From 3976c34b3f6525ab3091913214dfd12ad04e65d5 Mon Sep 17 00:00:00 2001 
From: mgoerens <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 19 Sep 2024 13:29:27 +0200
Subject: [PATCH] test remove chart

---
 .../testproject2/0.28.5/src/.helmignore | 28 -
 .../testproject2/0.28.5/src/CHANGELOG.md | 545 -------
 .../testproject2/0.28.5/src/CODEOWNERS | 1 -
 .../testproject2/0.28.5/src/CONTRIBUTING.md | 247 ----
 .../testproject2/0.28.5/src/Chart.yaml | 23 -
 .../mgoerens/testproject2/0.28.5/src/LICENSE | 355 -----
 .../mgoerens/testproject2/0.28.5/src/Makefile | 101 --
 .../testproject2/0.28.5/src/README.md | 43 -
 .../0.28.5/src/templates/NOTES.txt | 14 -
 .../0.28.5/src/templates/_helpers.tpl | 1105 --------------
 .../src/templates/csi-agent-configmap.yaml | 34 -
 .../0.28.5/src/templates/csi-clusterrole.yaml | 23 -
 .../src/templates/csi-clusterrolebinding.yaml | 24 -
 .../0.28.5/src/templates/csi-daemonset.yaml | 157 --
 .../0.28.5/src/templates/csi-role.yaml | 32 -
 .../0.28.5/src/templates/csi-rolebinding.yaml | 25 -
 .../src/templates/csi-serviceaccount.yaml | 21 -
 .../src/templates/injector-certs-secret.yaml | 19 -
 .../src/templates/injector-clusterrole.yaml | 30 -
 .../injector-clusterrolebinding.yaml | 24 -
 .../src/templates/injector-deployment.yaml | 179 ---
 .../templates/injector-disruptionbudget.yaml | 25 -
 .../templates/injector-mutating-webhook.yaml | 44 -
 .../templates/injector-network-policy.yaml | 29 -
 .../src/templates/injector-psp-role.yaml | 25 -
 .../templates/injector-psp-rolebinding.yaml | 26 -
 .../0.28.5/src/templates/injector-psp.yaml | 51 -
 .../0.28.5/src/templates/injector-role.yaml | 34 -
 .../src/templates/injector-rolebinding.yaml | 27 -
 .../src/templates/injector-service.yaml | 27 -
 .../templates/injector-serviceaccount.yaml | 18 -
 .../templates/prometheus-prometheusrules.yaml | 31 -
 .../templates/prometheus-servicemonitor.yaml | 49 -
 .../templates/server-clusterrolebinding.yaml | 29 -
 .../templates/server-config-configmap.yaml | 31 -
 .../src/templates/server-discovery-role.yaml | 26 -
 .../server-discovery-rolebinding.yaml | 34 -
 .../templates/server-disruptionbudget.yaml | 31 -
 .../templates/server-ha-active-service.yaml | 64 -
 .../templates/server-ha-standby-service.yaml | 63 -
 .../templates/server-headless-service.yaml | 47 -
 .../0.28.5/src/templates/server-ingress.yaml | 69 -
 .../src/templates/server-network-policy.yaml | 24 -
 .../0.28.5/src/templates/server-psp-role.yaml | 25 -
 .../src/templates/server-psp-rolebinding.yaml | 26 -
 .../0.28.5/src/templates/server-psp.yaml | 54 -
 .../0.28.5/src/templates/server-route.yaml | 39 -
 .../0.28.5/src/templates/server-service.yaml | 59 -
 .../server-serviceaccount-secret.yaml | 21 -
 .../src/templates/server-serviceaccount.yaml | 22 -
 .../src/templates/server-statefulset.yaml | 232 ---
 .../src/templates/tests/server-test.yaml | 56 -
 .../0.28.5/src/templates/ui-service.yaml | 50 -
 .../0.28.5/src/values.openshift.yaml | 24 -
 .../0.28.5/src/values.schema.json | 1303 -----------------
 .../testproject2/0.28.5/src/values.yaml | 1186 ---------------
 56 files changed, 6931 deletions(-)
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/.helmignore
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/CHANGELOG.md
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/CODEOWNERS
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/CONTRIBUTING.md
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/Chart.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/LICENSE
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/Makefile
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/README.md
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/NOTES.txt
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/_helpers.tpl
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-agent-configmap.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-clusterrole.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-clusterrolebinding.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-daemonset.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-role.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-rolebinding.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-serviceaccount.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-certs-secret.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-clusterrole.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-clusterrolebinding.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-deployment.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-disruptionbudget.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-mutating-webhook.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-network-policy.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-psp-role.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-psp-rolebinding.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-psp.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-role.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-rolebinding.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-service.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-serviceaccount.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/prometheus-prometheusrules.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/prometheus-servicemonitor.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-clusterrolebinding.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-config-configmap.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-discovery-role.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-discovery-rolebinding.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-disruptionbudget.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-ha-active-service.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-ha-standby-service.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-headless-service.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-ingress.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-network-policy.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-psp-role.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-psp-rolebinding.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-psp.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-route.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-service.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-serviceaccount-secret.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-serviceaccount.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-statefulset.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/tests/server-test.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/templates/ui-service.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/values.openshift.yaml
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/values.schema.json
 delete mode 100644 charts/partners/mgoerens/testproject2/0.28.5/src/values.yaml

diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/.helmignore b/charts/partners/mgoerens/testproject2/0.28.5/src/.helmignore
deleted file mode 100644
index 4007e2435..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/.helmignore
+++ /dev/null
@@ -1,28 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.terraform/
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-
-# CI and test
-.circleci/
-.github/
-.gitlab-ci.yml
-test/
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/CHANGELOG.md b/charts/partners/mgoerens/testproject2/0.28.5/src/CHANGELOG.md
deleted file mode 100644
index 72e58a878..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/CHANGELOG.md
+++ /dev/null
@@ -1,545 +0,0 @@
-## Unreleased
-
-## 0.28.0 (April 8, 2024)
-
-Changes:
-
-* Default `vault` version updated to 1.16.1
-* Default `vault-k8s` version updated to 1.4.1
-* Default `vault-csi-provider` version updated to 1.4.2
-* Tested with Kubernetes versions 1.25-1.29
-
-Features:
-
-* server: Add annotation on config change [GH-1001](https://github.com/hashicorp/vault-helm/pull/1001)
-
-Bugs:
-
-* injector: add missing `get` `nodes` permission to ClusterRole [GH-1005](https://github.com/hashicorp/vault-helm/pull/1005)
-
-## 0.27.0 (November 16, 2023)
-
-Changes:
-
-* Default `vault` version updated to 1.15.2
-
-Features:
-
-* server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet [GH-965](https://github.com/hashicorp/vault-helm/pull/965)
-* server: Support setting labels on PVCs [GH-969](https://github.com/hashicorp/vault-helm/pull/969)
-* server: Support setting ingress rules for networkPolicy [GH-877](https://github.com/hashicorp/vault-helm/pull/877)
-
-Improvements:
-
-* Support exec in the server liveness probe [GH-971](https://github.com/hashicorp/vault-helm/pull/971)
-
-## 0.26.1 (October 30, 2023)
-
-Bugs:
-* Fix templating of `server.ha.replicas` when set via override file. The `0.26.0` chart would ignore `server.ha.replicas` and always deploy 3 server replicas when `server.ha.enabled=true` unless overridden by command line when issuing the helm command: `--set server.ha.replicas=`. Fixed in [GH-961](https://github.com/hashicorp/vault-helm/pull/961)
-
-## 0.26.0 (October 27, 2023)
-
-Changes:
-* Default `vault` version updated to 1.15.1
-* Default `vault-k8s` version updated to 1.3.1
-* Default `vault-csi-provider` version updated to 1.4.1
-* Tested with Kubernetes versions 1.24-1.28
-* server: OpenShift default readiness probe returns 204 when uninitialized [GH-966](https://github.com/hashicorp/vault-helm/pull/966)
-
-Features:
-* server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833)
-* server: Support `hostAliases` for the StatefulSet pods [GH-955](https://github.com/hashicorp/vault-helm/pull/955)
-* server: Add `server.service.active.annotations` and `server.service.standby.annotations` [GH-896](https://github.com/hashicorp/vault-helm/pull/896)
-* server: Add long-lived service account token option [GH-923](https://github.com/hashicorp/vault-helm/pull/923)
-
-Bugs:
-* csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
-
-Improvements:
-* global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
-* server: use vault.fullname in Helm test [GH-912](https://github.com/hashicorp/vault-helm/pull/912)
-* server: Allow scaling HA replicas to zero [GH-943](https://github.com/hashicorp/vault-helm/pull/943)
-
-## 0.25.0 (June 26, 2023)
-
-Changes:
-* Latest Kubernetes version tested is now 1.27
-* server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902)
-* `vault` updated to 1.14.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
-* `vault-csi-provider` updated to 1.4.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
-
-Improvements:
-* CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862)
-* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798)
-* Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
-
-Bugs:
-* server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886)
-
-## 0.24.1 (April 17, 2023)
-
-Bugs:
-* csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions [GH-872](https://github.com/hashicorp/vault-helm/pull/872)
-
-## 0.24.0 (April 6, 2023)
-
-Changes:
-* Earliest Kubernetes version tested is now 1.22
-* `vault` updated to 1.13.1 [GH-863](https://github.com/hashicorp/vault-helm/pull/863)
-* `vault-k8s` updated to 1.2.1 [GH-868](https://github.com/hashicorp/vault-helm/pull/868)
-* `vault-csi-provider` updated to 1.3.0 [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
-
-Features:
-* server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841)
-* server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831)
-* injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852)
-* csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
-
-## 0.23.0 (November 28th, 2022)
-
-Changes:
-* `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
-* `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
-* `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
-
-Features:
-* server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806)
-* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
-* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
-* server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813)
-
-Bugs:
-* server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810)
-
-## 0.22.1 (October 26th, 2022)
-
-Changes:
-* `vault` updated to 1.12.0 [GH-803](https://github.com/hashicorp/vault-helm/pull/803)
-* `vault-k8s` updated to 1.0.1 [GH-803](https://github.com/hashicorp/vault-helm/pull/803)
-
-## 0.22.0 (September 8th, 2022)
-
-Features:
-* Add PrometheusOperator support for collecting Vault server metrics. [GH-772](https://github.com/hashicorp/vault-helm/pull/772)
-
-Changes:
-* `vault-k8s` to 1.0.0 [GH-784](https://github.com/hashicorp/vault-helm/pull/784)
-* Test against Kubernetes 1.25 [GH-784](https://github.com/hashicorp/vault-helm/pull/784)
-* `vault` updated to 1.11.3 [GH-785](https://github.com/hashicorp/vault-helm/pull/785)
-
-## 0.21.0 (August 10th, 2022)
-
-CHANGES:
-* `vault-k8s` updated to 0.17.0. [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
-* `vault-csi-provider` updated to 1.2.0 [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
-* `vault` updated to 1.11.2 [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
-* Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744)
-* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
-* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
-
-Features:
-* server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
-* csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
-* injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
-* Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610)
-* Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753)
-
-## 0.20.1 (May 25th, 2022)
-CHANGES:
-* `vault-k8s` updated to 0.16.1 [GH-739](https://github.com/hashicorp/vault-helm/pull/739)
-
-Improvements:
-* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
-
-Bugs:
-* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
-
-## 0.20.0 (May 16th, 2022)
-
-CHANGES:
-* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
-* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
-* Vault default image to 1.10.3
-* CSI provider default image to 1.1.0
-* Vault K8s default image to 0.16.0
-* Earliest Kubernetes version tested is now 1.16
-* Helm 3.6+ now required
-
-Features:
-* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652)
-
-Improvements:
-* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690)
-* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683)
-* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710)
-* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709)
-* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694)
-* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684)
-* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692)
-
-## 0.19.0 (January 20th, 2022)
-
-CHANGES:
-* Vault image default 1.9.2
-* Vault K8s image default 0.14.2
-
-Features:
-* Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653)
-* Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659)
-* Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661)
-* csi: ability to set priorityClassName for CSI daemonset pods [GH-670](https://github.com/hashicorp/vault-helm/pull/670)
-
-Improvements:
-* Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679)
-* Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673)
-* Make TLS configurable for OpenShift routes [GH-686](https://github.com/hashicorp/vault-helm/pull/686)
-
-## 0.18.0 (November 17th, 2021)
-
-CHANGES:
-* Removed support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector since vault-k8s now uses an internal mechanism to determine leadership [GH-649](https://github.com/hashicorp/vault-helm/pull/649)
-* Vault image default 1.9.0
-* Vault K8s image default 0.14.1
-
-Improvements:
-* Added templateConfig.staticSecretRenderInterval chart option for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621)
-
-## 0.17.1 (October 25th, 2021)
-
-Improvements:
- * Add option for Ingress PathType [GH-634](https://github.com/hashicorp/vault-helm/pull/634)
-
-## 0.17.0 (October 21st, 2021)
-
-KNOWN ISSUES:
-* The chart will fail to deploy on Kubernetes 1.19+ with `server.ingress.enabled=true` because no `pathType` is set
-
-CHANGES:
-* Vault image default 1.8.4
-* Vault K8s image default 0.14.0
-
-Improvements:
-* Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590)
-* Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types [GH-626](https://github.com/hashicorp/vault-helm/pull/626)
-* Support setting ingressClassName on server Ingress [GH-630](https://github.com/hashicorp/vault-helm/pull/630)
-
-Bugs:
-* Ensure `kubeletRootDir` volume path and mounts are the same when `csi.daemonSet.kubeletRootDir` is overridden [GH-628](https://github.com/hashicorp/vault-helm/pull/628)
-
-## 0.16.1 (September 29th, 2021)
-
-CHANGES:
-* Vault image default 1.8.3
-* Vault K8s image default 0.13.1
-
-## 0.16.0 (September 16th, 2021)
-
-CHANGES:
-* Support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector will be removed in version 0.18.0 of this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true`.
-
-Improvements:
- * Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` [GH-603](https://github.com/hashicorp/vault-helm/pull/603)
- * Support vault-k8s internal leader election [GH-568](https://github.com/hashicorp/vault-helm/pull/568) [GH-607](https://github.com/hashicorp/vault-helm/pull/607)
-
-## 0.15.0 (August 23rd, 2021)
-
-Improvements:
-* Add imagePullSecrets on server test [GH-572](https://github.com/hashicorp/vault-helm/pull/572)
-* Add injector.webhookAnnotations chart option [GH-584](https://github.com/hashicorp/vault-helm/pull/584)
-
-## 0.14.0 (July 28th, 2021)
-
-Features:
-* Added templateConfig.exitOnRetryFailure chart option for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560)
-
-Improvements:
-* Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565)
-* Set the default vault image to come from the hashicorp organization [GH-567](https://github.com/hashicorp/vault-helm/pull/567)
-* Add support for running the acceptance tests against a local `kind` cluster [GH-567](https://github.com/hashicorp/vault-helm/pull/567)
-* Add `server.ingress.activeService` to configure if the ingress should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570)
-* Add `server.route.activeService` to configure if the route should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570)
-* Support configuring `global.imagePullSecrets` from a string array [GH-576](https://github.com/hashicorp/vault-helm/pull/576)
-
-
-## 0.13.0 (June 17th, 2021)
-
-Improvements:
-* Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531)
-* Added server.enterpriseLicense option [GH-547](https://github.com/hashicorp/vault-helm/pull/547)
-* Added OpenShift overrides [GH-549](https://github.com/hashicorp/vault-helm/pull/549)
-
-Bugs:
-* Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537)
-* Fix server.ha.disruptionBudget.maxUnavailable schema [GH-535](https://github.com/hashicorp/vault-helm/pull/535)
-* Added webhook-certs volume mount to sidecar injector [GH-545](https://github.com/hashicorp/vault-helm/pull/545)
-
-## 0.12.0 (May 25th, 2021)
-
-Features:
-* Pass additional arguments to `vault-csi-provider` using `csi.extraArgs` [GH-526](https://github.com/hashicorp/vault-helm/pull/526)
-
-Improvements:
-* Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510)
-* Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513)
-* Ability to set tolerations for CSI daemonset pods [GH-521](https://github.com/hashicorp/vault-helm/pull/521)
-* UI target port is now configurable [GH-437](https://github.com/hashicorp/vault-helm/pull/437)
-
-Bugs:
-* CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519)
-
-## 0.11.0 (April 14th, 2021)
-
-Features:
-* Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486)
-* Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471)
-* Injector port is now configurable [GH-489](https://github.com/hashicorp/vault-helm/pull/489)
-* Injector Vault Agent resource defaults are now configurable [GH-493](https://github.com/hashicorp/vault-helm/pull/493)
-* Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460)
-* Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488)
-
-Improvements:
-* Added `https` name to injector service port [GH-495](https://github.com/hashicorp/vault-helm/pull/495)
-
-Bugs:
-* CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486)
-
-## 0.10.0 (March 25th, 2021)
-
-Features:
-* Add support for [Vault CSI provider](https://github.com/hashicorp/vault-csi-provider) [GH-461](https://github.com/hashicorp/vault-helm/pull/461)
-
-Improvements:
-* `objectSelector` can now be set on the mutating admission webhook [GH-456](https://github.com/hashicorp/vault-helm/pull/456)
-
-## 0.9.1 (February 2nd, 2021)
-
-Bugs:
-* Injector: fix labels for default anti-affinity rule [GH-441](https://github.com/hashicorp/vault-helm/pull/441), [GH-442](https://github.com/hashicorp/vault-helm/pull/442)
-* Set VAULT_DEV_LISTEN_ADDRESS in dev mode [GH-446](https://github.com/hashicorp/vault-helm/pull/446)
-
-## 0.9.0 (January 5th, 2021)
-
-Features:
-* Injector now supports configurable number of replicas [GH-436](https://github.com/hashicorp/vault-helm/pull/436)
-* Injector now supports auto TLS for multiple replicas using leader elections [GH-436](https://github.com/hashicorp/vault-helm/pull/436)
-
-Improvements:
-* Dev mode now supports `server.extraArgs` [GH-421](https://github.com/hashicorp/vault-helm/pull/421)
-* Dev mode root token is now configurable with `server.dev.devRootToken` [GH-415](https://github.com/hashicorp/vault-helm/pull/415)
-* ClusterRoleBinding updated to `v1` [GH-395](https://github.com/hashicorp/vault-helm/pull/395)
-* MutatingWebhook updated to `v1` [GH-408](https://github.com/hashicorp/vault-helm/pull/408)
-* Injector service now supports `injector.service.annotations` [425](https://github.com/hashicorp/vault-helm/pull/425)
-* Injector now supports `injector.extraLabels` [428](https://github.com/hashicorp/vault-helm/pull/428)
-* Added `allowPrivilegeEscalation: false` to Vault and Injector containers [429](https://github.com/hashicorp/vault-helm/pull/429)
-* Network Policy now supports `server.networkPolicy.egress` [389](https://github.com/hashicorp/vault-helm/pull/389)
-
-## 0.8.0 (October 20th, 2020)
-
-Improvements:
-* Make server NetworkPolicy independent of OpenShift [GH-381](https://github.com/hashicorp/vault-helm/pull/381)
-* Added configurables for all probe values [GH-387](https://github.com/hashicorp/vault-helm/pull/387)
-* MountPath for audit and data storage is now configurable [GH-393](https://github.com/hashicorp/vault-helm/pull/393)
-* Annotations can now be added to the Injector pods [GH-394](https://github.com/hashicorp/vault-helm/pull/394)
-* The injector can now be configured with a failurePolicy [GH-400](https://github.com/hashicorp/vault-helm/pull/400)
-* Added additional environment variables for rendering within Vault config [GH-398](https://github.com/hashicorp/vault-helm/pull/398)
-* Service account for Vault K8s auth is automatically created when `injector.externalVaultAddr` is set [GH-392](https://github.com/hashicorp/vault-helm/pull/392)
-
-Bugs:
-* Fixed install output using Helm V2 command [GH-378](https://github.com/hashicorp/vault-helm/pull/378)
-
-## 0.7.0 (August 24th, 2020)
-
-Features:
-* Added `volumes` and `volumeMounts` for mounting _any_ type of volume [GH-314](https://github.com/hashicorp/vault-helm/pull/314).
