Merge pull request #23 from ipsavitsky/fix-agent-uri

Add the `.injector.agentImage.registry` to the image path

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,46 @@
+---
+name: Bug report
+about: Let us know about a bug!
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+<!-- Please reserve GitHub issues for bug reports and feature requests.
+
+**Please note**: We take OpenBao's security and our users' trust very seriously. If
+you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_
+by contacting us at [openbao-security@lists.lfedge.org](mailto:openbao-security@lists.lfedge.org).
+
+-->
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Install chart
+2. Run bao command
+3. See error (openbao logs, etc.)
+
+Other useful info to include: openbao pod logs, `kubectl describe statefulset openbao` and `kubectl get statefulset openbao -o yaml` output
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Environment**
+* Kubernetes version:
+  * Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.):
+  * Other configuration options or runtime services (istio, etc.):
+* openbao-helm version:
+
+Chart values:
+
+```yaml
+# Paste your user-supplied values here (`helm get values <release>`).
+# Be sure to scrub any sensitive values!
+```
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+contact_links:
+  - name: Ask a question
+    url: https://chat.lfx.linuxfoundation.org/#/room/#openbao-questions:chat.lfx.linuxfoundation.org

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/actions/setup-test-tools/action.yaml

@@ -0,0 +1,24 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+name: Setup common testing tools
+description: Install bats and python-yq
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+      with:
+        node-version: '16'
+    - run: npm install -g bats@${BATS_VERSION}
+      shell: bash
+      env:
+        BATS_VERSION: '1.8.2'
+    - run: bats -v
+      shell: bash
+    - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+      with:
+        python-version: '3.10'
+    - run: pip install yq
+      shell: bash
+permissions:
+  contents: read

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/acceptance.yaml

@@ -0,0 +1,22 @@
+name: Acceptance Tests
+on: [push, workflow_dispatch]
+jobs:
+  kind:
+    strategy:
+      fail-fast: false
+      matrix:
+        kind-k8s-version: [1.27.11, 1.28.7, 1.29.2]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Setup test tools
+        uses: ./.github/actions/setup-test-tools
+      - name: Create K8s Kind Cluster
+        uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0
+        with:
+          config: test/kind/config.yaml
+          node_image: kindest/node:v${{ matrix.kind-k8s-version }}
+          version: v0.22.0
+      - run: bats --tap --timing ./test/acceptance
+permissions:
+  contents: read

.github/workflows/lint-chart.yml

@@ -0,0 +1,47 @@
+name: Lint and Test Chart
+
+on:
+  pull_request:
+    paths:
+      - 'charts/**'
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: "0"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.6.1
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Run chart-testing (lint)
+        id: lint
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct lint --target-branch ${{ github.event.repository.default_branch }}
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.10.0
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run chart-testing (install)
+        id: install
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct install --target-branch ${{ github.event.repository.default_branch }}

.github/workflows/release-chart.yml

@@ -0,0 +1,38 @@
+name: Release
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'charts/**'
+
+jobs:
+  release:
+    environment: helm-release
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3.5
+        id: helm-install
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run chart-releaser
+        id: helm-release
+        uses: helm/chart-releaser-action@v1.6.0
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_GENERATE_RELEASE_NOTES: true

.github/workflows/tests.yaml

@@ -0,0 +1,24 @@
+name: Tests
+on: [push, workflow_dispatch]
+jobs:
+  bats-unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: ./.github/actions/setup-test-tools
+      - run: bats --tap --timing ./test/unit
+  chart-verifier:
+    runs-on: ubuntu-latest
+    env:
+      CHART_VERIFIER_VERSION: "1.13.7"
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Setup test tools
+        uses: ./.github/actions/setup-test-tools
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version: "1.22.5"
+      - run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}"
+      - run: bats --tap --timing ./test/chart
+permissions:
+  contents: read

.gitignore

@@ -4,3 +4,11 @@
 terraform.tfstate*
 terraform.tfvars
 values.dev.yaml
+vaul-helm-dev-creds.json
+./test/acceptance/vaul-helm-dev-creds.json
+./test/terraform/vaul-helm-dev-creds.json
+./test/unit/vaul-helm-dev-creds.json
+./test/acceptance/values.yaml
+./test/acceptance/values.yml
+.idea
+scratch/

.helmignore

@@ -1,4 +0,0 @@
-.git/
-.terraform/
-bin/
-test/

CHANGELOG.md

@@ -1,14 +1,531 @@
-## 0.2.0 (September 26, 2018)
+## Unreleased
 
-FEATURES:
+Bugs:
+* injector: add missing `get` `nodes` permission to ClusterRole [GH-1005](https://github.com/hashicorp/vault-helm/pull/1005)
 
-  * `syncCatalog` can install the [service catalog sync](https://www.hashicorp.com/blog/consul-and-kubernetes-service-catalog-sync)
-    functionality.
+## 0.27.0 (November 16, 2023)
 
-IMPROVEMENTS:
+Changes:
 
-  * server: support `storageClass` [GH-7]
+* Default `vault` version updated to 1.15.2
 
-## 0.1.0
+Features:
+
+* server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet [GH-965](https://github.com/hashicorp/vault-helm/pull/965)
+* server: Support setting labels on PVCs [GH-969](https://github.com/hashicorp/vault-helm/pull/969)
+* server: Support setting ingress rules for networkPolicy [GH-877](https://github.com/hashicorp/vault-helm/pull/877)
+
+Improvements:
+
+* Support exec in the server liveness probe [GH-971](https://github.com/hashicorp/vault-helm/pull/971)
+
+## 0.26.1 (October 30, 2023)
+
+Bugs:
+* Fix templating of `server.ha.replicas` when set via override file. The `0.26.0` chart would ignore `server.ha.replicas` and always deploy 3 server replicas when `server.ha.enabled=true` unless overridden by command line when issuing the helm command: `--set server.ha.replicas=<some_number>`. Fixed in [GH-961](https://github.com/hashicorp/vault-helm/pull/961)
+
+## 0.26.0 (October 27, 2023)
+
+Changes:
+* Default `vault` version updated to 1.15.1
+* Default `vault-k8s` version updated to 1.3.1
+* Default `vault-csi-provider` version updated to 1.4.1
+* Tested with Kubernetes versions 1.24-1.28
+* server: OpenShift default readiness probe returns 204 when uninitialized [GH-966](https://github.com/hashicorp/vault-helm/pull/966)
+
+Features:
+* server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833)
+* server: Support `hostAliases` for the StatefulSet pods [GH-955](https://github.com/hashicorp/vault-helm/pull/955)
+* server: Add `server.service.active.annotations` and `server.service.standby.annotations` [GH-896](https://github.com/hashicorp/vault-helm/pull/896)
+* server: Add long-lived service account token option [GH-923](https://github.com/hashicorp/vault-helm/pull/923)
+
+Bugs:
+* csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
+
+Improvements:
+* global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
+* server: use vault.fullname in Helm test [GH-912](https://github.com/hashicorp/vault-helm/pull/912)
+* server: Allow scaling HA replicas to zero [GH-943](https://github.com/hashicorp/vault-helm/pull/943)
+
+## 0.25.0 (June 26, 2023)
+
+Changes:
+* Latest Kubernetes version tested is now 1.27
+* server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902)
+* `vault` updated to 1.14.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
+* `vault-csi-provider` updated to 1.4.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
+
+Improvements:
+* CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862)
+* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798)
+* Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
+
+Bugs:
+* server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886)
+
+## 0.24.1 (April 17, 2023)
+
+Bugs:
+* csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions [GH-872](https://github.com/hashicorp/vault-helm/pull/872)
+
+## 0.24.0 (April 6, 2023)
+
+Changes:
+* Earliest Kubernetes version tested is now 1.22
+* `vault` updated to 1.13.1 [GH-863](https://github.com/hashicorp/vault-helm/pull/863)
+* `vault-k8s` updated to 1.2.1 [GH-868](https://github.com/hashicorp/vault-helm/pull/868)
+* `vault-csi-provider` updated to 1.3.0 [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
+
+Features:
+* server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841)
+* server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831)
+* injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852)
+* csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
+
+## 0.23.0 (November 28th, 2022)
+
+Changes:
+* `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
+* `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
+* `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
+
+Features:
+* server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806)
+* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
+* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
+* server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813)
+
+Bugs:
+* server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810)
+
+## 0.22.1 (October 26th, 2022)
+
+Changes:
+* `vault` updated to 1.12.0 [GH-803](https://github.com/hashicorp/vault-helm/pull/803)
+* `vault-k8s` updated to 1.0.1 [GH-803](https://github.com/hashicorp/vault-helm/pull/803)
+
+## 0.22.0 (September 8th, 2022)
+
+Features:
+* Add PrometheusOperator support for collecting Vault server metrics. [GH-772](https://github.com/hashicorp/vault-helm/pull/772)
+
+Changes:
+* `vault-k8s` to 1.0.0 [GH-784](https://github.com/hashicorp/vault-helm/pull/784)
+* Test against Kubernetes 1.25 [GH-784](https://github.com/hashicorp/vault-helm/pull/784)
+* `vault` updated to 1.11.3 [GH-785](https://github.com/hashicorp/vault-helm/pull/785)
+
+## 0.21.0 (August 10th, 2022)
+
+CHANGES:
+* `vault-k8s` updated to 0.17.0. [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
+* `vault-csi-provider` updated to 1.2.0 [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
+* `vault` updated to 1.11.2 [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
+* Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744)
+* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
+* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
+
+Features:
+* server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
+* csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
+* injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
+* Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610)
+* Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753)
+
+## 0.20.1 (May 25th, 2022)
+CHANGES:
+* `vault-k8s` updated to 0.16.1 [GH-739](https://github.com/hashicorp/vault-helm/pull/739)
+
+Improvements:
+* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
+
+Bugs:
+* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
+
+## 0.20.0 (May 16th, 2022)
+
+CHANGES:
+* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
+* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
+* Vault default image to 1.10.3
+* CSI provider default image to 1.1.0
+* Vault K8s default image to 0.16.0
+* Earliest Kubernetes version tested is now 1.16
+* Helm 3.6+ now required
+
+Features:
+* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652)
+
+Improvements:
+* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690)
+* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683)
+* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710)
+* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709)
+* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694)
+* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684)
+* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692)
+
+## 0.19.0 (January 20th, 2022)
+
+CHANGES:
+* Vault image default 1.9.2
+* Vault K8s image default 0.14.2
+
+Features:
+* Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653)
+* Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659)
+* Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661)
+* csi: ability to set priorityClassName for CSI daemonset pods [GH-670](https://github.com/hashicorp/vault-helm/pull/670)
+
+Improvements:
+* Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679)
+* Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673)
+* Make TLS configurable for OpenShift routes [GH-686](https://github.com/hashicorp/vault-helm/pull/686)
+
+## 0.18.0 (November 17th, 2021)
+
+CHANGES:
+* Removed support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector since vault-k8s now uses an internal mechanism to determine leadership [GH-649](https://github.com/hashicorp/vault-helm/pull/649)
+* Vault image default 1.9.0
+* Vault K8s image default 0.14.1
+
+Improvements:
+* Added templateConfig.staticSecretRenderInterval chart option for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621)
+
+## 0.17.1 (October 25th, 2021)
+
+Improvements:
+  * Add option for Ingress PathType [GH-634](https://github.com/hashicorp/vault-helm/pull/634)
+
+## 0.17.0 (October 21st, 2021)
+
+KNOWN ISSUES:
+* The chart will fail to deploy on Kubernetes 1.19+ with `server.ingress.enabled=true` because no `pathType` is set
+
+CHANGES:
+* Vault image default 1.8.4
+* Vault K8s image default 0.14.0
+
+Improvements:
+* Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590)
+* Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types [GH-626](https://github.com/hashicorp/vault-helm/pull/626)
+* Support setting ingressClassName on server Ingress [GH-630](https://github.com/hashicorp/vault-helm/pull/630)
+
+Bugs:
+* Ensure `kubeletRootDir` volume path and mounts are the same when `csi.daemonSet.kubeletRootDir` is overridden [GH-628](https://github.com/hashicorp/vault-helm/pull/628)
+
+## 0.16.1 (September 29th, 2021)
+
+CHANGES:
+* Vault image default 1.8.3
+* Vault K8s image default 0.13.1
+
+## 0.16.0 (September 16th, 2021)
+
+CHANGES:
+* Support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector will be removed in version 0.18.0 of this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true`.
+
+Improvements:
+ * Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` [GH-603](https://github.com/hashicorp/vault-helm/pull/603)
+ * Support vault-k8s internal leader election [GH-568](https://github.com/hashicorp/vault-helm/pull/568) [GH-607](https://github.com/hashicorp/vault-helm/pull/607)
+
+## 0.15.0 (August 23rd, 2021)
+
+Improvements:
+* Add imagePullSecrets on server test [GH-572](https://github.com/hashicorp/vault-helm/pull/572)
+* Add injector.webhookAnnotations chart option [GH-584](https://github.com/hashicorp/vault-helm/pull/584)
+
+## 0.14.0 (July 28th, 2021)
+
+Features:
+* Added templateConfig.exitOnRetryFailure chart option for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560)
+
+Improvements:
+* Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565)
+* Set the default vault image to come from the hashicorp organization [GH-567](https://github.com/hashicorp/vault-helm/pull/567)
+* Add support for running the acceptance tests against a local `kind` cluster [GH-567](https://github.com/hashicorp/vault-helm/pull/567)
+* Add `server.ingress.activeService` to configure if the ingress should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570)
+* Add `server.route.activeService` to configure if the route should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570)
+* Support configuring `global.imagePullSecrets` from a string array [GH-576](https://github.com/hashicorp/vault-helm/pull/576)
+
+
+## 0.13.0 (June 17th, 2021)
+
+Improvements:
+* Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531)
+* Added server.enterpriseLicense option [GH-547](https://github.com/hashicorp/vault-helm/pull/547)
+* Added OpenShift overrides [GH-549](https://github.com/hashicorp/vault-helm/pull/549)
+
+Bugs:
+* Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537)
+* Fix server.ha.disruptionBudget.maxUnavailable schema [GH-535](https://github.com/hashicorp/vault-helm/pull/535)
+* Added webhook-certs volume mount to sidecar injector [GH-545](https://github.com/hashicorp/vault-helm/pull/545)
+
+## 0.12.0 (May 25th, 2021)
+
+Features:
+* Pass additional arguments to `vault-csi-provider` using `csi.extraArgs` [GH-526](https://github.com/hashicorp/vault-helm/pull/526)
+
+Improvements:
+* Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510)
+* Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513)
+* Ability to set tolerations for CSI daemonset pods [GH-521](https://github.com/hashicorp/vault-helm/pull/521)
+* UI target port is now configurable [GH-437](https://github.com/hashicorp/vault-helm/pull/437)
+
+Bugs:
+* CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519)
+
+## 0.11.0 (April 14th, 2021)
+
+Features:
+* Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486)
+* Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471)
+* Injector port is now configurable [GH-489](https://github.com/hashicorp/vault-helm/pull/489)
+* Injector Vault Agent resource defaults are now configurable [GH-493](https://github.com/hashicorp/vault-helm/pull/493)
+* Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460)
+* Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488)
+
+Improvements:
+* Added `https` name to injector service port [GH-495](https://github.com/hashicorp/vault-helm/pull/495)
+
+Bugs:
+* CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486)
+
+## 0.10.0 (March 25th, 2021)
+
+Features:
+* Add support for [Vault CSI provider](https://github.com/hashicorp/vault-csi-provider) [GH-461](https://github.com/hashicorp/vault-helm/pull/461)
+
+Improvements:
+* `objectSelector` can now be set on the mutating admission webhook [GH-456](https://github.com/hashicorp/vault-helm/pull/456)
+
+## 0.9.1 (February 2nd, 2021)
+
+Bugs:
+* Injector: fix labels for default anti-affinity rule [GH-441](https://github.com/hashicorp/vault-helm/pull/441), [GH-442](https://github.com/hashicorp/vault-helm/pull/442)
+* Set VAULT_DEV_LISTEN_ADDRESS in dev mode [GH-446](https://github.com/hashicorp/vault-helm/pull/446)
+
+## 0.9.0 (January 5th, 2021)
+
+Features:
+* Injector now supports configurable number of replicas [GH-436](https://github.com/hashicorp/vault-helm/pull/436)
+* Injector now supports auto TLS for multiple replicas using leader elections [GH-436](https://github.com/hashicorp/vault-helm/pull/436)
+
+Improvements:
+* Dev mode now supports `server.extraArgs` [GH-421](https://github.com/hashicorp/vault-helm/pull/421)
+* Dev mode root token is now configurable with `server.dev.devRootToken` [GH-415](https://github.com/hashicorp/vault-helm/pull/415)
+* ClusterRoleBinding updated to `v1` [GH-395](https://github.com/hashicorp/vault-helm/pull/395)
+* MutatingWebhook updated to `v1` [GH-408](https://github.com/hashicorp/vault-helm/pull/408)
+* Injector service now supports `injector.service.annotations` [425](https://github.com/hashicorp/vault-helm/pull/425)
+* Injector now supports `injector.extraLabels` [428](https://github.com/hashicorp/vault-helm/pull/428)
+* Added `allowPrivilegeEscalation: false` to Vault and Injector containers [429](https://github.com/hashicorp/vault-helm/pull/429)
+* Network Policy now supports `server.networkPolicy.egress` [389](https://github.com/hashicorp/vault-helm/pull/389)
+
+## 0.8.0 (October 20th, 2020)
+
+Improvements:
+* Make server NetworkPolicy independent of OpenShift [GH-381](https://github.com/hashicorp/vault-helm/pull/381)
+* Added configurables for all probe values [GH-387](https://github.com/hashicorp/vault-helm/pull/387)
+* MountPath for audit and data storage is now configurable [GH-393](https://github.com/hashicorp/vault-helm/pull/393)
+* Annotations can now be added to the Injector pods [GH-394](https://github.com/hashicorp/vault-helm/pull/394)
+* The injector can now be configured with a failurePolicy [GH-400](https://github.com/hashicorp/vault-helm/pull/400)
+* Added additional environment variables for rendering within Vault config [GH-398](https://github.com/hashicorp/vault-helm/pull/398)
+* Service account for Vault K8s auth is automatically created when `injector.externalVaultAddr` is set [GH-392](https://github.com/hashicorp/vault-helm/pull/392)
+
+Bugs:
+* Fixed install output using Helm V2 command [GH-378](https://github.com/hashicorp/vault-helm/pull/378)
+
+## 0.7.0 (August 24th, 2020)
+
+Features:
+* Added `volumes` and `volumeMounts` for mounting _any_ type of volume [GH-314](https://github.com/hashicorp/vault-helm/pull/314).
+* Added configurable to enable prometheus telemetery exporter for Vault Agent Injector [GH-372](https://github.com/hashicorp/vault-helm/pull/372)
+
+Improvements:
+* Added `defaultMode` configurable to `extraVolumes`[GH-321](https://github.com/hashicorp/vault-helm/pull/321)
+* Option to install and use PodSecurityPolicy's for vault server and injector [GH-177](https://github.com/hashicorp/vault-helm/pull/177)
+* `VAULT_API_ADDR` is now configurable [GH-290](https://github.com/hashicorp/vault-helm/pull/290)
+* Removed deprecated tolerate unready endpoint annotations [GH-363](https://github.com/hashicorp/vault-helm/pull/363)
+* Add an option to set annotations on the StatefulSet [GH-199](https://github.com/hashicorp/vault-helm/pull/199)
+* Make the vault server serviceAccount name a configuration option [GH-367](https://github.com/hashicorp/vault-helm/pull/367)
+* Removed annotation striction from `dev` mode [GH-371](https://github.com/hashicorp/vault-helm/pull/371)
+* Add an option to set annotations on PVCs [GH-364](https://github.com/hashicorp/vault-helm/pull/364)
+* Added service configurables for UI [GH-285](https://github.com/hashicorp/vault-helm/pull/285)
+
+Bugs:
+* Fix python dependency in test image [GH-337](https://github.com/hashicorp/vault-helm/pull/337)
+* Fix caBundle not being quoted causing validation issues with Helm 3 [GH-352](https://github.com/hashicorp/vault-helm/pull/352)
+* Fix injector network policy being rendered when injector is not enabled [GH-358](https://github.com/hashicorp/vault-helm/pull/358)
+
+## 0.6.0 (June 3rd, 2020)
+
+Features:
+* Added `extraInitContainers` to define init containers for the Vault cluster [GH-258](https://github.com/hashicorp/vault-helm/pull/258)
+* Added `postStart` lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready [GH-315](https://github.com/hashicorp/vault-helm/pull/315)
+* Beta: Added OpenShift support [GH-319](https://github.com/hashicorp/vault-helm/pull/319)
+
+Improvements:
+* Server configs can now be defined in YAML.  Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213)
+* Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)]
+* Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)]
+* Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)]
+* Added configurable to set the Raft node name to hostname [[GH-269](https://github.com/hashicorp/vault-helm/pull/269)]
+* Support setting priorityClassName on pods [[GH-282](https://github.com/hashicorp/vault-helm/pull/282)]
+* Added support for ingress apiVersion `networking.k8s.io/v1beta1` [[GH-310](https://github.com/hashicorp/vault-helm/pull/310)]
+* Added configurable to change service type for the HA active service [GH-317](https://github.com/hashicorp/vault-helm/pull/317)
+
+Bugs:
+* Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)]
+* Fixed annotations for HA standby/active services [[GH-268](https://github.com/hashicorp/vault-helm/pull/268)]
+* Updated some value defaults to match their use in templates [[GH-309](https://github.com/hashicorp/vault-helm/pull/309)]
+* Use active service on ingress when ha [[GH-270](https://github.com/hashicorp/vault-helm/pull/270)]
+* Fixed bug where pull secrets weren't being used for injector image [GH-298](https://github.com/hashicorp/vault-helm/pull/298)
+
+## 0.5.0 (April 9th, 2020)
+
+Features:
+
+* Added Raft support for HA mode [[GH-228](https://github.com/hashicorp/vault-helm/pull/229)]
+* Now supports Vault Enterprise [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)]
+* Added K8s Service Registration for HA modes [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)]
+
+* Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)]
+* Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)]
+* Option to set environment variables for the injector deployment [[GH-232](https://github.com/hashicorp/vault-helm/pull/232)]
+* Added affinity, tolerations, and nodeSelector options for the injector deployment [[GH-234](https://github.com/hashicorp/vault-helm/pull/234)]
+* Made all annotations multi-line strings [[GH-227](https://github.com/hashicorp/vault-helm/pull/227)]
+
+## 0.4.0 (February 21st, 2020)
+
+Improvements:
+
+* Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174)]
+* Added configurable to change updateStrategy [[GH-172](https://github.com/hashicorp/vault-helm/pull/172)]
+* Added sleep in the preStop lifecycle step [[GH-188](https://github.com/hashicorp/vault-helm/pull/188)]
+* Updated chart and tests to Helm 3 [[GH-195](https://github.com/hashicorp/vault-helm/pull/195)]
+* Adds Values.injector.externalVaultAddr to use the injector with an external vault [[GH-207](https://github.com/hashicorp/vault-helm/pull/207)]
+
+Bugs:
+
+* Fix bug where Vault lifecycle was appended after extra containers. [[GH-179](https://github.com/hashicorp/vault-helm/pull/179)]
+
+## 0.3.3 (January 14th, 2020)
+
+Security:
+
+* Added `server.extraArgs` to allow loading of additional Vault configurations containing sensitive settings [GH-175](https://github.com/hashicorp/vault-helm/issues/175)
+
+Bugs:
+
+* Fixed injection bug where wrong environment variables were being used for manually mounted TLS files
+
+## 0.3.2 (January 8th, 2020)
+
+Bugs:
+
+* Fixed injection bug where TLS Skip Verify was true by default [VK8S-35]
+
+## 0.3.1 (January 2nd, 2020)
+
+Bugs:
+
+* Fixed injection bug causing kube-system pods to be rejected [VK8S-14]
+
+## 0.3.0 (December 19th, 2019)
+
+Features:
+
+* Extra containers can now be added to the Vault pods
+* Added configurability of pod probes
+* Added Vault Agent Injector
+
+Improvements:
+
+* Moved `global.image` to `server.image`
+* Changed UI service template to route pods that aren't ready via `publishNotReadyAddresses: true`
+* Added better HTTP/HTTPS scheme support to http probes
+* Added configurable node port for Vault service
+* `server.authDelegator` is now enabled by default
+
+Bugs:
+
+* Fixed upgrade bug by removing chart label which contained the version
+* Fixed typo on `serviceAccount` (was `serviceaccount`)
+* Fixed readiness/liveliness HTTP probe default to accept standbys
+
+## 0.2.1 (November 12th, 2019)
+
+Bugs:
+
+* Removed `readOnlyRootFilesystem` causing issues when validating deployments
+
+## 0.2.0 (October 29th, 2019)
+
+Features:
+
+* Added load balancer support
+* Added ingress support
+* Added configurable for service types (ClusterIP, NodePort, LoadBalancer, etc)
+* Removed root requirements, now runs as Vault user
+
+Improvements:
+
+* Added namespace value to all rendered objects
+* Made ports configurable in services
+* Added the ability to add custom annotations to services
+* Added docker image for running bats test in CircleCI
+* Removed restrictions around `dev` mode such as annotations
+* `readOnlyRootFilesystem` is now configurable
+* Image Pull Policy is now configurable
+
+Bugs:
+
+* Fixed selector bugs related to Helm label updates (services, affinities, and pod disruption)
+* Fixed bug where audit storage was not being mounted in HA mode
+* Fixed bug where Vault pod wasn't receiving SIGTERM signals
+
+
+## 0.1.2 (August 22nd, 2019)
+
+Features:
+
+* Added `extraSecretEnvironmentVars` to allow users to mount secrets as
+  environment variables
+* Added `tlsDisable` configurable to change HTTP protocols from HTTP/HTTPS
+  depending on the value
+* Added `serviceNodePort` to configure a NodePort value when setting `serviceType`
+  to "NodePort"
+
+Improvements:
+
+* Changed UI port to 8200 for better HTTP protocol support
+* Added `path` to `extraVolumes` to define where the volume should be
+  mounted.  Defaults to `/vault/userconfig`
+* Upgraded Vault to 1.2.2
+
+Bugs:
+
+* Fixed bug where upgrade would fail because immutable labels were being
+  changed (Helm Version label)
+* Fixed bug where UI service used wrong selector after updating helm labels
+* Added `VAULT_API_ADDR` env to Vault pod to fixed bug where Vault thinks
+  Consul is the active node
+* Removed `step-down` preStop since it requires authentication.  Shutdown signal
+  sent by Kube acts similar to `step-down`
+
+
+## 0.1.1 (August 7th, 2019)
+
+Features:
+
+* Added `authDelegator` Cluster Role Binding to Vault service account for
+  bootstrapping Kube auth method
+
+Improvements:
+
+* Added `server.service.clusterIP` to `values.yml` so users can toggle
+  the Vault service to headless by using the value `None`.
+* Upgraded Vault to 1.2.1
+
+## 0.1.0 (August 6th, 2019)
 
