* Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset.
Co-authored-by: Kyle Schochenmaier <kyle.schochenmaier@hashicorp.com>
csi/server.statefulset: custom security context
This adds flexibility to have custom pod template and container
`securityContext` and preserves current default values and behavior.
Fixes https://github.com/hashicorp/vault-helm/issues/663.
This also is a way to address https://github.com/hashicorp/vault-helm/pull/599
so that people can specify, for example, the CSI to run in a privileged
container for OpenShift.
This is a follow-up to https://github.com/hashicorp/vault-helm/pull/750
and builds on the same principles.
Side note: I am not able to run `helm schema-gen` since it is
unmaintained and does not work with M1 Macs.
* Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it
* Issue-#629 removing extra whitespace I added accidently.
* Issue-#629 fixing extra whitespace added.
* Update values.yaml
Co-authored-by: Joaco Muleiro Beltran <joaquinmuleirobeltran@gmail.com>
* Issue #629 adding changelog
Co-authored-by: Joaco Muleiro Beltran <joaquinmuleirobeltran@gmail.com>
- As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled
template was added (and included in vault.mode)
Various templates were updated accordingly, but those that were
already calling vault.mode had an additonal call to
vault.serverEnabled made which was unnecessary
Remove those
VAULT-571 Matching documented behavior and consul
Consul's helm template defaults most of the enabled to the special value
`"-"`, which means to inherit from global. This is what is implied
should happen in Vault as well according to the documentation for the
helm chart:
> [global.enabled] The master enabled/disabled configuration. If this is
> true, most components will be installed by default. If this is false,
> no components will be installed by default and manually opting-in is
> required, such as by setting server.enabled to true.
(https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled)
We also simplified the chart logic using a few template helpers.
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Sets up a vault-enterprise license for autoloading on vault
startup. Mounts an existing secret to /vault/license and sets
VAULT_LICENSE_PATH appropriately.
* Make serviceAccount name a configuration option
Follow Helm Best Practices when defining serviceAccount names
https://helm.sh/docs/chart_best_practices/#using-rbac-resources
* Use enabled instead of create for consistency
* Add unit tests for user-defined service account name
* ServiceAccount under server
Co-authored-by: David Holsgrove <david@apnic.net>
* Update ServiceAccount in RoleBindings
to address https://github.com/hashicorp/vault-helm/pull/56#pullrequestreview-297856433
Co-authored-by: David Holsgrove <david@apnic.net>
* Update tests for helm template arg --show-only
Co-authored-by: David Holsgrove <david@apnic.net>
* Fix server-serviceaccount tests
* serviceAccount: rename enabled to create
* statefulSet: add tests for serviceAccount
Co-authored-by: Nick Satterly <nick@diabol.se>
Co-authored-by: David Holsgrove <david@apnic.net>
* Initial commit
* Added openshift flag
* added self signed certificate for service annotation
* added OpenShift flag
* Added OpenShift flag
* cleanup
* Cleanup
* Further cleanup
* Further cleanup
* reverted security context on injector
* Extra corrections
* cleanup
* Removed Raft config for OpenShift, removed generated certs for ha and standby services
* Add openshift flag to global block, route disabled by default, condition for injector in network policy
* Added Unit tests for OpenShift
* Fixed unit test for HA statefulset for OpenShift
* Removed debug log level from stateful set
* Added port 8201 to networkpolicy
* Updated injector image
* Add openshift beta support
* Add openshift beta support
* Remove comments from configs
* Remove vault-k8s note from values
* Change route to use active service when HA
Co-authored-by: Radu Domnu <radu.domnu@sixdx.com>
Co-authored-by: Radu Domnu <radu.domnu@gmail.com>
* use port names that map to vault.scheme
* prefix internal/replication port names with vault.scheme
* port names must be 'no more than 15 characters'
* test vault server service port names are prefixed with vault scheme
* test vault server statefulset port names are prefixed with vault scheme
* test vault ui service port names are prefixed with vault scheme
* formatting: replace double quote with single quote
* uncomment accidentally-commented lines
* always set internal port name to https-internal, since it is always https
* prefix headless service internal port name with https
Uses Values.injector.externalVaultAddr to control the vault address
env variable and server yaml rendering.
If injector.externalVaultAddr is empty, both the injector and vault
are deployed, with the injector using the local vault. If
injector.externalVaultAddr is not empty, only the injector is
deployed, and it uses the vault at the address specified in
injector.externalVaultAddr.
Update chart and tests to Helm 3
Co-authored-by: Matt Piekunka <mpiekunk@users.noreply.github.com>
Co-authored-by: Mike Brancato <mbrancato@users.noreply.github.com>
livenessProbe
* Set the scheme for vault.scheme to ensure that the check works if tls enabled or not
* Allow a configurable value initialDelaySeconds rather than the set 5 seconds
* Set the default initialDelaySeconds to 60 seconds before the probe starts to allow for vault unsealing
* Set the path to /v1/sys/health?standbyok=true to ensure a 200 response on standbys
readinessProbe
* Set the path comment to /v1/sys/health?standbyok=true to ensure a 200 response on standbys
* Set the scheme for vault.scheme to ensure that the check works if tls enabled or not
* Statefulset liveness probe path check set to /v1/sys/health?standbyok=true
* Server Statefulset test added for livenessProbe.initialDelaySeconds
* use a standard way to define image repo and tag
Signed-off-by: Janusz Bialy <jbialy@gmail.com>
* add tests
Signed-off-by: Janusz Bialy <jbialy@gmail.com>
* bump chart version
Signed-off-by: Janusz Bialy <jbialy@gmail.com>
* Revert "bump chart version"
This reverts commit 74cbc984a7d4cf9098acf78977cdc8598c557550.
Signed-off-by: Janusz Bialy <jbialy@gmail.com>
* nest image block inside server
Signed-off-by: Janusz Bialy <jbialy@gmail.com>
* add image pull policy and pull secrets
Signed-off-by: Janusz Bialy <jbialy@gmail.com>
* add unit tests
Signed-off-by: Janusz Bialy <jbialy@gmail.com>
