply to the csi provider pod
    extraLabels: {}

-   
+

  # Priority class for csi pods
  priorityClassName: ""