Merge pull request #23 from ipsavitsky/fix-agent-uri

Add the `.injector.agentImage.registry` to the image path

.circleci/config.yml

@@ -1,106 +0,0 @@
-version: 2.1
-orbs:
-  slack: circleci/slack@3.4.2
-
-jobs:
-  bats-unit-test:
-    docker:
-      # This image is built from test/docker/Test.dockerfile
-      - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0
-    steps:
-      - checkout
-      - run: bats ./test/unit -t
-
-  chart-verifier:
-    docker:
-      - image: docker.mirror.hashicorp.services/cimg/go:1.16
-    environment:
-      BATS_VERSION: "1.3.0"
-      CHART_VERIFIER_VERSION: "1.0.0"
-    steps:
-      - checkout
-      - run:
-          name: install chart-verifier
-          command: go get github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}
-      - run:
-          name: install bats
-          command: |
-            curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz
-            tar -zxf /tmp/bats.tgz -C /tmp
-            sudo /bin/bash /tmp/bats-core-${BATS_VERSION}/install.sh /usr/local
-      - run:
-          name: run chart-verifier tests
-          command: bats ./test/chart -t
-
-  acceptance:
-    docker:
-      # This image is build from test/docker/Test.dockerfile
-      - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0
-
-    steps:
-      - checkout
-      - run:
-          name: terraform init & apply
-          command: |
-            echo -e "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json
-            export GOOGLE_CREDENTIALS=vault-helm-test.json
-            make provision-cluster
-      - run:
-          name: Run acceptance tests
-          command: bats ./test/acceptance -t
-
-      - run:
-          name: terraform destroy
-          command: |
-            export GOOGLE_CREDENTIALS=vault-helm-test.json
-            make destroy-cluster
-          when: always
-  update-helm-charts-index:
-    docker:
-      - image: docker.mirror.hashicorp.services/circleci/golang:1.15.3
-    steps:
-      - checkout
-      - run:
-          name: verify Chart version matches tag version
-          command: |
-            GO111MODULE=on go get github.com/mikefarah/yq/v2
-            git_tag=$(echo "${CIRCLE_TAG#v}")
-            chart_tag=$(yq r Chart.yaml version)
-            if [ "${git_tag}" != "${chart_tag}" ]; then
-              echo "chart version (${chart_tag}) did not match git version (${git_tag})"
-              exit 1
-            fi
-      - run:
-          name: update helm-charts index
-          command: |
-            curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \
-                -X POST \
-                -H 'Content-Type: application/json' \
-                -H 'Accept: application/json' \
-                -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \
-                "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline"
-      - slack/status:
-          fail_only: true
-          failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}"
-
-workflows:
-  version: 2
-  build_and_test:
-    jobs:
-      - bats-unit-test
-      - chart-verifier
-      - acceptance:
-          requires:
-            - bats-unit-test
-          filters:
-            branches:
-              only: master
-  update-helm-charts-index:
-    jobs:
-      - update-helm-charts-index:
-          context: helm-charts-trigger-vault
-          filters:
-            tags:
-              only: /^v.*/
-            branches:
-              ignore: /.*/

.github/ISSUE_TEMPLATE/bug_report.md

@@ -9,9 +9,9 @@ assignees: ''
 
 <!-- Please reserve GitHub issues for bug reports and feature requests.
 
-For questions, the best place to get answers is on our [discussion forum](https://discuss.hashicorp.com/c/vault), as they will get more visibility from experienced users than the issue tracker.
+**Please note**: We take OpenBao's security and our users' trust very seriously. If
-
+you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_
-Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault Helm, _please responsibly disclose_ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).
+by contacting us at [openbao-security@lists.lfedge.org](mailto:openbao-security@lists.lfedge.org).
 
 -->
 
@@ -21,19 +21,19 @@ A clear and concise description of what the bug is.
 **To Reproduce**
 Steps to reproduce the behavior:
 1. Install chart
-2. Run vault command
+2. Run bao command
-3. See error (vault logs, etc.)
+3. See error (openbao logs, etc.)
 
-Other useful info to include: vault pod logs, `kubectl describe statefulset vault` and `kubectl get statefulset vault -o yaml` output
+Other useful info to include: openbao pod logs, `kubectl describe statefulset openbao` and `kubectl get statefulset openbao -o yaml` output
 
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 
 **Environment**
-* Kubernetes version: 
+* Kubernetes version:
   * Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.):
   * Other configuration options or runtime services (istio, etc.):
-* vault-helm version:
+* openbao-helm version:
 
 Chart values:
 

.github/ISSUE_TEMPLATE/config.yml

@@ -1,4 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 contact_links:
   - name: Ask a question
-    url: https://discuss.hashicorp.com/c/vault
+    url: https://chat.lfx.linuxfoundation.org/#/room/#openbao-questions:chat.lfx.linuxfoundation.org
-    about: For increased visibility, please post questions on the discussion forum, and tag with `k8s`

.github/actions/setup-test-tools/action.yaml

@@ -0,0 +1,24 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+name: Setup common testing tools
+description: Install bats and python-yq
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+      with:
+        node-version: '16'
+    - run: npm install -g bats@${BATS_VERSION}
+      shell: bash
+      env:
+        BATS_VERSION: '1.8.2'
+    - run: bats -v
+      shell: bash
+    - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+      with:
+        python-version: '3.10'
+    - run: pip install yq
+      shell: bash
+permissions:
+  contents: read

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/acceptance.yaml

@@ -0,0 +1,22 @@
+name: Acceptance Tests
+on: [push, workflow_dispatch]
+jobs:
+  kind:
+    strategy:
+      fail-fast: false
+      matrix:
+        kind-k8s-version: [1.27.11, 1.28.7, 1.29.2]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Setup test tools
+        uses: ./.github/actions/setup-test-tools
+      - name: Create K8s Kind Cluster
+        uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0
+        with:
+          config: test/kind/config.yaml
+          node_image: kindest/node:v${{ matrix.kind-k8s-version }}
+          version: v0.22.0
+      - run: bats --tap --timing ./test/acceptance
+permissions:
+  contents: read

.github/workflows/jira.yaml

@@ -1,87 +0,0 @@
-on:
-  issues:
-    types: [opened, closed, deleted, reopened]
-  pull_request_target:
-    types: [opened, closed, reopened]
-  issue_comment: # Also triggers when commenting on a PR from the conversation view
-    types: [created]
-
-name: Jira Sync
-
-jobs:
-  sync:
-    runs-on: ubuntu-latest
-    name: Jira sync
-    steps:
-    - name: Check if community user
-      if: github.event.action == 'opened'
-      id: vault-team-role
-      run: |
-        TEAM=vault
-        ROLE="$(hub api orgs/hashicorp/teams/${TEAM}/memberships/${{ github.actor }} | jq -r '.role | select(.!=null)')"
-        if [[ -n ${ROLE} ]]; then
-          echo "Actor ${{ github.actor }} is a ${TEAM} team member, skipping ticket creation"
-        else
-          echo "Actor ${{ github.actor }} is not a ${TEAM} team member"
-        fi
-        echo "::set-output name=role::${ROLE}"
-      env:
-        GITHUB_TOKEN: ${{ secrets.JIRA_SYNC_GITHUB_TOKEN }}
-
-    - name: Login
-      uses: atlassian/gajira-login@v2.0.0
-      env:
-        JIRA_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }}
-        JIRA_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }}
-        JIRA_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }}
-
-    - name: Preprocess
-      if: github.event.action == 'opened' || github.event.action == 'created'
-      id: preprocess
-      run: |
-        if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then
-          echo "::set-output name=type::PR"
-        else
-          echo "::set-output name=type::ISS"
-        fi
-
-    - name: Create ticket
-      if: github.event.action == 'opened' && !steps.vault-team-role.outputs.role
-      uses: tomhjp/gh-action-jira-create@v0.2.0
-      with:
-        project: VAULT
-        issuetype: "GH Issue"
-        summary: "${{ github.event.repository.name }} [${{ steps.preprocess.outputs.type }} #${{ github.event.issue.number || github.event.pull_request.number }}]: ${{ github.event.issue.title || github.event.pull_request.title }}"
-        description: "${{ github.event.issue.body || github.event.pull_request.body }}\n\n_Created from GitHub Action for ${{ github.event.issue.html_url || github.event.pull_request.html_url }} from ${{ github.actor }}_"
-        # customfield_10089 is Issue Link custom field
-        # customfield_10091 is team custom field
-        extraFields: '{"fixVersions": [{"name": "TBD"}], "customfield_10091": ["ecosystem", "runtime"], "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}"}'
-
-    - name: Search
-      if: github.event.action != 'opened'
-      id: search
-      uses: tomhjp/gh-action-jira-search@v0.2.1
-      with:
-        # cf[10089] is Issue Link custom field
-        jql: 'project = "VAULT" and issuetype = "GH Issue" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"'
-
-    - name: Sync comment
-      if: github.event.action == 'created' && steps.search.outputs.issue
-      uses: tomhjp/gh-action-jira-comment@v0.2.0
-      with:
-        issue: ${{ steps.search.outputs.issue }}
-        comment: "${{ github.actor }} ${{ github.event.review.state || 'commented' }}:\n\n${{ github.event.comment.body || github.event.review.body }}\n\n${{ github.event.comment.html_url || github.event.review.html_url }}"
-
-    - name: Close ticket
-      if: (github.event.action == 'closed' || github.event.action == 'deleted') && steps.search.outputs.issue
-      uses: atlassian/gajira-transition@v2.0.1
-      with:
-        issue: ${{ steps.search.outputs.issue }}
-        transition: Done
-
-    - name: Reopen ticket
-      if: github.event.action == 'reopened' && steps.search.outputs.issue
-      uses: atlassian/gajira-transition@v2.0.1
-      with:
-        issue: ${{ steps.search.outputs.issue }}
-        transition: "To Do"

.github/workflows/lint-chart.yml

@@ -0,0 +1,47 @@
+name: Lint and Test Chart
+
+on:
+  pull_request:
+    paths:
+      - 'charts/**'
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: "0"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.6.1
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Run chart-testing (lint)
+        id: lint
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct lint --target-branch ${{ github.event.repository.default_branch }}
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.10.0
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run chart-testing (install)
+        id: install
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct install --target-branch ${{ github.event.repository.default_branch }}

.github/workflows/release-chart.yml

@@ -0,0 +1,38 @@
+name: Release
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'charts/**'
+
+jobs:
+  release:
+    environment: helm-release
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3.5
+        id: helm-install
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run chart-releaser
+        id: helm-release
+        uses: helm/chart-releaser-action@v1.6.0
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_GENERATE_RELEASE_NOTES: true

.github/workflows/tests.yaml

@@ -0,0 +1,24 @@
+name: Tests
+on: [push, workflow_dispatch]
+jobs:
+  bats-unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: ./.github/actions/setup-test-tools
+      - run: bats --tap --timing ./test/unit
+  chart-verifier:
+    runs-on: ubuntu-latest
+    env:
+      CHART_VERIFIER_VERSION: "1.13.7"
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Setup test tools
+        uses: ./.github/actions/setup-test-tools
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version: "1.22.5"
+      - run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}"
+      - run: bats --tap --timing ./test/chart
+permissions:
+  contents: read

.gitignore

@@ -10,3 +10,5 @@ vaul-helm-dev-creds.json
 ./test/unit/vaul-helm-dev-creds.json
 ./test/acceptance/values.yaml
 ./test/acceptance/values.yml
+.idea
+scratch/

.helmignore

@@ -1,4 +0,0 @@
-.git/
-.terraform/
-bin/
-test/

CHANGELOG.md

@@ -1,5 +1,253 @@
 ## Unreleased
 
+Bugs:
+* injector: add missing `get` `nodes` permission to ClusterRole [GH-1005](https://github.com/hashicorp/vault-helm/pull/1005)
+
+## 0.27.0 (November 16, 2023)
+
+Changes:
+
+* Default `vault` version updated to 1.15.2
+
+Features:
+
+* server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet [GH-965](https://github.com/hashicorp/vault-helm/pull/965)
+* server: Support setting labels on PVCs [GH-969](https://github.com/hashicorp/vault-helm/pull/969)
+* server: Support setting ingress rules for networkPolicy [GH-877](https://github.com/hashicorp/vault-helm/pull/877)
+
+Improvements:
+
+* Support exec in the server liveness probe [GH-971](https://github.com/hashicorp/vault-helm/pull/971)
+
+## 0.26.1 (October 30, 2023)
+
+Bugs:
+* Fix templating of `server.ha.replicas` when set via override file. The `0.26.0` chart would ignore `server.ha.replicas` and always deploy 3 server replicas when `server.ha.enabled=true` unless overridden by command line when issuing the helm command: `--set server.ha.replicas=<some_number>`. Fixed in [GH-961](https://github.com/hashicorp/vault-helm/pull/961)
+
+## 0.26.0 (October 27, 2023)
+
+Changes:
+* Default `vault` version updated to 1.15.1
+* Default `vault-k8s` version updated to 1.3.1
+* Default `vault-csi-provider` version updated to 1.4.1
+* Tested with Kubernetes versions 1.24-1.28
+* server: OpenShift default readiness probe returns 204 when uninitialized [GH-966](https://github.com/hashicorp/vault-helm/pull/966)
+
+Features:
+* server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833)
+* server: Support `hostAliases` for the StatefulSet pods [GH-955](https://github.com/hashicorp/vault-helm/pull/955)
+* server: Add `server.service.active.annotations` and `server.service.standby.annotations` [GH-896](https://github.com/hashicorp/vault-helm/pull/896)
+* server: Add long-lived service account token option [GH-923](https://github.com/hashicorp/vault-helm/pull/923)
+
+Bugs:
+* csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
+
+Improvements:
+* global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
+* server: use vault.fullname in Helm test [GH-912](https://github.com/hashicorp/vault-helm/pull/912)
+* server: Allow scaling HA replicas to zero [GH-943](https://github.com/hashicorp/vault-helm/pull/943)
+
+## 0.25.0 (June 26, 2023)
+
+Changes:
+* Latest Kubernetes version tested is now 1.27
+* server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902)
+* `vault` updated to 1.14.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
+* `vault-csi-provider` updated to 1.4.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
+
+Improvements:
+* CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862)
+* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798)
+* Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
+
+Bugs:
+* server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886)
+
+## 0.24.1 (April 17, 2023)
+
+Bugs:
+* csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions [GH-872](https://github.com/hashicorp/vault-helm/pull/872)
+
+## 0.24.0 (April 6, 2023)
+
+Changes:
+* Earliest Kubernetes version tested is now 1.22
+* `vault` updated to 1.13.1 [GH-863](https://github.com/hashicorp/vault-helm/pull/863)
+* `vault-k8s` updated to 1.2.1 [GH-868](https://github.com/hashicorp/vault-helm/pull/868)
+* `vault-csi-provider` updated to 1.3.0 [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
+
+Features:
+* server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841)
+* server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831)
+* injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852)
+* csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
+
+## 0.23.0 (November 28th, 2022)
+
+Changes:
+* `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
+* `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
+* `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
+
+Features:
+* server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806)
+* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
+* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
+* server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813)
+
+Bugs:
+* server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810)
+
+## 0.22.1 (October 26th, 2022)
+
+Changes:
+* `vault` updated to 1.12.0 [GH-803](https://github.com/hashicorp/vault-helm/pull/803)
+* `vault-k8s` updated to 1.0.1 [GH-803](https://github.com/hashicorp/vault-helm/pull/803)
+
+## 0.22.0 (September 8th, 2022)
+
+Features:
+* Add PrometheusOperator support for collecting Vault server metrics. [GH-772](https://github.com/hashicorp/vault-helm/pull/772)
+
+Changes:
+* `vault-k8s` to 1.0.0 [GH-784](https://github.com/hashicorp/vault-helm/pull/784)
+* Test against Kubernetes 1.25 [GH-784](https://github.com/hashicorp/vault-helm/pull/784)
+* `vault` updated to 1.11.3 [GH-785](https://github.com/hashicorp/vault-helm/pull/785)
+
+## 0.21.0 (August 10th, 2022)
+
+CHANGES:
+* `vault-k8s` updated to 0.17.0. [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
+* `vault-csi-provider` updated to 1.2.0 [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
+* `vault` updated to 1.11.2 [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
+* Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744)
+* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
+* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
+
+Features:
+* server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
+* csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
+* injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
+* Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610)
+* Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753)
+
+## 0.20.1 (May 25th, 2022)
+CHANGES:
+* `vault-k8s` updated to 0.16.1 [GH-739](https://github.com/hashicorp/vault-helm/pull/739)
+
+Improvements:
+* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
+
+Bugs:
+* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
+
+## 0.20.0 (May 16th, 2022)
+
+CHANGES:
+* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
+* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
+* Vault default image to 1.10.3
+* CSI provider default image to 1.1.0
+* Vault K8s default image to 0.16.0
+* Earliest Kubernetes version tested is now 1.16
+* Helm 3.6+ now required
+
+Features:
+* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652)
+
+Improvements:
+* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690)
+* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683)
+* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710)
+* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709)
+* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694)
+* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684)
+* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692)
+
+## 0.19.0 (January 20th, 2022)
+
+CHANGES:
+* Vault image default 1.9.2
+* Vault K8s image default 0.14.2
+
+Features:
+* Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653)
+* Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659)
+* Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661)
+* csi: ability to set priorityClassName for CSI daemonset pods [GH-670](https://github.com/hashicorp/vault-helm/pull/670)
+
+Improvements:
+* Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679)
+* Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673)
+* Make TLS configurable for OpenShift routes [GH-686](https://github.com/hashicorp/vault-helm/pull/686)
+
+## 0.18.0 (November 17th, 2021)
+
+CHANGES:
+* Removed support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector since vault-k8s now uses an internal mechanism to determine leadership [GH-649](https://github.com/hashicorp/vault-helm/pull/649)
+* Vault image default 1.9.0
+* Vault K8s image default 0.14.1
+
+Improvements:
+* Added templateConfig.staticSecretRenderInterval chart option for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621)
+
+## 0.17.1 (October 25th, 2021)
+
+Improvements:
+  * Add option for Ingress PathType [GH-634](https://github.com/hashicorp/vault-helm/pull/634)
+
+## 0.17.0 (October 21st, 2021)
+
+KNOWN ISSUES:
+* The chart will fail to deploy on Kubernetes 1.19+ with `server.ingress.enabled=true` because no `pathType` is set
+
+CHANGES:
+* Vault image default 1.8.4
+* Vault K8s image default 0.14.0
+
+Improvements:
+* Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590)
+* Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types [GH-626](https://github.com/hashicorp/vault-helm/pull/626)
+* Support setting ingressClassName on server Ingress [GH-630](https://github.com/hashicorp/vault-helm/pull/630)
+
+Bugs:
+* Ensure `kubeletRootDir` volume path and mounts are the same when `csi.daemonSet.kubeletRootDir` is overridden [GH-628](https://github.com/hashicorp/vault-helm/pull/628)
+
+## 0.16.1 (September 29th, 2021)
+
+CHANGES:
+* Vault image default 1.8.3
+* Vault K8s image default 0.13.1
+
+## 0.16.0 (September 16th, 2021)
+
+CHANGES:
+* Support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector will be removed in version 0.18.0 of this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true`.
+
+Improvements:
+ * Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` [GH-603](https://github.com/hashicorp/vault-helm/pull/603)
+ * Support vault-k8s internal leader election [GH-568](https://github.com/hashicorp/vault-helm/pull/568) [GH-607](https://github.com/hashicorp/vault-helm/pull/607)
+
+## 0.15.0 (August 23rd, 2021)
+
+Improvements:
+* Add imagePullSecrets on server test [GH-572](https://github.com/hashicorp/vault-helm/pull/572)
+* Add injector.webhookAnnotations chart option [GH-584](https://github.com/hashicorp/vault-helm/pull/584)
+
+## 0.14.0 (July 28th, 2021)
+
+Features:
+* Added templateConfig.exitOnRetryFailure chart option for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560)
+
+Improvements:
+* Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565)
+* Set the default vault image to come from the hashicorp organization [GH-567](https://github.com/hashicorp/vault-helm/pull/567)
+* Add support for running the acceptance tests against a local `kind` cluster [GH-567](https://github.com/hashicorp/vault-helm/pull/567)
+* Add `server.ingress.activeService` to configure if the ingress should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570)
+* Add `server.route.activeService` to configure if the route should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570)
+* Support configuring `global.imagePullSecrets` from a string array [GH-576](https://github.com/hashicorp/vault-helm/pull/576)
+
+
 ## 0.13.0 (June 17th, 2021)
 
 Improvements:

CONTRIBUTING.md

@@ -1,8 +1,8 @@
-# Contributing to Vault Helm
+# Contributing to OpenBao Helm
 
-**Please note:** We take Vault's security and our users' trust very seriously.
+**Please note:** We take OpenBao's security and our users' trust very seriously.
-If you believe you have found a security issue in Vault, please responsibly
+If you believe you have found a security issue in OpenBao, please responsibly
-disclose by contacting us at security@hashicorp.com.
+disclose by contacting us at openbao-security@lists.lfedge.org.
 