-* Added configurable to enable prometheus telemetery exporter for Vault Agent Injector [GH-372](https://github.com/hashicorp/vault-helm/pull/372)
-
-Improvements:
-* Added `defaultMode` configurable to `extraVolumes`[GH-321](https://github.com/hashicorp/vault-helm/pull/321)
-* Option to install and use PodSecurityPolicy's for vault server and injector [GH-177](https://github.com/hashicorp/vault-helm/pull/177)
-* `VAULT_API_ADDR` is now configurable [GH-290](https://github.com/hashicorp/vault-helm/pull/290)
-* Removed deprecated tolerate unready endpoint annotations [GH-363](https://github.com/hashicorp/vault-helm/pull/363)
-* Add an option to set annotations on the StatefulSet [GH-199](https://github.com/hashicorp/vault-helm/pull/199)
-* Make the vault server serviceAccount name a configuration option [GH-367](https://github.com/hashicorp/vault-helm/pull/367)
-* Removed annotation striction from `dev` mode [GH-371](https://github.com/hashicorp/vault-helm/pull/371)
-* Add an option to set annotations on PVCs [GH-364](https://github.com/hashicorp/vault-helm/pull/364)
-* Added service configurables for UI [GH-285](https://github.com/hashicorp/vault-helm/pull/285)
-
-Bugs:
-* Fix python dependency in test image [GH-337](https://github.com/hashicorp/vault-helm/pull/337)
-* Fix caBundle not being quoted causing validation issues with Helm 3 [GH-352](https://github.com/hashicorp/vault-helm/pull/352)
-* Fix injector network policy being rendered when injector is not enabled [GH-358](https://github.com/hashicorp/vault-helm/pull/358)
-
-## 0.6.0 (June 3rd, 2020)
-
-Features:
-* Added `extraInitContainers` to define init containers for the Vault cluster [GH-258](https://github.com/hashicorp/vault-helm/pull/258)
-* Added `postStart` lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready [GH-315](https://github.com/hashicorp/vault-helm/pull/315)
-* Beta: Added OpenShift support [GH-319](https://github.com/hashicorp/vault-helm/pull/319)
-
-Improvements:
-* Server configs can now be defined in YAML. Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213)
-* Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)]
-* Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)]
-* Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)]
-* Added configurable to set the Raft node name to hostname [[GH-269](https://github.com/hashicorp/vault-helm/pull/269)]
-* Support setting priorityClassName on pods [[GH-282](https://github.com/hashicorp/vault-helm/pull/282)]
-* Added support for ingress apiVersion `networking.k8s.io/v1beta1` [[GH-310](https://github.com/hashicorp/vault-helm/pull/310)]
-* Added configurable to change service type for the HA active service [GH-317](https://github.com/hashicorp/vault-helm/pull/317)
-
-Bugs:
-* Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)]
-* Fixed annotations for HA standby/active services [[GH-268](https://github.com/hashicorp/vault-helm/pull/268)]
-* Updated some value defaults to match their use in templates [[GH-309](https://github.com/hashicorp/vault-helm/pull/309)]
-* Use active service on ingress when ha [[GH-270](https://github.com/hashicorp/vault-helm/pull/270)]
-* Fixed bug where pull secrets weren't being used for injector image [GH-298](https://github.com/hashicorp/vault-helm/pull/298)
-
-## 0.5.0 (April 9th, 2020)
-
-Features:
-
-* Added Raft support for HA mode [[GH-228](https://github.com/hashicorp/vault-helm/pull/229)]
-* Now supports Vault Enterprise [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)]
-* Added K8s Service Registration for HA modes [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)]
-
-* Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)]
-* Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)]
-* Option to set environment variables for the injector deployment [[GH-232](https://github.com/hashicorp/vault-helm/pull/232)]
-* Added affinity, tolerations, and nodeSelector options for the injector deployment [[GH-234](https://github.com/hashicorp/vault-helm/pull/234)]
-* Made all annotations multi-line strings [[GH-227](https://github.com/hashicorp/vault-helm/pull/227)]
-
-## 0.4.0 (February 21st, 2020)
-
-Improvements:
-
-* Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174)]
-* Added configurable to change updateStrategy [[GH-172](https://github.com/hashicorp/vault-helm/pull/172)]
-* Added sleep in the preStop lifecycle step [[GH-188](https://github.com/hashicorp/vault-helm/pull/188)]
-* Updated chart and tests to Helm 3 [[GH-195](https://github.com/hashicorp/vault-helm/pull/195)]
-* Adds Values.injector.externalVaultAddr to use the injector with an external vault [[GH-207](https://github.com/hashicorp/vault-helm/pull/207)]
-
-Bugs:
-
-* Fix bug where Vault lifecycle was appended after extra containers. 
[[GH-179](https://github.com/hashicorp/vault-helm/pull/179)] - -## 0.3.3 (January 14th, 2020) - -Security: - -* Added `server.extraArgs` to allow loading of additional Vault configurations containing sensitive settings [GH-175](https://github.com/hashicorp/vault-helm/issues/175) - -Bugs: - -* Fixed injection bug where wrong environment variables were being used for manually mounted TLS files - -## 0.3.2 (January 8th, 2020) - -Bugs: - -* Fixed injection bug where TLS Skip Verify was true by default [VK8S-35] - -## 0.3.1 (January 2nd, 2020) - -Bugs: - -* Fixed injection bug causing kube-system pods to be rejected [VK8S-14] - -## 0.3.0 (December 19th, 2019) - -Features: - -* Extra containers can now be added to the Vault pods -* Added configurability of pod probes -* Added Vault Agent Injector - -Improvements: - -* Moved `global.image` to `server.image` -* Changed UI service template to route pods that aren't ready via `publishNotReadyAddresses: true` -* Added better HTTP/HTTPS scheme support to http probes -* Added configurable node port for Vault service -* `server.authDelegator` is now enabled by default - -Bugs: - -* Fixed upgrade bug by removing chart label which contained the version -* Fixed typo on `serviceAccount` (was `serviceaccount`) -* Fixed readiness/liveliness HTTP probe default to accept standbys - -## 0.2.1 (November 12th, 2019) - -Bugs: - -* Removed `readOnlyRootFilesystem` causing issues when validating deployments - -## 0.2.0 (October 29th, 2019) - -Features: - -* Added load balancer support -* Added ingress support -* Added configurable for service types (ClusterIP, NodePort, LoadBalancer, etc) -* Removed root requirements, now runs as Vault user - -Improvements: - -* Added namespace value to all rendered objects -* Made ports configurable in services -* Added the ability to add custom annotations to services -* Added docker image for running bats test in CircleCI -* Removed restrictions around `dev` mode such as annotations -* 
`readOnlyRootFilesystem` is now configurable -* Image Pull Policy is now configurable - -Bugs: - -* Fixed selector bugs related to Helm label updates (services, affinities, and pod disruption) -* Fixed bug where audit storage was not being mounted in HA mode -* Fixed bug where Vault pod wasn't receiving SIGTERM signals - - -## 0.1.2 (August 22nd, 2019) - -Features: - -* Added `extraSecretEnvironmentVars` to allow users to mount secrets as - environment variables -* Added `tlsDisable` configurable to change HTTP protocols from HTTP/HTTPS - depending on the value -* Added `serviceNodePort` to configure a NodePort value when setting `serviceType` - to "NodePort" - -Improvements: - -* Changed UI port to 8200 for better HTTP protocol support -* Added `path` to `extraVolumes` to define where the volume should be - mounted. Defaults to `/vault/userconfig` -* Upgraded Vault to 1.2.2 - -Bugs: - -* Fixed bug where upgrade would fail because immutable labels were being - changed (Helm Version label) -* Fixed bug where UI service used wrong selector after updating helm labels -* Added `VAULT_API_ADDR` env to Vault pod to fixed bug where Vault thinks - Consul is the active node -* Removed `step-down` preStop since it requires authentication. Shutdown signal - sent by Kube acts similar to `step-down` - - -## 0.1.1 (August 7th, 2019) - -Features: - -* Added `authDelegator` Cluster Role Binding to Vault service account for - bootstrapping Kube auth method - -Improvements: - -* Added `server.service.clusterIP` to `values.yml` so users can toggle - the Vault service to headless by using the value `None`. -* Upgraded Vault to 1.2.1 - -## 0.1.0 (August 6th, 2019) - -Initial release diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/CODEOWNERS b/charts/partners/mgoerens/testproject2/0.28.5/src/CODEOWNERS deleted file mode 100644 index a765f7ea9..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/CODEOWNERS +++ /dev/null 
@@ -1 +0,0 @@
-* @hashicorp/vault-ecosystem
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/CONTRIBUTING.md b/charts/partners/mgoerens/testproject2/0.28.5/src/CONTRIBUTING.md
deleted file mode 100644
index ad31ac92d..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/CONTRIBUTING.md
+++ /dev/null
@@ -1,247 +0,0 @@ -# Contributing to Vault Helm - -**Please note:** We take Vault's security and our users' trust very seriously. -If you believe you have found a security issue in Vault, please responsibly -disclose by contacting us at security@hashicorp.com. - -**First:** if you're unsure or afraid of _anything_, just ask or submit the -issue or pull request anyways. You won't be yelled at for giving it your best -effort. The worst that can happen is that you'll be politely asked to change -something. We appreciate any sort of contributions, and don't want a wall of -rules to get in the way of that. - -That said, if you want to ensure that a pull request is likely to be merged, -talk to us! You can find out our thoughts and ensure that your contribution -won't clash or be obviated by Vault's normal direction. A great way to do this -is via the [Vault Discussion Forum][1]. - -This document will cover what we're looking for in terms of reporting issues. -By addressing all the points we're looking for, it raises the chances we can -quickly merge or address your contributions. - -[1]: https://discuss.hashicorp.com/c/vault - -## Issues - -### Reporting an Issue - -* Make sure you test against the latest released version. It is possible - we already fixed the bug you're experiencing. Even better is if you can test - against `main`, as bugs are fixed regularly but new versions are only - released every few months. - -* Provide steps to reproduce the issue, and if possible include the expected - results as well as the actual results. Please provide text, not screen shots! - -* Respond as promptly as possible to any questions made by the Vault - team to your issue. Stale issues will be closed periodically. - -### Issue Lifecycle - -1. The issue is reported. - -2. The issue is verified and categorized by a Vault Helm collaborator. - Categorization is done via tags. For example, bugs are marked as "bugs". - -3. 
Unless it is critical, the issue may be left for a period of time (sometimes - many weeks), giving outside contributors -- maybe you!? -- a chance to - address the issue. - -4. The issue is addressed in a pull request or commit. The issue will be - referenced in the commit message so that the code that fixes it is clearly - linked. - -5. The issue is closed. Sometimes, valid issues will be closed to keep - the issue tracker clean. The issue is still indexed and available for - future viewers, or can be re-opened if necessary. - -## Testing - -The Helm chart ships with both unit and acceptance tests. - -The unit tests don't require any active Kubernetes cluster and complete -very quickly. These should be used for fast feedback during development. -The acceptance tests require a Kubernetes cluster with a configured `kubectl`. - -### Test Using Docker Container - -The following are the instructions for running bats tests using a Docker container. - -#### Prerequisites - -* Docker installed -* `vault-helm` checked out locally - -#### Test - -**Note:** the following commands should be run from the `vault-helm` directory. - -First, build the Docker image for running the tests: - -```shell -docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test -``` -Next, execute the tests with the following commands: -```shell -docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -``` -It's possible to only run specific bats tests using regular expressions. -For example, the following will run only tests with "injector" in the name: -```shell -docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector" -``` - -### Test Manually -The following are the instructions for running bats tests on your workstation. 
-#### Prerequisites -* [Bats](https://github.com/bats-core/bats-core) - ```bash - brew install bats-core - ``` -* [yq](https://pypi.org/project/yq/) - ```bash - brew install python-yq - ``` -* [helm](https://helm.sh) - ```bash - brew install kubernetes-helm - ``` - -#### Test - -To run the unit tests: - - bats ./test/unit - -To run the acceptance tests: - - bats ./test/acceptance - -If the acceptance tests fail, deployed resources in the Kubernetes cluster -may not be properly cleaned up. We recommend recycling the Kubernetes cluster to -start from a clean slate. - -**Note:** There is a Terraform configuration in the -[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory -that can be used to quickly bring up a GKE cluster and configure -`kubectl` and `helm` locally. This can be used to quickly spin up a test -cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes -cluster. - -### Writing Unit Tests - -Changes to the Helm chart should be accompanied by appropriate unit tests. - -#### Formatting - -- Put tests in the test file in the same order as the variables appear in the `values.yaml`. -- Start tests for a chart value with a header that says what is being tested, like this: - ``` - #-------------------------------------------------------------------- - # annotations - ``` - -- Name the test based on what it's testing in the following format (this will be its first line): - ``` - @test "
: " { - ``` - - When adding tests to an existing file, the first section will be the same as the other tests in the file. - -#### Test Details - -[Bats](https://github.com/bats-core/bats-core) provides a way to run commands in a shell and inspect the output in an automated way. -In all of the tests in this repo, the base command being run is [helm template](https://docs.helm.sh/helm/#helm-template) which turns the templated files into straight yaml output. -In this way, we're able to test that the various conditionals in the templates render as we would expect. - -Each test defines the files that should be rendered using the `--show-only` flag, then it might adjust chart values by adding `--set` flags as well. -The output from this `helm template` command is then piped to [yq](https://pypi.org/project/yq/). -`yq` allows us to pull out just the information we're interested in, either by referencing its position in the yaml file directly or giving information about it (like its length). -The `-r` flag can be used with `yq` to return a raw string instead of a quoted one which is especially useful when looking for an exact match. - -The test passes or fails based on the conditional at the end that is in square brackets, which is a comparison of our expected value and the output of `helm template` piped to `yq`. - -The `| tee /dev/stderr ` pieces direct any terminal output of the `helm template` and `yq` commands to stderr so that it doesn't interfere with `bats`. - -#### Test Examples - -Here are some examples of common test patterns: - -- Check that a value is disabled by default - - ``` - @test "ui/Service: no type by default" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/ui-service.yaml \ - . 
| tee /dev/stderr | - yq -r '.spec.type' | tee /dev/stderr) - [ "${actual}" = "null" ] - } - ``` - - In this example, nothing is changed from the default templates (no `--set` flags), then we use `yq` to retrieve the value we're checking, `.spec.type`. - This output is then compared against our expected value (`null` in this case) in the assertion `[ "${actual}" = "null" ]`. - - -- Check that a template value is rendered to a specific value - ``` - @test "ui/Service: specified type" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/ui-service.yaml \ - --set 'ui.serviceType=LoadBalancer' \ - . | tee /dev/stderr | - yq -r '.spec.type' | tee /dev/stderr) - [ "${actual}" = "LoadBalancer" ] - } - ``` - - This is very similar to the last example, except we've changed a default value with the `--set` flag and correspondingly changed the expected value. - -- Check that a template value contains several values - ``` - @test "server/standalone-StatefulSet: custom resources" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/server-statefulset.yaml \ - --set 'server.standalone.enabled=true' \ - --set 'server.resources.requests.memory=256Mi' \ - --set 'server.resources.requests.cpu=250m' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].resources.requests.memory' | tee /dev/stderr) - [ "${actual}" = "256Mi" ] - - local actual=$(helm template \ - --show-only templates/server-statefulset.yaml \ - --set 'server.standalone.enabled=true' \ - --set 'server.resources.limits.memory=256Mi' \ - --set 'server.resources.limits.cpu=250m' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].resources.limits.memory' | tee /dev/stderr) - [ "${actual}" = "256Mi" ] - ``` - - *Note:* If testing more than two conditions, it would be good to separate the `helm template` part of the command from the `yq` sections to reduce redundant work. 
- -- Check that an entire template file is not rendered - ``` - @test "syncCatalog/Deployment: disabled by default" { - cd `chart_dir` - local actual=$( (helm template \ - --show-only templates/server-statefulset.yaml \ - --set 'global.enabled=false' \ - . || echo "---") | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] - } - ``` - Here we are check the length of the command output to see if the anything is rendered. - This style can easily be switched to check that a file is rendered instead. - -## Contributor License Agreement - -We require that all contributors sign our Contributor License Agreement ("CLA") -before we can accept the contribution. - -[Learn more about why HashiCorp requires a CLA and what the CLA includes](https://www.hashicorp.com/cla) diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/Chart.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/Chart.yaml deleted file mode 100644 index 14b88a1c3..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/Chart.yaml +++ /dev/null @@ -1,23 +0,0 @@ -annotations: - charts.openshift.io/name: HashiCorp Vault -apiVersion: v2 -appVersion: 1.16.1 -description: Official HashiCorp Vault Chart -home: https://www.vaultproject.io -icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png -keywords: -- vault -- security -- encryption -- secrets -- management -- automation -- infrastructure -kubeVersion: '>= 1.20.0-0' -name: testproject2 -sources: -- https://github.com/hashicorp/vault -- https://github.com/hashicorp/vault-helm -- https://github.com/hashicorp/vault-k8s -- https://github.com/hashicorp/vault-csi-provider -version: 0.28.5 diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/LICENSE b/charts/partners/mgoerens/testproject2/0.28.5/src/LICENSE deleted file mode 100644 index 74f38c010..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/LICENSE +++ /dev/null 
@@ -1,355 +0,0 @@ -Copyright (c) 2018 HashiCorp, Inc. - -Mozilla Public License, version 2.0 - -1. Definitions - -1.1. “Contributor” - - means each individual or legal entity that creates, contributes to the - creation of, or owns Covered Software. - -1.2. “Contributor Version” - - means the combination of the Contributions of others (if any) used by a - Contributor and that particular Contributor’s Contribution. - -1.3. “Contribution” - - means Covered Software of a particular Contributor. - -1.4. “Covered Software” - - means Source Code Form to which the initial Contributor has attached the - notice in Exhibit A, the Executable Form of such Source Code Form, and - Modifications of such Source Code Form, in each case including portions - thereof. - -1.5. “Incompatible With Secondary Licenses” - means - - a. that the initial Contributor has attached the notice described in - Exhibit B to the Covered Software; or - - b. that the Covered Software was made available under the terms of version - 1.1 or earlier of the License, but not also under the terms of a - Secondary License. - -1.6. “Executable Form” - - means any form of the work other than Source Code Form. - -1.7. “Larger Work” - - means a work that combines Covered Software with other material, in a separate - file or files, that is not Covered Software. - -1.8. “License” - - means this document. - -1.9. “Licensable” - - means having the right to grant, to the maximum extent possible, whether at the - time of the initial grant or subsequently, any and all of the rights conveyed by - this License. - -1.10. “Modifications” - - means any of the following: - - a. any file in Source Code Form that results from an addition to, deletion - from, or modification of the contents of Covered Software; or - - b. any new file in Source Code Form that contains any Covered Software. - -1.11. 
“Patent Claims” of a Contributor - - means any patent claim(s), including without limitation, method, process, - and apparatus claims, in any patent Licensable by such Contributor that - would be infringed, but for the grant of the License, by the making, - using, selling, offering for sale, having made, import, or transfer of - either its Contributions or its Contributor Version. - -1.12. “Secondary License” - - means either the GNU General Public License, Version 2.0, the GNU Lesser - General Public License, Version 2.1, the GNU Affero General Public - License, Version 3.0, or any later versions of those licenses. - -1.13. “Source Code Form” - - means the form of the work preferred for making modifications. - -1.14. “You” (or “Your”) - - means an individual or a legal entity exercising rights under this - License. For legal entities, “You” includes any entity that controls, is - controlled by, or is under common control with You. For purposes of this - definition, “control” means (a) the power, direct or indirect, to cause - the direction or management of such entity, whether by contract or - otherwise, or (b) ownership of more than fifty percent (50%) of the - outstanding shares or beneficial ownership of such entity. - - -2. License Grants and Conditions - -2.1. Grants - - Each Contributor hereby grants You a world-wide, royalty-free, - non-exclusive license: - - a. under intellectual property rights (other than patent or trademark) - Licensable by such Contributor to use, reproduce, make available, - modify, display, perform, distribute, and otherwise exploit its - Contributions, either on an unmodified basis, with Modifications, or as - part of a Larger Work; and - - b. under Patent Claims of such Contributor to make, use, sell, offer for - sale, have made, import, and otherwise transfer either its Contributions - or its Contributor Version. - -2.2. 
Effective Date - - The licenses granted in Section 2.1 with respect to any Contribution become - effective for each Contribution on the date the Contributor first distributes - such Contribution. - -2.3. Limitations on Grant Scope - - The licenses granted in this Section 2 are the only rights granted under this - License. No additional rights or licenses will be implied from the distribution - or licensing of Covered Software under this License. Notwithstanding Section - 2.1(b) above, no patent license is granted by a Contributor: - - a. for any code that a Contributor has removed from Covered Software; or - - b. for infringements caused by: (i) Your and any other third party’s - modifications of Covered Software, or (ii) the combination of its - Contributions with other software (except as part of its Contributor - Version); or - - c. under Patent Claims infringed by Covered Software in the absence of its - Contributions. - - This License does not grant any rights in the trademarks, service marks, or - logos of any Contributor (except as may be necessary to comply with the - notice requirements in Section 3.4). - -2.4. Subsequent Licenses - - No Contributor makes additional grants as a result of Your choice to - distribute the Covered Software under a subsequent version of this License - (see Section 10.2) or under the terms of a Secondary License (if permitted - under the terms of Section 3.3). - -2.5. Representation - - Each Contributor represents that the Contributor believes its Contributions - are its original creation(s) or it has sufficient rights to grant the - rights to its Contributions conveyed by this License. - -2.6. Fair Use - - This License is not intended to limit any rights You have under applicable - copyright doctrines of fair use, fair dealing, or other equivalents. - -2.7. Conditions - - Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in - Section 2.1. - - -3. Responsibilities - -3.1. 
Distribution of Source Form - - All distribution of Covered Software in Source Code Form, including any - Modifications that You create or to which You contribute, must be under the - terms of this License. You must inform recipients that the Source Code Form - of the Covered Software is governed by the terms of this License, and how - they can obtain a copy of this License. You may not attempt to alter or - restrict the recipients’ rights in the Source Code Form. - -3.2. Distribution of Executable Form - - If You distribute Covered Software in Executable Form then: - - a. such Covered Software must also be made available in Source Code Form, - as described in Section 3.1, and You must inform recipients of the - Executable Form how they can obtain a copy of such Source Code Form by - reasonable means in a timely manner, at a charge no more than the cost - of distribution to the recipient; and - - b. You may distribute such Executable Form under the terms of this License, - or sublicense it under different terms, provided that the license for - the Executable Form does not attempt to limit or alter the recipients’ - rights in the Source Code Form under this License. - -3.3. Distribution of a Larger Work - - You may create and distribute a Larger Work under terms of Your choice, - provided that You also comply with the requirements of this License for the - Covered Software. If the Larger Work is a combination of Covered Software - with a work governed by one or more Secondary Licenses, and the Covered - Software is not Incompatible With Secondary Licenses, this License permits - You to additionally distribute such Covered Software under the terms of - such Secondary License(s), so that the recipient of the Larger Work may, at - their option, further distribute the Covered Software under the terms of - either this License or such Secondary License(s). - -3.4. 
