Add OpenShift beta support (#319)

* Initial commit

* Added openshift flag

* added self signed certificate for service annotation

* added OpenShift flag

* Added OpenShift flag

* cleanup

* Cleanup

* Further cleanup

* Further cleanup

* reverted security context on injector

* Extra corrections

* cleanup

* Removed Raft config for OpenShift, removed generated certs for ha and standby services

* Add openshift flag to global block, route disabled by default, condition for injector in network policy

* Added Unit tests for OpenShift

* Fixed unit test for HA statefulset for OpenShift

* Removed debug log level from stateful set

* Added port 8201 to networkpolicy

* Updated injector image

* Add openshift beta support

* Add openshift beta support

* Remove comments from configs

* Remove vault-k8s note from values

* Change route to use active service when HA

Co-authored-by: Radu Domnu <radu.domnu@sixdx.com>
Co-authored-by: Radu Domnu <radu.domnu@gmail.com>
Jason O'Donnell 2020-06-02 22:10:41 -04:00 committed by GitHub
parent 7f7fb7bad0
commit 853cb06842
23 changed files with 382 additions and 49 deletions


@ -318,6 +318,21 @@ Sets extra ingress annotations
{{- end }} {{- end }}
{{- end -}} {{- end -}}
{{/*
Sets extra route annotations
*/}}
{{- define "vault.route.annotations" -}}
{{- if .Values.server.route.annotations }}
annotations:
{{- $tp := typeOf .Values.server.route.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.route.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.route.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/* {{/*
Sets extra vault server Service annotations Sets extra vault server Service annotations
*/}} */}}


@ -31,10 +31,12 @@ spec:
priorityClassName: {{ .Values.injector.priorityClassName }} priorityClassName: {{ .Values.injector.priorityClassName }}
{{- end }} {{- end }}
serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
{{- if not .Values.global.openshift }}
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
runAsGroup: {{ .Values.injector.gid | default 1000 }} runAsGroup: {{ .Values.injector.gid | default 1000 }}
runAsUser: {{ .Values.injector.uid | default 100 }} runAsUser: {{ .Values.injector.uid | default 100 }}
{{- end }}
containers: containers:
- name: sidecar-injector - name: sidecar-injector
{{ template "injector.resources" . }} {{ template "injector.resources" . }}
@ -70,6 +72,10 @@ spec:
value: {{ .Values.injector.logFormat | default "standard" }} value: {{ .Values.injector.logFormat | default "standard" }}
- name: AGENT_INJECT_REVOKE_ON_SHUTDOWN - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
value: "{{ .Values.injector.revokeOnShutdown | default false }}" value: "{{ .Values.injector.revokeOnShutdown | default false }}"
{{- if .Values.global.openshift }}
- name: AGENT_INJECT_SET_SECURITY_CONTEXT
value: "false"
{{- end }}
{{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
args: args:
- agent-inject - agent-inject
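Review bot: The `{{- if not .Values.global.openshift }}` guard around `securityContext` in the first hunk drops `runAsNonRoot: true` together with the uid/gid, so on OpenShift the pod template no longer asserts a non-root identity at all, although only the explicit `runAsUser`/`runAsGroup` values conflict with the UID range an SCC assigns. Keep the non-root assertion unconditional and move the guard inside the block: `securityContext:` / `  runAsNonRoot: true` / `{{- if not .Values.global.openshift }}` followed by the two existing uid/gid lines and `{{- end }}`. The same shape applies to the server StatefulSet hunk at `@ -45,13 +45,17 @@`, where `fsGroup` is the only other field that needs to stay inside the guard. The `AGENT_INJECT_SET_SECURITY_CONTEXT` block in the second hunk would read better with a one-line comment such as `# OpenShift: leave the injected sidecar's securityContext to the SCC`.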


@ -0,0 +1,21 @@
{{- if .Values.global.openshift }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
ingress:
- from:
- namespaceSelector: {}
ports:
- port: 8080
protocol: TCP
{{ end }}
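Review bot: The `podSelector` keyed on `component: webhook` only restricts traffic if the injector pod template actually carries that label; the label is not visible in the injector-deployment hunk of this commit, so please confirm it is set, otherwise the policy selects no pods and silently has no effect. `namespaceSelector: {}` admits every namespace to port 8080, the webhook listener; the API server has to reach it, so the breadth is defensible, but it deserves a comment such as `# Webhook port: must stay reachable by the API server, so every namespace is allowed`. The closing `{{ end }}` does not trim like the `{{- if` on the first line and leaves a stray blank line in the rendered output; `{{- end }}` matches the other templates.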


@ -1,3 +1,4 @@
{{- if not .Values.global.openshift }}
{{ template "vault.mode" . }} {{ template "vault.mode" . }}
{{- if ne .mode "external" }} {{- if ne .mode "external" }}
{{- if .Values.server.ingress.enabled -}} {{- if .Values.server.ingress.enabled -}}
@ -49,3 +50,4 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}


@ -0,0 +1,22 @@
{{- if .Values.global.openshift }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "vault.fullname" . }}
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
ingress:
- from:
- namespaceSelector: {}
ports:
- port: 8200
protocol: TCP
- port: 8201
protocol: TCP
{{ end }}
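Review bot: Both `8200` and `8201` are opened to `namespaceSelector: {}`, i.e. every pod in every namespace, but 8201 is the cluster port that only other Vault server pods of this release need; exposing it cluster-wide is broader than the policy's purpose of gating the API. Split the ingress into two rules, keeping 8200 open as written and limiting 8201 to pods that carry this release's `app.kubernetes.io/name` and `app.kubernetes.io/instance` labels. As in the injector policy, `{{ end }}` on the last line should be `{{- end }}`.

```yaml
  ingress:
    # API port: open to every namespace (clients, injector, route)
    - from:
        - namespaceSelector: {}
      ports:
        - port: 8200
          protocol: TCP
    # Cluster port: only other Vault server pods of this release use it
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: {{ template "vault.name" . }}
              app.kubernetes.io/instance: {{ .Release.Name }}
      ports:
        - port: 8201
          protocol: TCP
```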


@ -0,0 +1,33 @@
{{- if .Values.global.openshift }}
{{- if ne .mode "external" }}
{{- if .Values.server.route.enabled -}}
{{- $serviceName := include "vault.fullname" . -}}
{{- if eq .mode "ha" }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
{{- end }}
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "vault.fullname" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.server.route.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- template "vault.route.annotations" . }}
spec:
host: {{ .Values.server.route.host }}
to:
kind: Service
name: {{ $serviceName }}
weight: 100
port:
targetPort: 8200
tls:
termination: passthrough
{{- end }}
{{- end }}
{{- end }}
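Review bot: `{{- if ne .mode "external" }}` on the second line reads `.mode`, but nothing in this template sets it; server-ingress.yaml calls `{{ template "vault.mode" . }}` before its own `ne .mode "external"` check and this file does not, so unless `.mode` is populated elsewhere the external-mode guard here compares against an unset value. Add `{{ template "vault.mode" . }}` as the first line of the file. Separately, `termination: passthrough` hands the TLS session straight to the backend, so it only works when the Vault listener itself serves TLS, while `global.tlsDisable` defaults to `true` in values.yaml; either guard the route on `not .Values.global.tlsDisable` or document in the values file that the route requires TLS to be enabled. Minor: the file mixes `include "vault.fullname"` and `template "vault.fullname"` for the same helper; pick one.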


@ -45,13 +45,17 @@ spec:
{{ if .Values.server.shareProcessNamespace }} {{ if .Values.server.shareProcessNamespace }}
shareProcessNamespace: true shareProcessNamespace: true
{{ end }} {{ end }}
{{- if not .Values.global.openshift }}
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
runAsGroup: {{ .Values.server.gid | default 1000 }} runAsGroup: {{ .Values.server.gid | default 1000 }}
runAsUser: {{ .Values.server.uid | default 100 }} runAsUser: {{ .Values.server.uid | default 100 }}
fsGroup: {{ .Values.server.gid | default 1000 }} fsGroup: {{ .Values.server.gid | default 1000 }}
{{- end }}
volumes: volumes:
{{ template "vault.volumes" . }} {{ template "vault.volumes" . }}
- name: home
emptyDir: {}
{{- if .Values.server.extraInitContainers }} {{- if .Values.server.extraInitContainers }}
initContainers: initContainers:
{{ toYaml .Values.server.extraInitContainers | nindent 8}} {{ toYaml .Values.server.extraInitContainers | nindent 8}}
@ -100,11 +104,15 @@ spec:
fieldRef: fieldRef:
fieldPath: metadata.name fieldPath: metadata.name
{{- end }} {{- end }}
- name: HOME
value: "/home/vault"
{{ template "vault.envs" . }} {{ template "vault.envs" . }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
{{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
volumeMounts: volumeMounts:
{{ template "vault.mounts" . }} {{ template "vault.mounts" . }}
- name: home
mountPath: /home/vault
ports: ports:
- containerPort: 8200 - containerPort: 8200
name: {{ include "vault.scheme" . }} name: {{ include "vault.scheme" . }}
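Review bot: The `home` emptyDir volume, its `/home/vault` mount and the `HOME` env var are added unconditionally, so they change the rendered spec for every install (the acceptance tests' volume counts had to be bumped), yet nothing says why they exist. Add a comment above the `- name: home` volume, e.g. `# writable HOME for arbitrary UIDs (OpenShift SCCs assign a uid with no home directory)`, or gate the three additions on `.Values.global.openshift` if they are only meant for that platform. The enclosing pod template starts before the first hunk and continues after the second.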


@ -41,7 +41,7 @@ spec:
- name: POSTGRES_PASSWORD - name: POSTGRES_PASSWORD
value: password value: password
volumeMounts: volumeMounts:
- mountPath: "/var/lib/postgresql/data" - mountPath: "/var/lib/postgresql"
name: "pgdata" name: "pgdata"
- mountPath: "/docker-entrypoint-initdb.d" - mountPath: "/docker-entrypoint-initdb.d"
name: "pgconf" name: "pgconf"


@ -19,7 +19,7 @@ load _helpers
# Volume Mounts # Volume Mounts
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].volumeMounts | length') jq -r '.spec.template.spec.containers[0].volumeMounts | length')
[ "${volumeCount}" == "0" ] [ "${volumeCount}" == "1" ]
# Service # Service
local service=$(kubectl get service "$(name_prefix)" --output json | local service=$(kubectl get service "$(name_prefix)" --output json |


@ -7,7 +7,7 @@ load _helpers
helm install "$(name_prefix)-east" \ helm install "$(name_prefix)-east" \
--set='server.image.repository=hashicorp/vault-enterprise' \ --set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.4.0_ent' \ --set='server.image.tag=1.4.2_ent' \
--set='injector.enabled=false' \ --set='injector.enabled=false' \
--set='server.ha.enabled=true' \ --set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' . --set='server.ha.raft.enabled=true' .
@ -76,7 +76,7 @@ load _helpers
helm install "$(name_prefix)-west" \ helm install "$(name_prefix)-west" \
--set='injector.enabled=false' \ --set='injector.enabled=false' \
--set='server.image.repository=hashicorp/vault-enterprise' \ --set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.4.0_ent' \ --set='server.image.tag=1.4.2_ent' \
--set='server.ha.enabled=true' \ --set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' . --set='server.ha.raft.enabled=true' .
wait_for_running "$(name_prefix)-west-0" wait_for_running "$(name_prefix)-west-0"


@ -8,7 +8,7 @@ load _helpers
helm install "$(name_prefix)-east" \ helm install "$(name_prefix)-east" \
--set='injector.enabled=false' \ --set='injector.enabled=false' \
--set='server.image.repository=hashicorp/vault-enterprise' \ --set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.4.0_ent' \ --set='server.image.tag=1.4.2_ent' \
--set='server.ha.enabled=true' \ --set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' . --set='server.ha.raft.enabled=true' .
wait_for_running "$(name_prefix)-east-0" wait_for_running "$(name_prefix)-east-0"
@ -76,7 +76,7 @@ load _helpers
helm install "$(name_prefix)-west" \ helm install "$(name_prefix)-west" \
--set='injector.enabled=false' \ --set='injector.enabled=false' \
--set='server.image.repository=hashicorp/vault-enterprise' \ --set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.4.0_ent' \ --set='server.image.tag=1.4.2_ent' \
--set='server.ha.enabled=true' \ --set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' . --set='server.ha.raft.enabled=true' .
wait_for_running "$(name_prefix)-west-0" wait_for_running "$(name_prefix)-west-0"


@ -27,12 +27,12 @@ load _helpers
# Volume Mounts # Volume Mounts
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].volumeMounts | length') jq -r '.spec.template.spec.containers[0].volumeMounts | length')
[ "${volumeCount}" == "2" ] [ "${volumeCount}" == "3" ]
# Volumes # Volumes
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.volumes | length') jq -r '.spec.template.spec.volumes | length')
[ "${volumeCount}" == "1" ] [ "${volumeCount}" == "2" ]
local volume=$(kubectl get statefulset "$(name_prefix)" --output json | local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.volumes[0].configMap.name') jq -r '.spec.template.spec.volumes[0].configMap.name')


@ -26,12 +26,12 @@ load _helpers
# Volume Mounts # Volume Mounts
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].volumeMounts | length') jq -r '.spec.template.spec.containers[0].volumeMounts | length')
[ "${volumeCount}" == "1" ] [ "${volumeCount}" == "2" ]
# Volumes # Volumes
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.volumes | length') jq -r '.spec.template.spec.volumes | length')
[ "${volumeCount}" == "1" ] [ "${volumeCount}" == "2" ]
local volume=$(kubectl get statefulset "$(name_prefix)" --output json | local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.volumes[0].configMap.name') jq -r '.spec.template.spec.volumes[0].configMap.name')


@ -34,7 +34,7 @@ load _helpers
# Volume Mounts # Volume Mounts
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].volumeMounts | length') jq -r '.spec.template.spec.containers[0].volumeMounts | length')
[ "${volumeCount}" == "2" ] [ "${volumeCount}" == "3" ]
local mountName=$(kubectl get statefulset "$(name_prefix)" --output json | local mountName=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.containers[0].volumeMounts[0].name') jq -r '.spec.template.spec.containers[0].volumeMounts[0].name')
@ -47,17 +47,12 @@ load _helpers
# Volumes # Volumes
local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json | local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.volumes | length') jq -r '.spec.template.spec.volumes | length')
[ "${volumeCount}" == "1" ] [ "${volumeCount}" == "2" ]
local volume=$(kubectl get statefulset "$(name_prefix)" --output json | local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.volumes[0].configMap.name') jq -r '.spec.template.spec.volumes[0].configMap.name')
[ "${volume}" == "$(name_prefix)-config" ] [ "${volume}" == "$(name_prefix)-config" ]
# Security Context
local fsGroup=$(kubectl get statefulset "$(name_prefix)" --output json |
jq -r '.spec.template.spec.securityContext.fsGroup')
[ "${fsGroup}" == "1000" ]
# Service # Service
local service=$(kubectl get service "$(name_prefix)" --output json | local service=$(kubectl get service "$(name_prefix)" --output json |
jq -r '.spec.clusterIP') jq -r '.spec.clusterIP')
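Review bot: The `# Security Context` block that asserted `fsGroup == 1000` is deleted outright rather than made conditional, so the default (non-OpenShift) acceptance run no longer verifies that the StatefulSet still renders a pod securityContext. The template keeps `fsGroup` whenever `global.openshift` is false, so the three removed lines can stay for the default path and only an OpenShift run needs to skip them. The enclosing `@test` starts before the first hunk.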


@ -322,6 +322,19 @@ load _helpers
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
@test "injector/deployment: disable security context when openshift enabled" {
cd `chart_dir`
local object=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'global.openshift=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.[9].name' | tee /dev/stderr)
[ "${actual}" = "AGENT_INJECT_SET_SECURITY_CONTEXT" ]
}
#-------------------------------------------------------------------- #--------------------------------------------------------------------
# extraEnvironmentVars # extraEnvironmentVars
@ -447,3 +460,25 @@ load _helpers
yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr) yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr)
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
#--------------------------------------------------------------------
# OpenShift
@test "injector/deployment: OpenShift - runAsUser disabled" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'global.openshift=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.securityContext.runAsUser | length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "injector/deployment: OpenShift - runAsGroup disabled" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'global.openshift=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.securityContext.runAsGroup | length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
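Review bot: The new test `injector/deployment: disable security context when openshift enabled` finds the env var by position (`.[9].name`), so any env var added earlier in the list breaks it, the same brittleness this commit had to work around by renumbering the `.[11]`/`.[12]` indices elsewhere, and it never checks the value. Select by name instead: `yq -r '.[] | select(.name == "AGENT_INJECT_SET_SECURITY_CONTEXT") | .value'` and assert `[ "${actual}" = "false" ]`. The two `OpenShift - runAsUser/runAsGroup disabled` tests only check absence; a companion assertion on whether `runAsNonRoot` is still rendered with `global.openshift=true` would pin the intended pod-level securityContext explicitly.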


@ -249,19 +249,19 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[11].name' | tee /dev/stderr) yq -r '.[12].name' | tee /dev/stderr)
[ "${actual}" = "FOO" ] [ "${actual}" = "FOO" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[11].value' | tee /dev/stderr) yq -r '.[12].value' | tee /dev/stderr)
[ "${actual}" = "bar" ] [ "${actual}" = "bar" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[12].name' | tee /dev/stderr) yq -r '.[13].name' | tee /dev/stderr)
[ "${actual}" = "FOOBAR" ] [ "${actual}" = "FOOBAR" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[12].value' | tee /dev/stderr) yq -r '.[13].value' | tee /dev/stderr)
[ "${actual}" = "foobar" ] [ "${actual}" = "foobar" ]
} }
@ -282,23 +282,25 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[10].name' | tee /dev/stderr) yq -r '.[11].name' | tee /dev/stderr)
[ "${actual}" = "ENV_FOO_0" ] [ "${actual}" = "ENV_FOO_0" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[10].valueFrom.secretKeyRef.name' | tee /dev/stderr) yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr)
[ "${actual}" = "secret_name_0" ] [ "${actual}" = "secret_name_0" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[10].valueFrom.secretKeyRef.key' | tee /dev/stderr) yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr)
[ "${actual}" = "secret_key_0" ] [ "${actual}" = "secret_key_0" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[11].name' | tee /dev/stderr) yq -r '.[12].name' | tee /dev/stderr)
[ "${actual}" = "ENV_FOO_1" ] [ "${actual}" = "ENV_FOO_1" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) yq -r '.[12].valueFrom.secretKeyRef.name' | tee /dev/stderr)
[ "${actual}" = "secret_name_1" ] [ "${actual}" = "secret_name_1" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) yq -r '.[12].valueFrom.secretKeyRef.key' | tee /dev/stderr)
[ "${actual}" = "secret_key_1" ] [ "${actual}" = "secret_key_1" ]
} }

0
test/unit/server-ha-active-service.bats Normal file → Executable file

0
test/unit/server-ha-standby-service.bats Normal file → Executable file


@ -349,19 +349,19 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[10].name' | tee /dev/stderr) yq -r '.[11].name' | tee /dev/stderr)
[ "${actual}" = "FOO" ] [ "${actual}" = "FOO" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[10].value' | tee /dev/stderr) yq -r '.[11].value' | tee /dev/stderr)
[ "${actual}" = "bar" ] [ "${actual}" = "bar" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[11].name' | tee /dev/stderr) yq -r '.[12].name' | tee /dev/stderr)
[ "${actual}" = "FOOBAR" ] [ "${actual}" = "FOOBAR" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[11].value' | tee /dev/stderr) yq -r '.[12].value' | tee /dev/stderr)
[ "${actual}" = "foobar" ] [ "${actual}" = "foobar" ]
} }
@ -383,23 +383,23 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[10].name' | tee /dev/stderr) yq -r '.[11].name' | tee /dev/stderr)
[ "${actual}" = "ENV_FOO_0" ] [ "${actual}" = "ENV_FOO_0" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[10].valueFrom.secretKeyRef.name' | tee /dev/stderr) yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr)
[ "${actual}" = "secret_name_0" ] [ "${actual}" = "secret_name_0" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[10].valueFrom.secretKeyRef.key' | tee /dev/stderr) yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr)
[ "${actual}" = "secret_key_0" ] [ "${actual}" = "secret_key_0" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[11].name' | tee /dev/stderr) yq -r '.[12].name' | tee /dev/stderr)
[ "${actual}" = "ENV_FOO_1" ] [ "${actual}" = "ENV_FOO_1" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr) yq -r '.[12].valueFrom.secretKeyRef.name' | tee /dev/stderr)
[ "${actual}" = "secret_name_1" ] [ "${actual}" = "secret_name_1" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr) yq -r '.[12].valueFrom.secretKeyRef.key' | tee /dev/stderr)
[ "${actual}" = "secret_key_1" ] [ "${actual}" = "secret_key_1" ]
} }
@ -643,3 +643,26 @@ load _helpers
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ] [ "${actual}" = "2000" ]
} }
#--------------------------------------------------------------------
# OpenShift
@test "server/ha-statefulset: OpenShift - runAsUser disabled" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-statefulset.yaml \
--set 'global.openshift=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.securityContext.runAsUser | length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/ha-statefulset: OpenShift - runAsGroup disabled" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-statefulset.yaml \
--set 'global.openshift=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.securityContext.runAsGroup | length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
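Review bot: The two `server/ha-statefulset: OpenShift - …` tests at the end of the file never pass `server.ha.enabled=true`, so `helm template` renders the standalone StatefulSet and they duplicate the standalone tests instead of covering the HA path. Add `--set 'server.ha.enabled=true' \` after the `--set 'global.openshift=true' \` line in both tests.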


@ -0,0 +1,22 @@
#!/usr/bin/env bats
load _helpers
@test "server/network-policy: OpenShift - disabled by default" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-network-policy.yaml \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/network-policy: OpenShift - enabled if OpenShift" {
cd `chart_dir`
local actual=$( (helm template \
--set 'global.openshift=true' \
--show-only templates/server-network-policy.yaml \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
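Review bot: Only the server NetworkPolicy is covered; the injector NetworkPolicy template this commit adds has no corresponding test that I can see in the commit, so mirror these two cases for it with `--show-only` pointing at that template's path. The enabled case also asserts only `length > 0`; an assertion on the opened ports, e.g. `yq -r '[.spec.ingress[].ports[].port] | sort | join(",")'` expecting `8200,8201`, would catch accidental widening of the policy.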

116
test/unit/server-route.bats Executable file

@ -0,0 +1,116 @@
#!/usr/bin/env bats
load _helpers
@test "server/route: OpenShift - disabled by default" {
cd `chart_dir`
local actual=$( (helm template \
--set 'global.openshift=true' \
--show-only templates/server-route.yaml \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/route: OpenShift -disable by injector.externalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-route.yaml \
--set 'global.openshift=true' \
--set 'server.route.enabled=true' \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/route: OpenShift - checking host entry gets added and path is /" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-route.yaml \
--set 'global.openshift=true' \
--set 'server.route.enabled=true' \
--set 'server.route.host=test.com' \
. | tee /dev/stderr |
yq -r '.spec.host' | tee /dev/stderr)
[ "${actual}" = 'test.com' ]
}
@test "server/route: OpenShift - vault backend should be added when I specify a path" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-route.yaml \
--set 'global.openshift=true' \
--set 'server.route.enabled=true' \
--set 'server.route.host=test.com' \
. | tee /dev/stderr |
yq -r '.spec.to.name | length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/route: OpenShift - labels gets added to object" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-route.yaml \
--set 'global.openshift=true' \
--set 'server.route.enabled=true' \
--set 'server.route.labels.traffic=external' \
--set 'server.route.labels.team=dev' \
. | tee /dev/stderr |
yq -r '.metadata.labels.traffic' | tee /dev/stderr)
[ "${actual}" = "external" ]
}
@test "server/route: OpenShift - annotations added to object - string" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-route.yaml \
--set 'global.openshift=true' \
--set 'server.route.enabled=true' \
--set 'server.route.annotations=kubernetes.io/route.class: haproxy' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["kubernetes.io/route.class"]' | tee /dev/stderr)
[ "${actual}" = "haproxy" ]
}
@test "server/route: OpenShift - annotations added to object - yaml" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-route.yaml \
--set 'global.openshift=true' \
--set 'server.route.enabled=true' \
--set server.route.annotations."kubernetes\.io/route\.class"=haproxy \
. | tee /dev/stderr |
yq -r '.metadata.annotations["kubernetes.io/route.class"]' | tee /dev/stderr)
[ "${actual}" = "haproxy" ]
}
@test "server/route: OpenShift - route points to main service by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-route.yaml \
--set 'global.openshift=true' \
--set 'server.route.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.to.name' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault" ]
}
@test "server/route: OpenShift - route points to active service by when HA" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-route.yaml \
--set 'global.openshift=true' \
--set 'server.route.enabled=true' \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.to.name' | tee /dev/stderr)
[ "${actual}" = "RELEASE-NAME-vault-active" ]
}
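Review bot: Two test names do not describe what is asserted: `"server/route: OpenShift -disable by injector.externalVaultAddr"` is missing the space after the dash, and `"… vault backend should be added when I specify a path"` sets no path and only checks that `.spec.to.name` is non-empty; rename the latter to something like `"server/route: OpenShift - route has a backend service"`. No case asserts `.spec.tls.termination` or `.spec.port.targetPort`, which are the security-relevant parts of the route, so add a test with `yq -r '.spec.tls.termination'` expecting `passthrough`. The `externalVaultAddr` case passes only if `.mode` is actually populated when the route template renders, which is worth confirming against the template.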


@ -384,19 +384,19 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[10].name' | tee /dev/stderr) yq -r '.[11].name' | tee /dev/stderr)
[ "${actual}" = "FOO" ] [ "${actual}" = "FOO" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[10].value' | tee /dev/stderr) yq -r '.[11].value' | tee /dev/stderr)
[ "${actual}" = "bar" ] [ "${actual}" = "bar" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[11].name' | tee /dev/stderr) yq -r '.[12].name' | tee /dev/stderr)
[ "${actual}" = "FOOBAR" ] [ "${actual}" = "FOOBAR" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[11].value' | tee /dev/stderr) yq -r '.[12].value' | tee /dev/stderr)
[ "${actual}" = "foobar" ] [ "${actual}" = "foobar" ]
local object=$(helm template \ local object=$(helm template \
@ -407,19 +407,19 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[10].name' | tee /dev/stderr) yq -r '.[11].name' | tee /dev/stderr)
[ "${actual}" = "FOO" ] [ "${actual}" = "FOO" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[10].value' | tee /dev/stderr) yq -r '.[11].value' | tee /dev/stderr)
[ "${actual}" = "bar" ] [ "${actual}" = "bar" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[11].name' | tee /dev/stderr) yq -r '.[12].name' | tee /dev/stderr)
[ "${actual}" = "FOOBAR" ] [ "${actual}" = "FOOBAR" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.[11].value' | tee /dev/stderr) yq -r '.[12].value' | tee /dev/stderr)
[ "${actual}" = "foobar" ] [ "${actual}" = "foobar" ]
} }
@ -1049,7 +1049,6 @@ load _helpers
[ "${actual}" = "true" ] [ "${actual}" = "true" ]
} }
#--------------------------------------------------------------------
# postStart # postStart
@test "server/standalone-StatefulSet: postStart disabled by default" { @test "server/standalone-StatefulSet: postStart disabled by default" {
cd `chart_dir` cd `chart_dir`
@ -1069,3 +1068,26 @@ load _helpers
yq -r '.spec.template.spec.containers[0].lifecycle.postStart.exec.command[0]' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].lifecycle.postStart.exec.command[0]' | tee /dev/stderr)
[ "${actual}" = "/bin/sh" ] [ "${actual}" = "/bin/sh" ]
} }
#--------------------------------------------------------------------
# OpenShift
@test "server/standalone-StatefulSet: OpenShift - runAsUser disabled" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-statefulset.yaml \
--set 'global.openshift=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.securityContext.runAsUser | length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/standalone-StatefulSet: OpenShift - runAsGroup disabled" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-statefulset.yaml \
--set 'global.openshift=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.securityContext.runAsGroup | length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}


@ -10,6 +10,8 @@ global:
# - name: image-pull-secret # - name: image-pull-secret
# TLS for end-to-end encrypted transport # TLS for end-to-end encrypted transport
tlsDisable: true tlsDisable: true
# Beta Feature: If deploying to OpenShift
openshift: false
injector: injector:
# True if you want to enable vault agent injection. # True if you want to enable vault agent injection.
@ -22,7 +24,7 @@ injector:
# image sets the repo and tag of the vault-k8s image to use for the injector. # image sets the repo and tag of the vault-k8s image to use for the injector.
image: image:
repository: "hashicorp/vault-k8s" repository: "hashicorp/vault-k8s"
tag: "0.3.0" tag: "0.4.0"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# agentImage sets the repo and tag of the Vault image to use for the Vault Agent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
@ -30,7 +32,7 @@ injector:
# required. # required.
agentImage: agentImage:
repository: "vault" repository: "vault"
tag: "1.4.0" tag: "1.4.2"
# Mount Path of the Vault Kubernetes Auth Method. # Mount Path of the Vault Kubernetes Auth Method.
authPath: "auth/kubernetes" authPath: "auth/kubernetes"
@ -113,7 +115,7 @@ server:
image: image:
repository: "vault" repository: "vault"
tag: "1.4.0" tag: "1.4.2"
# Overrides the default Image Pull Policy # Overrides the default Image Pull Policy
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
@ -132,6 +134,8 @@ server:
# Ingress allows ingress services to be created to allow external access # Ingress allows ingress services to be created to allow external access
# from Kubernetes to access Vault pods. # from Kubernetes to access Vault pods.
# If deployment is on OpenShift, the following block is ignored.
# In order to expose the service, use the route section below
ingress: ingress:
enabled: false enabled: false
labels: {} labels: {}
@ -152,6 +156,13 @@ server:
# hosts: # hosts:
# - chart-example.local # - chart-example.local
# OpenShift only - create a route to expose the service
# The created route will be of type passthrough
route:
enabled: false
labels: {}
annotations: {}
host: chart-example.local
# authDelegator enables a cluster role binding to be attached to the service # authDelegator enables a cluster role binding to be attached to the service
# account. This cluster role binding can be used to setup Kubernetes auth # account. This cluster role binding can be used to setup Kubernetes auth
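Review bot: The new `route:` block documents the route as passthrough but not that passthrough requires the Vault listener itself to serve TLS, which conflicts with the default `tlsDisable: true` in the `global:` block earlier in this file. Extend the comment: `# The created route will be of type passthrough, so Vault's own TLS listener must be enabled (global.tlsDisable: false)`. The `host: chart-example.local` default mirrors the commented-out ingress example and should say it must be overridden, e.g. `host: chart-example.local  # replace with the public hostname`.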