update changelog

Prepare for release 0.26.1
2023-10-30 14:04:35 -05:00 · 2023-10-30 13:12:24 -05:00
137 changed files with 1779 additions and 1853 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -9,9 +9,9 @@ assignees: ''

 <!-- Please reserve GitHub issues for bug reports and feature requests.

-**Please note**: We take OpenBao's security and our users' trust very seriously. If
-you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_
-by contacting us at [openbao-security@lists.lfedge.org](mailto:openbao-security@lists.lfedge.org).
+For questions, the best place to get answers is on our [discussion forum](https://discuss.hashicorp.com/c/vault), as they will get more visibility from experienced users than the issue tracker.
+
+Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault Helm, _please responsibly disclose_ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).

 -->

@ -21,19 +21,19 @@ A clear and concise description of what the bug is.
 **To Reproduce**
 Steps to reproduce the behavior:
 1. Install chart
-2. Run bao command
-3. See error (openbao logs, etc.)
+2. Run vault command
+3. See error (vault logs, etc.)

-Other useful info to include: openbao pod logs, `kubectl describe statefulset openbao` and `kubectl get statefulset openbao -o yaml` output
+Other useful info to include: vault pod logs, `kubectl describe statefulset vault` and `kubectl get statefulset vault -o yaml` output

 **Expected behavior**
 A clear and concise description of what you expected to happen.

 **Environment**
-* Kubernetes version:
+* Kubernetes version: 
  * Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.):
  * Other configuration options or runtime services (istio, etc.):
-* openbao-helm version:
+* vault-helm version:

 Chart values:

--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -3,4 +3,5 @@

 contact_links:
  - name: Ask a question
-    url: https://chat.lfx.linuxfoundation.org/#/room/#openbao-questions:chat.lfx.linuxfoundation.org
+    url: https://discuss.hashicorp.com/c/vault
+    about: For increased visibility, please post questions on the discussion forum, and tag with `k8s`
--- a/.github/workflows/acceptance.yaml
+++ b/.github/workflows/acceptance.yaml
@ -5,18 +5,20 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        kind-k8s-version: [1.27.11, 1.28.7, 1.29.2]
+        kind-k8s-version: [1.24.15, 1.25.11, 1.26.6, 1.27.3, 1.28.0]
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - name: Setup test tools
        uses: ./.github/actions/setup-test-tools
      - name: Create K8s Kind Cluster
-        uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
        with:
          config: test/kind/config.yaml
          node_image: kindest/node:v${{ matrix.kind-k8s-version }}
-          version: v0.22.0
+          version: v0.20.0
      - run: bats --tap --timing ./test/acceptance
+        env:
+          VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
 permissions:
  contents: read
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@ -0,0 +1,14 @@
+# If the repository is public, be sure to change to GitHub hosted runners
+name: Lint GitHub Actions Workflows
+on:
+  push:
+    paths:
+      - .github/workflows/**.yml
+  pull_request:
+    paths:
+      - .github/workflows/**.yml
+permissions:
+  contents: read
+jobs:
+  actionlint:
+    uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main
--- a/.github/workflows/jira.yaml
+++ b/.github/workflows/jira.yaml
@ -0,0 +1,17 @@
+name: Jira Sync
+on:
+  issues:
+    types: [opened, closed, deleted, reopened]
+  pull_request_target:
+    types: [opened, closed, reopened]
+  issue_comment: # Also triggers when commenting on a PR from the conversation view
+    types: [created]
+jobs:
+  sync:
+    uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@main
+    secrets:
+      JIRA_SYNC_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }}
+      JIRA_SYNC_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }}
+      JIRA_SYNC_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }}
+    with:
+      teams-array: '["ecosystem", "foundations-eco"]'
--- a/.github/workflows/lint-chart.yml
+++ b/.github/workflows/lint-chart.yml
@ -1,47 +0,0 @@
-name: Lint and Test Chart
-
-on:
-  pull_request:
-    paths:
-      - 'charts/**'
-
-permissions:
-  contents: read
-
-jobs:
-  lint:
-    name: Lint
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: "0"
-
-      - name: Install Helm
-        uses: azure/setup-helm@v4
-
-      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.6.1
-
-      - name: Run chart-testing (list-changed)
-        id: list-changed
-        run: |
-          changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
-          if [[ -n "$changed" ]]; then
-            echo "changed=true" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Run chart-testing (lint)
-        id: lint
-        if: steps.list-changed.outputs.changed == 'true'
-        run: ct lint --target-branch ${{ github.event.repository.default_branch }}
-
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.10.0
-        if: steps.list-changed.outputs.changed == 'true'
-
-      - name: Run chart-testing (install)
-        id: install
-        if: steps.list-changed.outputs.changed == 'true'
-        run: ct install --target-branch ${{ github.event.repository.default_branch }}
--- a/.github/workflows/release-chart.yml
+++ b/.github/workflows/release-chart.yml
@ -1,38 +0,0 @@
-name: Release
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - 'charts/**'
-
-jobs:
-  release:
-    environment: helm-release
-    permissions:
-      contents: write
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Configure Git
-        run: |
-          git config user.name "$GITHUB_ACTOR"
-          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
-
-      - name: Install Helm
-        uses: azure/setup-helm@v3.5
-        id: helm-install
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Run chart-releaser
-        id: helm-release
-        uses: helm/chart-releaser-action@v1.6.0
-        env:
-          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-          CR_GENERATE_RELEASE_NOTES: true
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@ -4,20 +4,20 @@ jobs:
  bats-unit-tests:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - uses: ./.github/actions/setup-test-tools
      - run: bats --tap --timing ./test/unit
  chart-verifier:
    runs-on: ubuntu-latest
    env:
-      CHART_VERIFIER_VERSION: "1.13.7"
+      CHART_VERIFIER_VERSION: '1.13.0'
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - name: Setup test tools
        uses: ./.github/actions/setup-test-tools
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
-          go-version: "1.22.5"
+          go-version: '1.21.3'
      - run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}"
      - run: bats --tap --timing ./test/chart
 permissions:
--- a/.github/workflows/update-helm-charts-index.yml
+++ b/.github/workflows/update-helm-charts-index.yml
@ -0,0 +1,40 @@
+name: update-helm-charts-index
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+
+permissions:
+  contents: read
+
+jobs:
+  update-helm-charts-index:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - name: verify Chart version matches tag version
+        run: |-
+          export TAG=${{ github.ref_name }}
+          git_tag="${TAG#v}"
+          chart_tag=$(yq -r '.version' Chart.yaml)
+          if [ "${git_tag}" != "${chart_tag}" ]; then
+            echo "chart version (${chart_tag}) did not match git version (${git_tag})"
+            exit 1
+          fi
+      - name: update helm-charts index
+        id: update
+        env:
+          GH_TOKEN: ${{ secrets.HELM_CHARTS_GITHUB_TOKEN }}
+        run: |-
+          gh workflow run publish-charts.yml \
+            --repo hashicorp/helm-charts \
+            --ref main \
+            -f SOURCE_TAG="${{ github.ref_name }}" \
+            -f SOURCE_REPO="${{ github.repository }}"
+      - uses: hashicorp/actions-slack-status@v1
+        if: ${{always()}}
+        with:
+          success-message: "vault-helm charts index update triggered successfully. View the run <https://github.com/hashicorp/helm-charts/actions/workflows/publish-charts.yml|here>."
+          failure-message: "vault-helm charts index update trigger failed."
+          status: ${{job.status}}
+          slack-webhook-url: ${{secrets.SLACK_WEBHOOK_URL}}
--- a/.gitignore
+++ b/.gitignore
@ -11,4 +11,3 @@ vaul-helm-dev-creds.json
 ./test/acceptance/values.yaml
 ./test/acceptance/values.yml
 .idea
-scratch/
--- a/charts/openbao/.helmignore
+++ b/charts/openbao/.helmignore
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,24 +1,5 @@
 ## Unreleased

-Bugs:
-* injector: add missing `get` `nodes` permission to ClusterRole [GH-1005](https://github.com/hashicorp/vault-helm/pull/1005)
-
-## 0.27.0 (November 16, 2023)
-
-Changes:
-
-* Default `vault` version updated to 1.15.2
-
-Features:
-
-* server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet [GH-965](https://github.com/hashicorp/vault-helm/pull/965)
-* server: Support setting labels on PVCs [GH-969](https://github.com/hashicorp/vault-helm/pull/969)
-* server: Support setting ingress rules for networkPolicy [GH-877](https://github.com/hashicorp/vault-helm/pull/877)
-
-Improvements:
-
-* Support exec in the server liveness probe [GH-971](https://github.com/hashicorp/vault-helm/pull/971)
-
 ## 0.26.1 (October 30, 2023)

 Bugs:
--- a/1
+++ b/1
@ -0,0 +1 @@
+* @hashicorp/vault-ecosystem-foundations
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,8 +1,8 @@
-# Contributing to OpenBao Helm
+# Contributing to Vault Helm

-**Please note:** We take OpenBao's security and our users' trust very seriously.
-If you believe you have found a security issue in OpenBao, please responsibly
-disclose by contacting us at openbao-security@lists.lfedge.org.
+**Please note:** We take Vault's security and our users' trust very seriously.
+If you believe you have found a security issue in Vault, please responsibly
+disclose by contacting us at security@hashicorp.com.

 **First:** if you're unsure or afraid of _anything_, just ask or submit the
 issue or pull request anyways. You won't be yelled at for giving it your best
@ -12,15 +12,14 @@ rules to get in the way of that.

 That said, if you want to ensure that a pull request is likely to be merged,
 talk to us! You can find out our thoughts and ensure that your contribution
-won't clash or be obviated by OpenBao's normal direction. A great way to do this
-is via the [Linux Foundation Element chat server][1], or [mailing list][2].
+won't clash or be obviated by Vault's normal direction. A great way to do this
+is via the [Vault Discussion Forum][1].

 This document will cover what we're looking for in terms of reporting issues.
 By addressing all the points we're looking for, it raises the chances we can
 quickly merge or address your contributions.

-[1]: https://chat.lfx.linuxfoundation.org
-[2]: https://lists.lfedge.org/g/openbao
+[1]: https://discuss.hashicorp.com/c/vault

 ## Issues

@ -34,14 +33,14 @@ quickly merge or address your contributions.
 * Provide steps to reproduce the issue, and if possible include the expected
  results as well as the actual results. Please provide text, not screen shots!

-* Respond as promptly as possible to any questions made by the OpenBao
+* Respond as promptly as possible to any questions made by the Vault
  team to your issue. Stale issues will be closed periodically.

 ### Issue Lifecycle

 1. The issue is reported.

-2. The issue is verified and categorized by a OpenBao Helm collaborator.
+2. The issue is verified and categorized by a Vault Helm collaborator.
   Categorization is done via tags. For example, bugs are marked as "bugs".

 3. Unless it is critical, the issue may be left for a period of time (sometimes
@ -71,25 +70,25 @@ The following are the instructions for running bats tests using a Docker contain
 #### Prerequisites

 * Docker installed
-* `openbao-helm` checked out locally
+* `vault-helm` checked out locally

 #### Test

-**Note:** the following commands should be run from the `openbao-helm` directory.
+**Note:** the following commands should be run from the `vault-helm` directory.

 First, build the Docker image for running the tests:

 ```shell
-docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t openbao-helm-test
+docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test
 ```
 Next, execute the tests with the following commands:
 ```shell
-docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit
+docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit
 ```
-It's possible to only run specific bats tests using regular expressions.
+It's possible to only run specific bats tests using regular expressions. 
 For example, the following will run only tests with "injector" in the name:
 ```shell
-docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit -f "injector"
+docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector"
 ```

 ### Test Manually
@ -123,7 +122,7 @@ may not be properly cleaned up. We recommend recycling the Kubernetes cluster to
 start from a clean slate.

 **Note:** There is a Terraform configuration in the
-[`test/terraform/`](https://github.com/openbao/openbao-helm/tree/main/test/terraform) directory
+[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory
 that can be used to quickly bring up a GKE cluster and configure
 `kubectl` and `helm` locally. This can be used to quickly spin up a test
 cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes
--- a/Chart.yaml
+++ b/Chart.yaml
@ -0,0 +1,19 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: v2
+name: vault
+version: 0.26.1
+appVersion: 1.15.1
+kubeVersion: ">= 1.20.0-0"
+description: Official HashiCorp Vault Chart
+home: https://www.vaultproject.io
+icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
+keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"]
+sources:
+  - https://github.com/hashicorp/vault
+  - https://github.com/hashicorp/vault-helm
+  - https://github.com/hashicorp/vault-k8s
+  - https://github.com/hashicorp/vault-csi-provider
+annotations:
+  charts.openshift.io/name: HashiCorp Vault
--- a/11
+++ b/11
@ -1,6 +1,6 @@
-TEST_IMAGE?=openbao-helm-test
-GOOGLE_CREDENTIALS?=openbao-helm-test.json
-CLOUDSDK_CORE_PROJECT?=openbao-helm-dev-246514
+TEST_IMAGE?=vault-helm-test
+GOOGLE_CREDENTIALS?=vault-helm-test.json
+CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514
 # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats
 ACCEPTANCE_TESTS?=acceptance

@ -11,10 +11,10 @@ UNIT_TESTS_FILTER?='.*'
 LOCAL_ACCEPTANCE_TESTS?=false

 # kind cluster name
-KIND_CLUSTER_NAME?=openbao-helm
+KIND_CLUSTER_NAME?=vault-helm

 # kind k8s version
-KIND_K8S_VERSION?=v1.29.2
+KIND_K8S_VERSION?=v1.26.3

 # Generate json schema for chart values. See test/README.md for more details.
 values-schema:
@ -40,6 +40,7 @@ else
 	-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
 	-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
 	-e KUBECONFIG=/helm-test/.kube/config \
+	-e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \
 	-w /helm-test \
 	$(TEST_IMAGE) \
 	make acceptance
--- a/README.md
+++ b/README.md
@ -1,12 +1,16 @@
-# OpenBao Helm Chart
+# Vault Helm Chart

-> :warning: **Please note**: We take OpenBao's security and our users' trust very seriously. If
-you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_
-by contacting us at [openbao-security@lists.lfedge.org](mailto:openbao-security@lists.lfedge.org).
+> :warning: **Please note**: We take Vault's security and our users' trust very seriously. If 
+you believe you have found a security issue in Vault Helm, _please responsibly disclose_ 
+by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).

-This repository contains the OpenBao Helm chart for installing
-and configuring OpenBao on Kubernetes. This chart supports multiple use
-cases of OpenBao on Kubernetes depending on the values provided.
+This repository contains the official HashiCorp Helm chart for installing
+and configuring Vault on Kubernetes. This chart supports multiple use
+cases of Vault on Kubernetes depending on the values provided.
+
+For full documentation on this Helm chart along with all the ways you can
+use Vault with Kubernetes, please see the
+[Vault and Kubernetes documentation](https://developer.hashicorp.com/vault/docs/platform/k8s).

 ## Prerequisites

@ -16,19 +20,24 @@ this README. Please refer to the Kubernetes and Helm documentation.

 The versions required are:

-  * **Helm 3.12+** - Earliest verison tested
-  * **Kubernetes 1.28+** - This is the earliest version of Kubernetes tested.
+  * **Helm 3.6+**
+  * **Kubernetes 1.22+** - This is the earliest version of Kubernetes tested.
    It is possible that this chart works with earlier versions but it is
    untested.

 ## Usage

-To install the latest version of this chart, add the OpenBao helm repository and run `helm install`:
+To install the latest version of this chart, add the Hashicorp helm repository
+and run `helm install`:

 ```console
-helm repo add openbao https://openbao.github.io/openbao-helm
+$ helm repo add hashicorp https://helm.releases.hashicorp.com
+"hashicorp" has been added to your repositories

-helm install openbao openbao/openbao
+$ helm install vault hashicorp/vault
 ```

