* feat: allow server netPol to specify podSelector
* feat(test): add podSelector NetworkPolicy unittest
* chore: introduce server.networkPolicy.ingress
As suggested let users template the whole ingress object for the
networkPolicy than only the podSelector.
Co-authored-by: tvoran <444265+tvoran@users.noreply.github.com>
---------
Co-authored-by: tvoran <444265+tvoran@users.noreply.github.com>
This variable is used to set the persistentVolumeClaimRetentionPolicy
value in the server-statefulset.yaml template, which is used to
configure the retention policy for the PVCs used by the server
statefulset.
Pin github actions to the latest trusted versions, test with k8s
1.24-1.28, update vault and vault-k8s defaults to latest releases.
---------
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Prepare for 0.25.0 release
* Update CSI acceptance test assertion
Starting in 1.4.0, the CSI provider caches Vault tokens locally. The main thing
we want to check is that the Agent cache is being used so that it's doing the
renewal legwork for any leased secrets, so check for the renewal log message instead
because CSI won't auth over and over anymore.
Support for prometheus-operator was added in
https://github.com/hashicorp/vault-helm/pull/772 and a default empty
set of rules was defined as an empty map `{}`. However, as evidenced
by the commented out rule examples below that very same values.yaml,
this is expected to be a list, so `rules:` value should be set to an
empty list `[]`.
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Vitaliy <vitaliyf@users.noreply.github.com>
Adds Agent as a sidecar for the CSI Provider to:
* Cache k8s auth login leases
* Cache secret leases
* Automatically renew renewable leases in the background
* Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset.
Co-authored-by: Kyle Schochenmaier <kyle.schochenmaier@hashicorp.com>
Test with latest kind k8s versions 1.22-1.26. Remove support for old
disruptionbudget and ingress APIs (pre 1.22).
Pin all actions to SHAs, and use the common jira sync.
Update the default Vault version to v1.13.1.
Update chart-verifier used in tests to 1.10.1, also add an openshift
name annotation to Chart.yaml (one of the required checks).
support collecting Vault server metrics by deploying PrometheusOperator
CustomResources.
Co-authored-by: Sam Weston <weston.sam@gmail.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
csi/server.statefulset: custom security context
This adds flexibility to have custom pod template and container
`securityContext` and preserves current default values and behavior.
Fixes https://github.com/hashicorp/vault-helm/issues/663.
This also is a way to address https://github.com/hashicorp/vault-helm/pull/599
so that people can specify, for example, the CSI to run in a privileged
container for OpenShift.
This is a follow-up to https://github.com/hashicorp/vault-helm/pull/750
and builds on the same principles.
Side note: I am not able to run `helm schema-gen` since it is
unmaintained and does not work with M1 Macs.
Allow the injector's pod- and container-level securityContext to be
fully specified by the user, via new options
`injector.securityContext.pod` and
`injector.securityContext.container` with more complete
defaults. Deprecates `injector.uid` and `injector.gid`.
If `injector.uid` or `injector.gid` are set by the user, the old pod
securityContext settings will be used. Otherwise the new defaults and
settings are used.
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Prepare for release 0.20.1
Improvements:
* `vault-k8s` updated to 0.16.1
CHANGES:
* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Set default object selector for webhooks to exclude injector itself
If `injector.failurePolicy` is set to `Fail`, there is a race condition
where if the mutating webhook config is setup before the injector, then
the injector can fail to start because it tries to inject itself.
We can work around this by ignoring the injector pod in in the webhook
by default.
Thanks to @joeyslalom for the object selector to exclude the pod.
Fixes https://github.com/hashicorp/vault-k8s/issues/258