 Initial release

CONTRIBUTING.md

@@ -0,0 +1,248 @@
+# Contributing to OpenBao Helm
+
+**Please note:** We take OpenBao's security and our users' trust very seriously.
+If you believe you have found a security issue in OpenBao, please responsibly
+disclose by contacting us at openbao-security@lists.lfedge.org.
+
+**First:** if you're unsure or afraid of _anything_, just ask or submit the
+issue or pull request anyways. You won't be yelled at for giving it your best
+effort. The worst that can happen is that you'll be politely asked to change
+something. We appreciate any sort of contributions, and don't want a wall of
+rules to get in the way of that.
+
+That said, if you want to ensure that a pull request is likely to be merged,
+talk to us! You can find out our thoughts and ensure that your contribution
+won't clash or be obviated by OpenBao's normal direction. A great way to do this
+is via the [Linux Foundation Element chat server][1], or [mailing list][2].
+
+This document will cover what we're looking for in terms of reporting issues.
+By addressing all the points we're looking for, it raises the chances we can
+quickly merge or address your contributions.
+
+[1]: https://chat.lfx.linuxfoundation.org
+[2]: https://lists.lfedge.org/g/openbao
+
+## Issues
+
+### Reporting an Issue
+
+* Make sure you test against the latest released version. It is possible
+  we already fixed the bug you're experiencing. Even better is if you can test
+  against `main`, as bugs are fixed regularly but new versions are only
+  released every few months.
+
+* Provide steps to reproduce the issue, and if possible include the expected
+  results as well as the actual results. Please provide text, not screen shots!
+
+* Respond as promptly as possible to any questions made by the OpenBao
+  team to your issue. Stale issues will be closed periodically.
+
+### Issue Lifecycle
+
+1. The issue is reported.
+
+2. The issue is verified and categorized by a OpenBao Helm collaborator.
+   Categorization is done via tags. For example, bugs are marked as "bugs".
+
+3. Unless it is critical, the issue may be left for a period of time (sometimes
+   many weeks), giving outside contributors -- maybe you!? -- a chance to
+   address the issue.
+
+4. The issue is addressed in a pull request or commit. The issue will be
+   referenced in the commit message so that the code that fixes it is clearly
+   linked.
+
+5. The issue is closed. Sometimes, valid issues will be closed to keep
+   the issue tracker clean. The issue is still indexed and available for
+   future viewers, or can be re-opened if necessary.
+
+## Testing
+
+The Helm chart ships with both unit and acceptance tests.
+
+The unit tests don't require any active Kubernetes cluster and complete
+very quickly. These should be used for fast feedback during development.
+The acceptance tests require a Kubernetes cluster with a configured `kubectl`.
+
+### Test Using Docker Container
+
+The following are the instructions for running bats tests using a Docker container.
+
+#### Prerequisites
+
+* Docker installed
+* `openbao-helm` checked out locally
+
+#### Test
+
+**Note:** the following commands should be run from the `openbao-helm` directory.
+
+First, build the Docker image for running the tests:
+
+```shell
+docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t openbao-helm-test
+```
+Next, execute the tests with the following commands:
+```shell
+docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit
+```
+It's possible to only run specific bats tests using regular expressions.
+For example, the following will run only tests with "injector" in the name:
+```shell
+docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit -f "injector"
+```
+
+### Test Manually
+The following are the instructions for running bats tests on your workstation.
+#### Prerequisites
+* [Bats](https://github.com/bats-core/bats-core)
+  ```bash
+  brew install bats-core
+  ```
+* [yq](https://pypi.org/project/yq/)
+  ```bash
+  brew install python-yq
+  ```
+* [helm](https://helm.sh)
+  ```bash
+  brew install kubernetes-helm
+  ```
+
+#### Test
+
+To run the unit tests:
+
+    bats ./test/unit
+
+To run the acceptance tests:
+
+    bats ./test/acceptance
+
+If the acceptance tests fail, deployed resources in the Kubernetes cluster
+may not be properly cleaned up. We recommend recycling the Kubernetes cluster to
+start from a clean slate.
+
+**Note:** There is a Terraform configuration in the
+[`test/terraform/`](https://github.com/openbao/openbao-helm/tree/main/test/terraform) directory
+that can be used to quickly bring up a GKE cluster and configure
+`kubectl` and `helm` locally. This can be used to quickly spin up a test
+cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes
+cluster.
+
+### Writing Unit Tests
+
+Changes to the Helm chart should be accompanied by appropriate unit tests.
+
+#### Formatting
+
+- Put tests in the test file in the same order as the variables appear in the `values.yaml`.
+- Start tests for a chart value with a header that says what is being tested, like this:
+    ```
+    #--------------------------------------------------------------------
+    # annotations
+    ```
+
+- Name the test based on what it's testing in the following format (this will be its first line):
+    ```
+    @test "<section being tested>: <short description of the test case>" {
+    ```
+
+    When adding tests to an existing file, the first section will be the same as the other tests in the file.
+
+#### Test Details
+
+[Bats](https://github.com/bats-core/bats-core) provides a way to run commands in a shell and inspect the output in an automated way.
+In all of the tests in this repo, the base command being run is [helm template](https://docs.helm.sh/helm/#helm-template) which turns the templated files into straight yaml output.
+In this way, we're able to test that the various conditionals in the templates render as we would expect.
+
+Each test defines the files that should be rendered using the `--show-only` flag, then it might adjust chart values by adding `--set` flags as well.
+The output from this `helm template` command is then piped to [yq](https://pypi.org/project/yq/).
+`yq` allows us to pull out just the information we're interested in, either by referencing its position in the yaml file directly or giving information about it (like its length).
+The `-r` flag can be used with `yq` to return a raw string instead of a quoted one which is especially useful when looking for an exact match.
+
+The test passes or fails based on the conditional at the end that is in square brackets, which is a comparison of our expected value and the output of  `helm template` piped to `yq`.
+
+The `| tee /dev/stderr ` pieces direct any terminal output of the `helm template` and `yq` commands to stderr so that it doesn't interfere with `bats`.
+
+#### Test Examples
+
+Here are some examples of common test patterns:
+
+- Check that a value is disabled by default
+
+    ```
+    @test "ui/Service: no type by default" {
+      cd `chart_dir`
+      local actual=$(helm template \
+          --show-only templates/ui-service.yaml  \
+          . | tee /dev/stderr |
+          yq -r '.spec.type' | tee /dev/stderr)
+      [ "${actual}" = "null" ]
+    }
+    ```
+
+    In this example, nothing is changed from the default templates (no `--set` flags), then we use `yq` to retrieve the value we're checking, `.spec.type`.
+    This output is then compared against our expected value (`null` in this case) in the assertion `[ "${actual}" = "null" ]`.
+
+
+- Check that a template value is rendered to a specific value
+    ```
+    @test "ui/Service: specified type" {
+      cd `chart_dir`
+      local actual=$(helm template \
+          --show-only templates/ui-service.yaml  \
+          --set 'ui.serviceType=LoadBalancer' \
+          . | tee /dev/stderr |
+          yq -r '.spec.type' | tee /dev/stderr)
+      [ "${actual}" = "LoadBalancer" ]
+    }
+    ```
+
+    This is very similar to the last example, except we've changed a default value with the `--set` flag and correspondingly changed the expected value.
+
+- Check that a template value contains several values
+    ```
+	@test "server/standalone-StatefulSet: custom resources" {
+	  cd `chart_dir`
+	  local actual=$(helm template \
+		  --show-only templates/server-statefulset.yaml  \
+		  --set 'server.standalone.enabled=true' \
+		  --set 'server.resources.requests.memory=256Mi' \
+		  --set 'server.resources.requests.cpu=250m' \
+		  . | tee /dev/stderr |
+		  yq -r '.spec.template.spec.containers[0].resources.requests.memory' | tee /dev/stderr)
+	  [ "${actual}" = "256Mi" ]
+
+	  local actual=$(helm template \
+		  --show-only templates/server-statefulset.yaml  \
+		  --set 'server.standalone.enabled=true' \
+		  --set 'server.resources.limits.memory=256Mi' \
+		  --set 'server.resources.limits.cpu=250m' \
+		  . | tee /dev/stderr |
+		  yq -r '.spec.template.spec.containers[0].resources.limits.memory' | tee /dev/stderr)
+	  [ "${actual}" = "256Mi" ]
+    ```
+
+    *Note:* If testing more than two conditions, it would be good to separate the `helm template` part of the command from the `yq` sections to reduce redundant work.
+
+- Check that an entire template file is not rendered
+    ```
+    @test "syncCatalog/Deployment: disabled by default" {
+      cd `chart_dir`
+      local actual=$( (helm template \
+          --show-only templates/server-statefulset.yaml  \
+          --set 'global.enabled=false' \
+          . || echo "---") | tee /dev/stderr |
+          yq 'length > 0' | tee /dev/stderr)
+      [ "${actual}" = "false" ]
+    }
+    ```
+    Here we are check the length of the command output to see if the anything is rendered.
+    This style can easily be switched to check that a file is rendered instead.
+
+## Contributor License Agreement
+
+We require that all contributors sign our Contributor License Agreement ("CLA")
+before we can accept the contribution.
+
+[Learn more about why HashiCorp requires a CLA and what the CLA includes](https://www.hashicorp.com/cla)

Chart.yaml

@@ -1,8 +0,0 @@
-apiVersion: v1
-name: vault
-version: 0.1.0
-description: Install and configure Vault on Kubernetes.
-home: https://www.vaultproject.io
-sources:
-  - https://github.com/hashicorp/vault
-  - https://github.com/hashicorp/vault-helm

LICENSE

@@ -1,3 +1,5 @@
+Copyright (c) 2018 HashiCorp, Inc.
+
 Mozilla Public License, version 2.0
 
 1. Definitions

Makefile

@@ -1,6 +1,100 @@
-TEST_IMAGE?=consul-helm-test
+TEST_IMAGE?=openbao-helm-test
+GOOGLE_CREDENTIALS?=openbao-helm-test.json
+CLOUDSDK_CORE_PROJECT?=openbao-helm-dev-246514
+# set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats
+ACCEPTANCE_TESTS?=acceptance
 
-test-docker:
-	@docker build --rm -t '$(TEST_IMAGE)' -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR)
+# filter bats unit tests to run.
+UNIT_TESTS_FILTER?='.*'
 
-.PHONY: test-docker
+# set to 'true' to run acceptance tests locally in a kind cluster
+LOCAL_ACCEPTANCE_TESTS?=false
+
+# kind cluster name
+KIND_CLUSTER_NAME?=openbao-helm
+
+# kind k8s version
+KIND_K8S_VERSION?=v1.29.2
+
+# Generate json schema for chart values. See test/README.md for more details.
+values-schema:
+	helm schema-gen values.yaml > values.schema.json
+
+test-image:
+	@docker build --rm -t $(TEST_IMAGE) -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR)
+
+test-unit:
+	@docker run --rm -it -v ${PWD}:/helm-test $(TEST_IMAGE) bats -f $(UNIT_TESTS_FILTER) /helm-test/test/unit
+
+test-bats: test-unit test-acceptance
+
+test: test-image test-bats
+
+# run acceptance tests on GKE
+# set google project/credential vars above
+test-acceptance:
+ifeq ($(LOCAL_ACCEPTANCE_TESTS),true)
+	make setup-kind acceptance
+else
+	@docker run -it -v ${PWD}:/helm-test \
+	-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
+	-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
+	-e KUBECONFIG=/helm-test/.kube/config \
+	-w /helm-test \
+	$(TEST_IMAGE) \
+	make acceptance
+endif
+
+# destroy GKE cluster using terraform
+test-destroy:
+	@docker run -it -v ${PWD}:/helm-test \
+	-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
+	-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
+	-w /helm-test \
+	$(TEST_IMAGE) \
+	make destroy-cluster
+
+# provision GKE cluster using terraform
+test-provision:
+	@docker run -it -v ${PWD}:/helm-test \
+	-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
+	-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
+	-e KUBECONFIG=/helm-test/.kube/config \
+	-w /helm-test \
+	$(TEST_IMAGE) \
+	make provision-cluster
+
+# this target is for running the acceptance tests
+# it is run in the docker container above when the test-acceptance target is invoked
+acceptance:
+ifneq ($(LOCAL_ACCEPTANCE_TESTS),true)
+	gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
+endif
+	bats --tap --timing test/${ACCEPTANCE_TESTS}
+
+# this target is for provisioning the GKE cluster
+# it is run in the docker container above when the test-provision target is invoked
+provision-cluster:
+	gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
+	terraform init test/terraform
+	terraform apply -var project=${CLOUDSDK_CORE_PROJECT} -var init_cli=true -auto-approve test/terraform
+
+# this target is for removing the GKE cluster
+# it is run in the docker container above when the test-destroy target is invoked
+destroy-cluster:
+	terraform destroy -auto-approve
+
+# create a kind cluster for running the acceptance tests locally
+setup-kind:
+	kind get clusters | grep -q "^${KIND_CLUSTER_NAME}$$" || \
+	kind create cluster \
+	--image kindest/node:${KIND_K8S_VERSION} \
+	--name ${KIND_CLUSTER_NAME}  \
+	--config $(CURDIR)/test/kind/config.yaml
+	kubectl config use-context kind-${KIND_CLUSTER_NAME}
+
+# delete the kind cluster
+delete-kind:
+	kind delete cluster --name ${KIND_CLUSTER_NAME} || :
+
+.PHONY: values-schema test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster

README.md

@@ -1,72 +1,34 @@
-# Vault Helm Chart
+# OpenBao Helm Chart
 
-------
-## WIP - forked from vault-Helm and under heavy development
-------
+> :warning: **Please note**: We take OpenBao's security and our users' trust very seriously. If
+you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_
+by contacting us at [openbao-security@lists.lfedge.org](mailto:openbao-security@lists.lfedge.org).
 