-Please see the many options supported in the [`values.yaml`](./charts/openbao/values.yaml) file. These are also fully documented directly in the [openbao README](./charts/openbao/README.md) along with more detailed installation instructions.
+Please see the many options supported in the `values.yaml` file. These are also
+fully documented directly on the [Vault
+website](https://developer.hashicorp.com/vault/docs/platform/k8s/helm) along with more
+detailed installation instructions.
--- a/charts/openbao/Chart.yaml
+++ b/charts/openbao/Chart.yaml
@ -1,31 +0,0 @@
-# Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: MPL-2.0
-
-apiVersion: v2
-name: openbao
-version: 0.6.0
-appVersion: v2.0.2
-kubeVersion: ">= 1.27.0-0"
-description: Official OpenBao Chart
-home: https://github.com/openbao/openbao-helm
-icon: https://github.com/openbao/artwork/blob/main/color/openbao-color.svg
-keywords:
-  [
-    "vault",
-    "openbao",
-    "security",
-    "encryption",
-    "secrets",
-    "management",
-    "automation",
-    "infrastructure",
-  ]
-sources:
-  - https://github.com/openbao/openbao-helm
-annotations:
-  charts.openshift.io/name: Openbao
-
-maintainers:
-  - name: OpenBao
-    email: openbao-security@lists.lfedge.org
-    url: https://openbao.org
--- a/charts/openbao/README.md
+++ b/charts/openbao/README.md
@ -1,294 +0,0 @@
-# openbao
-
-![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: v2.0.2](https://img.shields.io/badge/AppVersion-v2.0.2-informational?style=flat-square)
-
-Official OpenBao Chart
-
-**Homepage:** <https://github.com/openbao/openbao-helm>
-
-## Maintainers
-
-| Name | Email | Url |
-| ---- | ------ | --- |
-| OpenBao | <openbao-security@lists.lfedge.org> | <https://openbao.org> |
-
-## Source Code
-
-* <https://github.com/openbao/openbao-helm>
-
-## Requirements
-
-Kubernetes: `>= 1.27.0-0`
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| csi.agent.enabled | bool | `true` |  |
-| csi.agent.extraArgs | list | `[]` |  |
-| csi.agent.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" |
-| csi.agent.image.registry | string | `"quay.io"` | image registry to use for agent image |
-| csi.agent.image.repository | string | `"openbao/openbao"` | image repo to use for agent image |
-| csi.agent.image.tag | string | `"2.0.2"` | image tag to use for agent image |
-| csi.agent.logFormat | string | `"standard"` |  |
-| csi.agent.logLevel | string | `"info"` |  |
-| csi.agent.resources | object | `{}` |  |
-| csi.daemonSet.annotations | object | `{}` |  |
-| csi.daemonSet.extraLabels | object | `{}` |  |
-| csi.daemonSet.kubeletRootDir | string | `"/var/lib/kubelet"` |  |
-| csi.daemonSet.providersDir | string | `"/etc/kubernetes/secrets-store-csi-providers"` |  |
-| csi.daemonSet.securityContext.container | object | `{}` |  |
-| csi.daemonSet.securityContext.pod | object | `{}` |  |
-| csi.daemonSet.updateStrategy.maxUnavailable | string | `""` |  |
-| csi.daemonSet.updateStrategy.type | string | `"RollingUpdate"` |  |
-| csi.debug | bool | `false` |  |
-| csi.enabled | bool | `false` | True if you want to install a secrets-store-csi-driver-provider-vault daemonset.  Requires installing the secrets-store-csi-driver separately, see: https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver  With the driver and provider installed, you can mount OpenBao secrets into volumes similar to the OpenBao Agent injector, and you can also sync those secrets into Kubernetes secrets. |
-| csi.extraArgs | list | `[]` |  |
-| csi.hmacSecretName | string | `""` |  |
-| csi.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for csi image. if tag is "latest", set to "Always" |
-| csi.image.registry | string | `"docker.io"` | image registry to use for csi image |
-| csi.image.repository | string | `"hashicorp/vault-csi-provider"` | image repo to use for csi image |
-| csi.image.tag | string | `"1.4.0"` | image tag to use for csi image |
-| csi.livenessProbe.failureThreshold | int | `2` |  |
-| csi.livenessProbe.initialDelaySeconds | int | `5` |  |
-| csi.livenessProbe.periodSeconds | int | `5` |  |
-| csi.livenessProbe.successThreshold | int | `1` |  |
-| csi.livenessProbe.timeoutSeconds | int | `3` |  |
-| csi.pod.affinity | object | `{}` |  |
-| csi.pod.annotations | object | `{}` |  |
-| csi.pod.extraLabels | object | `{}` |  |
-| csi.pod.nodeSelector | object | `{}` |  |
-| csi.pod.tolerations | list | `[]` |  |
-| csi.priorityClassName | string | `""` |  |
-| csi.readinessProbe.failureThreshold | int | `2` |  |
-| csi.readinessProbe.initialDelaySeconds | int | `5` |  |
-| csi.readinessProbe.periodSeconds | int | `5` |  |
-| csi.readinessProbe.successThreshold | int | `1` |  |
-| csi.readinessProbe.timeoutSeconds | int | `3` |  |
-| csi.resources | object | `{}` |  |
-| csi.serviceAccount.annotations | object | `{}` |  |
-| csi.serviceAccount.extraLabels | object | `{}` |  |
-| csi.volumeMounts | list | `[]` | volumeMounts is a list of volumeMounts for the main server container. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. |
-| csi.volumes | list | `[]` | volumes is a list of volumes made available to all containers. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. |
-| global.enabled | bool | `true` | enabled is the master enabled switch. Setting this to true or false will enable or disable all the components within this chart by default. |
-| global.externalVaultAddr | string | `""` | External openbao server address for the injector and CSI provider to use. Setting this will disable deployment of a openbao server. |
-| global.imagePullSecrets | list | `[]` | Image pull secret to use for registry authentication. Alternatively, the value may be specified as an array of strings. |
-| global.namespace | string | `""` | The namespace to deploy to. Defaults to the `helm` installation namespace. |
-| global.openshift | bool | `false` | If deploying to OpenShift |
-| global.psp | object | `{"annotations":"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName:  runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName:  runtime/default\n","enable":false}` | Create PodSecurityPolicy for pods |
-| global.psp.annotations | string | `"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName:  runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName:  runtime/default\n"` | Annotation for PodSecurityPolicy. This is a multi-line templated string map, and can also be set as YAML. |
-| global.serverTelemetry.prometheusOperator | bool | `false` | Enable integration with the Prometheus Operator See the top level serverTelemetry section below before enabling this feature. |
-| global.tlsDisable | bool | `true` | TLS for end-to-end encrypted transport |
-| injector.affinity | string | `"podAntiAffinity:\n  requiredDuringSchedulingIgnoredDuringExecution:\n    - labelSelector:\n        matchLabels:\n          app.kubernetes.io/name: {{ template \"openbao.name\" . }}-agent-injector\n          app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n          component: webhook\n      topologyKey: kubernetes.io/hostname\n"` |  |
-| injector.agentDefaults.cpuLimit | string | `"500m"` |  |
-| injector.agentDefaults.cpuRequest | string | `"250m"` |  |
-| injector.agentDefaults.memLimit | string | `"128Mi"` |  |
-| injector.agentDefaults.memRequest | string | `"64Mi"` |  |
-| injector.agentDefaults.template | string | `"map"` |  |
-| injector.agentDefaults.templateConfig.exitOnRetryFailure | bool | `true` |  |
-| injector.agentDefaults.templateConfig.staticSecretRenderInterval | string | `""` |  |
-| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.2"}` | agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent containers.  This should be set to the official OpenBao image.  OpenBao 1.3.1+ is required. |
-| injector.agentImage.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" |
-| injector.agentImage.registry | string | `"quay.io"` | image registry to use for agent image |
-| injector.agentImage.repository | string | `"openbao/openbao"` | image repo to use for agent image |
-| injector.agentImage.tag | string | `"2.0.2"` | image tag to use for agent image |
-| injector.annotations | object | `{}` |  |
-| injector.authPath | string | `"auth/kubernetes"` |  |
-| injector.certs.caBundle | string | `""` |  |
-| injector.certs.certName | string | `"tls.crt"` |  |
-| injector.certs.keyName | string | `"tls.key"` |  |
-| injector.certs.secretName | string | `nil` |  |
-| injector.enabled | string | `"-"` | True if you want to enable openbao agent injection. @default: global.enabled |
-| injector.externalVaultAddr | string | `""` | Deprecated: Please use global.externalVaultAddr instead. |
-| injector.extraEnvironmentVars | object | `{}` |  |
-| injector.extraLabels | object | `{}` |  |
-| injector.failurePolicy | string | `"Ignore"` |  |
-| injector.hostNetwork | bool | `false` |  |
-| injector.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for k8s image. if tag is "latest", set to "Always" |
-| injector.image.registry | string | `"docker.io"` | image registry to use for k8s image |
-| injector.image.repository | string | `"hashicorp/vault-k8s"` | image repo to use for k8s image |
-| injector.image.tag | string | `"1.4.2"` | image tag to use for k8s image |
-| injector.leaderElector | object | `{"enabled":true}` | If multiple replicas are specified, by default a leader will be determined so that only one injector attempts to create TLS certificates. |
-| injector.livenessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
-| injector.livenessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
-| injector.livenessProbe.periodSeconds | int | `2` | How often (in seconds) to perform the probe |
-| injector.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed |
-| injector.livenessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
-| injector.logFormat | string | `"standard"` | Configures the log format of the injector. Supported log formats: "standard", "json". |
-| injector.logLevel | string | `"info"` | Configures the log verbosity of the injector. Supported log levels include: trace, debug, info, warn, error |
-| injector.metrics | object | `{"enabled":false}` | If true, will enable a node exporter metrics endpoint at /metrics. |
-| injector.namespaceSelector | object | `{}` |  |
-| injector.nodeSelector | object | `{}` |  |
-| injector.objectSelector | object | `{}` |  |
-| injector.podDisruptionBudget | object | `{}` |  |
-| injector.port | int | `8080` | Configures the port the injector should listen on |
-| injector.priorityClassName | string | `""` |  |
-| injector.readinessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
-| injector.readinessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
-| injector.readinessProbe.periodSeconds | int | `2` | How often (in seconds) to perform the probe |
-| injector.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed |
-| injector.readinessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
-| injector.replicas | int | `1` |  |
-| injector.resources | object | `{}` |  |
-| injector.revokeOnShutdown | bool | `false` |  |
-| injector.securityContext.container | object | `{}` |  |
-| injector.securityContext.pod | object | `{}` |  |
-| injector.service.annotations | object | `{}` |  |
-| injector.serviceAccount.annotations | object | `{}` |  |
-| injector.startupProbe.failureThreshold | int | `12` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
-| injector.startupProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
-| injector.startupProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe |
-| injector.startupProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed |
-| injector.startupProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
-| injector.strategy | object | `{}` |  |
-| injector.tolerations | list | `[]` |  |
-| injector.topologySpreadConstraints | list | `[]` |  |
-| injector.webhook.annotations | object | `{}` |  |
-| injector.webhook.failurePolicy | string | `"Ignore"` |  |
-| injector.webhook.matchPolicy | string | `"Exact"` |  |
-| injector.webhook.namespaceSelector | object | `{}` |  |
-| injector.webhook.objectSelector | string | `"matchExpressions:\n- key: app.kubernetes.io/name\n  operator: NotIn\n  values:\n  - {{ template \"openbao.name\" . }}-agent-injector\n"` |  |
-| injector.webhook.timeoutSeconds | int | `30` |  |
-| injector.webhookAnnotations | object | `{}` |  |
-| server.affinity | string | `"podAntiAffinity:\n  requiredDuringSchedulingIgnoredDuringExecution:\n    - labelSelector:\n        matchLabels:\n          app.kubernetes.io/name: {{ template \"openbao.name\" . }}\n          app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n          component: server\n      topologyKey: kubernetes.io/hostname\n"` |  |
-| server.annotations | object | `{}` |  |
-| server.auditStorage.accessMode | string | `"ReadWriteOnce"` |  |
-| server.auditStorage.annotations | object | `{}` |  |
-| server.auditStorage.enabled | bool | `false` |  |
-| server.auditStorage.labels | object | `{}` |  |
-| server.auditStorage.mountPath | string | `"/openbao/audit"` |  |
-| server.auditStorage.size | string | `"10Gi"` |  |
-| server.auditStorage.storageClass | string | `nil` |  |
-| server.authDelegator.enabled | bool | `true` |  |
-| server.configAnnotation | bool | `false` |  |
-| server.dataStorage.accessMode | string | `"ReadWriteOnce"` |  |
-| server.dataStorage.annotations | object | `{}` |  |
-| server.dataStorage.enabled | bool | `true` |  |
-| server.dataStorage.labels | object | `{}` |  |
-| server.dataStorage.mountPath | string | `"/openbao/data"` |  |
-| server.dataStorage.size | string | `"10Gi"` |  |
-| server.dataStorage.storageClass | string | `nil` |  |
-| server.dev.devRootToken | string | `"root"` |  |
-| server.dev.enabled | bool | `false` |  |
-| server.enabled | string | `"-"` |  |
-| server.extraArgs | string | `""` | extraArgs is a string containing additional OpenBao server arguments. |
-| server.extraContainers | string | `nil` |  |
-| server.extraEnvironmentVars | object | `{}` |  |
-| server.extraInitContainers | list | `[]` | extraInitContainers is a list of init containers. Specified as a YAML list. This is useful if you need to run a script to provision TLS certificates or write out configuration files in a dynamic way. |
-| server.extraLabels | object | `{}` |  |
-| server.extraPorts | list | `[]` | extraPorts is a list of extra ports. Specified as a YAML list. This is useful if you need to add additional ports to the statefulset in dynamic way. |
-| server.extraSecretEnvironmentVars | list | `[]` |  |
-| server.extraVolumes | list | `[]` |  |
-| server.ha.apiAddr | string | `nil` |  |
-| server.ha.clusterAddr | string | `nil` |  |
-| server.ha.config | string | `"ui = true\n\nlistener \"tcp\" {\n  tls_disable = 1\n  address = \"[::]:8200\"\n  cluster_address = \"[::]:8201\"\n}\nstorage \"consul\" {\n  path = \"openbao\"\n  address = \"HOST_IP:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n#   project     = \"openbao-helm-dev-246514\"\n#   region      = \"global\"\n#   key_ring    = \"openbao-helm-unseal-kr\"\n#   crypto_key  = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics.\n# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.\n# You may wish to enable unauthenticated metrics in the listener block above.\n#telemetry {\n#  prometheus_retention_time = \"30s\"\n#  disable_hostname = true\n#}\n"` |  |
-| server.ha.disruptionBudget.enabled | bool | `true` |  |
-| server.ha.disruptionBudget.maxUnavailable | string | `nil` |  |
-| server.ha.enabled | bool | `false` |  |
-| server.ha.raft.config | string | `"ui = true\n\nlistener \"tcp\" {\n  tls_disable = 1\n  address = \"[::]:8200\"\n  cluster_address = \"[::]:8201\"\n  # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n  #telemetry {\n  #  unauthenticated_metrics_access = \"true\"\n  #}\n}\n\nstorage \"raft\" {\n  path = \"/openbao/data\"\n}\n\nservice_registration \"kubernetes\" {}\n"` |  |
-| server.ha.raft.enabled | bool | `false` |  |
-| server.ha.raft.setNodeId | bool | `false` |  |
-| server.ha.replicas | int | `3` |  |
-| server.hostAliases | list | `[]` |  |
-| server.hostNetwork | bool | `false` |  |
-| server.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for server image. if tag is "latest", set to "Always" |
-| server.image.registry | string | `"quay.io"` | image registry to use for server image |
-| server.image.repository | string | `"openbao/openbao"` | image repo to use for server image |
-| server.image.tag | string | `"2.0.2"` | image tag to use for server image |
-| server.ingress.activeService | bool | `true` |  |
-| server.ingress.annotations | object | `{}` |  |
-| server.ingress.enabled | bool | `false` |  |
-| server.ingress.extraPaths | list | `[]` |  |
-| server.ingress.hosts[0].host | string | `"chart-example.local"` |  |
-| server.ingress.hosts[0].paths | list | `[]` |  |
-| server.ingress.ingressClassName | string | `""` |  |
-| server.ingress.labels | object | `{}` |  |
-| server.ingress.pathType | string | `"Prefix"` |  |
-| server.ingress.tls | list | `[]` |  |
-| server.livenessProbe.enabled | bool | `false` |  |
-| server.livenessProbe.execCommand | list | `[]` |  |
-| server.livenessProbe.failureThreshold | int | `2` |  |
-| server.livenessProbe.initialDelaySeconds | int | `60` |  |
-| server.livenessProbe.path | string | `"/v1/sys/health?standbyok=true"` |  |
-| server.livenessProbe.periodSeconds | int | `5` |  |
-| server.livenessProbe.port | int | `8200` |  |
-| server.livenessProbe.successThreshold | int | `1` |  |
-| server.livenessProbe.timeoutSeconds | int | `3` |  |
-| server.logFormat | string | `""` |  |
-| server.logLevel | string | `""` |  |
-| server.networkPolicy.egress | list | `[]` |  |
-| server.networkPolicy.enabled | bool | `false` |  |
-| server.networkPolicy.ingress[0].from[0].namespaceSelector | object | `{}` |  |
-| server.networkPolicy.ingress[0].ports[0].port | int | `8200` |  |
-| server.networkPolicy.ingress[0].ports[0].protocol | string | `"TCP"` |  |
-| server.networkPolicy.ingress[0].ports[1].port | int | `8201` |  |
-| server.networkPolicy.ingress[0].ports[1].protocol | string | `"TCP"` |  |
-| server.nodeSelector | object | `{}` |  |
-| server.persistentVolumeClaimRetentionPolicy | object | `{}` |  |
-| server.postStart | list | `[]` |  |
-| server.preStopSleepSeconds | int | `5` |  |
-| server.priorityClassName | string | `""` |  |
-| server.readinessProbe.enabled | bool | `true` |  |
-| server.readinessProbe.failureThreshold | int | `2` |  |
-| server.readinessProbe.initialDelaySeconds | int | `5` |  |
-| server.readinessProbe.periodSeconds | int | `5` |  |
-| server.readinessProbe.port | int | `8200` |  |
-| server.readinessProbe.successThreshold | int | `1` |  |
-| server.readinessProbe.timeoutSeconds | int | `3` |  |
-| server.resources | object | `{}` |  |
-| server.route.activeService | bool | `true` |  |
-| server.route.annotations | object | `{}` |  |
-| server.route.enabled | bool | `false` |  |
-| server.route.host | string | `"chart-example.local"` |  |
-| server.route.labels | object | `{}` |  |
-| server.route.tls.termination | string | `"passthrough"` |  |
-| server.service.active.annotations | object | `{}` |  |
-| server.service.active.enabled | bool | `true` |  |
-| server.service.annotations | object | `{}` |  |
-| server.service.enabled | bool | `true` |  |
-| server.service.externalTrafficPolicy | string | `"Cluster"` |  |
-| server.service.instanceSelector.enabled | bool | `true` |  |
-| server.service.ipFamilies | list | `[]` |  |
-| server.service.ipFamilyPolicy | string | `""` |  |
-| server.service.port | int | `8200` |  |
-| server.service.publishNotReadyAddresses | bool | `true` |  |
-| server.service.standby.annotations | object | `{}` |  |
-| server.service.standby.enabled | bool | `true` |  |
-| server.service.targetPort | int | `8200` |  |
-| server.serviceAccount.annotations | object | `{}` |  |
-| server.serviceAccount.create | bool | `true` |  |
-| server.serviceAccount.createSecret | bool | `false` |  |
-| server.serviceAccount.extraLabels | object | `{}` |  |
-| server.serviceAccount.name | string | `""` |  |
-| server.serviceAccount.serviceDiscovery.enabled | bool | `true` |  |
-| server.shareProcessNamespace | bool | `false` | shareProcessNamespace enables process namespace sharing between OpenBao and the extraContainers This is useful if OpenBao must be signaled, e.g. to send a SIGHUP for a log rotation |
-| server.standalone.config | string | `"ui = true\n\nlistener \"tcp\" {\n  tls_disable = 1\n  address = \"[::]:8200\"\n  cluster_address = \"[::]:8201\"\n  # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n  #telemetry {\n  #  unauthenticated_metrics_access = \"true\"\n  #}\n}\nstorage \"file\" {\n  path = \"/openbao/data\"\n}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n#   project     = \"openbao-helm-dev\"\n#   region      = \"global\"\n#   key_ring    = \"openbao-helm-unseal-kr\"\n#   crypto_key  = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n#  prometheus_retention_time = \"30s\"\n#  disable_hostname = true\n#}\n"` |  |
-| server.standalone.enabled | string | `"-"` |  |
-| server.statefulSet.annotations | object | `{}` |  |
-| server.statefulSet.securityContext.container | object | `{}` |  |
-| server.statefulSet.securityContext.pod | object | `{}` |  |
-| server.terminationGracePeriodSeconds | int | `10` |  |
-| server.tolerations | list | `[]` |  |
-| server.topologySpreadConstraints | list | `[]` |  |
-| server.updateStrategyType | string | `"OnDelete"` |  |
-| server.volumeMounts | string | `nil` |  |
-| server.volumes | string | `nil` |  |
-| serverTelemetry.prometheusRules.enabled | bool | `false` |  |
-| serverTelemetry.prometheusRules.rules | list | `[]` |  |
-| serverTelemetry.prometheusRules.selectors | object | `{}` |  |
-| serverTelemetry.serviceMonitor.enabled | bool | `false` |  |
-| serverTelemetry.serviceMonitor.interval | string | `"30s"` |  |
-| serverTelemetry.serviceMonitor.scrapeTimeout | string | `"10s"` |  |
-| serverTelemetry.serviceMonitor.selectors | object | `{}` |  |
-| ui.activeOpenbaoPodOnly | bool | `false` |  |
-| ui.annotations | object | `{}` |  |
-| ui.enabled | bool | `false` |  |
-| ui.externalPort | int | `8200` |  |
-| ui.externalTrafficPolicy | string | `"Cluster"` |  |
-| ui.publishNotReadyAddresses | bool | `true` |  |
-| ui.serviceIPFamilies | list | `[]` |  |
-| ui.serviceIPFamilyPolicy | string | `""` |  |
-| ui.serviceNodePort | string | `nil` |  |
-| ui.serviceType | string | `"ClusterIP"` |  |
-| ui.targetPort | int | `8200` |  |
-
--- a/charts/openbao/templates/NOTES.txt
+++ b/charts/openbao/templates/NOTES.txt
@ -1,14 +0,0 @@
-
-Thank you for installing OpenBao!
-
-Now that you have deployed OpenBao, you should look over the docs on using
-OpenBao with Kubernetes available here:
-
-https://openbao.org/docs/
-
-
-Your release is named {{ .Release.Name }}. To learn more about the release, try:
-
-  $ helm status {{ .Release.Name }}
-  $ helm get manifest {{ .Release.Name }}
-
--- a/charts/openbao/templates/csi-rolebinding.yaml
+++ b/charts/openbao/templates/csi-rolebinding.yaml
@ -1,25 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{- template "openbao.csiEnabled" . -}}
-{{- if .csiEnabled -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ template "openbao.fullname" . }}-csi-provider-rolebinding
-  namespace: {{ include "openbao.namespace" . }}
-  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ template "openbao.fullname" . }}-csi-provider-role
-subjects:
- kind: ServiceAccount
-  name: {{ template "openbao.fullname" . }}-csi-provider
-  namespace: {{ include "openbao.namespace" . }}
-{{- end }}
--- a/charts/openbao/templates/server-config-configmap.yaml
+++ b/charts/openbao/templates/server-config-configmap.yaml
@ -1,31 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{ template "openbao.mode" . }}
-{{- if ne .mode "external" }}
-{{- if .serverEnabled -}}
-{{- if ne .mode "dev" -}}
-{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ template "openbao.fullname" . }}-config
-  namespace: {{ include "openbao.namespace" . }}
-  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- if .Values.server.includeConfigAnnotation }}
-  annotations:
-    vault.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }}
-{{- end }}
-data:
-  extraconfig-from-values.hcl: |-
-    {{ template "openbao.config" . }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
--- a/charts/openbao/templates/server-serviceaccount-secret.yaml
+++ b/charts/openbao/templates/server-serviceaccount-secret.yaml
@ -1,21 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{ template "openbao.serverServiceAccountSecretCreationEnabled" . }}
-{{- if .serverServiceAccountSecretCreationEnabled -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ template "openbao.serviceAccount.name" . }}-token
-  namespace: {{ include "openbao.namespace" . }}
-  annotations:
-    kubernetes.io/service-account.name: {{ template "openbao.serviceAccount.name" . }}
-  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-type: kubernetes.io/service-account-token
-{{ end }}
--- a/templates/NOTES.txt
+++ b/templates/NOTES.txt
@ -0,0 +1,14 @@
+
+Thank you for installing HashiCorp Vault!
+
+Now that you have deployed Vault, you should look over the docs on using
+Vault with Kubernetes available here:
+
+https://developer.hashicorp.com/vault/docs
+
+
+Your release is named {{ .Release.Name }}. To learn more about the release, try:
+
+  $ helm status {{ .Release.Name }}
+  $ helm get manifest {{ .Release.Name }}
+
--- a/charts/openbao/templates/_helpers.tpl
+++ b/charts/openbao/templates/_helpers.tpl
@ -9,7 +9,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to
 this (by the DNS naming spec). If release name contains chart name it will
 be used as a full name.
 */}}
-{{- define "openbao.fullname" -}}
+{{- define "vault.fullname" -}}
 {{- if .Values.fullnameOverride -}}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
@ -25,28 +25,28 @@ be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "openbao.chart" -}}
+{{- define "vault.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}

