duynguyen/k8s-cluster
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Vault Helm Chart with initial configuration, README, LICENSE, and changelog; updated versions for Vault and related components, using previous values.yaml

Browse Source
This commit is contained in:
duynguyen
2026-04-12 17:19:05 +07:00
parent 48f18f4c8c
commit bcfb683c10
55 changed files with 5975 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

660
manifest/vault/CHANGELOG.md Normal file
View File

@@ -0,0 +1,660 @@
## Unreleased
## 0.32.0 (January 14, 2026)
Changes:
* Default `vault` version updated to 1.21.2
* Default `vault-csi-provider` version updated to 1.7.0
* Default `vault-k8s` version updated to 1.7.2
* Tested with Vault versions 1.21-1.19, 1.16
* Tested with Kubernetes versions 1.35-1.31
* Test with Kind v0.31.0
Features:
* server: Add OpenShift service-ca operator automation [GH-1165](https://github.com/hashicorp/vault-helm/pull/1165)
Improvements:
* server: Allow users to specify the target service for the ServiceMonitor [GH-1148](https://github.com/hashicorp/vault-helm/pull/1148)
Bugs:
* server: Add namespace to network policy template [GH-1152](https://github.com/hashicorp/vault-helm/pull/1152)
* server: Check if `disable_mlock` is already set before adding to end of HCL config [GH-1154](https://github.com/hashicorp/vault-helm/pull/1154)
* server: provide declarative parameters for volumeClaimTemplates [GH-982](https://github.com/hashicorp/vault-helm/pull/982)
## 0.31.0 (September 25, 2025)
Changes:
* Default `vault` version updated to 1.20.4
* Default `vault-csi-provider` version updated to 1.6.0 for OpenShift
* Change default `csi.daemonSet.providersDir` to "/var/run/secrets-store-csi-providers"
Features:
* csi: Add Red Hat certified vault-csi-provider image to OpenShift defaults [GH-1134](https://github.com/hashicorp/vault-helm/pull/1134)
Improvements:
* server: Add metricRelabelings to serviceMonitor options [GH-1131](https://github.com/hashicorp/vault-helm/pull/1131)
## 0.30.1 (July 28, 2025)
Changes:
* Default `vault` version updated to 1.20.1
* Default `vault-k8s` version updated to 1.7.0
* Default `vault-csi-provider` version updated to 1.5.1
* Tested with Kubernetes versions 1.29-1.33
Bugs:
* server: Allow `server.service.active.annotations` and `server.service.standby.annotation` to override `server.service.annotations` [GH-1121](https://github.com/hashicorp/vault-helm/pull/1121)
## 0.30.0 (March 27, 2025)
Changes:
* Default `vault` version updated to 1.19.0
* Default `vault-k8s` version updated to 1.6.2
* Tested with Kubernetes versions 1.28-1.32
Features:
* server: Support setting custom preStop commands [GH-1099](https://github.com/hashicorp/vault-helm/pull/1099)
Improvements:
* server: Add pod labels to server-test.yaml [GH-1094](https://github.com/hashicorp/vault-helm/pull/1094)
Bugs:
* server: Fix invalid yaml in server test when volumeMounts or volumes are empty [GH-855](https://github.com/hashicorp/vault-helm/pull/855)
* injector: Add RBAC for deleting configmaps [GH-1100](https://github.com/hashicorp/vault-helm/pull/1100)
## 0.29.1 (November 20, 2024)
Bugs:
* server: restore support for templated config [GH-1073](https://github.com/hashicorp/vault-helm/pull/1073)
## 0.29.0 (November 7, 2024)
KNOWN ISSUES:
* Template support in server config stopped working [GH-1072](https://github.com/hashicorp/vault-helm/issues/1072)
Changes:
* Default `vault` version updated to 1.18.1
* Default `vault-k8s` version updated to 1.5.0
* Default `vault-csi-provider` version updated to 1.5.0
* Tested with Kubernetes versions 1.27-1.31
Features:
* csi: Allow modification of the hostNetwork parameter on the DaemonSet [GH-1046](https://github.com/hashicorp/vault-helm/pull/1046)
Bugs:
* Properly handle JSON formatted server config [GH-1049](https://github.com/hashicorp/vault-helm/pull/1049)
## 0.28.1 (July 11, 2024)
Changes:
* Default `vault` version updated to 1.17.2
* Default `vault-k8s` version updated to 1.4.2
* Default `vault-csi-provider` version updated to 1.4.3
* Tested with Kubernetes versions 1.26-1.30
Improvements:
* Configurable `tlsConfig` and `authorization` for Prometheus ServiceMonitor [GH-1025](https://github.com/hashicorp/vault-helm/pull/1025)
* Remove UPDATE from injector-mutating-webhook [GH-783](https://github.com/hashicorp/vault-helm/pull/783)
* Add scope to mutating webhook [GH-1037](https://github.com/hashicorp/vault-helm/pull/1037)
## 0.28.0 (April 8, 2024)
Changes:
* Default `vault` version updated to 1.16.1
* Default `vault-k8s` version updated to 1.4.1
* Default `vault-csi-provider` version updated to 1.4.2
* Tested with Kubernetes versions 1.25-1.29
Features:
* server: Add annotation on config change [GH-1001](https://github.com/hashicorp/vault-helm/pull/1001)
Bugs:
* injector: add missing `get` `nodes` permission to ClusterRole [GH-1005](https://github.com/hashicorp/vault-helm/pull/1005)
## 0.27.0 (November 16, 2023)
Changes:
* Default `vault` version updated to 1.15.2
Features:
* server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet [GH-965](https://github.com/hashicorp/vault-helm/pull/965)
* server: Support setting labels on PVCs [GH-969](https://github.com/hashicorp/vault-helm/pull/969)
* server: Support setting ingress rules for networkPolicy [GH-877](https://github.com/hashicorp/vault-helm/pull/877)
Improvements:
* Support exec in the server liveness probe [GH-971](https://github.com/hashicorp/vault-helm/pull/971)
## 0.26.1 (October 30, 2023)
Bugs:
* Fix templating of `server.ha.replicas` when set via override file. The `0.26.0` chart would ignore `server.ha.replicas` and always deploy 3 server replicas when `server.ha.enabled=true` unless overridden by command line when issuing the helm command: `--set server.ha.replicas=<some_number>`. Fixed in [GH-961](https://github.com/hashicorp/vault-helm/pull/961)
## 0.26.0 (October 27, 2023)
Changes:
* Default `vault` version updated to 1.15.1
* Default `vault-k8s` version updated to 1.3.1
* Default `vault-csi-provider` version updated to 1.4.1
* Tested with Kubernetes versions 1.24-1.28
* server: OpenShift default readiness probe returns 204 when uninitialized [GH-966](https://github.com/hashicorp/vault-helm/pull/966)
Features:
* server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833)
* server: Support `hostAliases` for the StatefulSet pods [GH-955](https://github.com/hashicorp/vault-helm/pull/955)
* server: Add `server.service.active.annotations` and `server.service.standby.annotations` [GH-896](https://github.com/hashicorp/vault-helm/pull/896)
* server: Add long-lived service account token option [GH-923](https://github.com/hashicorp/vault-helm/pull/923)
Bugs:
* csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
Improvements:
* global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
* server: use vault.fullname in Helm test [GH-912](https://github.com/hashicorp/vault-helm/pull/912)
* server: Allow scaling HA replicas to zero [GH-943](https://github.com/hashicorp/vault-helm/pull/943)
## 0.25.0 (June 26, 2023)
Changes:
* Latest Kubernetes version tested is now 1.27
* server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902)
* `vault` updated to 1.14.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
* `vault-csi-provider` updated to 1.4.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
Improvements:
* CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862)
* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798)
* Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
Bugs:
* server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886)
## 0.24.1 (April 17, 2023)
Bugs:
* csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions [GH-872](https://github.com/hashicorp/vault-helm/pull/872)
## 0.24.0 (April 6, 2023)
Changes:
* Earliest Kubernetes version tested is now 1.22
* `vault` updated to 1.13.1 [GH-863](https://github.com/hashicorp/vault-helm/pull/863)
* `vault-k8s` updated to 1.2.1 [GH-868](https://github.com/hashicorp/vault-helm/pull/868)
* `vault-csi-provider` updated to 1.3.0 [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
Features:
* server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841)
* server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831)
* injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852)
* csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
## 0.23.0 (November 28th, 2022)
Changes:
* `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
* `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
* `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
Features:
* server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806)
* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
* server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813)
Bugs:
* server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810)
## 0.22.1 (October 26th, 2022)
Changes:
* `vault` updated to 1.12.0 [GH-803](https://github.com/hashicorp/vault-helm/pull/803)
* `vault-k8s` updated to 1.0.1 [GH-803](https://github.com/hashicorp/vault-helm/pull/803)
## 0.22.0 (September 8th, 2022)
Features:
* Add PrometheusOperator support for collecting Vault server metrics. [GH-772](https://github.com/hashicorp/vault-helm/pull/772)
Changes:
* `vault-k8s` to 1.0.0 [GH-784](https://github.com/hashicorp/vault-helm/pull/784)
* Test against Kubernetes 1.25 [GH-784](https://github.com/hashicorp/vault-helm/pull/784)
* `vault` updated to 1.11.3 [GH-785](https://github.com/hashicorp/vault-helm/pull/785)
## 0.21.0 (August 10th, 2022)
CHANGES:
* `vault-k8s` updated to 0.17.0. [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
* `vault-csi-provider` updated to 1.2.0 [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
* `vault` updated to 1.11.2 [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
* Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744)
* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
Features:
* server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
* csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
* injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
* Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610)
* Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753)
## 0.20.1 (May 25th, 2022)
CHANGES:
* `vault-k8s` updated to 0.16.1 [GH-739](https://github.com/hashicorp/vault-helm/pull/739)
Improvements:
* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
Bugs:
* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
## 0.20.0 (May 16th, 2022)
CHANGES:
* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
* Vault default image to 1.10.3
* CSI provider default image to 1.1.0
* Vault K8s default image to 0.16.0
* Earliest Kubernetes version tested is now 1.16
* Helm 3.6+ now required
Features:
* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652)
Improvements:
* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690)
* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683)
* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710)
* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709)
* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694)
* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684)
* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692)
## 0.19.0 (January 20th, 2022)
CHANGES:
* Vault image default 1.9.2
* Vault K8s image default 0.14.2
Features:
* Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653)
* Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659)
* Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661)
* csi: ability to set priorityClassName for CSI daemonset pods [GH-670](https://github.com/hashicorp/vault-helm/pull/670)
Improvements:
* Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679)
* Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673)
* Make TLS configurable for OpenShift routes [GH-686](https://github.com/hashicorp/vault-helm/pull/686)
## 0.18.0 (November 17th, 2021)
CHANGES:
* Removed support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector since vault-k8s now uses an internal mechanism to determine leadership [GH-649](https://github.com/hashicorp/vault-helm/pull/649)
* Vault image default 1.9.0
* Vault K8s image default 0.14.1
Improvements:
* Added templateConfig.staticSecretRenderInterval chart option for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621)
## 0.17.1 (October 25th, 2021)
Improvements:
* Add option for Ingress PathType [GH-634](https://github.com/hashicorp/vault-helm/pull/634)
## 0.17.0 (October 21st, 2021)
KNOWN ISSUES:
* The chart will fail to deploy on Kubernetes 1.19+ with `server.ingress.enabled=true` because no `pathType` is set
CHANGES:
* Vault image default 1.8.4
* Vault K8s image default 0.14.0
Improvements:
* Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590)
* Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types [GH-626](https://github.com/hashicorp/vault-helm/pull/626)
* Support setting ingressClassName on server Ingress [GH-630](https://github.com/hashicorp/vault-helm/pull/630)
Bugs:
* Ensure `kubeletRootDir` volume path and mounts are the same when `csi.daemonSet.kubeletRootDir` is overridden [GH-628](https://github.com/hashicorp/vault-helm/pull/628)
## 0.16.1 (September 29th, 2021)
CHANGES:
* Vault image default 1.8.3
* Vault K8s image default 0.13.1
## 0.16.0 (September 16th, 2021)
CHANGES:
* Support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector will be removed in version 0.18.0 of this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true`.
Improvements:
* Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` [GH-603](https://github.com/hashicorp/vault-helm/pull/603)
* Support vault-k8s internal leader election [GH-568](https://github.com/hashicorp/vault-helm/pull/568) [GH-607](https://github.com/hashicorp/vault-helm/pull/607)
## 0.15.0 (August 23rd, 2021)
Improvements:
* Add imagePullSecrets on server test [GH-572](https://github.com/hashicorp/vault-helm/pull/572)