Notices - - You may not remove or alter the substance of any license notices (including - copyright notices, patent notices, disclaimers of warranty, or limitations - of liability) contained within the Source Code Form of the Covered - Software, except that You may alter any license notices to the extent - required to remedy known factual inaccuracies. - -3.5. Application of Additional Terms - - You may choose to offer, and to charge a fee for, warranty, support, - indemnity or liability obligations to one or more recipients of Covered - Software. However, You may do so only on Your own behalf, and not on behalf - of any Contributor. You must make it absolutely clear that any such - warranty, support, indemnity, or liability obligation is offered by You - alone, and You hereby agree to indemnify every Contributor for any - liability incurred by such Contributor as a result of warranty, support, - indemnity or liability terms You offer. You may include additional - disclaimers of warranty and limitations of liability specific to any - jurisdiction. - -4. Inability to Comply Due to Statute or Regulation - - If it is impossible for You to comply with any of the terms of this License - with respect to some or all of the Covered Software due to statute, judicial - order, or regulation then You must: (a) comply with the terms of this License - to the maximum extent possible; and (b) describe the limitations and the code - they affect. Such description must be placed in a text file included with all - distributions of the Covered Software under this License. Except to the - extent prohibited by statute or regulation, such description must be - sufficiently detailed for a recipient of ordinary skill to be able to - understand it. - -5. Termination - -5.1. The rights granted under this License will terminate automatically if You - fail to comply with any of its terms. 
However, if You become compliant, - then the rights granted under this License from a particular Contributor - are reinstated (a) provisionally, unless and until such Contributor - explicitly and finally terminates Your grants, and (b) on an ongoing basis, - if such Contributor fails to notify You of the non-compliance by some - reasonable means prior to 60 days after You have come back into compliance. - Moreover, Your grants from a particular Contributor are reinstated on an - ongoing basis if such Contributor notifies You of the non-compliance by - some reasonable means, this is the first time You have received notice of - non-compliance with this License from such Contributor, and You become - compliant prior to 30 days after Your receipt of the notice. - -5.2. If You initiate litigation against any entity by asserting a patent - infringement claim (excluding declaratory judgment actions, counter-claims, - and cross-claims) alleging that a Contributor Version directly or - indirectly infringes any patent, then the rights granted to You by any and - all Contributors for the Covered Software under Section 2.1 of this License - shall terminate. - -5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user - license agreements (excluding distributors and resellers) which have been - validly granted by You or Your distributors under this License prior to - termination shall survive termination. - -6. Disclaimer of Warranty - - Covered Software is provided under this License on an “as is” basis, without - warranty of any kind, either expressed, implied, or statutory, including, - without limitation, warranties that the Covered Software is free of defects, - merchantable, fit for a particular purpose or non-infringing. The entire - risk as to the quality and performance of the Covered Software is with You. 
- Should any Covered Software prove defective in any respect, You (not any - Contributor) assume the cost of any necessary servicing, repair, or - correction. This disclaimer of warranty constitutes an essential part of this - License. No use of any Covered Software is authorized under this License - except under this disclaimer. - -7. Limitation of Liability - - Under no circumstances and under no legal theory, whether tort (including - negligence), contract, or otherwise, shall any Contributor, or anyone who - distributes Covered Software as permitted above, be liable to You for any - direct, indirect, special, incidental, or consequential damages of any - character including, without limitation, damages for lost profits, loss of - goodwill, work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses, even if such party shall have been - informed of the possibility of such damages. This limitation of liability - shall not apply to liability for death or personal injury resulting from such - party’s negligence to the extent applicable law prohibits such limitation. - Some jurisdictions do not allow the exclusion or limitation of incidental or - consequential damages, so this exclusion and limitation may not apply to You. - -8. Litigation - - Any litigation relating to this License may be brought only in the courts of - a jurisdiction where the defendant maintains its principal place of business - and such litigation shall be governed by laws of that jurisdiction, without - reference to its conflict-of-law provisions. Nothing in this Section shall - prevent a party’s ability to bring cross-claims or counter-claims. - -9. Miscellaneous - - This License represents the complete agreement concerning the subject matter - hereof. If any provision of this License is held to be unenforceable, such - provision shall be reformed only to the extent necessary to make it - enforceable. 
Any law or regulation which provides that the language of a - contract shall be construed against the drafter shall not be used to construe - this License against a Contributor. - - -10. Versions of the License - -10.1. New Versions - - Mozilla Foundation is the license steward. Except as provided in Section - 10.3, no one other than the license steward has the right to modify or - publish new versions of this License. Each version will be given a - distinguishing version number. - -10.2. Effect of New Versions - - You may distribute the Covered Software under the terms of the version of - the License under which You originally received the Covered Software, or - under the terms of any subsequent version published by the license - steward. - -10.3. Modified Versions - - If you create software not governed by this License, and you want to - create a new license for such software, you may create and use a modified - version of this License if you rename the license and remove any - references to the name of the license steward (except to note that such - modified license differs from this License). - -10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses - If You choose to distribute Source Code Form that is Incompatible With - Secondary Licenses under the terms of this version of the License, the - notice described in Exhibit B of this License must be attached. - -Exhibit A - Source Code Form License Notice - - This Source Code Form is subject to the - terms of the Mozilla Public License, v. - 2.0. If a copy of the MPL was not - distributed with this file, You can - obtain one at - http://mozilla.org/MPL/2.0/. - -If it is not possible or desirable to put the notice in a particular file, then -You may include the notice in a location (such as a LICENSE file in a relevant -directory) where a recipient would be likely to look for such a notice. - -You may add additional accurate notices of copyright ownership. 
- -Exhibit B - “Incompatible With Secondary Licenses” Notice - - This Source Code Form is “Incompatible - With Secondary Licenses”, as defined by - the Mozilla Public License, v. 2.0. diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/Makefile b/charts/partners/mgoerens/testproject2/0.28.5/src/Makefile deleted file mode 100644 index 96503eb69..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/Makefile +++ /dev/null 
@@ -1,101 +0,0 @@
-TEST_IMAGE?=vault-helm-test
-GOOGLE_CREDENTIALS?=vault-helm-test.json
-CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514
-# set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats
-ACCEPTANCE_TESTS?=acceptance
-
-# filter bats unit tests to run.
-UNIT_TESTS_FILTER?='.*'
-
-# set to 'true' to run acceptance tests locally in a kind cluster
-LOCAL_ACCEPTANCE_TESTS?=false
-
-# kind cluster name
-KIND_CLUSTER_NAME?=vault-helm
-
-# kind k8s version
-KIND_K8S_VERSION?=v1.29.2
-
-# Generate json schema for chart values. See test/README.md for more details.
-values-schema:
- helm schema-gen values.yaml > values.schema.json
-
-test-image:
- @docker build --rm -t $(TEST_IMAGE) -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR)
-
-test-unit:
- @docker run --rm -it -v ${PWD}:/helm-test $(TEST_IMAGE) bats -f $(UNIT_TESTS_FILTER) /helm-test/test/unit
-
-test-bats: test-unit test-acceptance
-
-test: test-image test-bats
-
-# run acceptance tests on GKE
-# set google project/credential vars above
-test-acceptance:
-ifeq ($(LOCAL_ACCEPTANCE_TESTS),true)
- make setup-kind acceptance
-else
- @docker run -it -v ${PWD}:/helm-test \
- -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
- -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
- -e KUBECONFIG=/helm-test/.kube/config \
- -e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \
- -w /helm-test \
- $(TEST_IMAGE) \
- make acceptance
-endif
-
-# destroy GKE cluster using terraform
-test-destroy:
- @docker run -it -v ${PWD}:/helm-test \
- -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
- -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
- -w /helm-test \
- $(TEST_IMAGE) \
- make destroy-cluster
-
-# provision GKE cluster using terraform
-test-provision:
- @docker run -it -v ${PWD}:/helm-test \
- -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
- -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
- -e KUBECONFIG=/helm-test/.kube/config \
- -w /helm-test \
- $(TEST_IMAGE) \
- make provision-cluster
-
-# this target is for running the acceptance tests
-# it is run in the docker container above when the test-acceptance target is invoked
-acceptance:
-ifneq ($(LOCAL_ACCEPTANCE_TESTS),true)
- gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
-endif
- bats --tap --timing test/${ACCEPTANCE_TESTS}
-
-# this target is for provisioning the GKE cluster
-# it is run in the docker container above when the test-provision target is invoked
-provision-cluster:
- gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
- terraform init test/terraform
- terraform apply -var project=${CLOUDSDK_CORE_PROJECT} -var init_cli=true -auto-approve test/terraform
-
-# this target is for removing the GKE cluster
-# it is run in the docker container above when the test-destroy target is invoked
-destroy-cluster:
- terraform destroy -auto-approve
-
-# create a kind cluster for running the acceptance tests locally
-setup-kind:
- kind get clusters | grep -q "^${KIND_CLUSTER_NAME}$$" || \
- kind create cluster \
- --image kindest/node:${KIND_K8S_VERSION} \
- --name ${KIND_CLUSTER_NAME} \
- --config $(CURDIR)/test/kind/config.yaml
- kubectl config use-context kind-${KIND_CLUSTER_NAME}
-
-# delete the kind cluster
-delete-kind:
- kind delete cluster --name ${KIND_CLUSTER_NAME} || :
-
-.PHONY: values-schema test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/README.md b/charts/partners/mgoerens/testproject2/0.28.5/src/README.md
deleted file mode 100644
index 256bd8b91..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/README.md
+++ /dev/null
@@ -1,43 +0,0 @@
-# Vault Helm Chart
-
-> :warning: **Please note**: We take Vault's security and our users' trust very seriously. If
-you believe you have found a security issue in Vault Helm, _please responsibly disclose_
-by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).
-
-This repository contains the official HashiCorp Helm chart for installing
-and configuring Vault on Kubernetes. This chart supports multiple use
-cases of Vault on Kubernetes depending on the values provided.
-
-For full documentation on this Helm chart along with all the ways you can
-use Vault with Kubernetes, please see the
-[Vault and Kubernetes documentation](https://developer.hashicorp.com/vault/docs/platform/k8s).
-
-## Prerequisites
-
-To use the charts here, [Helm](https://helm.sh/) must be configured for your
-Kubernetes cluster. Setting up Kubernetes and Helm is outside the scope of
-this README. Please refer to the Kubernetes and Helm documentation.
-
-The versions required are:
-
- * **Helm 3.6+**
- * **Kubernetes 1.22+** - This is the earliest version of Kubernetes tested.
- It is possible that this chart works with earlier versions but it is
- untested.
-
-## Usage
-
-To install the latest version of this chart, add the Hashicorp helm repository
-and run `helm install`:
-
-```console
-$ helm repo add hashicorp https://helm.releases.hashicorp.com
-"hashicorp" has been added to your repositories
-
-$ helm install vault hashicorp/vault
-```
-
-Please see the many options supported in the `values.yaml` file. These are also
-fully documented directly on the [Vault
-website](https://developer.hashicorp.com/vault/docs/platform/k8s/helm) along with more
-detailed installation instructions.
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/NOTES.txt b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/NOTES.txt
deleted file mode 100644
index 60d99a4e5..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/NOTES.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-
-Thank you for installing HashiCorp Vault!
-
-Now that you have deployed Vault, you should look over the docs on using
-Vault with Kubernetes available here:
-
-https://developer.hashicorp.com/vault/docs
-
-
-Your release is named {{ .Release.Name }}. To learn more about the release, try:
-
- $ helm status {{ .Release.Name }}
- $ helm get manifest {{ .Release.Name }}
-
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/_helpers.tpl b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/_helpers.tpl
deleted file mode 100644
index 7a22d04cc..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/_helpers.tpl
+++ /dev/null
@@ -1,1105 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to -this (by the DNS naming spec). If release name contains chart name it will -be used as a full name. -*/}} -{{- define "vault.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "vault.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Expand the name of the chart. -*/}} -{{- define "vault.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Allow the release namespace to be overridden -*/}} -{{- define "vault.namespace" -}} -{{- default .Release.Namespace .Values.global.namespace -}} -{{- end -}} - -{{/* -Compute if the csi driver is enabled. -*/}} -{{- define "vault.csiEnabled" -}} -{{- $_ := set . "csiEnabled" (or - (eq (.Values.csi.enabled | toString) "true") - (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} -{{- end -}} - -{{/* -Compute if the injector is enabled. -*/}} -{{- define "vault.injectorEnabled" -}} -{{- $_ := set . "injectorEnabled" (or - (eq (.Values.injector.enabled | toString) "true") - (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} -{{- end -}} - -{{/* -Compute if the server is enabled. -*/}} -{{- define "vault.serverEnabled" -}} -{{- $_ := set . 
"serverEnabled" (or - (eq (.Values.server.enabled | toString) "true") - (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} -{{- end -}} - -{{/* -Compute if the server serviceaccount is enabled. -*/}} -{{- define "vault.serverServiceAccountEnabled" -}} -{{- $_ := set . "serverServiceAccountEnabled" - (and - (eq (.Values.server.serviceAccount.create | toString) "true" ) - (or - (eq (.Values.server.enabled | toString) "true") - (eq (.Values.global.enabled | toString) "true"))) -}} -{{- end -}} - -{{/* -Compute if the server serviceaccount should have a token created and mounted to the serviceaccount. -*/}} -{{- define "vault.serverServiceAccountSecretCreationEnabled" -}} -{{- $_ := set . "serverServiceAccountSecretCreationEnabled" - (and - (eq (.Values.server.serviceAccount.create | toString) "true") - (eq (.Values.server.serviceAccount.createSecret | toString) "true")) -}} -{{- end -}} - - -{{/* -Compute if the server auth delegator serviceaccount is enabled. -*/}} -{{- define "vault.serverAuthDelegator" -}} -{{- $_ := set . "serverAuthDelegator" - (and - (eq (.Values.server.authDelegator.enabled | toString) "true" ) - (or (eq (.Values.server.serviceAccount.create | toString) "true") - (not (eq .Values.server.serviceAccount.name ""))) - (or - (eq (.Values.server.enabled | toString) "true") - (eq (.Values.global.enabled | toString) "true"))) -}} -{{- end -}} - -{{/* -Compute if the server service is enabled. -*/}} -{{- define "vault.serverServiceEnabled" -}} -{{- template "vault.serverEnabled" . -}} -{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}} -{{- end -}} - -{{/* -Compute if the ui is enabled. -*/}} -{{- define "vault.uiEnabled" -}} -{{- $_ := set . 
"uiEnabled" (or - (eq (.Values.ui.enabled | toString) "true") - (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} -{{- end -}} - -{{/* -Compute the maximum number of unavailable replicas for the PodDisruptionBudget. -This defaults to (n/2)-1 where n is the number of members of the server cluster. -Add a special case for replicas=1, where it should default to 0 as well. -*/}} -{{- define "vault.pdb.maxUnavailable" -}} -{{- if eq (int .Values.server.ha.replicas) 1 -}} -{{ 0 }} -{{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}} -{{ .Values.server.ha.disruptionBudget.maxUnavailable -}} -{{- else -}} -{{- div (sub (div (mul (int .Values.server.ha.replicas) 10) 2) 1) 10 -}} -{{- end -}} -{{- end -}} - -{{/* -Set the variable 'mode' to the server mode requested by the user to simplify -template logic. -*/}} -{{- define "vault.mode" -}} - {{- template "vault.serverEnabled" . -}} - {{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}} - {{- $_ := set . "mode" "external" -}} - {{- else if not .serverEnabled -}} - {{- $_ := set . "mode" "external" -}} - {{- else if eq (.Values.server.dev.enabled | toString) "true" -}} - {{- $_ := set . "mode" "dev" -}} - {{- else if eq (.Values.server.ha.enabled | toString) "true" -}} - {{- $_ := set . "mode" "ha" -}} - {{- else if or (eq (.Values.server.standalone.enabled | toString) "true") (eq (.Values.server.standalone.enabled | toString) "-") -}} - {{- $_ := set . "mode" "standalone" -}} - {{- else -}} - {{- $_ := set . 
"mode" "" -}} - {{- end -}} -{{- end -}} - -{{/* -Set's the replica count based on the different modes configured by user -*/}} -{{- define "vault.replicas" -}} - {{ if eq .mode "standalone" }} - {{- default 1 -}} - {{ else if eq .mode "ha" }} - {{- if or (kindIs "int64" .Values.server.ha.replicas) (kindIs "float64" .Values.server.ha.replicas) -}} - {{- .Values.server.ha.replicas -}} - {{ else }} - {{- 3 -}} - {{- end -}} - {{ else }} - {{- default 1 -}} - {{ end }} -{{- end -}} - -{{/* -Set's up configmap mounts if this isn't a dev deployment and the user -defined a custom configuration. Additionally iterates over any -extra volumes the user may have specified (such as a secret with TLS). -*/}} -{{- define "vault.volumes" -}} - {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} - - name: config - configMap: - name: {{ template "vault.fullname" . }}-config - {{ end }} - {{- range .Values.server.extraVolumes }} - - name: userconfig-{{ .name }} - {{ .type }}: - {{- if (eq .type "configMap") }} - name: {{ .name }} - {{- else if (eq .type "secret") }} - secretName: {{ .name }} - {{- end }} - defaultMode: {{ .defaultMode | default 420 }} - {{- end }} - {{- if .Values.server.volumes }} - {{- toYaml .Values.server.volumes | nindent 8}} - {{- end }} - {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} - - name: vault-license - secret: - secretName: {{ .Values.server.enterpriseLicense.secretName }} - defaultMode: 0440 - {{- end }} -{{- end -}} - -{{/* -Set's the args for custom command to render the Vault configuration -file with IP addresses to make the out of box experience easier -for users looking to use this chart with Consul Helm. 
-*/}} -{{- define "vault.args" -}} - {{ if or (eq .mode "standalone") (eq .mode "ha") }} - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }} - {{ else if eq .mode "dev" }} - - | - /usr/local/bin/docker-entrypoint.sh vault server -dev {{ .Values.server.extraArgs }} - {{ end }} -{{- end -}} - -{{/* -Set's additional environment variables based on the mode. -*/}} -{{- define "vault.envs" -}} - {{ if eq .mode "dev" }} - - name: VAULT_DEV_ROOT_TOKEN_ID - value: {{ .Values.server.dev.devRootToken }} - - name: VAULT_DEV_LISTEN_ADDRESS - value: "[::]:8200" - {{ end }} -{{- end -}} - -{{/* -Set's which additional volumes should be mounted to the container -based on the mode configured. 
-*/}} -{{- define "vault.mounts" -}} - {{ if eq (.Values.server.auditStorage.enabled | toString) "true" }} - - name: audit - mountPath: {{ .Values.server.auditStorage.mountPath }} - {{ end }} - {{ if or (eq .mode "standalone") (and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true")) }} - {{ if eq (.Values.server.dataStorage.enabled | toString) "true" }} - - name: data - mountPath: {{ .Values.server.dataStorage.mountPath }} - {{ end }} - {{ end }} - {{ if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} - - name: config - mountPath: /vault/config - {{ end }} - {{- range .Values.server.extraVolumes }} - - name: userconfig-{{ .name }} - readOnly: true - mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }} - {{- end }} - {{- if .Values.server.volumeMounts }} - {{- toYaml .Values.server.volumeMounts | nindent 12}} - {{- end }} - {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} - - name: vault-license - mountPath: /vault/license - readOnly: true - {{- end }} -{{- end -}} - -{{/* -Set's up the volumeClaimTemplates when data or audit storage is required. HA -might not use data storage since Consul is likely it's backend, however, audit -storage might be desired by the user. -*/}} -{{- define "vault.volumeclaims" -}} - {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }} - volumeClaimTemplates: - {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }} - - metadata: - name: data - {{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }} - {{- include "vault.dataVolumeClaim.labels" . 
| nindent 6 }} - spec: - accessModes: - - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }} - resources: - requests: - storage: {{ .Values.server.dataStorage.size }} - {{- if .Values.server.dataStorage.storageClass }} - storageClassName: {{ .Values.server.dataStorage.storageClass }} - {{- end }} - {{ end }} - {{- if eq (.Values.server.auditStorage.enabled | toString) "true" }} - - metadata: - name: audit - {{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }} - {{- include "vault.auditVolumeClaim.labels" . | nindent 6 }} - spec: - accessModes: - - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }} - resources: - requests: - storage: {{ .Values.server.auditStorage.size }} - {{- if .Values.server.auditStorage.storageClass }} - storageClassName: {{ .Values.server.auditStorage.storageClass }} - {{- end }} - {{ end }} - {{ end }} -{{- end -}} - -{{/* -Set's the affinity for pod placement when running in standalone and HA modes. -*/}} -{{- define "vault.affinity" -}} - {{- if and (ne .mode "dev") .Values.server.affinity }} - affinity: - {{ $tp := typeOf .Values.server.affinity }} - {{- if eq $tp "string" }} - {{- tpl .Values.server.affinity . | nindent 8 | trim }} - {{- else }} - {{- toYaml .Values.server.affinity | nindent 8 }} - {{- end }} - {{ end }} -{{- end -}} - -{{/* -Sets the injector affinity for pod placement -*/}} -{{- define "injector.affinity" -}} - {{- if .Values.injector.affinity }} - affinity: - {{ $tp := typeOf .Values.injector.affinity }} - {{- if eq $tp "string" }} - {{- tpl .Values.injector.affinity . | nindent 8 | trim }} - {{- else }} - {{- toYaml .Values.injector.affinity | nindent 8 }} - {{- end }} - {{ end }} -{{- end -}} - -{{/* -Sets the topologySpreadConstraints when running in standalone and HA modes. 
