Theron Voran
3b1bb783be
Add server.ingress.ingressClassName ( #630 )
...
Co-authored-by: Joel Cressy <joel@jtcressy.net>
2021-10-21 09:23:45 -07:00
Toni Tauro
6914c4d877
fix(csi-ds): mountpoint-dir same mountpath in pod ( #628 )
...
* fix(csi-ds): mountpoint-dir same mountpath in pod
Signed-off-by: Toni Tauro <toni.tauro@adfinis.com>
* Update Chart.yaml
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
2021-10-19 15:06:07 -04:00
Ben Ash
d96a4287fa
Feat: add externalTrafficPolicy support ( #626 )
...
- externalTrafficPolicy can be set for both the ui and server services.
It is only supported for NodePort or LoadBalancer service types.
2021-10-18 09:45:52 -04:00
Vladislav Rumjantsev
72c485dd2c
ingress stable networking api ( #590 )
...
* Moved ingress to stable networking api
* lower versions support
* ingress disabled by default
* added tests for old k8s
2021-10-08 17:13:21 -07:00
Theron Voran
5a864f7cbb
Adding support for the old leader-elector ( #607 )
...
Adds the leader-elector container support that was removed in
PR #568. The new vault-k8s uses an internal mechanism for leader
determination, so this is just for backwards compatibility, and can
be removed in the near future.
* mark the endpoint as deprecated
* add a new useContainer option for leaderElector
Default to not deploying the old leader-elector container, unless
injector.leaderElector.useContainer is `true`.
2021-09-15 18:43:04 -07:00
Toni Tauro
23e0348842
feat(csi): make provider hostPaths configurable ( #603 )
...
* add configurable values for providersDir and kubeletRootDir
Signed-off-by: Toni Tauro <toni.tauro@adfinis.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
2021-09-15 14:12:24 -04:00
Theron Voran
d31f942d3e
Support vault-k8s internal leader election ( #568 )
2021-08-31 15:16:06 -07:00
Theron Voran
f7ab37fd50
Add injector.webhookAnnotations chart option ( #584 )
2021-08-16 13:49:26 -07:00
Maxime Bruneau
c9c23b1a9b
Add imagePullSecrets on server test ( #572 )
...
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2021-08-11 17:01:58 -07:00
Ben Ash
64b4d88c72
feature: imagePullSecrets from string array. ( #576 )
...
* allow configuring imagePullSecrets from an array of strings in
addition to the already supported array of maps
2021-07-23 12:05:24 -04:00
Jason O'Donnell
255cdc7d26
Add ingress/route configurable to specify active/general service ( #570 )
...
* Add ingress/route configurable to specify active/general service
* Update test/unit/server-ingress.bats
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
* values.schema.json
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
2021-07-15 14:15:46 -04:00
Ben Ash
1e4709cc46
feature: Support configuring various properties as YAML directly. ( #565 )
...
* feature: Support configuring various properties as YAML directly.
Supported properties include: pod tolerations, pod affinity, and node selectors.
2021-07-07 19:07:58 -04:00
Calvin Leung Huang
14d1f97edd
injector: add templateConfig.exitOnRetryFailure annotation ( #560 )
...
* injector: add templateConfig.exitOnRetryFailure annotation
* update values.schema.json
2021-07-06 09:49:48 -07:00
Theron Voran
4d23074cd3
Adding server.enterpriseLicense ( #547 )
...
Sets up a vault-enterprise license for autoloading on vault
startup. Mounts an existing secret to /vault/license and sets
VAULT_LICENSE_PATH appropriately.
2021-06-11 13:29:30 -07:00
Ricardo Gândara Pinto
d27121c223
Added webhook-certs volume mount to sidecar injector ( #545 )
...
* Removed webhook-certs volume mount from leader-elector container
* Added test: injector deployment manual TLS adds volume mount
2021-06-10 15:32:22 -07:00
Theron Voran
3593739160
Adding helm test for vault server ( #531 )
...
Also adds acceptance test for 'helm test' and updates the
chart-verifier version.