* Add injector.webhookAnnotations chart option [GH-584](https://github.com/hashicorp/vault-helm/pull/584)
## 0.14.0 (July 28th, 2021)
Features:
* Added templateConfig.exitOnRetryFailure chart option for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560)
Improvements:
* Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565)
* Set the default vault image to come from the hashicorp organization [GH-567](https://github.com/hashicorp/vault-helm/pull/567)
* Add support for running the acceptance tests against a local `kind` cluster [GH-567](https://github.com/hashicorp/vault-helm/pull/567)
* Add `server.ingress.activeService` to configure if the ingress should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570)
* Add `server.route.activeService` to configure if the route should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570)
* Support configuring `global.imagePullSecrets` from a string array [GH-576](https://github.com/hashicorp/vault-helm/pull/576)
## 0.13.0 (June 17th, 2021)
Improvements:
* Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531)
* Added server.enterpriseLicense option [GH-547](https://github.com/hashicorp/vault-helm/pull/547)
* Added OpenShift overrides [GH-549](https://github.com/hashicorp/vault-helm/pull/549)
Bugs:
* Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537)
* Fix server.ha.disruptionBudget.maxUnavailable schema [GH-535](https://github.com/hashicorp/vault-helm/pull/535)
* Added webhook-certs volume mount to sidecar injector [GH-545](https://github.com/hashicorp/vault-helm/pull/545)
## 0.12.0 (May 25th, 2021)
Features:
* Pass additional arguments to `vault-csi-provider` using `csi.extraArgs` [GH-526](https://github.com/hashicorp/vault-helm/pull/526)
Improvements:
* Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510)
* Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513)
* Ability to set tolerations for CSI daemonset pods [GH-521](https://github.com/hashicorp/vault-helm/pull/521)
* UI target port is now configurable [GH-437](https://github.com/hashicorp/vault-helm/pull/437)
Bugs:
* CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519)
## 0.11.0 (April 14th, 2021)
Features:
* Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486)
* Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471)
* Injector port is now configurable [GH-489](https://github.com/hashicorp/vault-helm/pull/489)
* Injector Vault Agent resource defaults are now configurable [GH-493](https://github.com/hashicorp/vault-helm/pull/493)
* Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460)
* Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488)
Improvements:
* Added `https` name to injector service port [GH-495](https://github.com/hashicorp/vault-helm/pull/495)
Bugs:
* CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486)
## 0.10.0 (March 25th, 2021)
Features:
* Add support for [Vault CSI provider](https://github.com/hashicorp/vault-csi-provider) [GH-461](https://github.com/hashicorp/vault-helm/pull/461)
Improvements:
* `objectSelector` can now be set on the mutating admission webhook [GH-456](https://github.com/hashicorp/vault-helm/pull/456)
## 0.9.1 (February 2nd, 2021)
Bugs:
* Injector: fix labels for default anti-affinity rule [GH-441](https://github.com/hashicorp/vault-helm/pull/441), [GH-442](https://github.com/hashicorp/vault-helm/pull/442)
* Set VAULT_DEV_LISTEN_ADDRESS in dev mode [GH-446](https://github.com/hashicorp/vault-helm/pull/446)
## 0.9.0 (January 5th, 2021)
Features:
* Injector now supports configurable number of replicas [GH-436](https://github.com/hashicorp/vault-helm/pull/436)
* Injector now supports auto TLS for multiple replicas using leader elections [GH-436](https://github.com/hashicorp/vault-helm/pull/436)
Improvements:
* Dev mode now supports `server.extraArgs` [GH-421](https://github.com/hashicorp/vault-helm/pull/421)
* Dev mode root token is now configurable with `server.dev.devRootToken` [GH-415](https://github.com/hashicorp/vault-helm/pull/415)
* ClusterRoleBinding updated to `v1` [GH-395](https://github.com/hashicorp/vault-helm/pull/395)
* MutatingWebhook updated to `v1` [GH-408](https://github.com/hashicorp/vault-helm/pull/408)
* Injector service now supports `injector.service.annotations` [425](https://github.com/hashicorp/vault-helm/pull/425)
* Injector now supports `injector.extraLabels` [428](https://github.com/hashicorp/vault-helm/pull/428)
* Added `allowPrivilegeEscalation: false` to Vault and Injector containers [429](https://github.com/hashicorp/vault-helm/pull/429)
* Network Policy now supports `server.networkPolicy.egress` [389](https://github.com/hashicorp/vault-helm/pull/389)
## 0.8.0 (October 20th, 2020)
Improvements:
* Make server NetworkPolicy independent of OpenShift [GH-381](https://github.com/hashicorp/vault-helm/pull/381)
* Added configurables for all probe values [GH-387](https://github.com/hashicorp/vault-helm/pull/387)
* MountPath for audit and data storage is now configurable [GH-393](https://github.com/hashicorp/vault-helm/pull/393)
* Annotations can now be added to the Injector pods [GH-394](https://github.com/hashicorp/vault-helm/pull/394)
* The injector can now be configured with a failurePolicy [GH-400](https://github.com/hashicorp/vault-helm/pull/400)
* Added additional environment variables for rendering within Vault config [GH-398](https://github.com/hashicorp/vault-helm/pull/398)
* Service account for Vault K8s auth is automatically created when `injector.externalVaultAddr` is set [GH-392](https://github.com/hashicorp/vault-helm/pull/392)
Bugs:
* Fixed install output using Helm V2 command [GH-378](https://github.com/hashicorp/vault-helm/pull/378)
## 0.7.0 (August 24th, 2020)
Features:
* Added `volumes` and `volumeMounts` for mounting _any_ type of volume [GH-314](https://github.com/hashicorp/vault-helm/pull/314).
* Added configurable to enable prometheus telemetery exporter for Vault Agent Injector [GH-372](https://github.com/hashicorp/vault-helm/pull/372)
Improvements:
* Added `defaultMode` configurable to `extraVolumes`[GH-321](https://github.com/hashicorp/vault-helm/pull/321)
* Option to install and use PodSecurityPolicy's for vault server and injector [GH-177](https://github.com/hashicorp/vault-helm/pull/177)
* `VAULT_API_ADDR` is now configurable [GH-290](https://github.com/hashicorp/vault-helm/pull/290)
* Removed deprecated tolerate unready endpoint annotations [GH-363](https://github.com/hashicorp/vault-helm/pull/363)
* Add an option to set annotations on the StatefulSet [GH-199](https://github.com/hashicorp/vault-helm/pull/199)
* Make the vault server serviceAccount name a configuration option [GH-367](https://github.com/hashicorp/vault-helm/pull/367)
* Removed annotation striction from `dev` mode [GH-371](https://github.com/hashicorp/vault-helm/pull/371)
* Add an option to set annotations on PVCs [GH-364](https://github.com/hashicorp/vault-helm/pull/364)
* Added service configurables for UI [GH-285](https://github.com/hashicorp/vault-helm/pull/285)
Bugs:
* Fix python dependency in test image [GH-337](https://github.com/hashicorp/vault-helm/pull/337)
* Fix caBundle not being quoted causing validation issues with Helm 3 [GH-352](https://github.com/hashicorp/vault-helm/pull/352)
* Fix injector network policy being rendered when injector is not enabled [GH-358](https://github.com/hashicorp/vault-helm/pull/358)
## 0.6.0 (June 3rd, 2020)
Features:
* Added `extraInitContainers` to define init containers for the Vault cluster [GH-258](https://github.com/hashicorp/vault-helm/pull/258)
* Added `postStart` lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready [GH-315](https://github.com/hashicorp/vault-helm/pull/315)
* Beta: Added OpenShift support [GH-319](https://github.com/hashicorp/vault-helm/pull/319)
Improvements:
* Server configs can now be defined in YAML. Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213)
* Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)]
* Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)]
* Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)]
* Added configurable to set the Raft node name to hostname [[GH-269](https://github.com/hashicorp/vault-helm/pull/269)]
* Support setting priorityClassName on pods [[GH-282](https://github.com/hashicorp/vault-helm/pull/282)]
* Added support for ingress apiVersion `networking.k8s.io/v1beta1` [[GH-310](https://github.com/hashicorp/vault-helm/pull/310)]
* Added configurable to change service type for the HA active service [GH-317](https://github.com/hashicorp/vault-helm/pull/317)
Bugs:
* Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)]
* Fixed annotations for HA standby/active services [[GH-268](https://github.com/hashicorp/vault-helm/pull/268)]
* Updated some value defaults to match their use in templates [[GH-309](https://github.com/hashicorp/vault-helm/pull/309)]
* Use active service on ingress when ha [[GH-270](https://github.com/hashicorp/vault-helm/pull/270)]
* Fixed bug where pull secrets weren't being used for injector image [GH-298](https://github.com/hashicorp/vault-helm/pull/298)
## 0.5.0 (April 9th, 2020)
Features:
* Added Raft support for HA mode [[GH-228](https://github.com/hashicorp/vault-helm/pull/229)]
* Now supports Vault Enterprise [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)]
* Added K8s Service Registration for HA modes [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)]
* Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)]
* Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)]
* Option to set environment variables for the injector deployment [[GH-232](https://github.com/hashicorp/vault-helm/pull/232)]
* Added affinity, tolerations, and nodeSelector options for the injector deployment [[GH-234](https://github.com/hashicorp/vault-helm/pull/234)]
* Made all annotations multi-line strings [[GH-227](https://github.com/hashicorp/vault-helm/pull/227)]
## 0.4.0 (February 21st, 2020)
Improvements:
* Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174)]
* Added configurable to change updateStrategy [[GH-172](https://github.com/hashicorp/vault-helm/pull/172)]
* Added sleep in the preStop lifecycle step [[GH-188](https://github.com/hashicorp/vault-helm/pull/188)]
* Updated chart and tests to Helm 3 [[GH-195](https://github.com/hashicorp/vault-helm/pull/195)]
* Adds Values.injector.externalVaultAddr to use the injector with an external vault [[GH-207](https://github.com/hashicorp/vault-helm/pull/207)]
Bugs:
* Fix bug where Vault lifecycle was appended after extra containers. [[GH-179](https://github.com/hashicorp/vault-helm/pull/179)]
## 0.3.3 (January 14th, 2020)
Security:
* Added `server.extraArgs` to allow loading of additional Vault configurations containing sensitive settings [GH-175](https://github.com/hashicorp/vault-helm/issues/175)
Bugs:
* Fixed injection bug where wrong environment variables were being used for manually mounted TLS files
## 0.3.2 (January 8th, 2020)
Bugs:
* Fixed injection bug where TLS Skip Verify was true by default [VK8S-35]
## 0.3.1 (January 2nd, 2020)
Bugs:
* Fixed injection bug causing kube-system pods to be rejected [VK8S-14]
## 0.3.0 (December 19th, 2019)
Features:
* Extra containers can now be added to the Vault pods
* Added configurability of pod probes
* Added Vault Agent Injector
Improvements:
* Moved `global.image` to `server.image`
* Changed UI service template to route pods that aren't ready via `publishNotReadyAddresses: true`
* Added better HTTP/HTTPS scheme support to http probes
* Added configurable node port for Vault service
* `server.authDelegator` is now enabled by default
Bugs:
* Fixed upgrade bug by removing chart label which contained the version
* Fixed typo on `serviceAccount` (was `serviceaccount`)
* Fixed readiness/liveliness HTTP probe default to accept standbys
## 0.2.1 (November 12th, 2019)
Bugs:
* Removed `readOnlyRootFilesystem` causing issues when validating deployments
## 0.2.0 (October 29th, 2019)
Features:
* Added load balancer support
* Added ingress support
* Added configurable for service types (ClusterIP, NodePort, LoadBalancer, etc)
* Removed root requirements, now runs as Vault user
Improvements:
* Added namespace value to all rendered objects
* Made ports configurable in services
* Added the ability to add custom annotations to services
* Added docker image for running bats test in CircleCI
* Removed restrictions around `dev` mode such as annotations
* `readOnlyRootFilesystem` is now configurable
* Image Pull Policy is now configurable
Bugs:
* Fixed selector bugs related to Helm label updates (services, affinities, and pod disruption)
* Fixed bug where audit storage was not being mounted in HA mode
* Fixed bug where Vault pod wasn't receiving SIGTERM signals
## 0.1.2 (August 22nd, 2019)
Features:
* Added `extraSecretEnvironmentVars` to allow users to mount secrets as
environment variables
* Added `tlsDisable` configurable to change HTTP protocols from HTTP/HTTPS
depending on the value
* Added `serviceNodePort` to configure a NodePort value when setting `serviceType`
to "NodePort"
Improvements:
* Changed UI port to 8200 for better HTTP protocol support
* Added `path` to `extraVolumes` to define where the volume should be
mounted. Defaults to `/vault/userconfig`
* Upgraded Vault to 1.2.2
Bugs:
* Fixed bug where upgrade would fail because immutable labels were being
changed (Helm Version label)
* Fixed bug where UI service used wrong selector after updating helm labels
* Added `VAULT_API_ADDR` env to Vault pod to fixed bug where Vault thinks
Consul is the active node
* Removed `step-down` preStop since it requires authentication. Shutdown signal
sent by Kube acts similar to `step-down`
## 0.1.1 (August 7th, 2019)
Features:
* Added `authDelegator` Cluster Role Binding to Vault service account for
bootstrapping Kube auth method
Improvements:
* Added `server.service.clusterIP` to `values.yml` so users can toggle
the Vault service to headless by using the value `None`.
* Upgraded Vault to 1.2.1
## 0.1.0 (August 6th, 2019)
Initial release

