This repository has been archived by the owner on Aug 25, 2023. It is now read-only.

Update for Chart 0.16 (#9)
lawliet89 authored Sep 17, 2021
1 parent d27a332 commit 7c63bf9
Showing 3 changed files with 20 additions and 12 deletions.
14 changes: 6 additions & 8 deletions README.md
Expand Up @@ -242,20 +242,19 @@ No modules.
| <a name="input_agent_default_memory_request"></a> [agent\_default\_memory\_request](#input\_agent\_default\_memory\_request) | Default memory request for injected agent containers | `string` | `"128Mi"` | no |
| <a name="input_agent_default_template_type"></a> [agent\_default\_template\_type](#input\_agent\_default\_template\_type) | Default template type for secrets when no custom template is specified. Possible values include: "json" and "map". | `string` | `"map"` | no |
| <a name="input_agent_image_repository"></a> [agent\_image\_repository](#input\_agent\_image\_repository) | Image repository for the Vault agent that is injected | `string` | `"hashicorp/vault"` | no |
| <a name="input_agent_image_tag"></a> [agent\_image\_tag](#input\_agent\_image\_tag) | Image tag for the Vault agent that is injected | `string` | `"1.8.0"` | no |
| <a name="input_agent_image_tag"></a> [agent\_image\_tag](#input\_agent\_image\_tag) | Image tag for the Vault agent that is injected | `string` | `"1.8.2"` | no |
| <a name="input_api_addr"></a> [api\_addr](#input\_api\_addr) | Set the api\_addr configuration for Vault HA. See https://www.vaultproject.io/docs/configuration#api_addr If set to null, this will be set to the Pod IP Address | `any` | `null` | no |
| <a name="input_auth_path"></a> [auth\_path](#input\_auth\_path) | Mount path of the Kubernetes Auth Engine that the injector will use | `string` | `"auth/kubernetes"` | no |
| <a name="input_chart_name"></a> [chart\_name](#input\_chart\_name) | Helm chart name to provision | `string` | `"vault"` | no |
| <a name="input_chart_repository"></a> [chart\_repository](#input\_chart\_repository) | Helm repository for the chart | `string` | `"https://helm.releases.hashicorp.com"` | no |
| <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | Version of Chart to install. Set to empty to install the latest version | `string` | `"0.13.0"` | no |
| <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | Version of Chart to install. Set to empty to install the latest version | `string` | `"0.16.0"` | no |
| <a name="input_enable_auth_delegator"></a> [enable\_auth\_delegator](#input\_enable\_auth\_delegator) | uthDelegator enables a cluster role binding to be attached to the service account. This cluster role binding can be used to setup Kubernetes auth method. https://www.vaultproject.io/docs/auth/kubernetes.html | `bool` | `true` | no |
| <a name="input_exit_on_retry_failure"></a> [exit\_on\_retry\_failure](#input\_exit\_on\_retry\_failure) | Exit agent on templating failure | `bool` | `true` | no |
| <a name="input_external_vault_addr"></a> [external\_vault\_addr](#input\_external\_vault\_addr) | External vault server address for the injector to use. Setting this will disable deployment of a vault server along with the injector. | `string` | `""` | no |
| <a name="input_fullname_override"></a> [fullname\_override](#input\_fullname\_override) | Helm resources full name override | `string` | `""` | no |
| <a name="input_gcs_extra_parameters"></a> [gcs\_extra\_parameters](#input\_gcs\_extra\_parameters) | Additional paramaters for GCS storage in HCL. See https://www.vaultproject.io/docs/configuration/storage/google-cloud-storage | `string` | `""` | no |
| <a name="input_gcs_storage_enable"></a> [gcs\_storage\_enable](#input\_gcs\_storage\_enable) | Enable the use of GCS Storage | `any` | n/a | yes |
| <a name="input_gcs_storage_use"></a> [gcs\_storage\_use](#input\_gcs\_storage\_use) | Use GCS storage in Vault configuration. Setting this to false allows GCS storage resouces to be created but not used with Vault | `bool` | `true` | no |
| <a name="input_gke_boot_disk_kms_key"></a> [gke\_boot\_disk\_kms\_key](#input\_gke\_boot\_disk\_kms\_key) | KMS Key to encrypt the boot disk. Set to `null` to not use any | `string` | `null` | no |
| <a name="input_gcs_storage_use"></a> [gcs\_storage\_use](#input\_gcs\_storage\_use) | Use GCS storage in Vault configuration. Setting this to false allows GCS storage resouces to be created but not used with Vault | `bool` | `true` | no || <a name="input_gke_boot_disk_kms_key"></a> [gke\_boot\_disk\_kms\_key](#input\_gke\_boot\_disk\_kms\_key) | KMS Key to encrypt the boot disk. Set to `null` to not use any | `string` | `null` | no |
| <a name="input_gke_cluster"></a> [gke\_cluster](#input\_gke\_cluster) | Cluster to create node pool for | `string` | `"<REQUIRED if gke_pool_create is true>"` | no |
| <a name="input_gke_disk_type"></a> [gke\_disk\_type](#input\_gke\_disk\_type) | Disk type for the nodes | `string` | `"pd-standard"` | no |
| <a name="input_gke_enable_integrity_monitoring"></a> [gke\_enable\_integrity\_monitoring](#input\_gke\_enable\_integrity\_monitoring) | Enable integrity monitoring of nodes | `bool` | `false` | no |
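Review bot: The added gcs_storage_use line also carries the whole gke_boot_disk_kms_key row after `| no ||`, so the two inputs now share one line and gke_boot_disk_kms_key no longer renders as its own table row. Restore the line break between the two rows (or regenerate the inputs table) so the result matches the two separate lines that were removed. The context rows also show typos that should be fixed in the source descriptions: "uthDelegator", "paramaters" and "resouces".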
Expand Down Expand Up @@ -284,7 +283,7 @@ No modules.
| <a name="input_injector_env"></a> [injector\_env](#input\_injector\_env) | Extra environment variable for the injector pods | `map` | `{}` | no |
| <a name="input_injector_failure_policy"></a> [injector\_failure\_policy](#input\_injector\_failure\_policy) | Configures failurePolicy of the webhook. Default behaviour depends on the admission webhook version. See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy | `string` | `"Ignore"` | no |
| <a name="input_injector_image_repository"></a> [injector\_image\_repository](#input\_injector\_image\_repository) | Image repository for Vault Injector | `string` | `"hashicorp/vault-k8s"` | no |
| <a name="input_injector_image_tag"></a> [injector\_image\_tag](#input\_injector\_image\_tag) | Image tag for Vault Injector | `string` | `"0.11.0"` | no |
| <a name="input_injector_image_tag"></a> [injector\_image\_tag](#input\_injector\_image\_tag) | Image tag for Vault Injector | `string` | `"0.13.0"` | no |
| <a name="input_injector_leader_elector_enabled"></a> [injector\_leader\_elector\_enabled](#input\_injector\_leader\_elector\_enabled) | Enable leader elector for Injector if > 1 replicas | `bool` | `true` | no |
| <a name="input_injector_leader_elector_image"></a> [injector\_leader\_elector\_image](#input\_injector\_leader\_elector\_image) | Image for Injector leader elector | `string` | `"gcr.io/google_containers/leader-elector"` | no |
| <a name="input_injector_leader_elector_tag"></a> [injector\_leader\_elector\_tag](#input\_injector\_leader\_elector\_tag) | Image tag for Injector leader elector | `string` | `"0.4"` | no |
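Review bot: The rows for injector_leader_elector_image and injector_leader_elector_tag, directly below the changed injector_image_tag line, still read as if that image is always deployed. This commit moves the injector default to 0.13.0 and sets `useContainer: false` in templates/values.yaml, so by default these two inputs appear to have no effect; say so in their descriptions or mark them as deprecated.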
Expand Down Expand Up @@ -315,8 +314,7 @@ No modules.
| <a name="input_raft_disk_labels"></a> [raft\_disk\_labels](#input\_raft\_disk\_labels) | Override labels for Raft GCE PD resources. Will use `var.labels` if set to null | `map(string)` | `null` | no |
| <a name="input_raft_disk_regional"></a> [raft\_disk\_regional](#input\_raft\_disk\_regional) | Use regional disks instead of zonal disks | `bool` | `true` | no |
| <a name="input_raft_disk_size"></a> [raft\_disk\_size](#input\_raft\_disk\_size) | Size of Raft disks in GB | `number` | `10` | no |
| <a name="input_raft_disk_snapshot_labels"></a> [raft\_disk\_snapshot\_labels](#input\_raft\_disk\_snapshot\_labels) | Override labels for Raft GCE PD snapshot resources. Will use `var.labels` if set to null | `map(string)` | `null` | no |
| <a name="input_raft_disk_type"></a> [raft\_disk\_type](#input\_raft\_disk\_type) | Raft data disk type | `string` | `"pd-ssd"` | no |
| <a name="input_raft_disk_snapshot_labels"></a> [raft\_disk\_snapshot\_labels](#input\_raft\_disk\_snapshot\_labels) | Override labels for Raft GCE PD snapshot resources. Will use `var.labels` if set to null | `map(string)` | `null` | no || <a name="input_raft_disk_type"></a> [raft\_disk\_type](#input\_raft\_disk\_type) | Raft data disk type | `string` | `"pd-ssd"` | no |
| <a name="input_raft_disk_zones"></a> [raft\_disk\_zones](#input\_raft\_disk\_zones) | List of zones for disks. If not set, will default to the zones in var.region | `list(string)` | `[]` | no |
| <a name="input_raft_extra_parameters"></a> [raft\_extra\_parameters](#input\_raft\_extra\_parameters) | Extra parameters for Raft storage in HCL | `string` | `""` | no |
| <a name="input_raft_persistent_disks_prefix"></a> [raft\_persistent\_disks\_prefix](#input\_raft\_persistent\_disks\_prefix) | Prefix of the name persistent disks for Vault to create. The prefix will be appended with the index | `string` | `"vault-data-"` | no |
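Review bot: The added raft_disk_snapshot_labels line has the raft_disk_type row appended after `| no ||`, the same row merge as in the first README hunk, so raft_disk_type loses its own table row. Put the two rows back on separate lines; the hunk should then show no change for either input.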
Expand All @@ -343,7 +341,7 @@ No modules.
| <a name="input_server_extra_args"></a> [server\_extra\_args](#input\_server\_extra\_args) | Extra args for the server | `string` | `""` | no |
| <a name="input_server_extra_containers"></a> [server\_extra\_containers](#input\_server\_extra\_containers) | List of extra server containers | `any` | `[]` | no |
| <a name="input_server_image_repository"></a> [server\_image\_repository](#input\_server\_image\_repository) | Server image repository | `string` | `"hashicorp/vault"` | no |
| <a name="input_server_image_tag"></a> [server\_image\_tag](#input\_server\_image\_tag) | Server image tag | `string` | `"1.8.0"` | no |
| <a name="input_server_image_tag"></a> [server\_image\_tag](#input\_server\_image\_tag) | Server image tag | `string` | `"1.8.2"` | no |
| <a name="input_server_labels"></a> [server\_labels](#input\_server\_labels) | Labels for server | `map` | `{}` | no |
| <a name="input_server_liveness_probe_enable"></a> [server\_liveness\_probe\_enable](#input\_server\_liveness\_probe\_enable) | Enable server liness probe | `bool` | `true` | no |
| <a name="input_server_liveness_probe_path"></a> [server\_liveness\_probe\_path](#input\_server\_liveness\_probe\_path) | Server liveness probe path | `string` | `"/v1/sys/health?standbyok=true"` | no |
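Review bot: The documented default for server_image_tag moves to 1.8.2 here (and agent_image_tag does the same in the first hunk), but the variables.tf changes in this commit only touch chart_version and injector_image_tag. Confirm that both image tag defaults in variables.tf already read 1.8.2 so the table matches the code. The context row "Enable server liness probe" should read "liveness"; fix it in the variable description.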
14 changes: 12 additions & 2 deletions templates/values.yaml
Expand Up @@ -29,10 +29,16 @@ injector:
# Configures the port the injector should listen on
port: 8080

# If multiple replicas are specified, by default a leader-elector side-car
# will be created so that only one injector attempts to create TLS certificates.
# If multiple replicas are specified, by default a leader will be determined
# so that only one injector attempts to create TLS certificates.
leaderElector:
enabled: ${injector_leader_elector_enabled}
# Note: The deployment of the leader-elector container will soon be removed
# from this chart since vault-k8s now uses an internal mechanism to
# determine leadership.
# To enable the deployment of the leader-elector container for use with
# vault-k8s 0.12.0 and earlier, set `useContainer=true`
useContainer: false
image:
repository: ${injector_leader_elector_image}
tag: "${injector_leader_elector_tag}"
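Review bot: `useContainer: false` is a literal, while the neighbouring `enabled`, `repository` and `tag` keys are filled from module variables. A caller who pins injector_image_tag to 0.12.0 or earlier and runs more than one replica therefore has no way to turn the leader-elector container back on, which is exactly the case the added comment says needs `useContainer=true`. Either template this key from a new variable that defaults to false (for example a hypothetical injector_leader_elector_use_container) or document that injector tags at or below 0.12.0 are no longer supported with multiple replicas.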
Expand Down Expand Up @@ -661,6 +667,10 @@ csi:
# YAML-formatted multi-line templated string map of the annotations to apply
# to the daemonSet.
annotations: {}
# Provider host path (must match the CSI provider's path)
providersDir: "/etc/kubernetes/secrets-store-csi-providers"
# Kubelet host path
kubeletRootDir: "/var/lib/kubelet"

pod:
# Extra annotations for the provider pods. This can either be YAML or a
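Review bot: `providersDir` and `kubeletRootDir` are added under csi as fixed host paths with no module variable behind them. The comment states that providersDir must match the CSI provider's path, so a cluster whose CSI driver or kubelet uses a different directory cannot correct the value through this module. Consider templating both keys, keeping "/etc/kubernetes/secrets-store-csi-providers" and "/var/lib/kubelet" as the defaults.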
4 changes: 2 additions & 2 deletions variables.tf
Expand Up @@ -35,7 +35,7 @@ variable "chart_repository" {

variable "chart_version" {
description = "Version of Chart to install. Set to empty to install the latest version"
default = "0.15.0"
default = "0.16.0"
}

variable "max_history" {
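Review bot: The chart_version default moves from 0.15.0 to 0.16.0 here, yet the README row removed in this same commit still showed 0.13.0, so the inputs table had drifted from variables.tf before this change. Add a check that regenerates the table and fails on a diff. Every caller that does not set chart_version also picks up the new chart on the next apply, so the commit message or a changelog entry should mention the leader-election change in templates/values.yaml that comes with it.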
Expand Down Expand Up @@ -104,7 +104,7 @@ variable "injector_image_repository" {

variable "injector_image_tag" {
description = "Image tag for Vault Injector"
default = "0.12.0"
default = "0.13.0"
}

variable "injector_log_level" {
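Review bot: `variable "injector_image_tag"` shows only a description and a default; add `type = string` so a non-string override is rejected at plan time (the same applies to chart_version in the previous hunk). Since templates/values.yaml now assumes the injector handles leadership internally, the description could also state that the default template expects a tag later than 0.12.0.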