-*/}} -{{- define "vault.topologySpreadConstraints" -}} - {{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }} - topologySpreadConstraints: - {{ $tp := typeOf .Values.server.topologySpreadConstraints }} - {{- if eq $tp "string" }} - {{- tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} - {{- else }} - {{- toYaml .Values.server.topologySpreadConstraints | nindent 8 }} - {{- end }} - {{ end }} -{{- end -}} - - -{{/* -Sets the injector topologySpreadConstraints for pod placement -*/}} -{{- define "injector.topologySpreadConstraints" -}} - {{- if .Values.injector.topologySpreadConstraints }} - topologySpreadConstraints: - {{ $tp := typeOf .Values.injector.topologySpreadConstraints }} - {{- if eq $tp "string" }} - {{- tpl .Values.injector.topologySpreadConstraints . | nindent 8 | trim }} - {{- else }} - {{- toYaml .Values.injector.topologySpreadConstraints | nindent 8 }} - {{- end }} - {{ end }} -{{- end -}} - -{{/* -Sets the toleration for pod placement when running in standalone and HA modes. -*/}} -{{- define "vault.tolerations" -}} - {{- if and (ne .mode "dev") .Values.server.tolerations }} - tolerations: - {{- $tp := typeOf .Values.server.tolerations }} - {{- if eq $tp "string" }} - {{ tpl .Values.server.tolerations . | nindent 8 | trim }} - {{- else }} - {{- toYaml .Values.server.tolerations | nindent 8 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets the injector toleration for pod placement -*/}} -{{- define "injector.tolerations" -}} - {{- if .Values.injector.tolerations }} - tolerations: - {{- $tp := typeOf .Values.injector.tolerations }} - {{- if eq $tp "string" }} - {{ tpl .Values.injector.tolerations . | nindent 8 | trim }} - {{- else }} - {{- toYaml .Values.injector.tolerations | nindent 8 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Set's the node selector for pod placement when running in standalone and HA modes. 
-*/}} -{{- define "vault.nodeselector" -}} - {{- if and (ne .mode "dev") .Values.server.nodeSelector }} - nodeSelector: - {{- $tp := typeOf .Values.server.nodeSelector }} - {{- if eq $tp "string" }} - {{ tpl .Values.server.nodeSelector . | nindent 8 | trim }} - {{- else }} - {{- toYaml .Values.server.nodeSelector | nindent 8 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets the injector node selector for pod placement -*/}} -{{- define "injector.nodeselector" -}} - {{- if .Values.injector.nodeSelector }} - nodeSelector: - {{- $tp := typeOf .Values.injector.nodeSelector }} - {{- if eq $tp "string" }} - {{ tpl .Values.injector.nodeSelector . | nindent 8 | trim }} - {{- else }} - {{- toYaml .Values.injector.nodeSelector | nindent 8 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets the injector deployment update strategy -*/}} -{{- define "injector.strategy" -}} - {{- if .Values.injector.strategy }} - strategy: - {{- $tp := typeOf .Values.injector.strategy }} - {{- if eq $tp "string" }} - {{ tpl .Values.injector.strategy . | nindent 4 | trim }} - {{- else }} - {{- toYaml .Values.injector.strategy | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets extra pod annotations -*/}} -{{- define "vault.annotations" }} - annotations: - {{- if .Values.server.includeConfigAnnotation }} - vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }} - {{- end }} - {{- if .Values.server.annotations }} - {{- $tp := typeOf .Values.server.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.server.annotations . | nindent 8 }} - {{- else }} - {{- toYaml .Values.server.annotations | nindent 8 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets extra injector pod annotations -*/}} -{{- define "injector.annotations" -}} - {{- if .Values.injector.annotations }} - annotations: - {{- $tp := typeOf .Values.injector.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.injector.annotations . 
| nindent 8 }} - {{- else }} - {{- toYaml .Values.injector.annotations | nindent 8 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets extra injector service annotations -*/}} -{{- define "injector.service.annotations" -}} - {{- if .Values.injector.service.annotations }} - annotations: - {{- $tp := typeOf .Values.injector.service.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.injector.service.annotations . | nindent 4 }} - {{- else }} - {{- toYaml .Values.injector.service.annotations | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -securityContext for the injector pod level. -*/}} -{{- define "injector.securityContext.pod" -}} - {{- if .Values.injector.securityContext.pod }} - securityContext: - {{- $tp := typeOf .Values.injector.securityContext.pod }} - {{- if eq $tp "string" }} - {{- tpl .Values.injector.securityContext.pod . | nindent 8 }} - {{- else }} - {{- toYaml .Values.injector.securityContext.pod | nindent 8 }} - {{- end }} - {{- else if not .Values.global.openshift }} - securityContext: - runAsNonRoot: true - runAsGroup: {{ .Values.injector.gid | default 1000 }} - runAsUser: {{ .Values.injector.uid | default 100 }} - fsGroup: {{ .Values.injector.gid | default 1000 }} - {{- end }} -{{- end -}} - -{{/* -securityContext for the injector container level. -*/}} -{{- define "injector.securityContext.container" -}} - {{- if .Values.injector.securityContext.container}} - securityContext: - {{- $tp := typeOf .Values.injector.securityContext.container }} - {{- if eq $tp "string" }} - {{- tpl .Values.injector.securityContext.container . | nindent 12 }} - {{- else }} - {{- toYaml .Values.injector.securityContext.container | nindent 12 }} - {{- end }} - {{- else if not .Values.global.openshift }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - {{- end }} -{{- end -}} - -{{/* -securityContext for the statefulset pod template. 
-*/}} -{{- define "server.statefulSet.securityContext.pod" -}} - {{- if .Values.server.statefulSet.securityContext.pod }} - securityContext: - {{- $tp := typeOf .Values.server.statefulSet.securityContext.pod }} - {{- if eq $tp "string" }} - {{- tpl .Values.server.statefulSet.securityContext.pod . | nindent 8 }} - {{- else }} - {{- toYaml .Values.server.statefulSet.securityContext.pod | nindent 8 }} - {{- end }} - {{- else if not .Values.global.openshift }} - securityContext: - runAsNonRoot: true - runAsGroup: {{ .Values.server.gid | default 1000 }} - runAsUser: {{ .Values.server.uid | default 100 }} - fsGroup: {{ .Values.server.gid | default 1000 }} - {{- end }} -{{- end -}} - -{{/* -securityContext for the statefulset vault container -*/}} -{{- define "server.statefulSet.securityContext.container" -}} - {{- if .Values.server.statefulSet.securityContext.container }} - securityContext: - {{- $tp := typeOf .Values.server.statefulSet.securityContext.container }} - {{- if eq $tp "string" }} - {{- tpl .Values.server.statefulSet.securityContext.container . | nindent 12 }} - {{- else }} - {{- toYaml .Values.server.statefulSet.securityContext.container | nindent 12 }} - {{- end }} - {{- else if not .Values.global.openshift }} - securityContext: - allowPrivilegeEscalation: false - {{- end }} -{{- end -}} - - -{{/* -Sets extra injector service account annotations -*/}} -{{- define "injector.serviceAccount.annotations" -}} - {{- if and (ne .mode "dev") .Values.injector.serviceAccount.annotations }} - annotations: - {{- $tp := typeOf .Values.injector.serviceAccount.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.injector.serviceAccount.annotations . 
| nindent 4 }} - {{- else }} - {{- toYaml .Values.injector.serviceAccount.annotations | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets extra injector webhook annotations -*/}} -{{- define "injector.webhookAnnotations" -}} - {{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations) }} - annotations: - {{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }} - {{- if eq $tp "string" }} - {{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }} - {{- else }} - {{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Set's the injector webhook objectSelector -*/}} -{{- define "injector.objectSelector" -}} - {{- $v := or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) -}} - {{ if $v }} - objectSelector: - {{- $tp := typeOf $v -}} - {{ if eq $tp "string" }} - {{ tpl $v . | indent 6 | trim }} - {{ else }} - {{ toYaml $v | indent 6 | trim }} - {{ end }} - {{ end }} -{{ end }} - -{{/* -Sets extra ui service annotations -*/}} -{{- define "vault.ui.annotations" -}} - {{- if .Values.ui.annotations }} - annotations: - {{- $tp := typeOf .Values.ui.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.ui.annotations . | nindent 4 }} - {{- else }} - {{- toYaml .Values.ui.annotations | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "vault.serviceAccount.name" -}} -{{- if .Values.server.serviceAccount.create -}} - {{ default (include "vault.fullname" .) 
.Values.server.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.server.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Sets extra service account annotations -*/}} -{{- define "vault.serviceAccount.annotations" -}} - {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }} - annotations: - {{- $tp := typeOf .Values.server.serviceAccount.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.server.serviceAccount.annotations . | nindent 4 }} - {{- else }} - {{- toYaml .Values.server.serviceAccount.annotations | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets extra ingress annotations -*/}} -{{- define "vault.ingress.annotations" -}} - {{- if .Values.server.ingress.annotations }} - annotations: - {{- $tp := typeOf .Values.server.ingress.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.server.ingress.annotations . | nindent 4 }} - {{- else }} - {{- toYaml .Values.server.ingress.annotations | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets extra route annotations -*/}} -{{- define "vault.route.annotations" -}} - {{- if .Values.server.route.annotations }} - annotations: - {{- $tp := typeOf .Values.server.route.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.server.route.annotations . | nindent 4 }} - {{- else }} - {{- toYaml .Values.server.route.annotations | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets extra vault server Service annotations -*/}} -{{- define "vault.service.annotations" -}} - {{- if .Values.server.service.annotations }} - {{- $tp := typeOf .Values.server.service.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.server.service.annotations . 
| nindent 4 }} - {{- else }} - {{- toYaml .Values.server.service.annotations | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets extra vault server Service (active) annotations -*/}} -{{- define "vault.service.active.annotations" -}} - {{- if .Values.server.service.active.annotations }} - {{- $tp := typeOf .Values.server.service.active.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.server.service.active.annotations . | nindent 4 }} - {{- else }} - {{- toYaml .Values.server.service.active.annotations | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} -{{/* -Sets extra vault server Service annotations -*/}} -{{- define "vault.service.standby.annotations" -}} - {{- if .Values.server.service.standby.annotations }} - {{- $tp := typeOf .Values.server.service.standby.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.server.service.standby.annotations . | nindent 4 }} - {{- else }} - {{- toYaml .Values.server.service.standby.annotations | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets PodSecurityPolicy annotations -*/}} -{{- define "vault.psp.annotations" -}} - {{- if .Values.global.psp.annotations }} - annotations: - {{- $tp := typeOf .Values.global.psp.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.global.psp.annotations . | nindent 4 }} - {{- else }} - {{- toYaml .Values.global.psp.annotations | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets extra statefulset annotations -*/}} -{{- define "vault.statefulSet.annotations" -}} - {{- if .Values.server.statefulSet.annotations }} - annotations: - {{- $tp := typeOf .Values.server.statefulSet.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.server.statefulSet.annotations . 
| nindent 4 }} - {{- else }} - {{- toYaml .Values.server.statefulSet.annotations | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets VolumeClaim annotations for data volume -*/}} -{{- define "vault.dataVolumeClaim.annotations" -}} - {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }} - annotations: - {{- $tp := typeOf .Values.server.dataStorage.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.server.dataStorage.annotations . | nindent 4 }} - {{- else }} - {{- toYaml .Values.server.dataStorage.annotations | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets VolumeClaim labels for data volume -*/}} -{{- define "vault.dataVolumeClaim.labels" -}} - {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }} - labels: - {{- $tp := typeOf .Values.server.dataStorage.labels }} - {{- if eq $tp "string" }} - {{- tpl .Values.server.dataStorage.labels . | nindent 4 }} - {{- else }} - {{- toYaml .Values.server.dataStorage.labels | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets VolumeClaim annotations for audit volume -*/}} -{{- define "vault.auditVolumeClaim.annotations" -}} - {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }} - annotations: - {{- $tp := typeOf .Values.server.auditStorage.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.server.auditStorage.annotations . 
| nindent 4 }} - {{- else }} - {{- toYaml .Values.server.auditStorage.annotations | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets VolumeClaim labels for audit volume -*/}} -{{- define "vault.auditVolumeClaim.labels" -}} - {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }} - labels: - {{- $tp := typeOf .Values.server.auditStorage.labels }} - {{- if eq $tp "string" }} - {{- tpl .Values.server.auditStorage.labels . | nindent 4 }} - {{- else }} - {{- toYaml .Values.server.auditStorage.labels | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Set's the container resources if the user has set any. -*/}} -{{- define "vault.resources" -}} - {{- if .Values.server.resources -}} - resources: -{{ toYaml .Values.server.resources | indent 12}} - {{ end }} -{{- end -}} - -{{/* -Sets the container resources if the user has set any. -*/}} -{{- define "injector.resources" -}} - {{- if .Values.injector.resources -}} - resources: -{{ toYaml .Values.injector.resources | indent 12}} - {{ end }} -{{- end -}} - -{{/* -Sets the container resources if the user has set any. -*/}} -{{- define "csi.resources" -}} - {{- if .Values.csi.resources -}} - resources: -{{ toYaml .Values.csi.resources | indent 12}} - {{ end }} -{{- end -}} - -{{/* -Sets the container resources for CSI's Agent sidecar if the user has set any. -*/}} -{{- define "csi.agent.resources" -}} - {{- if .Values.csi.agent.resources -}} - resources: -{{ toYaml .Values.csi.agent.resources | indent 12}} - {{ end }} -{{- end -}} - -{{/* -Sets extra CSI daemonset annotations -*/}} -{{- define "csi.daemonSet.annotations" -}} - {{- if .Values.csi.daemonSet.annotations }} - annotations: - {{- $tp := typeOf .Values.csi.daemonSet.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.csi.daemonSet.annotations . 
| nindent 4 }} - {{- else }} - {{- toYaml .Values.csi.daemonSet.annotations | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets CSI daemonset securityContext for pod template -*/}} -{{- define "csi.daemonSet.securityContext.pod" -}} - {{- if .Values.csi.daemonSet.securityContext.pod }} - securityContext: - {{- $tp := typeOf .Values.csi.daemonSet.securityContext.pod }} - {{- if eq $tp "string" }} - {{- tpl .Values.csi.daemonSet.securityContext.pod . | nindent 8 }} - {{- else }} - {{- toYaml .Values.csi.daemonSet.securityContext.pod | nindent 8 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets CSI daemonset securityContext for container -*/}} -{{- define "csi.daemonSet.securityContext.container" -}} - {{- if .Values.csi.daemonSet.securityContext.container }} - securityContext: - {{- $tp := typeOf .Values.csi.daemonSet.securityContext.container }} - {{- if eq $tp "string" }} - {{- tpl .Values.csi.daemonSet.securityContext.container . | nindent 12 }} - {{- else }} - {{- toYaml .Values.csi.daemonSet.securityContext.container | nindent 12 }} - {{- end }} - {{- end }} -{{- end -}} - - -{{/* -Sets the injector toleration for pod placement -*/}} -{{- define "csi.pod.tolerations" -}} - {{- if .Values.csi.pod.tolerations }} - tolerations: - {{- $tp := typeOf .Values.csi.pod.tolerations }} - {{- if eq $tp "string" }} - {{ tpl .Values.csi.pod.tolerations . | nindent 8 | trim }} - {{- else }} - {{- toYaml .Values.csi.pod.tolerations | nindent 8 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets the CSI provider nodeSelector for pod placement -*/}} -{{- define "csi.pod.nodeselector" -}} - {{- if .Values.csi.pod.nodeSelector }} - nodeSelector: - {{- $tp := typeOf .Values.csi.pod.nodeSelector }} - {{- if eq $tp "string" }} - {{ tpl .Values.csi.pod.nodeSelector . | nindent 8 | trim }} - {{- else }} - {{- toYaml .Values.csi.pod.nodeSelector | nindent 8 }} - {{- end }} - {{- end }} -{{- end -}} -{{/* -Sets the CSI provider affinity for pod placement. 
-*/}} -{{- define "csi.pod.affinity" -}} - {{- if .Values.csi.pod.affinity }} - affinity: - {{ $tp := typeOf .Values.csi.pod.affinity }} - {{- if eq $tp "string" }} - {{- tpl .Values.csi.pod.affinity . | nindent 8 | trim }} - {{- else }} - {{- toYaml .Values.csi.pod.affinity | nindent 8 }} - {{- end }} - {{ end }} -{{- end -}} -{{/* -Sets extra CSI provider pod annotations -*/}} -{{- define "csi.pod.annotations" -}} - {{- if .Values.csi.pod.annotations }} - annotations: - {{- $tp := typeOf .Values.csi.pod.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.csi.pod.annotations . | nindent 8 }} - {{- else }} - {{- toYaml .Values.csi.pod.annotations | nindent 8 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Sets extra CSI service account annotations -*/}} -{{- define "csi.serviceAccount.annotations" -}} - {{- if .Values.csi.serviceAccount.annotations }} - annotations: - {{- $tp := typeOf .Values.csi.serviceAccount.annotations }} - {{- if eq $tp "string" }} - {{- tpl .Values.csi.serviceAccount.annotations . | nindent 4 }} - {{- else }} - {{- toYaml .Values.csi.serviceAccount.annotations | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Inject extra environment vars in the format key:value, if populated -*/}} -{{- define "vault.extraEnvironmentVars" -}} -{{- if .extraEnvironmentVars -}} -{{- range $key, $value := .extraEnvironmentVars }} -- name: {{ printf "%s" $key | replace "." 
"_" | upper | quote }} - value: {{ $value | quote }} -{{- end }} -{{- end -}} -{{- end -}} - -{{/* -Inject extra environment populated by secrets, if populated -*/}} -{{- define "vault.extraSecretEnvironmentVars" -}} -{{- if .extraSecretEnvironmentVars -}} -{{- range .extraSecretEnvironmentVars }} -- name: {{ .envName }} - valueFrom: - secretKeyRef: - name: {{ .secretName }} - key: {{ .secretKey }} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* Scheme for health check and local endpoint */}} -{{- define "vault.scheme" -}} -{{- if .Values.global.tlsDisable -}} -{{ "http" }} -{{- else -}} -{{ "https" }} -{{- end -}} -{{- end -}} - -{{/* -imagePullSecrets generates pull secrets from either string or map values. -A map value must be indexable by the key 'name'. -*/}} -{{- define "imagePullSecrets" -}} -{{- with .Values.global.imagePullSecrets -}} -imagePullSecrets: -{{- range . -}} -{{- if typeIs "string" . }} - - name: {{ . }} -{{- else if index . "name" }} - - name: {{ .name }} -{{- end }} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -externalTrafficPolicy sets a Service's externalTrafficPolicy if applicable. -Supported inputs are Values.server.service and Values.ui -*/}} -{{- define "service.externalTrafficPolicy" -}} -{{- $type := "" -}} -{{- if .serviceType -}} -{{- $type = .serviceType -}} -{{- else if .type -}} -{{- $type = .type -}} -{{- end -}} -{{- if and .externalTrafficPolicy (or (eq $type "LoadBalancer") (eq $type "NodePort")) }} - externalTrafficPolicy: {{ .externalTrafficPolicy }} -{{- else }} -{{- end }} -{{- end -}} - -{{/* -loadBalancer configuration for the the UI service. -Supported inputs are Values.ui -*/}} -{{- define "service.loadBalancer" -}} -{{- if eq (.serviceType | toString) "LoadBalancer" }} -{{- if .loadBalancerIP }} - loadBalancerIP: {{ .loadBalancerIP }} -{{- end }} -{{- with .loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{- range . }} - - {{ . 
}} -{{- end }} -{{- end -}} -{{- end }} -{{- end -}} - -{{/* -config file from values -*/}} -{{- define "vault.config" -}} - {{- if or (eq .mode "ha") (eq .mode "standalone") }} - {{- $type := typeOf (index .Values.server .mode).config }} - {{- if eq $type "string" }} - disable_mlock = true - {{- if eq .mode "standalone" }} - {{ tpl .Values.server.standalone.config . | nindent 4 | trim }} - {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }} - {{ tpl .Values.server.ha.config . | nindent 4 | trim }} - {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} - {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }} - {{ end }} - {{- else }} - {{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} -{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }} - {{- else }} -{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }} - {{- end }} - {{- end }} - {{- end }} -{{- end -}} \ No newline at end of file diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-agent-configmap.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-agent-configmap.yaml deleted file mode 100644 index 18cdb04ac..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-agent-configmap.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{- template "vault.csiEnabled" . -}} -{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "vault.fullname" . }}-csi-provider-agent-config - namespace: {{ include "vault.namespace" . }} - labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -data: - config.hcl: | - vault { - {{- if .Values.global.externalVaultAddr }} - "address" = "{{ .Values.global.externalVaultAddr }}" - {{- else }} - "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}" - {{- end }} - } - - cache {} - - listener "unix" { - address = "/var/run/vault/agent.sock" - tls_disable = true - } -{{- end }} diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-clusterrole.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-clusterrole.yaml deleted file mode 100644 index 6d979ea40..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-clusterrole.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{- template "vault.csiEnabled" . -}} -{{- if .csiEnabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "vault.fullname" . }}-csi-provider-clusterrole - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -rules: -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create -{{- end }} 
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-clusterrolebinding.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-clusterrolebinding.yaml deleted file mode 100644 index 506ec944a..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-clusterrolebinding.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{- template "vault.csiEnabled" . -}} -{{- if .csiEnabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "vault.fullname" . }}-csi-provider-clusterrole -subjects: -- kind: ServiceAccount - name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ include "vault.namespace" . }} -{{- end }} diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-daemonset.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-daemonset.yaml deleted file mode 100644 index 1436ff905..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-daemonset.yaml +++ /dev/null 
@@ -1,157 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{- template "vault.csiEnabled" . -}} -{{- if .csiEnabled -}} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ include "vault.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- if .Values.csi.daemonSet.extraLabels -}} - {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}} - {{- end -}} - {{ template "csi.daemonSet.annotations" . }} -spec: - updateStrategy: - type: {{ .Values.csi.daemonSet.updateStrategy.type }} - {{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }} - rollingUpdate: - maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }} - {{- end }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider - app.kubernetes.io/instance: {{ .Release.Name }} - {{- if .Values.csi.pod.extraLabels -}} - {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}} - {{- end -}} - {{ template "csi.pod.annotations" . }} - spec: - {{ template "csi.daemonSet.securityContext.pod" . }} - {{- if .Values.csi.priorityClassName }} - priorityClassName: {{ .Values.csi.priorityClassName }} - {{- end }} - serviceAccountName: {{ template "vault.fullname" . }}-csi-provider - {{- template "csi.pod.tolerations" . }} - {{- template "csi.pod.nodeselector" . }} - {{- template "csi.pod.affinity" . }} - containers: - - name: {{ include "vault.name" . }}-csi-provider - {{ template "csi.resources" . }} - {{ template "csi.daemonSet.securityContext.container" . 