1
manifest/vault/CODEOWNERS Normal file
View File

@@ -0,0 +1 @@
* @hashicorp/vault-ecosystem

247
manifest/vault/CONTRIBUTING.md Normal file
View File

@@ -0,0 +1,247 @@
# Contributing to Vault Helm
**Please note:** We take Vault's security and our users' trust very seriously.
If you believe you have found a security issue in Vault, please responsibly
disclose by contacting us at security@hashicorp.com.
**First:** if you're unsure or afraid of _anything_, just ask or submit the
issue or pull request anyways. You won't be yelled at for giving it your best
effort. The worst that can happen is that you'll be politely asked to change
something. We appreciate any sort of contributions, and don't want a wall of
rules to get in the way of that.
That said, if you want to ensure that a pull request is likely to be merged,
talk to us! You can find out our thoughts and ensure that your contribution
won't clash or be obviated by Vault's normal direction. A great way to do this
is via the [Vault Discussion Forum][1].
This document will cover what we're looking for in terms of reporting issues.
By addressing all the points we're looking for, it raises the chances we can
quickly merge or address your contributions.
[1]: https://discuss.hashicorp.com/c/vault
## Issues
### Reporting an Issue
* Make sure you test against the latest released version. It is possible
we already fixed the bug you're experiencing. Even better is if you can test
against `main`, as bugs are fixed regularly but new versions are only
released every few months.
* Provide steps to reproduce the issue, and if possible include the expected
results as well as the actual results. Please provide text, not screen shots!
* Respond as promptly as possible to any questions made by the Vault
team to your issue. Stale issues will be closed periodically.
### Issue Lifecycle
1. The issue is reported.
2. The issue is verified and categorized by a Vault Helm collaborator.
Categorization is done via tags. For example, bugs are marked as "bugs".
3. Unless it is critical, the issue may be left for a period of time (sometimes
many weeks), giving outside contributors -- maybe you!? -- a chance to
address the issue.
4. The issue is addressed in a pull request or commit. The issue will be
referenced in the commit message so that the code that fixes it is clearly
linked.
5. The issue is closed. Sometimes, valid issues will be closed to keep
the issue tracker clean. The issue is still indexed and available for
future viewers, or can be re-opened if necessary.
## Testing
The Helm chart ships with both unit and acceptance tests.
The unit tests don't require any active Kubernetes cluster and complete
very quickly. These should be used for fast feedback during development.
The acceptance tests require a Kubernetes cluster with a configured `kubectl`.
### Test Using Docker Container
The following are the instructions for running bats tests using a Docker container.
#### Prerequisites
* Docker installed
* `vault-helm` checked out locally
#### Test
**Note:** the following commands should be run from the `vault-helm` directory.
First, build the Docker image for running the tests:
```shell
docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test
```
Next, execute the tests with the following commands:
```shell
docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit
```
It's possible to only run specific bats tests using regular expressions.
For example, the following will run only tests with "injector" in the name:
```shell
docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector"
```
### Test Manually
The following are the instructions for running bats tests on your workstation.
#### Prerequisites
* [Bats](https://github.com/bats-core/bats-core)
```bash
brew install bats-core
```
* [yq](https://pypi.org/project/yq/)
```bash
brew install python-yq
```
* [helm](https://helm.sh)
```bash
brew install kubernetes-helm
```
#### Test
To run the unit tests:
bats ./test/unit
To run the acceptance tests:
bats ./test/acceptance
If the acceptance tests fail, deployed resources in the Kubernetes cluster
may not be properly cleaned up. We recommend recycling the Kubernetes cluster to
start from a clean slate.
**Note:** There is a Terraform configuration in the
[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory
that can be used to quickly bring up a GKE cluster and configure
`kubectl` and `helm` locally. This can be used to quickly spin up a test
cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes
cluster.
### Writing Unit Tests
Changes to the Helm chart should be accompanied by appropriate unit tests.
#### Formatting
- Put tests in the test file in the same order as the variables appear in the `values.yaml`.
- Start tests for a chart value with a header that says what is being tested, like this:
```
#--------------------------------------------------------------------
# annotations
```
- Name the test based on what it's testing in the following format (this will be its first line):
```
@test "<section being tested>: <short description of the test case>" {
```
When adding tests to an existing file, the first section will be the same as the other tests in the file.
#### Test Details
[Bats](https://github.com/bats-core/bats-core) provides a way to run commands in a shell and inspect the output in an automated way.
In all of the tests in this repo, the base command being run is [helm template](https://docs.helm.sh/helm/#helm-template) which turns the templated files into straight yaml output.
In this way, we're able to test that the various conditionals in the templates render as we would expect.
Each test defines the files that should be rendered using the `--show-only` flag, then it might adjust chart values by adding `--set` flags as well.
The output from this `helm template` command is then piped to [yq](https://pypi.org/project/yq/).
`yq` allows us to pull out just the information we're interested in, either by referencing its position in the yaml file directly or giving information about it (like its length).
The `-r` flag can be used with `yq` to return a raw string instead of a quoted one which is especially useful when looking for an exact match.
The test passes or fails based on the conditional at the end that is in square brackets, which is a comparison of our expected value and the output of `helm template` piped to `yq`.
The `| tee /dev/stderr ` pieces direct any terminal output of the `helm template` and `yq` commands to stderr so that it doesn't interfere with `bats`.
#### Test Examples
Here are some examples of common test patterns:
- Check that a value is disabled by default
```
@test "ui/Service: no type by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/ui-service.yaml \
. | tee /dev/stderr |
yq -r '.spec.type' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
```
In this example, nothing is changed from the default templates (no `--set` flags), then we use `yq` to retrieve the value we're checking, `.spec.type`.
This output is then compared against our expected value (`null` in this case) in the assertion `[ "${actual}" = "null" ]`.
- Check that a template value is rendered to a specific value
```
@test "ui/Service: specified type" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/ui-service.yaml \
--set 'ui.serviceType=LoadBalancer' \
. | tee /dev/stderr |
yq -r '.spec.type' | tee /dev/stderr)
[ "${actual}" = "LoadBalancer" ]
}
```
This is very similar to the last example, except we've changed a default value with the `--set` flag and correspondingly changed the expected value.
- Check that a template value contains several values
```
@test "server/standalone-StatefulSet: custom resources" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-statefulset.yaml \
--set 'server.standalone.enabled=true' \
--set 'server.resources.requests.memory=256Mi' \
--set 'server.resources.requests.cpu=250m' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].resources.requests.memory' | tee /dev/stderr)
[ "${actual}" = "256Mi" ]
local actual=$(helm template \
--show-only templates/server-statefulset.yaml \
--set 'server.standalone.enabled=true' \
--set 'server.resources.limits.memory=256Mi' \
--set 'server.resources.limits.cpu=250m' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].resources.limits.memory' | tee /dev/stderr)
[ "${actual}" = "256Mi" ]
```
*Note:* If testing more than two conditions, it would be good to separate the `helm template` part of the command from the `yq` sections to reduce redundant work.
- Check that an entire template file is not rendered
```
@test "syncCatalog/Deployment: disabled by default" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-statefulset.yaml \
--set 'global.enabled=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
```
Here we are check the length of the command output to see if the anything is rendered.
This style can easily be switched to check that a file is rendered instead.
## Contributor License Agreement
We require that all contributors sign our Contributor License Agreement ("CLA")
before we can accept the contribution.
[Learn more about why HashiCorp requires a CLA and what the CLA includes](https://www.hashicorp.com/cla)