-This repository contains the official HashiCorp Helm chart for installing
-and configuring Vault on Kubernetes. This chart supports multiple use
-cases of Vault on Kubernetes depending on the values provided.
-
-For full documentation on this Helm chart along with all the ways you can
-use Vault with Kubernetes, please see the
-[Vault and Kubernetes documentation](https://www.vault.io/docs/platform/k8s/index.html).
+This repository contains the OpenBao Helm chart for installing
+and configuring OpenBao on Kubernetes. This chart supports multiple use
+cases of OpenBao on Kubernetes depending on the values provided.
 
 ## Prerequisites
 
-To use the charts here, [Helm](https://helm.sh/) must be installed in your
-Kubernetes cluster. Setting up Kubernetes and Helm and is outside the scope
-of this README. Please refer to the Kubernetes and Helm documentation.
+To use the charts here, [Helm](https://helm.sh/) must be configured for your
+Kubernetes cluster. Setting up Kubernetes and Helm is outside the scope of
+this README. Please refer to the Kubernetes and Helm documentation.
 
 The versions required are:
 
-  * **Helm 2.10+** - This is the earliest version of Helm tested. It is possible
-    it works with earlier versions but this chart is untested for those versions.
-  * **Kubernetes 1.9+** - This is the earliest version of Kubernetes tested.
+  * **Helm 3.12+** - Earliest verison tested
+  * **Kubernetes 1.28+** - This is the earliest version of Kubernetes tested.
     It is possible that this chart works with earlier versions but it is
-    untested. Other versions verified are Kubernetes 1.10, 1.11.
+    untested.
 
 ## Usage
 
-For now, we do not host a chart repository. To use the charts, you must
-download this repository and unpack it into a directory. Either
-[download a tagged release](https://github.com/hashicorp/vault-helm/releases) or
-use `git checkout` to a tagged release.
-Assuming this repository was unpacked into the directory `vault-helm`, the chart can
-then be installed directly:
+To install the latest version of this chart, add the OpenBao helm repository and run `helm install`:
 
-    helm install ./vault-helm
+```console
+helm repo add openbao https://openbao.github.io/openbao-helm
 
-Please see the many options supported in the `values.yaml`
-file. These are also fully documented directly on the
-[Vault website](https://www.vault.io/docs/platform/k8s/helm.html).
+helm install openbao openbao/openbao
+```
 
-## Testing
-
-The Helm chart ships with both unit and acceptance tests.
-
-The unit tests don't require any active Kubernetes cluster and complete
-very quickly. These should be used for fast feedback during development.
-The acceptance tests require a Kubernetes cluster with a configured `kubectl`.
-Both require [Bats](https://github.com/bats-core/bats-core) and `helm` to be
-installed and available on the CLI. The unit tests also require the correct
-version of [yq](https://pypi.org/project/yq/) if running locally.
-
-To run the unit tests:
-
-    bats ./test/unit
-
-To run the acceptance tests:
-
-    bats ./test/acceptance
-
-If the acceptance tests fail, deployed resources in the Kubernetes cluster
-may not be properly cleaned up. We recommend recycling the Kubernetes cluster to
-start from a clean slate.
-
-**Note:** There is a Terraform configuration in the
-[test/terraform/ directory](https://github.com/hashicorp/vault-helm/tree/master/test/terraform)
-that can be used to quickly bring up a GKE cluster and configure
-`kubectl` and `helm` locally. This can be used to quickly spin up a test
-cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes
-cluster.
+Please see the many options supported in the [`values.yaml`](./charts/openbao/values.yaml) file. These are also fully documented directly in the [openbao README](./charts/openbao/README.md) along with more detailed installation instructions.

charts/openbao/.helmignore

@@ -0,0 +1,28 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.terraform/
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+
+# CI and test
+.circleci/
+.github/
+.gitlab-ci.yml
+test/

charts/openbao/Chart.yaml

@@ -0,0 +1,31 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: v2
+name: openbao
+version: 0.6.0
+appVersion: v2.0.2
+kubeVersion: ">= 1.27.0-0"
+description: Official OpenBao Chart
+home: https://github.com/openbao/openbao-helm
+icon: https://github.com/openbao/artwork/blob/main/color/openbao-color.svg
+keywords:
+  [
+    "vault",
+    "openbao",
+    "security",
+    "encryption",
+    "secrets",
+    "management",
+    "automation",
+    "infrastructure",
+  ]
+sources:
+  - https://github.com/openbao/openbao-helm
+annotations:
+  charts.openshift.io/name: Openbao
+
+maintainers:
+  - name: OpenBao
+    email: openbao-security@lists.lfedge.org
+    url: https://openbao.org

charts/openbao/README.md

@@ -0,0 +1,294 @@
+# openbao
+
+![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: v2.0.2](https://img.shields.io/badge/AppVersion-v2.0.2-informational?style=flat-square)
+
+Official OpenBao Chart
+
+**Homepage:** <https://github.com/openbao/openbao-helm>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| OpenBao | <openbao-security@lists.lfedge.org> | <https://openbao.org> |
+
+## Source Code
+
+* <https://github.com/openbao/openbao-helm>
+
+## Requirements
+
+Kubernetes: `>= 1.27.0-0`
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| csi.agent.enabled | bool | `true` |  |
+| csi.agent.extraArgs | list | `[]` |  |
+| csi.agent.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" |
+| csi.agent.image.registry | string | `"quay.io"` | image registry to use for agent image |
+| csi.agent.image.repository | string | `"openbao/openbao"` | image repo to use for agent image |
+| csi.agent.image.tag | string | `"2.0.2"` | image tag to use for agent image |
+| csi.agent.logFormat | string | `"standard"` |  |
+| csi.agent.logLevel | string | `"info"` |  |
+| csi.agent.resources | object | `{}` |  |
+| csi.daemonSet.annotations | object | `{}` |  |
+| csi.daemonSet.extraLabels | object | `{}` |  |
+| csi.daemonSet.kubeletRootDir | string | `"/var/lib/kubelet"` |  |
+| csi.daemonSet.providersDir | string | `"/etc/kubernetes/secrets-store-csi-providers"` |  |
+| csi.daemonSet.securityContext.container | object | `{}` |  |
+| csi.daemonSet.securityContext.pod | object | `{}` |  |
+| csi.daemonSet.updateStrategy.maxUnavailable | string | `""` |  |
+| csi.daemonSet.updateStrategy.type | string | `"RollingUpdate"` |  |
+| csi.debug | bool | `false` |  |
+| csi.enabled | bool | `false` | True if you want to install a secrets-store-csi-driver-provider-vault daemonset.  Requires installing the secrets-store-csi-driver separately, see: https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver  With the driver and provider installed, you can mount OpenBao secrets into volumes similar to the OpenBao Agent injector, and you can also sync those secrets into Kubernetes secrets. |
+| csi.extraArgs | list | `[]` |  |
+| csi.hmacSecretName | string | `""` |  |
+| csi.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for csi image. if tag is "latest", set to "Always" |
+| csi.image.registry | string | `"docker.io"` | image registry to use for csi image |
+| csi.image.repository | string | `"hashicorp/vault-csi-provider"` | image repo to use for csi image |
+| csi.image.tag | string | `"1.4.0"` | image tag to use for csi image |
+| csi.livenessProbe.failureThreshold | int | `2` |  |
+| csi.livenessProbe.initialDelaySeconds | int | `5` |  |
+| csi.livenessProbe.periodSeconds | int | `5` |  |
+| csi.livenessProbe.successThreshold | int | `1` |  |
+| csi.livenessProbe.timeoutSeconds | int | `3` |  |
+| csi.pod.affinity | object | `{}` |  |
+| csi.pod.annotations | object | `{}` |  |
+| csi.pod.extraLabels | object | `{}` |  |
+| csi.pod.nodeSelector | object | `{}` |  |
+| csi.pod.tolerations | list | `[]` |  |
+| csi.priorityClassName | string | `""` |  |
+| csi.readinessProbe.failureThreshold | int | `2` |  |
+| csi.readinessProbe.initialDelaySeconds | int | `5` |  |
+| csi.readinessProbe.periodSeconds | int | `5` |  |
+| csi.readinessProbe.successThreshold | int | `1` |  |
+| csi.readinessProbe.timeoutSeconds | int | `3` |  |
+| csi.resources | object | `{}` |  |
+| csi.serviceAccount.annotations | object | `{}` |  |
+| csi.serviceAccount.extraLabels | object | `{}` |  |
+| csi.volumeMounts | list | `[]` | volumeMounts is a list of volumeMounts for the main server container. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. |
+| csi.volumes | list | `[]` | volumes is a list of volumes made available to all containers. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. |
+| global.enabled | bool | `true` | enabled is the master enabled switch. Setting this to true or false will enable or disable all the components within this chart by default. |
+| global.externalVaultAddr | string | `""` | External openbao server address for the injector and CSI provider to use. Setting this will disable deployment of a openbao server. |
+| global.imagePullSecrets | list | `[]` | Image pull secret to use for registry authentication. Alternatively, the value may be specified as an array of strings. |
+| global.namespace | string | `""` | The namespace to deploy to. Defaults to the `helm` installation namespace. |
+| global.openshift | bool | `false` | If deploying to OpenShift |
+| global.psp | object | `{"annotations":"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName:  runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName:  runtime/default\n","enable":false}` | Create PodSecurityPolicy for pods |
+| global.psp.annotations | string | `"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName:  runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName:  runtime/default\n"` | Annotation for PodSecurityPolicy. This is a multi-line templated string map, and can also be set as YAML. |
+| global.serverTelemetry.prometheusOperator | bool | `false` | Enable integration with the Prometheus Operator See the top level serverTelemetry section below before enabling this feature. |
+| global.tlsDisable | bool | `true` | TLS for end-to-end encrypted transport |
+| injector.affinity | string | `"podAntiAffinity:\n  requiredDuringSchedulingIgnoredDuringExecution:\n    - labelSelector:\n        matchLabels:\n          app.kubernetes.io/name: {{ template \"openbao.name\" . }}-agent-injector\n          app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n          component: webhook\n      topologyKey: kubernetes.io/hostname\n"` |  |
+| injector.agentDefaults.cpuLimit | string | `"500m"` |  |
+| injector.agentDefaults.cpuRequest | string | `"250m"` |  |
+| injector.agentDefaults.memLimit | string | `"128Mi"` |  |
+| injector.agentDefaults.memRequest | string | `"64Mi"` |  |
+| injector.agentDefaults.template | string | `"map"` |  |
+| injector.agentDefaults.templateConfig.exitOnRetryFailure | bool | `true` |  |
+| injector.agentDefaults.templateConfig.staticSecretRenderInterval | string | `""` |  |
+| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.2"}` | agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent containers.  This should be set to the official OpenBao image.  OpenBao 1.3.1+ is required. |
+| injector.agentImage.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" |
+| injector.agentImage.registry | string | `"quay.io"` | image registry to use for agent image |
+| injector.agentImage.repository | string | `"openbao/openbao"` | image repo to use for agent image |
+| injector.agentImage.tag | string | `"2.0.2"` | image tag to use for agent image |
+| injector.annotations | object | `{}` |  |
+| injector.authPath | string | `"auth/kubernetes"` |  |
+| injector.certs.caBundle | string | `""` |  |
+| injector.certs.certName | string | `"tls.crt"` |  |
+| injector.certs.keyName | string | `"tls.key"` |  |
+| injector.certs.secretName | string | `nil` |  |
+| injector.enabled | string | `"-"` | True if you want to enable openbao agent injection. @default: global.enabled |
+| injector.externalVaultAddr | string | `""` | Deprecated: Please use global.externalVaultAddr instead. |
+| injector.extraEnvironmentVars | object | `{}` |  |
+| injector.extraLabels | object | `{}` |  |
+| injector.failurePolicy | string | `"Ignore"` |  |
+| injector.hostNetwork | bool | `false` |  |
+| injector.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for k8s image. if tag is "latest", set to "Always" |
+| injector.image.registry | string | `"docker.io"` | image registry to use for k8s image |
+| injector.image.repository | string | `"hashicorp/vault-k8s"` | image repo to use for k8s image |
+| injector.image.tag | string | `"1.4.2"` | image tag to use for k8s image |
+| injector.leaderElector | object | `{"enabled":true}` | If multiple replicas are specified, by default a leader will be determined so that only one injector attempts to create TLS certificates. |
+| injector.livenessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
+| injector.livenessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
+| injector.livenessProbe.periodSeconds | int | `2` | How often (in seconds) to perform the probe |
+| injector.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed |
+| injector.livenessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
+| injector.logFormat | string | `"standard"` | Configures the log format of the injector. Supported log formats: "standard", "json". |
+| injector.logLevel | string | `"info"` | Configures the log verbosity of the injector. Supported log levels include: trace, debug, info, warn, error |
+| injector.metrics | object | `{"enabled":false}` | If true, will enable a node exporter metrics endpoint at /metrics. |
+| injector.namespaceSelector | object | `{}` |  |
+| injector.nodeSelector | object | `{}` |  |
+| injector.objectSelector | object | `{}` |  |
+| injector.podDisruptionBudget | object | `{}` |  |
+| injector.port | int | `8080` | Configures the port the injector should listen on |
+| injector.priorityClassName | string | `""` |  |
+| injector.readinessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
+| injector.readinessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
+| injector.readinessProbe.periodSeconds | int | `2` | How often (in seconds) to perform the probe |
+| injector.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed |
+| injector.readinessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
+| injector.replicas | int | `1` |  |
+| injector.resources | object | `{}` |  |
+| injector.revokeOnShutdown | bool | `false` |  |
+| injector.securityContext.container | object | `{}` |  |
+| injector.securityContext.pod | object | `{}` |  |
+| injector.service.annotations | object | `{}` |  |
+| injector.serviceAccount.annotations | object | `{}` |  |
+| injector.startupProbe.failureThreshold | int | `12` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
+| injector.startupProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
+| injector.startupProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe |
+| injector.startupProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed |
+| injector.startupProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
+| injector.strategy | object | `{}` |  |
+| injector.tolerations | list | `[]` |  |
+| injector.topologySpreadConstraints | list | `[]` |  |
+| injector.webhook.annotations | object | `{}` |  |
+| injector.webhook.failurePolicy | string | `"Ignore"` |  |
+| injector.webhook.matchPolicy | string | `"Exact"` |  |
+| injector.webhook.namespaceSelector | object | `{}` |  |
+| injector.webhook.objectSelector | string | `"matchExpressions:\n- key: app.kubernetes.io/name\n  operator: NotIn\n  values:\n  - {{ template \"openbao.name\" . }}-agent-injector\n"` |  |
+| injector.webhook.timeoutSeconds | int | `30` |  |
+| injector.webhookAnnotations | object | `{}` |  |
+| server.affinity | string | `"podAntiAffinity:\n  requiredDuringSchedulingIgnoredDuringExecution:\n    - labelSelector:\n        matchLabels:\n          app.kubernetes.io/name: {{ template \"openbao.name\" . }}\n          app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n          component: server\n      topologyKey: kubernetes.io/hostname\n"` |  |
+| server.annotations | object | `{}` |  |
+| server.auditStorage.accessMode | string | `"ReadWriteOnce"` |  |
+| server.auditStorage.annotations | object | `{}` |  |
+| server.auditStorage.enabled | bool | `false` |  |
+| server.auditStorage.labels | object | `{}` |  |
+| server.auditStorage.mountPath | string | `"/openbao/audit"` |  |
+| server.auditStorage.size | string | `"10Gi"` |  |
+| server.auditStorage.storageClass | string | `nil` |  |
+| server.authDelegator.enabled | bool | `true` |  |
+| server.configAnnotation | bool | `false` |  |
+| server.dataStorage.accessMode | string | `"ReadWriteOnce"` |  |
+| server.dataStorage.annotations | object | `{}` |  |
+| server.dataStorage.enabled | bool | `true` |  |
+| server.dataStorage.labels | object | `{}` |  |
+| server.dataStorage.mountPath | string | `"/openbao/data"` |  |
+| server.dataStorage.size | string | `"10Gi"` |  |
+| server.dataStorage.storageClass | string | `nil` |  |
+| server.dev.devRootToken | string | `"root"` |  |
+| server.dev.enabled | bool | `false` |  |
+| server.enabled | string | `"-"` |  |
+| server.extraArgs | string | `""` | extraArgs is a string containing additional OpenBao server arguments. |
+| server.extraContainers | string | `nil` |  |
+| server.extraEnvironmentVars | object | `{}` |  |
+| server.extraInitContainers | list | `[]` | extraInitContainers is a list of init containers. Specified as a YAML list. This is useful if you need to run a script to provision TLS certificates or write out configuration files in a dynamic way. |
+| server.extraLabels | object | `{}` |  |
+| server.extraPorts | list | `[]` | extraPorts is a list of extra ports. Specified as a YAML list. This is useful if you need to add additional ports to the statefulset in dynamic way. |
+| server.extraSecretEnvironmentVars | list | `[]` |  |
+| server.extraVolumes | list | `[]` |  |
+| server.ha.apiAddr | string | `nil` |  |
+| server.ha.clusterAddr | string | `nil` |  |
+| server.ha.config | string | `"ui = true\n\nlistener \"tcp\" {\n  tls_disable = 1\n  address = \"[::]:8200\"\n  cluster_address = \"[::]:8201\"\n}\nstorage \"consul\" {\n  path = \"openbao\"\n  address = \"HOST_IP:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n#   project     = \"openbao-helm-dev-246514\"\n#   region      = \"global\"\n#   key_ring    = \"openbao-helm-unseal-kr\"\n#   crypto_key  = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics.\n# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.\n# You may wish to enable unauthenticated metrics in the listener block above.\n#telemetry {\n#  prometheus_retention_time = \"30s\"\n#  disable_hostname = true\n#}\n"` |  |
+| server.ha.disruptionBudget.enabled | bool | `true` |  |
+| server.ha.disruptionBudget.maxUnavailable | string | `nil` |  |
+| server.ha.enabled | bool | `false` |  |
+| server.ha.raft.config | string | `"ui = true\n\nlistener \"tcp\" {\n  tls_disable = 1\n  address = \"[::]:8200\"\n  cluster_address = \"[::]:8201\"\n  # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n  #telemetry {\n  #  unauthenticated_metrics_access = \"true\"\n  #}\n}\n\nstorage \"raft\" {\n  path = \"/openbao/data\"\n}\n\nservice_registration \"kubernetes\" {}\n"` |  |
+| server.ha.raft.enabled | bool | `false` |  |
+| server.ha.raft.setNodeId | bool | `false` |  |
+| server.ha.replicas | int | `3` |  |
+| server.hostAliases | list | `[]` |  |
+| server.hostNetwork | bool | `false` |  |
+| server.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for server image. if tag is "latest", set to "Always" |
+| server.image.registry | string | `"quay.io"` | image registry to use for server image |
+| server.image.repository | string | `"openbao/openbao"` | image repo to use for server image |
+| server.image.tag | string | `"2.0.2"` | image tag to use for server image |
+| server.ingress.activeService | bool | `true` |  |
+| server.ingress.annotations | object | `{}` |  |
+| server.ingress.enabled | bool | `false` |  |
+| server.ingress.extraPaths | list | `[]` |  |
+| server.ingress.hosts[0].host | string | `"chart-example.local"` |  |
+| server.ingress.hosts[0].paths | list | `[]` |  |
+| server.ingress.ingressClassName | string | `""` |  |
+| server.ingress.labels | object | `{}` |  |
+| server.ingress.pathType | string | `"Prefix"` |  |
+| server.ingress.tls | list | `[]` |  |
+| server.livenessProbe.enabled | bool | `false` |  |
+| server.livenessProbe.execCommand | list | `[]` |  |
+| server.livenessProbe.failureThreshold | int | `2` |  |
+| server.livenessProbe.initialDelaySeconds | int | `60` |  |
+| server.livenessProbe.path | string | `"/v1/sys/health?standbyok=true"` |  |
+| server.livenessProbe.periodSeconds | int | `5` |  |
+| server.livenessProbe.port | int | `8200` |  |
+| server.livenessProbe.successThreshold | int | `1` |  |
+| server.livenessProbe.timeoutSeconds | int | `3` |  |
+| server.logFormat | string | `""` |  |
+| server.logLevel | string | `""` |  |
+| server.networkPolicy.egress | list | `[]` |  |
+| server.networkPolicy.enabled | bool | `false` |  |
+| server.networkPolicy.ingress[0].from[0].namespaceSelector | object | `{}` |  |
+| server.networkPolicy.ingress[0].ports[0].port | int | `8200` |  |
+| server.networkPolicy.ingress[0].ports[0].protocol | string | `"TCP"` |  |
+| server.networkPolicy.ingress[0].ports[1].port | int | `8201` |  |
+| server.networkPolicy.ingress[0].ports[1].protocol | string | `"TCP"` |  |
+| server.nodeSelector | object | `{}` |  |
+| server.persistentVolumeClaimRetentionPolicy | object | `{}` |  |
+| server.postStart | list | `[]` |  |
+| server.preStopSleepSeconds | int | `5` |  |
+| server.priorityClassName | string | `""` |  |
+| server.readinessProbe.enabled | bool | `true` |  |
+| server.readinessProbe.failureThreshold | int | `2` |  |
+| server.readinessProbe.initialDelaySeconds | int | `5` |  |
+| server.readinessProbe.periodSeconds | int | `5` |  |
+| server.readinessProbe.port | int | `8200` |  |
+| server.readinessProbe.successThreshold | int | `1` |  |
+| server.readinessProbe.timeoutSeconds | int | `3` |  |
+| server.resources | object | `{}` |  |
+| server.route.activeService | bool | `true` |  |
+| server.route.annotations | object | `{}` |  |
+| server.route.enabled | bool | `false` |  |
+| server.route.host | string | `"chart-example.local"` |  |
+| server.route.labels | object | `{}` |  |
+| server.route.tls.termination | string | `"passthrough"` |  |
+| server.service.active.annotations | object | `{}` |  |
+| server.service.active.enabled | bool | `true` |  |
+| server.service.annotations | object | `{}` |  |
+| server.service.enabled | bool | `true` |  |
+| server.service.externalTrafficPolicy | string | `"Cluster"` |  |
+| server.service.instanceSelector.enabled | bool | `true` |  |
+| server.service.ipFamilies | list | `[]` |  |
+| server.service.ipFamilyPolicy | string | `""` |  |
+| server.service.port | int | `8200` |  |
+| server.service.publishNotReadyAddresses | bool | `true` |  |
+| server.service.standby.annotations | object | `{}` |  |
+| server.service.standby.enabled | bool | `true` |  |
+| server.service.targetPort | int | `8200` |  |
+| server.serviceAccount.annotations | object | `{}` |  |
+| server.serviceAccount.create | bool | `true` |  |
+| server.serviceAccount.createSecret | bool | `false` |  |
+| server.serviceAccount.extraLabels | object | `{}` |  |
+| server.serviceAccount.name | string | `""` |  |
+| server.serviceAccount.serviceDiscovery.enabled | bool | `true` |  |
+| server.shareProcessNamespace | bool | `false` | shareProcessNamespace enables process namespace sharing between OpenBao and the extraContainers This is useful if OpenBao must be signaled, e.g. to send a SIGHUP for a log rotation |
+| server.standalone.config | string | `"ui = true\n\nlistener \"tcp\" {\n  tls_disable = 1\n  address = \"[::]:8200\"\n  cluster_address = \"[::]:8201\"\n  # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n  #telemetry {\n  #  unauthenticated_metrics_access = \"true\"\n  #}\n}\nstorage \"file\" {\n  path = \"/openbao/data\"\n}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n#   project     = \"openbao-helm-dev\"\n#   region      = \"global\"\n#   key_ring    = \"openbao-helm-unseal-kr\"\n#   crypto_key  = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n#  prometheus_retention_time = \"30s\"\n#  disable_hostname = true\n#}\n"` |  |
+| server.standalone.enabled | string | `"-"` |  |
+| server.statefulSet.annotations | object | `{}` |  |
+| server.statefulSet.securityContext.container | object | `{}` |  |
+| server.statefulSet.securityContext.pod | object | `{}` |  |
+| server.terminationGracePeriodSeconds | int | `10` |  |
+| server.tolerations | list | `[]` |  |
+| server.topologySpreadConstraints | list | `[]` |  |
+| server.updateStrategyType | string | `"OnDelete"` |  |
+| server.volumeMounts | string | `nil` |  |
+| server.volumes | string | `nil` |  |
+| serverTelemetry.prometheusRules.enabled | bool | `false` |  |
+| serverTelemetry.prometheusRules.rules | list | `[]` |  |
+| serverTelemetry.prometheusRules.selectors | object | `{}` |  |
+| serverTelemetry.serviceMonitor.enabled | bool | `false` |  |
+| serverTelemetry.serviceMonitor.interval | string | `"30s"` |  |
+| serverTelemetry.serviceMonitor.scrapeTimeout | string | `"10s"` |  |
+| serverTelemetry.serviceMonitor.selectors | object | `{}` |  |
+| ui.activeOpenbaoPodOnly | bool | `false` |  |
+| ui.annotations | object | `{}` |  |
+| ui.enabled | bool | `false` |  |
+| ui.externalPort | int | `8200` |  |
+| ui.externalTrafficPolicy | string | `"Cluster"` |  |
+| ui.publishNotReadyAddresses | bool | `true` |  |
+| ui.serviceIPFamilies | list | `[]` |  |
+| ui.serviceIPFamilyPolicy | string | `""` |  |
+| ui.serviceNodePort | string | `nil` |  |
+| ui.serviceType | string | `"ClusterIP"` |  |
+| ui.targetPort | int | `8200` |  |
+