}} - image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}" - imagePullPolicy: {{ .Values.csi.image.pullPolicy }} - args: - - --endpoint=/provider/vault.sock - - --debug={{ .Values.csi.debug }} - {{- if .Values.csi.hmacSecretName }} - - --hmac-secret-name={{ .Values.csi.hmacSecretName }} - {{- else }} - - --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key - {{- end }} - {{- if .Values.csi.extraArgs }} - {{- toYaml .Values.csi.extraArgs | nindent 12 }} - {{- end }} - env: - - name: VAULT_ADDR - {{- if eq (.Values.csi.agent.enabled | toString) "true" }} - value: "unix:///var/run/vault/agent.sock" - {{- else if .Values.global.externalVaultAddr }} - value: "{{ .Values.global.externalVaultAddr }}" - {{- else }} - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} - {{- end }} - volumeMounts: - - name: providervol - mountPath: "/provider" - {{- if eq (.Values.csi.agent.enabled | toString) "true" }} - - name: agent-unix-socket - mountPath: /var/run/vault - {{- end }} - {{- if .Values.csi.volumeMounts }} - {{- toYaml .Values.csi.volumeMounts | nindent 12}} - {{- end }} - livenessProbe: - httpGet: - path: /health/ready - port: 8080 - failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }} - initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }} - successThreshold: {{ .Values.csi.livenessProbe.successThreshold }} - timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }} - readinessProbe: - httpGet: - path: /health/ready - port: 8080 - failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }} - initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }} - successThreshold: {{ .Values.csi.readinessProbe.successThreshold }} - timeoutSeconds: {{ 
.Values.csi.readinessProbe.timeoutSeconds }} - {{- if eq (.Values.csi.agent.enabled | toString) "true" }} - - name: {{ include "vault.name" . }}-agent - image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}" - imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }} - {{ template "csi.agent.resources" . }} - command: - - vault - args: - - agent - - -config=/etc/vault/config.hcl - {{- if .Values.csi.agent.extraArgs }} - {{- toYaml .Values.csi.agent.extraArgs | nindent 12 }} - {{- end }} - ports: - - containerPort: 8200 - env: - - name: VAULT_LOG_LEVEL - value: "{{ .Values.csi.agent.logLevel }}" - - name: VAULT_LOG_FORMAT - value: "{{ .Values.csi.agent.logFormat }}" - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 100 - runAsGroup: 1000 - volumeMounts: - - name: agent-config - mountPath: /etc/vault/config.hcl - subPath: config.hcl - readOnly: true - - name: agent-unix-socket - mountPath: /var/run/vault - {{- if .Values.csi.volumeMounts }} - {{- toYaml .Values.csi.volumeMounts | nindent 12 }} - {{- end }} - {{- end }} - volumes: - - name: providervol - hostPath: - path: {{ .Values.csi.daemonSet.providersDir }} - {{- if eq (.Values.csi.agent.enabled | toString) "true" }} - - name: agent-config - configMap: - name: {{ template "vault.fullname" . }}-csi-provider-agent-config - - name: agent-unix-socket - emptyDir: - medium: Memory - {{- end }} - {{- if .Values.csi.volumes }} - {{- toYaml .Values.csi.volumes | nindent 8}} - {{- end }} - {{- include "imagePullSecrets" . | nindent 6 }} -{{- end }} diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-role.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-role.yaml deleted file mode 100644 index 17e1918b4..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-role.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{- template "vault.csiEnabled" . -}} -{{- if .csiEnabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "vault.fullname" . }}-csi-provider-role - namespace: {{ include "vault.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get"] - resourceNames: - {{- if .Values.csi.hmacSecretName }} - - {{ .Values.csi.hmacSecretName }} - {{- else }} - - {{ include "vault.name" . }}-csi-provider-hmac-key - {{- end }} -# 'create' permissions cannot be restricted by resource name: -# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] -{{- end }} diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-rolebinding.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-rolebinding.yaml deleted file mode 100644 index 3d3b981b8..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-rolebinding.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{- template "vault.csiEnabled" . -}} -{{- if .csiEnabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "vault.fullname" . }}-csi-provider-rolebinding - namespace: {{ include "vault.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "vault.fullname" . }}-csi-provider-role -subjects: -- kind: ServiceAccount - name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ include "vault.namespace" . }} -{{- end }} diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-serviceaccount.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-serviceaccount.yaml deleted file mode 100644 index 6327a7b2f..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/csi-serviceaccount.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{- template "vault.csiEnabled" . -}} -{{- if .csiEnabled -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ include "vault.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- if .Values.csi.serviceAccount.extraLabels -}} - {{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}} - {{- end -}} - {{ template "csi.serviceAccount.annotations" . }} -{{- end }} 
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-certs-secret.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-certs-secret.yaml deleted file mode 100644 index f6995af10..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-certs-secret.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{- template "vault.injectorEnabled" . -}} -{{- if .injectorEnabled -}} -{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} -apiVersion: v1 -kind: Secret -metadata: - name: vault-injector-certs - namespace: {{ include "vault.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-clusterrole.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-clusterrole.yaml deleted file mode 100644 index df603f250..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-clusterrole.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{- template "vault.injectorEnabled" . -}} -{{- if .injectorEnabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "vault.fullname" . }}-agent-injector-clusterrole - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -rules: -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: - - "get" - - "list" - - "watch" - - "patch" -{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} -- apiGroups: [""] - resources: ["nodes"] - verbs: - - "get" -{{ end }} -{{ end }} diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-clusterrolebinding.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-clusterrolebinding.yaml deleted file mode 100644 index 82cbce0ce..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-clusterrolebinding.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{- template "vault.injectorEnabled" . -}} -{{- if .injectorEnabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "vault.fullname" . }}-agent-injector-binding - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "vault.fullname" . }}-agent-injector-clusterrole -subjects: -- kind: ServiceAccount - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ include "vault.namespace" . }} -{{ end }} diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-deployment.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-deployment.yaml deleted file mode 100644 index 822e8e41d..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-deployment.yaml +++ /dev/null 
@@ -1,179 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{- template "vault.injectorEnabled" . -}} -{{- if .injectorEnabled -}} -# Deployment for the injector -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ include "vault.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - component: webhook -spec: - replicas: {{ .Values.injector.replicas }} - selector: - matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - component: webhook - {{ template "injector.strategy" . }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - component: webhook - {{- if .Values.injector.extraLabels -}} - {{- toYaml .Values.injector.extraLabels | nindent 8 -}} - {{- end -}} - {{ template "injector.annotations" . }} - spec: - {{ template "injector.affinity" . }} - {{ template "injector.topologySpreadConstraints" . }} - {{ template "injector.tolerations" . }} - {{ template "injector.nodeselector" . }} - {{- if .Values.injector.priorityClassName }} - priorityClassName: {{ .Values.injector.priorityClassName }} - {{- end }} - serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" - {{ template "injector.securityContext.pod" . -}} - {{- if not .Values.global.openshift }} - hostNetwork: {{ .Values.injector.hostNetwork }} - {{- end }} - containers: - - name: sidecar-injector - {{ template "injector.resources" . }} - image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}" - imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}" - {{- template "injector.securityContext.container" . 
}} - env: - - name: AGENT_INJECT_LISTEN - value: {{ printf ":%v" .Values.injector.port }} - - name: AGENT_INJECT_LOG_LEVEL - value: {{ .Values.injector.logLevel | default "info" }} - - name: AGENT_INJECT_VAULT_ADDR - {{- if .Values.global.externalVaultAddr }} - value: "{{ .Values.global.externalVaultAddr }}" - {{- else if .Values.injector.externalVaultAddr }} - value: "{{ .Values.injector.externalVaultAddr }}" - {{- else }} - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} - {{- end }} - - name: AGENT_INJECT_VAULT_AUTH_PATH - value: {{ .Values.injector.authPath }} - - name: AGENT_INJECT_VAULT_IMAGE - value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}" - {{- if .Values.injector.certs.secretName }} - - name: AGENT_INJECT_TLS_CERT_FILE - value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}" - - name: AGENT_INJECT_TLS_KEY_FILE - value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}" - {{- else }} - - name: AGENT_INJECT_TLS_AUTO - value: {{ template "vault.fullname" . }}-agent-injector-cfg - - name: AGENT_INJECT_TLS_AUTO_HOSTS - value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . 
}}.svc - {{- end }} - - name: AGENT_INJECT_LOG_FORMAT - value: {{ .Values.injector.logFormat | default "standard" }} - - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN - value: "{{ .Values.injector.revokeOnShutdown | default false }}" - {{- if .Values.global.openshift }} - - name: AGENT_INJECT_SET_SECURITY_CONTEXT - value: "false" - {{- end }} - {{- if .Values.injector.metrics.enabled }} - - name: AGENT_INJECT_TELEMETRY_PATH - value: "/metrics" - {{- end }} - {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} - - name: AGENT_INJECT_USE_LEADER_ELECTOR - value: "true" - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- end }} - - name: AGENT_INJECT_CPU_REQUEST - value: "{{ .Values.injector.agentDefaults.cpuRequest }}" - - name: AGENT_INJECT_CPU_LIMIT - value: "{{ .Values.injector.agentDefaults.cpuLimit }}" - - name: AGENT_INJECT_MEM_REQUEST - value: "{{ .Values.injector.agentDefaults.memRequest }}" - - name: AGENT_INJECT_MEM_LIMIT - value: "{{ .Values.injector.agentDefaults.memLimit }}" - {{- if .Values.injector.agentDefaults.ephemeralRequest }} - - name: AGENT_INJECT_EPHEMERAL_REQUEST - value: "{{ .Values.injector.agentDefaults.ephemeralRequest }}" - {{- end }} - {{- if .Values.injector.agentDefaults.ephemeralLimit }} - - name: AGENT_INJECT_EPHEMERAL_LIMIT - value: "{{ .Values.injector.agentDefaults.ephemeralLimit }}" - {{- end }} - - name: AGENT_INJECT_DEFAULT_TEMPLATE - value: "{{ .Values.injector.agentDefaults.template }}" - - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE - value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}" - {{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }} - - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL - value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}" - {{- end }} - {{- include "vault.extraEnvironmentVars" .Values.injector | 
nindent 12 }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - args: - - agent-inject - - 2>&1 - livenessProbe: - httpGet: - path: /health/ready - port: {{ .Values.injector.port }} - scheme: HTTPS - failureThreshold: {{ .Values.injector.livenessProbe.failureThreshold }} - initialDelaySeconds: {{ .Values.injector.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.injector.livenessProbe.periodSeconds }} - successThreshold: {{ .Values.injector.livenessProbe.successThreshold }} - timeoutSeconds: {{ .Values.injector.livenessProbe.timeoutSeconds }} - readinessProbe: - httpGet: - path: /health/ready - port: {{ .Values.injector.port }} - scheme: HTTPS - failureThreshold: {{ .Values.injector.readinessProbe.failureThreshold }} - initialDelaySeconds: {{ .Values.injector.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.injector.readinessProbe.periodSeconds }} - successThreshold: {{ .Values.injector.readinessProbe.successThreshold }} - timeoutSeconds: {{ .Values.injector.readinessProbe.timeoutSeconds }} - startupProbe: - httpGet: - path: /health/ready - port: {{ .Values.injector.port }} - scheme: HTTPS - failureThreshold: {{ .Values.injector.startupProbe.failureThreshold }} - initialDelaySeconds: {{ .Values.injector.startupProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }} - successThreshold: {{ .Values.injector.startupProbe.successThreshold }} - timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }} -{{- if .Values.injector.certs.secretName }} - volumeMounts: - - name: webhook-certs - mountPath: /etc/webhook/certs - readOnly: true -{{- end }} -{{- if .Values.injector.certs.secretName }} - volumes: - - name: webhook-certs - secret: - secretName: "{{ .Values.injector.certs.secretName }}" -{{- end }} - {{- include "imagePullSecrets" . | nindent 6 }} -{{ end }} 
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-disruptionbudget.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-disruptionbudget.yaml deleted file mode 100644 index 2b2a61c6f..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-disruptionbudget.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{- if .Values.injector.podDisruptionBudget }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ include "vault.namespace" . }} - labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - component: webhook -spec: - selector: - matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - component: webhook - {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }} -{{- end -}} diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-mutating-webhook.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-mutating-webhook.yaml deleted file mode 100644 index b1de1ee3f..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-mutating-webhook.yaml +++ /dev/null 
@@ -1,44 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{- template "vault.injectorEnabled" . -}}
-{{- if .injectorEnabled -}}
-{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
-apiVersion: admissionregistration.k8s.io/v1
-{{- else }}
-apiVersion: admissionregistration.k8s.io/v1beta1
-{{- end }}
-kind: MutatingWebhookConfiguration
-metadata:
- name: {{ template "vault.fullname" . }}-agent-injector-cfg
- labels:
- app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- {{- template "injector.webhookAnnotations" . }}
-webhooks:
- - name: vault.hashicorp.com
- failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}
- matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }}
- sideEffects: None
- timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }}
- admissionReviewVersions: ["v1", "v1beta1"]
- clientConfig:
- service:
- name: {{ template "vault.fullname" . }}-agent-injector-svc
- namespace: {{ include "vault.namespace" . }}
- path: "/mutate"
- caBundle: {{ .Values.injector.certs.caBundle | quote }}
- rules:
- - operations: ["CREATE", "UPDATE"]
- apiGroups: [""]
- apiVersions: ["v1"]
- resources: ["pods"]
-{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }}
- namespaceSelector:
-{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
-{{ end }}
-{{- template "injector.objectSelector" . -}}
-{{ end }}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-network-policy.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-network-policy.yaml
deleted file mode 100644
index 4c3b08782..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-network-policy.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{- template "vault.injectorEnabled" . -}}
-{{- if .injectorEnabled -}}
-{{- if eq (.Values.global.openshift | toString) "true" }}
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: {{ template "vault.fullname" . }}-agent-injector
- labels:
- app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
- app.kubernetes.io/instance: {{ .Release.Name }}
-spec:
- podSelector:
- matchLabels:
- app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
- app.kubernetes.io/instance: {{ .Release.Name }}
- component: webhook
- ingress:
- - from:
- - namespaceSelector: {}
- ports:
- - port: 8080
- protocol: TCP
-{{ end }}
-{{ end }}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-psp-role.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-psp-role.yaml
deleted file mode 100644
index a07f8f6c0..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-psp-role.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{- template "vault.injectorEnabled" . -}}
-{{- if .injectorEnabled -}}
-{{- if eq (.Values.global.psp.enable | toString) "true" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ template "vault.fullname" . }}-agent-injector-psp
- namespace: {{ include "vault.namespace" . }}
- labels:
- app.kubernetes.io/name: {{ include "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-rules:
-- apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames:
- - {{ template "vault.fullname" . }}-agent-injector
-{{- end }}
-{{- end }}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-psp-rolebinding.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-psp-rolebinding.yaml
deleted file mode 100644
index 3c97e8dad..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-psp-rolebinding.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{- template "vault.injectorEnabled" . -}}
-{{- if .injectorEnabled -}}
-{{- if eq (.Values.global.psp.enable | toString) "true" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ template "vault.fullname" . }}-agent-injector-psp
- namespace: {{ include "vault.namespace" . }}
- labels:
- app.kubernetes.io/name: {{ include "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-roleRef:
- kind: Role
- name: {{ template "vault.fullname" . }}-agent-injector-psp
- apiGroup: rbac.authorization.k8s.io
-subjects:
- - kind: ServiceAccount
- name: {{ template "vault.fullname" . }}-agent-injector
-{{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-psp.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-psp.yaml
deleted file mode 100644
index 0eca9a87c..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-psp.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{- template "vault.injectorEnabled" . -}}
-{{- if .injectorEnabled -}}
-{{- if eq (.Values.global.psp.enable | toString) "true" }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ template "vault.fullname" . }}-agent-injector
- labels:
- app.kubernetes.io/name: {{ include "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- template "vault.psp.annotations" . }}
-spec:
- privileged: false
- # Required to prevent escalations to root.
- allowPrivilegeEscalation: false
- volumes:
- - configMap
- - emptyDir
- - projected
- - secret
- - downwardAPI
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- # Require the container to run without root privileges.
- rule: MustRunAsNonRoot
- seLinux:
- # This policy assumes the nodes are using AppArmor rather than SELinux.
- rule: RunAsAny
- supplementalGroups:
- rule: MustRunAs
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- fsGroup:
- rule: MustRunAs
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
-{{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-role.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-role.yaml
deleted file mode 100644
index b2ad0c7b9..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-role.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{- template "vault.injectorEnabled" . -}}
-{{- if .injectorEnabled -}}
-{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
- namespace: {{ include "vault.namespace" . }}
- labels:
- app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-rules:
- - apiGroups: [""]
- resources: ["secrets", "configmaps"]
- verbs:
- - "create"
- - "get"
- - "watch"
- - "list"
- - "update"
- - apiGroups: [""]
- resources: ["pods"]
- verbs:
- - "get"
- - "patch"
- - "delete"
-{{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-rolebinding.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-rolebinding.yaml
deleted file mode 100644
index 6ad25ca69..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-rolebinding.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{- template "vault.injectorEnabled" . -}}
-{{- if .injectorEnabled -}}
-{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding
- namespace: {{ include "vault.namespace" . }}
- labels:
- app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
-subjects:
- - kind: ServiceAccount
- name: {{ template "vault.fullname" . }}-agent-injector
- namespace: {{ include "vault.namespace" . }}
-{{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-service.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-service.yaml
deleted file mode 100644
index 1479cd1ab..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-service.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{- template "vault.injectorEnabled" . -}}
-{{- if .injectorEnabled -}}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "vault.fullname" . }}-agent-injector-svc
- namespace: {{ include "vault.namespace" . }}
- labels:
- app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- {{ template "injector.service.annotations" . }}
-spec:
- ports:
- - name: https
- port: 443
- targetPort: {{ .Values.injector.port }}
- selector:
- app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
- app.kubernetes.io/instance: {{ .Release.Name }}
- component: webhook
-{{- end }}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-serviceaccount.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-serviceaccount.yaml
deleted file mode 100644
index 2f91c3d4a..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/injector-serviceaccount.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{- template "vault.injectorEnabled" . -}}
-{{- if .injectorEnabled -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ template "vault.fullname" . }}-agent-injector
- namespace: {{ include "vault.namespace" . }}
- labels:
- app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- {{ template "injector.serviceAccount.annotations" . }}
-{{ end }}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/prometheus-prometheusrules.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/prometheus-prometheusrules.yaml
deleted file mode 100644
index 7e58a0e52..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/prometheus-prometheusrules.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{ if and (.Values.serverTelemetry.prometheusRules.rules)
- (or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) )
-}}
----
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
- name: {{ template "vault.fullname" . }}
- labels:
- helm.sh/chart: {{ include "vault.chart" . }}
- app.kubernetes.io/name: {{ include "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
- {{- $selectors := .Values.serverTelemetry.prometheusRules.selectors }}
- {{- if $selectors }}
- {{- toYaml $selectors | nindent 4 }}
- {{- else }}
- release: prometheus
- {{- end }}
-spec:
- groups:
- - name: {{ include "vault.fullname" . }}
- rules:
- {{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }}
-{{- end }}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/prometheus-servicemonitor.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/prometheus-servicemonitor.yaml
deleted file mode 100644
index 25d30a468..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/prometheus-servicemonitor.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{ template "vault.mode" . }}
-{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }}
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ template "vault.fullname" . }}
- labels:
- helm.sh/chart: {{ include "vault.chart" . }}
- app.kubernetes.io/name: {{ include "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
- {{- $selectors := .Values.serverTelemetry.serviceMonitor.selectors }}
- {{- if $selectors }}
- {{- toYaml $selectors | nindent 4 }}
- {{- else }}
- release: prometheus
- {{- end }}
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/name: {{ template "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- {{- if eq .mode "ha" }}
- vault-active: "true"
- {{- else }}
- vault-internal: "true"
- {{- end }}
- endpoints:
- - port: {{ include "vault.scheme" . }}
- interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
- scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
- scheme: {{ include "vault.scheme" . | lower }}
- path: /v1/sys/metrics
- params:
- format:
- - prometheus
- tlsConfig:
- insecureSkipVerify: true
- namespaceSelector:
- matchNames:
- - {{ include "vault.namespace" . }}
-{{ end }}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-clusterrolebinding.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-clusterrolebinding.yaml
deleted file mode 100644
index 14ec838a0..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-clusterrolebinding.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{ template "vault.serverAuthDelegator" . }}
-{{- if .serverAuthDelegator -}}
-{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
-apiVersion: rbac.authorization.k8s.io/v1
-{{- else }}
-apiVersion: rbac.authorization.k8s.io/v1beta1
-{{- end }}
-kind: ClusterRoleBinding
-metadata:
- name: {{ template "vault.fullname" . }}-server-binding
- labels:
- helm.sh/chart: {{ include "vault.chart" . }}
- app.kubernetes.io/name: {{ include "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
- name: {{ template "vault.serviceAccount.name" . }}
- namespace: {{ include "vault.namespace" . }}
-{{ end }}
\ No newline at end of file
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-config-configmap.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-config-configmap.yaml
deleted file mode 100644
index 1fed2e690..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-config-configmap.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- if .serverEnabled -}}
-{{- if ne .mode "dev" -}}
-{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "vault.fullname" . }}-config
- namespace: {{ include "vault.namespace" . }}
- labels:
- helm.sh/chart: {{ include "vault.chart" . }}
- app.kubernetes.io/name: {{ include "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- if .Values.server.includeConfigAnnotation }}
- annotations:
- vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }}
-{{- end }}
-data:
- extraconfig-from-values.hcl: |-
- {{ template "vault.config" . }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-discovery-role.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-discovery-role.yaml
deleted file mode 100644
index 0cbdefaff..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-discovery-role.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{ template "vault.mode" . }}
-{{- if .serverEnabled -}}
-{{- if eq .mode "ha" }}
-{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- namespace: {{ include "vault.namespace" . }}
- name: {{ template "vault.fullname" . }}-discovery-role
- labels:
- helm.sh/chart: {{ include "vault.chart" . }}
- app.kubernetes.io/name: {{ include "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "watch", "list", "update", "patch"]
-{{ end }}
-{{ end }}
-{{ end }}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-discovery-rolebinding.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-discovery-rolebinding.yaml
deleted file mode 100644
index 87b0f6170..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-discovery-rolebinding.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{ template "vault.mode" . }}
-{{- if .serverEnabled -}}
-{{- if eq .mode "ha" }}
-{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
-{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
-apiVersion: rbac.authorization.k8s.io/v1
-{{- else }}
-apiVersion: rbac.authorization.k8s.io/v1beta1
-{{- end }}
-kind: RoleBinding
-metadata:
- name: {{ template "vault.fullname" . }}-discovery-rolebinding
- namespace: {{ include "vault.namespace" . }}
- labels:
- helm.sh/chart: {{ include "vault.chart" . }}
- app.kubernetes.io/name: {{ include "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ template "vault.fullname" . }}-discovery-role
-subjects:
-- kind: ServiceAccount
- name: {{ template "vault.serviceAccount.name" . }}
- namespace: {{ include "vault.namespace" . }}
-{{ end }}
-{{ end }}
-{{ end }}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-disruptionbudget.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-disruptionbudget.yaml
deleted file mode 100644
index bbe9eb299..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-disruptionbudget.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{ template "vault.mode" . }}
-{{- if ne .mode "external" -}}
-{{- if .serverEnabled -}}
-{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
-# PodDisruptionBudget to prevent degrading the server cluster through
-# voluntary cluster changes.