23
manifest/vault/Chart.yaml Normal file
View File

@@ -0,0 +1,23 @@
annotations:
charts.openshift.io/name: HashiCorp Vault
apiVersion: v2
appVersion: 1.21.2
description: Official HashiCorp Vault Chart
home: https://www.vaultproject.io
icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
keywords:
- vault
- security
- encryption
- secrets
- management
- automation
- infrastructure
kubeVersion: '>= 1.20.0-0'
name: vault
sources:
- https://github.com/hashicorp/vault
- https://github.com/hashicorp/vault-helm
- https://github.com/hashicorp/vault-k8s
- https://github.com/hashicorp/vault-csi-provider
version: 0.32.0

355
manifest/vault/LICENSE Normal file
View File

@@ -0,0 +1,355 @@
Copyright (c) 2018 HashiCorp, Inc.
Mozilla Public License, version 2.0
1. Definitions
1.1. “Contributor”
means each individual or legal entity that creates, contributes to the
creation of, or owns Covered Software.
1.2. “Contributor Version”
means the combination of the Contributions of others (if any) used by a
Contributor and that particular Contributors Contribution.
1.3. “Contribution”
means Covered Software of a particular Contributor.
1.4. “Covered Software”
means Source Code Form to which the initial Contributor has attached the
notice in Exhibit A, the Executable Form of such Source Code Form, and
Modifications of such Source Code Form, in each case including portions
thereof.
1.5. “Incompatible With Secondary Licenses”
means
a. that the initial Contributor has attached the notice described in
Exhibit B to the Covered Software; or
b. that the Covered Software was made available under the terms of version
1.1 or earlier of the License, but not also under the terms of a
Secondary License.
1.6. “Executable Form”
means any form of the work other than Source Code Form.
1.7. “Larger Work”
means a work that combines Covered Software with other material, in a separate
file or files, that is not Covered Software.
1.8. “License”
means this document.
1.9. “Licensable”
means having the right to grant, to the maximum extent possible, whether at the
time of the initial grant or subsequently, any and all of the rights conveyed by
this License.
1.10. “Modifications”
means any of the following:
a. any file in Source Code Form that results from an addition to, deletion
from, or modification of the contents of Covered Software; or
b. any new file in Source Code Form that contains any Covered Software.
1.11. “Patent Claims” of a Contributor
means any patent claim(s), including without limitation, method, process,
and apparatus claims, in any patent Licensable by such Contributor that
would be infringed, but for the grant of the License, by the making,
using, selling, offering for sale, having made, import, or transfer of
either its Contributions or its Contributor Version.
1.12. “Secondary License”
means either the GNU General Public License, Version 2.0, the GNU Lesser
General Public License, Version 2.1, the GNU Affero General Public
License, Version 3.0, or any later versions of those licenses.
1.13. “Source Code Form”
means the form of the work preferred for making modifications.
1.14. “You” (or “Your”)
means an individual or a legal entity exercising rights under this
License. For legal entities, “You” includes any entity that controls, is
controlled by, or is under common control with You. For purposes of this
definition, “control” means (a) the power, direct or indirect, to cause
the direction or management of such entity, whether by contract or
otherwise, or (b) ownership of more than fifty percent (50%) of the
outstanding shares or beneficial ownership of such entity.
2. License Grants and Conditions
2.1. Grants
Each Contributor hereby grants You a world-wide, royalty-free,
non-exclusive license:
a. under intellectual property rights (other than patent or trademark)
Licensable by such Contributor to use, reproduce, make available,
modify, display, perform, distribute, and otherwise exploit its
Contributions, either on an unmodified basis, with Modifications, or as
part of a Larger Work; and
b. under Patent Claims of such Contributor to make, use, sell, offer for
sale, have made, import, and otherwise transfer either its Contributions
or its Contributor Version.
2.2. Effective Date
The licenses granted in Section 2.1 with respect to any Contribution become
effective for each Contribution on the date the Contributor first distributes
such Contribution.
2.3. Limitations on Grant Scope
The licenses granted in this Section 2 are the only rights granted under this
License. No additional rights or licenses will be implied from the distribution
or licensing of Covered Software under this License. Notwithstanding Section
2.1(b) above, no patent license is granted by a Contributor:
a. for any code that a Contributor has removed from Covered Software; or
b. for infringements caused by: (i) Your and any other third partys
modifications of Covered Software, or (ii) the combination of its
Contributions with other software (except as part of its Contributor
Version); or
c. under Patent Claims infringed by Covered Software in the absence of its
Contributions.
This License does not grant any rights in the trademarks, service marks, or
logos of any Contributor (except as may be necessary to comply with the
notice requirements in Section 3.4).
2.4. Subsequent Licenses
No Contributor makes additional grants as a result of Your choice to
distribute the Covered Software under a subsequent version of this License
(see Section 10.2) or under the terms of a Secondary License (if permitted
under the terms of Section 3.3).
2.5. Representation
Each Contributor represents that the Contributor believes its Contributions
are its original creation(s) or it has sufficient rights to grant the
rights to its Contributions conveyed by this License.
2.6. Fair Use
This License is not intended to limit any rights You have under applicable
copyright doctrines of fair use, fair dealing, or other equivalents.
2.7. Conditions
Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
Section 2.1.
3. Responsibilities
3.1. Distribution of Source Form
All distribution of Covered Software in Source Code Form, including any
Modifications that You create or to which You contribute, must be under the
terms of this License. You must inform recipients that the Source Code Form
of the Covered Software is governed by the terms of this License, and how
they can obtain a copy of this License. You may not attempt to alter or
restrict the recipients rights in the Source Code Form.
3.2. Distribution of Executable Form
If You distribute Covered Software in Executable Form then:
a. such Covered Software must also be made available in Source Code Form,
as described in Section 3.1, and You must inform recipients of the
Executable Form how they can obtain a copy of such Source Code Form by
reasonable means in a timely manner, at a charge no more than the cost
of distribution to the recipient; and
b. You may distribute such Executable Form under the terms of this License,
or sublicense it under different terms, provided that the license for
the Executable Form does not attempt to limit or alter the recipients
rights in the Source Code Form under this License.
3.3. Distribution of a Larger Work
You may create and distribute a Larger Work under terms of Your choice,
provided that You also comply with the requirements of this License for the
Covered Software. If the Larger Work is a combination of Covered Software
with a work governed by one or more Secondary Licenses, and the Covered
Software is not Incompatible With Secondary Licenses, this License permits
You to additionally distribute such Covered Software under the terms of
such Secondary License(s), so that the recipient of the Larger Work may, at
their option, further distribute the Covered Software under the terms of
either this License or such Secondary License(s).
3.4. Notices
You may not remove or alter the substance of any license notices (including
copyright notices, patent notices, disclaimers of warranty, or limitations
of liability) contained within the Source Code Form of the Covered
Software, except that You may alter any license notices to the extent
required to remedy known factual inaccuracies.
3.5. Application of Additional Terms
You may choose to offer, and to charge a fee for, warranty, support,
indemnity or liability obligations to one or more recipients of Covered
Software. However, You may do so only on Your own behalf, and not on behalf
of any Contributor. You must make it absolutely clear that any such
warranty, support, indemnity, or liability obligation is offered by You
alone, and You hereby agree to indemnify every Contributor for any
liability incurred by such Contributor as a result of warranty, support,
indemnity or liability terms You offer. You may include additional
disclaimers of warranty and limitations of liability specific to any
jurisdiction.
4. Inability to Comply Due to Statute or Regulation
If it is impossible for You to comply with any of the terms of this License
with respect to some or all of the Covered Software due to statute, judicial
order, or regulation then You must: (a) comply with the terms of this License
to the maximum extent possible; and (b) describe the limitations and the code
they affect. Such description must be placed in a text file included with all
distributions of the Covered Software under this License. Except to the
extent prohibited by statute or regulation, such description must be
sufficiently detailed for a recipient of ordinary skill to be able to
understand it.
5. Termination
5.1. The rights granted under this License will terminate automatically if You
fail to comply with any of its terms. However, if You become compliant,
then the rights granted under this License from a particular Contributor
are reinstated (a) provisionally, unless and until such Contributor
explicitly and finally terminates Your grants, and (b) on an ongoing basis,
if such Contributor fails to notify You of the non-compliance by some
reasonable means prior to 60 days after You have come back into compliance.
Moreover, Your grants from a particular Contributor are reinstated on an
ongoing basis if such Contributor notifies You of the non-compliance by
some reasonable means, this is the first time You have received notice of
non-compliance with this License from such Contributor, and You become
compliant prior to 30 days after Your receipt of the notice.
5.2. If You initiate litigation against any entity by asserting a patent
infringement claim (excluding declaratory judgment actions, counter-claims,
and cross-claims) alleging that a Contributor Version directly or
indirectly infringes any patent, then the rights granted to You by any and
all Contributors for the Covered Software under Section 2.1 of this License
shall terminate.
5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user
license agreements (excluding distributors and resellers) which have been
validly granted by You or Your distributors under this License prior to
termination shall survive termination.
6. Disclaimer of Warranty
Covered Software is provided under this License on an “as is” basis, without
warranty of any kind, either expressed, implied, or statutory, including,
without limitation, warranties that the Covered Software is free of defects,
merchantable, fit for a particular purpose or non-infringing. The entire
risk as to the quality and performance of the Covered Software is with You.
Should any Covered Software prove defective in any respect, You (not any
Contributor) assume the cost of any necessary servicing, repair, or
correction. This disclaimer of warranty constitutes an essential part of this
License. No use of any Covered Software is authorized under this License
except under this disclaimer.
7. Limitation of Liability
Under no circumstances and under no legal theory, whether tort (including
negligence), contract, or otherwise, shall any Contributor, or anyone who
distributes Covered Software as permitted above, be liable to You for any
direct, indirect, special, incidental, or consequential damages of any
character including, without limitation, damages for lost profits, loss of
goodwill, work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses, even if such party shall have been
informed of the possibility of such damages. This limitation of liability
shall not apply to liability for death or personal injury resulting from such
partys negligence to the extent applicable law prohibits such limitation.
Some jurisdictions do not allow the exclusion or limitation of incidental or
consequential damages, so this exclusion and limitation may not apply to You.
8. Litigation
Any litigation relating to this License may be brought only in the courts of
a jurisdiction where the defendant maintains its principal place of business
and such litigation shall be governed by laws of that jurisdiction, without
reference to its conflict-of-law provisions. Nothing in this Section shall
prevent a partys ability to bring cross-claims or counter-claims.
9. Miscellaneous
This License represents the complete agreement concerning the subject matter
hereof. If any provision of this License is held to be unenforceable, such
provision shall be reformed only to the extent necessary to make it
enforceable. Any law or regulation which provides that the language of a
contract shall be construed against the drafter shall not be used to construe
this License against a Contributor.
10. Versions of the License
10.1. New Versions
Mozilla Foundation is the license steward. Except as provided in Section
10.3, no one other than the license steward has the right to modify or
publish new versions of this License. Each version will be given a
distinguishing version number.
10.2. Effect of New Versions
You may distribute the Covered Software under the terms of the version of
the License under which You originally received the Covered Software, or
under the terms of any subsequent version published by the license
steward.
10.3. Modified Versions
If you create software not governed by this License, and you want to
create a new license for such software, you may create and use a modified
version of this License if you rename the license and remove any
references to the name of the license steward (except to note that such
modified license differs from this License).
10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses
If You choose to distribute Source Code Form that is Incompatible With
Secondary Licenses under the terms of this version of the License, the
notice described in Exhibit B of this License must be attached.
Exhibit A - Source Code Form License Notice
This Source Code Form is subject to the
terms of the Mozilla Public License, v.
2.0. If a copy of the MPL was not
distributed with this file, You can
obtain one at
http://mozilla.org/MPL/2.0/.
If it is not possible or desirable to put the notice in a particular file, then
You may include the notice in a location (such as a LICENSE file in a relevant
directory) where a recipient would be likely to look for such a notice.
You may add additional accurate notices of copyright ownership.
Exhibit B - “Incompatible With Secondary Licenses” Notice
This Source Code Form is “Incompatible
With Secondary Licenses”, as defined by
the Mozilla Public License, v. 2.0.