2021-05-27 17:09:50 -07:00
Iñigo Horcajo
4c71c268b9
Add UI targetPort option ( #437 )
...
Use custom `targetPort` for UI service. See the use case in https://github.com/hashicorp/vault-helm/issues/385#issuecomment-749560213
2021-05-25 10:20:23 -04:00
Tom Proctor
030d3cd89d
Add extraArgs value for CSI ( #526 )
2021-05-21 12:48:21 +01:00
mehmetsalgar
0ab15dfb84
[Issue-520] tolerations for csi-daemonset ( #521 )
...
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2021-05-17 17:14:19 -07:00
mehmetsalgar
92aed2cbee
Add ImagePullSecrets to CSI daemonset ( #519 )
2021-05-12 12:06:54 +01:00
Tom Proctor
be1721fc84
Remove redundant logic ( #434 )
2021-04-14 14:53:52 +01:00
Javier Criado Marcos
088ce89dc1
[injector] Add port name in injector service ( #495 )
...
* [injector] Add port name in injector service
* [injector] Hardcode port to https
2021-04-13 11:20:31 -04:00
Jason O'Donnell
bf5783ef6b
Add injector agent default overrides ( #493 )
...
* Add injector agent default overrides
* Update test/unit/injector-deployment.bats
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Update test/unit/injector-deployment.bats
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Update test/unit/injector-deployment.bats
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2021-04-12 17:01:14 -04:00
Hamza ZOUHAIR
d8c2d2058c
Custom value of agent port ( #489 )
...
* configure the agent port
* add unit test
* remove default
* remove default
* Update values.yaml
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
2021-04-12 16:59:38 -04:00
Jason O'Donnell
ec67b5dd45
Add logLevel and logFormat values for Vault ( #488 )
...
* Add logLevel and logFormat values for Vault
* Add configurable tests
* Update order of log levels
* Update values.yaml
* Update per review
* Update test/unit/server-statefulset.bats
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Update test/unit/server-statefulset.bats
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2021-04-08 11:18:16 -04:00
Sam Marshall
bfbeba256a
feat(ingress): Extra paths to prepend to the ingress host configuration for annotation based services ( #460 )
...
Refs #361
2021-04-08 10:09:19 -04:00
Paul Witt
a2a07b2a02
add hostNetwork value to injector deployment ( #471 )
...
* add hostNetwork value to injector deployment
* adding unit tests
2021-04-08 10:03:56 -04:00
Arie Lev
7a71c0fec4
fix csi helm deployment ( #486 )
...
* fix serviceaccount and clusterrole name reference (full name)
* add server.enabled option, align with documentation
* add unit tests
* update server.enabled behaviour to explicit true and update tests
2021-04-06 14:56:11 +01:00
Jason O'Donnell
7fd6959cdc
Add volumes and mounts support for CSI ( #479 )
...
* Remove extraVolumes from CSI, add volumes and mounts
* Add better example
2021-03-25 10:21:21 -04:00
Tom Proctor
102f9e49e2
Target vault-csi-provider release 0.1.0 ( #475 )
2021-03-25 09:02:36 -04:00
Tom Proctor
4c1d79f46e
Add CSI secrets store provider ( #461 )
2021-03-19 14:14:38 +00:00
guru1306
690ee410ef
Add objectSelector to webhookconfiguration ( #456 )
2021-02-19 23:02:04 -05:00
Theron Voran
69a3dc618d
Set VAULT_DEV_LISTEN_ADDRESS in dev mode ( #446 )
...
Binds vault to 0.0.0.0 in dev mode so that external traffic is
accepted.
2021-01-15 15:42:50 -08:00
Jason O'Donnell
3cc33172d9
Add extra time to initial probe delay ( #440 )
2021-01-05 13:51:28 -05:00
Tom Proctor
e6b4969acc
Support deploying multiple injector replicas with auto-TLS ( #436 )
2021-01-05 11:14:00 +00:00
Volodymyr Stoiko
f8e6aab4ee
Allow configurable egress for server network policy ( #389 )
...