charts/openbao/templates/NOTES.txt

@@ -0,0 +1,14 @@
+
+Thank you for installing OpenBao!
+
+Now that you have deployed OpenBao, you should look over the docs on using
+OpenBao with Kubernetes available here:
+
+https://openbao.org/docs/
+
+
+Your release is named {{ .Release.Name }}. To learn more about the release, try:
+
+  $ helm status {{ .Release.Name }}
+  $ helm get manifest {{ .Release.Name }}
+

charts/openbao/templates/csi-agent-configmap.yaml

@@ -0,0 +1,34 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.csiEnabled" . -}}
+{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "openbao.fullname" . }}-csi-provider-agent-config
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+data:
+  config.hcl: |
+    vault {
+        {{- if .Values.global.externalVaultAddr }}
+        "address" = "{{ .Values.global.externalVaultAddr }}"
+        {{- else }}
+        "address" = "{{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}"
+        {{- end }}
+    }
+
+    cache {}
+
+    listener "unix" {
+        address = "/var/run/vault/agent.sock"
+        tls_disable = true
+    }
+{{- end }}

charts/openbao/templates/csi-clusterrole.yaml

@@ -0,0 +1,23 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+{{- end }}

charts/openbao/templates/csi-clusterrolebinding.yaml

@@ -0,0 +1,24 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "openbao.fullname" . }}-csi-provider-clusterrolebinding
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: {{ template "openbao.fullname" . }}-csi-provider
+  namespace: {{ include "openbao.namespace" . }}
+{{- end }}

charts/openbao/templates/csi-daemonset.yaml

@@ -0,0 +1,157 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ template "openbao.fullname" . }}-csi-provider
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- if  .Values.csi.daemonSet.extraLabels -}}
+      {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}}
+    {{- end -}}
+  {{ template "csi.daemonSet.annotations" . }}
+spec:
+  updateStrategy:
+    type: {{ .Values.csi.daemonSet.updateStrategy.type }}
+    {{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
+    rollingUpdate:
+      maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
+    {{- end }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ template "openbao.name" . }}-csi-provider
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- if  .Values.csi.pod.extraLabels -}}
+          {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
+        {{- end -}}
+      {{ template "csi.pod.annotations" . }}
+    spec:
+      {{ template "csi.daemonSet.securityContext.pod" . }}
+      {{- if .Values.csi.priorityClassName }}
+      priorityClassName: {{ .Values.csi.priorityClassName }}
+      {{- end }}
+      serviceAccountName: {{ template "openbao.fullname" . }}-csi-provider
+      {{- template "csi.pod.tolerations" . }}
+      {{- template "csi.pod.nodeselector" . }}
+      {{- template "csi.pod.affinity" . }}
+      containers:
+        - name: {{ include "openbao.name" . }}-csi-provider
+          {{ template "csi.resources" . }}
+          {{ template "csi.daemonSet.securityContext.container" . }}
+          image: "{{ .Values.csi.image.registry | default "docker.io" }}/{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
+          imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
+          args:
+            - --endpoint=/provider/vault.sock
+            - --debug={{ .Values.csi.debug }}
+            {{- if .Values.csi.hmacSecretName }}
+            - --hmac-secret-name={{ .Values.csi.hmacSecretName }}
+            {{- else }}
+            - --hmac-secret-name={{- include "openbao.name" . }}-csi-provider-hmac-key
+            {{- end }}
+            {{- if .Values.csi.extraArgs }}
+            {{- toYaml .Values.csi.extraArgs | nindent 12 }}
+            {{- end }}
+          env:
+            - name: VAULT_ADDR
+            {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
+              value: "unix:///var/run/vault/agent.sock"
+            {{- else if .Values.global.externalVaultAddr }}
+              value: "{{ .Values.global.externalVaultAddr }}"
+            {{- else }}
+              value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
+            {{- end }}
+          volumeMounts:
+            - name: providervol
+              mountPath: "/provider"
+            {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
+            - name: agent-unix-socket
+              mountPath: /var/run/vault
+            {{- end }}
+            {{- if .Values.csi.volumeMounts }}
+              {{- toYaml .Values.csi.volumeMounts | nindent 12}}
+            {{- end }}
+          livenessProbe:
+            httpGet:
+              path: /health/ready
+              port: 8080
+            failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }}
+            successThreshold: {{ .Values.csi.livenessProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }}
+          readinessProbe:
+            httpGet:
+              path: /health/ready
+              port: 8080
+            failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }}
+            successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
+        {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
+        - name: {{ include "openbao.name" . }}-agent
+          image: "{{ .Values.csi.agent.image.registry | default "docker.io" }}/{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
+          imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }}
+          {{ template "csi.agent.resources" . }}
+          command:
+            - bao
+          args:
+            - agent
+            - -config=/etc/vault/config.hcl
+            {{- if .Values.csi.agent.extraArgs }}
+            {{- toYaml .Values.csi.agent.extraArgs | nindent 12 }}
+            {{- end }}
+          ports:
+            - containerPort: 8200
+          env:
+            - name: BAO_LOG_LEVEL
+              value: "{{ .Values.csi.agent.logLevel }}"
+            - name: BAO_LOG_FORMAT
+              value: "{{ .Values.csi.agent.logFormat }}"
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsUser: 100
+            runAsGroup: 1000
+          volumeMounts:
+            - name: agent-config
+              mountPath: /etc/vault/config.hcl
+              subPath: config.hcl
+              readOnly: true
+            - name: agent-unix-socket
+              mountPath: /var/run/vault
+            {{- if .Values.csi.volumeMounts }}
+            {{- toYaml .Values.csi.volumeMounts | nindent 12 }}
+            {{- end }}
+        {{- end }}
+      volumes:
+        - name: providervol
+          hostPath:
+            path: {{ .Values.csi.daemonSet.providersDir }}
+        {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
+        - name: agent-config
+          configMap:
+            name: {{ template "openbao.fullname" . }}-csi-provider-agent-config
+        - name: agent-unix-socket
+          emptyDir:
+            medium: Memory
+        {{- end }}
+        {{- if .Values.csi.volumes }}
+        {{- toYaml .Values.csi.volumes | nindent 8}}
+        {{- end }}
+      {{- include "imagePullSecrets" . | nindent 6 }}
+{{- end }}

charts/openbao/templates/csi-role.yaml

@@ -0,0 +1,32 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "openbao.fullname" . }}-csi-provider-role
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get"]
+  resourceNames:
+    {{- if .Values.csi.hmacSecretName }}
+    - {{ .Values.csi.hmacSecretName }}
+    {{- else }}
+    - {{ include "openbao.name" . }}-csi-provider-hmac-key
+    {{- end }}
+# 'create' permissions cannot be restricted by resource name:
+# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+{{- end }}

charts/openbao/templates/csi-rolebinding.yaml

@@ -0,0 +1,25 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "openbao.fullname" . }}-csi-provider-rolebinding
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "openbao.fullname" . }}-csi-provider-role
+subjects:
+- kind: ServiceAccount
+  name: {{ template "openbao.fullname" . }}-csi-provider
+  namespace: {{ include "openbao.namespace" . }}
+{{- end }}

charts/openbao/templates/csi-serviceaccount.yaml

@@ -0,0 +1,21 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "openbao.fullname" . }}-csi-provider
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- if  .Values.csi.serviceAccount.extraLabels -}}
+      {{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}}
+    {{- end -}}
+  {{ template "csi.serviceAccount.annotations" . }}
+{{- end }}

charts/openbao/templates/injector-certs-secret.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: openbao-injector-certs
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+{{- end }}

charts/openbao/templates/injector-clusterrole.yaml

@@ -0,0 +1,30 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations"]
+  verbs:
+    - "get"
+    - "list"
+    - "watch"
+    - "patch"
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs:
+    - "get"
+{{ end }}
+{{ end }}

charts/openbao/templates/injector-clusterrolebinding.yaml

@@ -0,0 +1,24 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector-binding
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: {{ template "openbao.fullname" . }}-agent-injector
+  namespace: {{ include "openbao.namespace" . }}
+{{ end }}