101
manifest/vault/Makefile Normal file
View File

@@ -0,0 +1,101 @@
TEST_IMAGE?=vault-helm-test
GOOGLE_CREDENTIALS?=vault-helm-test.json
CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514
# set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats
ACCEPTANCE_TESTS?=acceptance
# filter bats unit tests to run.
UNIT_TESTS_FILTER?='.*'
# set to 'true' to run acceptance tests locally in a kind cluster
LOCAL_ACCEPTANCE_TESTS?=false
# kind cluster name
KIND_CLUSTER_NAME?=vault-helm
# kind k8s version
KIND_K8S_VERSION?=v1.32.3
# Generate json schema for chart values. See test/README.md for more details.
values-schema:
helm schema-gen values.yaml > values.schema.json
test-image:
@docker build --rm -t $(TEST_IMAGE) -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR)
test-unit:
@docker run --rm -it -v ${PWD}:/helm-test $(TEST_IMAGE) bats -f $(UNIT_TESTS_FILTER) /helm-test/test/unit
test-bats: test-unit test-acceptance
test: test-image test-bats
# run acceptance tests on GKE
# set google project/credential vars above
test-acceptance:
ifeq ($(LOCAL_ACCEPTANCE_TESTS),true)
make setup-kind acceptance
else
@docker run -it -v ${PWD}:/helm-test \
-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
-e KUBECONFIG=/helm-test/.kube/config \
-e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \
-w /helm-test \
$(TEST_IMAGE) \
make acceptance
endif
# destroy GKE cluster using terraform
test-destroy:
@docker run -it -v ${PWD}:/helm-test \
-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
-w /helm-test \
$(TEST_IMAGE) \
make destroy-cluster
# provision GKE cluster using terraform
test-provision:
@docker run -it -v ${PWD}:/helm-test \
-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
-e KUBECONFIG=/helm-test/.kube/config \
-w /helm-test \
$(TEST_IMAGE) \
make provision-cluster
# this target is for running the acceptance tests
# it is run in the docker container above when the test-acceptance target is invoked
acceptance:
ifneq ($(LOCAL_ACCEPTANCE_TESTS),true)
gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
endif
bats --tap --timing test/${ACCEPTANCE_TESTS}
# this target is for provisioning the GKE cluster
# it is run in the docker container above when the test-provision target is invoked
provision-cluster:
gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
terraform init test/terraform
terraform apply -var project=${CLOUDSDK_CORE_PROJECT} -var init_cli=true -auto-approve test/terraform
# this target is for removing the GKE cluster
# it is run in the docker container above when the test-destroy target is invoked
destroy-cluster:
terraform destroy -auto-approve
# create a kind cluster for running the acceptance tests locally
setup-kind:
kind get clusters | grep -q "^${KIND_CLUSTER_NAME}$$" || \
kind create cluster \
--image kindest/node:${KIND_K8S_VERSION} \
--name ${KIND_CLUSTER_NAME} \
--config $(CURDIR)/test/kind/config.yaml
kubectl config use-context kind-${KIND_CLUSTER_NAME}
# delete the kind cluster
delete-kind:
kind delete cluster --name ${KIND_CLUSTER_NAME} || :
.PHONY: values-schema test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster

43
manifest/vault/README.md Normal file
View File

@@ -0,0 +1,43 @@
# Vault Helm Chart
> :warning: **Please note**: We take Vault's security and our users' trust very seriously. If
you believe you have found a security issue in Vault Helm, _please responsibly disclose_
by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).
This repository contains the official HashiCorp Helm chart for installing
and configuring Vault on Kubernetes. This chart supports multiple use
cases of Vault on Kubernetes depending on the values provided.
For full documentation on this Helm chart along with all the ways you can
use Vault with Kubernetes, please see the
[Vault and Kubernetes documentation](https://developer.hashicorp.com/vault/docs/platform/k8s).
## Prerequisites
To use the charts here, [Helm](https://helm.sh/) must be configured for your
Kubernetes cluster. Setting up Kubernetes and Helm is outside the scope of
this README. Please refer to the Kubernetes and Helm documentation.
The versions required are:
* **Helm 3.6+**
* **Kubernetes 1.29+** - This is the earliest version of Kubernetes tested.
It is possible that this chart works with earlier versions but it is
untested.
## Usage
To install the latest version of this chart, add the Hashicorp helm repository
and run `helm install`:
```console
$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories
$ helm install vault hashicorp/vault
```
Please see the many options supported in the `values.yaml` file. These are also
fully documented directly on the [Vault
website](https://developer.hashicorp.com/vault/docs/platform/k8s/helm) along with more
detailed installation instructions.