 {{/*
 Expand the name of the chart.
 */}}
-{{- define "openbao.name" -}}
+{{- define "vault.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}

 {{/*
 Allow the release namespace to be overridden
 */}}
-{{- define "openbao.namespace" -}}
+{{- define "vault.namespace" -}}
 {{- default .Release.Namespace .Values.global.namespace -}}
 {{- end -}}

 {{/*
 Compute if the csi driver is enabled.
 */}}
-{{- define "openbao.csiEnabled" -}}
+{{- define "vault.csiEnabled" -}}
 {{- $_ := set . "csiEnabled" (or
  (eq (.Values.csi.enabled | toString) "true")
  (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -55,7 +55,7 @@ Compute if the csi driver is enabled.
 {{/*
 Compute if the injector is enabled.
 */}}
-{{- define "openbao.injectorEnabled" -}}
+{{- define "vault.injectorEnabled" -}}
 {{- $_ := set . "injectorEnabled" (or
  (eq (.Values.injector.enabled | toString) "true")
  (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -64,7 +64,7 @@ Compute if the injector is enabled.
 {{/*
 Compute if the server is enabled.
 */}}
-{{- define "openbao.serverEnabled" -}}
+{{- define "vault.serverEnabled" -}}
 {{- $_ := set . "serverEnabled" (or
  (eq (.Values.server.enabled | toString) "true")
  (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -73,7 +73,7 @@ Compute if the server is enabled.
 {{/*
 Compute if the server serviceaccount is enabled.
 */}}
-{{- define "openbao.serverServiceAccountEnabled" -}}
+{{- define "vault.serverServiceAccountEnabled" -}}
 {{- $_ := set . "serverServiceAccountEnabled"
  (and
    (eq (.Values.server.serviceAccount.create | toString) "true" )
@ -85,7 +85,7 @@ Compute if the server serviceaccount is enabled.
 {{/*
 Compute if the server serviceaccount should have a token created and mounted to the serviceaccount.
 */}}
-{{- define "openbao.serverServiceAccountSecretCreationEnabled" -}}
+{{- define "vault.serverServiceAccountSecretCreationEnabled" -}}
 {{- $_ := set . "serverServiceAccountSecretCreationEnabled"
  (and
    (eq (.Values.server.serviceAccount.create | toString) "true")
@ -96,7 +96,7 @@ Compute if the server serviceaccount should have a token created and mounted to
 {{/*
 Compute if the server auth delegator serviceaccount is enabled.
 */}}
-{{- define "openbao.serverAuthDelegator" -}}
+{{- define "vault.serverAuthDelegator" -}}
 {{- $_ := set . "serverAuthDelegator"
  (and
    (eq (.Values.server.authDelegator.enabled | toString) "true" )
@ -110,15 +110,15 @@ Compute if the server auth delegator serviceaccount is enabled.
 {{/*
 Compute if the server service is enabled.
 */}}
-{{- define "openbao.serverServiceEnabled" -}}
-{{- template "openbao.serverEnabled" . -}}
+{{- define "vault.serverServiceEnabled" -}}
+{{- template "vault.serverEnabled" . -}}
 {{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
 {{- end -}}

 {{/*
 Compute if the ui is enabled.
 */}}
-{{- define "openbao.uiEnabled" -}}
+{{- define "vault.uiEnabled" -}}
 {{- $_ := set . "uiEnabled" (or
  (eq (.Values.ui.enabled | toString) "true")
  (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
@ -129,7 +129,7 @@ Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
 This defaults to (n/2)-1 where n is the number of members of the server cluster.
 Add a special case for replicas=1, where it should default to 0 as well.
 */}}
-{{- define "openbao.pdb.maxUnavailable" -}}
+{{- define "vault.pdb.maxUnavailable" -}}
 {{- if eq (int .Values.server.ha.replicas) 1 -}}
 {{ 0 }}
 {{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}}
@ -143,8 +143,8 @@ Add a special case for replicas=1, where it should default to 0 as well.
 Set the variable 'mode' to the server mode requested by the user to simplify
 template logic.
 */}}
-{{- define "openbao.mode" -}}
-  {{- template "openbao.serverEnabled" . -}}
+{{- define "vault.mode" -}}
+  {{- template "vault.serverEnabled" . -}}
  {{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}}
    {{- $_ := set . "mode" "external" -}}
  {{- else if not .serverEnabled -}}
@ -163,7 +163,7 @@ template logic.
 {{/*
 Set's the replica count based on the different modes configured by user
 */}}
-{{- define "openbao.replicas" -}}
+{{- define "vault.replicas" -}}
  {{ if eq .mode "standalone" }}
    {{- default 1 -}}
  {{ else if eq .mode "ha" }}
@ -182,11 +182,11 @@ Set's up configmap mounts if this isn't a dev deployment and the user
 defined a custom configuration.  Additionally iterates over any
 extra volumes the user may have specified (such as a secret with TLS).
 */}}
-{{- define "openbao.volumes" -}}
+{{- define "vault.volumes" -}}
  {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
        - name: config
          configMap:
-            name: {{ template "openbao.fullname" . }}-config
+            name: {{ template "vault.fullname" . }}-config
  {{ end }}
  {{- range .Values.server.extraVolumes }}
        - name: userconfig-{{ .name }}
@ -201,34 +201,40 @@ extra volumes the user may have specified (such as a secret with TLS).
  {{- if .Values.server.volumes }}
    {{- toYaml .Values.server.volumes | nindent 8}}
  {{- end }}
+  {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
+        - name: vault-license
+          secret:
+            secretName: {{ .Values.server.enterpriseLicense.secretName }}
+            defaultMode: 0440
+  {{- end }}
 {{- end -}}

 {{/*
-Set's the args for custom command to render the OpenBao configuration
+Set's the args for custom command to render the Vault configuration
 file with IP addresses to make the out of box experience easier
 for users looking to use this chart with Consul Helm.
 */}}
-{{- define "openbao.args" -}}
+{{- define "vault.args" -}}
  {{ if or (eq .mode "standalone") (eq .mode "ha") }}
          - |
-            cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
+            cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
            [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
            [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
            [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
            [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
            [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
            [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
-            /usr/local/bin/docker-entrypoint.sh bao server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }}
+            /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }}
   {{ else if eq .mode "dev" }}
          - |
-            /usr/local/bin/docker-entrypoint.sh bao server -dev {{ .Values.server.extraArgs }}
+            /usr/local/bin/docker-entrypoint.sh vault server -dev {{ .Values.server.extraArgs }}
  {{ end }}
 {{- end -}}

 {{/*
 Set's additional environment variables based on the mode.
 */}}
-{{- define "openbao.envs" -}}
+{{- define "vault.envs" -}}
  {{ if eq .mode "dev" }}
            - name: VAULT_DEV_ROOT_TOKEN_ID
              value: {{ .Values.server.dev.devRootToken }}
@ -241,7 +247,7 @@ Set's additional environment variables based on the mode.
 Set's which additional volumes should be mounted to the container
 based on the mode configured.
 */}}
-{{- define "openbao.mounts" -}}
+{{- define "vault.mounts" -}}
  {{ if eq (.Values.server.auditStorage.enabled | toString) "true" }}
            - name: audit
              mountPath: {{ .Values.server.auditStorage.mountPath }}
@ -254,16 +260,21 @@ based on the mode configured.
  {{ end }}
  {{ if and (ne .mode "dev") (or (.Values.server.standalone.config)  (.Values.server.ha.config)) }}
            - name: config
-              mountPath: /openbao/config
+              mountPath: /vault/config
  {{ end }}
  {{- range .Values.server.extraVolumes }}
            - name: userconfig-{{ .name }}
              readOnly: true
-              mountPath: {{ .path | default "/openbao/userconfig" }}/{{ .name }}
+              mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }}
  {{- end }}
  {{- if .Values.server.volumeMounts }}
    {{- toYaml .Values.server.volumeMounts | nindent 12}}
  {{- end }}
+  {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
+            - name: vault-license
+              mountPath: /vault/license
+              readOnly: true
+  {{- end }}
 {{- end -}}

 {{/*
@ -271,14 +282,13 @@ Set's up the volumeClaimTemplates when data or audit storage is required.  HA
 might not use data storage since Consul is likely it's backend, however, audit
 storage might be desired by the user.
 */}}
-{{- define "openbao.volumeclaims" -}}
+{{- define "vault.volumeclaims" -}}
  {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }}
  volumeClaimTemplates:
      {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }}
    - metadata:
        name: data
-        {{- include "openbao.dataVolumeClaim.annotations" . | nindent 6 }}
-        {{- include "openbao.dataVolumeClaim.labels" . | nindent 6 }}
+        {{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }}
      spec:
        accessModes:
          - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }}
@ -292,8 +302,7 @@ storage might be desired by the user.
      {{- if eq (.Values.server.auditStorage.enabled | toString) "true" }}
    - metadata:
        name: audit
-        {{- include "openbao.auditVolumeClaim.annotations" . | nindent 6 }}
-        {{- include "openbao.auditVolumeClaim.labels" . | nindent 6 }}
+        {{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }}
      spec:
        accessModes:
          - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }}
@ -310,7 +319,7 @@ storage might be desired by the user.
 {{/*
 Set's the affinity for pod placement when running in standalone and HA modes.
 */}}
-{{- define "openbao.affinity" -}}
+{{- define "vault.affinity" -}}
  {{- if and (ne .mode "dev") .Values.server.affinity }}
      affinity:
        {{ $tp := typeOf .Values.server.affinity }}
@ -340,7 +349,7 @@ Sets the injector affinity for pod placement
 {{/*
 Sets the topologySpreadConstraints when running in standalone and HA modes.
 */}}
-{{- define "openbao.topologySpreadConstraints" -}}
+{{- define "vault.topologySpreadConstraints" -}}
  {{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{ $tp := typeOf .Values.server.topologySpreadConstraints }}
@ -371,7 +380,7 @@ Sets the injector topologySpreadConstraints for pod placement
 {{/*
 Sets the toleration for pod placement when running in standalone and HA modes.
 */}}
-{{- define "openbao.tolerations" -}}
+{{- define "vault.tolerations" -}}
  {{- if and (ne .mode "dev") .Values.server.tolerations }}
      tolerations:
      {{- $tp := typeOf .Values.server.tolerations }}
@ -401,7 +410,7 @@ Sets the injector toleration for pod placement
 {{/*
 Set's the node selector for pod placement when running in standalone and HA modes.
 */}}
-{{- define "openbao.nodeselector" -}}
+{{- define "vault.nodeselector" -}}
  {{- if and (ne .mode "dev") .Values.server.nodeSelector }}
      nodeSelector:
      {{- $tp := typeOf .Values.server.nodeSelector }}
@ -446,12 +455,9 @@ Sets the injector deployment update strategy
 {{/*
 Sets extra pod annotations
 */}}
-{{- define "openbao.annotations" }}
-      annotations:
-  {{- if .Values.server.includeConfigAnnotation }}
-        openbao.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }}
-  {{- end }}
+{{- define "vault.annotations" -}}
  {{- if .Values.server.annotations }}
+      annotations:
        {{- $tp := typeOf .Values.server.annotations }}
        {{- if eq $tp "string" }}
          {{- tpl .Values.server.annotations . | nindent 8 }}
@ -555,7 +561,7 @@ securityContext for the statefulset pod template.
 {{- end -}}

 {{/*
-securityContext for the statefulset openbao container
+securityContext for the statefulset vault container
 */}}
 {{- define "server.statefulSet.securityContext.container" -}}
  {{- if .Values.server.statefulSet.securityContext.container }}
@ -622,7 +628,7 @@ Set's the injector webhook objectSelector
 {{/*
 Sets extra ui service annotations
 */}}
-{{- define "openbao.ui.annotations" -}}
+{{- define "vault.ui.annotations" -}}
  {{- if .Values.ui.annotations }}
  annotations:
    {{- $tp := typeOf .Values.ui.annotations }}
@ -637,9 +643,9 @@ Sets extra ui service annotations
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "openbao.serviceAccount.name" -}}
+{{- define "vault.serviceAccount.name" -}}
 {{- if .Values.server.serviceAccount.create -}}
-    {{ default (include "openbao.fullname" .) .Values.server.serviceAccount.name }}
+    {{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }}
 {{- else -}}
    {{ default "default" .Values.server.serviceAccount.name }}
 {{- end -}}
@ -648,7 +654,7 @@ Create the name of the service account to use
 {{/*
 Sets extra service account annotations
 */}}
-{{- define "openbao.serviceAccount.annotations" -}}
+{{- define "vault.serviceAccount.annotations" -}}
  {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }}
  annotations:
    {{- $tp := typeOf .Values.server.serviceAccount.annotations }}
@ -663,7 +669,7 @@ Sets extra service account annotations
 {{/*
 Sets extra ingress annotations
 */}}
-{{- define "openbao.ingress.annotations" -}}
+{{- define "vault.ingress.annotations" -}}
  {{- if .Values.server.ingress.annotations }}
  annotations:
    {{- $tp := typeOf .Values.server.ingress.annotations }}
@ -678,7 +684,7 @@ Sets extra ingress annotations
 {{/*
 Sets extra route annotations
 */}}
-{{- define "openbao.route.annotations" -}}
+{{- define "vault.route.annotations" -}}
  {{- if .Values.server.route.annotations }}
  annotations:
    {{- $tp := typeOf .Values.server.route.annotations }}
@ -691,9 +697,9 @@ Sets extra route annotations
 {{- end -}}

 {{/*
-Sets extra openbao server Service annotations
+Sets extra vault server Service annotations
 */}}
-{{- define "openbao.service.annotations" -}}
+{{- define "vault.service.annotations" -}}
  {{- if .Values.server.service.annotations }}
    {{- $tp := typeOf .Values.server.service.annotations }}
    {{- if eq $tp "string" }}
@ -705,9 +711,9 @@ Sets extra openbao server Service annotations
 {{- end -}}