charts/openbao/templates/injector-deployment.yaml

@@ -0,0 +1,179 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+# Deployment for the injector
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    component: webhook
+spec:
+  replicas: {{ .Values.injector.replicas }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      component: webhook
+  {{ template "injector.strategy" . }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        component: webhook
+        {{- if  .Values.injector.extraLabels -}}
+          {{- toYaml .Values.injector.extraLabels | nindent 8 -}}
+        {{- end -}}
+      {{ template "injector.annotations" . }}
+    spec:
+      {{ template "injector.affinity" . }}
+      {{ template "injector.topologySpreadConstraints" . }}
+      {{ template "injector.tolerations" . }}
+      {{ template "injector.nodeselector" . }}
+      {{- if .Values.injector.priorityClassName }}
+      priorityClassName: {{ .Values.injector.priorityClassName }}
+      {{- end }}
+      serviceAccountName: "{{ template "openbao.fullname" . }}-agent-injector"
+      {{ template "injector.securityContext.pod" . -}}
+      {{- if not .Values.global.openshift }}
+      hostNetwork: {{ .Values.injector.hostNetwork }}
+      {{- end }}
+      containers:
+        - name: sidecar-injector
+          {{ template "injector.resources" . }}
+          image: "{{ .Values.injector.image.registry | default "docker.io" }}/{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
+          imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
+          {{- template "injector.securityContext.container" . }}
+          env:
+            - name: AGENT_INJECT_LISTEN
+              value: {{ printf ":%v" .Values.injector.port  }}
+            - name: AGENT_INJECT_LOG_LEVEL
+              value: {{ .Values.injector.logLevel | default "info" }}
+            - name: AGENT_INJECT_VAULT_ADDR
+            {{- if .Values.global.externalVaultAddr }}
+              value: "{{ .Values.global.externalVaultAddr }}"
+            {{- else if .Values.injector.externalVaultAddr }}
+              value: "{{ .Values.injector.externalVaultAddr }}"
+            {{- else }}
+              value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
+            {{- end }}
+            - name: AGENT_INJECT_VAULT_AUTH_PATH
+              value: {{ .Values.injector.authPath }}
+            - name: AGENT_INJECT_VAULT_IMAGE
+              value: "{{ .Values.injector.image.registry | default "quay.io" }}/{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
+            {{- if .Values.injector.certs.secretName }}
+            - name: AGENT_INJECT_TLS_CERT_FILE
+              value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}"
+            - name: AGENT_INJECT_TLS_KEY_FILE
+              value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}"
+            {{- else }}
+            - name: AGENT_INJECT_TLS_AUTO
+              value: {{ template "openbao.fullname" . }}-agent-injector-cfg
+            - name: AGENT_INJECT_TLS_AUTO_HOSTS
+              value: {{ template "openbao.fullname" . }}-agent-injector-svc,{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }},{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }}.svc
+            {{- end }}
+            - name: AGENT_INJECT_LOG_FORMAT
+              value: {{ .Values.injector.logFormat | default "standard" }}
+            - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
+              value: "{{ .Values.injector.revokeOnShutdown | default false }}"
+            {{- if .Values.global.openshift }}
+            - name: AGENT_INJECT_SET_SECURITY_CONTEXT
+              value: "false"
+            {{- end }}
+            {{- if .Values.injector.metrics.enabled }}
+            - name: AGENT_INJECT_TELEMETRY_PATH
+              value: "/metrics"
+            {{- end }}
+            {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+            - name: AGENT_INJECT_USE_LEADER_ELECTOR
+              value: "true"
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            {{- end }}
+            - name: AGENT_INJECT_CPU_REQUEST
+              value: "{{ .Values.injector.agentDefaults.cpuRequest }}"
+            - name: AGENT_INJECT_CPU_LIMIT
+              value: "{{ .Values.injector.agentDefaults.cpuLimit }}"
+            - name: AGENT_INJECT_MEM_REQUEST
+              value: "{{ .Values.injector.agentDefaults.memRequest }}"
+            - name: AGENT_INJECT_MEM_LIMIT
+              value: "{{ .Values.injector.agentDefaults.memLimit }}"
+            {{- if .Values.injector.agentDefaults.ephemeralRequest }}
+            - name: AGENT_INJECT_EPHEMERAL_REQUEST
+              value: "{{ .Values.injector.agentDefaults.ephemeralRequest }}"
+            {{- end }}
+            {{- if .Values.injector.agentDefaults.ephemeralLimit }}
+            - name: AGENT_INJECT_EPHEMERAL_LIMIT
+              value: "{{ .Values.injector.agentDefaults.ephemeralLimit }}"
+            {{- end }}
+            - name: AGENT_INJECT_DEFAULT_TEMPLATE
+              value: "{{ .Values.injector.agentDefaults.template }}"
+            - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE
+              value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}"
+            {{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}
+            - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL
+              value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}"
+            {{- end }}
+            {{- include "openbao.extraEnvironmentVars" .Values.injector | nindent 12 }}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          args:
+            - agent-inject
+            - 2>&1
+          livenessProbe:
+            httpGet:
+              path: /health/ready
+              port: {{ .Values.injector.port }}
+              scheme: HTTPS
+            failureThreshold: {{ .Values.injector.livenessProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.injector.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.injector.livenessProbe.periodSeconds }}
+            successThreshold: {{ .Values.injector.livenessProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.injector.livenessProbe.timeoutSeconds }}
+          readinessProbe:
+            httpGet:
+              path: /health/ready
+              port: {{ .Values.injector.port }}
+              scheme: HTTPS
+            failureThreshold: {{ .Values.injector.readinessProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.injector.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.injector.readinessProbe.periodSeconds }}
+            successThreshold: {{ .Values.injector.readinessProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.injector.readinessProbe.timeoutSeconds }}
+          startupProbe:
+            httpGet:
+              path: /health/ready
+              port: {{ .Values.injector.port }}
+              scheme: HTTPS
+            failureThreshold: {{ .Values.injector.startupProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.injector.startupProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }}
+            successThreshold: {{ .Values.injector.startupProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }}
+{{- if .Values.injector.certs.secretName }}
+          volumeMounts:
+            - name: webhook-certs
+              mountPath: /etc/webhook/certs
+              readOnly: true
+{{- end }}
+{{- if .Values.injector.certs.secretName }}
+      volumes:
+        - name: webhook-certs
+          secret:
+            secretName: "{{ .Values.injector.certs.secretName }}"
+{{- end }}
+      {{- include "imagePullSecrets" . | nindent 6 }}
+{{ end }}

charts/openbao/templates/injector-disruptionbudget.yaml

@@ -0,0 +1,25 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- if .Values.injector.podDisruptionBudget }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    component: webhook
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      component: webhook
+  {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }}
+{{- end -}}

charts/openbao/templates/injector-mutating-webhook.yaml

@@ -0,0 +1,44 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
+apiVersion: admissionregistration.k8s.io/v1
+{{- else }}
+apiVersion: admissionregistration.k8s.io/v1beta1
+{{- end }}
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector-cfg
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  {{- template "injector.webhookAnnotations" . }}
+webhooks:
+  - name: vault.hashicorp.com
+    failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}
+    matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }}
+    sideEffects: None
+    timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }}
+    admissionReviewVersions: ["v1", "v1beta1"]
+    clientConfig:
+      service:
+        name: {{ template "openbao.fullname" . }}-agent-injector-svc
+        namespace: {{ include "openbao.namespace" . }}
+        path: "/mutate"
+      caBundle: {{ .Values.injector.certs.caBundle | quote }}
+    rules:
+      - operations: ["CREATE", "UPDATE"]
+        apiGroups: [""]
+        apiVersions: ["v1"]
+        resources: ["pods"]
+{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }}
+    namespaceSelector:
+{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
+{{ end }}
+{{- template "injector.objectSelector" . -}}
+{{ end }}

charts/openbao/templates/injector-network-policy.yaml

@@ -0,0 +1,29 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.openshift | toString) "true" }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector
+  labels:
+    app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      component: webhook
+  ingress:
+    - from:
+        - namespaceSelector: {}
+      ports:
+      - port: 8080
+        protocol: TCP
+{{ end }}
+{{ end }}

charts/openbao/templates/injector-psp-role.yaml

@@ -0,0 +1,25 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.psp.enable | toString) "true" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector-psp
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+    - {{ template "openbao.fullname" . }}-agent-injector
+{{- end }}
+{{- end }}

charts/openbao/templates/injector-psp-rolebinding.yaml

@@ -0,0 +1,26 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.psp.enable | toString) "true" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector-psp
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  kind: Role
+  name: {{ template "openbao.fullname" . }}-agent-injector-psp
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "openbao.fullname" . }}-agent-injector
+{{- end }}
+{{- end }}

charts/openbao/templates/injector-psp.yaml

@@ -0,0 +1,51 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.psp.enable | toString) "true" }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- template "openbao.psp.annotations" . }}
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  volumes:
+    - configMap
+    - emptyDir
+    - projected
+    - secret
+    - downwardAPI
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    # Require the container to run without root privileges.
+    rule: MustRunAsNonRoot
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: RunAsAny
+  supplementalGroups:
+    rule: MustRunAs
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: MustRunAs
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
+{{- end }}

charts/openbao/templates/injector-role.yaml

@@ -0,0 +1,34 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets", "configmaps"]
+    verbs:
+      - "create"
+      - "get"
+      - "watch"
+      - "list"
+      - "update"
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs:
+      - "get"
+      - "patch"
+      - "delete"
+{{- end }}
+{{- end }}

charts/openbao/templates/injector-rolebinding.yaml

@@ -0,0 +1,27 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-binding
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "openbao.fullname" . }}-agent-injector
+    namespace: {{ include "openbao.namespace" . }}
+{{- end }}
+{{- end }}

charts/openbao/templates/injector-service.yaml

@@ -0,0 +1,27 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector-svc
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  {{ template "injector.service.annotations" . }}
+spec:
+  ports:
+  - name: https
+    port: 443
+    targetPort: {{ .Values.injector.port }}
+  selector:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    component: webhook
+{{- end }}

charts/openbao/templates/injector-serviceaccount.yaml

@@ -0,0 +1,18 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  {{ template "injector.serviceAccount.annotations" . }}
+{{ end }}

charts/openbao/templates/prometheus-prometheusrules.yaml

@@ -0,0 +1,31 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ if and (.Values.serverTelemetry.prometheusRules.rules)
+     (or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) )
+}}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ template "openbao.fullname" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
+    {{- $selectors := .Values.serverTelemetry.prometheusRules.selectors }}
+    {{- if $selectors }}
+    {{- toYaml $selectors | nindent 4 }}
+    {{- else }}
+    release: prometheus
+    {{- end }}
+spec:
+  groups:
+  - name: {{ include "openbao.fullname" . }}
+    rules:
+      {{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }}
+{{- end }}

charts/openbao/templates/prometheus-servicemonitor.yaml

@@ -0,0 +1,49 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "openbao.fullname" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
+    {{- $selectors := .Values.serverTelemetry.serviceMonitor.selectors }}
+    {{- if $selectors }}
+    {{- toYaml $selectors | nindent 4 }}
+    {{- else }}
+    release: prometheus
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "openbao.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      {{- if eq .mode "ha" }}
+      openbao-active: "true"
+      {{- else }}
+      openbao-internal: "true"
+      {{- end }}
+  endpoints:
+  - port: {{ include "openbao.scheme" . }}
+    interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
+    scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
+    scheme: {{ include "openbao.scheme" . | lower }}
+    path: /v1/sys/metrics
+    params:
+      format:
+      - prometheus
+    tlsConfig:
+      insecureSkipVerify: true
+  namespaceSelector:
+    matchNames:
+      - {{ include "openbao.namespace" . }}
+{{ end }}

charts/openbao/templates/server-clusterrolebinding.yaml

@@ -0,0 +1,29 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.serverAuthDelegator" . }}
+{{- if .serverAuthDelegator -}}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "openbao.fullname" . }}-server-binding
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: {{ template "openbao.serviceAccount.name" . }}
+  namespace: {{ include "openbao.namespace" . }}
+{{ end }}

charts/openbao/templates/server-config-configmap.yaml

@@ -0,0 +1,31 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- if .serverEnabled -}}
+{{- if ne .mode "dev" -}}
+{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "openbao.fullname" . }}-config
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.server.includeConfigAnnotation }}
+  annotations:
+    vault.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }}
+{{- end }}
+data:
+  extraconfig-from-values.hcl: |-
+    {{ template "openbao.config" . }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/openbao/templates/server-discovery-role.yaml

@@ -0,0 +1,26 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if .serverEnabled -}}
+{{- if eq .mode "ha" }}
+{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "openbao.fullname" . }}-discovery-role
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "watch", "list", "update", "patch"]
+{{ end }}
+{{ end }}
+{{ end }}

charts/openbao/templates/server-discovery-rolebinding.yaml

@@ -0,0 +1,34 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if .serverEnabled -}}
+{{- if eq .mode "ha" }}
+{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- end }}
+kind: RoleBinding
+metadata:
+  name: {{ template "openbao.fullname" . }}-discovery-rolebinding
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "openbao.fullname" . }}-discovery-role
+subjects:
+- kind: ServiceAccount
+  name: {{ template "openbao.serviceAccount.name" . }}
+  namespace: {{ include "openbao.namespace" . }}
+{{ end }}
+{{ end }}
+{{ end }}

charts/openbao/templates/server-disruptionbudget.yaml

@@ -0,0 +1,31 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" -}}
+{{- if .serverEnabled -}}
+{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
+# PodDisruptionBudget to prevent degrading the server cluster through
+# voluntary cluster changes.
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ template "openbao.fullname" . }}
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  maxUnavailable: {{ template "openbao.pdb.maxUnavailable" . }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "openbao.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      component: server
+{{- end -}}
+{{- end -}}
+{{- end -}}

charts/openbao/templates/server-ha-active-service.yaml

@@ -0,0 +1,64 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- template "openbao.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+{{- if eq .mode "ha" }}
+{{- if eq (.Values.server.service.active.enabled | toString) "true" }}
+# Service for active OpenBao pod
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "openbao.fullname" . }}-active
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    openbao-active: "true"
+  annotations:
+{{- template "openbao.service.active.annotations" . }}
+{{- template "openbao.service.annotations" . }}
+spec:
+  {{- if .Values.server.service.type}}
+  type: {{ .Values.server.service.type }}
+  {{- end}}
+  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+  {{- if .Values.server.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.server.service.ipFamilies }}
+  ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.server.service.clusterIP }}
+  clusterIP: {{ .Values.server.service.clusterIP }}
+  {{- end }}
+  {{- include "service.externalTrafficPolicy" .Values.server.service }}
+  publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
+  ports:
+    - name: {{ include "openbao.scheme" . }}
+      port: {{ .Values.server.service.port }}
+      targetPort: {{ .Values.server.service.targetPort }}
+      {{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
+      nodePort: {{ .Values.server.service.activeNodePort }}
+      {{- end }}
+    - name: https-internal
+      port: 8201
+      targetPort: 8201
+  selector:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- end }}
+    component: server
+    openbao-active: "true"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/openbao/templates/server-ha-standby-service.yaml

@@ -0,0 +1,63 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- template "openbao.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+{{- if eq .mode "ha" }}
+{{- if eq (.Values.server.service.standby.enabled | toString) "true" }}
+# Service for standby OpenBao pod
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "openbao.fullname" . }}-standby
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  annotations:
+{{- template "openbao.service.standby.annotations" . }}
+{{- template "openbao.service.annotations" . }}
+spec:
+  {{- if .Values.server.service.type}}
+  type: {{ .Values.server.service.type }}
+  {{- end}}
+  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+  {{- if .Values.server.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.server.service.ipFamilies }}
+  ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.server.service.clusterIP }}
+  clusterIP: {{ .Values.server.service.clusterIP }}
+  {{- end }}
+  {{- include "service.externalTrafficPolicy" .Values.server.service }}
+  publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
+  ports:
+    - name: {{ include "openbao.scheme" . }}
+      port: {{ .Values.server.service.port }}
+      targetPort: {{ .Values.server.service.targetPort }}
+      {{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
+      nodePort: {{ .Values.server.service.standbyNodePort }}
+      {{- end }}
+    - name: https-internal
+      port: 8201
+      targetPort: 8201
+  selector:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- end }}
+    component: server
+    openbao-active: "false"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/openbao/templates/server-headless-service.yaml

@@ -0,0 +1,47 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- template "openbao.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+# Service for OpenBao cluster
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "openbao.fullname" . }}-internal
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    openbao-internal: "true"
+  annotations:
+{{ template "openbao.service.annotations" .}}
+spec:
+  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+  {{- if .Values.server.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.server.service.ipFamilies }}
+  ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
+  clusterIP: None
+  publishNotReadyAddresses: true
+  ports:
+    - name: "{{ include "openbao.scheme" . }}"
+      port: {{ .Values.server.service.port }}
+      targetPort: {{ .Values.server.service.targetPort }}
+    - name: https-internal
+      port: 8201
+      targetPort: 8201
+  selector:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    component: server
+{{- end }}
+{{- end }}

charts/openbao/templates/server-ingress.yaml

@@ -0,0 +1,69 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- if not .Values.global.openshift }}
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- if .Values.server.ingress.enabled -}}
+{{- $extraPaths := .Values.server.ingress.extraPaths -}}
+{{- $serviceName := include "openbao.fullname" . -}}
+{{- template "openbao.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
+{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
+{{- end }}
+{{- $servicePort := .Values.server.service.port -}}
+{{- $pathType := .Values.server.ingress.pathType -}}
+{{- $kubeVersion := .Capabilities.KubeVersion.Version }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ template "openbao.fullname" . }}
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- with .Values.server.ingress.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- template "openbao.ingress.annotations" . }}
+spec:
+{{- if .Values.server.ingress.tls }}
+  tls:
+  {{- range .Values.server.ingress.tls }}
+    - hosts:
+      {{- range .hosts }}
+        - {{ . | quote }}
+      {{- end }}
+      secretName: {{ .secretName }}
+  {{- end }}
+{{- end }}
+{{- if .Values.server.ingress.ingressClassName }}
+  ingressClassName: {{ .Values.server.ingress.ingressClassName }}
+{{- end }}
+  rules:
+  {{- range .Values.server.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+{{ if $extraPaths }}
+{{ toYaml $extraPaths | indent 10 }}
+{{- end }}
+        {{- range (.paths | default (list "/")) }}
+          - path: {{ . }}
+            pathType: {{ $pathType }}
+            backend:
+              service:
+                name: {{ $serviceName }}
+                port:
+                  number: {{ $servicePort }}
+        {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/openbao/templates/server-network-policy.yaml

@@ -0,0 +1,24 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- if eq (.Values.server.networkPolicy.enabled | toString) "true"  }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "openbao.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ template "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "openbao.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
+  {{- if .Values.server.networkPolicy.egress }}
+  egress:
+  {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}
+  {{ end }}
+{{ end }}

charts/openbao/templates/server-psp-role.yaml

@@ -0,0 +1,25 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if .serverEnabled -}}
+{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "openbao.fullname" . }}-psp
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+    - {{ template "openbao.fullname" . }}
+{{- end }}
+{{- end }}

charts/openbao/templates/server-psp-rolebinding.yaml

@@ -0,0 +1,26 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if .serverEnabled -}}
+{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "openbao.fullname" . }}-psp
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  kind: Role
+  name: {{ template "openbao.fullname" . }}-psp
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "openbao.fullname" . }}
+{{- end }}
+{{- end }}

charts/openbao/templates/server-psp.yaml

@@ -0,0 +1,54 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if .serverEnabled -}}
+{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "openbao.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- template "openbao.psp.annotations" . }}
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  volumes:
+    - configMap
+    - emptyDir
+    - projected
+    - secret
+    - downwardAPI
+    {{- if eq (.Values.server.dataStorage.enabled | toString) "true" }}
+    - persistentVolumeClaim
+    {{- end }}
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    # Require the container to run without root privileges.
+    rule: MustRunAsNonRoot
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: RunAsAny
+  supplementalGroups:
+    rule: MustRunAs
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: MustRunAs
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
+{{- end }}

charts/openbao/templates/server-route.yaml

@@ -0,0 +1,39 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- if .Values.global.openshift }}
+{{- if ne .mode "external" }}
+{{- if .Values.server.route.enabled -}}
+{{- $serviceName := include "openbao.fullname" . -}}
+{{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }}
+{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
+{{- end }}
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+  name: {{ template "openbao.fullname" . }}
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- with .Values.server.route.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- template "openbao.route.annotations" . }}
+spec:
+  host: {{ .Values.server.route.host }}
+  to:
+    kind: Service
+    name: {{ $serviceName }}
+    weight: 100
+  port:
+    targetPort: 8200
+  tls:
+    {{- toYaml .Values.server.route.tls | nindent  4 }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/openbao/templates/server-service.yaml