14
manifest/vault/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,14 @@
Thank you for installing HashiCorp Vault!
Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:
https://developer.hashicorp.com/vault/docs
Your release is named {{ .Release.Name }}. To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get manifest {{ .Release.Name }}

1138
manifest/vault/templates/_helpers.tpl Normal file
View File

File diff suppressed because it is too large Load Diff

34
manifest/vault/templates/csi-agent-configmap.yaml Normal file
View File

@@ -0,0 +1,34 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-agent-config
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
config.hcl: |
vault {
{{- if .Values.global.externalVaultAddr }}
"address" = "{{ .Values.global.externalVaultAddr }}"
{{- else }}
"address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}"
{{- end }}
}
cache {}
listener "unix" {
address = "/var/run/vault/agent.sock"
tls_disable = true
}
{{- end }}

23
manifest/vault/templates/csi-clusterrole.yaml Normal file
View File

@@ -0,0 +1,23 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
{{- end }}

24
manifest/vault/templates/csi-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,24 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }}
{{- end }}

157
manifest/vault/templates/csi-daemonset.yaml Normal file
View File

@@ -0,0 +1,157 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.daemonSet.extraLabels -}}
{{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "csi.daemonSet.annotations" . }}
spec:
updateStrategy:
type: {{ .Values.csi.daemonSet.updateStrategy.type }}
{{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
rollingUpdate:
maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.csi.pod.extraLabels -}}
{{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
{{- end -}}
{{ template "csi.pod.annotations" . }}
spec:
{{ template "csi.daemonSet.securityContext.pod" . }}
{{- if .Values.csi.priorityClassName }}
priorityClassName: {{ .Values.csi.priorityClassName }}
{{- end }}
hostNetwork: {{ .Values.csi.hostNetwork }}
serviceAccountName: {{ template "vault.fullname" . }}-csi-provider
{{- template "csi.pod.tolerations" . }}
{{- template "csi.pod.nodeselector" . }}
{{- template "csi.pod.affinity" . }}
containers:
- name: {{ include "vault.name" . }}-csi-provider
{{ template "csi.resources" . }}
{{ template "csi.daemonSet.securityContext.container" . }}
image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
args:
- --endpoint=/provider/vault.sock
{{- if .Values.csi.debug }}
- --log-level=debug
{{- else }}
- --log-level={{ .Values.csi.logLevel }}
{{- end }}
{{- if .Values.csi.hmacSecretName }}
- --hmac-secret-name={{ .Values.csi.hmacSecretName }}
{{- else }}
- --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key
{{- end }}
{{- if .Values.csi.extraArgs }}
{{- toYaml .Values.csi.extraArgs | nindent 12 }}
{{- end }}
env:
- name: VAULT_ADDR
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
value: "unix:///var/run/vault/agent.sock"
{{- else if .Values.global.externalVaultAddr }}
value: "{{ .Values.global.externalVaultAddr }}"
{{- else }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- end }}
volumeMounts:
- name: providervol
mountPath: "/provider"
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: agent-unix-socket
mountPath: /var/run/vault
{{- end }}
{{- if .Values.csi.volumeMounts }}
{{- toYaml .Values.csi.volumeMounts | nindent 12}}
{{- end }}
livenessProbe:
httpGet:
path: /health/ready
port: 8080
failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.csi.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }}
readinessProbe:
httpGet:
path: /health/ready
port: 8080
failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: {{ include "vault.name" . }}-agent
image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }}
{{ template "csi.agent.resources" . }}
command:
- vault
args:
- agent
- -config=/etc/vault/config.hcl
{{- if .Values.csi.agent.extraArgs }}
{{- toYaml .Values.csi.agent.extraArgs | nindent 12 }}
{{- end }}
ports:
- containerPort: 8200
env:
- name: VAULT_LOG_LEVEL
value: "{{ .Values.csi.agent.logLevel }}"
- name: VAULT_LOG_FORMAT
value: "{{ .Values.csi.agent.logFormat }}"
{{- template "csi.agent.securityContext.container" . }}
volumeMounts:
- name: agent-config
mountPath: /etc/vault/config.hcl
subPath: config.hcl
readOnly: true
- name: agent-unix-socket
mountPath: /var/run/vault
{{- if .Values.csi.volumeMounts }}
{{- toYaml .Values.csi.volumeMounts | nindent 12 }}
{{- end }}
{{- end }}
volumes:
- name: providervol
hostPath:
path: {{ .Values.csi.daemonSet.providersDir }}
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: agent-config
configMap:
name: {{ template "vault.fullname" . }}-csi-provider-agent-config
- name: agent-unix-socket
emptyDir:
medium: Memory
{{- end }}
{{- if .Values.csi.volumes }}
{{- toYaml .Values.csi.volumes | nindent 8}}
{{- end }}
{{- include "imagePullSecrets" . | nindent 6 }}
{{- end }}

32
manifest/vault/templates/csi-role.yaml Normal file
View File

@@ -0,0 +1,32 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-role
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resourceNames:
{{- if .Values.csi.hmacSecretName }}
- {{ .Values.csi.hmacSecretName }}
{{- else }}
- {{ include "vault.name" . }}-csi-provider-hmac-key
{{- end }}
# 'create' permissions cannot be restricted by resource name:
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
{{- end }}

25
manifest/vault/templates/csi-rolebinding.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-rolebinding
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "vault.fullname" . }}-csi-provider-role
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }}
{{- end }}

21
manifest/vault/templates/csi-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.serviceAccount.extraLabels -}}
{{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "csi.serviceAccount.annotations" . }}
{{- end }}

19
manifest/vault/templates/injector-certs-secret.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: v1
kind: Secret
metadata:
name: vault-injector-certs
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- end }}

30
manifest/vault/templates/injector-clusterrole.yaml Normal file
View File

@@ -0,0 +1,30 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs:
- "get"
- "list"
- "watch"
- "patch"
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
- apiGroups: [""]
resources: ["nodes"]
verbs:
- "get"
{{ end }}
{{ end }}

24
manifest/vault/templates/injector-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,24 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-binding
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }}
{{ end }}

179
manifest/vault/templates/injector-deployment.yaml Normal file
View File

@@ -0,0 +1,179 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
# Deployment for the injector
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook
spec:
replicas: {{ .Values.injector.replicas }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{ template "injector.strategy" . }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- if .Values.injector.extraLabels -}}
{{- toYaml .Values.injector.extraLabels | nindent 8 -}}
{{- end -}}
{{ template "injector.annotations" . }}
spec:
{{ template "injector.affinity" . }}
{{ template "injector.topologySpreadConstraints" . }}
{{ template "injector.tolerations" . }}
{{ template "injector.nodeselector" . }}
{{- if .Values.injector.priorityClassName }}
priorityClassName: {{ .Values.injector.priorityClassName }}
{{- end }}
serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
{{ template "injector.securityContext.pod" . -}}
{{- if not .Values.global.openshift }}
hostNetwork: {{ .Values.injector.hostNetwork }}
{{- end }}
containers:
- name: sidecar-injector
{{ template "injector.resources" . }}
image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
{{- template "injector.securityContext.container" . }}
env:
- name: AGENT_INJECT_LISTEN
value: {{ printf ":%v" .Values.injector.port }}
- name: AGENT_INJECT_LOG_LEVEL
value: {{ .Values.injector.logLevel | default "info" }}
- name: AGENT_INJECT_VAULT_ADDR
{{- if .Values.global.externalVaultAddr }}
value: "{{ .Values.global.externalVaultAddr }}"
{{- else if .Values.injector.externalVaultAddr }}
value: "{{ .Values.injector.externalVaultAddr }}"
{{- else }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- end }}
- name: AGENT_INJECT_VAULT_AUTH_PATH
value: {{ .Values.injector.authPath }}
- name: AGENT_INJECT_VAULT_IMAGE
value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
{{- if .Values.injector.certs.secretName }}
- name: AGENT_INJECT_TLS_CERT_FILE
value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}"
- name: AGENT_INJECT_TLS_KEY_FILE
value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}"
{{- else }}
- name: AGENT_INJECT_TLS_AUTO
value: {{ template "vault.fullname" . }}-agent-injector-cfg
- name: AGENT_INJECT_TLS_AUTO_HOSTS
value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }}.svc
{{- end }}
- name: AGENT_INJECT_LOG_FORMAT
value: {{ .Values.injector.logFormat | default "standard" }}
- name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
value: "{{ .Values.injector.revokeOnShutdown | default false }}"
{{- if .Values.global.openshift }}
- name: AGENT_INJECT_SET_SECURITY_CONTEXT
value: "false"
{{- end }}
{{- if .Values.injector.metrics.enabled }}
- name: AGENT_INJECT_TELEMETRY_PATH
value: "/metrics"
{{- end }}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
- name: AGENT_INJECT_USE_LEADER_ELECTOR
value: "true"
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- end }}
- name: AGENT_INJECT_CPU_REQUEST
value: "{{ .Values.injector.agentDefaults.cpuRequest }}"
- name: AGENT_INJECT_CPU_LIMIT
value: "{{ .Values.injector.agentDefaults.cpuLimit }}"
- name: AGENT_INJECT_MEM_REQUEST
value: "{{ .Values.injector.agentDefaults.memRequest }}"
- name: AGENT_INJECT_MEM_LIMIT
value: "{{ .Values.injector.agentDefaults.memLimit }}"
{{- if .Values.injector.agentDefaults.ephemeralRequest }}
- name: AGENT_INJECT_EPHEMERAL_REQUEST
value: "{{ .Values.injector.agentDefaults.ephemeralRequest }}"
{{- end }}
{{- if .Values.injector.agentDefaults.ephemeralLimit }}
- name: AGENT_INJECT_EPHEMERAL_LIMIT
value: "{{ .Values.injector.agentDefaults.ephemeralLimit }}"
{{- end }}
- name: AGENT_INJECT_DEFAULT_TEMPLATE
value: "{{ .Values.injector.agentDefaults.template }}"
- name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE
value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}"
{{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}
- name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL
value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}"
{{- end }}
{{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
args:
- agent-inject
- 2>&1
livenessProbe:
httpGet:
path: /health/ready
port: {{ .Values.injector.port }}
scheme: HTTPS
failureThreshold: {{ .Values.injector.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.injector.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.injector.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.injector.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.injector.livenessProbe.timeoutSeconds }}
readinessProbe:
httpGet:
path: /health/ready
port: {{ .Values.injector.port }}
scheme: HTTPS
failureThreshold: {{ .Values.injector.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.injector.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.injector.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.injector.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.injector.readinessProbe.timeoutSeconds }}
startupProbe:
httpGet:
path: /health/ready
port: {{ .Values.injector.port }}
scheme: HTTPS
failureThreshold: {{ .Values.injector.startupProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.injector.startupProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }}
successThreshold: {{ .Values.injector.startupProbe.successThreshold }}
timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }}
{{- if .Values.injector.certs.secretName }}
volumeMounts:
- name: webhook-certs
mountPath: /etc/webhook/certs
readOnly: true
{{- end }}
{{- if .Values.injector.certs.secretName }}
volumes:
- name: webhook-certs
secret:
secretName: "{{ .Values.injector.certs.secretName }}"
{{- end }}
{{- include "imagePullSecrets" . | nindent 6 }}
{{ end }}

25
manifest/vault/templates/injector-disruptionbudget.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if .Values.injector.podDisruptionBudget }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }}
{{- end -}}

