Adds Agent as a sidecar for the CSI Provider to:
* Cache k8s auth login leases
* Cache secret leases
* Automatically renew renewable leases in the background
* Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset.
Co-authored-by: Kyle Schochenmaier <kyle.schochenmaier@hashicorp.com>
Test with latest kind k8s versions 1.22-1.26. Remove support for old
disruptionbudget and ingress APIs (pre 1.22).
Pin all actions to SHAs, and use the common jira sync.
Update the default Vault version to v1.13.1.
Update chart-verifier used in tests to 1.10.1, also add an openshift
name annotation to Chart.yaml (one of the required checks).
* remove 1.16 from the versions tested in .github/workflows/acceptance.yaml as kind no longer supports creating a k8s 1.16 cluster
* update vault-helm's minimum support k8s version to 1.20 in README and Chart.yaml
* refactor server-ingress's templating and unit tests applied to k8s versions < 1.20
support collecting Vault server metrics by deploying PrometheusOperator
CustomResources.
Co-authored-by: Sam Weston <weston.sam@gmail.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
csi/server.statefulset: custom security context
This adds flexibility to have custom pod template and container
`securityContext` and preserves current default values and behavior.
Fixes https://github.com/hashicorp/vault-helm/issues/663.
This also is a way to address https://github.com/hashicorp/vault-helm/pull/599
so that people can specify, for example, the CSI to run in a privileged
container for OpenShift.
This is a follow-up to https://github.com/hashicorp/vault-helm/pull/750
and builds on the same principles.
Side note: I am not able to run `helm schema-gen` since it is
unmaintained and does not work with M1 Macs.
Allow the injector's pod- and container-level securityContext to be
fully specified by the user, via new options
`injector.securityContext.pod` and
`injector.securityContext.container` with more complete
defaults. Deprecates `injector.uid` and `injector.gid`.
If `injector.uid` or `injector.gid` are set by the user, the old pod
securityContext settings will be used. Otherwise the new defaults and
settings are used.
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Prepare for release 0.20.1
Improvements:
* `vault-k8s` updated to 0.16.1
CHANGES:
* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Set default object selector for webhooks to exclude injector itself
If `injector.failurePolicy` is set to `Fail`, there is a race condition
where if the mutating webhook config is setup before the injector, then
the injector can fail to start because it tries to inject itself.
We can work around this by ignoring the injector pod in in the webhook
by default.
Thanks to @joeyslalom for the object selector to exclude the pod.
Fixes https://github.com/hashicorp/vault-k8s/issues/258