@@ -0,0 +1,59 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- template "openbao.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+# Service for OpenBao cluster
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "openbao.fullname" . }}
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  annotations:
+{{ template "openbao.service.annotations" .}}
+spec:
+  {{- if .Values.server.service.type}}
+  type: {{ .Values.server.service.type }}
+  {{- end}}
+  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+  {{- if .Values.server.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.server.service.ipFamilies }}
+  ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.server.service.clusterIP }}
+  clusterIP: {{ .Values.server.service.clusterIP }}
+  {{- end }}
+  {{- include "service.externalTrafficPolicy" .Values.server.service }}
+  # We want the servers to become available even if they're not ready
+  # since this DNS is also used for join operations.
+  publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
+  ports:
+    - name: {{ include "openbao.scheme" . }}
+      port: {{ .Values.server.service.port }}
+      targetPort: {{ .Values.server.service.targetPort }}
+      {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
+      nodePort: {{ .Values.server.service.nodePort }}
+      {{- end }}
+    - name: https-internal
+      port: 8201
+      targetPort: 8201
+  selector:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- end }}
+    component: server
+{{- end }}
+{{- end }}

charts/openbao/templates/server-serviceaccount-secret.yaml

@@ -0,0 +1,21 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.serverServiceAccountSecretCreationEnabled" . }}
+{{- if .serverServiceAccountSecretCreationEnabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "openbao.serviceAccount.name" . }}-token
+  namespace: {{ include "openbao.namespace" . }}
+  annotations:
+    kubernetes.io/service-account.name: {{ template "openbao.serviceAccount.name" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: kubernetes.io/service-account-token
+{{ end }}

charts/openbao/templates/server-serviceaccount.yaml

@@ -0,0 +1,22 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.serverServiceAccountEnabled" . }}
+{{- if .serverServiceAccountEnabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "openbao.serviceAccount.name" . }}
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- if  .Values.server.serviceAccount.extraLabels -}}
+      {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}}
+    {{- end -}}
+  {{ template "openbao.serviceAccount.annotations" . }}
+{{ end }}

charts/openbao/templates/server-statefulset.yaml

@@ -0,0 +1,228 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- if ne .mode "" }}
+{{- if .serverEnabled -}}
+# StatefulSet to run the actual openbao server cluster.
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ template "openbao.fullname" . }}
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  {{- template "openbao.statefulSet.annotations" . }}
+spec:
+  serviceName: {{ template "openbao.fullname" . }}-internal
+  podManagementPolicy: Parallel
+  replicas: {{ template "openbao.replicas" . }}
+  updateStrategy:
+    type: {{ .Values.server.updateStrategyType }}
+  {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }}
+  persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "openbao.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      component: server
+  template:
+    metadata:
+      labels:
+        helm.sh/chart: {{ template "openbao.chart" . }}
+        app.kubernetes.io/name: {{ template "openbao.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        component: server
+        {{- if  .Values.server.extraLabels -}}
+          {{- toYaml .Values.server.extraLabels | nindent 8 -}}
+        {{- end -}}
+      {{ template "openbao.annotations" . }}
+    spec:
+      {{ template "openbao.affinity" . }}
+      {{ template "openbao.topologySpreadConstraints" . }}
+      {{ template "openbao.tolerations" . }}
+      {{ template "openbao.nodeselector" . }}
+      {{- if .Values.server.priorityClassName }}
+      priorityClassName: {{ .Values.server.priorityClassName }}
+      {{- end }}
+      terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
+      serviceAccountName: {{ template "openbao.serviceAccount.name" . }}
+      {{ if  .Values.server.shareProcessNamespace }}
+      shareProcessNamespace: true
+      {{ end }}
+      {{- template "server.statefulSet.securityContext.pod" . }}
+      {{- if not .Values.global.openshift }}
+      hostNetwork: {{ .Values.server.hostNetwork }}
+      {{- end }}
+      volumes:
+        {{ template "openbao.volumes" . }}
+        - name: home
+          emptyDir: {}
+      {{- if .Values.server.hostAliases }}
+      hostAliases:
+        {{ toYaml .Values.server.hostAliases | nindent 8}}
+      {{- end }}
+      {{- if .Values.server.extraInitContainers }}
+      initContainers:
+        {{ toYaml .Values.server.extraInitContainers | nindent 8}}
+      {{- end }}
+      containers:
+        - name: openbao
+          {{ template "openbao.resources" . }}
+          image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
+          imagePullPolicy: {{ .Values.server.image.pullPolicy }}
+          command:
+          - "/bin/sh"
+          - "-ec"
+          args: {{ template "openbao.args" . }}
+          {{- template "server.statefulSet.securityContext.container" . }}
+          env:
+            - name: HOST_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.hostIP
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: BAO_K8S_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: BAO_K8S_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: BAO_ADDR
+              value: "{{ include "openbao.scheme" . }}://127.0.0.1:8200"
+            - name: BAO_API_ADDR
+              {{- if .Values.server.ha.apiAddr }}
+              value: {{ .Values.server.ha.apiAddr }}
+              {{- else }}
+              value: "{{ include "openbao.scheme" . }}://$(POD_IP):8200"
+              {{- end }}
+            - name: SKIP_CHOWN
+              value: "true"
+            - name: SKIP_SETCAP
+              value: "true"
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: BAO_CLUSTER_ADDR
+              {{- if .Values.server.ha.clusterAddr }}
+              value: {{ .Values.server.ha.clusterAddr | quote }}
+              {{- else }}
+              value: "https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201"
+              {{- end }}
+            {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }}
+            - name: BAO_RAFT_NODE_ID
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            {{- end }}
+            - name: HOME
+              value: "/home/openbao"
+            {{- if .Values.server.logLevel }}
+            - name: BAO_LOG_LEVEL
+              value: "{{ .Values.server.logLevel }}"
+            {{- end }}
+            {{- if .Values.server.logFormat }}
+            - name: BAO_LOG_FORMAT
+              value: "{{ .Values.server.logFormat }}"
+            {{- end }}
+            {{ template "openbao.envs" . }}
+            {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 12 }}
+            {{- include "openbao.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
+          volumeMounts:
+          {{ template "openbao.mounts" . }}
+            - name: home
+              mountPath: /home/openbao
+          ports:
+            - containerPort: 8200
+              name: {{ include "openbao.scheme" . }}
+            - containerPort: 8201
+              name: https-internal
+            - containerPort: 8202
+              name: {{ include "openbao.scheme" . }}-rep
+          {{- if .Values.server.extraPorts -}}
+          {{ toYaml .Values.server.extraPorts | nindent 12}}
+          {{- end }}
+          {{- if .Values.server.readinessProbe.enabled }}
+          readinessProbe:
+            {{- if .Values.server.readinessProbe.path }}
+            httpGet:
+              path: {{ .Values.server.readinessProbe.path | quote }}
+              port: {{ .Values.server.readinessProbe.port }}
+              scheme: {{ include "openbao.scheme" . | upper }}
+            {{- else }}
+            # Check status; unsealed openbao servers return 0
+            # The exit code reflects the seal status:
+            #   0 - unsealed
+            #   1 - error
+            #   2 - sealed
+            exec:
+              command: ["/bin/sh", "-ec", "bao status -tls-skip-verify"]
+            {{- end }}
+            failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.server.readinessProbe.periodSeconds }}
+            successThreshold: {{ .Values.server.readinessProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.server.readinessProbe.timeoutSeconds }}
+          {{- end }}
+          {{- if .Values.server.livenessProbe.enabled }}
+          livenessProbe:
+            {{- if .Values.server.livenessProbe.execCommand }}
+            exec:
+              command:
+                {{- range (.Values.server.livenessProbe.execCommand) }}
+                - {{ . | quote }}
+                {{- end }}
+            {{- else }}
+            httpGet:
+              path: {{ .Values.server.livenessProbe.path | quote }}
+              port: {{ .Values.server.livenessProbe.port }}
+              scheme: {{ include "openbao.scheme" . | upper }}
+            {{- end }}
+            failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }}
+            successThreshold: {{ .Values.server.livenessProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }}
+          {{- end }}
+          lifecycle:
+            # openbao container doesn't receive SIGTERM from Kubernetes
+            # and after the grace period ends, Kube sends SIGKILL.  This
+            # causes issues with graceful shutdowns such as deregistering itself
+            # from Consul (zombie services).
+            preStop:
+              exec:
+                command: [
+                  "/bin/sh", "-c",
+                  # Adding a sleep here to give the pod eviction a
+                  # chance to propagate, so requests will not be made
+                  # to this pod while it's terminating
+                  "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof bao)",
+                ]
+            {{- if .Values.server.postStart }}
+            postStart:
+              exec:
+                command:
+                {{- range (.Values.server.postStart) }}
+                - {{ . | quote }}
+                {{- end }}
+            {{- end }}
+        {{- if .Values.server.extraContainers }}
+          {{ toYaml .Values.server.extraContainers | nindent 8}}
+        {{- end }}
+      {{- include "imagePullSecrets" . | nindent 6 }}
+  {{ template "openbao.volumeclaims" . }}
+{{ end }}
+{{ end }}
+{{ end }}

charts/openbao/templates/tests/server-test.yaml

@@ -0,0 +1,56 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- if .serverEnabled -}}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ template "openbao.fullname" . }}-server-test
+  namespace: {{ include "openbao.namespace" . }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  {{- include "imagePullSecrets" . | nindent 2 }}
+  containers:
+    - name: {{ .Release.Name }}-server-test
+      image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
+      imagePullPolicy: {{ .Values.server.image.pullPolicy }}
+      env:
+        - name: VAULT_ADDR
+          value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
+        {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 8 }}
+      command:
+        - /bin/sh
+        - -c
+        - |
+          echo "Checking for sealed info in 'bao status' output"
+          ATTEMPTS=10
+          n=0
+          until [ "$n" -ge $ATTEMPTS ]
+          do
+            echo "Attempt" $n...
+            bao status -format yaml | grep -E '^sealed: (true|false)' && break
+            n=$((n+1))
+            sleep 5
+          done
+          if [ $n -ge $ATTEMPTS ]; then
+            echo "timed out looking for sealed info in 'bao status' output"
+            exit 1
+          fi
+
+          exit 0
+      volumeMounts:
+        {{- if .Values.server.volumeMounts }}
+          {{- toYaml .Values.server.volumeMounts | nindent 8}}
+        {{- end }}
+  volumes:
+    {{- if .Values.server.volumes }}
+      {{- toYaml .Values.server.volumes | nindent 4}}
+    {{- end }}
+  restartPolicy: Never
+{{- end }}
+{{- end }}

charts/openbao/templates/ui-service.yaml

@@ -0,0 +1,50 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- template "openbao.uiEnabled" . -}}
+{{- if .uiEnabled -}}
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "openbao.fullname" . }}-ui
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-ui
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  {{- template "openbao.ui.annotations" . }}
+spec:
+  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+  {{- if .Values.ui.serviceIPFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.ui.serviceIPFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.ui.serviceIPFamilies }}
+  ipFamilies: {{ .Values.ui.serviceIPFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
+  selector:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    component: server
+    {{- if and (.Values.ui.activeOpenbaoPodOnly) (eq .mode "ha") }}
+    openbao-active: "true"
+    {{- end }}
+  publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }}
+  ports:
+    - name: {{ include "openbao.scheme" . }}
+      port: {{ .Values.ui.externalPort }}
+      targetPort: {{ .Values.ui.targetPort }}
+      {{- if .Values.ui.serviceNodePort }}
+      nodePort: {{ .Values.ui.serviceNodePort }}
+      {{- end }}
+  type: {{ .Values.ui.serviceType }}
+  {{- include "service.externalTrafficPolicy" .Values.ui }}
+  {{- include "service.loadBalancer" .Values.ui }}
+{{- end -}}
+{{- end }}

charts/openbao/values.openshift.yaml

@@ -0,0 +1,26 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# These overrides are appropriate defaults for deploying this chart on OpenShift
+
+global:
+  openshift: true
+
+injector:
+  image:
+    repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
+    tag: "1.3.1-ubi"
+
+  agentImage:
+    registry: "quay.io"
+    repository: "openbao/openbao"
+    tag: "v2.0.2-ubi"
+
+server:
+  image:
+    registry: "quay.io"
+    repository: "openbao/openbao"
+    tag: "v2.0.2-ubi"
+
+  readinessProbe:
+    path: "/v1/sys/health?uninitcode=204"

templates/_helpers.tpl

@@ -1,44 +0,0 @@
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to
-this (by the DNS naming spec). If release name contains chart name it will
-be used as a full name.
-*/}}
-{{- define "vault.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "vault.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "vault.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
-This defaults to (n/2)-1 where n is the number of members of the server cluster.
-*/}}
-{{- define "vault.pdb.maxUnavailable" -}}
-{{- if .Values.server.disruptionBudget.maxUnavailable -}}
-{{ .Values.server.disruptionBudget.maxUnavailable -}}
-{{- else -}}
-{{- ceil (sub (div (int .Values.server.replicas) 2) 1) -}}
-{{- end -}}
-{{- end -}}

templates/dns-service.yaml

@@ -1,27 +0,0 @@
-# Service for Vault DNS.
-## TODO: verify for Vault
-#{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.global.enabled)) }}
-#apiVersion: v1
-#kind: Service
-#metadata:
-#  name: {{ template "vault.fullname" . }}-dns
-#  labels:
-#    app: {{ template "vault.name" . }}
-#    chart: {{ template "vault.chart" . }}
-#    heritage: {{ .Release.Service }}
-#    release: {{ .Release.Name }}
-#spec:
-#  ports:
-#    - name: dns-tcp
-#      port: 53
-#      protocol: "TCP"
-#      targetPort: dns-tcp
-#    - name: dns-udp
-#      port: 53
-#      protocol: "UDP"
-#      targetPort: dns-udp
-#  selector:
-#    app: {{ template "vault.name" . }}
-#    release: "{{ .Release.Name }}"
-#    hasDNS: "true"
-#{{- end }}

templates/server-config-configmap.yaml

@@ -1,15 +0,0 @@
-# StatefulSet to run the actual vault server cluster.
-{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ template "vault.fullname" . }}-server-config
-  labels:
-    app: {{ template "vault.name" . }}
-    chart: {{ template "vault.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-data:
-  extra-from-values.hcl: |-
-{{ tpl .Values.server.extraConfig . | indent 4 }}
-{{- end }}

templates/server-service.yaml

@@ -1,35 +0,0 @@
-# Headless service for Vault server DNS entries. This service should only
-# point to Vault servers. For access to an agent, one should assume that
-# the agent is installed locally on the node and the NODE_IP should be used.
-# If the node can't run a Vault agent, then this service can be used to
-# communicate directly to a server agent.
-# TODO: verify for Vault
-{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "vault.fullname" . }}-server
-  labels:
-    app: {{ template "vault.name" . }}
-    chart: {{ template "vault.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-  annotations:
-    # This must be set in addition to publishNotReadyAddresses due
-    # to an open issue where it may not work:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
-spec:
-  clusterIP: None
-  # We want the servers to become available even if they're not ready
-  # since this DNS is also used for join operations.
-  publishNotReadyAddresses: true
-  ports:
-    - name: http
-      port: 8200
-      targetPort: 8200
-  selector:
-    app: {{ template "vault.name" . }}
-    release: "{{ .Release.Name }}"
-    component: server
-{{- end }}

templates/server-statefulset.yaml

@@ -1,123 +0,0 @@
-# StatefulSet to run the actual vault server cluster.
-{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: {{ template "vault.fullname" . }}-server
-  labels:
-    app: {{ template "vault.name" . }}
-    chart: {{ template "vault.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-spec:
-  serviceName: {{ template "vault.fullname" . }}-server
-  podManagementPolicy: Parallel
-  replicas: {{ .Values.server.replicas }}
-  selector:
-    matchLabels:
-      app: {{ template "vault.name" . }}
-      chart: {{ template "vault.chart" . }}
-      release: {{ .Release.Name }}
-      component: server
-  template:
-    metadata:
-      labels:
-        app: {{ template "vault.name" . }}
-        chart: {{ template "vault.chart" . }}
-        release: {{ .Release.Name }}
-        component: server
-    spec:
-      affinity:
-        podAntiAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchLabels:
-                  app: {{ template "vault.name" . }}
-                  release: "{{ .Release.Name }}"
-                  component: server
-              topologyKey: kubernetes.io/hostname
-      terminationGracePeriodSeconds: 10
-      securityContext:
-        fsGroup: 1000
-      volumes:
-        - name: config
-          configMap:
-            name: {{ template "vault.fullname" . }}-server-config
-        {{- range .Values.server.extraVolumes }}
-        - name: userconfig-{{ .name }}
-          {{ .type }}:
-            {{- if (eq .type "configMap") }}
-            name: {{ .name }}
-            {{- else if (eq .type "secret") }}
-            secretName: {{ .name }}
-            {{- end }}
-        {{- end }}
-      containers:
-        - name: vault
-          securityContext:
-            fsGroup: 1000
-            # TODO: confirm Vault needs this
-            privileged: true
-          image: "{{ default .Values.global.image .Values.server.image }}"
-          env:
-            - name: POD_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.podIP
-            - name: NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: VAULT_ADDR 
-              value: "http://localhost:8200"
-          command:
-            - "vault"
-            - "server"
-            - "-config=/vault/config/"
-          volumeMounts:
-            - name: data
-              mountPath: /vault/data
-            - name: config
-              mountPath: /vault/config
-            {{- range .Values.server.extraVolumes }}
-            - name: userconfig-{{ .name }}
-              readOnly: true
-              mountPath: /vault/userconfig/{{ .name }}
-            {{- end }}
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                - vault step-down
-          ports:
-            - containerPort: 8200
-              name: http
-          #readinessProbe:
-          #  # NOTE(mitchellh): when our HTTP status endpoints support the
-          #  # proper status codes, we should switch to that. This is temporary.
-          #  # TODO: verify for Vault
-          #  #exec:
-          #  #  command:
-          #  #    - "/bin/sh"
-          #  #    - "-ec"
-          #  #    - |
-          #  #      curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \
-          #  #      grep -E '".+"'
-          #  failureThreshold: 2
-          #  initialDelaySeconds: 5
-          #  periodSeconds: 3
-          #  successThreshold: 1
-          #  timeoutSeconds: 5
-  volumeClaimTemplates:
-    - metadata:
-        name: data
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: {{ .Values.server.storage }}
-        {{- if .Values.server.storageClass }}
-        storageClassName: {{ .Values.server.storageClass }}
-        {{- end }}
-{{- end }}