 **First:** if you're unsure or afraid of _anything_, just ask or submit the
 issue or pull request anyways. You won't be yelled at for giving it your best
@@ -12,34 +12,36 @@ rules to get in the way of that.
 
 That said, if you want to ensure that a pull request is likely to be merged,
 talk to us! You can find out our thoughts and ensure that your contribution
-won't clash or be obviated by Vault's normal direction. A great way to do this
+won't clash or be obviated by OpenBao's normal direction. A great way to do this
-is via the [Vault Google Group][2]. Sometimes Vault devs are in `#vault-tool`
+is via the [Linux Foundation Element chat server][1], or [mailing list][2].
-on Freenode, too.
 
 This document will cover what we're looking for in terms of reporting issues.
 By addressing all the points we're looking for, it raises the chances we can
 quickly merge or address your contributions.
 
+[1]: https://chat.lfx.linuxfoundation.org
+[2]: https://lists.lfedge.org/g/openbao
+
 ## Issues
 
 ### Reporting an Issue
 
 * Make sure you test against the latest released version. It is possible
   we already fixed the bug you're experiencing. Even better is if you can test
-  against `master`, as bugs are fixed regularly but new versions are only
+  against `main`, as bugs are fixed regularly but new versions are only
   released every few months.
 
 * Provide steps to reproduce the issue, and if possible include the expected
   results as well as the actual results. Please provide text, not screen shots!
 
-* Respond as promptly as possible to any questions made by the Vault
+* Respond as promptly as possible to any questions made by the OpenBao
   team to your issue. Stale issues will be closed periodically.
 
 ### Issue Lifecycle
 
 1. The issue is reported.
 
-2. The issue is verified and categorized by a Vault Helm collaborator.
+2. The issue is verified and categorized by a OpenBao Helm collaborator.
    Categorization is done via tags. For example, bugs are marked as "bugs".
 
 3. Unless it is critical, the issue may be left for a period of time (sometimes
@@ -69,25 +71,25 @@ The following are the instructions for running bats tests using a Docker contain
 #### Prerequisites
 
 * Docker installed
-* `vault-helm` checked out locally
+* `openbao-helm` checked out locally
 
 #### Test
 
-**Note:** the following commands should be run from the `vault-helm` directory.
+**Note:** the following commands should be run from the `openbao-helm` directory.
 
 First, build the Docker image for running the tests:
 
 ```shell
-docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test
+docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t openbao-helm-test
 ```
 Next, execute the tests with the following commands:
 ```shell
-docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit
+docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit
 ```
-It's possible to only run specific bats tests using regular expressions. 
+It's possible to only run specific bats tests using regular expressions.
 For example, the following will run only tests with "injector" in the name:
 ```shell
-docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector"
+docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit -f "injector"
 ```
 
 ### Test Manually
@@ -121,7 +123,7 @@ may not be properly cleaned up. We recommend recycling the Kubernetes cluster to
 start from a clean slate.
 
 **Note:** There is a Terraform configuration in the
-[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/master/test/terraform) directory
+[`test/terraform/`](https://github.com/openbao/openbao-helm/tree/main/test/terraform) directory
 that can be used to quickly bring up a GKE cluster and configure
 `kubectl` and `helm` locally. This can be used to quickly spin up a test
 cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes
@@ -237,3 +239,10 @@ Here are some examples of common test patterns:
     ```
     Here we are check the length of the command output to see if the anything is rendered.
     This style can easily be switched to check that a file is rendered instead.
+
+## Contributor License Agreement
+
+We require that all contributors sign our Contributor License Agreement ("CLA")
+before we can accept the contribution.
+
+[Learn more about why HashiCorp requires a CLA and what the CLA includes](https://www.hashicorp.com/cla)

Chart.yaml

@@ -1,14 +0,0 @@
-apiVersion: v2
-name: vault
-version: 0.13.0
-appVersion: 1.7.3
-kubeVersion: ">= 1.14.0-0"
-description: Official HashiCorp Vault Chart
-home: https://www.vaultproject.io
-icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
-keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"]
-sources:
-  - https://github.com/hashicorp/vault
-  - https://github.com/hashicorp/vault-helm
-  - https://github.com/hashicorp/vault-k8s
-  - https://github.com/hashicorp/vault-csi-provider

LICENSE

@@ -1,3 +1,5 @@
+Copyright (c) 2018 HashiCorp, Inc.
+
 Mozilla Public License, version 2.0
 
 1. Definitions

Makefile

@@ -1,9 +1,21 @@
-TEST_IMAGE?=vault-helm-test
+TEST_IMAGE?=openbao-helm-test
-GOOGLE_CREDENTIALS?=vault-helm-test.json
+GOOGLE_CREDENTIALS?=openbao-helm-test.json
-CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514
+CLOUDSDK_CORE_PROJECT?=openbao-helm-dev-246514
 # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats
 ACCEPTANCE_TESTS?=acceptance
 
+# filter bats unit tests to run.
+UNIT_TESTS_FILTER?='.*'
+
+# set to 'true' to run acceptance tests locally in a kind cluster
+LOCAL_ACCEPTANCE_TESTS?=false
+
+# kind cluster name
+KIND_CLUSTER_NAME?=openbao-helm
+
+# kind k8s version
+KIND_K8S_VERSION?=v1.29.2
+
 # Generate json schema for chart values. See test/README.md for more details.
 values-schema:
 	helm schema-gen values.yaml > values.schema.json
@@ -12,7 +24,7 @@ test-image:
 	@docker build --rm -t $(TEST_IMAGE) -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR)
 
 test-unit:
-	@docker run -it -v ${PWD}:/helm-test $(TEST_IMAGE) bats /helm-test/test/unit
+	@docker run --rm -it -v ${PWD}:/helm-test $(TEST_IMAGE) bats -f $(UNIT_TESTS_FILTER) /helm-test/test/unit
 
 test-bats: test-unit test-acceptance
 
@@ -21,6 +33,9 @@ test: test-image test-bats
 # run acceptance tests on GKE
 # set google project/credential vars above
 test-acceptance:
+ifeq ($(LOCAL_ACCEPTANCE_TESTS),true)
+	make setup-kind acceptance
+else
 	@docker run -it -v ${PWD}:/helm-test \
 	-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
 	-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
@@ -28,7 +43,8 @@ test-acceptance:
 	-w /helm-test \
 	$(TEST_IMAGE) \
 	make acceptance
-	
+endif
+
 # destroy GKE cluster using terraform
 test-destroy:
 	@docker run -it -v ${PWD}:/helm-test \
@@ -51,8 +67,10 @@ test-provision:
 # this target is for running the acceptance tests
 # it is run in the docker container above when the test-acceptance target is invoked
 acceptance:
+ifneq ($(LOCAL_ACCEPTANCE_TESTS),true)
 	gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
-	bats test/${ACCEPTANCE_TESTS}
+endif
+	bats --tap --timing test/${ACCEPTANCE_TESTS}
 
 # this target is for provisioning the GKE cluster
 # it is run in the docker container above when the test-provision target is invoked
@@ -66,4 +84,17 @@ provision-cluster:
 destroy-cluster:
 	terraform destroy -auto-approve
 
+# create a kind cluster for running the acceptance tests locally
+setup-kind:
+	kind get clusters | grep -q "^${KIND_CLUSTER_NAME}$$" || \
+	kind create cluster \
+	--image kindest/node:${KIND_K8S_VERSION} \
+	--name ${KIND_CLUSTER_NAME}  \
+	--config $(CURDIR)/test/kind/config.yaml
+	kubectl config use-context kind-${KIND_CLUSTER_NAME}
+
+# delete the kind cluster
+delete-kind:
+	kind delete cluster --name ${KIND_CLUSTER_NAME} || :
+
 .PHONY: values-schema test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster

README.md

@@ -1,16 +1,12 @@
-# Vault Helm Chart
+# OpenBao Helm Chart
 
-> :warning: **Please note**: We take Vault's security and our users' trust very seriously. If 
+> :warning: **Please note**: We take OpenBao's security and our users' trust very seriously. If
-you believe you have found a security issue in Vault Helm, _please responsibly disclose_ 
+you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_
-by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).
+by contacting us at [openbao-security@lists.lfedge.org](mailto:openbao-security@lists.lfedge.org).
 
-This repository contains the official HashiCorp Helm chart for installing
+This repository contains the OpenBao Helm chart for installing
-and configuring Vault on Kubernetes. This chart supports multiple use
+and configuring OpenBao on Kubernetes. This chart supports multiple use
-cases of Vault on Kubernetes depending on the values provided.
+cases of OpenBao on Kubernetes depending on the values provided.
-
-For full documentation on this Helm chart along with all the ways you can
-use Vault with Kubernetes, please see the
-[Vault and Kubernetes documentation](https://www.vaultproject.io/docs/platform/k8s/).
 
 ## Prerequisites
 
@@ -20,25 +16,19 @@ this README. Please refer to the Kubernetes and Helm documentation.
 
 The versions required are:
 
-  * **Helm 3.0+** - This is the earliest version of Helm tested. It is possible
+  * **Helm 3.12+** - Earliest verison tested
-    it works with earlier versions but this chart is untested for those versions.
+  * **Kubernetes 1.28+** - This is the earliest version of Kubernetes tested.
-  * **Kubernetes 1.14+** - This is the earliest version of Kubernetes tested.
     It is possible that this chart works with earlier versions but it is
     untested.
 
 ## Usage
 
-To install the latest version of this chart, add the Hashicorp helm repository
+To install the latest version of this chart, add the OpenBao helm repository and run `helm install`:
-and run `helm install`:
 
 ```console
-$ helm repo add hashicorp https://helm.releases.hashicorp.com
+helm repo add openbao https://openbao.github.io/openbao-helm
-"hashicorp" has been added to your repositories
 
-$ helm install vault hashicorp/vault
+helm install openbao openbao/openbao
 ```
 
-Please see the many options supported in the `values.yaml` file. These are also
+Please see the many options supported in the [`values.yaml`](./charts/openbao/values.yaml) file. These are also fully documented directly in the [openbao README](./charts/openbao/README.md) along with more detailed installation instructions.
-fully documented directly on the [Vault
-website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more
-detailed installation instructions.

charts/openbao/.helmignore

@@ -0,0 +1,28 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.terraform/
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+
+# CI and test
+.circleci/
+.github/
+.gitlab-ci.yml
+test/

charts/openbao/Chart.yaml

@@ -0,0 +1,31 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: v2
+name: openbao
+version: 0.6.0
+appVersion: v2.0.2
+kubeVersion: ">= 1.27.0-0"
+description: Official OpenBao Chart
+home: https://github.com/openbao/openbao-helm
+icon: https://github.com/openbao/artwork/blob/main/color/openbao-color.svg
+keywords:
+  [
+    "vault",
+    "openbao",
+    "security",
+    "encryption",
+    "secrets",
+    "management",
+    "automation",
+    "infrastructure",
+  ]
+sources:
+  - https://github.com/openbao/openbao-helm
+annotations:
+  charts.openshift.io/name: Openbao
+
+maintainers:
+  - name: OpenBao
+    email: openbao-security@lists.lfedge.org
+    url: https://openbao.org

