Adds Agent as a sidecar for the CSI Provider to:
* Cache k8s auth login leases
* Cache secret leases
* Automatically renew renewable leases in the background
* Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset.
Co-authored-by: Kyle Schochenmaier <kyle.schochenmaier@hashicorp.com>
Test with latest kind k8s versions 1.22-1.26. Remove support for old
disruptionbudget and ingress APIs (pre 1.22).
Pin all actions to SHAs, and use the common jira sync.
Update the default Vault version to v1.13.1.
Update chart-verifier used in tests to 1.10.1, also add an openshift
name annotation to Chart.yaml (one of the required checks).
* remove 1.16 from the versions tested in .github/workflows/acceptance.yaml as kind no longer supports creating a k8s 1.16 cluster
* update vault-helm's minimum support k8s version to 1.20 in README and Chart.yaml
* refactor server-ingress's templating and unit tests applied to k8s versions < 1.20
support collecting Vault server metrics by deploying PrometheusOperator
CustomResources.
Co-authored-by: Sam Weston <weston.sam@gmail.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
csi/server.statefulset: custom security context
This adds flexibility to have custom pod template and container
`securityContext` and preserves current default values and behavior.
Fixes https://github.com/hashicorp/vault-helm/issues/663.
This also is a way to address https://github.com/hashicorp/vault-helm/pull/599
so that people can specify, for example, the CSI to run in a privileged
container for OpenShift.
This is a follow-up to https://github.com/hashicorp/vault-helm/pull/750
and builds on the same principles.
Side note: I am not able to run `helm schema-gen` since it is
unmaintained and does not work with M1 Macs.
Allow the injector's pod- and container-level securityContext to be
fully specified by the user, via new options
`injector.securityContext.pod` and
`injector.securityContext.container` with more complete
defaults. Deprecates `injector.uid` and `injector.gid`.
If `injector.uid` or `injector.gid` are set by the user, the old pod
securityContext settings will be used. Otherwise the new defaults and
settings are used.
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Set default object selector for webhooks to exclude injector itself
If `injector.failurePolicy` is set to `Fail`, there is a race condition
where if the mutating webhook config is setup before the injector, then
the injector can fail to start because it tries to inject itself.
We can work around this by ignoring the injector pod in in the webhook
by default.
Thanks to @joeyslalom for the object selector to exclude the pod.
Fixes https://github.com/hashicorp/vault-k8s/issues/258
* Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it
* Issue-#629 removing extra whitespace I added accidently.
* Issue-#629 fixing extra whitespace added.
* Update values.yaml
Co-authored-by: Joaco Muleiro Beltran <joaquinmuleirobeltran@gmail.com>
* Issue #629 adding changelog
Co-authored-by: Joaco Muleiro Beltran <joaquinmuleirobeltran@gmail.com>
- As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled
template was added (and included in vault.mode)
Various templates were updated accordingly, but those that were
already calling vault.mode had an additonal call to
vault.serverEnabled made which was unnecessary
Remove those
VAULT-571 Matching documented behavior and consul
Consul's helm template defaults most of the enabled to the special value
`"-"`, which means to inherit from global. This is what is implied
should happen in Vault as well according to the documentation for the
helm chart:
> [global.enabled] The master enabled/disabled configuration. If this is
> true, most components will be installed by default. If this is false,
> no components will be installed by default and manually opting-in is
> required, such as by setting server.enabled to true.
(https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled)
We also simplified the chart logic using a few template helpers.
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Prepare default values for MutatingWebhookConfiguration #691
* Add values.yaml values to injector-mutating-webhook.yaml #691
* Duplicate and deprecate top-level webhook settings and put them in a webhook object
* Made the new values default with the fallback to the old values.yaml
* Fix _helpers.tpl to support both old and new webhook annotations
* Add new tests and deprecate old ones for injector webhook configuration
* Old tests now work with old values.yaml
* Add all new fields showing that they have priority over old ones
* Add deprecation note to injector.failurePolicy #691
* Add some tests on top of #396
* convert server-route.yaml to unix newlines
* changelog
Co-authored-by: André Becker <andre@arestless.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Fix test typo
* Add basic server-test Pod tests
- This covers all existing functionality that matches what's
present in server-statefulset.bats
* Fix server-test helm hook Pod rendering
- Properly adhere to the global.enabled flag and the presence of
the injector.externalVaultAddr setting, the same way that
the servers StatefulSet behaves
* Add volumes and env vars to helm hook test pod
- Uses the same extraEnvironmentVars, volumes and volumeMounts set on
the server statefulset to configure the Vault server test pod used by
the helm test hook
- This is necessary in situations where TLS is configured, but the
certificates are not affiliated with the k8s CA / part of k8s PKI
- Fixes GH-665
* make staticSecretRenderInterval default to empty string
* update values schema to add staticSecretRenderInterval
* add test for default value
* adding changelog entry
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* fix(csi-ds): mountpoint-dir same mountpath in pod
Signed-off-by: Toni Tauro <toni.tauro@adfinis.com>
* Update Chart.yaml
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Adds the leader-elector container support that was removed in
PR #568. The new vault-k8s uses an internal mechanism for leader
determination, so this is just for backwards compatibility, and can
be removed in the near future.
* mark the endpoint as deprecated
* add a new useContainer option for leaderElector
Default to not deploying the old leader-elector container, unless
injector.leaderElector.useContainer is `true`.
* add configurable values for providersDir and kubeletRootDir
Signed-off-by: Toni Tauro <toni.tauro@adfinis.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
