Adds Agent as a sidecar for the CSI Provider to:
* Cache k8s auth login leases
* Cache secret leases
* Automatically renew renewable leases in the background

csi/server.statefulset: custom security context

This adds flexibility to have custom pod template and container
`securityContext` and preserves current default values and behavior.

Fixes https://github.com/hashicorp/vault-helm/issues/663.

This also is a way to address https://github.com/hashicorp/vault-helm/pull/599
so that people can specify, for example, the CSI to run in a privileged
container for OpenShift.

This is a follow-up to https://github.com/hashicorp/vault-helm/pull/750
and builds on the same principles.

Side note: I am not able to run `helm schema-gen` since it is
unmaintained and does not work with M1 Macs.

VAULT-571 Matching documented behavior and consul

Consul's helm template defaults most of the `enabled` values to the special value
`"-"`, which means to inherit from global. This is what is implied
should happen in Vault as well according to the documentation for the
helm chart:

> [global.enabled] The master enabled/disabled configuration. If this is
> true, most components will be installed by default. If this is false,
> no components will be installed by default and manually opting-in is
> required, such as by setting server.enabled to true.

(https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled)

We also simplified the chart logic using a few template helpers.

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* add configurable values for providersDir and kubeletRootDir
Signed-off-by: Toni Tauro <toni.tauro@adfinis.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
* fix serviceaccount and clusterrole name reference (full name)
* add server.enabled option, align with documentation
* add unit tests
* update server.enabled behaviour to explicit true and update tests