csi/server.statefulset: custom security context
This adds flexibility to have custom pod template and container
`securityContext` and preserves current default values and behavior.
Fixes https://github.com/hashicorp/vault-helm/issues/663.
This also is a way to address https://github.com/hashicorp/vault-helm/pull/599
so that people can specify, for example, the CSI to run in a privileged
container for OpenShift.
This is a follow-up to https://github.com/hashicorp/vault-helm/pull/750
and builds on the same principles.
Side note: I am not able to run `helm schema-gen` since it is
unmaintained and does not work with M1 Macs.
Allow the injector's pod- and container-level securityContext to be
fully specified by the user, via new options
`injector.securityContext.pod` and
`injector.securityContext.container` with more complete
defaults. Deprecates `injector.uid` and `injector.gid`.
If `injector.uid` or `injector.gid` are set by the user, the old pod
securityContext settings will be used. Otherwise the new defaults and
settings are used.
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
VAULT-571 Matching documented behavior and consul
Consul's helm template defaults most of the enabled to the special value
`"-"`, which means to inherit from global. This is what is implied
should happen in Vault as well according to the documentation for the
helm chart:
> [global.enabled] The master enabled/disabled configuration. If this is
> true, most components will be installed by default. If this is false,
> no components will be installed by default and manually opting-in is
> required, such as by setting server.enabled to true.
(https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled)
We also simplified the chart logic using a few template helpers.
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* make staticSecretRenderInterval default to empty string
* update values schema to add staticSecretRenderInterval
* add test for default value
* adding changelog entry
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Adds the leader-elector container support that was removed in
PR #568. The new vault-k8s uses an internal mechanism for leader
determination, so this is just for backwards compatibility, and can
be removed in the near future.
* mark the endpoint as deprecated
* add a new useContainer option for leaderElector
Default to not deploying the old leader-elector container, unless
injector.leaderElector.useContainer is `true`.
* configure the agent port
* add unit test
* remove default
* remove default
* Update values.yaml
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Initial commit
* Added openshift flag
* added self signed certificate for service annotation
* added OpenShift flag
* Added OpenShift flag
* cleanup
* Cleanup
* Further cleanup
* Further cleanup
* reverted security context on injector
* Extra corrections
* cleanup
* Removed Raft config for OpenShift, removed generated certs for ha and standby services
* Add openshift flag to global block, route disabled by default, condition for injector in network policy
* Added Unit tests for OpenShift
* Fixed unit test for HA statefulset for OpenShift
* Removed debug log level from stateful set
* Added port 8201 to networkpolicy
* Updated injector image
* Add openshift beta support
* Add openshift beta support
* Remove comments from configs
* Remove vault-k8s note from values
* Change route to use active service when HA
Co-authored-by: Radu Domnu <radu.domnu@sixdx.com>
Co-authored-by: Radu Domnu <radu.domnu@gmail.com>
Adds affinity, tolerations, and nodeSelector options for the
injector deployment that are separate from those options on the vault
server statefulset.
Co-authored-by: Sergei Shishov <sergei.shishov@dubizzle.com>
Uses Values.injector.externalVaultAddr to control the vault address
env variable and server yaml rendering.
If injector.externalVaultAddr is empty, both the injector and vault
are deployed, with the injector using the local vault. If
injector.externalVaultAddr is not empty, only the injector is
deployed, and it uses the vault at the address specified in
injector.externalVaultAddr.
Update chart and tests to Helm 3
Co-authored-by: Matt Piekunka <mpiekunk@users.noreply.github.com>
Co-authored-by: Mike Brancato <mbrancato@users.noreply.github.com>