 {{/*
-Sets extra openbao server Service (active) annotations
+Sets extra vault server Service (active) annotations
 */}}
-{{- define "openbao.service.active.annotations" -}}
+{{- define "vault.service.active.annotations" -}}
  {{- if .Values.server.service.active.annotations }}
    {{- $tp := typeOf .Values.server.service.active.annotations }}
    {{- if eq $tp "string" }}
@ -718,9 +724,9 @@ Sets extra openbao server Service (active) annotations
  {{- end }}
 {{- end -}}
 {{/*
-Sets extra openbao server Service annotations
+Sets extra vault server Service annotations
 */}}
-{{- define "openbao.service.standby.annotations" -}}
+{{- define "vault.service.standby.annotations" -}}
  {{- if .Values.server.service.standby.annotations }}
    {{- $tp := typeOf .Values.server.service.standby.annotations }}
    {{- if eq $tp "string" }}
@ -734,7 +740,7 @@ Sets extra openbao server Service annotations
 {{/*
 Sets PodSecurityPolicy annotations
 */}}
-{{- define "openbao.psp.annotations" -}}
+{{- define "vault.psp.annotations" -}}
  {{- if .Values.global.psp.annotations }}
  annotations:
    {{- $tp := typeOf .Values.global.psp.annotations }}
@ -749,7 +755,7 @@ Sets PodSecurityPolicy annotations
 {{/*
 Sets extra statefulset annotations
 */}}
-{{- define "openbao.statefulSet.annotations" -}}
+{{- define "vault.statefulSet.annotations" -}}
  {{- if .Values.server.statefulSet.annotations }}
  annotations:
    {{- $tp := typeOf .Values.server.statefulSet.annotations }}
@ -764,7 +770,7 @@ Sets extra statefulset annotations
 {{/*
 Sets VolumeClaim annotations for data volume
 */}}
-{{- define "openbao.dataVolumeClaim.annotations" -}}
+{{- define "vault.dataVolumeClaim.annotations" -}}
  {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }}
  annotations:
    {{- $tp := typeOf .Values.server.dataStorage.annotations }}
@ -776,25 +782,10 @@ Sets VolumeClaim annotations for data volume
  {{- end }}
 {{- end -}}

-{{/*
-Sets VolumeClaim labels for data volume
-*/}}
-{{- define "openbao.dataVolumeClaim.labels" -}}
-  {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }}
-  labels:
-    {{- $tp := typeOf .Values.server.dataStorage.labels }}
-    {{- if eq $tp "string" }}
-      {{- tpl .Values.server.dataStorage.labels . | nindent 4 }}
-    {{- else }}
-      {{- toYaml .Values.server.dataStorage.labels | nindent 4 }}
-    {{- end }}
-  {{- end }}
-{{- end -}}
-
 {{/*
 Sets VolumeClaim annotations for audit volume
 */}}
-{{- define "openbao.auditVolumeClaim.annotations" -}}
+{{- define "vault.auditVolumeClaim.annotations" -}}
  {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }}
  annotations:
    {{- $tp := typeOf .Values.server.auditStorage.annotations }}
@ -806,25 +797,10 @@ Sets VolumeClaim annotations for audit volume
  {{- end }}
 {{- end -}}

-{{/*
-Sets VolumeClaim labels for audit volume
-*/}}
-{{- define "openbao.auditVolumeClaim.labels" -}}
-  {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }}
-  labels:
-    {{- $tp := typeOf .Values.server.auditStorage.labels }}
-    {{- if eq $tp "string" }}
-      {{- tpl .Values.server.auditStorage.labels . | nindent 4 }}
-    {{- else }}
-      {{- toYaml .Values.server.auditStorage.labels | nindent 4 }}
-    {{- end }}
-  {{- end }}
-{{- end -}}
-
 {{/*
 Set's the container resources if the user has set any.
 */}}
-{{- define "openbao.resources" -}}
+{{- define "vault.resources" -}}
  {{- if .Values.server.resources -}}
          resources:
 {{ toYaml .Values.server.resources | indent 12}}
@ -983,7 +959,7 @@ Sets extra CSI service account annotations
 {{/*
 Inject extra environment vars in the format key:value, if populated
 */}}
-{{- define "openbao.extraEnvironmentVars" -}}
+{{- define "vault.extraEnvironmentVars" -}}
 {{- if .extraEnvironmentVars -}}
 {{- range $key, $value := .extraEnvironmentVars }}
 - name: {{ printf "%s" $key | replace "." "_" | upper | quote }}
@ -995,7 +971,7 @@ Inject extra environment vars in the format key:value, if populated
 {{/*
 Inject extra environment populated by secrets, if populated
 */}}
-{{- define "openbao.extraSecretEnvironmentVars" -}}
+{{- define "vault.extraSecretEnvironmentVars" -}}
 {{- if .extraSecretEnvironmentVars -}}
 {{- range .extraSecretEnvironmentVars }}
 - name: {{ .envName }}
@ -1008,7 +984,7 @@ Inject extra environment populated by secrets, if populated
 {{- end -}}

 {{/* Scheme for health check and local endpoint */}}
-{{- define "openbao.scheme" -}}
+{{- define "vault.scheme" -}}
 {{- if .Values.global.tlsDisable -}}
 {{ "http" }}
 {{- else -}}
@ -1067,28 +1043,3 @@ Supported inputs are Values.ui
 {{- end -}}
 {{- end }}
 {{- end -}}
-
-{{/*
-config file from values
-*/}}
-{{- define "openbao.config" -}}
-  {{- if or (eq .mode "ha") (eq .mode "standalone") }}
-  {{- $type := typeOf (index .Values.server .mode).config }}
-  {{- if eq $type "string" }}
-    disable_mlock = true
-  {{- if eq .mode "standalone" }}
-    {{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
-  {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }}
-    {{ tpl .Values.server.ha.config . | nindent 4 | trim }}
-  {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
-    {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }}
-  {{ end }}
-  {{- else }}
-  {{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
-{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }}
-  {{- else }}
-{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }}
-  {{- end }}
-  {{- end }}
-  {{- end }}
-{{- end -}}
--- a/charts/openbao/templates/csi-agent-configmap.yaml
+++ b/charts/openbao/templates/csi-agent-configmap.yaml
@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.csiEnabled" . -}}
+{{- template "vault.csiEnabled" . -}}
 {{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ template "openbao.fullname" . }}-csi-provider-agent-config
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-csi-provider-agent-config
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 data:
@ -21,7 +21,7 @@ data:
        {{- if .Values.global.externalVaultAddr }}
        "address" = "{{ .Values.global.externalVaultAddr }}"
        {{- else }}
-        "address" = "{{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}"
+        "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}"
        {{- end }}
    }