charts/openbao/README.md

@@ -0,0 +1,294 @@
+# openbao
+
+![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: v2.0.2](https://img.shields.io/badge/AppVersion-v2.0.2-informational?style=flat-square)
+
+Official OpenBao Chart
+
+**Homepage:** <https://github.com/openbao/openbao-helm>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| OpenBao | <openbao-security@lists.lfedge.org> | <https://openbao.org> |
+
+## Source Code
+
+* <https://github.com/openbao/openbao-helm>
+
+## Requirements
+
+Kubernetes: `>= 1.27.0-0`
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| csi.agent.enabled | bool | `true` |  |
+| csi.agent.extraArgs | list | `[]` |  |
+| csi.agent.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" |
+| csi.agent.image.registry | string | `"quay.io"` | image registry to use for agent image |
+| csi.agent.image.repository | string | `"openbao/openbao"` | image repo to use for agent image |
+| csi.agent.image.tag | string | `"2.0.2"` | image tag to use for agent image |
+| csi.agent.logFormat | string | `"standard"` |  |
+| csi.agent.logLevel | string | `"info"` |  |
+| csi.agent.resources | object | `{}` |  |
+| csi.daemonSet.annotations | object | `{}` |  |
+| csi.daemonSet.extraLabels | object | `{}` |  |
+| csi.daemonSet.kubeletRootDir | string | `"/var/lib/kubelet"` |  |
+| csi.daemonSet.providersDir | string | `"/etc/kubernetes/secrets-store-csi-providers"` |  |
+| csi.daemonSet.securityContext.container | object | `{}` |  |
+| csi.daemonSet.securityContext.pod | object | `{}` |  |
+| csi.daemonSet.updateStrategy.maxUnavailable | string | `""` |  |
+| csi.daemonSet.updateStrategy.type | string | `"RollingUpdate"` |  |
+| csi.debug | bool | `false` |  |
+| csi.enabled | bool | `false` | True if you want to install a secrets-store-csi-driver-provider-vault daemonset.  Requires installing the secrets-store-csi-driver separately, see: https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver  With the driver and provider installed, you can mount OpenBao secrets into volumes similar to the OpenBao Agent injector, and you can also sync those secrets into Kubernetes secrets. |
+| csi.extraArgs | list | `[]` |  |
+| csi.hmacSecretName | string | `""` |  |
+| csi.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for csi image. if tag is "latest", set to "Always" |
+| csi.image.registry | string | `"docker.io"` | image registry to use for csi image |
+| csi.image.repository | string | `"hashicorp/vault-csi-provider"` | image repo to use for csi image |
+| csi.image.tag | string | `"1.4.0"` | image tag to use for csi image |
+| csi.livenessProbe.failureThreshold | int | `2` |  |
+| csi.livenessProbe.initialDelaySeconds | int | `5` |  |
+| csi.livenessProbe.periodSeconds | int | `5` |  |
+| csi.livenessProbe.successThreshold | int | `1` |  |
+| csi.livenessProbe.timeoutSeconds | int | `3` |  |
+| csi.pod.affinity | object | `{}` |  |
+| csi.pod.annotations | object | `{}` |  |
+| csi.pod.extraLabels | object | `{}` |  |
+| csi.pod.nodeSelector | object | `{}` |  |
+| csi.pod.tolerations | list | `[]` |  |
+| csi.priorityClassName | string | `""` |  |
+| csi.readinessProbe.failureThreshold | int | `2` |  |
+| csi.readinessProbe.initialDelaySeconds | int | `5` |  |
+| csi.readinessProbe.periodSeconds | int | `5` |  |
+| csi.readinessProbe.successThreshold | int | `1` |  |
+| csi.readinessProbe.timeoutSeconds | int | `3` |  |
+| csi.resources | object | `{}` |  |
+| csi.serviceAccount.annotations | object | `{}` |  |
+| csi.serviceAccount.extraLabels | object | `{}` |  |
+| csi.volumeMounts | list | `[]` | volumeMounts is a list of volumeMounts for the main server container. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. |
+| csi.volumes | list | `[]` | volumes is a list of volumes made available to all containers. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. |
+| global.enabled | bool | `true` | enabled is the master enabled switch. Setting this to true or false will enable or disable all the components within this chart by default. |
+| global.externalVaultAddr | string | `""` | External openbao server address for the injector and CSI provider to use. Setting this will disable deployment of a openbao server. |
+| global.imagePullSecrets | list | `[]` | Image pull secret to use for registry authentication. Alternatively, the value may be specified as an array of strings. |
+| global.namespace | string | `""` | The namespace to deploy to. Defaults to the `helm` installation namespace. |
+| global.openshift | bool | `false` | If deploying to OpenShift |
+| global.psp | object | `{"annotations":"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName:  runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName:  runtime/default\n","enable":false}` | Create PodSecurityPolicy for pods |
+| global.psp.annotations | string | `"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName:  runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName:  runtime/default\n"` | Annotation for PodSecurityPolicy. This is a multi-line templated string map, and can also be set as YAML. |
+| global.serverTelemetry.prometheusOperator | bool | `false` | Enable integration with the Prometheus Operator See the top level serverTelemetry section below before enabling this feature. |
+| global.tlsDisable | bool | `true` | TLS for end-to-end encrypted transport |
+| injector.affinity | string | `"podAntiAffinity:\n  requiredDuringSchedulingIgnoredDuringExecution:\n    - labelSelector:\n        matchLabels:\n          app.kubernetes.io/name: {{ template \"openbao.name\" . }}-agent-injector\n          app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n          component: webhook\n      topologyKey: kubernetes.io/hostname\n"` |  |
+| injector.agentDefaults.cpuLimit | string | `"500m"` |  |
+| injector.agentDefaults.cpuRequest | string | `"250m"` |  |
+| injector.agentDefaults.memLimit | string | `"128Mi"` |  |
+| injector.agentDefaults.memRequest | string | `"64Mi"` |  |
+| injector.agentDefaults.template | string | `"map"` |  |
+| injector.agentDefaults.templateConfig.exitOnRetryFailure | bool | `true` |  |
+| injector.agentDefaults.templateConfig.staticSecretRenderInterval | string | `""` |  |
+| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.2"}` | agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent containers.  This should be set to the official OpenBao image.  OpenBao 1.3.1+ is required. |
+| injector.agentImage.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" |
+| injector.agentImage.registry | string | `"quay.io"` | image registry to use for agent image |
+| injector.agentImage.repository | string | `"openbao/openbao"` | image repo to use for agent image |
+| injector.agentImage.tag | string | `"2.0.2"` | image tag to use for agent image |
+| injector.annotations | object | `{}` |  |
+| injector.authPath | string | `"auth/kubernetes"` |  |
+| injector.certs.caBundle | string | `""` |  |
+| injector.certs.certName | string | `"tls.crt"` |  |
+| injector.certs.keyName | string | `"tls.key"` |  |
+| injector.certs.secretName | string | `nil` |  |
+| injector.enabled | string | `"-"` | True if you want to enable openbao agent injection. @default: global.enabled |
+| injector.externalVaultAddr | string | `""` | Deprecated: Please use global.externalVaultAddr instead. |
+| injector.extraEnvironmentVars | object | `{}` |  |
+| injector.extraLabels | object | `{}` |  |
+| injector.failurePolicy | string | `"Ignore"` |  |
+| injector.hostNetwork | bool | `false` |  |
+| injector.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for k8s image. if tag is "latest", set to "Always" |
+| injector.image.registry | string | `"docker.io"` | image registry to use for k8s image |
+| injector.image.repository | string | `"hashicorp/vault-k8s"` | image repo to use for k8s image |
+| injector.image.tag | string | `"1.4.2"` | image tag to use for k8s image |
+| injector.leaderElector | object | `{"enabled":true}` | If multiple replicas are specified, by default a leader will be determined so that only one injector attempts to create TLS certificates. |
+| injector.livenessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
+| injector.livenessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
+| injector.livenessProbe.periodSeconds | int | `2` | How often (in seconds) to perform the probe |
+| injector.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed |
+| injector.livenessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
+| injector.logFormat | string | `"standard"` | Configures the log format of the injector. Supported log formats: "standard", "json". |
+| injector.logLevel | string | `"info"` | Configures the log verbosity of the injector. Supported log levels include: trace, debug, info, warn, error |
+| injector.metrics | object | `{"enabled":false}` | If true, will enable a node exporter metrics endpoint at /metrics. |
+| injector.namespaceSelector | object | `{}` |  |
+| injector.nodeSelector | object | `{}` |  |
+| injector.objectSelector | object | `{}` |  |
+| injector.podDisruptionBudget | object | `{}` |  |
+| injector.port | int | `8080` | Configures the port the injector should listen on |
+| injector.priorityClassName | string | `""` |  |
+| injector.readinessProbe.failureThreshold | int | `2` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
+| injector.readinessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
+| injector.readinessProbe.periodSeconds | int | `2` | How often (in seconds) to perform the probe |
+| injector.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed |
+| injector.readinessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
+| injector.replicas | int | `1` |  |
+| injector.resources | object | `{}` |  |
+| injector.revokeOnShutdown | bool | `false` |  |
+| injector.securityContext.container | object | `{}` |  |
+| injector.securityContext.pod | object | `{}` |  |
+| injector.service.annotations | object | `{}` |  |
+| injector.serviceAccount.annotations | object | `{}` |  |
+| injector.startupProbe.failureThreshold | int | `12` | When a probe fails, Kubernetes will try failureThreshold times before giving up |
+| injector.startupProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before probe initiates |
+| injector.startupProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe |
+| injector.startupProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed |
+| injector.startupProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
+| injector.strategy | object | `{}` |  |
+| injector.tolerations | list | `[]` |  |
+| injector.topologySpreadConstraints | list | `[]` |  |
+| injector.webhook.annotations | object | `{}` |  |
+| injector.webhook.failurePolicy | string | `"Ignore"` |  |
+| injector.webhook.matchPolicy | string | `"Exact"` |  |
+| injector.webhook.namespaceSelector | object | `{}` |  |
+| injector.webhook.objectSelector | string | `"matchExpressions:\n- key: app.kubernetes.io/name\n  operator: NotIn\n  values:\n  - {{ template \"openbao.name\" . }}-agent-injector\n"` |  |
+| injector.webhook.timeoutSeconds | int | `30` |  |
+| injector.webhookAnnotations | object | `{}` |  |
+| server.affinity | string | `"podAntiAffinity:\n  requiredDuringSchedulingIgnoredDuringExecution:\n    - labelSelector:\n        matchLabels:\n          app.kubernetes.io/name: {{ template \"openbao.name\" . }}\n          app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n          component: server\n      topologyKey: kubernetes.io/hostname\n"` |  |
+| server.annotations | object | `{}` |  |
+| server.auditStorage.accessMode | string | `"ReadWriteOnce"` |  |
+| server.auditStorage.annotations | object | `{}` |  |
+| server.auditStorage.enabled | bool | `false` |  |
+| server.auditStorage.labels | object | `{}` |  |
+| server.auditStorage.mountPath | string | `"/openbao/audit"` |  |
+| server.auditStorage.size | string | `"10Gi"` |  |
+| server.auditStorage.storageClass | string | `nil` |  |
+| server.authDelegator.enabled | bool | `true` |  |
+| server.configAnnotation | bool | `false` |  |
+| server.dataStorage.accessMode | string | `"ReadWriteOnce"` |  |
+| server.dataStorage.annotations | object | `{}` |  |
+| server.dataStorage.enabled | bool | `true` |  |
+| server.dataStorage.labels | object | `{}` |  |
+| server.dataStorage.mountPath | string | `"/openbao/data"` |  |
+| server.dataStorage.size | string | `"10Gi"` |  |
+| server.dataStorage.storageClass | string | `nil` |  |
+| server.dev.devRootToken | string | `"root"` |  |
+| server.dev.enabled | bool | `false` |  |
+| server.enabled | string | `"-"` |  |
+| server.extraArgs | string | `""` | extraArgs is a string containing additional OpenBao server arguments. |
+| server.extraContainers | string | `nil` |  |
+| server.extraEnvironmentVars | object | `{}` |  |
+| server.extraInitContainers | list | `[]` | extraInitContainers is a list of init containers. Specified as a YAML list. This is useful if you need to run a script to provision TLS certificates or write out configuration files in a dynamic way. |
+| server.extraLabels | object | `{}` |  |
+| server.extraPorts | list | `[]` | extraPorts is a list of extra ports. Specified as a YAML list. This is useful if you need to add additional ports to the statefulset in dynamic way. |
+| server.extraSecretEnvironmentVars | list | `[]` |  |
+| server.extraVolumes | list | `[]` |  |
+| server.ha.apiAddr | string | `nil` |  |
+| server.ha.clusterAddr | string | `nil` |  |
+| server.ha.config | string | `"ui = true\n\nlistener \"tcp\" {\n  tls_disable = 1\n  address = \"[::]:8200\"\n  cluster_address = \"[::]:8201\"\n}\nstorage \"consul\" {\n  path = \"openbao\"\n  address = \"HOST_IP:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n#   project     = \"openbao-helm-dev-246514\"\n#   region      = \"global\"\n#   key_ring    = \"openbao-helm-unseal-kr\"\n#   crypto_key  = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics.\n# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.\n# You may wish to enable unauthenticated metrics in the listener block above.\n#telemetry {\n#  prometheus_retention_time = \"30s\"\n#  disable_hostname = true\n#}\n"` |  |
+| server.ha.disruptionBudget.enabled | bool | `true` |  |
+| server.ha.disruptionBudget.maxUnavailable | string | `nil` |  |
+| server.ha.enabled | bool | `false` |  |
+| server.ha.raft.config | string | `"ui = true\n\nlistener \"tcp\" {\n  tls_disable = 1\n  address = \"[::]:8200\"\n  cluster_address = \"[::]:8201\"\n  # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n  #telemetry {\n  #  unauthenticated_metrics_access = \"true\"\n  #}\n}\n\nstorage \"raft\" {\n  path = \"/openbao/data\"\n}\n\nservice_registration \"kubernetes\" {}\n"` |  |
+| server.ha.raft.enabled | bool | `false` |  |
+| server.ha.raft.setNodeId | bool | `false` |  |
+| server.ha.replicas | int | `3` |  |
+| server.hostAliases | list | `[]` |  |
+| server.hostNetwork | bool | `false` |  |
+| server.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for server image. if tag is "latest", set to "Always" |
+| server.image.registry | string | `"quay.io"` | image registry to use for server image |
+| server.image.repository | string | `"openbao/openbao"` | image repo to use for server image |
+| server.image.tag | string | `"2.0.2"` | image tag to use for server image |
+| server.ingress.activeService | bool | `true` |  |
+| server.ingress.annotations | object | `{}` |  |
+| server.ingress.enabled | bool | `false` |  |
+| server.ingress.extraPaths | list | `[]` |  |
+| server.ingress.hosts[0].host | string | `"chart-example.local"` |  |
+| server.ingress.hosts[0].paths | list | `[]` |  |
+| server.ingress.ingressClassName | string | `""` |  |
+| server.ingress.labels | object | `{}` |  |
+| server.ingress.pathType | string | `"Prefix"` |  |
+| server.ingress.tls | list | `[]` |  |
+| server.livenessProbe.enabled | bool | `false` |  |
+| server.livenessProbe.execCommand | list | `[]` |  |
+| server.livenessProbe.failureThreshold | int | `2` |  |
+| server.livenessProbe.initialDelaySeconds | int | `60` |  |
+| server.livenessProbe.path | string | `"/v1/sys/health?standbyok=true"` |  |
+| server.livenessProbe.periodSeconds | int | `5` |  |
+| server.livenessProbe.port | int | `8200` |  |
+| server.livenessProbe.successThreshold | int | `1` |  |
+| server.livenessProbe.timeoutSeconds | int | `3` |  |
+| server.logFormat | string | `""` |  |
+| server.logLevel | string | `""` |  |
+| server.networkPolicy.egress | list | `[]` |  |
+| server.networkPolicy.enabled | bool | `false` |  |
+| server.networkPolicy.ingress[0].from[0].namespaceSelector | object | `{}` |  |
+| server.networkPolicy.ingress[0].ports[0].port | int | `8200` |  |
+| server.networkPolicy.ingress[0].ports[0].protocol | string | `"TCP"` |  |
+| server.networkPolicy.ingress[0].ports[1].port | int | `8201` |  |
+| server.networkPolicy.ingress[0].ports[1].protocol | string | `"TCP"` |  |
+| server.nodeSelector | object | `{}` |  |
+| server.persistentVolumeClaimRetentionPolicy | object | `{}` |  |
+| server.postStart | list | `[]` |  |
+| server.preStopSleepSeconds | int | `5` |  |
+| server.priorityClassName | string | `""` |  |
+| server.readinessProbe.enabled | bool | `true` |  |
+| server.readinessProbe.failureThreshold | int | `2` |  |
+| server.readinessProbe.initialDelaySeconds | int | `5` |  |
+| server.readinessProbe.periodSeconds | int | `5` |  |
+| server.readinessProbe.port | int | `8200` |  |
+| server.readinessProbe.successThreshold | int | `1` |  |
+| server.readinessProbe.timeoutSeconds | int | `3` |  |
+| server.resources | object | `{}` |  |
+| server.route.activeService | bool | `true` |  |
+| server.route.annotations | object | `{}` |  |
+| server.route.enabled | bool | `false` |  |
+| server.route.host | string | `"chart-example.local"` |  |
+| server.route.labels | object | `{}` |  |
+| server.route.tls.termination | string | `"passthrough"` |  |
+| server.service.active.annotations | object | `{}` |  |
+| server.service.active.enabled | bool | `true` |  |
+| server.service.annotations | object | `{}` |  |
+| server.service.enabled | bool | `true` |  |
+| server.service.externalTrafficPolicy | string | `"Cluster"` |  |
+| server.service.instanceSelector.enabled | bool | `true` |  |
+| server.service.ipFamilies | list | `[]` |  |
+| server.service.ipFamilyPolicy | string | `""` |  |
+| server.service.port | int | `8200` |  |
+| server.service.publishNotReadyAddresses | bool | `true` |  |
+| server.service.standby.annotations | object | `{}` |  |
+| server.service.standby.enabled | bool | `true` |  |
+| server.service.targetPort | int | `8200` |  |
+| server.serviceAccount.annotations | object | `{}` |  |
+| server.serviceAccount.create | bool | `true` |  |
+| server.serviceAccount.createSecret | bool | `false` |  |
+| server.serviceAccount.extraLabels | object | `{}` |  |
+| server.serviceAccount.name | string | `""` |  |
+| server.serviceAccount.serviceDiscovery.enabled | bool | `true` |  |
+| server.shareProcessNamespace | bool | `false` | shareProcessNamespace enables process namespace sharing between OpenBao and the extraContainers This is useful if OpenBao must be signaled, e.g. to send a SIGHUP for a log rotation |
+| server.standalone.config | string | `"ui = true\n\nlistener \"tcp\" {\n  tls_disable = 1\n  address = \"[::]:8200\"\n  cluster_address = \"[::]:8201\"\n  # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n  #telemetry {\n  #  unauthenticated_metrics_access = \"true\"\n  #}\n}\nstorage \"file\" {\n  path = \"/openbao/data\"\n}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n#   project     = \"openbao-helm-dev\"\n#   region      = \"global\"\n#   key_ring    = \"openbao-helm-unseal-kr\"\n#   crypto_key  = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n#  prometheus_retention_time = \"30s\"\n#  disable_hostname = true\n#}\n"` |  |
+| server.standalone.enabled | string | `"-"` |  |
+| server.statefulSet.annotations | object | `{}` |  |
+| server.statefulSet.securityContext.container | object | `{}` |  |
+| server.statefulSet.securityContext.pod | object | `{}` |  |
+| server.terminationGracePeriodSeconds | int | `10` |  |
+| server.tolerations | list | `[]` |  |
+| server.topologySpreadConstraints | list | `[]` |  |
+| server.updateStrategyType | string | `"OnDelete"` |  |
+| server.volumeMounts | string | `nil` |  |
+| server.volumes | string | `nil` |  |
+| serverTelemetry.prometheusRules.enabled | bool | `false` |  |
+| serverTelemetry.prometheusRules.rules | list | `[]` |  |
+| serverTelemetry.prometheusRules.selectors | object | `{}` |  |
+| serverTelemetry.serviceMonitor.enabled | bool | `false` |  |
+| serverTelemetry.serviceMonitor.interval | string | `"30s"` |  |
+| serverTelemetry.serviceMonitor.scrapeTimeout | string | `"10s"` |  |
+| serverTelemetry.serviceMonitor.selectors | object | `{}` |  |
+| ui.activeOpenbaoPodOnly | bool | `false` |  |
+| ui.annotations | object | `{}` |  |
+| ui.enabled | bool | `false` |  |
+| ui.externalPort | int | `8200` |  |
+| ui.externalTrafficPolicy | string | `"Cluster"` |  |
+| ui.publishNotReadyAddresses | bool | `true` |  |
+| ui.serviceIPFamilies | list | `[]` |  |
+| ui.serviceIPFamilyPolicy | string | `""` |  |
+| ui.serviceNodePort | string | `nil` |  |
+| ui.serviceType | string | `"ClusterIP"` |  |
+| ui.targetPort | int | `8200` |  |
+

charts/openbao/templates/NOTES.txt

@@ -0,0 +1,14 @@
+
+Thank you for installing OpenBao!
+
+Now that you have deployed OpenBao, you should look over the docs on using
+OpenBao with Kubernetes available here:
+
+https://openbao.org/docs/
+
+
+Your release is named {{ .Release.Name }}. To learn more about the release, try:
+
+  $ helm status {{ .Release.Name }}
+  $ helm get manifest {{ .Release.Name }}
+

charts/openbao/templates/csi-agent-configmap.yaml

@@ -0,0 +1,34 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.csiEnabled" . -}}
+{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "openbao.fullname" . }}-csi-provider-agent-config
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+data:
+  config.hcl: |
+    vault {
+        {{- if .Values.global.externalVaultAddr }}
+        "address" = "{{ .Values.global.externalVaultAddr }}"
+        {{- else }}
+        "address" = "{{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}"
+        {{- end }}
+    }
+
+    cache {}
+
+    listener "unix" {
+        address = "/var/run/vault/agent.sock"
+        tls_disable = true
+    }
+{{- end }}

charts/openbao/templates/csi-clusterrole.yaml

@@ -1,10 +1,16 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.csiEnabled" . -}}
+{{- if .csiEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
+  name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole
   labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 rules:

charts/openbao/templates/csi-clusterrolebinding.yaml

@@ -0,0 +1,24 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "openbao.fullname" . }}-csi-provider-clusterrolebinding
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: {{ template "openbao.fullname" . }}-csi-provider
+  namespace: {{ include "openbao.namespace" . }}
+{{- end }}

charts/openbao/templates/csi-daemonset.yaml

@@ -0,0 +1,157 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ template "openbao.fullname" . }}-csi-provider
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- if  .Values.csi.daemonSet.extraLabels -}}
+      {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}}
+    {{- end -}}
+  {{ template "csi.daemonSet.annotations" . }}
+spec:
+  updateStrategy:
+    type: {{ .Values.csi.daemonSet.updateStrategy.type }}
+    {{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
+    rollingUpdate:
+      maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
+    {{- end }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ template "openbao.name" . }}-csi-provider
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- if  .Values.csi.pod.extraLabels -}}
+          {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
+        {{- end -}}
+      {{ template "csi.pod.annotations" . }}
+    spec:
+      {{ template "csi.daemonSet.securityContext.pod" . }}
+      {{- if .Values.csi.priorityClassName }}
+      priorityClassName: {{ .Values.csi.priorityClassName }}
+      {{- end }}
+      serviceAccountName: {{ template "openbao.fullname" . }}-csi-provider
+      {{- template "csi.pod.tolerations" . }}
+      {{- template "csi.pod.nodeselector" . }}
+      {{- template "csi.pod.affinity" . }}
+      containers:
+        - name: {{ include "openbao.name" . }}-csi-provider
+          {{ template "csi.resources" . }}
+          {{ template "csi.daemonSet.securityContext.container" . }}
+          image: "{{ .Values.csi.image.registry | default "docker.io" }}/{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
+          imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
+          args:
+            - --endpoint=/provider/vault.sock
+            - --debug={{ .Values.csi.debug }}
+            {{- if .Values.csi.hmacSecretName }}
+            - --hmac-secret-name={{ .Values.csi.hmacSecretName }}
+            {{- else }}
+            - --hmac-secret-name={{- include "openbao.name" . }}-csi-provider-hmac-key
+            {{- end }}
+            {{- if .Values.csi.extraArgs }}
+            {{- toYaml .Values.csi.extraArgs | nindent 12 }}
+            {{- end }}
+          env:
+            - name: VAULT_ADDR
+            {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
+              value: "unix:///var/run/vault/agent.sock"
+            {{- else if .Values.global.externalVaultAddr }}
+              value: "{{ .Values.global.externalVaultAddr }}"
+            {{- else }}
+              value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
+            {{- end }}
+          volumeMounts:
+            - name: providervol
+              mountPath: "/provider"
+            {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
+            - name: agent-unix-socket
+              mountPath: /var/run/vault
+            {{- end }}
+            {{- if .Values.csi.volumeMounts }}
+              {{- toYaml .Values.csi.volumeMounts | nindent 12}}
+            {{- end }}
+          livenessProbe:
+            httpGet:
+              path: /health/ready
+              port: 8080
+            failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }}
+            successThreshold: {{ .Values.csi.livenessProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }}
+          readinessProbe:
+            httpGet:
+              path: /health/ready
+              port: 8080
+            failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }}
+            successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
+        {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
+        - name: {{ include "openbao.name" . }}-agent
+          image: "{{ .Values.csi.agent.image.registry | default "docker.io" }}/{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
+          imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }}
+          {{ template "csi.agent.resources" . }}
+          command:
+            - bao
+          args:
+            - agent
+            - -config=/etc/vault/config.hcl
+            {{- if .Values.csi.agent.extraArgs }}
+            {{- toYaml .Values.csi.agent.extraArgs | nindent 12 }}
+            {{- end }}
+          ports:
+            - containerPort: 8200
+          env:
+            - name: BAO_LOG_LEVEL
+              value: "{{ .Values.csi.agent.logLevel }}"
+            - name: BAO_LOG_FORMAT
+              value: "{{ .Values.csi.agent.logFormat }}"
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsUser: 100
+            runAsGroup: 1000
+          volumeMounts:
+            - name: agent-config
+              mountPath: /etc/vault/config.hcl
+              subPath: config.hcl
+              readOnly: true
+            - name: agent-unix-socket
+              mountPath: /var/run/vault
+            {{- if .Values.csi.volumeMounts }}
+            {{- toYaml .Values.csi.volumeMounts | nindent 12 }}
+            {{- end }}
+        {{- end }}
+      volumes:
+        - name: providervol
+          hostPath:
+            path: {{ .Values.csi.daemonSet.providersDir }}
+        {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
+        - name: agent-config
+          configMap:
+            name: {{ template "openbao.fullname" . }}-csi-provider-agent-config
+        - name: agent-unix-socket
+          emptyDir:
+            medium: Memory
+        {{- end }}
+        {{- if .Values.csi.volumes }}
+        {{- toYaml .Values.csi.volumes | nindent 8}}
+        {{- end }}
+      {{- include "imagePullSecrets" . | nindent 6 }}
+{{- end }}

