From e2711a2002df36caef2efc3878806a2b9f29952d Mon Sep 17 00:00:00 2001
From: Tom Proctor <tomhjp@users.noreply.github.com>
Date: Mon, 26 Jun 2023 16:00:04 +0100
Subject: [PATCH] Prepare for 0.25.0 release (#916)

* Prepare for 0.25.0 release
* Update CSI acceptance test assertion

Starting in 1.4.0, the CSI provider caches Vault tokens locally. The main thing
we want to check is that the Agent cache is being used so that it's doing the
renewal legwork for any leased secrets, so check for the renewal log message instead
because CSI won't auth over and over anymore.
---
 CHANGELOG.md                                   | 11 +++++++----
 Chart.yaml                                     |  6 +++---
 test/acceptance/csi.bats                       |  6 +++---
 test/acceptance/server-ha-enterprise-dr.bats   |  4 ++--
 test/acceptance/server-ha-enterprise-perf.bats |  4 ++--
 values.openshift.yaml                          |  4 ++--
 values.yaml                                    |  8 ++++----
 7 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index eabf9fe..f3c466f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,11 +1,17 @@
 ## Unreleased
 
+## 0.25.0 (June 26, 2023)
+
 Changes:
 * Latest Kubernetes version tested is now 1.27
 * server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902)
+* `vault` updated to 1.14.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
+* `vault-csi-provider` updated to 1.4.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
 
-Features:
+Improvements:
 * CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862)
+* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798)
+* Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
 
 Bugs:
 * server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886)
@@ -45,9 +51,6 @@ Features:
 Bugs:
 * server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810)
 
-Improvements:
-* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798)
-
 ## 0.22.1 (October 26th, 2022)
 
 Changes:
diff --git a/Chart.yaml b/Chart.yaml
index 1803a52..104b05f 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -3,9 +3,9 @@
 
 apiVersion: v2
 name: vault
-version: 0.24.1
-appVersion: 1.13.1
-kubeVersion: ">= 1.22.0-0"
+version: 0.25.0
+appVersion: 1.14.0
+kubeVersion: ">= 1.20.0-0"
 description: Official HashiCorp Vault Chart
 home: https://www.vaultproject.io
 icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats
index d454364..aa6edc4 100644
--- a/test/acceptance/csi.bats
+++ b/test/acceptance/csi.bats
@@ -55,16 +55,16 @@ load _helpers
 
   for i in $(seq 10); do
     sleep 2
-    if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "returning cached response: path=/v1/auth/kubernetes/login")" ]; then
+    if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
         echo "Agent returned a cached login response"
         return
     fi
 
-    echo "Waiting for a cached response from Agent..."
+    echo "Waiting to confirm the Agent is renewing CSI's auth token..."
   done
 
   # Print the logs and fail the test
-  echo "Failed to find a log for a cached Agent response"
+  echo "Failed to find a log for the Agent renewing CSI's auth token"
   kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent
   kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-csi-provider
   exit 1
diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats
index 911cf8d..264be67 100644
--- a/test/acceptance/server-ha-enterprise-dr.bats
+++ b/test/acceptance/server-ha-enterprise-dr.bats
@@ -7,7 +7,7 @@ load _helpers
 
   helm install "$(name_prefix)-east" \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.13.1-ent' \
+    --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
     --set='injector.enabled=false' \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' \
@@ -75,7 +75,7 @@ load _helpers
   helm install "$(name_prefix)-west" \
     --set='injector.enabled=false' \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.13.1-ent' \
+    --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' \
     --set='server.enterpriseLicense.secretName=vault-license' .
diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats
index c63f763..15025c9 100644
--- a/test/acceptance/server-ha-enterprise-perf.bats
+++ b/test/acceptance/server-ha-enterprise-perf.bats
@@ -8,7 +8,7 @@ load _helpers
   helm install "$(name_prefix)-east" \
     --set='injector.enabled=false' \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.13.1-ent' \
+    --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' \
     --set='server.enterpriseLicense.secretName=vault-license' .
@@ -75,7 +75,7 @@ load _helpers
   helm install "$(name_prefix)-west" \
     --set='injector.enabled=false' \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.13.1-ent' \
+    --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' \
     --set='server.enterpriseLicense.secretName=vault-license' .
diff --git a/values.openshift.yaml b/values.openshift.yaml
index da71dcf..6e575e4 100644
--- a/values.openshift.yaml
+++ b/values.openshift.yaml
@@ -13,9 +13,9 @@ injector:
 
   agentImage:
     repository: "registry.connect.redhat.com/hashicorp/vault"
-    tag: "1.13.1-ubi"
+    tag: "1.14.0-ubi"
 
 server:
   image:
     repository: "registry.connect.redhat.com/hashicorp/vault"
-    tag: "1.13.1-ubi"
+    tag: "1.14.0-ubi"
diff --git a/values.yaml b/values.yaml
index 15852c8..58eb8a2 100644
--- a/values.yaml
+++ b/values.yaml
@@ -73,7 +73,7 @@ injector:
   # required.
   agentImage:
     repository: "hashicorp/vault"
-    tag: "1.13.1"
+    tag: "1.14.0"
 
   # The default values for the injected Vault Agent containers.
   agentDefaults:
@@ -374,7 +374,7 @@ server:
 
   image:
     repository: "hashicorp/vault"
-    tag: "1.13.1"
+    tag: "1.14.0"
     # Overrides the default Image Pull Policy
     pullPolicy: IfNotPresent
 
@@ -1001,7 +1001,7 @@ csi:
 
   image:
     repository: "hashicorp/vault-csi-provider"
-    tag: "1.3.0"
+    tag: "1.4.0"
     pullPolicy: IfNotPresent
 
   # volumes is a list of volumes made available to all containers. These are rendered
@@ -1086,7 +1086,7 @@ csi:
 
     image:
       repository: "hashicorp/vault"
-      tag: "1.13.1"
+      tag: "1.14.0"
       pullPolicy: IfNotPresent
 
     logFormat: standard