--- a/charts/openbao/templates/csi-clusterrole.yaml
+++ b/charts/openbao/templates/csi-clusterrole.yaml
@ -3,14 +3,14 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.csiEnabled" . -}}
+{{- template "vault.csiEnabled" . -}}
 {{- if .csiEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole
+  name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 rules:
--- a/charts/openbao/templates/csi-clusterrolebinding.yaml
+++ b/charts/openbao/templates/csi-clusterrolebinding.yaml
@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.csiEnabled" . -}}
+{{- template "vault.csiEnabled" . -}}
 {{- if .csiEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ template "openbao.fullname" . }}-csi-provider-clusterrolebinding
+  name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole
+  name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
 subjects:
 - kind: ServiceAccount
-  name: {{ template "openbao.fullname" . }}-csi-provider
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-csi-provider
+  namespace: {{ include "vault.namespace" . }}
 {{- end }}
--- a/charts/openbao/templates/csi-daemonset.yaml
+++ b/charts/openbao/templates/csi-daemonset.yaml
@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.csiEnabled" . -}}
+{{- template "vault.csiEnabled" . -}}
 {{- if .csiEnabled -}}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  name: {{ template "openbao.fullname" . }}-csi-provider
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-csi-provider
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    {{- if  .Values.csi.daemonSet.extraLabels -}}
@ -27,12 +27,12 @@ spec:
    {{- end }}
  selector:
    matchLabels:
-      app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+      app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
      app.kubernetes.io/instance: {{ .Release.Name }}
  template:
    metadata:
      labels:
-        app.kubernetes.io/name: {{ template "openbao.name" . }}-csi-provider
+        app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
        app.kubernetes.io/instance: {{ .Release.Name }}
        {{- if  .Values.csi.pod.extraLabels -}}
          {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
@ -43,15 +43,15 @@ spec:
      {{- if .Values.csi.priorityClassName }}
      priorityClassName: {{ .Values.csi.priorityClassName }}
      {{- end }}
-      serviceAccountName: {{ template "openbao.fullname" . }}-csi-provider
+      serviceAccountName: {{ template "vault.fullname" . }}-csi-provider
      {{- template "csi.pod.tolerations" . }}
      {{- template "csi.pod.nodeselector" . }}
      {{- template "csi.pod.affinity" . }}
      containers:
-        - name: {{ include "openbao.name" . }}-csi-provider
+        - name: {{ include "vault.name" . }}-csi-provider
          {{ template "csi.resources" . }}
          {{ template "csi.daemonSet.securityContext.container" . }}
-          image: "{{ .Values.csi.image.registry | default "docker.io" }}/{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
+          image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
          imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
          args:
            - --endpoint=/provider/vault.sock
@ -59,7 +59,7 @@ spec:
            {{- if .Values.csi.hmacSecretName }}
            - --hmac-secret-name={{ .Values.csi.hmacSecretName }}
            {{- else }}
-            - --hmac-secret-name={{- include "openbao.name" . }}-csi-provider-hmac-key
+            - --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key
            {{- end }}
            {{- if .Values.csi.extraArgs }}
            {{- toYaml .Values.csi.extraArgs | nindent 12 }}
@ -71,7 +71,7 @@ spec:
            {{- else if .Values.global.externalVaultAddr }}
              value: "{{ .Values.global.externalVaultAddr }}"
            {{- else }}
-              value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
+              value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
            {{- end }}
          volumeMounts:
            - name: providervol
@ -102,12 +102,12 @@ spec:
            successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
            timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
        {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
-        - name: {{ include "openbao.name" . }}-agent
-          image: "{{ .Values.csi.agent.image.registry | default "docker.io" }}/{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
+        - name: {{ include "vault.name" . }}-agent
+          image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
          imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }}
          {{ template "csi.agent.resources" . }}
          command:
-            - bao
+            - vault
          args:
            - agent
            - -config=/etc/vault/config.hcl
@ -117,9 +117,9 @@ spec:
          ports:
            - containerPort: 8200
          env:
-            - name: BAO_LOG_LEVEL
+            - name: VAULT_LOG_LEVEL
              value: "{{ .Values.csi.agent.logLevel }}"
-            - name: BAO_LOG_FORMAT
+            - name: VAULT_LOG_FORMAT
              value: "{{ .Values.csi.agent.logFormat }}"
          securityContext:
            runAsNonRoot: true
@ -145,7 +145,7 @@ spec:
        {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
        - name: agent-config
          configMap:
-            name: {{ template "openbao.fullname" . }}-csi-provider-agent-config
+            name: {{ template "vault.fullname" . }}-csi-provider-agent-config
        - name: agent-unix-socket
          emptyDir:
            medium: Memory
--- a/charts/openbao/templates/csi-role.yaml
+++ b/charts/openbao/templates/csi-role.yaml
@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.csiEnabled" . -}}
+{{- template "vault.csiEnabled" . -}}
 {{- if .csiEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ template "openbao.fullname" . }}-csi-provider-role
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-csi-provider-role
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 rules:
@ -22,7 +22,7 @@ rules:
    {{- if .Values.csi.hmacSecretName }}
    - {{ .Values.csi.hmacSecretName }}
    {{- else }}
-    - {{ include "openbao.name" . }}-csi-provider-hmac-key
+    - {{ include "vault.name" . }}-csi-provider-hmac-key
    {{- end }}
 # 'create' permissions cannot be restricted by resource name:
 # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
--- a/templates/csi-rolebinding.yaml
+++ b/templates/csi-rolebinding.yaml
@ -0,0 +1,25 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "vault.fullname" . }}-csi-provider-rolebinding
+  namespace: {{ include "vault.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "vault.fullname" . }}-csi-provider-role
+subjects:
+- kind: ServiceAccount
+  name: {{ template "vault.fullname" . }}-csi-provider
+  namespace: {{ include "vault.namespace" . }}
+{{- end }}
--- a/charts/openbao/templates/csi-serviceaccount.yaml
+++ b/charts/openbao/templates/csi-serviceaccount.yaml
@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.csiEnabled" . -}}
+{{- template "vault.csiEnabled" . -}}
 {{- if .csiEnabled -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ template "openbao.fullname" . }}-csi-provider
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-csi-provider
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    {{- if  .Values.csi.serviceAccount.extraLabels -}}
--- a/charts/openbao/templates/injector-certs-secret.yaml
+++ b/charts/openbao/templates/injector-certs-secret.yaml
@ -3,17 +3,17 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.injectorEnabled" . -}}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: openbao-injector-certs
-  namespace: {{ include "openbao.namespace" . }}
+  name: vault-injector-certs
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
-{{- end }}
+{{- end }}
--- a/charts/openbao/templates/injector-clusterrole.yaml
+++ b/charts/openbao/templates/injector-clusterrole.yaml
@ -3,14 +3,14 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.injectorEnabled" . -}}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole
+  name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 rules:
@ -21,10 +21,4 @@ rules:
    - "list"
    - "watch"
    - "patch"
-{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
- apiGroups: [""]
-  resources: ["nodes"]
-  verbs:
-    - "get"
-{{ end }}
 {{ end }}
--- a/charts/openbao/templates/injector-clusterrolebinding.yaml
+++ b/charts/openbao/templates/injector-clusterrolebinding.yaml
@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.injectorEnabled" . -}}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ template "openbao.fullname" . }}-agent-injector-binding
+  name: {{ template "vault.fullname" . }}-agent-injector-binding
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole
+  name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
 subjects:
 - kind: ServiceAccount
-  name: {{ template "openbao.fullname" . }}-agent-injector
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-agent-injector
+  namespace: {{ include "vault.namespace" . }}
 {{ end }}
--- a/charts/openbao/templates/injector-deployment.yaml
+++ b/charts/openbao/templates/injector-deployment.yaml
@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.injectorEnabled" . -}}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 # Deployment for the injector
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ template "openbao.fullname" . }}-agent-injector
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-agent-injector
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    component: webhook
@ -20,14 +20,14 @@ spec:
  replicas: {{ .Values.injector.replicas }}
  selector:
    matchLabels:
-      app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
+      app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
      app.kubernetes.io/instance: {{ .Release.Name }}
      component: webhook
  {{ template "injector.strategy" . }}
  template:
    metadata:
      labels:
-        app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
+        app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
        app.kubernetes.io/instance: {{ .Release.Name }}
        component: webhook
        {{- if  .Values.injector.extraLabels -}}
@ -42,7 +42,7 @@ spec:
      {{- if .Values.injector.priorityClassName }}
      priorityClassName: {{ .Values.injector.priorityClassName }}
      {{- end }}
-      serviceAccountName: "{{ template "openbao.fullname" . }}-agent-injector"
+      serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
      {{ template "injector.securityContext.pod" . -}}
      {{- if not .Values.global.openshift }}
      hostNetwork: {{ .Values.injector.hostNetwork }}
@ -50,7 +50,7 @@ spec:
      containers:
        - name: sidecar-injector
          {{ template "injector.resources" . }}
-          image: "{{ .Values.injector.image.registry | default "docker.io" }}/{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
+          image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
          imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
          {{- template "injector.securityContext.container" . }}
          env:
@ -64,12 +64,12 @@ spec:
            {{- else if .Values.injector.externalVaultAddr }}
              value: "{{ .Values.injector.externalVaultAddr }}"
            {{- else }}
-              value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
+              value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
            {{- end }}
            - name: AGENT_INJECT_VAULT_AUTH_PATH
              value: {{ .Values.injector.authPath }}
            - name: AGENT_INJECT_VAULT_IMAGE
-              value: "{{ .Values.injector.image.registry | default "quay.io" }}/{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
+              value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
            {{- if .Values.injector.certs.secretName }}
            - name: AGENT_INJECT_TLS_CERT_FILE
              value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}"
@ -77,9 +77,9 @@ spec:
              value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}"
            {{- else }}
            - name: AGENT_INJECT_TLS_AUTO
-              value: {{ template "openbao.fullname" . }}-agent-injector-cfg
+              value: {{ template "vault.fullname" . }}-agent-injector-cfg
            - name: AGENT_INJECT_TLS_AUTO_HOSTS
-              value: {{ template "openbao.fullname" . }}-agent-injector-svc,{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }},{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }}.svc
+              value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }}.svc
            {{- end }}
            - name: AGENT_INJECT_LOG_FORMAT
              value: {{ .Values.injector.logFormat | default "standard" }}
@ -125,7 +125,7 @@ spec:
            - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL
              value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}"
            {{- end }}
-            {{- include "openbao.extraEnvironmentVars" .Values.injector | nindent 12 }}
+            {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
            - name: POD_NAME
              valueFrom:
                fieldRef:
--- a/charts/openbao/templates/injector-disruptionbudget.yaml
+++ b/charts/openbao/templates/injector-disruptionbudget.yaml
@ -7,18 +7,18 @@ SPDX-License-Identifier: MPL-2.0
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
-  name: {{ template "openbao.fullname" . }}-agent-injector
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-agent-injector
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    component: webhook
 spec:
  selector:
    matchLabels:
-      app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
+      app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
      app.kubernetes.io/instance: {{ .Release.Name }}
      component: webhook
  {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }}
--- a/charts/openbao/templates/injector-mutating-webhook.yaml
+++ b/charts/openbao/templates/injector-mutating-webhook.yaml
@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.injectorEnabled" . -}}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
 apiVersion: admissionregistration.k8s.io/v1
@ -12,9 +12,9 @@ apiVersion: admissionregistration.k8s.io/v1beta1
 {{- end }}
 kind: MutatingWebhookConfiguration
 metadata:
-  name: {{ template "openbao.fullname" . }}-agent-injector-cfg
+  name: {{ template "vault.fullname" . }}-agent-injector-cfg
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  {{- template "injector.webhookAnnotations" . }}
@ -27,8 +27,8 @@ webhooks:
    admissionReviewVersions: ["v1", "v1beta1"]
    clientConfig:
      service:
-        name: {{ template "openbao.fullname" . }}-agent-injector-svc
-        namespace: {{ include "openbao.namespace" . }}
+        name: {{ template "vault.fullname" . }}-agent-injector-svc
+        namespace: {{ include "vault.namespace" . }}
        path: "/mutate"
      caBundle: {{ .Values.injector.certs.caBundle | quote }}
    rules:
--- a/charts/openbao/templates/injector-network-policy.yaml
+++ b/charts/openbao/templates/injector-network-policy.yaml
@ -3,20 +3,20 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.injectorEnabled" . -}}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if eq (.Values.global.openshift | toString) "true" }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: {{ template "openbao.fullname" . }}-agent-injector
+  name: {{ template "vault.fullname" . }}-agent-injector
  labels:
-    app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
+    app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
 spec:
  podSelector:
    matchLabels:
-      app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
+      app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
      app.kubernetes.io/instance: {{ .Release.Name }}
      component: webhook
  ingress:
--- a/charts/openbao/templates/injector-psp-role.yaml
+++ b/charts/openbao/templates/injector-psp-role.yaml
@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.injectorEnabled" . -}}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if eq (.Values.global.psp.enable | toString) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ template "openbao.fullname" . }}-agent-injector-psp
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-agent-injector-psp
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 rules:
@ -20,6 +20,6 @@ rules:
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
-    - {{ template "openbao.fullname" . }}-agent-injector
+    - {{ template "vault.fullname" . }}-agent-injector
 {{- end }}
 {{- end }}
--- a/charts/openbao/templates/injector-psp-rolebinding.yaml
+++ b/charts/openbao/templates/injector-psp-rolebinding.yaml
@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.injectorEnabled" . -}}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if eq (.Values.global.psp.enable | toString) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ template "openbao.fullname" . }}-agent-injector-psp
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-agent-injector-psp
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 roleRef:
  kind: Role
-  name: {{ template "openbao.fullname" . }}-agent-injector-psp
+  name: {{ template "vault.fullname" . }}-agent-injector-psp
  apiGroup: rbac.authorization.k8s.io
 subjects:
  - kind: ServiceAccount
-    name: {{ template "openbao.fullname" . }}-agent-injector
+    name: {{ template "vault.fullname" . }}-agent-injector
 {{- end }}
 {{- end }}
--- a/charts/openbao/templates/injector-psp.yaml
+++ b/charts/openbao/templates/injector-psp.yaml
@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.injectorEnabled" . -}}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if eq (.Values.global.psp.enable | toString) "true" }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
-  name: {{ template "openbao.fullname" . }}-agent-injector
+  name: {{ template "vault.fullname" . }}-agent-injector
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- template "openbao.psp.annotations" . }}
+{{- template "vault.psp.annotations" . }}
 spec:
  privileged: false
  # Required to prevent escalations to root.
--- a/charts/openbao/templates/injector-role.yaml
+++ b/charts/openbao/templates/injector-role.yaml
@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.injectorEnabled" . -}}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 rules:
--- a/charts/openbao/templates/injector-rolebinding.yaml
+++ b/charts/openbao/templates/injector-rolebinding.yaml
@ -3,25 +3,25 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.injectorEnabled" . -}}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-binding
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
-  name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role
+  name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
 subjects:
  - kind: ServiceAccount
-    name: {{ template "openbao.fullname" . }}-agent-injector
-    namespace: {{ include "openbao.namespace" . }}
+    name: {{ template "vault.fullname" . }}-agent-injector
+    namespace: {{ include "vault.namespace" . }}
 {{- end }}
 {{- end }}
--- a/charts/openbao/templates/injector-service.yaml
+++ b/charts/openbao/templates/injector-service.yaml
@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.injectorEnabled" . -}}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ template "openbao.fullname" . }}-agent-injector-svc
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-agent-injector-svc
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  {{ template "injector.service.annotations" . }}
@ -21,7 +21,7 @@ spec:
    port: 443
    targetPort: {{ .Values.injector.port }}
  selector:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    component: webhook
 {{- end }}
--- a/charts/openbao/templates/injector-serviceaccount.yaml
+++ b/charts/openbao/templates/injector-serviceaccount.yaml
@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{- template "openbao.injectorEnabled" . -}}
+{{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ template "openbao.fullname" . }}-agent-injector
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-agent-injector
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  {{ template "injector.serviceAccount.annotations" . }}
--- a/charts/openbao/templates/prometheus-prometheusrules.yaml
+++ b/charts/openbao/templates/prometheus-prometheusrules.yaml
@ -10,10 +10,10 @@ SPDX-License-Identifier: MPL-2.0
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
-  name: {{ template "openbao.fullname" . }}
+  name: {{ template "vault.fullname" . }}
  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
@ -25,7 +25,7 @@ metadata:
    {{- end }}
 spec:
  groups:
-  - name: {{ include "openbao.fullname" . }}
+  - name: {{ include "vault.fullname" . }}
    rules:
      {{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }}
 {{- end }}
--- a/charts/openbao/templates/prometheus-servicemonitor.yaml
+++ b/charts/openbao/templates/prometheus-servicemonitor.yaml
@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{ template "openbao.mode" . }}
+{{ template "vault.mode" . }}
 {{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }}
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
-  name: {{ template "openbao.fullname" . }}
+  name: {{ template "vault.fullname" . }}
  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
@ -25,18 +25,18 @@ metadata:
 spec:
  selector:
    matchLabels:
-      app.kubernetes.io/name: {{ template "openbao.name" . }}
+      app.kubernetes.io/name: {{ template "vault.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
      {{- if eq .mode "ha" }}
-      openbao-active: "true"
+      vault-active: "true"
      {{- else }}
-      openbao-internal: "true"
+      vault-internal: "true"
      {{- end }}
  endpoints:
-  - port: {{ include "openbao.scheme" . }}
+  - port: {{ include "vault.scheme" . }}
    interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
    scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
-    scheme: {{ include "openbao.scheme" . | lower }}
+    scheme: {{ include "vault.scheme" . | lower }}
    path: /v1/sys/metrics
    params:
      format:
@ -45,5 +45,5 @@ spec:
      insecureSkipVerify: true
  namespaceSelector:
    matchNames:
-      - {{ include "openbao.namespace" . }}
+      - {{ include "vault.namespace" . }}
 {{ end }}
--- a/charts/openbao/templates/server-clusterrolebinding.yaml
+++ b/charts/openbao/templates/server-clusterrolebinding.yaml
@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{ template "openbao.serverAuthDelegator" . }}
+{{ template "vault.serverAuthDelegator" . }}
 {{- if .serverAuthDelegator -}}
 {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
 apiVersion: rbac.authorization.k8s.io/v1
@ -12,10 +12,10 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
 {{- end }}
 kind: ClusterRoleBinding
 metadata:
-  name: {{ template "openbao.fullname" . }}-server-binding
+  name: {{ template "vault.fullname" . }}-server-binding
  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 roleRef:
@ -24,6 +24,6 @@ roleRef:
  name: system:auth-delegator
 subjects:
 - kind: ServiceAccount
-  name: {{ template "openbao.serviceAccount.name" . }}
-  namespace: {{ include "openbao.namespace" . }}
-{{ end }}
+  name: {{ template "vault.serviceAccount.name" . }}
+  namespace: {{ include "vault.namespace" . }}
+{{ end }}
--- a/templates/server-config-configmap.yaml
+++ b/templates/server-config-configmap.yaml
@ -0,0 +1,45 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
+{{- if .serverEnabled -}}
+{{- if ne .mode "dev" -}}
+{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "vault.fullname" . }}-config
+  namespace: {{ include "vault.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+data:
+  extraconfig-from-values.hcl: |-
+  {{- if or (eq .mode "ha") (eq .mode "standalone") }}
+  {{- $type := typeOf (index .Values.server .mode).config }}
+  {{- if eq $type "string" }}
+    disable_mlock = true
+  {{- if eq .mode "standalone" }}
+    {{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
+  {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }}
+    {{ tpl .Values.server.ha.config . | nindent 4 | trim }}
+  {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
+    {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }}
+  {{ end }}
+  {{- else }}
+  {{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
+{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }}
+  {{- else }}
+{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
--- a/charts/openbao/templates/server-discovery-role.yaml
+++ b/charts/openbao/templates/server-discovery-role.yaml
@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{ template "openbao.mode" . }}
+{{ template "vault.mode" . }}
 {{- if .serverEnabled -}}
 {{- if eq .mode "ha" }}
 {{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  namespace: {{ include "openbao.namespace" . }}
-  name: {{ template "openbao.fullname" . }}-discovery-role
+  namespace: {{ include "vault.namespace" . }}
+  name: {{ template "vault.fullname" . }}-discovery-role
  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 rules:
--- a/charts/openbao/templates/server-discovery-rolebinding.yaml
+++ b/charts/openbao/templates/server-discovery-rolebinding.yaml
@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{ template "openbao.mode" . }}
+{{ template "vault.mode" . }}
 {{- if .serverEnabled -}}
 {{- if eq .mode "ha" }}
 {{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
@ -14,21 +14,21 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
 {{- end }}
 kind: RoleBinding
 metadata:
-  name: {{ template "openbao.fullname" . }}-discovery-rolebinding
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-discovery-rolebinding
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
-  name: {{ template "openbao.fullname" . }}-discovery-role
+  name: {{ template "vault.fullname" . }}-discovery-role
 subjects:
 - kind: ServiceAccount
-  name: {{ template "openbao.serviceAccount.name" . }}
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.serviceAccount.name" . }}
+  namespace: {{ include "vault.namespace" . }}
 {{ end }}
 {{ end }}
 {{ end }}
--- a/charts/openbao/templates/server-disruptionbudget.yaml
+++ b/charts/openbao/templates/server-disruptionbudget.yaml
@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{ template "openbao.mode" . }}
+{{ template "vault.mode" . }}
 {{- if ne .mode "external" -}}
 {{- if .serverEnabled -}}
 {{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
@ -12,18 +12,18 @@ SPDX-License-Identifier: MPL-2.0
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
-  name: {{ template "openbao.fullname" . }}
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
-  maxUnavailable: {{ template "openbao.pdb.maxUnavailable" . }}
+  maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
  selector:
    matchLabels:
-      app.kubernetes.io/name: {{ include "openbao.name" . }}
+      app.kubernetes.io/name: {{ include "vault.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
      component: server
 {{- end -}}
--- a/charts/openbao/templates/server-ha-active-service.yaml
+++ b/charts/openbao/templates/server-ha-active-service.yaml
@ -3,27 +3,27 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{ template "openbao.mode" . }}
+{{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- template "openbao.serverServiceEnabled" . -}}
+{{- template "vault.serverServiceEnabled" . -}}
 {{- if .serverServiceEnabled -}}
 {{- if eq .mode "ha" }}
 {{- if eq (.Values.server.service.active.enabled | toString) "true" }}
-# Service for active OpenBao pod
+# Service for active Vault pod
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ template "openbao.fullname" . }}-active
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-active
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    openbao-active: "true"
+    vault-active: "true"
  annotations:
-{{- template "openbao.service.active.annotations" . }}
-{{- template "openbao.service.annotations" . }}
+{{- template "vault.service.active.annotations" . }}
+{{- template "vault.service.annotations" . }}
 spec:
  {{- if .Values.server.service.type}}
  type: {{ .Values.server.service.type }}
@ -42,7 +42,7 @@ spec:
  {{- include "service.externalTrafficPolicy" .Values.server.service }}
  publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
  ports:
-    - name: {{ include "openbao.scheme" . }}
+    - name: {{ include "vault.scheme" . }}
      port: {{ .Values.server.service.port }}
      targetPort: {{ .Values.server.service.targetPort }}
      {{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
@ -52,12 +52,12 @@ spec:
      port: 8201
      targetPort: 8201
  selector:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    {{- end }}
    component: server
-    openbao-active: "true"
+    vault-active: "true"
 {{- end }}
 {{- end }}
 {{- end }}
--- a/charts/openbao/templates/server-ha-standby-service.yaml
+++ b/charts/openbao/templates/server-ha-standby-service.yaml
@ -3,26 +3,26 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{ template "openbao.mode" . }}
+{{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- template "openbao.serverServiceEnabled" . -}}
+{{- template "vault.serverServiceEnabled" . -}}
 {{- if .serverServiceEnabled -}}
 {{- if eq .mode "ha" }}
 {{- if eq (.Values.server.service.standby.enabled | toString) "true" }}
-# Service for standby OpenBao pod
+# Service for standby Vault pod
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ template "openbao.fullname" . }}-standby
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-standby
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  annotations:
-{{- template "openbao.service.standby.annotations" . }}
-{{- template "openbao.service.annotations" . }}
+{{- template "vault.service.standby.annotations" . }}
+{{- template "vault.service.annotations" . }}
 spec:
  {{- if .Values.server.service.type}}
  type: {{ .Values.server.service.type }}
@ -41,7 +41,7 @@ spec:
  {{- include "service.externalTrafficPolicy" .Values.server.service }}
  publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
  ports:
-    - name: {{ include "openbao.scheme" . }}
+    - name: {{ include "vault.scheme" . }}
      port: {{ .Values.server.service.port }}
      targetPort: {{ .Values.server.service.targetPort }}
      {{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
@ -51,12 +51,12 @@ spec:
      port: 8201
      targetPort: 8201
  selector:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    {{- end }}
    component: server
-    openbao-active: "false"
+    vault-active: "false"
 {{- end }}
 {{- end }}
 {{- end }}
--- a/charts/openbao/templates/server-headless-service.yaml
+++ b/charts/openbao/templates/server-headless-service.yaml
@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{ template "openbao.mode" . }}
+{{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- template "openbao.serverServiceEnabled" . -}}
+{{- template "vault.serverServiceEnabled" . -}}
 {{- if .serverServiceEnabled -}}
-# Service for OpenBao cluster
+# Service for Vault cluster
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ template "openbao.fullname" . }}-internal
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-internal
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    openbao-internal: "true"
+    vault-internal: "true"
  annotations:
-{{ template "openbao.service.annotations" .}}
+{{ template "vault.service.annotations" .}}
 spec:
  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
  {{- if .Values.server.service.ipFamilyPolicy }}
@ -33,14 +33,14 @@ spec:
  clusterIP: None
  publishNotReadyAddresses: true
  ports:
-    - name: "{{ include "openbao.scheme" . }}"
+    - name: "{{ include "vault.scheme" . }}"
      port: {{ .Values.server.service.port }}
      targetPort: {{ .Values.server.service.targetPort }}
    - name: https-internal
      port: 8201
      targetPort: 8201
  selector:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    component: server
 {{- end }}
--- a/charts/openbao/templates/server-ingress.yaml
+++ b/charts/openbao/templates/server-ingress.yaml
@ -4,12 +4,12 @@ SPDX-License-Identifier: MPL-2.0
 */}}