charts/openbao/templates/csi-role.yaml

@@ -0,0 +1,32 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "openbao.fullname" . }}-csi-provider-role
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get"]
+  resourceNames:
+    {{- if .Values.csi.hmacSecretName }}
+    - {{ .Values.csi.hmacSecretName }}
+    {{- else }}
+    - {{ include "openbao.name" . }}-csi-provider-hmac-key
+    {{- end }}
+# 'create' permissions cannot be restricted by resource name:
+# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+{{- end }}

charts/openbao/templates/csi-rolebinding.yaml

@@ -0,0 +1,25 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "openbao.fullname" . }}-csi-provider-rolebinding
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "openbao.fullname" . }}-csi-provider-role
+subjects:
+- kind: ServiceAccount
+  name: {{ template "openbao.fullname" . }}-csi-provider
+  namespace: {{ include "openbao.namespace" . }}
+{{- end }}

charts/openbao/templates/csi-serviceaccount.yaml

@@ -0,0 +1,21 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "openbao.fullname" . }}-csi-provider
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- if  .Values.csi.serviceAccount.extraLabels -}}
+      {{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}}
+    {{- end -}}
+  {{ template "csi.serviceAccount.annotations" . }}
+{{- end }}

charts/openbao/templates/injector-certs-secret.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: openbao-injector-certs
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+{{- end }}

charts/openbao/templates/injector-clusterrole.yaml

@@ -0,0 +1,30 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations"]
+  verbs:
+    - "get"
+    - "list"
+    - "watch"
+    - "patch"
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs:
+    - "get"
+{{ end }}
+{{ end }}

charts/openbao/templates/injector-clusterrolebinding.yaml

@@ -0,0 +1,24 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector-binding
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: {{ template "openbao.fullname" . }}-agent-injector
+  namespace: {{ include "openbao.namespace" . }}
+{{ end }}

charts/openbao/templates/injector-deployment.yaml

@@ -1,12 +1,18 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 # Deployment for the injector
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ template "vault.fullname" . }}-agent-injector
+  name: {{ template "openbao.fullname" . }}-agent-injector
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "openbao.namespace" . }}
   labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     component: webhook
@@ -14,13 +20,14 @@ spec:
   replicas: {{ .Values.injector.replicas }}
   selector:
     matchLabels:
-      app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
+      app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
       app.kubernetes.io/instance: {{ .Release.Name }}
       component: webhook
+  {{ template "injector.strategy" . }}
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
+        app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
         app.kubernetes.io/instance: {{ .Release.Name }}
         component: webhook
         {{- if  .Values.injector.extraLabels -}}
@@ -29,43 +36,40 @@ spec:
       {{ template "injector.annotations" . }}
     spec:
       {{ template "injector.affinity" . }}
+      {{ template "injector.topologySpreadConstraints" . }}
       {{ template "injector.tolerations" . }}
       {{ template "injector.nodeselector" . }}
       {{- if .Values.injector.priorityClassName }}
       priorityClassName: {{ .Values.injector.priorityClassName }}
       {{- end }}
-      serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
+      serviceAccountName: "{{ template "openbao.fullname" . }}-agent-injector"
+      {{ template "injector.securityContext.pod" . -}}
       {{- if not .Values.global.openshift }}
       hostNetwork: {{ .Values.injector.hostNetwork }}
-      securityContext:
-        runAsNonRoot: true
-        runAsGroup: {{ .Values.injector.gid | default 1000 }}
-        runAsUser: {{ .Values.injector.uid | default 100 }}
       {{- end }}
       containers:
         - name: sidecar-injector
           {{ template "injector.resources" . }}
-          image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
+          image: "{{ .Values.injector.image.registry | default "docker.io" }}/{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
           imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
-          {{- if not .Values.global.openshift }}
+          {{- template "injector.securityContext.container" . }}
-          securityContext:
-            allowPrivilegeEscalation: false
-          {{- end }}
           env:
             - name: AGENT_INJECT_LISTEN
               value: {{ printf ":%v" .Values.injector.port  }}
             - name: AGENT_INJECT_LOG_LEVEL
               value: {{ .Values.injector.logLevel | default "info" }}
             - name: AGENT_INJECT_VAULT_ADDR
-            {{- if .Values.injector.externalVaultAddr }}
+            {{- if .Values.global.externalVaultAddr }}
+              value: "{{ .Values.global.externalVaultAddr }}"
+            {{- else if .Values.injector.externalVaultAddr }}
               value: "{{ .Values.injector.externalVaultAddr }}"
             {{- else }}
-              value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
+              value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
             {{- end }}
             - name: AGENT_INJECT_VAULT_AUTH_PATH
               value: {{ .Values.injector.authPath }}
             - name: AGENT_INJECT_VAULT_IMAGE
-              value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
+              value: "{{ .Values.injector.image.registry | default "quay.io" }}/{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
             {{- if .Values.injector.certs.secretName }}
             - name: AGENT_INJECT_TLS_CERT_FILE
               value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}"
@@ -73,9 +77,9 @@ spec:
               value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}"
             {{- else }}
             - name: AGENT_INJECT_TLS_AUTO
-              value: {{ template "vault.fullname" . }}-agent-injector-cfg
+              value: {{ template "openbao.fullname" . }}-agent-injector-cfg
             - name: AGENT_INJECT_TLS_AUTO_HOSTS
-              value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc
+              value: {{ template "openbao.fullname" . }}-agent-injector-svc,{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }},{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }}.svc
             {{- end }}
             - name: AGENT_INJECT_LOG_FORMAT
               value: {{ .Values.injector.logFormat | default "standard" }}
@@ -105,9 +109,27 @@ spec:
               value: "{{ .Values.injector.agentDefaults.memRequest }}"
             - name: AGENT_INJECT_MEM_LIMIT
               value: "{{ .Values.injector.agentDefaults.memLimit }}"
+            {{- if .Values.injector.agentDefaults.ephemeralRequest }}
+            - name: AGENT_INJECT_EPHEMERAL_REQUEST
+              value: "{{ .Values.injector.agentDefaults.ephemeralRequest }}"
+            {{- end }}
+            {{- if .Values.injector.agentDefaults.ephemeralLimit }}
+            - name: AGENT_INJECT_EPHEMERAL_LIMIT
+              value: "{{ .Values.injector.agentDefaults.ephemeralLimit }}"
+            {{- end }}
             - name: AGENT_INJECT_DEFAULT_TEMPLATE
               value: "{{ .Values.injector.agentDefaults.template }}"
-            {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
+            - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE
+              value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}"
+            {{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}
+            - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL
+              value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}"
+            {{- end }}
+            {{- include "openbao.extraEnvironmentVars" .Values.injector | nindent 12 }}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
           args:
             - agent-inject
             - 2>&1
@@ -116,64 +138,42 @@ spec:
               path: /health/ready
               port: {{ .Values.injector.port }}
               scheme: HTTPS
-            failureThreshold: 2
+            failureThreshold: {{ .Values.injector.livenessProbe.failureThreshold }}
-            initialDelaySeconds: 5
+            initialDelaySeconds: {{ .Values.injector.livenessProbe.initialDelaySeconds }}
-            periodSeconds: 2
+            periodSeconds: {{ .Values.injector.livenessProbe.periodSeconds }}
-            successThreshold: 1
+            successThreshold: {{ .Values.injector.livenessProbe.successThreshold }}
-            timeoutSeconds: 5
+            timeoutSeconds: {{ .Values.injector.livenessProbe.timeoutSeconds }}
           readinessProbe:
             httpGet:
               path: /health/ready
               port: {{ .Values.injector.port }}
               scheme: HTTPS
-            failureThreshold: 2
+            failureThreshold: {{ .Values.injector.readinessProbe.failureThreshold }}
-            initialDelaySeconds: 5
+            initialDelaySeconds: {{ .Values.injector.readinessProbe.initialDelaySeconds }}
-            periodSeconds: 2
+            periodSeconds: {{ .Values.injector.readinessProbe.periodSeconds }}
-            successThreshold: 1
+            successThreshold: {{ .Values.injector.readinessProbe.successThreshold }}
-            timeoutSeconds: 5
+            timeoutSeconds: {{ .Values.injector.readinessProbe.timeoutSeconds }}
+          startupProbe:
+            httpGet:
+              path: /health/ready
+              port: {{ .Values.injector.port }}
+              scheme: HTTPS
+            failureThreshold: {{ .Values.injector.startupProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.injector.startupProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }}
+            successThreshold: {{ .Values.injector.startupProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }}
 {{- if .Values.injector.certs.secretName }}
           volumeMounts:
             - name: webhook-certs
               mountPath: /etc/webhook/certs
               readOnly: true
 {{- end }}
-        {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
-        - name: leader-elector
-          image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }}
-          args:
-            - --election={{ template "vault.fullname" . }}-agent-injector-leader
-            - --election-namespace={{ .Release.Namespace }}
-            - --http=0.0.0.0:4040
-            - --ttl={{ .Values.injector.leaderElector.ttl }}
-          livenessProbe:
-            httpGet:
-              path: /
-              port: 4040
-              scheme: HTTP
-            failureThreshold: 2
-            initialDelaySeconds: 5
-            periodSeconds: 2
-            successThreshold: 1
-            timeoutSeconds: 5
-          readinessProbe:
-            httpGet:
-              path: /
-              port: 4040
-              scheme: HTTP
-            failureThreshold: 2
-            initialDelaySeconds: 5
-            periodSeconds: 2
-            successThreshold: 1
-            timeoutSeconds: 5
-        {{- end }}
 {{- if .Values.injector.certs.secretName }}
       volumes:
         - name: webhook-certs
           secret:
             secretName: "{{ .Values.injector.certs.secretName }}"
 {{- end }}
-      {{- if .Values.global.imagePullSecrets }}
+      {{- include "imagePullSecrets" . | nindent 6 }}
-      imagePullSecrets:
-        {{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
-      {{- end }}
 {{ end }}

charts/openbao/templates/injector-disruptionbudget.yaml

@@ -0,0 +1,25 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- if .Values.injector.podDisruptionBudget }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    component: webhook
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      component: webhook
+  {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }}
+{{- end -}}

charts/openbao/templates/injector-mutating-webhook.yaml

@@ -0,0 +1,44 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
+apiVersion: admissionregistration.k8s.io/v1
+{{- else }}
+apiVersion: admissionregistration.k8s.io/v1beta1
+{{- end }}
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector-cfg
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  {{- template "injector.webhookAnnotations" . }}
+webhooks:
+  - name: vault.hashicorp.com
+    failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}
+    matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }}
+    sideEffects: None
+    timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }}
+    admissionReviewVersions: ["v1", "v1beta1"]
+    clientConfig:
+      service:
+        name: {{ template "openbao.fullname" . }}-agent-injector-svc
+        namespace: {{ include "openbao.namespace" . }}
+        path: "/mutate"
+      caBundle: {{ .Values.injector.certs.caBundle | quote }}
+    rules:
+      - operations: ["CREATE", "UPDATE"]
+        apiGroups: [""]
+        apiVersions: ["v1"]
+        resources: ["pods"]
+{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }}
+    namespaceSelector:
+{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
+{{ end }}
+{{- template "injector.objectSelector" . -}}
+{{ end }}

charts/openbao/templates/injector-network-policy.yaml

@@ -0,0 +1,29 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.openshift | toString) "true" }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector
+  labels:
+    app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      component: webhook
+  ingress:
+    - from:
+        - namespaceSelector: {}
+      ports:
+      - port: 8080
+        protocol: TCP
+{{ end }}
+{{ end }}

charts/openbao/templates/injector-psp-role.yaml

@@ -0,0 +1,25 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.psp.enable | toString) "true" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector-psp
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+    - {{ template "openbao.fullname" . }}-agent-injector
+{{- end }}
+{{- end }}

charts/openbao/templates/injector-psp-rolebinding.yaml

@@ -0,0 +1,26 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.psp.enable | toString) "true" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector-psp
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  kind: Role
+  name: {{ template "openbao.fullname" . }}-agent-injector-psp
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "openbao.fullname" . }}-agent-injector
+{{- end }}
+{{- end }}

charts/openbao/templates/injector-psp.yaml

@@ -1,13 +1,20 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.psp.enable | toString) "true" }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
-  name: {{ template "vault.fullname" . }}-agent-injector
+  name: {{ template "openbao.fullname" . }}-agent-injector
   labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- template "vault.psp.annotations" . }}
+{{- template "openbao.psp.annotations" . }}
 spec:
   privileged: false
   # Required to prevent escalations to root.
@@ -41,3 +48,4 @@ spec:
         max: 65535
   readOnlyRootFilesystem: false
 {{- end }}
+{{- end }}

charts/openbao/templates/injector-role.yaml

@@ -0,0 +1,34 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets", "configmaps"]
+    verbs:
+      - "create"
+      - "get"
+      - "watch"
+      - "list"
+      - "update"
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs:
+      - "get"
+      - "patch"
+      - "delete"
+{{- end }}
+{{- end }}

charts/openbao/templates/injector-rolebinding.yaml

@@ -0,0 +1,27 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-binding
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "openbao.fullname" . }}-agent-injector
+    namespace: {{ include "openbao.namespace" . }}
+{{- end }}
+{{- end }}

charts/openbao/templates/injector-service.yaml

@@ -0,0 +1,27 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector-svc
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  {{ template "injector.service.annotations" . }}
+spec:
+  ports:
+  - name: https
+    port: 443
+    targetPort: {{ .Values.injector.port }}
+  selector:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    component: webhook
+{{- end }}

charts/openbao/templates/injector-serviceaccount.yaml

@@ -0,0 +1,18 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "openbao.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "openbao.fullname" . }}-agent-injector
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  {{ template "injector.serviceAccount.annotations" . }}
+{{ end }}

charts/openbao/templates/prometheus-prometheusrules.yaml

@@ -0,0 +1,31 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ if and (.Values.serverTelemetry.prometheusRules.rules)
+     (or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) )
+}}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ template "openbao.fullname" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
+    {{- $selectors := .Values.serverTelemetry.prometheusRules.selectors }}
+    {{- if $selectors }}
+    {{- toYaml $selectors | nindent 4 }}
+    {{- else }}
+    release: prometheus
+    {{- end }}
+spec:
+  groups:
+  - name: {{ include "openbao.fullname" . }}
+    rules:
+      {{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }}
+{{- end }}

charts/openbao/templates/prometheus-servicemonitor.yaml

@@ -0,0 +1,49 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "openbao.fullname" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
+    {{- $selectors := .Values.serverTelemetry.serviceMonitor.selectors }}
+    {{- if $selectors }}
+    {{- toYaml $selectors | nindent 4 }}
+    {{- else }}
+    release: prometheus
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "openbao.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      {{- if eq .mode "ha" }}
+      openbao-active: "true"
+      {{- else }}
+      openbao-internal: "true"
+      {{- end }}
+  endpoints:
+  - port: {{ include "openbao.scheme" . }}
+    interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
+    scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
+    scheme: {{ include "openbao.scheme" . | lower }}
+    path: /v1/sys/metrics
+    params:
+      format:
+      - prometheus
+    tlsConfig:
+      insecureSkipVerify: true
+  namespaceSelector:
+    matchNames:
+      - {{ include "openbao.namespace" . }}
+{{ end }}

charts/openbao/templates/server-clusterrolebinding.yaml

@@ -1,5 +1,10 @@
-{{ template "vault.mode" . }}
+{{/*
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }}
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.serverAuthDelegator" . }}
+{{- if .serverAuthDelegator -}}
 {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
 apiVersion: rbac.authorization.k8s.io/v1
 {{- else }}
@@ -7,10 +12,10 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
 {{- end }}
 kind: ClusterRoleBinding
 metadata:
-  name: {{ template "vault.fullname" . }}-server-binding
+  name: {{ template "openbao.fullname" . }}-server-binding
   labels:
-    helm.sh/chart: {{ include "vault.chart" . }}
+    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 roleRef:
@@ -19,6 +24,6 @@ roleRef:
   name: system:auth-delegator
 subjects:
 - kind: ServiceAccount
-  name: {{ template "vault.serviceAccount.name" . }}
+  name: {{ template "openbao.serviceAccount.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "openbao.namespace" . }}
 {{ end }}

charts/openbao/templates/server-config-configmap.yaml

@@ -0,0 +1,31 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- if .serverEnabled -}}
+{{- if ne .mode "dev" -}}
+{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "openbao.fullname" . }}-config
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.server.includeConfigAnnotation }}
+  annotations:
+    vault.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }}
+{{- end }}
+data:
+  extraconfig-from-values.hcl: |-
+    {{ template "openbao.config" . }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/openbao/templates/server-discovery-role.yaml

@@ -0,0 +1,26 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if .serverEnabled -}}
+{{- if eq .mode "ha" }}
+{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: {{ include "openbao.namespace" . }}
+  name: {{ template "openbao.fullname" . }}-discovery-role
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "watch", "list", "update", "patch"]
+{{ end }}
+{{ end }}
+{{ end }}

charts/openbao/templates/server-discovery-rolebinding.yaml

@@ -0,0 +1,34 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if .serverEnabled -}}
+{{- if eq .mode "ha" }}
+{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- end }}
+kind: RoleBinding
+metadata:
+  name: {{ template "openbao.fullname" . }}-discovery-rolebinding
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "openbao.fullname" . }}-discovery-role
+subjects:
+- kind: ServiceAccount
+  name: {{ template "openbao.serviceAccount.name" . }}
+  namespace: {{ include "openbao.namespace" . }}
+{{ end }}
+{{ end }}
+{{ end }}

charts/openbao/templates/server-disruptionbudget.yaml

@@ -0,0 +1,31 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" -}}
+{{- if .serverEnabled -}}
+{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
+# PodDisruptionBudget to prevent degrading the server cluster through
+# voluntary cluster changes.
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ template "openbao.fullname" . }}
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  maxUnavailable: {{ template "openbao.pdb.maxUnavailable" . }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "openbao.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      component: server
+{{- end -}}
+{{- end -}}
+{{- end -}}

charts/openbao/templates/server-ha-active-service.yaml

@@ -0,0 +1,64 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- template "openbao.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+{{- if eq .mode "ha" }}
+{{- if eq (.Values.server.service.active.enabled | toString) "true" }}
+# Service for active OpenBao pod
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "openbao.fullname" . }}-active
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    openbao-active: "true"
+  annotations:
+{{- template "openbao.service.active.annotations" . }}
+{{- template "openbao.service.annotations" . }}
+spec:
+  {{- if .Values.server.service.type}}
+  type: {{ .Values.server.service.type }}
+  {{- end}}
+  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+  {{- if .Values.server.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.server.service.ipFamilies }}
+  ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.server.service.clusterIP }}
+  clusterIP: {{ .Values.server.service.clusterIP }}
+  {{- end }}
+  {{- include "service.externalTrafficPolicy" .Values.server.service }}
+  publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
+  ports:
+    - name: {{ include "openbao.scheme" . }}
+      port: {{ .Values.server.service.port }}
+      targetPort: {{ .Values.server.service.targetPort }}
+      {{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
+      nodePort: {{ .Values.server.service.activeNodePort }}
+      {{- end }}
+    - name: https-internal
+      port: 8201
+      targetPort: 8201
+  selector:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- end }}
+    component: server
+    openbao-active: "true"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/openbao/templates/server-ha-standby-service.yaml

