Support PodSecurityPolicy (#177)

* Add PSP for server

* Add PSP for Injector

* Allow annotations to be templated

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

templates/_helpers.tpl

@@ -348,6 +348,21 @@ Sets extra vault server Service annotations
   {{- end }}
 {{- end -}}
 
+{{/*
+Sets PodSecurityPolicy annotations
+*/}}
+{{- define "vault.psp.annotations" -}}
+  {{- if .Values.global.psp.annotations }}
+  annotations:
+    {{- $tp := typeOf .Values.global.psp.annotations }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.global.psp.annotations . | nindent 4 }}
+    {{- else }}
+      {{- toYaml .Values.global.psp.annotations | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
 {{/*
 Set's the container resources if the user has set any.
 */}}

templates/injector-psp-role.yaml

@@ -0,0 +1,17 @@
+{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "vault.fullname" . }}-agent-injector-psp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+    - {{ template "vault.fullname" . }}-agent-injector
+{{- end }}

templates/injector-psp-rolebinding.yaml

@@ -0,0 +1,18 @@
+{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "vault.fullname" . }}-agent-injector-psp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  kind: Role
+  name: {{ template "vault.fullname" . }}-agent-injector-psp
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "vault.fullname" . }}-agent-injector
+{{- end }}

templates/injector-psp.yaml

@@ -0,0 +1,43 @@
+{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "vault.fullname" . }}-agent-injector
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- template "vault.psp.annotations" . }}
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  volumes:
+    - configMap
+    - emptyDir
+    - projected
+    - secret
+    - downwardAPI
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    # Require the container to run without root privileges.
+    rule: MustRunAsNonRoot
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: RunAsAny
+  supplementalGroups:
+    rule: MustRunAs
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: MustRunAs
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}

templates/server-psp-role.yaml

@@ -0,0 +1,18 @@
+{{ template "vault.mode" . }}
+{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "vault.fullname" . }}-psp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+    - {{ template "vault.fullname" . }}
+{{- end }}

templates/server-psp-rolebinding.yaml

@@ -0,0 +1,19 @@
+{{ template "vault.mode" . }}
+{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "vault.fullname" . }}-psp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  kind: Role
+  name: {{ template "vault.fullname" . }}-psp
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "vault.fullname" . }}
+{{- end }}

templates/server-psp.yaml

@@ -0,0 +1,47 @@
+{{ template "vault.mode" . }}
+{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "vault.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- template "vault.psp.annotations" . }}
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  volumes:
+    - configMap
+    - emptyDir
+    - projected
+    - secret
+    - downwardAPI
+    {{- if eq (.Values.server.dataStorage.enabled | toString) "true" }}
+    - persistentVolumeClaim
+    {{- end }}
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    # Require the container to run without root privileges.
+    rule: MustRunAsNonRoot
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: RunAsAny
+  supplementalGroups:
+    rule: MustRunAs
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: MustRunAs
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}

test/unit/injector-psp-role.bats

@@ -0,0 +1,35 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "injector/PodSecurityPolicy-Role: PodSecurityPolicy-Role not enabled by default" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/injector-psp-role.yaml  \
+      . || echo "---" ) | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "injector/PodSecurityPolicy-Role: enable with injector.enabled and global.psp.enable" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-psp-role.yaml  \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "injector/PodSecurityPolicy-Role: disable with global.enabled" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/injector-psp-role.yaml  \
+      --set 'global.enabled=false' \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}

test/unit/injector-psp-rolebinding.bats

@@ -0,0 +1,35 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "injector/PodSecurityPolicy-RoleBinding: PodSecurityPolicy-RoleBinding not enabled by default" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/injector-psp-rolebinding.yaml  \
+      . || echo "---" ) | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "injector/PodSecurityPolicy-RoleBinding: enable with injector.enabled and global.psp.enable" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-psp-rolebinding.yaml  \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "injector/PodSecurityPolicy-RoleBinding: disable with global.enabled" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/injector-psp-rolebinding.yaml  \
+      --set 'global.enabled=false' \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}

test/unit/injector-psp.bats

@@ -0,0 +1,70 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "injector/PodSecurityPolicy: PodSecurityPolicy not enabled by default" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/injector-psp.yaml  \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "injector/PodSecurityPolicy: enable with injector.enabled and global.psp.enable" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-psp.yaml  \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "injector/PodSecurityPolicy: disable with global.enabled" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/injector-psp.yaml  \
+      --set 'global.enabled=false' \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "injector/PodSecurityPolicy: annotations are templated correctly by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-psp.yaml  \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq '.metadata.annotations | length == 4' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "injector/PodSecurityPolicy: annotations are added - string" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-psp.yaml  \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      --set 'global.psp.annotations=vault-is: amazing' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
+  [ "${actual}" = "amazing" ]
+}
+
+@test "injector/PodSecurityPolicy: annotations are added - object" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-psp.yaml  \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      --set 'global.psp.annotations.vault-is=amazing' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
+  [ "${actual}" = "amazing" ]
+}