* Allow configurable egress
* Add test for networkpolicy egress in server
* Allow egress configuration
* Fix test
* Fix networkPolicy test
* Fix test
2020-12-16 12:30:24 -05:00
Jason O'Donnell
cc20c0b3c1
Add allowPrivilegeEscalation=false to pods ( #429 )
...
* Add allowPrivilegeEscalation=false to pods
* Add openshift check
* Add injector openshift check
2020-12-14 14:14:29 -05:00
Logi
a11a75d1b5
support extraLabels for vault-agent-injector ( #428 )
...
* support extraLabels for vault-agent-injector
* added unit test for extraLabels
* fix test
* added injector.extraLabels as empty map to values file
2020-12-07 11:28:06 -05:00
Bruno FERNANDO
73e90a1308
feat: add annotations to injector service ( #425 )
2020-12-07 10:31:54 -05:00
Yong Wen Chua
94adad8335
Update mutating webhook API Version ( #408 )
...
* Update mutating webhook API Version
* Set to ignore by default
* Remove extra `-`
* Add required fields
2020-12-07 10:18:25 -05:00
Piotr Hryszko
e2b609817f
don't set VAULT_DEV_ROOT_TOKEN_ID by default in dev mode ( #415 )
...
* don't set VAULT_DEV_ROOT_TOKEN_ID by default in dev mode
* don't template environment variables that no longer exist
* fix tests after removing VAULT_DEV_ROOT_TOKEN_ID env variable
* removed a typo
* allow overriding VAULT_DEV_ROOT_TOKEN_ID in dev mode
* correct ambiguous description
* don't set default values in templates for visibility, update tests and set uncomment devRootToken in values.yaml
* Update devRootToken description
2020-12-07 10:09:38 -05:00
Chris Pieper
f780877e1d
Update rbac api version to v1 ( #395 )
...
* fix(rbac): update api version on rbac
* Update templates/server-clusterrolebinding.yaml
Co-authored-by: Yong Wen Chua <lawliet89@users.noreply.github.com>
* Update server-discovery-rolebinding.yaml
Co-authored-by: Yong Wen Chua <lawliet89@users.noreply.github.com>
2020-12-07 10:07:02 -05:00
Jason O'Donnell
a8c42428b0
Add extraArgs support to dev mode ( #421 )
2020-11-30 16:31:02 -05:00
Jean-François Roche
c45f9b997d
Enable Vault to review kube tokens when using external Vault ( #392 )
...
We want Vault to perform token reviews with Kubernetes even if we are
using an external Vault.
We need to create the ServiceAccount, Secret and ClusterRoleBinding with
the system:auth-delegator role to enable delegated authentication and
authorization checks [1].
These SA and RBAC objects are created when we deploy the Vault server.
In order to enable the creation of these objects when using an external
Vault, we remove the condition on external mode.
Users might want to provide a sensible name (in global.serviceAccount.name) to the service
account, such as: vault-auth.
refs #376
[1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
2020-10-20 09:34:48 -04:00
gw0
29a77e82d1
Improve config variables ( #398 )
2020-10-16 10:47:31 -04:00
Ori Rawlings
5eb0ba5865
Add configurable failurePolicy for injector's webhook ( #400 )
...
Fixes #399
2020-10-13 09:20:06 -04:00
Michael Parker
1968526f0d
add ability to set pod annotations for injector ( #394 )
...
* add ability to set pod annotations for injector
* add missing unit tests
2020-10-01 11:06:53 -04:00
Jason O'Donnell
13ef8db3b5
Add configurable mountPath for audit/data storage ( #393 )
2020-10-01 09:32:46 -04:00
Volodymyr Stoiko
66ea34c702
Allow explicit network policy enablement ( #381 )
...
* Disable default network policy
* Make network policy configurable by explicit flag only
2020-09-15 23:40:56 -07:00
Jason O'Donnell
fc8ebfdd4e
Add configurable probe values ( #387 )
...
* Add configurable probe values
* Remove template defaults
* Update values.yaml
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Update values.yaml
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Update values.yaml
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Switch timeout and period defaults
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2020-09-15 16:24:38 -04:00