45
manifest/vault/templates/injector-mutating-webhook.yaml Normal file
View File

@@ -0,0 +1,45 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1
{{- else }}
apiVersion: admissionregistration.k8s.io/v1beta1
{{- end }}
kind: MutatingWebhookConfiguration
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-cfg
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "injector.webhookAnnotations" . }}
webhooks:
- name: vault.hashicorp.com
failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}
matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }}
sideEffects: None
timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }}
admissionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: {{ template "vault.fullname" . }}-agent-injector-svc
namespace: {{ include "vault.namespace" . }}
path: "/mutate"
caBundle: {{ .Values.injector.certs.caBundle | quote }}
rules:
- operations: ["CREATE"]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
scope: "Namespaced"
{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }}
namespaceSelector:
{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
{{ end }}
{{- template "injector.objectSelector" . -}}
{{ end }}

29
manifest/vault/templates/injector-network-policy.yaml Normal file
View File

@@ -0,0 +1,29 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.openshift | toString) "true" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
ingress:
- from:
- namespaceSelector: {}
ports:
- port: 8080
protocol: TCP
{{ end }}
{{ end }}

25
manifest/vault/templates/injector-psp-role.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "vault.fullname" . }}-agent-injector
{{- end }}
{{- end }}

26
manifest/vault/templates/injector-psp-rolebinding.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
kind: Role
name: {{ template "vault.fullname" . }}-agent-injector-psp
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
{{- end }}
{{- end }}

51
manifest/vault/templates/injector-psp.yaml Normal file
View File

@@ -0,0 +1,51 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.psp.annotations" . }}
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: MustRunAsNonRoot
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}
{{- end }}

38
manifest/vault/templates/injector-role.yaml Normal file
View File

@@ -0,0 +1,38 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: [""]
resources: ["secrets", "configmaps"]
verbs:
- "create"
- "get"
- "watch"
- "list"
- "update"
- apiGroups: [""]
resources: ["configmaps"]
verbs:
- "delete"
- apiGroups: [""]
resources: ["pods"]
verbs:
- "get"
- "patch"
- "delete"
{{- end }}
{{- end }}

27
manifest/vault/templates/injector-rolebinding.yaml Normal file
View File

@@ -0,0 +1,27 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }}
{{- end }}
{{- end }}

27
manifest/vault/templates/injector-service.yaml Normal file
View File

@@ -0,0 +1,27 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-svc
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "injector.service.annotations" . }}
spec:
ports:
- name: https
port: 443
targetPort: {{ .Values.injector.port }}
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- end }}

18
manifest/vault/templates/injector-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "injector.serviceAccount.annotations" . }}
{{ end }}

31
manifest/vault/templates/prometheus-prometheusrules.yaml Normal file
View File

@@ -0,0 +1,31 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ if and (.Values.serverTelemetry.prometheusRules.rules)
(or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) )
}}
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "vault.fullname" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
{{- $selectors := .Values.serverTelemetry.prometheusRules.selectors }}
{{- if $selectors }}
{{- toYaml $selectors | nindent 4 }}
{{- else }}
release: prometheus
{{- end }}
spec:
groups:
- name: {{ include "vault.fullname" . }}
rules:
{{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }}
{{- end }}

66
manifest/vault/templates/prometheus-servicemonitor.yaml Normal file
View File

@@ -0,0 +1,66 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "vault.fullname" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
{{- $selectors := .Values.serverTelemetry.serviceMonitor.selectors }}
{{- if $selectors }}
{{- toYaml $selectors | nindent 4 }}
{{- else }}
release: prometheus
{{- end }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.serverTelemetry.serviceMonitor.matchLabels }}
{{- toYaml .Values.serverTelemetry.serviceMonitor.matchLabels | nindent 6 }}
{{- else }}
{{- if eq .mode "ha" }}
vault-active: "true"
{{- else }}
vault-internal: "true"
{{- end }}
{{- end }}
endpoints:
- port: {{ include "vault.scheme" . }}
interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
scheme: {{ include "vault.scheme" . | lower }}
path: /v1/sys/metrics
params:
format:
- prometheus
{{- with .Values.serverTelemetry.serviceMonitor.tlsConfig }}
tlsConfig:
{{- toYaml . | nindent 6 }}
{{- else }}
tlsConfig:
insecureSkipVerify: true
{{- end }}
{{- with .Values.serverTelemetry.serviceMonitor.authorization }}
authorization:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.serverTelemetry.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 6 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ include "vault.namespace" . }}
{{ end }}

29
manifest/vault/templates/server-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,29 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.serverAuthDelegator" . }}
{{- if .serverAuthDelegator -}}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: {{ template "vault.fullname" . }}-server-binding
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ include "vault.namespace" . }}
{{ end }}

31
manifest/vault/templates/server-config-configmap.yaml Normal file
View File

@@ -0,0 +1,31 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
{{- if ne .mode "dev" -}}
{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "vault.fullname" . }}-config
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.server.includeConfigAnnotation }}
annotations:
vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }}
{{- end }}
data:
extraconfig-from-values.hcl: |-
{{ template "vault.config" . }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

26
manifest/vault/templates/server-discovery-role.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: {{ include "vault.namespace" . }}
name: {{ template "vault.fullname" . }}-discovery-role
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "update", "patch"]
{{ end }}
{{ end }}
{{ end }}

34
manifest/vault/templates/server-discovery-rolebinding.yaml Normal file
View File

@@ -0,0 +1,34 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-discovery-rolebinding
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "vault.fullname" . }}-discovery-role
subjects:
- kind: ServiceAccount
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ include "vault.namespace" . }}
{{ end }}
{{ end }}
{{ end }}

31
manifest/vault/templates/server-disruptionbudget.yaml Normal file
View File

@@ -0,0 +1,31 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" -}}
{{- if .serverEnabled -}}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
# PodDisruptionBudget to prevent degrading the server cluster through
# voluntary cluster changes.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- end -}}
{{- end -}}
{{- end -}}

64
manifest/vault/templates/server-ha-active-service.yaml Normal file
View File

@@ -0,0 +1,64 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.service.active.enabled | toString) "true" }}
# Service for active Vault pod
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-active
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
vault-active: "true"
annotations:
{{- template "vault.service.annotations" . }}
{{- template "vault.service.active.annotations" . }}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.server.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.server.service.ipFamilies }}
ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
{{- end }}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.activeNodePort }}
{{- end }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
component: server
vault-active: "true"
{{- end }}
{{- end }}
{{- end }}
{{- end }}

63
manifest/vault/templates/server-ha-standby-service.yaml Normal file
View File

@@ -0,0 +1,63 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.service.standby.enabled | toString) "true" }}
# Service for standby Vault pod
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-standby
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{- template "vault.service.annotations" . }}
{{- template "vault.service.standby.annotations" . }}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.server.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.server.service.ipFamilies }}
ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
{{- end }}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.standbyNodePort }}
{{- end }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
component: server
vault-active: "false"
{{- end }}
{{- end }}
{{- end }}
{{- end }}

47
manifest/vault/templates/server-headless-service.yaml Normal file
View File

@@ -0,0 +1,47 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-internal
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
vault-internal: "true"
annotations:
{{ template "vault.service.annotations" .}}
spec:
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.server.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.server.service.ipFamilies }}
ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
{{- end }}
clusterIP: None
publishNotReadyAddresses: true
ports:
- name: "{{ include "vault.scheme" . }}"
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- end }}
{{- end }}

69
manifest/vault/templates/server-ingress.yaml Normal file
View File

@@ -0,0 +1,69 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if not .Values.global.openshift }}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .Values.server.ingress.enabled -}}
{{- $extraPaths := .Values.server.ingress.extraPaths -}}
{{- $serviceName := include "vault.fullname" . -}}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
{{- end }}
{{- $servicePort := .Values.server.service.port -}}
{{- $pathType := .Values.server.ingress.pathType -}}
{{- $kubeVersion := .Capabilities.KubeVersion.Version }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.server.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- template "vault.ingress.annotations" . }}
spec:
{{- if .Values.server.ingress.tls }}
tls:
{{- range .Values.server.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
{{- if .Values.server.ingress.ingressClassName }}
ingressClassName: {{ .Values.server.ingress.ingressClassName }}
{{- end }}
rules:
{{- range .Values.server.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{ if $extraPaths }}
{{ toYaml $extraPaths | indent 10 }}
{{- end }}
{{- range (.paths | default (list "/")) }}
- path: {{ . }}
pathType: {{ $pathType }}
backend:
service:
name: {{ $serviceName }}
port:
number: {{ $servicePort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

25
manifest/vault/templates/server-network-policy.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
{{- if .Values.server.networkPolicy.egress }}
egress:
{{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}
{{ end }}
{{ end }}

25
manifest/vault/templates/server-psp-role.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-psp
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "vault.fullname" . }}
{{- end }}
{{- end }}

26
manifest/vault/templates/server-psp-rolebinding.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-psp
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
kind: Role
name: {{ template "vault.fullname" . }}-psp
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}
{{- end }}
{{- end }}

54
manifest/vault/templates/server-psp.yaml Normal file
View File

@@ -0,0 +1,54 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "vault.fullname" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.psp.annotations" . }}
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
{{- if eq (.Values.server.dataStorage.enabled | toString) "true" }}
- persistentVolumeClaim
{{- end }}
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: MustRunAsNonRoot
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}
{{- end }}

39
manifest/vault/templates/server-route.yaml Normal file
View File

@@ -0,0 +1,39 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if .Values.global.openshift }}
{{- if ne .mode "external" }}
{{- if .Values.server.route.enabled -}}
{{- $serviceName := include "vault.fullname" . -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
{{- end }}
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.server.route.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- template "vault.route.annotations" . }}
spec:
host: {{ .Values.server.route.host }}
to:
kind: Service
name: {{ $serviceName }}
weight: 100
port:
targetPort: 8200
tls:
{{- toYaml .Values.server.route.tls | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

62
manifest/vault/templates/server-service.yaml Normal file
View File

@@ -0,0 +1,62 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{ template "vault.service.annotations" .}}
{{- if and .Values.global.openshift .Values.server.serviceCA.enabled }}
service.beta.openshift.io/serving-cert-secret-name: {{ .Values.server.serviceCA.secretName | quote }}
{{- end }}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.server.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.server.service.ipFamilies }}
ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
{{- end }}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
# We want the servers to become available even if they're not ready
# since this DNS is also used for join operations.
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.nodePort }}
{{- end }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
component: server
{{- end }}
{{- end }}