 {{- if not .Values.global.openshift }}
-{{ template "openbao.mode" . }}
+{{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
 {{- if .Values.server.ingress.enabled -}}
 {{- $extraPaths := .Values.server.ingress.extraPaths -}}
-{{- $serviceName := include "openbao.fullname" . -}}
-{{- template "openbao.serverServiceEnabled" . -}}
+{{- $serviceName := include "vault.fullname" . -}}
+{{- template "vault.serverServiceEnabled" . -}}
 {{- if .serverServiceEnabled -}}
 {{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
 {{- $serviceName = printf "%s-%s" $serviceName "active" -}}
@ -20,17 +20,17 @@ SPDX-License-Identifier: MPL-2.0
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: {{ template "openbao.fullname" . }}
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    {{- with .Values.server.ingress.labels }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
-  {{- template "openbao.ingress.annotations" . }}
+  {{- template "vault.ingress.annotations" . }}
 spec:
 {{- if .Values.server.ingress.tls }}
  tls:
--- a/charts/openbao/templates/server-network-policy.yaml
+++ b/charts/openbao/templates/server-network-policy.yaml
@ -7,16 +7,23 @@ SPDX-License-Identifier: MPL-2.0
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: {{ template "openbao.fullname" . }}
+  name: {{ template "vault.fullname" . }}
  labels:
-    app.kubernetes.io/name: {{ template "openbao.name" . }}
+    app.kubernetes.io/name: {{ template "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
 spec:
  podSelector:
    matchLabels:
-      app.kubernetes.io/name: {{ template "openbao.name" . }}
+      app.kubernetes.io/name: {{ template "vault.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
-  ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
+  ingress:
+    - from:
+        - namespaceSelector: {}
+      ports:
+      - port: 8200
+        protocol: TCP
+      - port: 8201
+        protocol: TCP
  {{- if .Values.server.networkPolicy.egress }}
  egress:
  {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}
--- a/charts/openbao/templates/server-psp-role.yaml
+++ b/charts/openbao/templates/server-psp-role.yaml
@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{ template "openbao.mode" . }}
+{{ template "vault.mode" . }}
 {{- if .serverEnabled -}}
 {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ template "openbao.fullname" . }}-psp
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-psp
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 rules:
@ -20,6 +20,6 @@ rules:
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
-    - {{ template "openbao.fullname" . }}
+    - {{ template "vault.fullname" . }}
 {{- end }}
 {{- end }}
--- a/charts/openbao/templates/server-psp-rolebinding.yaml
+++ b/charts/openbao/templates/server-psp-rolebinding.yaml
@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{ template "openbao.mode" . }}
+{{ template "vault.mode" . }}
 {{- if .serverEnabled -}}
 {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ template "openbao.fullname" . }}-psp
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-psp
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 roleRef:
  kind: Role
-  name: {{ template "openbao.fullname" . }}-psp
+  name: {{ template "vault.fullname" . }}-psp
  apiGroup: rbac.authorization.k8s.io
 subjects:
  - kind: ServiceAccount
-    name: {{ template "openbao.fullname" . }}
+    name: {{ template "vault.fullname" . }}
 {{- end }}
 {{- end }}
--- a/charts/openbao/templates/server-psp.yaml
+++ b/charts/openbao/templates/server-psp.yaml
@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{ template "openbao.mode" . }}
+{{ template "vault.mode" . }}
 {{- if .serverEnabled -}}
 {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
-  name: {{ template "openbao.fullname" . }}
+  name: {{ template "vault.fullname" . }}
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- template "openbao.psp.annotations" . }}
+{{- template "vault.psp.annotations" . }}
 spec:
  privileged: false
  # Required to prevent escalations to root.
--- a/charts/openbao/templates/server-route.yaml
+++ b/charts/openbao/templates/server-route.yaml
@ -6,24 +6,24 @@ SPDX-License-Identifier: MPL-2.0
 {{- if .Values.global.openshift }}
 {{- if ne .mode "external" }}
 {{- if .Values.server.route.enabled -}}
-{{- $serviceName := include "openbao.fullname" . -}}
+{{- $serviceName := include "vault.fullname" . -}}
 {{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }}
 {{- $serviceName = printf "%s-%s" $serviceName "active" -}}
 {{- end }}
 kind: Route
 apiVersion: route.openshift.io/v1
 metadata:
-  name: {{ template "openbao.fullname" . }}
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    {{- with .Values.server.route.labels }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
-  {{- template "openbao.route.annotations" . }}
+  {{- template "vault.route.annotations" . }}
 spec:
  host: {{ .Values.server.route.host }}
  to:
--- a/charts/openbao/templates/server-service.yaml
+++ b/charts/openbao/templates/server-service.yaml
@ -3,23 +3,23 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{ template "openbao.mode" . }}
+{{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- template "openbao.serverServiceEnabled" . -}}
+{{- template "vault.serverServiceEnabled" . -}}
 {{- if .serverServiceEnabled -}}
-# Service for OpenBao cluster
+# Service for Vault cluster
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ template "openbao.fullname" . }}
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  annotations:
-{{ template "openbao.service.annotations" .}}
+{{ template "vault.service.annotations" .}}
 spec:
  {{- if .Values.server.service.type}}
  type: {{ .Values.server.service.type }}
@ -40,7 +40,7 @@ spec:
  # since this DNS is also used for join operations.
  publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
  ports:
-    - name: {{ include "openbao.scheme" . }}
+    - name: {{ include "vault.scheme" . }}
      port: {{ .Values.server.service.port }}
      targetPort: {{ .Values.server.service.targetPort }}
      {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
@ -50,7 +50,7 @@ spec:
      port: 8201
      targetPort: 8201
  selector:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    {{- end }}
--- a/templates/server-serviceaccount-secret.yaml
+++ b/templates/server-serviceaccount-secret.yaml
@ -0,0 +1,21 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "vault.serverServiceAccountSecretCreationEnabled" . }}
+{{- if .serverServiceAccountSecretCreationEnabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "vault.serviceAccount.name" . }}-token
+  namespace: {{ include "vault.namespace" . }}
+  annotations:
+    kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }}
+  labels:
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: kubernetes.io/service-account-token
+{{ end }}
--- a/charts/openbao/templates/server-serviceaccount.yaml
+++ b/charts/openbao/templates/server-serviceaccount.yaml
@ -3,20 +3,20 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{ template "openbao.serverServiceAccountEnabled" . }}
+{{ template "vault.serverServiceAccountEnabled" . }}
 {{- if .serverServiceAccountEnabled -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ template "openbao.serviceAccount.name" . }}
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.serviceAccount.name" . }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    {{- if  .Values.server.serviceAccount.extraLabels -}}
      {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}}
    {{- end -}}
-  {{ template "openbao.serviceAccount.annotations" . }}
+  {{ template "vault.serviceAccount.annotations" . }}
 {{ end }}
--- a/charts/openbao/templates/server-statefulset.yaml
+++ b/charts/openbao/templates/server-statefulset.yaml
@ -3,56 +3,53 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{ template "openbao.mode" . }}
+{{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
 {{- if ne .mode "" }}
 {{- if .serverEnabled -}}
-# StatefulSet to run the actual openbao server cluster.
+# StatefulSet to run the actual vault server cluster.
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-  name: {{ template "openbao.fullname" . }}
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  {{- template "openbao.statefulSet.annotations" . }}
+  {{- template "vault.statefulSet.annotations" . }}
 spec:
-  serviceName: {{ template "openbao.fullname" . }}-internal
+  serviceName: {{ template "vault.fullname" . }}-internal
  podManagementPolicy: Parallel
-  replicas: {{ template "openbao.replicas" . }}
+  replicas: {{ template "vault.replicas" . }}
  updateStrategy:
    type: {{ .Values.server.updateStrategyType }}
-  {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }}
-  persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }}
-  {{- end }}
  selector:
    matchLabels:
-      app.kubernetes.io/name: {{ template "openbao.name" . }}
+      app.kubernetes.io/name: {{ template "vault.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
      component: server
  template:
    metadata:
      labels:
-        helm.sh/chart: {{ template "openbao.chart" . }}
-        app.kubernetes.io/name: {{ template "openbao.name" . }}
+        helm.sh/chart: {{ template "vault.chart" . }}
+        app.kubernetes.io/name: {{ template "vault.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
        component: server
        {{- if  .Values.server.extraLabels -}}
          {{- toYaml .Values.server.extraLabels | nindent 8 -}}
        {{- end -}}
-      {{ template "openbao.annotations" . }}
+      {{ template "vault.annotations" . }}
    spec:
-      {{ template "openbao.affinity" . }}
-      {{ template "openbao.topologySpreadConstraints" . }}
-      {{ template "openbao.tolerations" . }}
-      {{ template "openbao.nodeselector" . }}
+      {{ template "vault.affinity" . }}
+      {{ template "vault.topologySpreadConstraints" . }}
+      {{ template "vault.tolerations" . }}
+      {{ template "vault.nodeselector" . }}
      {{- if .Values.server.priorityClassName }}
      priorityClassName: {{ .Values.server.priorityClassName }}
      {{- end }}
      terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
-      serviceAccountName: {{ template "openbao.serviceAccount.name" . }}
+      serviceAccountName: {{ template "vault.serviceAccount.name" . }}
      {{ if  .Values.server.shareProcessNamespace }}
      shareProcessNamespace: true
      {{ end }}
@ -61,7 +58,7 @@ spec:
      hostNetwork: {{ .Values.server.hostNetwork }}
      {{- end }}
      volumes:
-        {{ template "openbao.volumes" . }}
+        {{ template "vault.volumes" . }}
        - name: home
          emptyDir: {}
      {{- if .Values.server.hostAliases }}
@ -73,14 +70,14 @@ spec:
        {{ toYaml .Values.server.extraInitContainers | nindent 8}}
      {{- end }}
      containers:
-        - name: openbao
-          {{ template "openbao.resources" . }}
-          image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
+        - name: vault
+          {{ template "vault.resources" . }}
+          image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
          imagePullPolicy: {{ .Values.server.image.pullPolicy }}
          command:
          - "/bin/sh"
          - "-ec"
-          args: {{ template "openbao.args" . }}
+          args: {{ template "vault.args" . }}
          {{- template "server.statefulSet.securityContext.container" . }}
          env:
            - name: HOST_IP
@ -91,21 +88,21 @@ spec:
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
-            - name: BAO_K8S_POD_NAME
+            - name: VAULT_K8S_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
-            - name: BAO_K8S_NAMESPACE
+            - name: VAULT_K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
-            - name: BAO_ADDR
-              value: "{{ include "openbao.scheme" . }}://127.0.0.1:8200"
-            - name: BAO_API_ADDR
+            - name: VAULT_ADDR
+              value: "{{ include "vault.scheme" . }}://127.0.0.1:8200"
+            - name: VAULT_API_ADDR
              {{- if .Values.server.ha.apiAddr }}
              value: {{ .Values.server.ha.apiAddr }}
              {{- else }}
-              value: "{{ include "openbao.scheme" . }}://$(POD_IP):8200"
+              value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
              {{- end }}
            - name: SKIP_CHOWN
              value: "true"
@ -115,42 +112,46 @@ spec:
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
-            - name: BAO_CLUSTER_ADDR
+            - name: VAULT_CLUSTER_ADDR
              {{- if .Values.server.ha.clusterAddr }}
              value: {{ .Values.server.ha.clusterAddr | quote }}
              {{- else }}
-              value: "https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201"
+              value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
              {{- end }}
            {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }}
-            - name: BAO_RAFT_NODE_ID
+            - name: VAULT_RAFT_NODE_ID
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            {{- end }}
            - name: HOME
-              value: "/home/openbao"
+              value: "/home/vault"
            {{- if .Values.server.logLevel }}
-            - name: BAO_LOG_LEVEL
+            - name: VAULT_LOG_LEVEL
              value: "{{ .Values.server.logLevel }}"
            {{- end }}
            {{- if .Values.server.logFormat }}
-            - name: BAO_LOG_FORMAT
+            - name: VAULT_LOG_FORMAT
              value: "{{ .Values.server.logFormat }}"
            {{- end }}
-            {{ template "openbao.envs" . }}
-            {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 12 }}
-            {{- include "openbao.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
+            {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
+            - name: VAULT_LICENSE_PATH
+              value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }}
+            {{- end }}
+            {{ template "vault.envs" . }}
+            {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
+            {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
          volumeMounts:
-          {{ template "openbao.mounts" . }}
+          {{ template "vault.mounts" . }}
            - name: home
-              mountPath: /home/openbao
+              mountPath: /home/vault
          ports:
            - containerPort: 8200
-              name: {{ include "openbao.scheme" . }}
+              name: {{ include "vault.scheme" . }}
            - containerPort: 8201
              name: https-internal
            - containerPort: 8202
-              name: {{ include "openbao.scheme" . }}-rep
+              name: {{ include "vault.scheme" . }}-rep
          {{- if .Values.server.extraPorts -}}
          {{ toYaml .Values.server.extraPorts | nindent 12}}
          {{- end }}
@ -160,15 +161,15 @@ spec:
            httpGet:
              path: {{ .Values.server.readinessProbe.path | quote }}
              port: {{ .Values.server.readinessProbe.port }}
-              scheme: {{ include "openbao.scheme" . | upper }}
+              scheme: {{ include "vault.scheme" . | upper }}
            {{- else }}
-            # Check status; unsealed openbao servers return 0
+            # Check status; unsealed vault servers return 0
            # The exit code reflects the seal status:
            #   0 - unsealed
            #   1 - error
            #   2 - sealed
            exec:
-              command: ["/bin/sh", "-ec", "bao status -tls-skip-verify"]
+              command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
            {{- end }}
            failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
            initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }}
@ -178,18 +179,10 @@ spec:
          {{- end }}
          {{- if .Values.server.livenessProbe.enabled }}
          livenessProbe:
-            {{- if .Values.server.livenessProbe.execCommand }}
-            exec:
-              command:
-                {{- range (.Values.server.livenessProbe.execCommand) }}
-                - {{ . | quote }}
-                {{- end }}
-            {{- else }}
            httpGet:
              path: {{ .Values.server.livenessProbe.path | quote }}
              port: {{ .Values.server.livenessProbe.port }}
-              scheme: {{ include "openbao.scheme" . | upper }}
-            {{- end }}
+              scheme: {{ include "vault.scheme" . | upper }}
            failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
            initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }}
@ -197,7 +190,7 @@ spec:
            timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }}
          {{- end }}
          lifecycle:
-            # openbao container doesn't receive SIGTERM from Kubernetes
+            # Vault container doesn't receive SIGTERM from Kubernetes
            # and after the grace period ends, Kube sends SIGKILL.  This
            # causes issues with graceful shutdowns such as deregistering itself
            # from Consul (zombie services).
@ -208,7 +201,7 @@ spec:
                  # Adding a sleep here to give the pod eviction a
                  # chance to propagate, so requests will not be made
                  # to this pod while it's terminating
-                  "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof bao)",
+                  "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)",
                ]
            {{- if .Values.server.postStart }}
            postStart:
@ -222,7 +215,7 @@ spec:
          {{ toYaml .Values.server.extraContainers | nindent 8}}
        {{- end }}
      {{- include "imagePullSecrets" . | nindent 6 }}
-  {{ template "openbao.volumeclaims" . }}
+  {{ template "vault.volumeclaims" . }}
 {{ end }}
 {{ end }}
 {{ end }}
--- a/charts/openbao/templates/tests/server-test.yaml
+++ b/charts/openbao/templates/tests/server-test.yaml
@ -3,42 +3,42 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{ template "openbao.mode" . }}
+{{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
 {{- if .serverEnabled -}}
 apiVersion: v1
 kind: Pod
 metadata:
-  name: {{ template "openbao.fullname" . }}-server-test
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-server-test
+  namespace: {{ include "vault.namespace" . }}
  annotations:
    "helm.sh/hook": test
 spec:
  {{- include "imagePullSecrets" . | nindent 2 }}
  containers:
    - name: {{ .Release.Name }}-server-test
-      image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
+      image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
      imagePullPolicy: {{ .Values.server.image.pullPolicy }}
      env:
        - name: VAULT_ADDR
-          value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
-        {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 8 }}
+          value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
+        {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }}
      command:
        - /bin/sh
        - -c
        - |
-          echo "Checking for sealed info in 'bao status' output"
+          echo "Checking for sealed info in 'vault status' output"
          ATTEMPTS=10
          n=0
          until [ "$n" -ge $ATTEMPTS ]
          do
            echo "Attempt" $n...
-            bao status -format yaml | grep -E '^sealed: (true|false)' && break
+            vault status -format yaml | grep -E '^sealed: (true|false)' && break
            n=$((n+1))
            sleep 5
          done
          if [ $n -ge $ATTEMPTS ]; then
-            echo "timed out looking for sealed info in 'bao status' output"
+            echo "timed out looking for sealed info in 'vault status' output"
            exit 1
          fi

--- a/charts/openbao/templates/ui-service.yaml
+++ b/charts/openbao/templates/ui-service.yaml
@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc.
 SPDX-License-Identifier: MPL-2.0
 */}}

-{{ template "openbao.mode" . }}
+{{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- template "openbao.uiEnabled" . -}}
+{{- template "vault.uiEnabled" . -}}
 {{- if .uiEnabled -}}

 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ template "openbao.fullname" . }}-ui
-  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "vault.fullname" . }}-ui
+  namespace: {{ include "vault.namespace" . }}
  labels:
-    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "openbao.name" . }}-ui
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}-ui
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  {{- template "openbao.ui.annotations" . }}
+  {{- template "vault.ui.annotations" . }}
 spec:
  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
  {{- if .Values.ui.serviceIPFamilyPolicy }}
@ -29,15 +29,15 @@ spec:
  {{- end }}
  {{- end }}
  selector:
-    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    component: server
-    {{- if and (.Values.ui.activeOpenbaoPodOnly) (eq .mode "ha") }}
-    openbao-active: "true"
+    {{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }}
+    vault-active: "true"
    {{- end }}
  publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }}
  ports:
-    - name: {{ include "openbao.scheme" . }}
+    - name: {{ include "vault.scheme" . }}
      port: {{ .Values.ui.externalPort }}
      targetPort: {{ .Values.ui.targetPort }}
      {{- if .Values.ui.serviceNodePort }}
--- a/test/README.md
+++ b/test/README.md
@ -1,9 +1,11 @@
-# OpenBao Helm Tests
+# Vault Helm Tests

-## Running OpenBao Helm Acceptance tests
+## Running Vault Helm Acceptance tests

 The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance or in a kind cluster.

+Note that for the Vault Enterprise tests to pass, a `VAULT_LICENSE_CI` environment variable needs to be set to the contents of a valid Vault Enterprise license.
+
 ### Running in a GKE cluster

 * Set the `GOOGLE_CREDENTIALS` and `CLOUDSDK_CORE_PROJECT` variables at the top of the file. `GOOGLE_CREDENTIALS` should contain the local path to your Google Cloud Platform account credentials in JSON format. `CLOUDSDK_CORE_PROJECT` should be set to the ID of your GCP project.
@ -47,7 +49,7 @@ editing will be required, since several properties accept multiple data types.

 ## Helm test

-OpenBao Helm also contains a simple helm test under
+Vault Helm also contains a simple helm test under
 [templates/tests/](../templates/tests/) that may be run against a helm release:

    helm test <RELEASE_NAME>
--- a/test/acceptance/_helpers.bash
+++ b/test/acceptance/_helpers.bash
@ -3,15 +3,15 @@

 # name_prefix returns the prefix of the resources within Kubernetes.
 name_prefix() {
-    printf "openbao"
+    printf "vault"
 }

 # chart_dir returns the directory for the chart
 chart_dir() {
-    echo ${BATS_TEST_DIRNAME}/../../charts/openbao
+    echo ${BATS_TEST_DIRNAME}/../..
 }

-# helm_install installs the openbao chart. This will source overridable
+# helm_install installs the vault chart. This will source overridable
 # values from the "values.yaml" file in this directory. This can be set
 # by CI or other environments to do test-specific overrides. Note that its
 # easily possible to break tests this way so be careful.
@ -22,11 +22,11 @@ helm_install() {
    fi

    helm install -f ${values} \
-        --name openbao \
-        ${BATS_TEST_DIRNAME}/../../charts/openbao
+        --name vault \
+        ${BATS_TEST_DIRNAME}/../..
 }

-# helm_install_ha installs the openbao chart using HA mode. This will source
+# helm_install_ha installs the vault chart using HA mode. This will source
 # overridable values from the "values.yaml" file in this directory. This can be
 # set by CI or other environments to do test-specific overrides. Note that its
 # easily possible to break tests this way so be careful.
@ -37,10 +37,10 @@ helm_install_ha() {
    fi

    helm install -f ${values} \
-        --name openbao \
+        --name vault \
        --set 'server.enabled=false' \
        --set 'serverHA.enabled=true' \
-        ${BATS_TEST_DIRNAME}/../../charts/openbao
+        ${BATS_TEST_DIRNAME}/../..
 }

 # wait for consul to be ready
@ -52,7 +52,7 @@ wait_for_sealed_vault() {
    POD_NAME=$1

    check() {
-        sealed_status=$(kubectl exec $1 -- bao status -format=json | jq -r '.sealed')
+        sealed_status=$(kubectl exec $1 -- vault status -format=json | jq -r '.sealed')
        if [ "$sealed_status" == "true" ]; then
            return 0
        fi
@ -61,15 +61,15 @@ wait_for_sealed_vault() {

    for i in $(seq 60); do
        if check ${POD_NAME}; then
-            echo "OpenBao on ${POD_NAME} is running."
+            echo "Vault on ${POD_NAME} is running."
            return
        fi

-        echo "Waiting for OpenBao on ${POD_NAME} to be running..."
+        echo "Waiting for Vault on ${POD_NAME} to be running..."
        sleep 2
    done

-    echo "OpenBao on ${POD_NAME} never became running."
+    echo "Vault on ${POD_NAME} never became running."
    return 1
 }

@ -144,7 +144,7 @@ wait_for_complete_job() {
        # string length.
        kubectl get job $1 -o json | \
            jq -r 'select(
-                .status.succeeded == 1
+                .status.succeeded == 1 
            ) | .metadata.namespace + "/" + .metadata.name'
    }

--- a/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
+++ b/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
@ -1,7 +1,7 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0

-# The "Hello World" OpenBao SecretProviderClass
+# The "Hello World" Vault SecretProviderClass
 apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
--- a/test/acceptance/csi-test/openbao-policy.hcl
+++ b/test/acceptance/csi-test/openbao-policy.hcl
--- a/test/acceptance/csi.bats
+++ b/test/acceptance/csi.bats
@ -18,11 +18,11 @@ load _helpers
    --wait --timeout=5m \
    --namespace=acceptance \
    --set linux.image.pullPolicy="IfNotPresent" \
-    --set tokenRequests[0].audience="openbao" \
+    --set tokenRequests[0].audience="vault" \
    --set enableSecretRotation=true \
    --set rotationPollInterval=5s
-  # Install OpenBao and OpenBao provider
-  helm install openbao \
+  # Install Vault and Vault provider
+  helm install vault \
    --wait --timeout=5m \
    --namespace=acceptance \
    --set="server.dev.enabled=true" \
@ -31,23 +31,23 @@ load _helpers
    --set="csi.agent.logLevel=debug" \
    --set="injector.enabled=false" \
    .
-  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao
-  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider
+  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault
+  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider

  # Set up k8s auth and a kv secret.
-  cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -
-  kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
-  kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
+  cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy -
+  kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes
+  kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
-  kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \
+  kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \
    bound_service_account_names=nginx \
    bound_service_account_namespaces=acceptance \
    policies=kv-policy \
    ttl=20m
-  kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1
+  kubectl --namespace=acceptance exec vault-0 -- vault kv put secret/kv1 bar1=hello1

-  kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
-  kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml
+  kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
+  kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml
  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx

  result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
@ -55,7 +55,7 @@ load _helpers

  for i in $(seq 10); do
    sleep 2
-    if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
+    if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
        echo "Agent returned a cached login response"
        return
    fi
@ -65,8 +65,8 @@ load _helpers

  # Print the logs and fail the test
  echo "Failed to find a log for the Agent renewing CSI's auth token"
-  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent
-  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider
+  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent
+  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-csi-provider
  exit 1
 }

@ -75,7 +75,7 @@ teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
      echo "helm/pvc teardown"
-      helm --namespace=acceptance delete openbao
+      helm --namespace=acceptance delete vault
      helm --namespace=acceptance delete secrets-store-csi-driver
      kubectl delete --all pvc
      kubectl delete namespace acceptance
--- a/test/acceptance/helm-test.bats
+++ b/test/acceptance/helm-test.bats
@ -20,7 +20,7 @@ teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
      echo "helm/pvc teardown"
-      helm delete openbao
+      helm delete vault
      kubectl delete --all pvc
      kubectl delete namespace acceptance --ignore-not-found=true
  fi
--- a/test/acceptance/injector-leader-elector.bats
+++ b/test/acceptance/injector-leader-elector.bats
@ -13,9 +13,9 @@ load _helpers
    --wait \
    --timeout=5m \
    --set="injector.replicas=3" .
-  kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=openbao-agent-injector --timeout=5m
+  kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=vault-agent-injector --timeout=5m

-  pods=($(kubectl get pods -l app.kubernetes.io/name=openbao-agent-injector -o json | jq -r '.items[] | .metadata.name'))
+  pods=($(kubectl get pods -l app.kubernetes.io/name=vault-agent-injector -o json | jq -r '.items[] | .metadata.name'))
  [ "${#pods[@]}" == 3 ]

  leader=''
@ -45,8 +45,8 @@ teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
      echo "helm/pvc teardown"
-      helm delete openbao
+      helm delete vault
      kubectl delete --all pvc
      kubectl delete namespace acceptance
  fi
-}
+}
--- a/test/acceptance/injector-test/bootstrap.sh
+++ b/test/acceptance/injector-test/bootstrap.sh
@ -5,40 +5,40 @@

 OUTPUT=/tmp/output.txt

-bao operator init -n 1 -t 1 >> ${OUTPUT?}
+vault operator init -n 1 -t 1 >> ${OUTPUT?}

 unseal=$(cat ${OUTPUT?} | grep "Unseal Key 1:" | sed -e "s/Unseal Key 1: //g")
 root=$(cat ${OUTPUT?} | grep "Initial Root Token:" | sed -e "s/Initial Root Token: //g")

-bao operator unseal ${unseal?}
+vault operator unseal ${unseal?}

-bao login -no-print ${root?}
+vault login -no-print ${root?}

-bao policy write db-backup /openbao/userconfig/test/pgdump-policy.hcl
+vault policy write db-backup /vault/userconfig/test/pgdump-policy.hcl

-bao auth enable kubernetes
+vault auth enable kubernetes

-bao write auth/kubernetes/config \
+vault write auth/kubernetes/config \
   token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
   kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
   kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

-bao write auth/kubernetes/role/db-backup \
+vault write auth/kubernetes/role/db-backup \
    bound_service_account_names=pgdump \
    bound_service_account_namespaces=acceptance \
    policies=db-backup \
    ttl=1h

-bao secrets enable database
+vault secrets enable database

-bao write database/config/postgresql \
+vault write database/config/postgresql \
    plugin_name=postgresql-database-plugin \
    allowed_roles="db-backup" \
    connection_url="postgresql://{{username}}:{{password}}@postgres:5432/mydb?sslmode=disable" \
-    username="openbao" \
-    password="openbao"
+    username="vault" \
+    password="vault"

-bao write database/roles/db-backup \
+vault write database/roles/db-backup \
    db_name=postgresql \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
        GRANT CONNECT ON DATABASE mydb TO \"{{name}}\"; \
--- a/test/acceptance/injector-test/job.yaml
+++ b/test/acceptance/injector-test/job.yaml
@ -32,11 +32,11 @@ spec:
    spec:
      serviceAccountName: pgdump
      containers:
-        - name: pgdump
-          image: postgres:11.5
-          command:
-            - "/bin/sh"
-            - "-ec"
-          args:
-            - "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout"
+      - name: pgdump
+        image: postgres:11.5
+        command:
+          - "/bin/sh"
+          - "-ec"
+        args:
+          - "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout"
      restartPolicy: Never
--- a/test/acceptance/injector-test/pg-deployment.yaml
+++ b/test/acceptance/injector-test/pg-deployment.yaml
@ -38,7 +38,7 @@ spec:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB
-              value: mydb
+              value: mydb 
            - name: POSTGRES_USER
              value: postgres
            - name: POSTGRES_PASSWORD
@ -52,7 +52,7 @@ spec:
        - name: pgdata
          emptyDir: {}
        - name: pgconf
-          configMap:
+          configMap: 
            name: "pg-init"
 ---
 apiVersion: v1
@ -63,10 +63,10 @@ metadata:
    app: postgres
 data:
  setup.sql: |
-    CREATE ROLE openbao;
-    ALTER ROLE openbao WITH SUPERUSER LOGIN PASSWORD 'openbao';
-
-    \c mydb
+    CREATE ROLE vault;
+    ALTER ROLE vault WITH SUPERUSER LOGIN PASSWORD 'vault';
+    
+    \c mydb 
    CREATE SCHEMA app;
    CREATE TABLE app.inventory(id int);
    INSERT INTO app.inventory(id) VALUES (0);
--- a/test/acceptance/injector.bats
+++ b/test/acceptance/injector.bats
@ -4,20 +4,20 @@ load _helpers

@test "injector: testing deployment" {
  cd `chart_dir`
-
+  
  kubectl delete namespace acceptance --ignore-not-found=true
  kubectl create namespace acceptance
  kubectl config set-context --current --namespace=acceptance

-  kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml
+  kubectl create -f ./test/acceptance/injector-test/pg-deployment.yaml
  sleep 5
  wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}")

  kubectl create secret generic test \
-    --from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \
-    --from-file ../../test/acceptance/injector-test/bootstrap.sh
+    --from-file ./test/acceptance/injector-test/pgdump-policy.hcl \
+    --from-file ./test/acceptance/injector-test/bootstrap.sh 

-  kubectl label secret test app=openbao-agent-demo
+  kubectl label secret test app=vault-agent-demo

  helm install "$(name_prefix)" \
    --set="server.extraVolumes[0].type=secret" \
@ -26,20 +26,20 @@ load _helpers

  wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}")

-  kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"
+  kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /vault/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"
  sleep 5

    # Sealed, not initialized
-  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
    jq -r '.sealed' )
  [ "${sealed_status}" == "false" ]

-  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
    jq -r '.initialized')
-  [ "${init_status}" == "true" ]
+  [ "${init_status}" == "true" ] 


-  kubectl create -f ../../test/acceptance/injector-test/job.yaml
+  kubectl create -f ./test/acceptance/injector-test/job.yaml
  wait_for_complete_job "pgdump"
 }

@ -48,9 +48,9 @@ teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
      echo "helm/pvc teardown"
-      helm delete openbao
+      helm delete vault
      kubectl delete --all pvc
-      kubectl delete secret test
+      kubectl delete secret test 
      kubectl delete job pgdump
      kubectl delete deployment postgres
      kubectl delete namespace acceptance
--- a/test/acceptance/server-annotations.bats
+++ b/test/acceptance/server-annotations.bats
@ -8,7 +8,7 @@ load _helpers
  kubectl create namespace acceptance
  kubectl config set-context --current --namespace=acceptance

-  helm install "$(name_prefix)" -f ../../test/acceptance/server-test/annotations-overrides.yaml .
+  helm install "$(name_prefix)" -f ./test/acceptance/server-test/annotations-overrides.yaml .
  wait_for_running $(name_prefix)-0

  # service annotations
--- a/test/acceptance/server-dev.bats
+++ b/test/acceptance/server-dev.bats
@ -43,11 +43,11 @@ load _helpers
  [ "${ports}" == "8201" ]

  # Sealed, not initialized
-  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
    jq -r '.sealed' )
  [ "${sealed_status}" == "false" ]

-  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
    jq -r '.initialized')
  [ "${init_status}" == "true" ]
 }
@ -57,7 +57,7 @@ teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
      echo "helm/pvc teardown"
-      helm delete openbao
+      helm delete vault
      kubectl delete --all pvc
      kubectl delete namespace acceptance --ignore-not-found=true
  fi
--- a/test/acceptance/server-ha-enterprise-dr.bats
+++ b/test/acceptance/server-ha-enterprise-dr.bats
@ -0,0 +1,166 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/ha-enterprise-raft: testing DR deployment" {
+  cd `chart_dir`
+
+  helm install "$(name_prefix)-east" \
+    --set='server.image.repository=hashicorp/vault-enterprise' \
+    --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
+    --set='injector.enabled=false' \
+    --set='server.ha.enabled=true' \
+    --set='server.ha.raft.enabled=true' \
+    --set='server.enterpriseLicense.secretName=vault-license' .
+  wait_for_running "$(name_prefix)-east-0"
+
+  # Sealed, not initialized
+  wait_for_sealed_vault $(name_prefix)-east-0
+
+  local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "false" ]
+
+  # Vault Init
+  local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \
+    vault operator init -format=json -n 1 -t 1)
+
+  local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
+  [ "${primary_token}" != "" ]
+
+  local primary_root=$(echo ${init} | jq -r '.root_token')
+  [ "${primary_root}" != "" ]
+
+  kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token}
+  wait_for_ready "$(name_prefix)-east-0"
+
+  sleep 10
+
+  # Vault Unseal
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      if [[ ${pod?} != "$(name_prefix)-east-0" ]]
+      then
+          kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200
+          kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
+          wait_for_ready "${pod}"
+      fi
+  done
+
+  # Unsealed, initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "false" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "true" ]
+
+  kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root}
+
+  local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json |
+    jq -r '.data.config.servers | length')
+  [ "${raft_status}" == "3" ]
+
+  kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201
+
+  local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/dr/primary/secondary-token id=secondary -format=json)
+  [ "${secondary}" != "" ]
+
+  local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token')
+  [ "${secondary_replica_token}" != "" ]
+
+  # Install vault-west
+  helm install "$(name_prefix)-west" \
+    --set='injector.enabled=false' \
+    --set='server.image.repository=hashicorp/vault-enterprise' \
+    --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
+    --set='server.ha.enabled=true' \
+    --set='server.ha.raft.enabled=true' \
+    --set='server.enterpriseLicense.secretName=vault-license' .
+  wait_for_running "$(name_prefix)-west-0"
+
+  # Sealed, not initialized
+  wait_for_sealed_vault $(name_prefix)-west-0
+
+  local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "false" ]
+
+  # Vault Init
+  local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \
+    vault operator init -format=json -n 1 -t 1)
+
+  local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
+  [ "${secondary_token}" != "" ]
+
+  local secondary_root=$(echo ${init} | jq -r '.root_token')
+  [ "${secondary_root}" != "" ]
+
+  kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token}
+  wait_for_ready "$(name_prefix)-west-0"
+
+  sleep 10
+
+  # Vault Unseal
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      if [[ ${pod?} != "$(name_prefix)-west-0" ]]
+      then
+          kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200
+          kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token}
+          wait_for_ready "${pod}"
+      fi
+  done
+
+  # Unsealed, initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "false" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "true" ]
+
+  kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root}
+
+  local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json |
+    jq -r '.data.config.servers | length')
+  [ "${raft_status}" == "3" ]
+
+  kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/dr/secondary/enable token=${secondary_replica_token}
+
+  sleep 10
+
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      if [[ ${pod?} != "$(name_prefix)-west-0" ]]
+      then
+          kubectl delete pod "${pod?}"
+          wait_for_running "${pod?}"
+          kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
+          wait_for_ready "${pod}"
+      fi
+  done
+}
+
+setup() {
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance
+  kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI
+}
+
+#cleanup
+teardown() {
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+	  helm delete vault-east
+	  helm delete vault-west
+	  kubectl delete --all pvc
+	  kubectl delete namespace acceptance --ignore-not-found=true
+  fi
+}
--- a/test/acceptance/server-ha-enterprise-perf.bats
+++ b/test/acceptance/server-ha-enterprise-perf.bats
@ -0,0 +1,164 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/ha-enterprise-raft: testing performance replica deployment" {
+  cd `chart_dir`
+
+  helm install "$(name_prefix)-east" \
+    --set='injector.enabled=false' \
+    --set='server.image.repository=hashicorp/vault-enterprise' \
+    --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
+    --set='server.ha.enabled=true' \
+    --set='server.ha.raft.enabled=true' \
+    --set='server.enterpriseLicense.secretName=vault-license' .
+  wait_for_running "$(name_prefix)-east-0"
+
+  # Sealed, not initialized
+  wait_for_sealed_vault $(name_prefix)-east-0
+
+  local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "false" ]
+
+  # Vault Init
+  local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \
+    vault operator init -format=json -n 1 -t 1)
+
+  local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
+  [ "${primary_token}" != "" ]
+
+  local primary_root=$(echo ${init} | jq -r '.root_token')
+  [ "${primary_root}" != "" ]
+
+  kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token}
+  wait_for_ready "$(name_prefix)-east-0"
+
+  sleep 30
+
+  # Vault Unseal
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      if [[ ${pod?} != "$(name_prefix)-east-0" ]]
+      then
+          kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200
+          kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
+          wait_for_ready "${pod}"
+      fi
+  done
+
+  # Unsealed, initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "false" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "true" ]
+
+  kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root}
+
+  local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json |
+    jq -r '.data.config.servers | length')
+  [ "${raft_status}" == "3" ]
+
+  kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201
+
+  local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/performance/primary/secondary-token id=secondary -format=json)
+  [ "${secondary}" != "" ]
+
+  local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token')
+  [ "${secondary_replica_token}" != "" ]
+
+  # Install vault-west
+  helm install "$(name_prefix)-west" \
+    --set='injector.enabled=false' \
+    --set='server.image.repository=hashicorp/vault-enterprise' \
+    --set="server.image.tag=$(yq -r '.server.image.tag' values.yaml)-ent" \
+    --set='server.ha.enabled=true' \
+    --set='server.ha.raft.enabled=true' \
+    --set='server.enterpriseLicense.secretName=vault-license' .
+  wait_for_running "$(name_prefix)-west-0"
+
+  # Sealed, not initialized
+  wait_for_sealed_vault $(name_prefix)-west-0
+
+  local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "false" ]
+
+  # Vault Init
+  local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \
+    vault operator init -format=json -n 1 -t 1)
+
+  local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
+  [ "${secondary_token}" != "" ]
+
+  local secondary_root=$(echo ${init} | jq -r '.root_token')
+  [ "${secondary_root}" != "" ]
+
+  kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token}
+  wait_for_ready "$(name_prefix)-west-0"
+
+  sleep 30
+
+  # Vault Unseal
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      if [[ ${pod?} != "$(name_prefix)-west-0" ]]
+      then
+          kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200
+          kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token}
+          wait_for_ready "${pod}"
+      fi
+  done
+
+  # Unsealed, initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "false" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "true" ]
+
+  kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root}
+
+  local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json |
+    jq -r '.data.config.servers | length')
+  [ "${raft_status}" == "3" ]
+
+  kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/performance/secondary/enable token=${secondary_replica_token}
+
+  sleep 30
+
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      if [[ ${pod?} != "$(name_prefix)-west-0" ]]
+      then
+          kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
+          wait_for_ready "${pod}"
+      fi
+  done
+}
+
+setup() {
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance
+  kubectl create secret generic vault-license --from-literal license=$VAULT_LICENSE_CI
+}
+
+#cleanup
+teardown() {
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      helm delete vault-east
+      helm delete vault-west
+      kubectl delete --all pvc
+      kubectl delete namespace acceptance --ignore-not-found=true
+  fi
+}
--- a/test/acceptance/server-ha-raft.bats
+++ b/test/acceptance/server-ha-raft.bats
@ -13,7 +13,7 @@ load _helpers
  # Sealed, not initialized
  wait_for_sealed_vault $(name_prefix)-0

-  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
    jq -r '.initialized')
  [ "${init_status}" == "false" ]

@ -57,45 +57,45 @@ load _helpers
    jq -r '.spec.ports[1].port')
  [ "${ports}" == "8201" ]

-  # OpenBao Init
+  # Vault Init
  local init=$(kubectl exec -ti "$(name_prefix)-0" -- \
-    bao operator init -format=json -n 1 -t 1)
+    vault operator init -format=json -n 1 -t 1)

  local token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
  [ "${token}" != "" ]
-
+  
  local root=$(echo ${init} | jq -r '.root_token')
  [ "${root}" != "" ]

-  kubectl exec -ti openbao-0 -- bao operator unseal ${token}
+  kubectl exec -ti vault-0 -- vault operator unseal ${token}
  wait_for_ready "$(name_prefix)-0"

  sleep 5

-  # OpenBao Unseal
-  local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
+  # Vault Unseal
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
  for pod in "${pods[@]}"
  do
      if [[ ${pod?} != "$(name_prefix)-0" ]]
      then
-          kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200
-          kubectl exec -ti ${pod} -- bao operator unseal ${token}
+          kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200
+          kubectl exec -ti ${pod} -- vault operator unseal ${token}
          wait_for_ready "${pod}"
      fi
  done

  # Sealed, not initialized
-  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
    jq -r '.sealed' )
  [ "${sealed_status}" == "false" ]

-  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
    jq -r '.initialized')
  [ "${init_status}" == "true" ]

-  kubectl exec "$(name_prefix)-0" -- bao login ${root}
+  kubectl exec "$(name_prefix)-0" -- vault login ${root}