@@ -0,0 +1,63 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- template "openbao.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+{{- if eq .mode "ha" }}
+{{- if eq (.Values.server.service.standby.enabled | toString) "true" }}
+# Service for standby OpenBao pod
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "openbao.fullname" . }}-standby
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  annotations:
+{{- template "openbao.service.standby.annotations" . }}
+{{- template "openbao.service.annotations" . }}
+spec:
+  {{- if .Values.server.service.type}}
+  type: {{ .Values.server.service.type }}
+  {{- end}}
+  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+  {{- if .Values.server.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.server.service.ipFamilies }}
+  ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.server.service.clusterIP }}
+  clusterIP: {{ .Values.server.service.clusterIP }}
+  {{- end }}
+  {{- include "service.externalTrafficPolicy" .Values.server.service }}
+  publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
+  ports:
+    - name: {{ include "openbao.scheme" . }}
+      port: {{ .Values.server.service.port }}
+      targetPort: {{ .Values.server.service.targetPort }}
+      {{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
+      nodePort: {{ .Values.server.service.standbyNodePort }}
+      {{- end }}
+    - name: https-internal
+      port: 8201
+      targetPort: 8201
+  selector:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- end }}
+    component: server
+    openbao-active: "false"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/openbao/templates/server-headless-service.yaml

@@ -0,0 +1,47 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- template "openbao.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+# Service for OpenBao cluster
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "openbao.fullname" . }}-internal
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    openbao-internal: "true"
+  annotations:
+{{ template "openbao.service.annotations" .}}
+spec:
+  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+  {{- if .Values.server.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.server.service.ipFamilies }}
+  ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
+  clusterIP: None
+  publishNotReadyAddresses: true
+  ports:
+    - name: "{{ include "openbao.scheme" . }}"
+      port: {{ .Values.server.service.port }}
+      targetPort: {{ .Values.server.service.targetPort }}
+    - name: https-internal
+      port: 8201
+      targetPort: 8201
+  selector:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    component: server
+{{- end }}
+{{- end }}

charts/openbao/templates/server-ingress.yaml

@@ -1,31 +1,36 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{- if not .Values.global.openshift }}
-{{ template "vault.mode" . }}
+{{ template "openbao.mode" . }}
 {{- if ne .mode "external" }}
 {{- if .Values.server.ingress.enabled -}}
 {{- $extraPaths := .Values.server.ingress.extraPaths -}}
-{{- $serviceName := include "vault.fullname" . -}}
+{{- $serviceName := include "openbao.fullname" . -}}
-{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "openbao.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
 {{- $serviceName = printf "%s-%s" $serviceName "active" -}}
 {{- end }}
 {{- $servicePort := .Values.server.service.port -}}
-{{ if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
+{{- $pathType := .Values.server.ingress.pathType -}}
-apiVersion: networking.k8s.io/v1beta1
+{{- $kubeVersion := .Capabilities.KubeVersion.Version }}
-{{ else }}
+apiVersion: networking.k8s.io/v1
-apiVersion: extensions/v1beta1
-{{ end }}
 kind: Ingress
 metadata:
-  name: {{ template "vault.fullname" . }}
+  name: {{ template "openbao.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "openbao.namespace" . }}
   labels:
-    helm.sh/chart: {{ include "vault.chart" . }}
+    helm.sh/chart: {{ include "openbao.chart" . }}
-    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     {{- with .Values.server.ingress.labels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
-  {{- template "vault.ingress.annotations" . }}
+  {{- template "openbao.ingress.annotations" . }}
 spec:
 {{- if .Values.server.ingress.tls }}
   tls:
@@ -36,6 +41,9 @@ spec:
       {{- end }}
       secretName: {{ .secretName }}
   {{- end }}
+{{- end }}
+{{- if .Values.server.ingress.ingressClassName }}
+  ingressClassName: {{ .Values.server.ingress.ingressClassName }}
 {{- end }}
   rules:
   {{- range .Values.server.ingress.hosts }}
@@ -47,11 +55,15 @@ spec:
 {{- end }}
         {{- range (.paths | default (list "/")) }}
           - path: {{ . }}
+            pathType: {{ $pathType }}
             backend:
-              serviceName: {{ $serviceName }}
+              service:
-              servicePort: {{ $servicePort }}
+                name: {{ $serviceName }}
+                port:
+                  number: {{ $servicePort }}
         {{- end }}
   {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}

charts/openbao/templates/server-network-policy.yaml

@@ -1,24 +1,22 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{- if eq (.Values.server.networkPolicy.enabled | toString) "true"  }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: {{ template "vault.fullname" . }}
+  name: {{ template "openbao.fullname" . }}
   labels:
-    app.kubernetes.io/name: {{ template "vault.name" . }}
+    app.kubernetes.io/name: {{ template "openbao.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
 spec:
   podSelector:
     matchLabels:
-      app.kubernetes.io/name: {{ template "vault.name" . }}
+      app.kubernetes.io/name: {{ template "openbao.name" . }}
       app.kubernetes.io/instance: {{ .Release.Name }}
-  ingress:
+  ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
-    - from:
-        - namespaceSelector: {}
-      ports:
-      - port: 8200
-        protocol: TCP
-      - port: 8201
-        protocol: TCP
   {{- if .Values.server.networkPolicy.egress }}
   egress:
   {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}

charts/openbao/templates/server-psp-role.yaml

@@ -0,0 +1,25 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if .serverEnabled -}}
+{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "openbao.fullname" . }}-psp
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+    - {{ template "openbao.fullname" . }}
+{{- end }}
+{{- end }}

charts/openbao/templates/server-psp-rolebinding.yaml

@@ -0,0 +1,26 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if .serverEnabled -}}
+{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "openbao.fullname" . }}-psp
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  kind: Role
+  name: {{ template "openbao.fullname" . }}-psp
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "openbao.fullname" . }}
+{{- end }}
+{{- end }}

charts/openbao/templates/server-psp.yaml

@@ -1,14 +1,20 @@
-{{ template "vault.mode" . }}
+{{/*
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if .serverEnabled -}}
+{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
-  name: {{ template "vault.fullname" . }}
+  name: {{ template "openbao.fullname" . }}
   labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- template "vault.psp.annotations" . }}
+{{- template "openbao.psp.annotations" . }}
 spec:
   privileged: false
   # Required to prevent escalations to root.
@@ -45,3 +51,4 @@ spec:
         max: 65535
   readOnlyRootFilesystem: false
 {{- end }}
+{{- end }}

charts/openbao/templates/server-route.yaml

@@ -1,33 +1,39 @@
-{{- if .Values.global.openshift }}
+{{/*
-{{- if ne .mode "external" }}
+Copyright (c) HashiCorp, Inc.
-{{- if .Values.server.route.enabled -}}
+SPDX-License-Identifier: MPL-2.0
-{{- $serviceName := include "vault.fullname" . -}}
+*/}}
-{{- if eq .mode "ha" }}
+
-{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
+{{- if .Values.global.openshift }}
-{{- end }}
+{{- if ne .mode "external" }}
-kind: Route
+{{- if .Values.server.route.enabled -}}
-apiVersion: route.openshift.io/v1
+{{- $serviceName := include "openbao.fullname" . -}}
-metadata:
+{{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }}
-  name: {{ template "vault.fullname" . }}
+{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
-  labels:
+{{- end }}
-    helm.sh/chart: {{ include "vault.chart" . }}
+kind: Route
-    app.kubernetes.io/name: {{ include "vault.name" . }}
+apiVersion: route.openshift.io/v1
-    app.kubernetes.io/instance: {{ .Release.Name }}
+metadata:
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  name: {{ template "openbao.fullname" . }}
-    {{- with .Values.server.route.labels }}
+  namespace: {{ include "openbao.namespace" . }}
-      {{- toYaml . | nindent 4 }}
+  labels:
-    {{- end }}
+    helm.sh/chart: {{ include "openbao.chart" . }}
-  {{- template "vault.route.annotations" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
-spec:
+    app.kubernetes.io/instance: {{ .Release.Name }}
-  host: {{ .Values.server.route.host }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  to:
+    {{- with .Values.server.route.labels }}
-    kind: Service
+      {{- toYaml . | nindent 4 }}
-    name: {{ $serviceName }}
+    {{- end }}
-    weight: 100
+  {{- template "openbao.route.annotations" . }}
-  port:
+spec:
-    targetPort: 8200
+  host: {{ .Values.server.route.host }}
-  tls:
+  to:
-    termination: passthrough
+    kind: Service
-{{- end }}
+    name: {{ $serviceName }}
-{{- end }}
+    weight: 100
-{{- end }}
+  port:
+    targetPort: 8200
+  tls:
+    {{- toYaml .Values.server.route.tls | nindent  4 }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/openbao/templates/server-service.yaml

@@ -0,0 +1,59 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- template "openbao.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+# Service for OpenBao cluster
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "openbao.fullname" . }}
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  annotations:
+{{ template "openbao.service.annotations" .}}
+spec:
+  {{- if .Values.server.service.type}}
+  type: {{ .Values.server.service.type }}
+  {{- end}}
+  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+  {{- if .Values.server.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.server.service.ipFamilies }}
+  ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.server.service.clusterIP }}
+  clusterIP: {{ .Values.server.service.clusterIP }}
+  {{- end }}
+  {{- include "service.externalTrafficPolicy" .Values.server.service }}
+  # We want the servers to become available even if they're not ready
+  # since this DNS is also used for join operations.
+  publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
+  ports:
+    - name: {{ include "openbao.scheme" . }}
+      port: {{ .Values.server.service.port }}
+      targetPort: {{ .Values.server.service.targetPort }}
+      {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
+      nodePort: {{ .Values.server.service.nodePort }}
+      {{- end }}
+    - name: https-internal
+      port: 8201
+      targetPort: 8201
+  selector:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- end }}
+    component: server
+{{- end }}
+{{- end }}

charts/openbao/templates/server-serviceaccount-secret.yaml

@@ -0,0 +1,21 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.serverServiceAccountSecretCreationEnabled" . }}
+{{- if .serverServiceAccountSecretCreationEnabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "openbao.serviceAccount.name" . }}-token
+  namespace: {{ include "openbao.namespace" . }}
+  annotations:
+    kubernetes.io/service-account.name: {{ template "openbao.serviceAccount.name" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: kubernetes.io/service-account-token
+{{ end }}

charts/openbao/templates/server-serviceaccount.yaml

@@ -0,0 +1,22 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.serverServiceAccountEnabled" . }}
+{{- if .serverServiceAccountEnabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "openbao.serviceAccount.name" . }}
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- if  .Values.server.serviceAccount.extraLabels -}}
+      {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}}
+    {{- end -}}
+  {{ template "openbao.serviceAccount.annotations" . }}
+{{ end }}

charts/openbao/templates/server-statefulset.yaml

@@ -1,79 +1,87 @@
-{{ template "vault.mode" . }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
+{{- if ne .mode "" }}
-# StatefulSet to run the actual vault server cluster.
+{{- if .serverEnabled -}}
+# StatefulSet to run the actual openbao server cluster.
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-  name: {{ template "vault.fullname" . }}
+  name: {{ template "openbao.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "openbao.namespace" . }}
   labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
-  {{- template "vault.statefulSet.annotations" . }}
+  {{- template "openbao.statefulSet.annotations" . }}
 spec:
-  serviceName: {{ template "vault.fullname" . }}-internal
+  serviceName: {{ template "openbao.fullname" . }}-internal
   podManagementPolicy: Parallel
-  replicas: {{ template "vault.replicas" . }}
+  replicas: {{ template "openbao.replicas" . }}
   updateStrategy:
     type: {{ .Values.server.updateStrategyType }}
+  {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }}
+  persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }}
+  {{- end }}
   selector:
     matchLabels:
-      app.kubernetes.io/name: {{ template "vault.name" . }}
+      app.kubernetes.io/name: {{ template "openbao.name" . }}
       app.kubernetes.io/instance: {{ .Release.Name }}
       component: server
   template:
     metadata:
       labels:
-        helm.sh/chart: {{ template "vault.chart" . }}
+        helm.sh/chart: {{ template "openbao.chart" . }}
-        app.kubernetes.io/name: {{ template "vault.name" . }}
+        app.kubernetes.io/name: {{ template "openbao.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
         component: server
         {{- if  .Values.server.extraLabels -}}
           {{- toYaml .Values.server.extraLabels | nindent 8 -}}
         {{- end -}}
-      {{ template "vault.annotations" . }}
+      {{ template "openbao.annotations" . }}
     spec:
-      {{ template "vault.affinity" . }}
+      {{ template "openbao.affinity" . }}
-      {{ template "vault.tolerations" . }}
+      {{ template "openbao.topologySpreadConstraints" . }}
-      {{ template "vault.nodeselector" . }}
+      {{ template "openbao.tolerations" . }}
+      {{ template "openbao.nodeselector" . }}
       {{- if .Values.server.priorityClassName }}
       priorityClassName: {{ .Values.server.priorityClassName }}
       {{- end }}
-      terminationGracePeriodSeconds: 10
+      terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
-      serviceAccountName: {{ template "vault.serviceAccount.name" . }}
+      serviceAccountName: {{ template "openbao.serviceAccount.name" . }}
       {{ if  .Values.server.shareProcessNamespace }}
       shareProcessNamespace: true
       {{ end }}
+      {{- template "server.statefulSet.securityContext.pod" . }}
       {{- if not .Values.global.openshift }}
-      securityContext:
+      hostNetwork: {{ .Values.server.hostNetwork }}
-        runAsNonRoot: true
-        runAsGroup: {{ .Values.server.gid | default 1000 }}
-        runAsUser: {{ .Values.server.uid | default 100 }}
-        fsGroup: {{ .Values.server.gid | default 1000 }}
       {{- end }}
       volumes:
-        {{ template "vault.volumes" . }}
+        {{ template "openbao.volumes" . }}
         - name: home
           emptyDir: {}
+      {{- if .Values.server.hostAliases }}
+      hostAliases:
+        {{ toYaml .Values.server.hostAliases | nindent 8}}
+      {{- end }}
       {{- if .Values.server.extraInitContainers }}
       initContainers:
         {{ toYaml .Values.server.extraInitContainers | nindent 8}}
       {{- end }}
       containers:
-        - name: vault
+        - name: openbao
-          {{ template "vault.resources" . }}
+          {{ template "openbao.resources" . }}
-          image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
+          image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
           imagePullPolicy: {{ .Values.server.image.pullPolicy }}
           command:
           - "/bin/sh"
           - "-ec"
-          args: {{ template "vault.args" . }}
+          args: {{ template "openbao.args" . }}
-          {{- if not .Values.global.openshift }}
+          {{- template "server.statefulSet.securityContext.container" . }}
-          securityContext:
-            allowPrivilegeEscalation: false
-          {{- end }}
           env:
             - name: HOST_IP
               valueFrom:
@@ -83,21 +91,21 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: status.podIP
-            - name: VAULT_K8S_POD_NAME
+            - name: BAO_K8S_POD_NAME
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.name
-            - name: VAULT_K8S_NAMESPACE
+            - name: BAO_K8S_NAMESPACE
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
-            - name: VAULT_ADDR
+            - name: BAO_ADDR
-              value: "{{ include "vault.scheme" . }}://127.0.0.1:8200"
+              value: "{{ include "openbao.scheme" . }}://127.0.0.1:8200"
-            - name: VAULT_API_ADDR
+            - name: BAO_API_ADDR
               {{- if .Values.server.ha.apiAddr }}
               value: {{ .Values.server.ha.apiAddr }}
               {{- else }}
-              value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
+              value: "{{ include "openbao.scheme" . }}://$(POD_IP):8200"
               {{- end }}
             - name: SKIP_CHOWN
               value: "true"
@@ -107,57 +115,60 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.name
-            - name: VAULT_CLUSTER_ADDR
+            - name: BAO_CLUSTER_ADDR
-              value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
+              {{- if .Values.server.ha.clusterAddr }}
+              value: {{ .Values.server.ha.clusterAddr | quote }}
+              {{- else }}
+              value: "https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201"
+              {{- end }}
             {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }}
-            - name: VAULT_RAFT_NODE_ID
+            - name: BAO_RAFT_NODE_ID
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.name
             {{- end }}
             - name: HOME
-              value: "/home/vault"
+              value: "/home/openbao"
             {{- if .Values.server.logLevel }}
-            - name: VAULT_LOG_LEVEL
+            - name: BAO_LOG_LEVEL
               value: "{{ .Values.server.logLevel }}"
             {{- end }}
             {{- if .Values.server.logFormat }}
-            - name: VAULT_LOG_FORMAT
+            - name: BAO_LOG_FORMAT
               value: "{{ .Values.server.logFormat }}"
             {{- end }}
-            {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
+            {{ template "openbao.envs" . }}
-            - name: VAULT_LICENSE_PATH
+            {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 12 }}
-              value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }}
+            {{- include "openbao.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
-            {{- end }}
-            {{ template "vault.envs" . }}
-            {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
-            {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
           volumeMounts:
-          {{ template "vault.mounts" . }}
+          {{ template "openbao.mounts" . }}
             - name: home
-              mountPath: /home/vault
+              mountPath: /home/openbao
           ports:
             - containerPort: 8200
-              name: {{ include "vault.scheme" . }}
+              name: {{ include "openbao.scheme" . }}
             - containerPort: 8201
               name: https-internal
             - containerPort: 8202
-              name: {{ include "vault.scheme" . }}-rep
+              name: {{ include "openbao.scheme" . }}-rep
+          {{- if .Values.server.extraPorts -}}
+          {{ toYaml .Values.server.extraPorts | nindent 12}}
+          {{- end }}
           {{- if .Values.server.readinessProbe.enabled }}
           readinessProbe:
             {{- if .Values.server.readinessProbe.path }}
             httpGet:
               path: {{ .Values.server.readinessProbe.path | quote }}
-              port: 8200
+              port: {{ .Values.server.readinessProbe.port }}
-              scheme: {{ include "vault.scheme" . | upper }}
+              scheme: {{ include "openbao.scheme" . | upper }}
             {{- else }}
-            # Check status; unsealed vault servers return 0
+            # Check status; unsealed openbao servers return 0
             # The exit code reflects the seal status:
             #   0 - unsealed
             #   1 - error
             #   2 - sealed
             exec:
-              command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
+              command: ["/bin/sh", "-ec", "bao status -tls-skip-verify"]
             {{- end }}
             failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
             initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }}
@@ -167,10 +178,18 @@ spec:
           {{- end }}
           {{- if .Values.server.livenessProbe.enabled }}
           livenessProbe:
+            {{- if .Values.server.livenessProbe.execCommand }}
+            exec:
+              command:
+                {{- range (.Values.server.livenessProbe.execCommand) }}
+                - {{ . | quote }}
+                {{- end }}
+            {{- else }}
             httpGet:
               path: {{ .Values.server.livenessProbe.path | quote }}
-              port: 8200
+              port: {{ .Values.server.livenessProbe.port }}
-              scheme: {{ include "vault.scheme" . | upper }}
+              scheme: {{ include "openbao.scheme" . | upper }}
+            {{- end }}
             failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
             initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }}
@@ -178,7 +197,7 @@ spec:
             timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }}
           {{- end }}
           lifecycle:
-            # Vault container doesn't receive SIGTERM from Kubernetes
+            # openbao container doesn't receive SIGTERM from Kubernetes
             # and after the grace period ends, Kube sends SIGKILL.  This
             # causes issues with graceful shutdowns such as deregistering itself
             # from Consul (zombie services).
@@ -189,7 +208,7 @@ spec:
                   # Adding a sleep here to give the pod eviction a
                   # chance to propagate, so requests will not be made
                   # to this pod while it's terminating
-                  "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)",
+                  "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof bao)",
                 ]
             {{- if .Values.server.postStart }}
             postStart:
@@ -202,10 +221,8 @@ spec:
         {{- if .Values.server.extraContainers }}
           {{ toYaml .Values.server.extraContainers | nindent 8}}
         {{- end }}
-      {{- if .Values.global.imagePullSecrets }}
+      {{- include "imagePullSecrets" . | nindent 6 }}
-      imagePullSecrets:
+  {{ template "openbao.volumeclaims" . }}
-        {{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
+{{ end }}
-      {{- end }}
-  {{ template "vault.volumeclaims" . }}
 {{ end }}
 {{ end }}