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: {{ template "vault.fullname" . }}
- namespace: {{ include "vault.namespace" . }}
- labels:
- helm.sh/chart: {{ include "vault.chart" . }}
- app.kubernetes.io/name: {{ include "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
- maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
- selector:
- matchLabels:
- app.kubernetes.io/name: {{ include "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- component: server
-{{- end -}}
-{{- end -}}
-{{- end -}}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-ha-active-service.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-ha-active-service.yaml
deleted file mode 100644
index 9d2abfbb1..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-ha-active-service.yaml
+++ /dev/null
@@ -1,64 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- template "vault.serverServiceEnabled" . -}}
-{{- if .serverServiceEnabled -}}
-{{- if eq .mode "ha" }}
-{{- if eq (.Values.server.service.active.enabled | toString) "true" }}
-# Service for active Vault pod
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "vault.fullname" . }}-active
- namespace: {{ include "vault.namespace" . }}
- labels:
- helm.sh/chart: {{ include "vault.chart" . }}
- app.kubernetes.io/name: {{ include "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- vault-active: "true"
- annotations:
-{{- template "vault.service.active.annotations" . }}
-{{- template "vault.service.annotations" . }}
-spec:
- {{- if .Values.server.service.type}}
- type: {{ .Values.server.service.type }}
- {{- end}}
- {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
- {{- if .Values.server.service.ipFamilyPolicy }}
- ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
- {{- end }}
- {{- if .Values.server.service.ipFamilies }}
- ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
- {{- end }}
- {{- end }}
- {{- if .Values.server.service.clusterIP }}
- clusterIP: {{ .Values.server.service.clusterIP }}
- {{- end }}
- {{- include "service.externalTrafficPolicy" .Values.server.service }}
- publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
- ports:
- - name: {{ include "vault.scheme" .
}}
- port: {{ .Values.server.service.port }}
- targetPort: {{ .Values.server.service.targetPort }}
- {{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
- nodePort: {{ .Values.server.service.activeNodePort }}
- {{- end }}
- - name: https-internal
- port: 8201
- targetPort: 8201
- selector:
- app.kubernetes.io/name: {{ include "vault.name" . }}
- {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- {{- end }}
- component: server
- vault-active: "true"
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-ha-standby-service.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-ha-standby-service.yaml
deleted file mode 100644
index bae1e2834..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-ha-standby-service.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- template "vault.serverServiceEnabled" . -}}
-{{- if .serverServiceEnabled -}}
-{{- if eq .mode "ha" }}
-{{- if eq (.Values.server.service.standby.enabled | toString) "true" }}
-# Service for standby Vault pod
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "vault.fullname" . }}-standby
- namespace: {{ include "vault.namespace" . }}
- labels:
- helm.sh/chart: {{ include "vault.chart" . }}
- app.kubernetes.io/name: {{ include "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- annotations:
-{{- template "vault.service.standby.annotations" . }}
-{{- template "vault.service.annotations" . }}
-spec:
- {{- if .Values.server.service.type}}
- type: {{ .Values.server.service.type }}
- {{- end}}
- {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
- {{- if .Values.server.service.ipFamilyPolicy }}
- ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
- {{- end }}
- {{- if .Values.server.service.ipFamilies }}
- ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
- {{- end }}
- {{- end }}
- {{- if .Values.server.service.clusterIP }}
- clusterIP: {{ .Values.server.service.clusterIP }}
- {{- end }}
- {{- include "service.externalTrafficPolicy" .Values.server.service }}
- publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
- ports:
- - name: {{ include "vault.scheme" .
}}
- port: {{ .Values.server.service.port }}
- targetPort: {{ .Values.server.service.targetPort }}
- {{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
- nodePort: {{ .Values.server.service.standbyNodePort }}
- {{- end }}
- - name: https-internal
- port: 8201
- targetPort: 8201
- selector:
- app.kubernetes.io/name: {{ include "vault.name" . }}
- {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- {{- end }}
- component: server
- vault-active: "false"
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-headless-service.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-headless-service.yaml
deleted file mode 100644
index c0f4d3460..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-headless-service.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- template "vault.serverServiceEnabled" . -}}
-{{- if .serverServiceEnabled -}}
-# Service for Vault cluster
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "vault.fullname" . }}-internal
- namespace: {{ include "vault.namespace" . }}
- labels:
- helm.sh/chart: {{ include "vault.chart" . }}
- app.kubernetes.io/name: {{ include "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- vault-internal: "true"
- annotations:
-{{ template "vault.service.annotations" .}}
-spec:
- {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
- {{- if .Values.server.service.ipFamilyPolicy }}
- ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
- {{- end }}
- {{- if .Values.server.service.ipFamilies }}
- ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
- {{- end }}
- {{- end }}
- clusterIP: None
- publishNotReadyAddresses: true
- ports:
- - name: "{{ include "vault.scheme" . }}"
- port: {{ .Values.server.service.port }}
- targetPort: {{ .Values.server.service.targetPort }}
- - name: https-internal
- port: 8201
- targetPort: 8201
- selector:
- app.kubernetes.io/name: {{ include "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- component: server
-{{- end }}
-{{- end }}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-ingress.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-ingress.yaml
deleted file mode 100644
index d796bae41..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-ingress.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{- if not .Values.global.openshift }}
-{{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- if .Values.server.ingress.enabled -}}
-{{- $extraPaths := .Values.server.ingress.extraPaths -}}
-{{- $serviceName := include "vault.fullname" . -}}
-{{- template "vault.serverServiceEnabled" . -}}
-{{- if .serverServiceEnabled -}}
-{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
-{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
-{{- end }}
-{{- $servicePort := .Values.server.service.port -}}
-{{- $pathType := .Values.server.ingress.pathType -}}
-{{- $kubeVersion := .Capabilities.KubeVersion.Version }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ template "vault.fullname" . }}
- namespace: {{ include "vault.namespace" . }}
- labels:
- helm.sh/chart: {{ include "vault.chart" . }}
- app.kubernetes.io/name: {{ include "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- {{- with .Values.server.ingress.labels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- template "vault.ingress.annotations" . }}
-spec:
-{{- if .Values.server.ingress.tls }}
- tls:
- {{- range .Values.server.ingress.tls }}
- - hosts:
- {{- range .hosts }}
- - {{ . | quote }}
- {{- end }}
- secretName: {{ .secretName }}
- {{- end }}
-{{- end }}
-{{- if .Values.server.ingress.ingressClassName }}
- ingressClassName: {{ .Values.server.ingress.ingressClassName }}
-{{- end }}
- rules:
- {{- range .Values.server.ingress.hosts }}
- - host: {{ .host | quote }}
- http:
- paths:
-{{ if $extraPaths }}
-{{ toYaml $extraPaths | indent 10 }}
-{{- end }}
- {{- range (.paths | default (list "/")) }}
- - path: {{ .
}}
- pathType: {{ $pathType }}
- backend:
- service:
- name: {{ $serviceName }}
- port:
- number: {{ $servicePort }}
- {{- end }}
- {{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-network-policy.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-network-policy.yaml
deleted file mode 100644
index 43dcdb16f..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-network-policy.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{/*
-Copyright (c) HashiCorp, Inc.
-SPDX-License-Identifier: MPL-2.0
-*/}}
-
-{{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }}
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: {{ template "vault.fullname" . }}
- labels:
- app.kubernetes.io/name: {{ template "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
-spec:
- podSelector:
- matchLabels:
- app.kubernetes.io/name: {{ template "vault.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
- {{- if .Values.server.networkPolicy.egress }}
- egress:
- {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}
- {{ end }}
-{{ end }}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-psp-role.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-psp-role.yaml
deleted file mode 100644
index 64cd6c507..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-psp-role.yaml
+++ /dev/null
@@ -1,25 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{ template "vault.mode" . }} -{{- if .serverEnabled -}} -{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "vault.fullname" . }}-psp - namespace: {{ include "vault.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -rules: -- apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: - - {{ template "vault.fullname" . }} -{{- end }} -{{- end }} diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-psp-rolebinding.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-psp-rolebinding.yaml deleted file mode 100644 index 342f55379..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-psp-rolebinding.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{ template "vault.mode" . }} -{{- if .serverEnabled -}} -{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "vault.fullname" . }}-psp - namespace: {{ include "vault.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -roleRef: - kind: Role - name: {{ template "vault.fullname" . }}-psp - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ template "vault.fullname" . }} -{{- end }} -{{- end }} 
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-psp.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-psp.yaml deleted file mode 100644 index 567e66245..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-psp.yaml +++ /dev/null @@ -1,54 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{ template "vault.mode" . }} -{{- if .serverEnabled -}} -{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ template "vault.fullname" . }} - labels: - app.kubernetes.io/name: {{ include "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- template "vault.psp.annotations" . }} -spec: - privileged: false - # Required to prevent escalations to root. - allowPrivilegeEscalation: false - volumes: - - configMap - - emptyDir - - projected - - secret - - downwardAPI - {{- if eq (.Values.server.dataStorage.enabled | toString) "true" }} - - persistentVolumeClaim - {{- end }} - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - # Require the container to run without root privileges. - rule: MustRunAsNonRoot - seLinux: - # This policy assumes the nodes are using AppArmor rather than SELinux. - rule: RunAsAny - supplementalGroups: - rule: MustRunAs - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - fsGroup: - rule: MustRunAs - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - readOnlyRootFilesystem: false -{{- end }} -{{- end }} diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-route.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-route.yaml deleted file mode 100644 index 4e955555a..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-route.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{- if .Values.global.openshift }} -{{- if ne .mode "external" }} -{{- if .Values.server.route.enabled -}} -{{- $serviceName := include "vault.fullname" . -}} -{{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }} -{{- $serviceName = printf "%s-%s" $serviceName "active" -}} -{{- end }} -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: {{ template "vault.fullname" . }} - namespace: {{ include "vault.namespace" . }} - labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- with .Values.server.route.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- template "vault.route.annotations" . }} -spec: - host: {{ .Values.server.route.host }} - to: - kind: Service - name: {{ $serviceName }} - weight: 100 - port: - targetPort: 8200 - tls: - {{- toYaml .Values.server.route.tls | nindent 4 }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-service.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-service.yaml deleted file mode 100644 index c12e190cb..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-service.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{ template "vault.mode" . }} -{{- if ne .mode "external" }} -{{- template "vault.serverServiceEnabled" . -}} -{{- if .serverServiceEnabled -}} -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: {{ template "vault.fullname" . }} - namespace: {{ include "vault.namespace" . }} - labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - annotations: -{{ template "vault.service.annotations" .}} -spec: - {{- if .Values.server.service.type}} - type: {{ .Values.server.service.type }} - {{- end}} - {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} - {{- if .Values.server.service.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} - {{- end }} - {{- if .Values.server.service.ipFamilies }} - ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} - {{- end }} - {{- end }} - {{- if .Values.server.service.clusterIP }} - clusterIP: {{ .Values.server.service.clusterIP }} - {{- end }} - {{- include "service.externalTrafficPolicy" .Values.server.service }} - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} - ports: - - name: {{ include "vault.scheme" . }} - port: {{ .Values.server.service.port }} - targetPort: {{ .Values.server.service.targetPort }} - {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} - nodePort: {{ .Values.server.service.nodePort }} - {{- end }} - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: {{ include "vault.name" . 
}} - {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- end }} - component: server -{{- end }} -{{- end }} diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-serviceaccount-secret.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-serviceaccount-secret.yaml deleted file mode 100644 index 74d70f900..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-serviceaccount-secret.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{ template "vault.serverServiceAccountSecretCreationEnabled" . }} -{{- if .serverServiceAccountSecretCreationEnabled -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "vault.serviceAccount.name" . }}-token - namespace: {{ include "vault.namespace" . }} - annotations: - kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }} - labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -type: kubernetes.io/service-account-token -{{ end }} \ No newline at end of file diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-serviceaccount.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-serviceaccount.yaml deleted file mode 100644 index 216ea6178..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-serviceaccount.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{ template "vault.serverServiceAccountEnabled" . }} -{{- if .serverServiceAccountEnabled -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ include "vault.namespace" . }} - labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- if .Values.server.serviceAccount.extraLabels -}} - {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}} - {{- end -}} - {{ template "vault.serviceAccount.annotations" . }} -{{ end }} diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-statefulset.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-statefulset.yaml deleted file mode 100644 index 0d8e604d0..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/server-statefulset.yaml +++ /dev/null 
@@ -1,232 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{ template "vault.mode" . }} -{{- if ne .mode "external" }} -{{- if ne .mode "" }} -{{- if .serverEnabled -}} -# StatefulSet to run the actual vault server cluster. -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "vault.fullname" . }} - namespace: {{ include "vault.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- template "vault.statefulSet.annotations" . }} -spec: - serviceName: {{ template "vault.fullname" . }}-internal - podManagementPolicy: Parallel - replicas: {{ template "vault.replicas" . }} - updateStrategy: - type: {{ .Values.server.updateStrategyType }} - {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} - persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }} - {{- end }} - selector: - matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - component: server - template: - metadata: - labels: - helm.sh/chart: {{ template "vault.chart" . }} - app.kubernetes.io/name: {{ template "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - component: server - {{- if .Values.server.extraLabels -}} - {{- toYaml .Values.server.extraLabels | nindent 8 -}} - {{- end -}} - {{ template "vault.annotations" . }} - spec: - {{ template "vault.affinity" . }} - {{ template "vault.topologySpreadConstraints" . }} - {{ template "vault.tolerations" . }} - {{ template "vault.nodeselector" . 
}} - {{- if .Values.server.priorityClassName }} - priorityClassName: {{ .Values.server.priorityClassName }} - {{- end }} - terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} - serviceAccountName: {{ template "vault.serviceAccount.name" . }} - {{ if .Values.server.shareProcessNamespace }} - shareProcessNamespace: true - {{ end }} - {{- template "server.statefulSet.securityContext.pod" . }} - {{- if not .Values.global.openshift }} - hostNetwork: {{ .Values.server.hostNetwork }} - {{- end }} - volumes: - {{ template "vault.volumes" . }} - - name: home - emptyDir: {} - {{- if .Values.server.hostAliases }} - hostAliases: - {{ toYaml .Values.server.hostAliases | nindent 8}} - {{- end }} - {{- if .Values.server.extraInitContainers }} - initContainers: - {{ toYaml .Values.server.extraInitContainers | nindent 8}} - {{- end }} - containers: - - name: vault - {{ template "vault.resources" . }} - image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} - imagePullPolicy: {{ .Values.server.image.pullPolicy }} - command: - - "/bin/sh" - - "-ec" - args: {{ template "vault.args" . }} - {{- template "server.statefulSet.securityContext.container" . }} - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "{{ include "vault.scheme" . }}://127.0.0.1:8200" - - name: VAULT_API_ADDR - {{- if .Values.server.ha.apiAddr }} - value: {{ .Values.server.ha.apiAddr }} - {{- else }} - value: "{{ include "vault.scheme" . 
}}://$(POD_IP):8200" - {{- end }} - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - {{- if .Values.server.ha.clusterAddr }} - value: {{ .Values.server.ha.clusterAddr | quote }} - {{- else }} - value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" - {{- end }} - {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }} - - name: VAULT_RAFT_NODE_ID - valueFrom: - fieldRef: - fieldPath: metadata.name - {{- end }} - - name: HOME - value: "/home/vault" - {{- if .Values.server.logLevel }} - - name: VAULT_LOG_LEVEL - value: "{{ .Values.server.logLevel }}" - {{- end }} - {{- if .Values.server.logFormat }} - - name: VAULT_LOG_FORMAT - value: "{{ .Values.server.logFormat }}" - {{- end }} - {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} - - name: VAULT_LICENSE_PATH - value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }} - {{- end }} - {{ template "vault.envs" . }} - {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} - {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} - volumeMounts: - {{ template "vault.mounts" . }} - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: {{ include "vault.scheme" . }} - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: {{ include "vault.scheme" . }}-rep - {{- if .Values.server.extraPorts -}} - {{ toYaml .Values.server.extraPorts | nindent 12}} - {{- end }} - {{- if .Values.server.readinessProbe.enabled }} - readinessProbe: - {{- if .Values.server.readinessProbe.path }} - httpGet: - path: {{ .Values.server.readinessProbe.path | quote }} - port: {{ .Values.server.readinessProbe.port }} - scheme: {{ include "vault.scheme" . 
| upper }} - {{- else }} - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - {{- end }} - failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }} - initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.server.readinessProbe.periodSeconds }} - successThreshold: {{ .Values.server.readinessProbe.successThreshold }} - timeoutSeconds: {{ .Values.server.readinessProbe.timeoutSeconds }} - {{- end }} - {{- if .Values.server.livenessProbe.enabled }} - livenessProbe: - {{- if .Values.server.livenessProbe.execCommand }} - exec: - command: - {{- range (.Values.server.livenessProbe.execCommand) }} - - {{ . | quote }} - {{- end }} - {{- else }} - httpGet: - path: {{ .Values.server.livenessProbe.path | quote }} - port: {{ .Values.server.livenessProbe.port }} - scheme: {{ include "vault.scheme" . | upper }} - {{- end }} - failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }} - initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }} - successThreshold: {{ .Values.server.livenessProbe.successThreshold }} - timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }} - {{- end }} - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). 