-  local raft_status=$(kubectl exec "$(name_prefix)-0" -- bao operator raft list-peers -format=json |
+  local raft_status=$(kubectl exec "$(name_prefix)-0" -- vault operator raft list-peers -format=json | 
    jq -r '.data.config.servers | length')
  [ "${raft_status}" == "3" ]
 }
@ -112,9 +112,9 @@ teardown() {
  then
      # If the test failed, print some debug output
      if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
-          kubectl logs -l app.kubernetes.io/name=openbao
+          kubectl logs -l app.kubernetes.io/name=vault
      fi
-      helm delete openbao
+      helm delete vault
      kubectl delete --all pvc
      kubectl delete namespace acceptance --ignore-not-found=true
  fi
--- a/test/acceptance/server-ha.bats
+++ b/test/acceptance/server-ha.bats
@ -0,0 +1,121 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/ha: testing deployment" {
+  cd `chart_dir`
+
+  helm install "$(name_prefix)" \
+    --set='server.ha.enabled=true' .
+  wait_for_running $(name_prefix)-0
+
+  # Sealed, not initialized
+  wait_for_sealed_vault $(name_prefix)-0
+
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "false" ]
+
+  # Replicas
+  local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.replicas')
+  [ "${replicas}" == "3" ]
+
+  # Volume Mounts
+  local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.containers[0].volumeMounts | length')
+  [ "${volumeCount}" == "2" ]
+
+  # Volumes
+  local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.volumes | length')
+  [ "${volumeCount}" == "2" ]
+
+  local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.volumes[0].configMap.name')
+  [ "${volume}" == "$(name_prefix)-config" ]
+
+  # Service
+  local service=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.clusterIP')
+  [ "${service}" != "None" ]
+
+  local service=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.type')
+  [ "${service}" == "ClusterIP" ]
+
+  local ports=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.ports | length')
+  [ "${ports}" == "2" ]
+
+  local ports=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.ports[0].port')
+  [ "${ports}" == "8200" ]
+
+  local ports=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.ports[1].port')
+  [ "${ports}" == "8201" ]
+
+  # Vault Init
+  local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
+    vault operator init -format=json -n 1 -t 1 | \
+    jq -r '.unseal_keys_b64[0]')
+  [ "${token}" != "" ]
+
+  # Vault Unseal
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      kubectl exec -ti ${pod} -- vault operator unseal ${token}
+  done
+
+  wait_for_ready "$(name_prefix)-0"
+
+  # Sealed, not initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "false" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "true" ]
+}
+
+# setup a consul env
+setup() {
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance
+
+  helm repo add hashicorp https://helm.releases.hashicorp.com
+  helm repo update
+
+  CONSUL_HELM_VERSION=v0.48.0
+
+  K8S_MAJOR=$(kubectl version --output=json | jq -r .serverVersion.major)
+  K8S_MINOR=$(kubectl version --output=json | jq -r .serverVersion.minor)
+  if [ \( $K8S_MAJOR -eq 1 \) -a \( $K8S_MINOR -le 20 \) ]; then
+    CONSUL_HELM_VERSION=v0.32.1
+  fi
+  helm install consul hashicorp/consul \
+    --version $CONSUL_HELM_VERSION \
+    --set 'ui.enabled=false'
+
+  wait_for_running_consul
+}
+
+#cleanup
+teardown() {
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      # If the test failed, print some debug output
+      if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
+          kubectl logs -l app=consul
+          kubectl logs -l app.kubernetes.io/name=vault
+      fi
+      helm delete vault
+      helm delete consul
+      kubectl delete --all pvc
+      kubectl delete namespace acceptance --ignore-not-found=true
+  fi
+}
--- a/test/acceptance/server-telemetry.bats
+++ b/test/acceptance/server-telemetry.bats
@ -19,7 +19,7 @@ load _helpers

  helm install \
    --wait \
-    --values ../../test/acceptance/server-test/telemetry.yaml \
+    --values ./test/acceptance/server-test/telemetry.yaml \
    "$(name_prefix)" .

  wait_for_running $(name_prefix)-0
@ -27,31 +27,31 @@ load _helpers
  # Sealed, not initialized
  wait_for_sealed_vault $(name_prefix)-0

-  # OpenBao Init
+  # Vault Init
  local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
-    bao operator init -format=json -n 1 -t 1 | \
+    vault operator init -format=json -n 1 -t 1 | \
    jq -r '.unseal_keys_b64[0]')
  [ "${token}" != "" ]

-  # OpenBao Unseal
-  local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
+  # Vault Unseal
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
  for pod in "${pods[@]}"
  do
-      kubectl exec -ti ${pod} -- bao operator unseal ${token}
+      kubectl exec -ti ${pod} -- vault operator unseal ${token}
  done

  wait_for_ready "$(name_prefix)-0"

  # Unsealed, initialized
-  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
    jq -r '.sealed' )
  [ "${sealed_status}" == "false" ]

-  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
    jq -r '.initialized')
  [ "${init_status}" == "true" ]

-  # unfortunately it can take up to 2 minutes for the openbao prometheus job to appear
+  # unfortunately it can take up to 2 minutes for the vault prometheus job to appear
  # TODO: investigate how reduce this.
  local job_labels
  local tries=0
@ -62,7 +62,7 @@ load _helpers
        -- wget -q -O - http://127.0.0.1:9090/api/v1/label/job/values) | tee /dev/stderr )

      # Ensure the expected job label was picked up by Prometheus
-      [ "$(echo "${job_labels}" | jq 'any(.data[]; . == "openbao-internal")')" = "true" ] && break
+      [ "$(echo "${job_labels}" | jq 'any(.data[]; . == "vault-internal")')" = "true" ] && break

      ((++tries))
      sleep .5
@ -72,7 +72,7 @@ load _helpers
  # Ensure the expected job is "up"
  local job_up=$( ( kubectl exec -n acceptance svc/prometheus-kube-prometheus-prometheus \
    -c prometheus \
-    -- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="openbao-internal"}' ) | \
+    -- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="vault-internal"}' ) | \
    tee /dev/stderr )
  [ "$(echo "${job_up}" | jq '.data.result[0].value[1]')" = \"1\" ]
 }
--- a/test/acceptance/server-test/telemetry.yaml
+++ b/test/acceptance/server-test/telemetry.yaml
@ -17,7 +17,7 @@ server:
      }

      storage "file" {
-        path = "/openbao/data"
+        path = "/vault/data"
      }

      telemetry {
--- a/test/acceptance/server.bats
+++ b/test/acceptance/server.bats
@ -15,7 +15,7 @@ load _helpers
  # Sealed, not initialized
  wait_for_sealed_vault $(name_prefix)-0

-  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
    jq -r '.initialized')
  [ "${init_status}" == "false" ]

@ -40,7 +40,7 @@ load _helpers

  local mountPath=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.spec.containers[0].volumeMounts[0].mountPath')
-  [ "${mountPath}" == "/openbao/data" ]
+  [ "${mountPath}" == "/vault/data" ]

  # Volumes
  local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
@ -72,27 +72,27 @@ load _helpers
    jq -r '.spec.ports[1].port')
  [ "${ports}" == "8201" ]

-  # OpenBao Init
+  # Vault Init
  local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
-    bao operator init -format=json -n 1 -t 1 | \
+    vault operator init -format=json -n 1 -t 1 | \
    jq -r '.unseal_keys_b64[0]')
  [ "${token}" != "" ]

-  # OpenBao Unseal
-  local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
+  # Vault Unseal
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
  for pod in "${pods[@]}"
  do
-      kubectl exec -ti ${pod} -- bao operator unseal ${token}
+      kubectl exec -ti ${pod} -- vault operator unseal ${token}
  done

  wait_for_ready "$(name_prefix)-0"

  # Unsealed, initialized
-  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
    jq -r '.sealed' )
  [ "${sealed_status}" == "false" ]

-  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
    jq -r '.initialized')
  [ "${init_status}" == "true" ]
 }
@ -102,7 +102,7 @@ teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
      echo "helm/pvc teardown"
-      helm delete openbao
+      helm delete vault
      kubectl delete --all pvc
      kubectl delete namespace acceptance --ignore-not-found=true
  fi
--- a/test/chart/_helpers.bash
+++ b/test/chart/_helpers.bash
@ -3,7 +3,7 @@

 # chart_dir returns the directory for the chart
 chart_dir() {
-    echo ${BATS_TEST_DIRNAME}/../../charts/openbao
+    echo ${BATS_TEST_DIRNAME}/../..
 }

 # check_result checks if the specified test passed
--- a/test/chart/verifier.bats
+++ b/test/chart/verifier.bats
@ -5,8 +5,8 @@ load _helpers
 setup_file() {
    cd `chart_dir`
    export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json"
-    export CHART_VOLUME=openbao-helm-chart-src
-    local IMAGE="quay.io/redhat-certification/chart-verifier:1.13.7"
+    export CHART_VOLUME=vault-helm-chart-src
+    local IMAGE="quay.io/redhat-certification/chart-verifier:1.10.1"
    # chart-verifier requires an openshift version if a cluster isn't available
    local OPENSHIFT_VERSION="4.12"
    local DISABLED_TESTS="chart-testing"
--- a/test/docker/Test.dockerfile
+++ b/test/docker/Test.dockerfile
@ -28,11 +28,7 @@ RUN apk update && apk add --no-cache --virtual .build-deps \
    jq

 # yq
-RUN python3 -m venv venv && \
-    . venv/bin/activate && \
-    pip install yq && \
-    ln -s $PWD/venv/bin/yq /usr/local/bin/yq && \
-    deactivate
+RUN pip install yq

 # gcloud
 RUN curl -OL https://dl.google.com/dl/cloudsdk/channels/rapid/install_google_cloud_sdk.bash && \
--- a/test/terraform/main.tf
+++ b/test/terraform/main.tf
@ -19,7 +19,7 @@ data "google_service_account" "gcpapi" {
 }

 resource "google_container_cluster" "cluster" {
-  name               = "openbao-helm-dev-${random_id.suffix.dec}"
+  name               = "vault-helm-dev-${random_id.suffix.dec}"
  project            = "${var.project}"
  enable_legacy_abac = true
  initial_node_count = 3
--- a/test/terraform/variables.tf
+++ b/test/terraform/variables.tf
@ -2,7 +2,7 @@
 # SPDX-License-Identifier: MPL-2.0

 variable "project" {
-  default = "openbao-helm-dev-246514"
+  default = "vault-helm-dev-246514"

  description = <<EOF
 Google Cloud Project to launch resources in. This project must have GKE
--- a/test/unit/_helpers.bash
+++ b/test/unit/_helpers.bash
@ -3,5 +3,5 @@

 # chart_dir returns the directory for the chart
 chart_dir() {
-    echo ${BATS_TEST_DIRNAME}/../../charts/openbao
+    echo ${BATS_TEST_DIRNAME}/../..
 }
--- a/test/unit/csi-agent-configmap.bats
+++ b/test/unit/csi-agent-configmap.bats
@ -18,7 +18,7 @@ load _helpers
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq -r '.metadata.name' | tee /dev/stderr)
-  [ "${actual}" = "release-name-openbao-csi-provider-agent-config" ]
+  [ "${actual}" = "release-name-vault-csi-provider-agent-config" ]
 }

@test "csi/Agent-ConfigMap: namespace" {
@ -40,25 +40,25 @@ load _helpers
  [ "${actual}" = "bar" ]
 }

-@test "csi/Agent-ConfigMap: OpenBao addr not affected by injector setting" {
+@test "csi/Agent-ConfigMap: Vault addr not affected by injector setting" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/csi-agent-configmap.yaml \
      --set "csi.enabled=true" \
      --release-name not-external-test \
-      --set 'injector.externalVaultAddr=http://openbao-outside' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
      . | tee /dev/stderr |
      yq -r '.data["config.hcl"]' | tee /dev/stderr)
-  echo "${actual}" | grep "http://not-external-test-openbao.default.svc:8200"
+  echo "${actual}" | grep "http://not-external-test-vault.default.svc:8200"
 }

-@test "csi/Agent-ConfigMap: OpenBao addr correctly set for externalVaultAddr" {
+@test "csi/Agent-ConfigMap: Vault addr correctly set for externalVaultAddr" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/csi-agent-configmap.yaml \
      --set "csi.enabled=true" \
-      --set 'global.externalVaultAddr=http://openbao-outside' \
+      --set 'global.externalVaultAddr=http://vault-outside' \
      . | tee /dev/stderr |
      yq -r '.data["config.hcl"]' | tee /dev/stderr)
-  echo "${actual}" | grep "http://openbao-outside"
-}
+  echo "${actual}" | grep "http://vault-outside"
+}
--- a/test/unit/csi-clusterrole.bats
+++ b/test/unit/csi-clusterrole.bats
@ -29,5 +29,5 @@ load _helpers
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq -r '.metadata.name' | tee /dev/stderr)
-  [ "${actual}" = "release-name-openbao-csi-provider-clusterrole" ]
-}
+  [ "${actual}" = "release-name-vault-csi-provider-clusterrole" ]
+}
--- a/test/unit/csi-clusterrolebinding.bats
+++ b/test/unit/csi-clusterrolebinding.bats
@ -29,7 +29,7 @@ load _helpers
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq -r '.roleRef.name' | tee /dev/stderr)
-  [ "${actual}" = "release-name-openbao-csi-provider-clusterrole" ]
+  [ "${actual}" = "release-name-vault-csi-provider-clusterrole" ]
 }

 # ClusterRoleBinding service account name
@ -40,7 +40,7 @@ load _helpers
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq -r '.subjects[0].name' | tee /dev/stderr)
-  [ "${actual}" = "release-name-openbao-csi-provider" ]
+  [ "${actual}" = "release-name-vault-csi-provider" ]
 }

 # ClusterRoleBinding service account namespace
@ -61,4 +61,4 @@ load _helpers
      . | tee /dev/stderr |
      yq -r '.subjects[0].namespace' | tee /dev/stderr)
  [ "${actual}" = "bar" ]
-}
+}
--- a/test/unit/csi-daemonset.bats
+++ b/test/unit/csi-daemonset.bats
@ -81,7 +81,7 @@ load _helpers
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
-  [ "${actual}" = "release-name-openbao-csi-provider" ]
+  [ "${actual}" = "release-name-vault-csi-provider" ]
 }

 # Image
@ -101,13 +101,13 @@ load _helpers

  local actual=$(echo $object |
      yq -r '.[0].image' | tee /dev/stderr)
-  [ "${actual}" = "docker.io/Image1:0.0.1" ]
+  [ "${actual}" = "Image1:0.0.1" ]
  local actual=$(echo $object |
      yq -r '.[0].imagePullPolicy' | tee /dev/stderr)
  [ "${actual}" = "PullPolicy1" ]
  local actual=$(echo $object |
      yq -r '.[1].image' | tee /dev/stderr)
-  [ "${actual}" = "quay.io/Image2:0.0.2" ]
+  [ "${actual}" = "Image2:0.0.2" ]
  local actual=$(echo $object |
      yq -r '.[1].imagePullPolicy' | tee /dev/stderr)
  [ "${actual}" = "PullPolicy2" ]
@ -196,7 +196,7 @@ load _helpers
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq -r '.spec.template.spec.containers[0].args[2]' | tee /dev/stderr)
-  [ "${actual}" = "--hmac-secret-name=openbao-csi-provider-hmac-key" ]
+  [ "${actual}" = "--hmac-secret-name=vault-csi-provider-hmac-key" ]

  local actual=$(helm template \
      --show-only templates/csi-daemonset.yaml \
@ -666,7 +666,7 @@ load _helpers
  local object=$(helm template \
      --show-only templates/csi-daemonset.yaml \
      --set 'csi.enabled=true' \
-      --set 'global.externalVaultAddr=http://openbao-outside' \
+      --set 'global.externalVaultAddr=http://vault-outside' \
      . | tee /dev/stderr |
      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)

@ -682,13 +682,13 @@ load _helpers
      --set 'csi.enabled=true' \
      --set 'csi.agent.enabled=false' \
      --release-name not-external-test \
-      --set 'injector.externalVaultAddr=http://openbao-outside' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
      . | tee /dev/stderr |
      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)

  local value=$(echo $object |
      yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
-  [ "${value}" = "http://not-external-test-openbao.default.svc:8200" ]
+  [ "${value}" = "http://not-external-test-vault.default.svc:8200" ]
 }

@test "csi/daemonset: with global.externalVaultAddr" {
@ -697,13 +697,13 @@ load _helpers
      --show-only templates/csi-daemonset.yaml \
      --set 'csi.enabled=true' \
      --set 'csi.agent.enabled=false' \
-      --set 'global.externalVaultAddr=http://openbao-outside' \
+      --set 'global.externalVaultAddr=http://vault-outside' \
      . | tee /dev/stderr |
      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)

  local value=$(echo $object |
      yq -r 'map(select(.name=="VAULT_ADDR")) | .[] .value' | tee /dev/stderr)
-  [ "${value}" = "http://openbao-outside" ]
+  [ "${value}" = "http://vault-outside" ]
 }

 #--------------------------------------------------------------------
@ -796,7 +796,7 @@ load _helpers
      yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr)

  local value=$(echo $object |
-      yq -r 'map(select(.name=="BAO_LOG_LEVEL")) | .[] .value' | tee /dev/stderr)
+      yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr)
  [ "${value}" = "error" ]
 }

@ -810,7 +810,7 @@ load _helpers
      yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr)

  local value=$(echo $object |
-      yq -r 'map(select(.name=="BAO_LOG_FORMAT")) | .[] .value' | tee /dev/stderr)
+      yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr)
  [ "${value}" = "json" ]
 }

--- a/test/unit/csi-role.bats
+++ b/test/unit/csi-role.bats
@ -18,13 +18,13 @@ load _helpers
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq -r '.metadata.name' | tee /dev/stderr)
-  [ "${actual}" = "release-name-openbao-csi-provider-role" ]
+  [ "${actual}" = "release-name-vault-csi-provider-role" ]
  local actual=$(helm template \
      --show-only templates/csi-role.yaml \
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr)
-  [ "${actual}" = "openbao-csi-provider-hmac-key" ]
+  [ "${actual}" = "vault-csi-provider-hmac-key" ]
 }

@test "csi/Role: namespace" {
@ -55,4 +55,4 @@ load _helpers
      . | tee /dev/stderr |
      yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr)
  [ "${actual}" = "foo" ]
-}
+}
--- a/test/unit/csi-rolebinding.bats
+++ b/test/unit/csi-rolebinding.bats
@ -18,7 +18,7 @@ load _helpers
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq -r '.metadata.name' | tee /dev/stderr)
-  [ "${actual}" = "release-name-openbao-csi-provider-rolebinding" ]
+  [ "${actual}" = "release-name-vault-csi-provider-rolebinding" ]
 }

@test "csi/RoleBinding: namespace" {
@ -38,4 +38,4 @@ load _helpers
      . | tee /dev/stderr |
      yq -r '.metadata.namespace' | tee /dev/stderr)
  [ "${actual}" = "bar" ]
-}
+}
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
Kyle Schochenmaier	8f8d31e23c	update changelog	2023-10-30 14:04:35 -05:00
Kyle Schochenmaier	0649ecb27b	Prepare for release 0.26.1	2023-10-30 13:12:24 -05:00