charts/openbao/templates/tests/server-test.yaml

@@ -0,0 +1,56 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- if .serverEnabled -}}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ template "openbao.fullname" . }}-server-test
+  namespace: {{ include "openbao.namespace" . }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  {{- include "imagePullSecrets" . | nindent 2 }}
+  containers:
+    - name: {{ .Release.Name }}-server-test
+      image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
+      imagePullPolicy: {{ .Values.server.image.pullPolicy }}
+      env:
+        - name: VAULT_ADDR
+          value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}
+        {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 8 }}
+      command:
+        - /bin/sh
+        - -c
+        - |
+          echo "Checking for sealed info in 'bao status' output"
+          ATTEMPTS=10
+          n=0
+          until [ "$n" -ge $ATTEMPTS ]
+          do
+            echo "Attempt" $n...
+            bao status -format yaml | grep -E '^sealed: (true|false)' && break
+            n=$((n+1))
+            sleep 5
+          done
+          if [ $n -ge $ATTEMPTS ]; then
+            echo "timed out looking for sealed info in 'bao status' output"
+            exit 1
+          fi
+
+          exit 0
+      volumeMounts:
+        {{- if .Values.server.volumeMounts }}
+          {{- toYaml .Values.server.volumeMounts | nindent 8}}
+        {{- end }}
+  volumes:
+    {{- if .Values.server.volumes }}
+      {{- toYaml .Values.server.volumes | nindent 4}}
+    {{- end }}
+  restartPolicy: Never
+{{- end }}
+{{- end }}

charts/openbao/templates/ui-service.yaml

@@ -0,0 +1,50 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "openbao.mode" . }}
+{{- if ne .mode "external" }}
+{{- template "openbao.uiEnabled" . -}}
+{{- if .uiEnabled -}}
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "openbao.fullname" . }}-ui
+  namespace: {{ include "openbao.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "openbao.chart" . }}
+    app.kubernetes.io/name: {{ include "openbao.name" . }}-ui
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  {{- template "openbao.ui.annotations" . }}
+spec:
+  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+  {{- if .Values.ui.serviceIPFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.ui.serviceIPFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.ui.serviceIPFamilies }}
+  ipFamilies: {{ .Values.ui.serviceIPFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
+  selector:
+    app.kubernetes.io/name: {{ include "openbao.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    component: server
+    {{- if and (.Values.ui.activeOpenbaoPodOnly) (eq .mode "ha") }}
+    openbao-active: "true"
+    {{- end }}
+  publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }}
+  ports:
+    - name: {{ include "openbao.scheme" . }}
+      port: {{ .Values.ui.externalPort }}
+      targetPort: {{ .Values.ui.targetPort }}
+      {{- if .Values.ui.serviceNodePort }}
+      nodePort: {{ .Values.ui.serviceNodePort }}
+      {{- end }}
+  type: {{ .Values.ui.serviceType }}
+  {{- include "service.externalTrafficPolicy" .Values.ui }}
+  {{- include "service.loadBalancer" .Values.ui }}
+{{- end -}}
+{{- end }}

charts/openbao/values.openshift.yaml

@@ -0,0 +1,26 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# These overrides are appropriate defaults for deploying this chart on OpenShift
+
+global:
+  openshift: true
+
+injector:
+  image:
+    repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
+    tag: "1.3.1-ubi"
+
+  agentImage:
+    registry: "quay.io"
+    repository: "openbao/openbao"
+    tag: "v2.0.2-ubi"
+
+server:
+  image:
+    registry: "quay.io"
+    repository: "openbao/openbao"
+    tag: "v2.0.2-ubi"
+
+  readinessProbe:
+    path: "/v1/sys/health?uninitcode=204"

charts/openbao/values.schema.json

@@ -5,6 +5,40 @@
         "csi": {
             "type": "object",
             "properties": {
+                "agent": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "extraArgs": {
+                            "type": "array"
+                        },
+                        "image": {
+                            "type": "object",
+                            "properties": {
+                                "pullPolicy": {
+                                    "type": "string"
+                                },
+                                "repository": {
+                                    "type": "string"
+                                },
+                                "tag": {
+                                    "type": "string"
+                                }
+                            }
+                        },
+                        "logFormat": {
+                            "type": "string"
+                        },
+                        "logLevel": {
+                            "type": "string"
+                        },
+                        "resources": {
+                            "type": "object"
+                        }
+                    }
+                },
                 "daemonSet": {
                     "type": "object",
                     "properties": {
@@ -14,6 +48,32 @@
                                 "string"
                             ]
                         },
+                        "extraLabels": {
+                            "type": "object"
+                        },
+                        "kubeletRootDir": {
+                            "type": "string"
+                        },
+                        "providersDir": {
+                            "type": "string"
+                        },
+                        "securityContext": {
+                            "type": "object",
+                            "properties": {
+                                "container": {
+                                    "type": [
+                                        "object",
+                                        "string"
+                                    ]
+                                },
+                                "pod": {
+                                    "type": [
+                                        "object",
+                                        "string"
+                                    ]
+                                }
+                            }
+                        },
                         "updateStrategy": {
                             "type": "object",
                             "properties": {
@@ -31,7 +91,10 @@
                     "type": "boolean"
                 },
                 "enabled": {
-                    "type": "boolean"
+                    "type": [
+                        "boolean",
+                        "string"
+                    ]
                 },
                 "extraArgs": {
                     "type": "array"
@@ -73,17 +136,41 @@
                 "pod": {
                     "type": "object",
                     "properties": {
+                        "affinity": {
+                            "type": [
+                              "null",
+                              "object",
+                              "string"
+                            ]
+                        },
                         "annotations": {
                             "type": [
                                 "object",
                                 "string"
                             ]
                         },
+                        "extraLabels": {
+                            "type": "object"
+                        },
+                        "nodeSelector": {
+                            "type": [
+                              "null",
+                              "object",
+                              "string"
+                            ]
+                        },
                         "tolerations": {
-                            "type": ["null", "string"]
+                            "type": [
+                                "null",
+                                "array",
+                                "string"
+                            ]
                         }
                     }
                 },
+                "priorityClassName": {
+                    "type": "string"
+                },
                 "readinessProbe": {
                     "type": "object",
                     "properties": {
@@ -115,6 +202,9 @@
                                 "object",
                                 "string"
                             ]
+                        },
+                        "extraLabels": {
+                            "type": "object"
                         }
                     }
                 },
@@ -138,6 +228,12 @@
                 "enabled": {
                     "type": "boolean"
                 },
+                "namespace": {
+                    "type": "string"
+                },
+                "externalVaultAddr": {
+                    "type": "string"
+                },
                 "imagePullSecrets": {
                     "type": "array"
                 },
@@ -167,7 +263,10 @@
             "type": "object",
             "properties": {
                 "affinity": {
-                    "type": "string"
+                    "type": [
+                        "object",
+                        "string"
+                    ]
                 },
                 "agentDefaults": {
                     "type": "object",
@@ -184,8 +283,25 @@
                         "memRequest": {
                             "type": "string"
                         },
+                        "ephemeralLimit": {
+                            "type": "string"
+                        },
+                        "ephemeralRequest": {
+                            "type": "string"
+                        },
                         "template": {
                             "type": "string"
+                        },
+                        "templateConfig": {
+                            "type": "object",
+                            "properties": {
+                                "exitOnRetryFailure": {
+                                    "type": "boolean"
+                                },
+                                "staticSecretRenderInterval": {
+                                    "type": "string"
+                                }
+                            }
                         }
                     }
                 },
@@ -230,7 +346,10 @@
                     }
                 },
                 "enabled": {
-                    "type": "boolean"
+                    "type": [
+                        "boolean",
+                        "string"
+                    ]
                 },
                 "externalVaultAddr": {
                     "type": "string"
@@ -266,20 +385,6 @@
                     "properties": {
                         "enabled": {
                             "type": "boolean"
-                        },
-                        "image": {
-                            "type": "object",
-                            "properties": {
-                                "repository": {
-                                    "type": "string"
-                                },
-                                "tag": {
-                                    "type": "string"
-                                }
-                            }
-                        },
-                        "ttl": {
-                            "type": "string"
                         }
                     }
                 },
@@ -301,9 +406,19 @@
                     "type": "object"
                 },
                 "nodeSelector": {
-                    "type": ["null", "string"]
+                    "type": [
+                        "null",
+                        "object",
+                        "string"
+                    ]
                 },
                 "objectSelector": {
+                    "type": [
+                        "object",
+                        "string"
+                    ]
+                },
+                "podDisruptionBudget": {
                     "type": "object"
                 },
                 "port": {
@@ -321,6 +436,23 @@
                 "revokeOnShutdown": {
                     "type": "boolean"
                 },
+                "securityContext": {
+                    "type": "object",
+                    "properties": {
+                        "container": {
+                            "type": [
+                                "object",
+                                "string"
+                            ]
+                        },
+                        "pod": {
+                            "type": [
+                                "object",
+                                "string"
+                            ]
+                        }
+                    }
+                },
                 "service": {
                     "type": "object",
                     "properties": {
@@ -332,9 +464,69 @@
                         }
                     }
                 },
+                "serviceAccount": {
+                    "type": "object",
+                    "properties": {
+                        "annotations": {
+                            "type": [
+                                "object",
+                                "string"
+                            ]
+                        }
+                    }
+                },
+                "strategy": {
+                    "type": [
+                        "object",
+                        "string"
+                    ]
+                },
                 "tolerations": {
                     "type": [
                         "null",
+                        "array",
+                        "string"
+                    ]
+                },
+                "topologySpreadConstraints": {
+                    "type": [
+                        "null",
+                        "array",
+                        "string"
+                    ]
+                },
+                "webhook": {
+                    "type": "object",
+                    "properties": {
+                        "annotations": {
+                            "type": [
+                                "object",
+                                "string"
+                            ]
+                        },
+                        "failurePolicy": {
+                            "type": "string"
+                        },
+                        "matchPolicy": {
+                            "type": "string"
+                        },
+                        "namespaceSelector": {
+                            "type": "object"
+                        },
+                        "objectSelector": {
+                            "type": [
+                                "object",
+                                "string"
+                            ]
+                        },
+                        "timeoutSeconds": {
+                            "type": "integer"
+                        }
+                    }
+                },
+                "webhookAnnotations": {
+                    "type": [
+                        "object",
                         "string"
                     ]
                 }
@@ -344,7 +536,10 @@
             "type": "object",
             "properties": {
                 "affinity": {
-                    "type": "string"
+                    "type": [
+                        "object",
+                        "string"
+                    ]
                 },
                 "annotations": {
                     "type": [
@@ -364,6 +559,12 @@
                                 "string"
                             ]
                         },
+                        "labels": {
+                            "type": [
+                                "object",
+                                "string"
+                            ]
+                        },
                         "enabled": {
                             "type": [
                                 "boolean",
@@ -404,6 +605,12 @@
                                 "string"
                             ]
                         },
+                        "labels": {
+                            "type": [
+                                "object",
+                                "string"
+                            ]
+                        },
                         "enabled": {
                             "type": [
                                 "boolean",
@@ -424,6 +631,17 @@
                         }
                     }
                 },
+                "persistentVolumeClaimRetentionPolicy": {
+                    "type": "object",
+                    "properties": {
+                        "whenDeleted": {
+                            "type": "string"
+                        },
+                        "whenScaled": {
+                            "type": "string"
+                        }
+                    }
+                },
                 "dev": {
                     "type": "object",
                     "properties": {
@@ -436,22 +654,20 @@
                     }
                 },
                 "enabled": {
-                    "type": "boolean"
+                    "type": [
-                },
+                        "boolean",
-                "enterpriseLicense": {
+                        "string"
-                    "type": "object",
+                    ]
-                    "properties": {
-                        "secretKey": {
-                            "type": "string"
-                        },
-                        "secretName": {
-                            "type": "string"
-                        }
-                    }
                 },
                 "extraArgs": {
                     "type": "string"
                 },
+                "extraPorts": {
+                    "type": [
+                        "null",
+                        "array"
+                    ]
+                },
                 "extraContainers": {
                     "type": [
                         "null",
@@ -485,8 +701,17 @@
                                 "string"
                             ]
                         },
+                        "clusterAddr": {
+                            "type": [
+                                "null",
+                                "string"
+                            ]
+                        },
                         "config": {
-                            "type": "string"
+                            "type": [
+                                "string",
+                                "object"
+                            ]
                         },
                         "disruptionBudget": {
                             "type": "object",
@@ -509,7 +734,10 @@
                             "type": "object",
                             "properties": {
                                 "config": {
-                                    "type": "string"
+                                    "type": [
+                                        "string",
+                                        "object"
+                                    ]
                                 },
                                 "enabled": {
                                     "type": "boolean"
@@ -524,6 +752,9 @@
                         }
                     }
                 },
+                "hostAliases": {
+                    "type": "array"
+                },
                 "image": {
                     "type": "object",
                     "properties": {
@@ -541,6 +772,9 @@
                 "ingress": {
                     "type": "object",
                     "properties": {
+                        "activeService": {
+                            "type": "boolean"
+                        },
                         "annotations": {
                             "type": [
                                 "object",
@@ -567,9 +801,15 @@
                                 }
                             }
                         },
+                        "ingressClassName": {
+                            "type": "string"
+                        },
                         "labels": {
                             "type": "object"
                         },
+                        "pathType": {
+                            "type": "string"
+                        },
                         "tls": {
                             "type": "array"
                         }
@@ -590,6 +830,12 @@
                         "path": {
                             "type": "string"
                         },
+                        "port": {
+                            "type": "integer"
+                        },
+                        "execCommand": {
+                            "type": "array"
+                        },
                         "periodSeconds": {
                             "type": "integer"
                         },
@@ -615,12 +861,16 @@
                         },
                         "enabled": {
                             "type": "boolean"
+                        },
+                        "ingress": {
+                            "type": "array"
                         }
                     }
                 },
                 "nodeSelector": {
                     "type": [
                         "null",
+                        "object",
                         "string"
                     ]
                 },
@@ -662,6 +912,9 @@
                 "route": {
                     "type": "object",
                     "properties": {
+                        "activeService": {
+                            "type": "boolean"
+                        },
                         "annotations": {
                             "type": [
                                 "object",
@@ -676,12 +929,29 @@
                         },
                         "labels": {
                             "type": "object"
+                        },
+                        "tls": {
+                            "type": "object"
                         }
                     }
                 },
                 "service": {
                     "type": "object",
                     "properties": {
+                        "active": {
+                            "type": "object",
+                            "properties": {
+                                "enabled": {
+                                    "type": "boolean"
+                                },
+                                "annotations": {
+                                    "type": [
+                                        "object",
+                                        "string"
+                                    ]
+                                }
+                            }
+                        },
                         "annotations": {
                             "type": [
                                 "object",
@@ -691,11 +961,56 @@
                         "enabled": {
                             "type": "boolean"
                         },
+                        "externalTrafficPolicy": {
+                            "type": "string"
+                        },
+                        "instanceSelector": {
+                            "type": "object",
+                            "properties": {
+                                "enabled": {
+                                    "type": "boolean"
+                                }
+                            }
+                        },
                         "port": {
                             "type": "integer"
                         },
+                        "publishNotReadyAddresses": {
+                            "type": "boolean"
+                        },
+                        "standby": {
+                            "type": "object",
+                            "properties": {
+                                "enabled": {
+                                    "type": "boolean"
+                                },
+                                "annotations": {
+                                    "type": [
+                                        "object",
+                                        "string"
+                                    ]
+                                }
+                            }
+                        },
                         "targetPort": {
                             "type": "integer"
+                        },
+                        "nodePort": {
+                            "type": "integer"
+                        },
+                        "activeNodePort": {
+                            "type": "integer"
+                        },
+                        "standbyNodePort": {
+                            "type": "integer"
+                        },
+                        "ipFamilyPolicy": {
+                            "type": "string"
+                        },
+                        "ipFamilies": {
+                            "type": [
+                                "array"
+                            ]
                         }
                     }
                 },
@@ -711,8 +1026,22 @@
                         "create": {
                             "type": "boolean"
                         },
+                        "extraLabels": {
+                            "type": "object"
+                        },
+                        "createSecret": {
+                            "type": "boolean"
+                        },
                         "name": {
                             "type": "string"
+                        },
+                        "serviceDiscovery": {
+                            "type": "object",
+                            "properties": {
+                                "enabled": {
+                                    "type": "boolean"
+                                }
+                            }
                         }
                     }
                 },
@@ -723,7 +1052,10 @@
                     "type": "object",
                     "properties": {
                         "config": {
-                            "type": "string"
+                            "type": [
+                                "string",
+                                "object"
+                            ]
                         },
                         "enabled": {
                             "type": [
@@ -741,12 +1073,40 @@
                                 "object",
                                 "string"
                             ]
+                        },
+                        "securityContext": {
+                            "type": "object",
+                            "properties": {
+                                "container": {
+                                    "type": [
+                                        "object",
+                                        "string"
+                                    ]
+                                },
+                                "pod": {
+                                    "type": [
+                                        "object",
+                                        "string"
+                                    ]
+                                }
+                            }
                         }
                     }
                 },
+                "terminationGracePeriodSeconds": {
+                    "type": "integer"
+                },
                 "tolerations": {
                     "type": [
                         "null",
+                        "array",
+                        "string"
+                    ]
+                },
+                "topologySpreadConstraints": {
+                    "type": [
+                        "null",
+                        "array",
                         "string"
                     ]
                 },
@@ -764,13 +1124,35 @@
                         "null",
                         "array"
                     ]
+                },
+                "hostNetwork": {
+                    "type": "boolean"
+                }
+            }
+        },
+        "serverTelemetry": {
+            "type": "object",
+            "properties": {
+                "prometheusRules": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "rules": {
+                            "type": "array"
+                        },
+                        "selectors": {
+                            "type": "object"
+                        }
+                    }
                 }
             }
         },
         "ui": {
             "type": "object",
             "properties": {
-                "activeVaultPodOnly": {
+                "activeOpenbaoPodOnly": {
                     "type": "boolean"
                 },
                 "annotations": {
@@ -780,11 +1162,17 @@
                     ]
                 },
                 "enabled": {
-                    "type": "boolean"
+                    "type": [
+                        "boolean",
+                        "string"
+                    ]
                 },
                 "externalPort": {
                     "type": "integer"
                 },
+                "externalTrafficPolicy": {
+                    "type": "string"
+                },
                 "publishNotReadyAddresses": {
                     "type": "boolean"
                 },
@@ -799,6 +1187,16 @@
                 },
                 "targetPort": {
                     "type": "integer"
+                },
+                "serviceIPFamilyPolicy": {
+                    "type": [
+                        "string"
+                    ]
+                },
+                "serviceIPFamilies": {
+                    "type": [
+                        "array"
+                    ]
                 }
             }
         }