- preStop: - exec: - command: [ - "/bin/sh", "-c", - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)", - ] - {{- if .Values.server.postStart }} - postStart: - exec: - command: - {{- range (.Values.server.postStart) }} - - {{ . | quote }} - {{- end }} - {{- end }} - {{- if .Values.server.extraContainers }} - {{ toYaml .Values.server.extraContainers | nindent 8}} - {{- end }} - {{- include "imagePullSecrets" . | nindent 6 }} - {{ template "vault.volumeclaims" . }} -{{ end }} -{{ end }} -{{ end }} diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/tests/server-test.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/tests/server-test.yaml deleted file mode 100644 index 20e2e5a5a..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/tests/server-test.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{ template "vault.mode" . }} -{{- if ne .mode "external" }} -{{- if .serverEnabled -}} -apiVersion: v1 -kind: Pod -metadata: - name: {{ template "vault.fullname" . }}-server-test - namespace: {{ include "vault.namespace" . }} - annotations: - "helm.sh/hook": test -spec: - {{- include "imagePullSecrets" . | nindent 2 }} - containers: - - name: {{ .Release.Name }}-server-test - image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} - imagePullPolicy: {{ .Values.server.image.pullPolicy }} - env: - - name: VAULT_ADDR - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} - {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }} - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ "$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - {{- if .Values.server.volumeMounts }} - {{- toYaml .Values.server.volumeMounts | nindent 8}} - {{- end }} - volumes: - {{- if .Values.server.volumes }} - {{- toYaml .Values.server.volumes | nindent 4}} - {{- end }} - restartPolicy: Never -{{- end }} -{{- end }} diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/ui-service.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/templates/ui-service.yaml deleted file mode 100644 index 95370842e..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/templates/ui-service.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -{{/* -Copyright (c) HashiCorp, Inc. -SPDX-License-Identifier: MPL-2.0 -*/}} - -{{ template "vault.mode" . }} -{{- if ne .mode "external" }} -{{- template "vault.uiEnabled" . -}} -{{- if .uiEnabled -}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ template "vault.fullname" . }}-ui - namespace: {{ include "vault.namespace" . }} - labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }}-ui - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- template "vault.ui.annotations" . }} -spec: - {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} - {{- if .Values.ui.serviceIPFamilyPolicy }} - ipFamilyPolicy: {{ .Values.ui.serviceIPFamilyPolicy }} - {{- end }} - {{- if .Values.ui.serviceIPFamilies }} - ipFamilies: {{ .Values.ui.serviceIPFamilies | toYaml | nindent 2 }} - {{- end }} - {{- end }} - selector: - app.kubernetes.io/name: {{ include "vault.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - component: server - {{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }} - vault-active: "true" - {{- end }} - publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }} - ports: - - name: {{ include "vault.scheme" . }} - port: {{ .Values.ui.externalPort }} - targetPort: {{ .Values.ui.targetPort }} - {{- if .Values.ui.serviceNodePort }} - nodePort: {{ .Values.ui.serviceNodePort }} - {{- end }} - type: {{ .Values.ui.serviceType }} - {{- include "service.externalTrafficPolicy" .Values.ui }} - {{- include "service.loadBalancer" .Values.ui }} -{{- end -}} -{{- end }} diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/values.openshift.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/values.openshift.yaml deleted file mode 100644 index 62a85a6d5..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/values.openshift.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -# These overrides are appropriate defaults for deploying this chart on OpenShift - -global: - openshift: true - -injector: - image: - repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "1.4.1-ubi" - - agentImage: - repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.16.1-ubi" - -server: - image: - repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.16.1-ubi" - - readinessProbe: - path: "/v1/sys/health?uninitcode=204" diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/values.schema.json b/charts/partners/mgoerens/testproject2/0.28.5/src/values.schema.json deleted file mode 100644 index 3f0871f2c..000000000 --- a/charts/partners/mgoerens/testproject2/0.28.5/src/values.schema.json +++ /dev/null 
@@ -1,1303 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "type": "object", - "properties": { - "csi": { - "type": "object", - "properties": { - "agent": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "extraArgs": { - "type": "array" - }, - "image": { - "type": "object", - "properties": { - "pullPolicy": { - "type": "string" - }, - "repository": { - "type": "string" - }, - "tag": { - "type": "string" - } - } - }, - "logFormat": { - "type": "string" - }, - "logLevel": { - "type": "string" - }, - "resources": { - "type": "object" - } - } - }, - "daemonSet": { - "type": "object", - "properties": { - "annotations": { - "type": [ - "object", - "string" - ] - }, - "extraLabels": { - "type": "object" - }, - "kubeletRootDir": { - "type": "string" - }, - "providersDir": { - "type": "string" - }, - "securityContext": { - "type": "object", - "properties": { - "container": { - "type": [ - "object", - "string" - ] - }, - "pod": { - "type": [ - "object", - "string" - ] - } - } - }, - "updateStrategy": { - "type": "object", - "properties": { - "maxUnavailable": { - "type": "string" - }, - "type": { - "type": "string" - } - } - } - } - }, - "debug": { - "type": "boolean" - }, - "enabled": { - "type": [ - "boolean", - "string" - ] - }, - "extraArgs": { - "type": "array" - }, - "hmacSecretName": { - "type": "string" - }, - "image": { - "type": "object", - "properties": { - "pullPolicy": { - "type": "string" - }, - "repository": { - "type": "string" - }, - "tag": { - "type": "string" - } - } - }, - "livenessProbe": { - "type": "object", - "properties": { - "failureThreshold": { - "type": "integer" - }, - "initialDelaySeconds": { - "type": "integer" - }, - "periodSeconds": { - "type": "integer" - }, - "successThreshold": { - "type": "integer" - }, - "timeoutSeconds": { - "type": "integer" - } - } - }, - "pod": { - "type": "object", - "properties": { - "affinity": { - "type": [ - "null", - "object", - "string" - ] - }, - "annotations": { 
- "type": [ - "object", - "string" - ] - }, - "extraLabels": { - "type": "object" - }, - "nodeSelector": { - "type": [ - "null", - "object", - "string" - ] - }, - "tolerations": { - "type": [ - "null", - "array", - "string" - ] - } - } - }, - "priorityClassName": { - "type": "string" - }, - "readinessProbe": { - "type": "object", - "properties": { - "failureThreshold": { - "type": "integer" - }, - "initialDelaySeconds": { - "type": "integer" - }, - "periodSeconds": { - "type": "integer" - }, - "successThreshold": { - "type": "integer" - }, - "timeoutSeconds": { - "type": "integer" - } - } - }, - "resources": { - "type": "object" - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": [ - "object", - "string" - ] - }, - "extraLabels": { - "type": "object" - } - } - }, - "volumeMounts": { - "type": [ - "null", - "array" - ] - }, - "volumes": { - "type": [ - "null", - "array" - ] - } - } - }, - "global": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "externalVaultAddr": { - "type": "string" - }, - "imagePullSecrets": { - "type": "array" - }, - "namespace": { - "type": "string" - }, - "openshift": { - "type": "boolean" - }, - "psp": { - "type": "object", - "properties": { - "annotations": { - "type": [ - "object", - "string" - ] - }, - "enable": { - "type": "boolean" - } - } - }, - "serverTelemetry": { - "type": "object", - "properties": { - "prometheusOperator": { - "type": "boolean" - } - } - }, - "tlsDisable": { - "type": "boolean" - } - } - }, - "injector": { - "type": "object", - "properties": { - "affinity": { - "type": [ - "object", - "string" - ] - }, - "agentDefaults": { - "type": "object", - "properties": { - "cpuLimit": { - "type": "string" - }, - "cpuRequest": { - "type": "string" - }, - "memLimit": { - "type": "string" - }, - "memRequest": { - "type": "string" - }, - "ephemeralLimit": { - "type": "string" - }, - "ephemeralRequest": { - "type": "string" - }, - "template": { - "type": 
"string" - }, - "templateConfig": { - "type": "object", - "properties": { - "exitOnRetryFailure": { - "type": "boolean" - }, - "staticSecretRenderInterval": { - "type": "string" - } - } - } - } - }, - "agentImage": { - "type": "object", - "properties": { - "repository": { - "type": "string" - }, - "tag": { - "type": "string" - } - } - }, - "annotations": { - "type": [ - "object", - "string" - ] - }, - "authPath": { - "type": "string" - }, - "certs": { - "type": "object", - "properties": { - "caBundle": { - "type": "string" - }, - "certName": { - "type": "string" - }, - "keyName": { - "type": "string" - }, - "secretName": { - "type": [ - "null", - "string" - ] - } - } - }, - "enabled": { - "type": [ - "boolean", - "string" - ] - }, - "externalVaultAddr": { - "type": "string" - }, - "extraEnvironmentVars": { - "type": "object" - }, - "extraLabels": { - "type": "object" - }, - "failurePolicy": { - "type": "string" - }, - "hostNetwork": { - "type": "boolean" - }, - "image": { - "type": "object", - "properties": { - "pullPolicy": { - "type": "string" - }, - "repository": { - "type": "string" - }, - "tag": { - "type": "string" - } - } - }, - "leaderElector": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "livenessProbe": { - "type": "object", - "properties": { - "failureThreshold": { - "type": "integer" - }, - "initialDelaySeconds": { - "type": "integer" - }, - "periodSeconds": { - "type": "integer" - }, - "successThreshold": { - "type": "integer" - }, - "timeoutSeconds": { - "type": "integer" - } - } - }, - "logFormat": { - "type": "string" - }, - "logLevel": { - "type": "string" - }, - "metrics": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "namespaceSelector": { - "type": "object" - }, - "nodeSelector": { - "type": [ - "null", - "object", - "string" - ] - }, - "objectSelector": { - "type": [ - "object", - "string" - ] - }, - "podDisruptionBudget": { - "type": "object" - }, - 
"port": { - "type": "integer" - }, - "priorityClassName": { - "type": "string" - }, - "readinessProbe": { - "type": "object", - "properties": { - "failureThreshold": { - "type": "integer" - }, - "initialDelaySeconds": { - "type": "integer" - }, - "periodSeconds": { - "type": "integer" - }, - "successThreshold": { - "type": "integer" - }, - "timeoutSeconds": { - "type": "integer" - } - } - }, - "replicas": { - "type": "integer" - }, - "resources": { - "type": "object" - }, - "revokeOnShutdown": { - "type": "boolean" - }, - "securityContext": { - "type": "object", - "properties": { - "container": { - "type": [ - "object", - "string" - ] - }, - "pod": { - "type": [ - "object", - "string" - ] - } - } - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": [ - "object", - "string" - ] - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": [ - "object", - "string" - ] - } - } - }, - "startupProbe": { - "type": "object", - "properties": { - "failureThreshold": { - "type": "integer" - }, - "initialDelaySeconds": { - "type": "integer" - }, - "periodSeconds": { - "type": "integer" - }, - "successThreshold": { - "type": "integer" - }, - "timeoutSeconds": { - "type": "integer" - } - } - }, - "strategy": { - "type": [ - "object", - "string" - ] - }, - "tolerations": { - "type": [ - "null", - "array", - "string" - ] - }, - "topologySpreadConstraints": { - "type": [ - "null", - "array", - "string" - ] - }, - "webhook": { - "type": "object", - "properties": { - "annotations": { - "type": [ - "object", - "string" - ] - }, - "failurePolicy": { - "type": "string" - }, - "matchPolicy": { - "type": "string" - }, - "namespaceSelector": { - "type": "object" - }, - "objectSelector": { - "type": [ - "object", - "string" - ] - }, - "timeoutSeconds": { - "type": "integer" - } - } - }, - "webhookAnnotations": { - "type": [ - "object", - "string" - ] - } - } - }, - "server": { - "type": "object", - "properties": { - 
"affinity": { - "type": [ - "object", - "string" - ] - }, - "annotations": { - "type": [ - "object", - "string" - ] - }, - "auditStorage": { - "type": "object", - "properties": { - "accessMode": { - "type": "string" - }, - "annotations": { - "type": [ - "object", - "string" - ] - }, - "enabled": { - "type": [ - "boolean", - "string" - ] - }, - "labels": { - "type": [ - "object", - "string" - ] - }, - "mountPath": { - "type": "string" - }, - "size": { - "type": "string" - }, - "storageClass": { - "type": [ - "null", - "string" - ] - } - } - }, - "authDelegator": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "configAnnotation": { - "type": "boolean" - }, - "dataStorage": { - "type": "object", - "properties": { - "accessMode": { - "type": "string" - }, - "annotations": { - "type": [ - "object", - "string" - ] - }, - "enabled": { - "type": [ - "boolean", - "string" - ] - }, - "labels": { - "type": [ - "object", - "string" - ] - }, - "mountPath": { - "type": "string" - }, - "size": { - "type": "string" - }, - "storageClass": { - "type": [ - "null", - "string" - ] - } - } - }, - "dev": { - "type": "object", - "properties": { - "devRootToken": { - "type": "string" - }, - "enabled": { - "type": "boolean" - } - } - }, - "enabled": { - "type": [ - "boolean", - "string" - ] - }, - "enterpriseLicense": { - "type": "object", - "properties": { - "secretKey": { - "type": "string" - }, - "secretName": { - "type": "string" - } - } - }, - "extraArgs": { - "type": "string" - }, - "extraContainers": { - "type": [ - "null", - "array" - ] - }, - "extraEnvironmentVars": { - "type": "object" - }, - "extraInitContainers": { - "type": [ - "null", - "array" - ] - }, - "extraLabels": { - "type": "object" - }, - "extraPorts": { - "type": [ - "null", - "array" - ] - }, - "extraSecretEnvironmentVars": { - "type": "array" - }, - "extraVolumes": { - "type": "array" - }, - "ha": { - "type": "object", - "properties": { - "apiAddr": { - "type": [ - "null", 
- "string" - ] - }, - "clusterAddr": { - "type": [ - "null", - "string" - ] - }, - "config": { - "type": [ - "string", - "object" - ] - }, - "disruptionBudget": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxUnavailable": { - "type": [ - "null", - "integer" - ] - } - } - }, - "enabled": { - "type": "boolean" - }, - "raft": { - "type": "object", - "properties": { - "config": { - "type": [ - "string", - "object" - ] - }, - "enabled": { - "type": "boolean" - }, - "setNodeId": { - "type": "boolean" - } - } - }, - "replicas": { - "type": "integer" - } - } - }, - "hostAliases": { - "type": "array" - }, - "hostNetwork": { - "type": "boolean" - }, - "image": { - "type": "object", - "properties": { - "pullPolicy": { - "type": "string" - }, - "repository": { - "type": "string" - }, - "tag": { - "type": "string" - } - } - }, - "ingress": { - "type": "object", - "properties": { - "activeService": { - "type": "boolean" - }, - "annotations": { - "type": [ - "object", - "string" - ] - }, - "enabled": { - "type": "boolean" - }, - "extraPaths": { - "type": "array" - }, - "hosts": { - "type": "array", - "items": { - "type": "object", - "properties": { - "host": { - "type": "string" - }, - "paths": { - "type": "array" - } - } - } - }, - "ingressClassName": { - "type": "string" - }, - "labels": { - "type": "object" - }, - "pathType": { - "type": "string" - }, - "tls": { - "type": "array" - } - } - }, - "livenessProbe": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "execCommand": { - "type": "array" - }, - "failureThreshold": { - "type": "integer" - }, - "initialDelaySeconds": { - "type": "integer" - }, - "path": { - "type": "string" - }, - "periodSeconds": { - "type": "integer" - }, - "port": { - "type": "integer" - }, - "successThreshold": { - "type": "integer" - }, - "timeoutSeconds": { - "type": "integer" - } - } - }, - "logFormat": { - "type": "string" - }, - "logLevel": { - "type": "string" - }, - 
"networkPolicy": { - "type": "object", - "properties": { - "egress": { - "type": "array" - }, - "enabled": { - "type": "boolean" - }, - "ingress": { - "type": "array" - } - } - }, - "nodeSelector": { - "type": [ - "null", - "object", - "string" - ] - }, - "persistentVolumeClaimRetentionPolicy": { - "type": "object", - "properties": { - "whenDeleted": { - "type": "string" - }, - "whenScaled": { - "type": "string" - } - } - }, - "postStart": { - "type": "array" - }, - "preStopSleepSeconds": { - "type": "integer" - }, - "priorityClassName": { - "type": "string" - }, - "readinessProbe": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "failureThreshold": { - "type": "integer" - }, - "initialDelaySeconds": { - "type": "integer" - }, - "periodSeconds": { - "type": "integer" - }, - "port": { - "type": "integer" - }, - "successThreshold": { - "type": "integer" - }, - "timeoutSeconds": { - "type": "integer" - } - } - }, - "resources": { - "type": "object" - }, - "route": { - "type": "object", - "properties": { - "activeService": { - "type": "boolean" - }, - "annotations": { - "type": [ - "object", - "string" - ] - }, - "enabled": { - "type": "boolean" - }, - "host": { - "type": "string" - }, - "labels": { - "type": "object" - }, - "tls": { - "type": "object" - } - } - }, - "service": { - "type": "object", - "properties": { - "active": { - "type": "object", - "properties": { - "annotations": { - "type": [ - "object", - "string" - ] - }, - "enabled": { - "type": "boolean" - } - } - }, - "activeNodePort": { - "type": "integer" - }, - "annotations": { - "type": [ - "object", - "string" - ] - }, - "enabled": { - "type": "boolean" - }, - "externalTrafficPolicy": { - "type": "string" - }, - "instanceSelector": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "ipFamilies": { - "type": "array" - }, - "ipFamilyPolicy": { - "type": "string" - }, - "nodePort": { - "type": "integer" - }, - "port": { - "type": 
"integer" - }, - "publishNotReadyAddresses": { - "type": "boolean" - }, - "standby": { - "type": "object", - "properties": { - "annotations": { - "type": [ - "object", - "string" - ] - }, - "enabled": { - "type": "boolean" - } - } - }, - "standbyNodePort": { - "type": "integer" - }, - "targetPort": { - "type": "integer" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": [ - "object", - "string" - ] - }, - "create": { - "type": "boolean" - }, - "createSecret": { - "type": "boolean" - }, - "extraLabels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "serviceDiscovery": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - } - } - }, - "shareProcessNamespace": { - "type": "boolean" - }, - "standalone": { - "type": "object", - "properties": { - "config": { - "type": [ - "string", - "object" - ] - }, - "enabled": { - "type": [ - "string", - "boolean" - ] - } - } - }, - "statefulSet": { - "type": "object", - "properties": { - "annotations": { - "type": [ - "object", - "string" - ] - }, - "securityContext": { - "type": "object", - "properties": { - "container": { - "type": [ - "object", - "string" - ] - }, - "pod": { - "type": [ - "object", - "string" - ] - } - } - } - } - }, - "terminationGracePeriodSeconds": { - "type": "integer" - }, - "tolerations": { - "type": [ - "null", - "array", - "string" - ] - }, - "topologySpreadConstraints": { - "type": [ - "null", - "array", - "string" - ] - }, - "updateStrategyType": { - "type": "string" - }, - "volumeMounts": { - "type": [ - "null", - "array" - ] - }, - "volumes": { - "type": [ - "null", - "array" - ] - } - } - }, - "serverTelemetry": { - "type": "object", - "properties": { - "prometheusRules": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "rules": { - "type": "array" - }, - "selectors": { - "type": "object" - } - } - }, - "serviceMonitor": { - "type": "object", - "properties": { - 
"enabled": { - "type": "boolean" - }, - "interval": { - "type": "string" - }, - "scrapeTimeout": { - "type": "string" - }, - "selectors": { - "type": "object" - } - } - } - } - }, - "ui": { - "type": "object", - "properties": { - "activeVaultPodOnly": { - "type": "boolean" - }, - "annotations": { - "type": [ - "object", - "string" - ] - }, - "enabled": { - "type": [ - "boolean", - "string" - ] - }, - "externalPort": { - "type": "integer" - }, - "externalTrafficPolicy": { - "type": "string" - }, - "publishNotReadyAddresses": { - "type": "boolean" - }, - "serviceIPFamilies": { - "type": "array" - }, - "serviceIPFamilyPolicy": { - "type": "string" - }, - "serviceNodePort": { - "type": [ - "null", - "integer" - ] - }, - "serviceType": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - } -}
diff --git a/charts/partners/mgoerens/testproject2/0.28.5/src/values.yaml b/charts/partners/mgoerens/testproject2/0.28.5/src/values.yaml
deleted file mode 100644
index 7fab7b545..000000000
--- a/charts/partners/mgoerens/testproject2/0.28.5/src/values.yaml
+++ /dev/null
@@ -1,1186 +0,0 @@
-# Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: MPL-2.0
-
-# Available parameters and their default values for the Vault chart.
-
-global:
- # enabled is the master enabled switch. Setting this to true or false
- # will enable or disable all the components within this chart by default.
- enabled: true
- # The namespace to deploy to. Defaults to the `helm` installation namespace.
- namespace: ""
- # Image pull secret to use for registry authentication.
- # Alternatively, the value may be specified as an array of strings.
- imagePullSecrets: []
- # imagePullSecrets:
- # - name: image-pull-secret
-
- # TLS for end-to-end encrypted transport
- tlsDisable: true
- # External vault server address for the injector and CSI provider to use.
- # Setting this will disable deployment of a vault server.
- externalVaultAddr: ""
- # If deploying to OpenShift
- openshift: true
- # Create PodSecurityPolicy for pods
- psp:
- enable: false
- # Annotation for PodSecurityPolicy.
- # This is a multi-line templated string map, and can also be set as YAML.
- annotations: |
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
- apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
- seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
- apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
- serverTelemetry:
- # Enable integration with the Prometheus Operator
- # See the top level serverTelemetry section below before enabling this feature.
- prometheusOperator: false
-injector:
- # True if you want to enable vault agent injection.
- # @default: global.enabled
- enabled: "-"
- replicas: 1
- # Configures the port the injector should listen on
- port: 8080
- # If multiple replicas are specified, by default a leader will be determined
- # so that only one injector attempts to create TLS certificates.
- leaderElector:
- enabled: true
- # If true, will enable a node exporter metrics endpoint at /metrics.
- metrics:
- enabled: false
- # Deprecated: Please use global.externalVaultAddr instead.
- externalVaultAddr: ""
- # image sets the repo and tag of the vault-k8s image to use for the injector.
- image:
- repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
- tag: "1.4.1-ubi"
- pullPolicy: IfNotPresent
- # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
- # containers. This should be set to the official Vault image. Vault 1.3.1+ is
- # required.
- agentImage:
- repository: "registry.connect.redhat.com/hashicorp/vault"
- tag: "1.16.1-ubi"
- # The default values for the injected Vault Agent containers.
- agentDefaults:
- # For more information on configuring resources, see the K8s documentation:
- # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
- cpuLimit: "500m"
- cpuRequest: "250m"
- memLimit: "128Mi"
- memRequest: "64Mi"
- # ephemeralLimit: "128Mi"
- # ephemeralRequest: "64Mi"
-
- # Default template type for secrets when no custom template is specified.
- # Possible values include: "json" and "map".
- template: "map"
- # Default values within Agent's template_config stanza.
- templateConfig:
- exitOnRetryFailure: true
- staticSecretRenderInterval: ""
- # Used to define custom livenessProbe settings
- livenessProbe:
- # When a probe fails, Kubernetes will try failureThreshold times before giving up
- failureThreshold: 2
- # Number of seconds after the container has started before probe initiates
- initialDelaySeconds: 5
- # How often (in seconds) to perform the probe
- periodSeconds: 2
- # Minimum consecutive successes for the probe to be considered successful after having failed
- successThreshold: 1
- # Number of seconds after which the probe times out.
- timeoutSeconds: 5
- # Used to define custom readinessProbe settings
- readinessProbe:
- # When a probe fails, Kubernetes will try failureThreshold times before giving up
- failureThreshold: 2
- # Number of seconds after the container has started before probe initiates
- initialDelaySeconds: 5
- # How often (in seconds) to perform the probe
- periodSeconds: 2
- # Minimum consecutive successes for the probe to be considered successful after having failed
- successThreshold: 1
- # Number of seconds after which the probe times out.
- timeoutSeconds: 5
- # Used to define custom startupProbe settings
- startupProbe:
- # When a probe fails, Kubernetes will try failureThreshold times before giving up
- failureThreshold: 12
- # Number of seconds after the container has started before probe initiates
- initialDelaySeconds: 5
- # How often (in seconds) to perform the probe
- periodSeconds: 5
- # Minimum consecutive successes for the probe to be considered successful after having failed
- successThreshold: 1
- # Number of seconds after which the probe times out.
- timeoutSeconds: 5
- # Mount Path of the Vault Kubernetes Auth Method.
- authPath: "auth/kubernetes"
- # Configures the log verbosity of the injector.
