We want Vault to perform token reviews with Kubernetes even if we are
using an external Vault.
We need to create the ServiceAccount, Secret and ClusterRoleBinding with
the system:auth-delegator role to enable delegated authentication and
authorization checks [1].
These SA and RBAC objects are created when we deploy the Vault server.
In order to enable the creation of these objects when using an external
Vault, we remove the condition on external mode.
User might want to provide a sensible name (in global.serviceAccount.name) to the service
account such as: vault-auth.
refs #376
[1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
These versions bring a few fixes:
* The action now supports converting the most common bits of markdown syntax into Jira formatting directives
* Replaces Atlassian's comment action, which tries to interpolate bits of text from comments wrapped in {{ github.event_name }} as templates, usually causing an error (in the case I've put there, if I wasn't a vault team member, it would replace the template with `pull_request_target`)
* Remove trailing comma after link that broke the link target Jira selects
* Add configuration options for Vault UI service
- Configure to select active Vault pod only
- Configure to not publish unready address
* Create active label only on HA
* Make serviceAccount name a configuration option
Follow Helm Best Practices when defining serviceAccount names
https://helm.sh/docs/chart_best_practices/#using-rbac-resources
* Use enabled instead of create for consistency
* Add unit tests for user-defined service account name
* ServiceAccount under server
Co-authored-by: David Holsgrove <david@apnic.net>
* Update ServiceAccount in RoleBindings
to address https://github.com/hashicorp/vault-helm/pull/56#pullrequestreview-297856433
Co-authored-by: David Holsgrove <david@apnic.net>
* Update tests for helm template arg --show-only
Co-authored-by: David Holsgrove <david@apnic.net>
* Fix server-serviceaccount tests
* serviceAccount: rename enabled to create
* statefulSet: add tests for serviceAccount
Co-authored-by: Nick Satterly <nick@diabol.se>
Co-authored-by: David Holsgrove <david@apnic.net>
This annotation has been deprecated since Kuberneets 1.8 and the
publishNotReadyAddresses parameter replacing it has been correctly
implemented in Kubernetes 1.11 (see https://github.com/kubernetes/kubernetes/pull/63742)
In latest alpine release (3.12) there was an intentional change
to drop python support without specify required version: python2
or python3.
Signed-off-by: Octavian Ionescu <itavyg@gmail.com>