templates/NOTES.txt

@@ -1,14 +0,0 @@
-
-Thank you for installing HashiCorp Vault!
-
-Now that you have deployed Vault, you should look over the docs on using
-Vault with Kubernetes available here:
-
-https://www.vaultproject.io/docs/
-
-
-Your release is named {{ .Release.Name }}. To learn more about the release, try:
-
-  $ helm status {{ .Release.Name }}
-  $ helm get manifest {{ .Release.Name }}
-

templates/_helpers.tpl

@@ -1,590 +0,0 @@
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to
-this (by the DNS naming spec). If release name contains chart name it will
-be used as a full name.
-*/}}
-{{- define "vault.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "vault.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "vault.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
-This defaults to (n/2)-1 where n is the number of members of the server cluster.
-Add a special case for replicas=1, where it should default to 0 as well.
-*/}}
-{{- define "vault.pdb.maxUnavailable" -}}
-{{- if eq (int .Values.server.ha.replicas) 1 -}}
-{{ 0 }}
-{{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}}
-{{ .Values.server.ha.disruptionBudget.maxUnavailable -}}
-{{- else -}}
-{{- div (sub (div (mul (int .Values.server.ha.replicas) 10) 2) 1) 10 -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Set the variable 'mode' to the server mode requested by the user to simplify
-template logic.
-*/}}
-{{- define "vault.mode" -}}
-  {{- if .Values.injector.externalVaultAddr -}}
-    {{- $_ := set . "mode" "external" -}}
-  {{- else if ne (.Values.server.enabled | toString) "true" -}}
-    {{- $_ := set . "mode" "external" -}}
-  {{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
-    {{- $_ := set . "mode" "dev" -}}
-  {{- else if eq (.Values.server.ha.enabled | toString) "true" -}}
-    {{- $_ := set . "mode" "ha" -}}
-  {{- else if or (eq (.Values.server.standalone.enabled | toString) "true") (eq (.Values.server.standalone.enabled | toString) "-") -}}
-    {{- $_ := set . "mode" "standalone" -}}
-  {{- else -}}
-    {{- $_ := set . "mode" "" -}}
-  {{- end -}}
-{{- end -}}
-
-{{/*
-Set's the replica count based on the different modes configured by user
-*/}}
-{{- define "vault.replicas" -}}
-  {{ if eq .mode "standalone" }}
-    {{- default 1 -}}
-  {{ else if eq .mode "ha" }}
-    {{- .Values.server.ha.replicas | default 3 -}}
-  {{ else }}
-    {{- default 1 -}}
-  {{ end }}
-{{- end -}}
-
-{{/*
-Set's up configmap mounts if this isn't a dev deployment and the user
-defined a custom configuration.  Additionally iterates over any
-extra volumes the user may have specified (such as a secret with TLS).
-*/}}
-{{- define "vault.volumes" -}}
-  {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
-        - name: config
-          configMap:
-            name: {{ template "vault.fullname" . }}-config
-  {{ end }}
-  {{- range .Values.server.extraVolumes }}
-        - name: userconfig-{{ .name }}
-          {{ .type }}:
-          {{- if (eq .type "configMap") }}
-            name: {{ .name }}
-          {{- else if (eq .type "secret") }}
-            secretName: {{ .name }}
-          {{- end }}
-            defaultMode: {{ .defaultMode | default 420 }}
-  {{- end }}
-  {{- if .Values.server.volumes }}
-    {{- toYaml .Values.server.volumes | nindent 8}}
-  {{- end }}
-  {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
-        - name: vault-license
-          secret:
-            secretName: {{ .Values.server.enterpriseLicense.secretName }}
-            defaultMode: 0440
-  {{- end }}
-{{- end -}}
-
-{{/*
-Set's the args for custom command to render the Vault configuration
-file with IP addresses to make the out of box experience easier
-for users looking to use this chart with Consul Helm.
-*/}}
-{{- define "vault.args" -}}
-  {{ if or (eq .mode "standalone") (eq .mode "ha") }}
-          - |
-            cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
-            [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
-            [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
-            [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
-            [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
-            [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
-            [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
-            /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }}
-   {{ else if eq .mode "dev" }}
-          - |
-            /usr/local/bin/docker-entrypoint.sh vault server -dev {{ .Values.server.extraArgs }}
-  {{ end }}
-{{- end -}}
-
-{{/*
-Set's additional environment variables based on the mode.
-*/}}
-{{- define "vault.envs" -}}
-  {{ if eq .mode "dev" }}
-            - name: VAULT_DEV_ROOT_TOKEN_ID
-              value: {{ .Values.server.dev.devRootToken }}
-            - name: VAULT_DEV_LISTEN_ADDRESS
-              value: "[::]:8200"
-  {{ end }}
-{{- end -}}
-
-{{/*
-Set's which additional volumes should be mounted to the container
-based on the mode configured.
-*/}}
-{{- define "vault.mounts" -}}
-  {{ if eq (.Values.server.auditStorage.enabled | toString) "true" }}
-            - name: audit
-              mountPath: {{ .Values.server.auditStorage.mountPath }}
-  {{ end }}
-  {{ if or (eq .mode "standalone") (and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true"))  }}
-    {{ if eq (.Values.server.dataStorage.enabled | toString) "true" }}
-            - name: data
-              mountPath: {{ .Values.server.dataStorage.mountPath }}
-    {{ end }}
-  {{ end }}
-  {{ if and (ne .mode "dev") (or (.Values.server.standalone.config)  (.Values.server.ha.config)) }}
-            - name: config
-              mountPath: /vault/config
-  {{ end }}
-  {{- range .Values.server.extraVolumes }}
-            - name: userconfig-{{ .name }}
-              readOnly: true
-              mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }}
-  {{- end }}
-  {{- if .Values.server.volumeMounts }}
-    {{- toYaml .Values.server.volumeMounts | nindent 12}}
-  {{- end }}
-  {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
-            - name: vault-license
-              mountPath: /vault/license
-              readOnly: true
-  {{- end }}
-{{- end -}}
-
-{{/*
-Set's up the volumeClaimTemplates when data or audit storage is required.  HA
-might not use data storage since Consul is likely it's backend, however, audit
-storage might be desired by the user.
-*/}}
-{{- define "vault.volumeclaims" -}}
-  {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }}
-  volumeClaimTemplates:
-      {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }}
-    - metadata:
-        name: data
-        {{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }}
-      spec:
-        accessModes:
-          - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }}
-        resources:
-          requests:
-            storage: {{ .Values.server.dataStorage.size }}
-          {{- if .Values.server.dataStorage.storageClass }}
-        storageClassName: {{ .Values.server.dataStorage.storageClass }}
-          {{- end }}
-      {{ end }}
-      {{- if eq (.Values.server.auditStorage.enabled | toString) "true" }}
-    - metadata:
-        name: audit
-        {{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }}
-      spec:
-        accessModes:
-          - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }}
-        resources:
-          requests:
-            storage: {{ .Values.server.auditStorage.size }}
-          {{- if .Values.server.auditStorage.storageClass }}
-        storageClassName: {{ .Values.server.auditStorage.storageClass }}
-          {{- end }}
-      {{ end }}
-  {{ end }}
-{{- end -}}
-
-{{/*
-Set's the affinity for pod placement when running in standalone and HA modes.
-*/}}
-{{- define "vault.affinity" -}}
-  {{- if and (ne .mode "dev") .Values.server.affinity }}
-      affinity:
-        {{ tpl .Values.server.affinity . | nindent 8 | trim }}
-  {{ end }}
-{{- end -}}
-
-{{/*
-Sets the injector affinity for pod placement
-*/}}
-{{- define "injector.affinity" -}}
-  {{- if .Values.injector.affinity }}
-      affinity:
-        {{ tpl .Values.injector.affinity . | nindent 8 | trim }}
-  {{ end }}
-{{- end -}}
-
-{{/*
-Set's the toleration for pod placement when running in standalone and HA modes.
-*/}}
-{{- define "vault.tolerations" -}}
-  {{- if and (ne .mode "dev") .Values.server.tolerations }}
-      tolerations:
-        {{ tpl .Values.server.tolerations . | nindent 8 | trim }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Sets the injector toleration for pod placement
-*/}}
-{{- define "injector.tolerations" -}}
-  {{- if .Values.injector.tolerations }}
-      tolerations:
-        {{ tpl .Values.injector.tolerations . | nindent 8 | trim }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Set's the node selector for pod placement when running in standalone and HA modes.
-*/}}
-{{- define "vault.nodeselector" -}}
-  {{- if and (ne .mode "dev") .Values.server.nodeSelector }}
-      nodeSelector:
-        {{ tpl .Values.server.nodeSelector . | indent 8 | trim }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Sets the injector node selector for pod placement
-*/}}
-{{- define "injector.nodeselector" -}}
-  {{- if .Values.injector.nodeSelector }}
-      nodeSelector:
-        {{ tpl .Values.injector.nodeSelector . | indent 8 | trim }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Sets extra pod annotations
-*/}}
-{{- define "vault.annotations" -}}
-  {{- if .Values.server.annotations }}
-      annotations:
-        {{- $tp := typeOf .Values.server.annotations }}
-        {{- if eq $tp "string" }}
-          {{- tpl .Values.server.annotations . | nindent 8 }}
-        {{- else }}
-          {{- toYaml .Values.server.annotations | nindent 8 }}
-        {{- end }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Sets extra injector pod annotations
-*/}}
-{{- define "injector.annotations" -}}
-  {{- if .Values.injector.annotations }}
-      annotations:
-        {{- $tp := typeOf .Values.injector.annotations }}
-        {{- if eq $tp "string" }}
-          {{- tpl .Values.injector.annotations . | nindent 8 }}
-        {{- else }}
-          {{- toYaml .Values.injector.annotations | nindent 8 }}
-        {{- end }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Sets extra injector service annotations
-*/}}
-{{- define "injector.service.annotations" -}}
-  {{- if .Values.injector.service.annotations }}
-  annotations:
-    {{- $tp := typeOf .Values.injector.service.annotations }}
-    {{- if eq $tp "string" }}
-      {{- tpl .Values.injector.service.annotations . | nindent 4 }}
-    {{- else }}
-      {{- toYaml .Values.injector.service.annotations | nindent 4 }}
-    {{- end }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Sets extra ui service annotations
-*/}}
-{{- define "vault.ui.annotations" -}}
-  {{- if .Values.ui.annotations }}
-  annotations:
-    {{- $tp := typeOf .Values.ui.annotations }}
-    {{- if eq $tp "string" }}
-      {{- tpl .Values.ui.annotations . | nindent 4 }}
-    {{- else }}
-      {{- toYaml .Values.ui.annotations | nindent 4 }}
-    {{- end }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "vault.serviceAccount.name" -}}
-{{- if .Values.server.serviceAccount.create -}}
-    {{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }}
-{{- else -}}
-    {{ default "default" .Values.server.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Sets extra service account annotations
-*/}}
-{{- define "vault.serviceAccount.annotations" -}}
-  {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }}
-  annotations:
-    {{- $tp := typeOf .Values.server.serviceAccount.annotations }}
-    {{- if eq $tp "string" }}
-      {{- tpl .Values.server.serviceAccount.annotations . | nindent 4 }}
-    {{- else }}
-      {{- toYaml .Values.server.serviceAccount.annotations | nindent 4 }}
-    {{- end }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Sets extra ingress annotations
-*/}}
-{{- define "vault.ingress.annotations" -}}
-  {{- if .Values.server.ingress.annotations }}
-  annotations:
-    {{- $tp := typeOf .Values.server.ingress.annotations }}
-    {{- if eq $tp "string" }}
-      {{- tpl .Values.server.ingress.annotations . | nindent 4 }}
-    {{- else }}
-      {{- toYaml .Values.server.ingress.annotations | nindent 4 }}
-    {{- end }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Sets extra route annotations
-*/}}
-{{- define "vault.route.annotations" -}}
-  {{- if .Values.server.route.annotations }}
-  annotations:
-    {{- $tp := typeOf .Values.server.route.annotations }}
-    {{- if eq $tp "string" }}
-      {{- tpl .Values.server.route.annotations . | nindent 4 }}
-    {{- else }}
-      {{- toYaml .Values.server.route.annotations | nindent 4 }}
-    {{- end }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Sets extra vault server Service annotations
-*/}}
-{{- define "vault.service.annotations" -}}
-  {{- if .Values.server.service.annotations }}
-    {{- $tp := typeOf .Values.server.service.annotations }}
-    {{- if eq $tp "string" }}
-      {{- tpl .Values.server.service.annotations . | nindent 4 }}
-    {{- else }}
-      {{- toYaml .Values.server.service.annotations | nindent 4 }}
-    {{- end }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Sets PodSecurityPolicy annotations
-*/}}
-{{- define "vault.psp.annotations" -}}
-  {{- if .Values.global.psp.annotations }}
-  annotations:
-    {{- $tp := typeOf .Values.global.psp.annotations }}
-    {{- if eq $tp "string" }}
-      {{- tpl .Values.global.psp.annotations . | nindent 4 }}
-    {{- else }}
-      {{- toYaml .Values.global.psp.annotations | nindent 4 }}
-    {{- end }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Sets extra statefulset annotations
-*/}}
-{{- define "vault.statefulSet.annotations" -}}
-  {{- if .Values.server.statefulSet.annotations }}
-  annotations:
-    {{- $tp := typeOf .Values.server.statefulSet.annotations }}
-    {{- if eq $tp "string" }}
-      {{- tpl .Values.server.statefulSet.annotations . | nindent 4 }}
-    {{- else }}
-      {{- toYaml .Values.server.statefulSet.annotations | nindent 4 }}
-    {{- end }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Sets VolumeClaim annotations for data volume
-*/}}
-{{- define "vault.dataVolumeClaim.annotations" -}}
-  {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }}
-  annotations:
-    {{- $tp := typeOf .Values.server.dataStorage.annotations }}
-    {{- if eq $tp "string" }}
-      {{- tpl .Values.server.dataStorage.annotations . | nindent 4 }}
-    {{- else }}
-      {{- toYaml .Values.server.dataStorage.annotations | nindent 4 }}
-    {{- end }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Sets VolumeClaim annotations for audit volume
-*/}}
-{{- define "vault.auditVolumeClaim.annotations" -}}
-  {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }}
-  annotations:
-    {{- $tp := typeOf .Values.server.auditStorage.annotations }}
-    {{- if eq $tp "string" }}
-      {{- tpl .Values.server.auditStorage.annotations . | nindent 4 }}
-    {{- else }}
-      {{- toYaml .Values.server.auditStorage.annotations | nindent 4 }}
-    {{- end }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Set's the container resources if the user has set any.
-*/}}
-{{- define "vault.resources" -}}
-  {{- if .Values.server.resources -}}
-          resources:
-{{ toYaml .Values.server.resources | indent 12}}
-  {{ end }}
-{{- end -}}
-
-{{/*
-Sets the container resources if the user has set any.
-*/}}
-{{- define "injector.resources" -}}
-  {{- if .Values.injector.resources -}}
-          resources:
-{{ toYaml .Values.injector.resources | indent 12}}
-  {{ end }}
-{{- end -}}
-
-{{/*
-Sets the container resources if the user has set any.
-*/}}
-{{- define "csi.resources" -}}
-  {{- if .Values.csi.resources -}}
-          resources:
-{{ toYaml .Values.csi.resources | indent 12}}
-  {{ end }}
-{{- end -}}
-
-{{/*
-Sets extra CSI daemonset annotations
-*/}}
-{{- define "csi.daemonSet.annotations" -}}
-  {{- if .Values.csi.daemonSet.annotations }}
-  annotations:
-    {{- $tp := typeOf .Values.csi.daemonSet.annotations }}
-    {{- if eq $tp "string" }}
-      {{- tpl .Values.csi.daemonSet.annotations . | nindent 4 }}
-    {{- else }}
-      {{- toYaml .Values.csi.daemonSet.annotations | nindent 4 }}
-    {{- end }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Sets the injector toleration for pod placement
-*/}}
-{{- define "csi.pod.tolerations" -}}
-  {{- if .Values.csi.pod.tolerations }}
-      tolerations:
-        {{ tpl .Values.csi.pod.tolerations . | nindent 8 | trim }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Sets extra CSI provider pod annotations
-*/}}
-{{- define "csi.pod.annotations" -}}
-  {{- if .Values.csi.pod.annotations }}
-      annotations:
-      {{- $tp := typeOf .Values.csi.pod.annotations }}
-      {{- if eq $tp "string" }}
-        {{- tpl .Values.csi.pod.annotations . | nindent 8 }}
-      {{- else }}
-        {{- toYaml .Values.csi.pod.annotations | nindent 8 }}
-      {{- end }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Sets extra CSI service account annotations
-*/}}
-{{- define "csi.serviceAccount.annotations" -}}
-  {{- if .Values.csi.serviceAccount.annotations }}
-  annotations:
-    {{- $tp := typeOf .Values.csi.serviceAccount.annotations }}
-    {{- if eq $tp "string" }}
-      {{- tpl .Values.csi.serviceAccount.annotations . | nindent 4 }}
-    {{- else }}
-      {{- toYaml .Values.csi.serviceAccount.annotations | nindent 4 }}
-    {{- end }}
-  {{- end }}
-{{- end -}}
-
-{{/*
-Inject extra environment vars in the format key:value, if populated
-*/}}
-{{- define "vault.extraEnvironmentVars" -}}
-{{- if .extraEnvironmentVars -}}
-{{- range $key, $value := .extraEnvironmentVars }}
-- name: {{ printf "%s" $key | replace "." "_" | upper | quote }}
-  value: {{ $value | quote }}
-{{- end }}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Inject extra environment populated by secrets, if populated
-*/}}
-{{- define "vault.extraSecretEnvironmentVars" -}}
-{{- if .extraSecretEnvironmentVars -}}
-{{- range .extraSecretEnvironmentVars }}
-- name: {{ .envName }}
-  valueFrom:
-   secretKeyRef:
-     name: {{ .secretName }}
-     key: {{ .secretKey }}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/* Scheme for health check and local endpoint */}}
-{{- define "vault.scheme" -}}
-{{- if .Values.global.tlsDisable -}}
-{{ "http" }}
-{{- else -}}
-{{ "https" }}
-{{- end -}}
-{{- end -}}

templates/csi-clusterrolebinding.yaml

@@ -1,18 +0,0 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding
-  labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
-subjects:
-- kind: ServiceAccount
-  name: {{ template "vault.fullname" . }}-csi-provider
-  namespace: {{ .Release.Namespace }}
-{{- end }}