21
manifest/vault/templates/server-serviceaccount-secret.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.serverServiceAccountSecretCreationEnabled" . }}
{{- if .serverServiceAccountSecretCreationEnabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "vault.serviceAccount.name" . }}-token
namespace: {{ include "vault.namespace" . }}
annotations:
kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
type: kubernetes.io/service-account-token
{{ end }}

22
manifest/vault/templates/server-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,22 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.serverServiceAccountEnabled" . }}
{{- if .serverServiceAccountEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.server.serviceAccount.extraLabels -}}
{{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "vault.serviceAccount.annotations" . }}
{{ end }}

22
manifest/vault/templates/server-serviceca-configmap.yaml Normal file
View File

@@ -0,0 +1,22 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if and .Values.global.openshift .Values.server.serviceCA.enabled }}
# ConfigMap for OpenShift service-ca operator
# The service-ca operator will automatically inject the CA bundle
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Values.server.serviceCA.configMapName }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
service.beta.openshift.io/inject-cabundle: "true"
data: {}
{{- end }}

240
manifest/vault/templates/server-statefulset.yaml Normal file
View File

@@ -0,0 +1,240 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if ne .mode "" }}
{{- if .serverEnabled -}}
# StatefulSet to run the actual vault server cluster.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.statefulSet.annotations" . }}
spec:
serviceName: {{ template "vault.fullname" . }}-internal
podManagementPolicy: Parallel
replicas: {{ template "vault.replicas" . }}
updateStrategy:
type: {{ .Values.server.updateStrategyType }}
{{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }}
persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
template:
metadata:
labels:
helm.sh/chart: {{ template "vault.chart" . }}
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- if .Values.server.extraLabels -}}
{{- toYaml .Values.server.extraLabels | nindent 8 -}}
{{- end -}}
{{ template "vault.annotations" . }}
spec:
{{ template "vault.affinity" . }}
{{ template "vault.topologySpreadConstraints" . }}
{{ template "vault.tolerations" . }}
{{ template "vault.nodeselector" . }}
{{- if .Values.server.priorityClassName }}
priorityClassName: {{ .Values.server.priorityClassName }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
serviceAccountName: {{ template "vault.serviceAccount.name" . }}
{{ if .Values.server.shareProcessNamespace }}
shareProcessNamespace: true
{{ end }}
{{- template "server.statefulSet.securityContext.pod" . }}
{{- if not .Values.global.openshift }}
hostNetwork: {{ .Values.server.hostNetwork }}
{{- end }}
volumes:
{{ template "vault.volumes" . }}
- name: home
emptyDir: {}
{{- if .Values.server.hostAliases }}
hostAliases:
{{ toYaml .Values.server.hostAliases | nindent 8}}
{{- end }}
{{- if .Values.server.extraInitContainers }}
initContainers:
{{ toYaml .Values.server.extraInitContainers | nindent 8}}
{{- end }}
containers:
- name: vault
{{ template "vault.resources" . }}
image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
imagePullPolicy: {{ .Values.server.image.pullPolicy }}
command:
- "/bin/sh"
- "-ec"
args: {{ template "vault.args" . }}
{{- template "server.statefulSet.securityContext.container" . }}
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: VAULT_K8S_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: VAULT_K8S_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: VAULT_ADDR
value: "{{ include "vault.scheme" . }}://127.0.0.1:8200"
- name: VAULT_API_ADDR
{{- if .Values.server.ha.apiAddr }}
value: {{ .Values.server.ha.apiAddr }}
{{- else }}
value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
{{- end }}
- name: SKIP_CHOWN
value: "true"
- name: SKIP_SETCAP
value: "true"
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: VAULT_CLUSTER_ADDR
{{- if .Values.server.ha.clusterAddr }}
value: {{ .Values.server.ha.clusterAddr | quote }}
{{- else }}
value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
{{- end }}
{{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }}
- name: VAULT_RAFT_NODE_ID
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- end }}
- name: HOME
value: "/home/vault"
{{- if .Values.server.logLevel }}
- name: VAULT_LOG_LEVEL
value: "{{ .Values.server.logLevel }}"
{{- end }}
{{- if .Values.server.logFormat }}
- name: VAULT_LOG_FORMAT
value: "{{ .Values.server.logFormat }}"
{{- end }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
- name: VAULT_LICENSE_PATH
value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }}
{{- end }}
{{ template "vault.envs" . }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
{{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
volumeMounts:
{{ template "vault.mounts" . }}
- name: home
mountPath: /home/vault
ports:
- containerPort: 8200
name: {{ include "vault.scheme" . }}
- containerPort: 8201
name: https-internal
- containerPort: 8202
name: {{ include "vault.scheme" . }}-rep
{{- if .Values.server.extraPorts -}}
{{ toYaml .Values.server.extraPorts | nindent 12}}
{{- end }}
{{- if .Values.server.readinessProbe.enabled }}
readinessProbe:
{{- if .Values.server.readinessProbe.path }}
httpGet:
path: {{ .Values.server.readinessProbe.path | quote }}
port: {{ .Values.server.readinessProbe.port }}
scheme: {{ include "vault.scheme" . | upper }}
{{- else }}
# Check status; unsealed vault servers return 0
# The exit code reflects the seal status:
# 0 - unsealed
# 1 - error
# 2 - sealed
exec:
command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
{{- end }}
failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.server.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.server.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.server.readinessProbe.timeoutSeconds }}
{{- end }}
{{- if .Values.server.livenessProbe.enabled }}
livenessProbe:
{{- if .Values.server.livenessProbe.execCommand }}
exec:
command:
{{- range (.Values.server.livenessProbe.execCommand) }}
- {{ . | quote }}
{{- end }}
{{- else }}
httpGet:
path: {{ .Values.server.livenessProbe.path | quote }}
port: {{ .Values.server.livenessProbe.port }}
scheme: {{ include "vault.scheme" . | upper }}
{{- end }}
failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.server.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }}
{{- end }}
lifecycle:
# Vault container doesn't receive SIGTERM from Kubernetes
# and after the grace period ends, Kube sends SIGKILL. This
# causes issues with graceful shutdowns such as deregistering itself
# from Consul (zombie services).
preStop:
{{- if .Values.server.preStop }}
exec:
command:
{{- range (.Values.server.preStop) }}
- {{ . | quote }}
{{- end }}
{{- else }}
exec:
command:
- "/bin/sh"
- "-c"
# Adding a sleep here to give the pod eviction a
# chance to propagate, so requests will not be made
# to this pod while it's terminating
- "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)"
{{- end}}
{{- if .Values.server.postStart }}
postStart:
exec:
command:
{{- range (.Values.server.postStart) }}
- {{ . | quote }}
{{- end }}
{{- end }}
{{- if .Values.server.extraContainers }}
{{ toYaml .Values.server.extraContainers | nindent 8}}
{{- end }}
{{- include "imagePullSecrets" . | nindent 6 }}
{{ template "vault.volumeclaims" . }}
{{ end }}
{{ end }}
{{ end }}

60
manifest/vault/templates/tests/server-test.yaml Normal file
View File

@@ -0,0 +1,60 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
apiVersion: v1
kind: Pod
metadata:
name: {{ template "vault.fullname" . }}-server-test
namespace: {{ include "vault.namespace" . }}
annotations:
"helm.sh/hook": test
{{- with .Values.server.extraLabels }}
labels:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- include "imagePullSecrets" . | nindent 2 }}
containers:
- name: {{ .Release.Name }}-server-test
image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
imagePullPolicy: {{ .Values.server.image.pullPolicy }}
env:
- name: VAULT_ADDR
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }}
command:
- /bin/sh
- -c
- |
echo "Checking for sealed info in 'vault status' output"
ATTEMPTS=10
n=0
until [ "$n" -ge $ATTEMPTS ]
do
echo "Attempt" $n...
vault status -format yaml | grep -E '^sealed: (true|false)' && break
n=$((n+1))
sleep 5
done
if [ $n -ge $ATTEMPTS ]; then
echo "timed out looking for sealed info in 'vault status' output"
exit 1
fi
exit 0
{{- if .Values.server.volumeMounts }}
volumeMounts:
{{- toYaml .Values.server.volumeMounts | nindent 8}}
{{- end }}
{{- if .Values.server.volumes }}
volumes:
{{- toYaml .Values.server.volumes | nindent 4}}
{{- end }}
restartPolicy: Never
{{- end }}
{{- end }}

50
manifest/vault/templates/ui-service.yaml Normal file
View File

@@ -0,0 +1,50 @@
{{/*
Copyright IBM Corp. 2018, 2025
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.uiEnabled" . -}}
{{- if .uiEnabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-ui
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-ui
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.ui.annotations" . }}
spec:
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.ui.serviceIPFamilyPolicy }}
ipFamilyPolicy: {{ .Values.ui.serviceIPFamilyPolicy }}
{{- end }}
{{- if .Values.ui.serviceIPFamilies }}
ipFamilies: {{ .Values.ui.serviceIPFamilies | toYaml | nindent 2 }}
{{- end }}
{{- end }}
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }}
vault-active: "true"
{{- end }}
publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.ui.externalPort }}
targetPort: {{ .Values.ui.targetPort }}
{{- if .Values.ui.serviceNodePort }}
nodePort: {{ .Values.ui.serviceNodePort }}
{{- end }}
type: {{ .Values.ui.serviceType }}
{{- include "service.externalTrafficPolicy" .Values.ui }}
{{- include "service.loadBalancer" .Values.ui }}
{{- end -}}
{{- end }}

34
manifest/vault/values.openshift.yaml Normal file
View File

@@ -0,0 +1,34 @@
# Copyright IBM Corp. 2018, 2025
# SPDX-License-Identifier: MPL-2.0
# These overrides are appropriate defaults for deploying this chart on OpenShift
global:
openshift: true
injector:
image:
repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
tag: "1.7.2-ubi"
agentImage:
repository: "registry.connect.redhat.com/hashicorp/vault"
tag: "1.21.2-ubi"
server:
image:
repository: "registry.connect.redhat.com/hashicorp/vault"
tag: "1.21.2-ubi"
readinessProbe:
path: "/v1/sys/health?uninitcode=204"
csi:
image:
repository: "registry.connect.redhat.com/hashicorp/vault-csi-provider"
tag: "1.7.0-ubi"
agent:
image:
repository: "registry.connect.redhat.com/hashicorp/vault"
tag: "1.21.2-ubi"

1343
manifest/vault/values.schema.json Normal file
View File

File diff suppressed because it is too large Load Diff