templates/ui-service.yaml

@@ -1,29 +0,0 @@
-# Headless service for Vault server DNS entries. This service should only
-# point to Vault servers. For access to an agent, one should assume that
-# the agent is installed locally on the node and the NODE_IP should be used.
-# If the node can't run a Vault agent, then this service can be used to
-# communicate directly to a server agent.
-{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "vault.fullname" . }}-ui
-  labels:
-    app: {{ template "vault.name" . }}
-    chart: {{ template "vault.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-spec:
-  selector:
-    app: {{ template "vault.name" . }}
-    release: "{{ .Release.Name }}"
-    component: server
-  type: LoadBalancer
-  ports:
-    - name: http
-      port: 80
-      targetPort: 8200
-  {{- if .Values.ui.service.type }}
-  type: {{ .Values.ui.service.type }}
-  {{- end }}
-{{- end }}

test/README.md

@@ -0,0 +1,53 @@
+# OpenBao Helm Tests
+
+## Running OpenBao Helm Acceptance tests
+
+The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance or in a kind cluster.
+
+### Running in a GKE cluster
+
+* Set the `GOOGLE_CREDENTIALS` and `CLOUDSDK_CORE_PROJECT` variables at the top of the file. `GOOGLE_CREDENTIALS` should contain the local path to your Google Cloud Platform account credentials in JSON format. `CLOUDSDK_CORE_PROJECT` should be set to the ID of your GCP project.
+* Run `make test-image` to create the docker image (with dependencies installed) that will be re-used in the below steps.
+* Run `make test-provision` to provision the GKE cluster using terraform.
+* Run `make test-acceptance` to run the acceptance tests in this already provisioned cluster.
+* You can choose to only run certain tests by setting the ACCEPTANCE_TESTS variable and re-running the above target.
+* Run `make test-destroy` when you have finished testing and want to tear-down and remove the cluster.
+
+### Running in a kind cluster
+
+* Run `make test-acceptance LOCAL_ACCEPTANCE_TESTS=true`
+* You can choose to only run certain tests by setting the `ACCEPTANCE_TESTS` variable and re-running the above target.
+* Run `make delete-kind` when you have finished testing and want to tear-down and remove the cluster.
+* You can set an alternate kind cluster name by specifying the `KIND_CLUSTER_NAME` variable for any of the above targets.
+* You can set an alternate K8S version by specifying the `KIND_K8S_VERSION` variable for any of the above targets.
+
+See [kind-quick-start](https://kind.sigs.k8s.io/docs/user/quick-start/) if you don't have kind installed on your system.
+
+## Running chart verification tests
+
+If [chart-verifier](https://github.com/redhat-certification/chart-verifier) is built and available in your PATH, run:
+
+    bats test/chart/verifier.bats
+
+Or if you'd rather use the latest chart-verifier docker container, set
+USE_DOCKER:
+
+    USE_DOCKER=true bats test/chart/verifier.bats
+
+## Generating the values json schema
+
+There is a make target for generating values.schema.json:
+
+    make values-schema
+
+It relies on the helm [schema-gen plugin][schema-gen]. Note that some manual
+editing will be required, since several properties accept multiple data types.
+
+[schema-gen]: https://github.com/karuppiah7890/helm-schema-gen
+
+## Helm test
+
+OpenBao Helm also contains a simple helm test under
+[templates/tests/](../templates/tests/) that may be run against a helm release:
+
+    helm test <RELEASE_NAME>

test/acceptance/_helpers.bash

@@ -1,9 +1,17 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 # name_prefix returns the prefix of the resources within Kubernetes.
 name_prefix() {
-    printf "consul"
+    printf "openbao"
 }
 
-# helm_install installs the Consul chart. This will source overridable
+# chart_dir returns the directory for the chart
+chart_dir() {
+    echo ${BATS_TEST_DIRNAME}/../../charts/openbao
+}
+
+# helm_install installs the openbao chart. This will source overridable
 # values from the "values.yaml" file in this directory. This can be set
 # by CI or other environments to do test-specific overrides. Note that its
 # easily possible to break tests this way so be careful.
@@ -14,18 +22,88 @@ helm_install() {
     fi
 
     helm install -f ${values} \
-        --name consul \
-        --wait \
-        ${BATS_TEST_DIRNAME}/../..
+        --name openbao \
+        ${BATS_TEST_DIRNAME}/../../charts/openbao
 }
 
-# helm_delete deletes the Consul chart and all resources.
-helm_delete() {
-    helm delete --purge consul
-    kubectl delete --all pvc
+# helm_install_ha installs the openbao chart using HA mode. This will source
+# overridable values from the "values.yaml" file in this directory. This can be
+# set by CI or other environments to do test-specific overrides. Note that its
+# easily possible to break tests this way so be careful.
+helm_install_ha() {
+    local values="${BATS_TEST_DIRNAME}/values.yaml"
+    if [ ! -f "${values}" ]; then
+        touch $values
+    fi
+
+    helm install -f ${values} \
+        --name openbao \
+        --set 'server.enabled=false' \
+        --set 'serverHA.enabled=true' \
+        ${BATS_TEST_DIRNAME}/../../charts/openbao
+}
+
+# wait for consul to be ready
+wait_for_running_consul() {
+    kubectl wait --for=condition=Ready --timeout=5m pod -l app=consul,component=client
+}
+
+wait_for_sealed_vault() {
+    POD_NAME=$1
+
+    check() {
+        sealed_status=$(kubectl exec $1 -- bao status -format=json | jq -r '.sealed')
+        if [ "$sealed_status" == "true" ]; then
+            return 0
+        fi
+        return 1
+    }
+
+    for i in $(seq 60); do
+        if check ${POD_NAME}; then
+            echo "OpenBao on ${POD_NAME} is running."
+            return
+        fi
+
+        echo "Waiting for OpenBao on ${POD_NAME} to be running..."
+        sleep 2
+    done
+
+    echo "OpenBao on ${POD_NAME} never became running."
+    return 1
+}
+
+# wait for a pod to be running
+wait_for_running() {
+    POD_NAME=$1
+
+    check() {
+        # This requests the pod and checks whether the status is running
+        # and the ready state is true. If so, it outputs the name. Otherwise
+        # it outputs empty. Therefore, to check for success, check for nonzero
+        # string length.
+        kubectl get pods $1 -o json | \
+            jq -r 'select(
+                .status.phase == "Running" and
+                ([ .status.conditions[] | select(.type == "Ready" and .status == "False") ] | length) == 1
+            ) | .metadata.namespace + "/" + .metadata.name'
+    }
+
+    for i in $(seq 60); do
+        if [ -n "$(check ${POD_NAME})" ]; then
+            echo "${POD_NAME} is ready."
+            sleep 5
+            return
+        fi
+
+        echo "Waiting for ${POD_NAME} to be ready..."
+        sleep 2
+    done
+
+    echo "${POD_NAME} never became ready."
+    return 1
 }
 
-# wait for a pod to be ready
 wait_for_ready() {
     POD_NAME=$1
 
@@ -41,9 +119,10 @@ wait_for_ready() {
             ) | .metadata.namespace + "/" + .metadata.name'
     }
 
-    for i in $(seq 30); do
+    for i in $(seq 60); do
         if [ -n "$(check ${POD_NAME})" ]; then
             echo "${POD_NAME} is ready."
+            sleep 5
             return
         fi
 
@@ -52,5 +131,34 @@ wait_for_ready() {
     done
 
     echo "${POD_NAME} never became ready."
-    exit 1
+    return 1
+}
+
+wait_for_complete_job() {
+	POD_NAME=$1
+
+    check() {
+        # This requests the pod and checks whether the status is running
+        # and the ready state is true. If so, it outputs the name. Otherwise
+        # it outputs empty. Therefore, to check for success, check for nonzero
+        # string length.
+        kubectl get job $1 -o json | \
+            jq -r 'select(
+                .status.succeeded == 1
+            ) | .metadata.namespace + "/" + .metadata.name'
+    }
+
+    for i in $(seq 60); do
+        if [ -n "$(check ${POD_NAME})" ]; then
+            echo "${POD_NAME} is complete."
+            sleep 5
+            return
+        fi
+
+        echo "Waiting for ${POD_NAME} to be complete..."
+        sleep 2
+    done
+
+    echo "${POD_NAME} never completed."
+    return 1
 }

test/acceptance/csi-test/nginx.yaml

@@ -0,0 +1,30 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nginx
+---
+kind: Pod
+apiVersion: v1
+metadata:
+  name: nginx
+spec:
+  terminationGracePeriodSeconds: 0
+  serviceAccountName: nginx
+  containers:
+  - image: docker.mirror.hashicorp.services/nginx
+    name: nginx
+    volumeMounts:
+    - name: secrets-store-inline
+      mountPath: "/mnt/secrets-store"
+      readOnly: true
+  volumes:
+    - name: secrets-store-inline
+      csi:
+        driver: secrets-store.csi.k8s.io
+        readOnly: true
+        volumeAttributes:
+          secretProviderClass: "vault-kv"

test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml

@@ -0,0 +1,16 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# The "Hello World" OpenBao SecretProviderClass
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: vault-kv
+spec:
+  provider: vault
+  parameters:
+    roleName: "kv-role"
+    objects: |
+      - objectName: "bar"
+        secretPath: "secret/data/kv1"
+        secretKey: "bar1"

test/acceptance/csi-test/openbao-policy.hcl

@@ -0,0 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+path "secret/data/kv1" {
+  capabilities = ["read"]
+}

test/acceptance/csi.bats

@@ -0,0 +1,83 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "csi: testing deployment" {
+  cd `chart_dir`
+
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+
+  # Install Secrets Store CSI driver
+  # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly
+  # so we can see Agent's cache working.
+  CSI_DRIVER_VERSION=1.3.2
+  helm install secrets-store-csi-driver secrets-store-csi-driver \
+    --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \
+    --version=$CSI_DRIVER_VERSION \
+    --wait --timeout=5m \
+    --namespace=acceptance \
+    --set linux.image.pullPolicy="IfNotPresent" \
+    --set tokenRequests[0].audience="openbao" \
+    --set enableSecretRotation=true \
+    --set rotationPollInterval=5s
+  # Install OpenBao and OpenBao provider
+  helm install openbao \
+    --wait --timeout=5m \
+    --namespace=acceptance \
+    --set="server.dev.enabled=true" \
+    --set="csi.enabled=true" \
+    --set="csi.debug=true" \
+    --set="csi.agent.logLevel=debug" \
+    --set="injector.enabled=false" \
+    .
+  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao
+  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider
+
+  # Set up k8s auth and a kv secret.
+  cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -
+  kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
+  kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
+    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
+  kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \
+    bound_service_account_names=nginx \
+    bound_service_account_namespaces=acceptance \
+    policies=kv-policy \
+    ttl=20m
+  kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1
+
+  kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
+  kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml
+  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx
+
+  result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
+  [[ "$result" == "hello1" ]]
+
+  for i in $(seq 10); do
+    sleep 2
+    if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
+        echo "Agent returned a cached login response"
+        return
+    fi
+
+    echo "Waiting to confirm the Agent is renewing CSI's auth token..."
+  done
+
+  # Print the logs and fail the test
+  echo "Failed to find a log for the Agent renewing CSI's auth token"
+  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent
+  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider
+  exit 1
+}
+
+# Clean up
+teardown() {
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      echo "helm/pvc teardown"
+      helm --namespace=acceptance delete openbao
+      helm --namespace=acceptance delete secrets-store-csi-driver
+      kubectl delete --all pvc
+      kubectl delete namespace acceptance
+  fi
+}

test/acceptance/helm-test.bats

@@ -0,0 +1,27 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "helm/test: running helm test" {
+  cd `chart_dir`
+
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance
+
+  helm install "$(name_prefix)" .
+  wait_for_running $(name_prefix)-0
+
+  helm test "$(name_prefix)"
+}
+
+# Clean up
+teardown() {
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      echo "helm/pvc teardown"
+      helm delete openbao
+      kubectl delete --all pvc
+      kubectl delete namespace acceptance --ignore-not-found=true
+  fi
+}

test/acceptance/injector-leader-elector.bats

@@ -0,0 +1,52 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "injector: testing leader elector" {
+  cd `chart_dir`
+
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance
+
+  helm install "$(name_prefix)" \
+    --wait \
+    --timeout=5m \
+    --set="injector.replicas=3" .
+  kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=openbao-agent-injector --timeout=5m
+
+  pods=($(kubectl get pods -l app.kubernetes.io/name=openbao-agent-injector -o json | jq -r '.items[] | .metadata.name'))
+  [ "${#pods[@]}" == 3 ]
+
+  leader=''
+  tries=0
+  until [ $tries -ge 60 ]
+  do
+    owner=$(kubectl get configmaps vault-k8s-leader -o json | jq -r .metadata.ownerReferences\[0\].name)
+    leader=$(kubectl get pods $owner -o json | jq -r .metadata.name)
+    [ -n "${leader}" ] && [ "${leader}" != "null" ] && break
+    ((++tries))
+    sleep .5
+  done
+
+  # Check the leader name is valid - i.e. one of the 3 pods
+  [[ " ${pods[@]} " =~ " ${leader} " ]]
+
+}
+
+setup() {
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance
+}
+
+# Clean up
+teardown() {
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      echo "helm/pvc teardown"
+      helm delete openbao
+      kubectl delete --all pvc
+      kubectl delete namespace acceptance
+  fi
+}

test/acceptance/injector-test/bootstrap.sh

@@ -0,0 +1,49 @@
+#!/bin/sh
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+
+OUTPUT=/tmp/output.txt
+
+bao operator init -n 1 -t 1 >> ${OUTPUT?}
+
+unseal=$(cat ${OUTPUT?} | grep "Unseal Key 1:" | sed -e "s/Unseal Key 1: //g")
+root=$(cat ${OUTPUT?} | grep "Initial Root Token:" | sed -e "s/Initial Root Token: //g")
+
+bao operator unseal ${unseal?}
+
+bao login -no-print ${root?}
+
+bao policy write db-backup /openbao/userconfig/test/pgdump-policy.hcl
+
+bao auth enable kubernetes
+
+bao write auth/kubernetes/config \
+   token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+   kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
+   kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+
+bao write auth/kubernetes/role/db-backup \
+    bound_service_account_names=pgdump \
+    bound_service_account_namespaces=acceptance \
+    policies=db-backup \
+    ttl=1h
+
+bao secrets enable database
+
+bao write database/config/postgresql \
+    plugin_name=postgresql-database-plugin \
+    allowed_roles="db-backup" \
+    connection_url="postgresql://{{username}}:{{password}}@postgres:5432/mydb?sslmode=disable" \
+    username="openbao" \
+    password="openbao"
+
+bao write database/roles/db-backup \
+    db_name=postgresql \
+    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
+        GRANT CONNECT ON DATABASE mydb TO \"{{name}}\"; \
+        GRANT USAGE ON SCHEMA app TO \"{{name}}\"; \
+        GRANT SELECT ON ALL TABLES IN SCHEMA app TO \"{{name}}\";" \
+    revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
+    default_ttl="1h" \
+    max_ttl="24h"

test/acceptance/injector-test/job.yaml

@@ -0,0 +1,42 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pgdump
+  labels:
+    app: pgdump
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: pgdump
+spec:
+  backoffLimit: 0
+  template:
+    metadata:
+      name: pgdump
+      labels:
+        app: pgdump
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/db-backup"
+        vault.hashicorp.com/agent-inject-template-db-creds: |
+          {{- with secret "database/creds/db-backup" -}}
+          postgresql://{{ .Data.username }}:{{ .Data.password }}@postgres.acceptance.svc.cluster.local:5432/mydb
+          {{- end }}
+        vault.hashicorp.com/role: "db-backup"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+    spec:
+      serviceAccountName: pgdump
+      containers:
+        - name: pgdump
+          image: postgres:11.5
+          command:
+            - "/bin/sh"
+            - "-ec"
+          args:
+            - "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout"
+      restartPolicy: Never

test/acceptance/injector-test/pg-deployment.yaml

@@ -0,0 +1,72 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres
+  labels:
+    app: postgres
+spec:
+  type: ClusterIP
+  ports:
+   - port: 5432
+     targetPort: 5432
+  selector:
+   app: postgres
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: postgres
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgres
+  template:
+    metadata:
+      labels:
+        service: postgres
+        app: postgres
+    spec:
+      containers:
+        - name: postgres
+          image: postgres:11.5
+          ports:
+            - containerPort: 5432
+          env:
+            - name: POSTGRES_DB
+              value: mydb
+            - name: POSTGRES_USER
+              value: postgres
+            - name: POSTGRES_PASSWORD
+              value: password
+          volumeMounts:
+            - mountPath: "/var/lib/postgresql"
+              name: "pgdata"
+            - mountPath: "/docker-entrypoint-initdb.d"
+              name: "pgconf"
+      volumes:
+        - name: pgdata
+          emptyDir: {}
+        - name: pgconf
+          configMap:
+            name: "pg-init"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pg-init
+  labels:
+    app: postgres
+data:
+  setup.sql: |
+    CREATE ROLE openbao;
+    ALTER ROLE openbao WITH SUPERUSER LOGIN PASSWORD 'openbao';
+
+    \c mydb
+    CREATE SCHEMA app;
+    CREATE TABLE app.inventory(id int);
+    INSERT INTO app.inventory(id) VALUES (0);

test/acceptance/injector-test/pgdump-policy.hcl

@@ -0,0 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+path "database/creds/db-backup" {
+  capabilities = ["read"]
+}

test/acceptance/injector.bats

@@ -0,0 +1,58 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "injector: testing deployment" {
+  cd `chart_dir`
+
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance
+
+  kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml
+  sleep 5
+  wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}")
+
+  kubectl create secret generic test \
+    --from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \
+    --from-file ../../test/acceptance/injector-test/bootstrap.sh
+
+  kubectl label secret test app=openbao-agent-demo
+
+  helm install "$(name_prefix)" \
+    --set="server.extraVolumes[0].type=secret" \
+    --set="server.extraVolumes[0].name=test" .
+  wait_for_running $(name_prefix)-0
+
+  wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}")
+
+  kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"
+  sleep 5
+
+    # Sealed, not initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "false" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "true" ]
+
+
+  kubectl create -f ../../test/acceptance/injector-test/job.yaml
+  wait_for_complete_job "pgdump"
+}
+
+# Clean up
+teardown() {
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      echo "helm/pvc teardown"
+      helm delete openbao
+      kubectl delete --all pvc
+      kubectl delete secret test
+      kubectl delete job pgdump
+      kubectl delete deployment postgres
+      kubectl delete namespace acceptance
+  fi
+}

test/acceptance/server-annotations.bats

@@ -0,0 +1,46 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/annotations: testing yaml and yaml-formatted string formats" {
+  cd `chart_dir`
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance
+
+  helm install "$(name_prefix)" -f ../../test/acceptance/server-test/annotations-overrides.yaml .
+  wait_for_running $(name_prefix)-0
+
+  # service annotations
+  local awesome=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.metadata.annotations.active')
+  [ "${awesome}" == "sometimes" ]
+
+  local pickMe=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.metadata.annotations.pickMe')
+  [ "${pickMe}" == "please" ]
+
+  local environment=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.metadata.annotations.environment')
+  [ "${environment}" == "production" ]
+
+  local milk=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.metadata.annotations.milk')
+  [ "${milk}" == "oat" ]
+
+  local myName=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.metadata.annotations.myName')
+  [ "${myName}" == "$(name_prefix)" ]
+
+}
+
+# Clean up
+teardown() {
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      echo "helm/pvc teardown"
+      helm delete $(name_prefix)
+      kubectl delete --all pvc
+      kubectl delete namespace acceptance --ignore-not-found=true
+  fi
+}