test/unit/server-psp-role.bats

@@ -0,0 +1,111 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/PSP-Role: PSP-Role not enabled by default" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-psp-role.yaml \
+      --set 'server.dev.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp-role.yaml \
+      --set 'server.ha.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp-role.yaml \
+      --set 'server.standalone.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/PSP-Role: PSP-Role can be enabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-psp-role.yaml \
+      --set 'server.dev.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp-role.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp-role.yaml \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "server/PSP-Role: disable with global.enabled false" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-psp-role.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'global.enabled=false' \
+      --set 'global.psp.enable=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp-role.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'global.enabled=false' \
+      --set 'global.psp.enable=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp-role.yaml  \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.enabled=false' \
+      --set 'global.psp.enable=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/PSP-Role: disable with global.psp.enable false" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-psp-role.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'global.psp.enable=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp-role.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'global.psp.enable=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp-role.yaml  \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.psp.enable=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}

test/unit/server-psp-rolebinding.bats

@@ -0,0 +1,111 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/PSP-RoleBinding: PSP-RoleBinding not enabled by default" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-psp-rolebinding.yaml \
+      --set 'server.dev.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp-rolebinding.yaml \
+      --set 'server.ha.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp-rolebinding.yaml \
+      --set 'server.standalone.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/PSP-RoleBinding: PSP-RoleBinding can be enabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-psp-rolebinding.yaml \
+      --set 'server.dev.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp-rolebinding.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp-rolebinding.yaml \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "server/PSP-RoleBinding: disable with global.enabled false" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-psp-rolebinding.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'global.enabled=false' \
+      --set 'global.psp.enable=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp-rolebinding.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'global.enabled=false' \
+      --set 'global.psp.enable=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp-rolebinding.yaml  \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.enabled=false' \
+      --set 'global.psp.enable=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/PSP-RoleBinding: disable with global.psp.enable false" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-psp-rolebinding.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'global.psp.enable=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp-rolebinding.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'global.psp.enable=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp-rolebinding.yaml  \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.psp.enable=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}

test/unit/server-psp.bats

@@ -0,0 +1,285 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/PodSecurityPolicy: PodSecurityPolicy not enabled by default" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.dev.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.ha.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.standalone.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/PodSecurityPolicy: PodSecurityPolicy can be enabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.dev.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "server/PodSecurityPolicy: PodSecurityPolicy annotations are templated correctly" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.dev.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq '.metadata.annotations | length == 4' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq '.metadata.annotations | length == 4' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq '.metadata.annotations | length == 4' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "server/PodSecurityPolicy: annotations are added - string" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'global.psp.enable=true' \
+      --set 'global.psp.annotations=vault-is: amazing' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
+  [ "${actual}" = "amazing" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'global.psp.enable=true' \
+      --set 'global.psp.annotations=vault-is: amazing' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
+  [ "${actual}" = "amazing" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml  \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.psp.enable=true' \
+      --set 'global.psp.annotations=vault-is: amazing' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
+  [ "${actual}" = "amazing" ]
+}
+
+@test "server/PodSecurityPolicy: annotations are added - object" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'global.psp.enable=true' \
+      --set 'global.psp.annotations.vault-is=amazing' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
+  [ "${actual}" = "amazing" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'global.psp.enable=true' \
+      --set 'global.psp.annotations.vault-is=amazing' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
+  [ "${actual}" = "amazing" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml  \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.psp.enable=true' \
+      --set 'global.psp.annotations.vault-is=amazing' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
+  [ "${actual}" = "amazing" ]
+}
+
+@test "server/PodSecurityPolicy: disable with global.enabled false" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-psp.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'global.enabled=false' \
+      --set 'global.psp.enable=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'global.enabled=false' \
+      --set 'global.psp.enable=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp.yaml  \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.enabled=false' \
+      --set 'global.psp.enable=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/PodSecurityPolicy: disable with global.psp.enable false" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-psp.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'global.psp.enable=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'global.psp.enable=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-psp.yaml  \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.psp.enable=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/PodSecurityPolicy: PodSecurityPolicy allows PVC by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.dev.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "server/PodSecurityPolicy: PodSecurityPolicy allows PVC with dataStorage" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.dev.enabled=true' \
+      --set 'global.psp.enable=true' \
+      --set 'server.dataStorage.enabled=true' \
+      . | tee /dev/stderr |
+      yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'global.psp.enable=true' \
+      --set 'server.dataStorage.enabled=true' \
+      . | tee /dev/stderr |
+      yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.psp.enable=true' \
+      --set 'server.dataStorage.enabled=true' \
+      . | tee /dev/stderr |
+      yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "server/PodSecurityPolicy: PodSecurityPolicy does not allow PVC without dataStorage" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.dev.enabled=true' \
+      --set 'global.psp.enable=true' \
+      --set 'server.dataStorage.enabled=false' \
+      . | tee /dev/stderr |
+      yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'global.psp.enable=true' \
+      --set 'server.dataStorage.enabled=false' \
+      . | tee /dev/stderr |
+      yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-psp.yaml \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.psp.enable=true' \
+      --set 'server.dataStorage.enabled=false' \
+      . | tee /dev/stderr |
+      yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}

values.yaml

@@ -12,6 +12,16 @@ global:
   tlsDisable: true
   # Beta Feature: If deploying to OpenShift
   openshift: false
+  # Create PodSecurityPolicy for pods
+  psp:
+    enable: false
+    # Annotation for PodSecurityPolicy.
+    # This is a multi-line templated string map, and can also be set as YAML.
+    annotations: |
+      seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
+      apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+      seccomp.security.alpha.kubernetes.io/defaultProfileName:  runtime/default
+      apparmor.security.beta.kubernetes.io/defaultProfileName:  runtime/default
 
 injector:
   # True if you want to enable vault agent injection.