templates/csi-daemonset.yaml

@@ -1,84 +0,0 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: {{ template "vault.fullname" . }}-csi-provider
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  {{ template "csi.daemonSet.annotations" . }}
-spec:
-  updateStrategy:
-    type: {{ .Values.csi.daemonSet.updateStrategy.type }}
-    {{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
-    rollingUpdate:
-      maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
-    {{- end }}
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
-      app.kubernetes.io/instance: {{ .Release.Name }}
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
-        app.kubernetes.io/instance: {{ .Release.Name }}
-      {{ template "csi.pod.annotations" . }}
-    spec:
-      serviceAccountName: {{ template "vault.fullname" . }}-csi-provider
-      {{- template "csi.pod.tolerations" . }}
-      containers:
-        - name: {{ include "vault.name" . }}-csi-provider
-          {{ template "csi.resources" . }}
-          image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
-          imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
-          args:
-            - --endpoint=/provider/vault.sock
-            - --debug={{ .Values.csi.debug }}
-            {{- if .Values.csi.extraArgs }}
-              {{- toYaml .Values.csi.extraArgs | nindent 12 }}
-            {{- end }}
-          volumeMounts:
-            - name: providervol
-              mountPath: "/provider"
-            - name: mountpoint-dir
-              mountPath: /var/lib/kubelet/pods
-              mountPropagation: HostToContainer
-            {{- if .Values.csi.volumeMounts }}
-              {{- toYaml .Values.csi.volumeMounts | nindent 12}}
-            {{- end }}
-          livenessProbe:
-            httpGet:
-              path: /health/ready
-              port: 8080
-            failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }}
-            initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }}
-            periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }}
-            successThreshold: {{ .Values.csi.livenessProbe.successThreshold }}
-            timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }}
-          readinessProbe:
-            httpGet:
-              path: /health/ready
-              port: 8080
-            failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }}
-            initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }}
-            periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }}
-            successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
-            timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
-      volumes:
-        - name: providervol
-          hostPath:
-            path: "/etc/kubernetes/secrets-store-csi-providers"
-        - name: mountpoint-dir
-          hostPath:
-            path: /var/lib/kubelet/pods
-       {{- if .Values.csi.volumes }}
-         {{- toYaml .Values.csi.volumes | nindent 8}}
-       {{- end }}
-      {{- if .Values.global.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
-      {{- end }}
-{{- end }}

templates/csi-serviceaccount.yaml

@@ -1,12 +0,0 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ template "vault.fullname" . }}-csi-provider
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  {{ template "csi.serviceAccount.annotations" . }}
-{{- end }}

templates/injector-certs-secret.yaml

@@ -1,10 +0,0 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: vault-injector-certs
-  labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}

templates/injector-clusterrole.yaml

@@ -1,18 +0,0 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
-  labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-rules:
-- apiGroups: ["admissionregistration.k8s.io"]
-  resources: ["mutatingwebhookconfigurations"]
-  verbs: 
-    - "get"
-    - "list"
-    - "watch"
-    - "patch"
-{{ end }}

templates/injector-clusterrolebinding.yaml

@@ -1,18 +0,0 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ template "vault.fullname" . }}-agent-injector-binding
-  labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
-subjects:
-- kind: ServiceAccount
-  name: {{ template "vault.fullname" . }}-agent-injector
-  namespace: {{ .Release.Namespace }}
-{{ end }}

templates/injector-leader-endpoint.yaml

@@ -1,12 +0,0 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
-# This is created here so it can be cleaned up easily, since if
-# the endpoint is left around the leader won't expire for about a minute.
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: {{ template "vault.fullname" . }}-agent-injector-leader
-  labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}

templates/injector-mutating-webhook.yaml

@@ -1,42 +0,0 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
-{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
-apiVersion: admissionregistration.k8s.io/v1
-{{- else }}
-apiVersion: admissionregistration.k8s.io/v1beta1
-{{- end }}
-kind: MutatingWebhookConfiguration
-metadata:
-  name: {{ template "vault.fullname" . }}-agent-injector-cfg
-  labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-webhooks:
-  - name: vault.hashicorp.com
-    sideEffects: None
-    admissionReviewVersions:
-    - "v1beta1"
-    - "v1"
-    clientConfig:
-      service:
-        name: {{ template "vault.fullname" . }}-agent-injector-svc
-        namespace: {{ .Release.Namespace }}
-        path: "/mutate"
-      caBundle: {{ .Values.injector.certs.caBundle | quote }}
-    rules:
-      - operations: ["CREATE", "UPDATE"]
-        apiGroups: [""]
-        apiVersions: ["v1"]
-        resources: ["pods"]
-{{- if .Values.injector.namespaceSelector }}
-    namespaceSelector:
-{{ toYaml .Values.injector.namespaceSelector | indent 6}}
-{{ end }}
-{{- if .Values.injector.objectSelector }}
-    objectSelector:
-{{ toYaml .Values.injector.objectSelector | indent 6}}
-{{ end }}
-{{- with .Values.injector.failurePolicy }}
-    failurePolicy: {{.}}
-{{ end }}
-{{ end }}

templates/injector-network-policy.yaml

@@ -1,21 +0,0 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }}
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: {{ template "vault.fullname" . }}-agent-injector
-  labels:
-    app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
-    app.kubernetes.io/instance: {{ .Release.Name }}
-spec:
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
-      app.kubernetes.io/instance: {{ .Release.Name }}
-      component: webhook
-  ingress:
-    - from:
-        - namespaceSelector: {}
-      ports:
-      - port: 8080
-        protocol: TCP
-{{ end }}

templates/injector-psp-role.yaml

@@ -1,17 +0,0 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ template "vault.fullname" . }}-agent-injector-psp
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-rules:
-- apiGroups: ['policy']
-  resources: ['podsecuritypolicies']
-  verbs:     ['use']
-  resourceNames:
-    - {{ template "vault.fullname" . }}-agent-injector
-{{- end }}

templates/injector-psp-rolebinding.yaml

@@ -1,18 +0,0 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ template "vault.fullname" . }}-agent-injector-psp
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-roleRef:
-  kind: Role
-  name: {{ template "vault.fullname" . }}-agent-injector-psp
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-  - kind: ServiceAccount
-    name: {{ template "vault.fullname" . }}-agent-injector
-{{- end }}

templates/injector-role.yaml

@@ -1,19 +0,0 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
-  labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-rules:
-  - apiGroups: [""]
-    resources: ["endpoints", "secrets"]
-    verbs:
-      - "create"
-      - "get"
-      - "watch"
-      - "list"
-      - "update"
-{{- end }}

templates/injector-rolebinding.yaml

@@ -1,18 +0,0 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding
-  labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
-subjects:
-  - kind: ServiceAccount
-    name: {{ template "vault.fullname" . }}-agent-injector
-    namespace: {{ .Release.Namespace }}
-{{- end }}

templates/injector-service.yaml

@@ -1,21 +0,0 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "vault.fullname" . }}-agent-injector-svc
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  {{ template "injector.service.annotations" . }}
-spec:
-  ports:
-  - name: https
-    port: 443
-    targetPort: {{ .Values.injector.port }}
-  selector:
-    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    component: webhook
-{{- end }}

templates/injector-serviceaccount.yaml

@@ -1,11 +0,0 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ template "vault.fullname" . }}-agent-injector
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{ end }}

templates/server-config-configmap.yaml

@@ -1,38 +0,0 @@
-{{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}}
-{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ template "vault.fullname" . }}-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    helm.sh/chart: {{ include "vault.chart" . }}
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-data:
-  extraconfig-from-values.hcl: |-
-  {{- if or (eq .mode "ha") (eq .mode "standalone") }}
-  {{- $type := typeOf (index .Values.server .mode).config }}
-  {{- if eq $type "string" }}
-    disable_mlock = true
-  {{- if eq .mode "standalone" }}
-    {{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
-  {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }}
-    {{ tpl .Values.server.ha.config . | nindent 4 | trim }}
-  {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
-    {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }}
-  {{ end }}
-  {{- else }}
-  {{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
-{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }}
-  {{- else }}
-{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }}
-  {{- end }}
-  {{- end }}
-  {{- end }}
-{{- end }}
-{{- end }}
-{{- end }}

templates/server-discovery-role.yaml

@@ -1,19 +0,0 @@
-{{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  namespace: {{ .Release.Namespace }}
-  name: {{ template "vault.fullname" . }}-discovery-role
-  labels:
-    helm.sh/chart: {{ include "vault.chart" . }}
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-rules:
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get", "watch", "list", "update", "patch"]
-{{ end }}
-{{ end }}

templates/server-discovery-rolebinding.yaml

@@ -1,27 +0,0 @@
-{{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }}
-{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
-apiVersion: rbac.authorization.k8s.io/v1
-{{- else }}
-apiVersion: rbac.authorization.k8s.io/v1beta1
-{{- end }}
-kind: RoleBinding
-metadata:
-  name: {{ template "vault.fullname" . }}-discovery-rolebinding
-  namespace: {{ .Release.Namespace }}
-  labels:
-    helm.sh/chart: {{ include "vault.chart" . }}
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ template "vault.fullname" . }}-discovery-role
-subjects:
-- kind: ServiceAccount
-  name: {{ template "vault.serviceAccount.name" . }}
-  namespace: {{ .Release.Namespace }}
-{{ end }}
-{{ end }}

templates/server-disruptionbudget.yaml

@@ -1,24 +0,0 @@
-{{ template "vault.mode" . }}
-{{- if ne .mode "external" -}}
-{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
-# PodDisruptionBudget to prevent degrading the server cluster through
-# voluntary cluster changes.
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
-  name: {{ template "vault.fullname" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    helm.sh/chart: {{ include "vault.chart" . }}
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
-  maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "vault.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-      component: server
-{{- end -}}
-{{- end -}}

templates/server-ha-active-service.yaml

@@ -1,41 +0,0 @@
-{{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
-# Service for active Vault pod
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "vault.fullname" . }}-active
-  namespace: {{ .Release.Namespace }}
-  labels:
-    helm.sh/chart: {{ include "vault.chart" . }}
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  annotations:
-{{ template "vault.service.annotations" .}}
-spec:
-  {{- if .Values.server.service.type}}
-  type: {{ .Values.server.service.type }}
-  {{- end}}
-  {{- if .Values.server.service.clusterIP }}
-  clusterIP: {{ .Values.server.service.clusterIP }}
-  {{- end }}
-  publishNotReadyAddresses: true
-  ports:
-    - name: {{ include "vault.scheme" . }}
-      port: {{ .Values.server.service.port }}
-      targetPort: {{ .Values.server.service.targetPort }}
-      {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
-      nodePort: {{ .Values.server.service.nodePort }}
-      {{- end }}
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    component: server
-    vault-active: "true"
-{{- end }}
-{{- end }}

templates/server-ha-standby-service.yaml

@@ -1,41 +0,0 @@
-{{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
-# Service for standby Vault pod
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "vault.fullname" . }}-standby
-  namespace: {{ .Release.Namespace }}
-  labels:
-    helm.sh/chart: {{ include "vault.chart" . }}
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  annotations:
-{{ template "vault.service.annotations" .}}
-spec:
-  {{- if .Values.server.service.type}}
-  type: {{ .Values.server.service.type }}
-  {{- end}}
-  {{- if .Values.server.service.clusterIP }}
-  clusterIP: {{ .Values.server.service.clusterIP }}
-  {{- end }}
-  publishNotReadyAddresses: true
-  ports:
-    - name: {{ include "vault.scheme" . }}
-      port: {{ .Values.server.service.port }}
-      targetPort: {{ .Values.server.service.targetPort }}
-      {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
-      nodePort: {{ .Values.server.service.nodePort }}
-      {{- end }}
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    component: server
-    vault-active: "false"
-{{- end }}
-{{- end }}

templates/server-headless-service.yaml

@@ -1,32 +0,0 @@
-{{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
-# Service for Vault cluster
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "vault.fullname" . }}-internal
-  namespace: {{ .Release.Namespace }}
-  labels:
-    helm.sh/chart: {{ include "vault.chart" . }}
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  annotations:
-{{ template "vault.service.annotations" .}}
-spec:
-  clusterIP: None
-  publishNotReadyAddresses: true
-  ports:
-    - name: "{{ include "vault.scheme" . }}"
-      port: {{ .Values.server.service.port }}
-      targetPort: {{ .Values.server.service.targetPort }}
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    component: server
-{{- end }}
-{{- end }}

templates/server-psp-role.yaml

@@ -1,18 +0,0 @@
-{{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ template "vault.fullname" . }}-psp
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-rules:
-- apiGroups: ['policy']
-  resources: ['podsecuritypolicies']
-  verbs:     ['use']
-  resourceNames:
-    - {{ template "vault.fullname" . }}
-{{- end }}

templates/server-psp-rolebinding.yaml

@@ -1,19 +0,0 @@
-{{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ template "vault.fullname" . }}-psp
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-roleRef:
-  kind: Role
-  name: {{ template "vault.fullname" . }}-psp
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-  - kind: ServiceAccount
-    name: {{ template "vault.fullname" . }}
-{{- end }}

templates/server-service.yaml

@@ -1,42 +0,0 @@
-{{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
-# Service for Vault cluster
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "vault.fullname" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    helm.sh/chart: {{ include "vault.chart" . }}
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  annotations:
-{{ template "vault.service.annotations" .}}
-spec:
-  {{- if .Values.server.service.type}}
-  type: {{ .Values.server.service.type }}
-  {{- end}}
-  {{- if .Values.server.service.clusterIP }}
-  clusterIP: {{ .Values.server.service.clusterIP }}
-  {{- end }}
-  # We want the servers to become available even if they're not ready
-  # since this DNS is also used for join operations.
-  publishNotReadyAddresses: true
-  ports:
-    - name: {{ include "vault.scheme" . }}
-      port: {{ .Values.server.service.port }}
-      targetPort: {{ .Values.server.service.targetPort }}
-      {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
-      nodePort: {{ .Values.server.service.nodePort }}
-      {{- end }}
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    component: server
-{{- end }}
-{{- end }}

templates/server-serviceaccount.yaml

@@ -1,16 +0,0 @@
-{{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
-{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ template "vault.serviceAccount.name" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    helm.sh/chart: {{ include "vault.chart" . }}
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  {{ template "vault.serviceAccount.annotations" . }}
-{{ end }}
-{{ end }}

templates/tests/server-test.yaml

@@ -1,39 +0,0 @@
-{{- if .Values.server.enabled }}
-apiVersion: v1
-kind: Pod
-metadata:
-  name: "{{ .Release.Name }}-server-test"
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook": test
-spec:
-  containers:
-    - name: {{ .Release.Name }}-server-test
-      image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
-      imagePullPolicy: {{ .Values.server.image.pullPolicy }}
-      env:
-        - name: VAULT_ADDR
-          value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
-      command:
-        - /bin/sh
-        - -c
-        - |
-          echo "Checking for sealed info in 'vault status' output"
-          ATTEMPTS=10
-          n=0
-          until [ "$n" -ge $ATTEMPTS ]
-          do
-            echo "Attempt" $n...
-            vault status -format yaml | grep -E '^sealed: (true|false)' && break
-            n=$((n+1))
-            sleep 5
-          done
-          if [ $n -ge $ATTEMPTS ]; then
-            echo "timed out looking for sealed info in 'vault status' output"
-            exit 1
-          fi
-
-          exit 0
-
-  restartPolicy: Never
-{{- end }}

templates/ui-service.yaml

@@ -1,45 +0,0 @@
-{{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
-{{- if eq (.Values.ui.enabled | toString) "true" }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "vault.fullname" . }}-ui
-  namespace: {{ .Release.Namespace }}
-  labels:
-    helm.sh/chart: {{ include "vault.chart" . }}
-    app.kubernetes.io/name: {{ include "vault.name" . }}-ui
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  {{- template "vault.ui.annotations" . }}
-spec:
-  selector:
-    app.kubernetes.io/name: {{ include "vault.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    component: server
-    {{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }}
-    vault-active: "true"
-    {{- end }}
-  publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }}
-  ports:
-    - name: {{ include "vault.scheme" . }}
-      port: {{ .Values.ui.externalPort }}
-      targetPort: {{ .Values.ui.targetPort }}
-      {{- if .Values.ui.serviceNodePort }}
-      nodePort: {{ .Values.ui.serviceNodePort }}
-      {{- end }}
-  type: {{ .Values.ui.serviceType }}
-  {{- if and (eq (.Values.ui.serviceType | toString) "LoadBalancer") (.Values.ui.loadBalancerSourceRanges) }}
-  loadBalancerSourceRanges:
-    {{- range $cidr := .Values.ui.loadBalancerSourceRanges }}
-      - {{ $cidr }}
-    {{- end }}
-  {{- end }}
-  {{- if and (eq (.Values.ui.serviceType | toString) "LoadBalancer") (.Values.ui.loadBalancerIP) }}
-  loadBalancerIP: {{ .Values.ui.loadBalancerIP }}
-  {{- end }}
-{{- end -}}
-
-{{- end }}
-{{- end }}

test/README.md

@@ -1,16 +1,28 @@
-# Vault Helm Tests
+# OpenBao Helm Tests
 
-## Running Vault Helm Acceptance tests
+## Running OpenBao Helm Acceptance tests
 
-The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance.
+The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance or in a kind cluster.
 
-* Set the GOOGLE_CREDENTIALS and CLOUDSDK_CORE_PROJECT variables at the top of the file. GOOGLE_CREDENTIALS should contain the local path to your Google Cloud Platform account credentials in JSON format. CLOUDSDK_CORE_PROJECT should be set to the ID of your GCP project.
+### Running in a GKE cluster
+
+* Set the `GOOGLE_CREDENTIALS` and `CLOUDSDK_CORE_PROJECT` variables at the top of the file. `GOOGLE_CREDENTIALS` should contain the local path to your Google Cloud Platform account credentials in JSON format. `CLOUDSDK_CORE_PROJECT` should be set to the ID of your GCP project.
 * Run `make test-image` to create the docker image (with dependencies installed) that will be re-used in the below steps.
 * Run `make test-provision` to provision the GKE cluster using terraform.
 * Run `make test-acceptance` to run the acceptance tests in this already provisioned cluster.
 * You can choose to only run certain tests by setting the ACCEPTANCE_TESTS variable and re-running the above target.
 * Run `make test-destroy` when you have finished testing and want to tear-down and remove the cluster.
 
+### Running in a kind cluster
+
+* Run `make test-acceptance LOCAL_ACCEPTANCE_TESTS=true`
+* You can choose to only run certain tests by setting the `ACCEPTANCE_TESTS` variable and re-running the above target.
+* Run `make delete-kind` when you have finished testing and want to tear-down and remove the cluster.
+* You can set an alternate kind cluster name by specifying the `KIND_CLUSTER_NAME` variable for any of the above targets.
+* You can set an alternate K8S version by specifying the `KIND_K8S_VERSION` variable for any of the above targets.
+
+See [kind-quick-start](https://kind.sigs.k8s.io/docs/user/quick-start/) if you don't have kind installed on your system.
+
 ## Running chart verification tests
 
 If [chart-verifier](https://github.com/redhat-certification/chart-verifier) is built and available in your PATH, run:
@@ -35,7 +47,7 @@ editing will be required, since several properties accept multiple data types.
 
 ## Helm test
 
-Vault Helm also contains a simple helm test under
+OpenBao Helm also contains a simple helm test under
 [templates/tests/](../templates/tests/) that may be run against a helm release:
 
     helm test <RELEASE_NAME>