test/acceptance/server-dev.bats

@@ -0,0 +1,64 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/dev: testing deployment" {
+  cd `chart_dir`
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance
+
+  helm install "$(name_prefix)" --set='server.dev.enabled=true' .
+  wait_for_running $(name_prefix)-0
+
+  # Replicas
+  local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.replicas')
+  [ "${replicas}" == "1" ]
+
+  # Volume Mounts
+  local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.containers[0].volumeMounts | length')
+  [ "${volumeCount}" == "1" ]
+
+  # Service
+  local service=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.clusterIP')
+  [ "${service}" != "None" ]
+
+  local service=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.type')
+  [ "${service}" == "ClusterIP" ]
+
+  local ports=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.ports | length')
+  [ "${ports}" == "2" ]
+
+  local ports=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.ports[0].port')
+  [ "${ports}" == "8200" ]
+
+  local ports=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.ports[1].port')
+  [ "${ports}" == "8201" ]
+
+  # Sealed, not initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "false" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "true" ]
+}
+
+# Clean up
+teardown() {
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      echo "helm/pvc teardown"
+      helm delete openbao
+      kubectl delete --all pvc
+      kubectl delete namespace acceptance --ignore-not-found=true
+  fi
+}

test/acceptance/server-ha-raft.bats

@@ -0,0 +1,121 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/ha-raft: testing deployment" {
+  cd `chart_dir`
+
+  helm install "$(name_prefix)" \
+    --set='server.ha.enabled=true' \
+    --set='server.ha.raft.enabled=true' .
+  wait_for_running $(name_prefix)-0
+
+  # Sealed, not initialized
+  wait_for_sealed_vault $(name_prefix)-0
+
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "false" ]
+
+  # Replicas
+  local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.replicas')
+  [ "${replicas}" == "3" ]
+
+  # Volume Mounts
+  local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.containers[0].volumeMounts | length')
+  [ "${volumeCount}" == "3" ]
+
+  # Volumes
+  local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.volumes | length')
+  [ "${volumeCount}" == "2" ]
+
+  local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.volumes[0].configMap.name')
+  [ "${volume}" == "$(name_prefix)-config" ]
+
+  # Service
+  local service=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.clusterIP')
+  [ "${service}" != "None" ]
+
+  local service=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.type')
+  [ "${service}" == "ClusterIP" ]
+
+  local ports=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.ports | length')
+  [ "${ports}" == "2" ]
+
+  local ports=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.ports[0].port')
+  [ "${ports}" == "8200" ]
+
+  local ports=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.ports[1].port')
+  [ "${ports}" == "8201" ]
+
+  # OpenBao Init
+  local init=$(kubectl exec -ti "$(name_prefix)-0" -- \
+    bao operator init -format=json -n 1 -t 1)
+
+  local token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
+  [ "${token}" != "" ]
+
+  local root=$(echo ${init} | jq -r '.root_token')
+  [ "${root}" != "" ]
+
+  kubectl exec -ti openbao-0 -- bao operator unseal ${token}
+  wait_for_ready "$(name_prefix)-0"
+
+  sleep 5
+
+  # OpenBao Unseal
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      if [[ ${pod?} != "$(name_prefix)-0" ]]
+      then
+          kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200
+          kubectl exec -ti ${pod} -- bao operator unseal ${token}
+          wait_for_ready "${pod}"
+      fi
+  done
+
+  # Sealed, not initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "false" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "true" ]
+
+  kubectl exec "$(name_prefix)-0" -- bao login ${root}
+
+  local raft_status=$(kubectl exec "$(name_prefix)-0" -- bao operator raft list-peers -format=json |
+    jq -r '.data.config.servers | length')
+  [ "${raft_status}" == "3" ]
+}
+
+setup() {
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance
+}
+
+#cleanup
+teardown() {
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      # If the test failed, print some debug output
+      if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
+          kubectl logs -l app.kubernetes.io/name=openbao
+      fi
+      helm delete openbao
+      kubectl delete --all pvc
+      kubectl delete namespace acceptance --ignore-not-found=true
+  fi
+}

test/acceptance/server-telemetry.bats

@@ -0,0 +1,90 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/telemetry: prometheusOperator" {
+  cd `chart_dir`
+  helm --namespace acceptance uninstall $(name_prefix) || :
+  helm --namespace acceptance uninstall prometheus || :
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance
+
+  helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+  helm repo update
+  helm install \
+    --wait \
+    --version 39.6.0 \
+    prometheus prometheus-community/kube-prometheus-stack
+
+  helm install \
+    --wait \
+    --values ../../test/acceptance/server-test/telemetry.yaml \
+    "$(name_prefix)" .
+
+  wait_for_running $(name_prefix)-0
+
+  # Sealed, not initialized
+  wait_for_sealed_vault $(name_prefix)-0
+
+  # OpenBao Init
+  local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
+    bao operator init -format=json -n 1 -t 1 | \
+    jq -r '.unseal_keys_b64[0]')
+  [ "${token}" != "" ]
+
+  # OpenBao Unseal
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      kubectl exec -ti ${pod} -- bao operator unseal ${token}
+  done
+
+  wait_for_ready "$(name_prefix)-0"
+
+  # Unsealed, initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "false" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "true" ]
+
+  # unfortunately it can take up to 2 minutes for the openbao prometheus job to appear
+  # TODO: investigate how reduce this.
+  local job_labels
+  local tries=0
+  until [ $tries -ge 240 ]
+  do
+      job_labels=$( (kubectl exec -n acceptance svc/prometheus-kube-prometheus-prometheus \
+        -c prometheus \
+        -- wget -q -O - http://127.0.0.1:9090/api/v1/label/job/values) | tee /dev/stderr )
+
+      # Ensure the expected job label was picked up by Prometheus
+      [ "$(echo "${job_labels}" | jq 'any(.data[]; . == "openbao-internal")')" = "true" ] && break
+
+      ((++tries))
+      sleep .5
+    done
+
+
+  # Ensure the expected job is "up"
+  local job_up=$( ( kubectl exec -n acceptance svc/prometheus-kube-prometheus-prometheus \
+    -c prometheus \
+    -- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="openbao-internal"}' ) | \
+    tee /dev/stderr )
+  [ "$(echo "${job_up}" | jq '.data.result[0].value[1]')" = \"1\" ]
+}
+
+# Clean up
+teardown() {
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      echo "helm/pvc teardown"
+      helm uninstall $(name_prefix)
+      helm uninstall prometheus
+      kubectl delete --all pvc
+      kubectl delete namespace acceptance --ignore-not-found=true
+  fi
+}

test/acceptance/server-test/annotations-overrides.yaml

@@ -0,0 +1,12 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+server:
+  annotations: |
+    environment: production
+    milk: oat
+    myName: "{{ .Release.Name }}"
+  service:
+    annotations:
+      active: sometimes
+      pickMe: please

test/acceptance/server-test/telemetry.yaml

@@ -0,0 +1,31 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+server:
+  standalone:
+    config: |
+      ui = true
+
+      listener "tcp" {
+        tls_disable = 1
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+        # Enable unauthenticated metrics access (necessary for Prometheus Operator)
+        telemetry {
+          unauthenticated_metrics_access = "true"
+        }
+      }
+
+      storage "file" {
+        path = "/openbao/data"
+      }
+
+      telemetry {
+        prometheus_retention_time = "30s"
+        disable_hostname = true
+      }
+
+serverTelemetry:
+  serviceMonitor:
+    enabled: true
+    interval: 15s

test/acceptance/server.bats

@@ -2,16 +2,108 @@
 
 load _helpers
 
-@test "server: default, comes up healthy" {
-  helm_install
-  wait_for_ready $(name_prefix)-server-0
+@test "server/standalone: testing deployment" {
+  cd `chart_dir`
 
-  # Verify there are three servers
-  local server_count=$(kubectl exec "$(name_prefix)-server-0" consul members |
-      grep server |
-      wc -l)
-  [ "${server_count}" -eq "3" ]
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance
+
+  helm install "$(name_prefix)" .
+  wait_for_running $(name_prefix)-0
+
+  # Sealed, not initialized
+  wait_for_sealed_vault $(name_prefix)-0
+
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "false" ]
+
+  # Replicas
+  local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.replicas')
+  [ "${replicas}" == "1" ]
+
+  # Affinity
+  local affinity=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.affinity')
+  [ "${affinity}" != "null" ]
+
+  # Volume Mounts
+  local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.containers[0].volumeMounts | length')
+  [ "${volumeCount}" == "3" ]
+
+  local mountName=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.containers[0].volumeMounts[0].name')
+  [ "${mountName}" == "data" ]
+
+  local mountPath=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.containers[0].volumeMounts[0].mountPath')
+  [ "${mountPath}" == "/openbao/data" ]
+
+  # Volumes
+  local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.volumes | length')
+  [ "${volumeCount}" == "2" ]
+
+  local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.volumes[0].configMap.name')
+  [ "${volume}" == "$(name_prefix)-config" ]
+
+  # Service
+  local service=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.clusterIP')
+  [ "${service}" != "None" ]
+
+  local service=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.type')
+  [ "${service}" == "ClusterIP" ]
+
+  local ports=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.ports | length')
+  [ "${ports}" == "2" ]
+
+  local ports=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.ports[0].port')
+  [ "${ports}" == "8200" ]
+
+  local ports=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.ports[1].port')
+  [ "${ports}" == "8201" ]
+
+  # OpenBao Init
+  local token=$(kubectl exec -ti "$(name_prefix)-0" -- \
+    bao operator init -format=json -n 1 -t 1 | \
+    jq -r '.unseal_keys_b64[0]')
+  [ "${token}" != "" ]
+
+  # OpenBao Unseal
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      kubectl exec -ti ${pod} -- bao operator unseal ${token}
+  done
+
+  wait_for_ready "$(name_prefix)-0"
+
+  # Unsealed, initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "false" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "true" ]
+}
 
 # Clean up
-  helm_delete
+teardown() {
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      echo "helm/pvc teardown"
+      helm delete openbao
+      kubectl delete --all pvc
+      kubectl delete namespace acceptance --ignore-not-found=true
+  fi
 }

test/chart/_helpers.bash

@@ -0,0 +1,21 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# chart_dir returns the directory for the chart
+chart_dir() {
+    echo ${BATS_TEST_DIRNAME}/../../charts/openbao
+}
+
+# check_result checks if the specified test passed
+# results schema example:
+# {
+#   "check": "has-minkubeversion",
+#   "type": "Mandatory",
+#   "outcome": "PASS",
+#   "reason": "Minimum Kubernetes version specified"
+# }
+check_result() {
+  local -r var="$1"
+  local check=$(cat $VERIFY_OUTPUT | jq -r ".results[] | select(.check==\"${var}\").outcome")
+  [ "$check" = "PASS" ]
+}

test/chart/verifier.bats

@@ -0,0 +1,94 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+setup_file() {
+    cd `chart_dir`
+    export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json"
+    export CHART_VOLUME=openbao-helm-chart-src
+    local IMAGE="quay.io/redhat-certification/chart-verifier:1.13.7"
+    # chart-verifier requires an openshift version if a cluster isn't available
+    local OPENSHIFT_VERSION="4.12"
+    local DISABLED_TESTS="chart-testing"
+
+    local run_cmd="chart-verifier"
+    local chart_src="."
+
+    if [ ! -e $USE_DOCKER ]; then
+        chart_src="/chart"
+        # Create a dummy container which will hold a volume with chart source
+        docker create -v $chart_src --name $CHART_VOLUME alpine:3 /bin/true
+        # Copy the chart source into this volume
+        docker cp . $CHART_VOLUME:$chart_src
+        # Make sure we have the latest version of chart-verifier
+        docker pull $IMAGE
+        # Start chart-verifier using this volume
+        run_cmd="docker run --rm --volumes-from $CHART_VOLUME -w $chart_src $IMAGE"
+    fi
+
+    $run_cmd verify $chart_src \
+      --output json \
+      --openshift-version $OPENSHIFT_VERSION \
+      --disable $DISABLED_TESTS \
+      --chart-values values.openshift.yaml 2>&1 | tee $VERIFY_OUTPUT
+}
+
+teardown_file() {
+    if [ ! -e $USE_DOCKER ]; then
+        docker rm $CHART_VOLUME
+    fi
+}
+
+@test "has-kubeversion" {
+    check_result v1.1/has-kubeversion
+}
+
+@test "is-helm-v3" {
+    check_result v1.0/is-helm-v3
+}
+
+@test "not-contains-crds" {
+    check_result v1.0/not-contains-crds
+}
+
+@test "helm-lint" {
+    check_result v1.0/helm-lint
+}
+
+@test "not-contain-csi-objects" {
+    check_result v1.0/not-contain-csi-objects
+}
+
+@test "has-readme" {
+    check_result v1.0/has-readme
+}
+
+@test "contains-values" {
+    check_result v1.0/contains-values
+}
+
+@test "contains-values-schema" {
+    check_result v1.0/contains-values-schema
+}
+
+@test "contains-test" {
+    check_result v1.0/contains-test
+}
+
+@test "images-are-certified" {
+    check_result v1.1/images-are-certified
+}
+
+@test "required-annotations-present" {
+    check_result v1.0/required-annotations-present
+}
+
+@test "chart-testing" {
+    skip "Skipping since this test requires a kubernetes/openshift cluster"
+    check_result v1.0/chart-testing
+}
+
+@test "signature-is-valid" {
+    skip "Chart is not signed : Signature verification not required"
+    check_result v1.0/signature-is-valid
+}

test/docker/Test.dockerfile

@@ -1,3 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 # This Dockerfile installs all the dependencies necessary to run the unit and
 # acceptance tests. This image also contains gcloud so you can run tests
 # against a GKE cluster easily.
@@ -6,10 +9,11 @@
 # a script to configure kubectl, potentially install Helm, and run the tests
 # manually. This image only has the dependencies pre-installed.
 
-FROM alpine:latest
+FROM docker.mirror.hashicorp.services/alpine:latest
 WORKDIR /root
 
-ENV BATS_VERSION "1.1.0"
+ENV BATS_VERSION "1.3.0"
+ENV TERRAFORM_VERSION "0.12.10"
 
 # base packages
 RUN apk update && apk add --no-cache --virtual .build-deps \
@@ -18,26 +22,35 @@ RUN apk update && apk add --no-cache --virtual .build-deps \
     tar \
     bash \
     openssl \
-    python \
     py-pip \
     git \
+    make \
     jq
 
 # yq
-RUN pip install yq
+RUN python3 -m venv venv && \
+    . venv/bin/activate && \
+    pip install yq && \
+    ln -s $PWD/venv/bin/yq /usr/local/bin/yq && \
+    deactivate
 
 # gcloud
 RUN curl -OL https://dl.google.com/dl/cloudsdk/channels/rapid/install_google_cloud_sdk.bash && \
     bash install_google_cloud_sdk.bash --disable-prompts --install-dir='/root/' && \
     ln -s /root/google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud
 
+# terraform
+RUN curl -sSL https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip -o /tmp/tf.zip \
+    && unzip /tmp/tf.zip  \
+    && ln -s /root/terraform /usr/local/bin/terraform
+
 # kubectl
 RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && \
     chmod +x ./kubectl && \
     mv ./kubectl /usr/local/bin/kubectl
 
 # helm
-RUN curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash
+RUN curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
 
 # bats
 RUN curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz \

test/kind/config.yaml

@@ -0,0 +1,23 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+- role: worker
+- role: worker
+- role: worker
+# These apiServer settings are included for running the CSI provider on K8s
+# prior to 1.21
+kubeadmConfigPatches:
+  - |
+    apiVersion: kubeadm.k8s.io/v1beta2
+    kind: ClusterConfiguration
+    metadata:
+      name: config
+    apiServer:
+      extraArgs:
+        "service-account-issuer": "https://kubernetes.default.svc.cluster.local"
+        "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key"
+        "service-account-api-audiences": "https://kubernetes.default.svc.cluster.local"

test/terraform/.gitignore

@@ -0,0 +1 @@
+vault-helm-dev-creds.json

test/terraform/main.tf

@@ -1,11 +1,8 @@
-locals {
-  service_account_path = "${path.module}/service-account.yaml"
-}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
 
 provider "google" {
   project = "${var.project}"
-  region      = "us-central1"
-  credentials = "${file("vault-helm-dev-creds.json")}"
 }
 
 resource "random_id" "suffix" {
@@ -13,23 +10,44 @@ resource "random_id" "suffix" {
 }
 
 data "google_container_engine_versions" "main" {
-  zone = "${var.zone}"
+  location = "${var.zone}"
+  version_prefix = "1.19."
+}
+
+data "google_service_account" "gcpapi" {
+  account_id = "${var.gcp_service_account}"
 }
 
 resource "google_container_cluster" "cluster" {
-  name               = "vault-helm-dev-${random_id.suffix.dec}"
+  name               = "openbao-helm-dev-${random_id.suffix.dec}"
   project            = "${var.project}"
   enable_legacy_abac = true
   initial_node_count = 3
-  zone               = "${var.zone}"
+  location           = "${var.zone}"
   min_master_version = "${data.google_container_engine_versions.main.latest_master_version}"
   node_version       = "${data.google_container_engine_versions.main.latest_node_version}"
+
+  node_config {
+    #service account for nodes to use
+    oauth_scopes = [
+      "https://www.googleapis.com/auth/cloud-platform",
+      "https://www.googleapis.com/auth/compute",
+      "https://www.googleapis.com/auth/devstorage.read_write",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring",
+      "https://www.googleapis.com/auth/service.management.readonly",
+      "https://www.googleapis.com/auth/servicecontrol",
+      "https://www.googleapis.com/auth/trace.append",
+    ]
+
+    service_account = "${data.google_service_account.gcpapi.email}"
+  }
 }
 
 resource "null_resource" "kubectl" {
   count = "${var.init_cli ? 1 : 0 }"
 
-  triggers {
+  triggers = {
     cluster = "${google_container_cluster.cluster.id}"
   }
 
@@ -55,19 +73,3 @@ resource "null_resource" "kubectl" {
     command    = "kubectl config get-contexts | grep ${google_container_cluster.cluster.name} | xargs -n1 kubectl config delete-context"
   }
 }
-
-resource "null_resource" "helm" {
-  count      = "${var.init_cli ? 1 : 0 }"
-  depends_on = ["null_resource.kubectl"]
-
-  triggers {
-    cluster = "${google_container_cluster.cluster.id}"
-  }
-
-  provisioner "local-exec" {
-    command = <<EOF
-kubectl apply -f '${local.service_account_path}'
-helm init --service-account helm
-EOF
-  }
-}