- # Supported log levels include: trace, debug, info, warn, error
- logLevel: "info"
- # Configures the log format of the injector. Supported log formats: "standard", "json".
- logFormat: "standard"
- # Configures all Vault Agent sidecars to revoke their token when shutting down
- revokeOnShutdown: false
- webhook:
- # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
- # API Version of the WebHook.
- # To block pod creation while the webhook is unavailable, set the policy to `Fail` below.
- # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
- #
- failurePolicy: Ignore
- # matchPolicy specifies the approach to accepting changes based on the rules of
- # the MutatingWebhookConfiguration.
- # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy
- # for more details.
- #
- matchPolicy: Exact
- # timeoutSeconds is the amount of seconds before the webhook request will be ignored
- # or fails.
- # If it is ignored or fails depends on the failurePolicy
- # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts
- # for more details.
- #
- timeoutSeconds: 30
- # namespaceSelector is the selector for restricting the webhook to only
- # specific namespaces.
- # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
- # for more details.
- # Example:
- # namespaceSelector:
- # matchLabels:
- # sidecar-injector: enabled
- namespaceSelector: {}
- # objectSelector is the selector for restricting the webhook to only
- # specific labels.
- # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
- # for more details.
- # Example:
- # objectSelector:
- # matchLabels:
- # vault-sidecar-injector: enabled
- objectSelector: |
- matchExpressions:
- - key: app.kubernetes.io/name
- operator: NotIn
- values:
- - {{ template "vault.name" . }}-agent-injector
- # Extra annotations to attach to the webhook
- annotations: {}
- # Deprecated: please use 'webhook.failurePolicy' instead
- # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
- # API Version of the WebHook.
- # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
- # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
- #
- failurePolicy: Ignore
- # Deprecated: please use 'webhook.namespaceSelector' instead
- # namespaceSelector is the selector for restricting the webhook to only
- # specific namespaces.
- # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
- # for more details.
- # Example:
- # namespaceSelector:
- # matchLabels:
- # sidecar-injector: enabled
- namespaceSelector: {}
- # Deprecated: please use 'webhook.objectSelector' instead
- # objectSelector is the selector for restricting the webhook to only
- # specific labels.
- # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
- # for more details.
- # Example:
- # objectSelector:
- # matchLabels:
- # vault-sidecar-injector: enabled
- objectSelector: {}
- # Deprecated: please use 'webhook.annotations' instead
- # Extra annotations to attach to the webhook
- webhookAnnotations: {}
- certs:
- # secretName is the name of the secret that has the TLS certificate and
- # private key to serve the injector webhook. If this is null, then the
- # injector will default to its automatic management mode that will assign
- # a service account to the injector to generate its own certificates.
- secretName: null
- # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA
- # that signed the TLS certificate that the webhook serves. This must be set
- # if secretName is non-null unless an external service like cert-manager is
- # keeping the caBundle updated.
- caBundle: ""
- # certName and keyName are the names of the files within the secret for
- # the TLS cert and private key, respectively. These have reasonable
- # defaults but can be customized if necessary.
- certName: tls.crt
- keyName: tls.key
- # Security context for the pod template and the injector container
- # The default pod securityContext is:
- # runAsNonRoot: true
- # runAsGroup: {{ .Values.injector.gid | default 1000 }}
- # runAsUser: {{ .Values.injector.uid | default 100 }}
- # fsGroup: {{ .Values.injector.gid | default 1000 }}
- # and for container is
- # allowPrivilegeEscalation: false
- # capabilities:
- # drop:
- # - ALL
- securityContext:
- pod: {}
- container: {}
- resources: {}
- # resources:
- # requests:
- # memory: 256Mi
- # cpu: 250m
- # limits:
- # memory: 256Mi
- # cpu: 250m
-
- # extraEnvironmentVars is a list of extra environment variables to set in the
- # injector deployment.
- extraEnvironmentVars: {}
- # KUBERNETES_SERVICE_HOST: kubernetes.default.svc
-
- # Affinity Settings for injector pods
- # This can either be a multi-line string or YAML matching the PodSpec's affinity field.
- # Commenting out or setting as empty the affinity variable, will allow
- # deployment of multiple replicas to single node services such as Minikube.
- affinity: |
- podAntiAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
- app.kubernetes.io/instance: "{{ .Release.Name }}"
- component: webhook
- topologyKey: kubernetes.io/hostname
- # Topology settings for injector pods
- # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
- # This should be either a multi-line string or YAML matching the topologySpreadConstraints array
- # in a PodSpec.
- topologySpreadConstraints: []
- # Toleration Settings for injector pods
- # This should be either a multi-line string or YAML matching the Toleration array
- # in a PodSpec.
- tolerations: []
- # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map.
- # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
- # Example:
- # nodeSelector:
- # beta.kubernetes.io/arch: amd64
- nodeSelector: {}
- # Priority class for injector pods
- priorityClassName: ""
- # Extra annotations to attach to the injector pods
- # This can either be YAML or a YAML-formatted multi-line templated string map
- # of the annotations to apply to the injector pods
- annotations: {}
- # Extra labels to attach to the agent-injector
- # This should be a YAML map of the labels to apply to the injector
- extraLabels: {}
- # Should the injector pods run on the host network (useful when using
- # an alternate CNI in EKS)
- hostNetwork: false
- # Injector service specific config
- service:
- # Extra annotations to attach to the injector service
- annotations: {}
- # Injector serviceAccount specific config
- serviceAccount:
- # Extra annotations to attach to the injector serviceAccount
- annotations: {}
- # A disruption budget limits the number of pods of a replicated application
- # that are down simultaneously from voluntary disruptions
- podDisruptionBudget: {}
- # podDisruptionBudget:
- # maxUnavailable: 1
-
- # strategy for updating the deployment. This can be a multi-line string or a
- # YAML map.
- strategy: {}
- # strategy: |
- # rollingUpdate:
- # maxSurge: 25%
- # maxUnavailable: 25%
- # type: RollingUpdate
-server:
- # If true, or "-" with global.enabled true, Vault server will be installed.
- # See vault.mode in _helpers.tpl for implementation details.
- enabled: "-"
- # [Enterprise Only] This value refers to a Kubernetes secret that you have
- # created that contains your enterprise license. If you are not using an
- # enterprise image or if you plan to introduce the license key via another
- # route, then leave secretName blank ("") or set it to null.
- # Requires Vault Enterprise 1.8 or later.
- enterpriseLicense:
- # The name of the Kubernetes secret that holds the enterprise license. The
- # secret must be in the same namespace that Vault is installed into.
- secretName: ""
- # The key within the Kubernetes secret that holds the enterprise license.
- secretKey: "license"
- # Resource requests, limits, etc. for the server cluster placement. This
- # should map directly to the value of the resources field for a PodSpec.
- # By default no direct resource request is made.
- image:
- repository: "registry.connect.redhat.com/hashicorp/vault"
- tag: "1.16.1-ubi"
- # Overrides the default Image Pull Policy
- pullPolicy: IfNotPresent
- # Configure the Update Strategy Type for the StatefulSet
- # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
- updateStrategyType: "OnDelete"
- # Configure the logging verbosity for the Vault server.
- # Supported log levels include: trace, debug, info, warn, error
- logLevel: ""
- # Configure the logging format for the Vault server.
- # Supported log formats include: standard, json
- logFormat: ""
- resources: {}
- # resources:
- # requests:
- # memory: 256Mi
- # cpu: 250m
- # limits:
- # memory: 256Mi
- # cpu: 250m
-
- # Ingress allows ingress services to be created to allow external access
- # from Kubernetes to access Vault pods.
- # If deployment is on OpenShift, the following block is ignored.
- # In order to expose the service, use the route section below
- ingress:
- enabled: false
- labels: {}
- # traffic: external
- annotations: {}
- # |
- # kubernetes.io/ingress.class: nginx
- # kubernetes.io/tls-acme: "true"
- # or
- # kubernetes.io/ingress.class: nginx
- # kubernetes.io/tls-acme: "true"
-
- # Optionally use ingressClassName instead of deprecated annotation.
- # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation
- ingressClassName: ""
- # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases.
- # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values.
- pathType: Prefix
- # When HA mode is enabled and K8s service registration is being used,
- # configure the ingress to point to the Vault active service.
- activeService: true
- hosts:
- - host: chart-example.local
- paths: []
- ## Extra paths to prepend to the host configuration. This is useful when working with annotation based services.
- extraPaths: []
- # - path: /*
- # backend:
- # service:
- # name: ssl-redirect
- # port:
- # number: use-annotation
- tls: []
- # - secretName: chart-example-tls
- # hosts:
- # - chart-example.local
- # hostAliases is a list of aliases to be added to /etc/hosts. Specified as a YAML list.
- hostAliases: []
- # - ip: 127.0.0.1
- # hostnames:
- # - chart-example.local
-
- # OpenShift only - create a route to expose the service
- # By default the created route will be of type passthrough
- route:
- enabled: false
- # When HA mode is enabled and K8s service registration is being used,
- # configure the route to point to the Vault active service.
- activeService: true
- labels: {}
- annotations: {}
- host: chart-example.local
- # tls will be passed directly to the route's TLS config, which
- # can be used to configure other termination methods that terminate
- # TLS at the router
- tls:
- termination: passthrough
- # authDelegator enables a cluster role binding to be attached to the service
- # account. This cluster role binding can be used to setup Kubernetes auth
- # method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes
- authDelegator:
- enabled: true
- # extraInitContainers is a list of init containers. Specified as a YAML list.
- # This is useful if you need to run a script to provision TLS certificates or
- # write out configuration files in a dynamic way.
- extraInitContainers: null
- # # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder,
- # # which is defined in the volumes value.
- # - name: oauthapp
- # image: "alpine"
- # command: [sh, -c]
- # args:
- # - cd /tmp &&
- # wget https://github.com/puppetlabs/vault-plugin-secrets-oauthapp/releases/download/v1.2.0/vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64.tar.xz -O oauthapp.xz &&
- # tar -xf oauthapp.xz &&
- # mv vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64 /usr/local/libexec/vault/oauthapp &&
- # chmod +x /usr/local/libexec/vault/oauthapp
- # volumeMounts:
- # - name: plugins
- # mountPath: /usr/local/libexec/vault
-
- # extraContainers is a list of sidecar containers. Specified as a YAML list.
- extraContainers: null
- # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
- # This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation
- shareProcessNamespace: false
- # extraArgs is a string containing additional Vault server arguments.
- extraArgs: ""
- # extraPorts is a list of extra ports. Specified as a YAML list.
- # This is useful if you need to add additional ports to the statefulset in dynamic way.
- extraPorts: null
- # - containerPort: 8300
- # name: http-monitoring
-
- # Used to define custom readinessProbe settings
- readinessProbe:
- enabled: true
- # If you need to use a http path instead of the default exec
- # path: /v1/sys/health?standbyok=true
-
- # Port number on which readinessProbe will be checked.
- port: 8200
- # When a probe fails, Kubernetes will try failureThreshold times before giving up
- failureThreshold: 2
- # Number of seconds after the container has started before probe initiates
- initialDelaySeconds: 5
- # How often (in seconds) to perform the probe
- periodSeconds: 5
- # Minimum consecutive successes for the probe to be considered successful after having failed
- successThreshold: 1
- # Number of seconds after which the probe times out.
- timeoutSeconds: 3
- path: "/v1/sys/health?uninitcode=204"
- # Used to enable a livenessProbe for the pods
- livenessProbe:
- enabled: false
- # Used to define a liveness exec command. If provided, exec is preferred to httpGet (path) as the livenessProbe handler.
- execCommand: []
- # - /bin/sh
- # - -c
- # - /vault/userconfig/mylivenessscript/run.sh
- # Path for the livenessProbe to use httpGet as the livenessProbe handler
- path: "/v1/sys/health?standbyok=true"
- # Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler
- port: 8200
- # When a probe fails, Kubernetes will try failureThreshold times before giving up
- failureThreshold: 2
- # Number of seconds after the container has started before probe initiates
- initialDelaySeconds: 60
- # How often (in seconds) to perform the probe
- periodSeconds: 5
- # Minimum consecutive successes for the probe to be considered successful after having failed
- successThreshold: 1
- # Number of seconds after which the probe times out.
- timeoutSeconds: 3
- # Optional duration in seconds the pod needs to terminate gracefully.
- # See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
- terminationGracePeriodSeconds: 10
- # Used to set the sleep time during the preStop step
- preStopSleepSeconds: 5
- # Used to define commands to run after the pod is ready.
- # This can be used to automate processes such as initialization
- # or boostrapping auth methods.
- postStart: []
- # - /bin/sh
- # - -c
- # - /vault/userconfig/myscript/run.sh
-
- # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
- # used to include variables required for auto-unseal.
- extraEnvironmentVars: {}
- # GOOGLE_REGION: global
- # GOOGLE_PROJECT: myproject
- # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
-
- # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
- # These variables take value from existing Secret objects.
- extraSecretEnvironmentVars: []
- # - envName: AWS_SECRET_ACCESS_KEY
- # secretName: vault
- # secretKey: AWS_SECRET_ACCESS_KEY
-
- # Deprecated: please use 'volumes' instead.
- # extraVolumes is a list of extra volumes to mount. These will be exposed
- # to Vault in the path `/vault/userconfig//`. The value below is
- # an array of objects, examples are shown below.
- extraVolumes: []
- # - type: secret (or "configMap")
- # name: my-secret
- # path: null # default is `/vault/userconfig`
-
- # volumes is a list of volumes made available to all containers. These are rendered
- # via toYaml rather than pre-processed like the extraVolumes value.
- # The purpose is to make it easy to share volumes between containers.
- volumes: null
- # - name: plugins
- # emptyDir: {}
-
- # volumeMounts is a list of volumeMounts for the main server container. These are rendered
- # via toYaml rather than pre-processed like the extraVolumes value.
- # The purpose is to make it easy to share volumes between containers.
- volumeMounts: null
- # - mountPath: /usr/local/libexec/vault
- # name: plugins
- # readOnly: true
-
- # Affinity Settings
- # Commenting out or setting as empty the affinity variable, will allow
- # deployment to single node services such as Minikube
- # This should be either a multi-line string or YAML matching the PodSpec's affinity field.
- affinity: |
- podAntiAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/name: {{ template "vault.name" . }}
- app.kubernetes.io/instance: "{{ .Release.Name }}"
- component: server
- topologyKey: kubernetes.io/hostname
- # Topology settings for server pods
- # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
- # This should be either a multi-line string or YAML matching the topologySpreadConstraints array
- # in a PodSpec.
- topologySpreadConstraints: []
- # Toleration Settings for server pods
- # This should be either a multi-line string or YAML matching the Toleration array
- # in a PodSpec.
- tolerations: []
- # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map.
- # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
- # Example:
- # nodeSelector:
- # beta.kubernetes.io/arch: amd64
- nodeSelector: {}
- # Enables network policy for server pods
- networkPolicy:
- enabled: false
- egress: []
- # egress:
- # - to:
- # - ipBlock:
- # cidr: 10.0.0.0/24
- # ports:
- # - protocol: TCP
- # port: 443
- ingress:
- - from:
- - namespaceSelector: {}
- ports:
- - port: 8200
- protocol: TCP
- - port: 8201
- protocol: TCP
- # Priority class for server pods
- priorityClassName: ""
- # Extra labels to attach to the server pods
- # This should be a YAML map of the labels to apply to the server pods
- extraLabels: {}
- # Extra annotations to attach to the server pods
- # This can either be YAML or a YAML-formatted multi-line templated string map
- # of the annotations to apply to the server pods
- annotations: {}
- # Add an annotation to the server configmap and the statefulset pods,
- # vaultproject.io/config-checksum, that is a hash of the Vault configuration.
- # This can be used together with an OnDelete deployment strategy to help
- # identify which pods still need to be deleted during a deployment to pick up
- # any configuration changes.
- configAnnotation: false
- # Enables a headless service to be used by the Vault Statefulset
- service:
- enabled: true
- # Enable or disable the vault-active service, which selects Vault pods that
- # have labeled themselves as the cluster leader with `vault-active: "true"`.
- active:
- enabled: true
- # Extra annotations for the service definition. This can either be YAML or a
- # YAML-formatted multi-line templated string map of the annotations to apply
- # to the active service.
- annotations: {}
- # Enable or disable the vault-standby service, which selects Vault pods that
- # have labeled themselves as a cluster follower with `vault-active: "false"`.
- standby:
- enabled: true
- # Extra annotations for the service definition. This can either be YAML or a
- # YAML-formatted multi-line templated string map of the annotations to apply
- # to the standby service.
- annotations: {}
- # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}`
- # When disabled, services may select Vault pods not deployed from the chart.
- # Does not affect the headless vault-internal service with `ClusterIP: None`
- instanceSelector:
- enabled: true
- # clusterIP controls whether a Cluster IP address is attached to the
- # Vault service within Kubernetes. By default, the Vault service will
- # be given a Cluster IP address, set to None to disable. When disabled
- # Kubernetes will create a "headless" service. Headless services can be
- # used to communicate with pods directly through DNS instead of a round-robin
- # load balancer.
- # clusterIP: None
-
- # Configures the service type for the main Vault service. Can be ClusterIP
- # or NodePort.
- #type: ClusterIP
-
- # The IP family and IP families options are to set the behaviour in a dual-stack environment.
- # Omitting these values will let the service fall back to whatever the CNI dictates the defaults
- # should be.
- # These are only supported for kubernetes versions >=1.23.0
- #
- # Configures the service's supported IP family policy, can be either:
- # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
- # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service.
- # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges.
- ipFamilyPolicy: ""
- # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well.
- # Can be IPv4 and/or IPv6.
- ipFamilies: []
- # Do not wait for pods to be ready before including them in the services'
- # targets. Does not apply to the headless service, which is used for
- # cluster-internal communication.
- publishNotReadyAddresses: true
- # The externalTrafficPolicy can be set to either Cluster or Local
- # and is only valid for LoadBalancer and NodePort service types.
- # The default value is Cluster.
- # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
- externalTrafficPolicy: Cluster
- # If type is set to "NodePort", a specific nodePort value can be configured,
- # will be random if left blank.
- #nodePort: 30000
-
- # When HA mode is enabled
- # If type is set to "NodePort", a specific nodePort value can be configured,
- # will be random if left blank.
- #activeNodePort: 30001
-
- # When HA mode is enabled
- # If type is set to "NodePort", a specific nodePort value can be configured,
- # will be random if left blank.
- #standbyNodePort: 30002
-
- # Port on which Vault server is listening
- port: 8200
- # Target port to which the service should be mapped to
- targetPort: 8200
- # Extra annotations for the service definition. This can either be YAML or a
- # YAML-formatted multi-line templated string map of the annotations to apply
- # to the service.
- annotations: {}
- # This configures the Vault Statefulset to create a PVC for data
- # storage when using the file or raft backend storage engines.
- # See https://developer.hashicorp.com/vault/docs/configuration/storage to know more
- dataStorage:
- enabled: true
- # Size of the PVC created
- size: 10Gi
- # Location where the PVC will be mounted.
- mountPath: "/vault/data"
- # Name of the storage class to use. If null it will use the
- # configured default Storage Class.
- storageClass: null
- # Access Mode of the storage device being used for the PVC
- accessMode: ReadWriteOnce
- # Annotations to apply to the PVC
- annotations: {}
- # Labels to apply to the PVC
- labels: {}
- # Persistent Volume Claim (PVC) retention policy
- # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
- # Example:
- # persistentVolumeClaimRetentionPolicy:
- # whenDeleted: Retain
- # whenScaled: Retain
- persistentVolumeClaimRetentionPolicy: {}
- # This configures the Vault Statefulset to create a PVC for audit
- # logs. Once Vault is deployed, initialized, and unsealed, Vault must
- # be configured to use this for audit logs. This will be mounted to
- # /vault/audit
- # See https://developer.hashicorp.com/vault/docs/audit to know more
- auditStorage:
- enabled: false
- # Size of the PVC created
- size: 10Gi
- # Location where the PVC will be mounted.
- mountPath: "/vault/audit"
- # Name of the storage class to use. If null it will use the
- # configured default Storage Class.
- storageClass: null
- # Access Mode of the storage device being used for the PVC
- accessMode: ReadWriteOnce
- # Annotations to apply to the PVC
- annotations: {}
- # Labels to apply to the PVC
- labels: {}
- # Run Vault in "dev" mode. This requires no further setup, no state management,
- # and no initialization.
This is useful for experimenting with Vault without - # needing to unseal, store keys, et. al. All data is lost on restart - do not - # use dev mode for anything other than experimenting. - # See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more - dev: - enabled: false - # Set VAULT_DEV_ROOT_TOKEN_ID value - devRootToken: "root" - # Run Vault in "standalone" mode. This is the default mode that will deploy if - # no arguments are given to helm. This requires a PVC for data storage to use - # the "file" backend. This mode is not highly available and should not be scaled - # past a single replica. - standalone: - enabled: "-" - # config is a raw string of default configuration when using a Stateful - # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data - # and store data there. This is only used when using a Replica count of 1, and - # using a stateful set. This should be HCL. - - # Note: Configuration files are stored in ConfigMaps so sensitive data - # such as passwords should be either mounted through extraSecretEnvironmentVars - # or through a Kube secret. For more information see: - # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations - config: | - ui = true - - listener "tcp" { - tls_disable = 1 - address = "[::]:8200" - cluster_address = "[::]:8201" - # Enable unauthenticated metrics access (necessary for Prometheus Operator) - #telemetry { - # unauthenticated_metrics_access = "true" - #} - } - storage "file" { - path = "/vault/data" - } - - # Example configuration for using auto-unseal, using Google Cloud KMS. The - # GKMS keys must already exist, and the cluster must have a service account - # that is authorized to access GCP KMS. 
- #seal "gcpckms" { - # project = "vault-helm-dev" - # region = "global" - # key_ring = "vault-helm-unseal-kr" - # crypto_key = "vault-helm-unseal-key" - #} - - # Example configuration for enabling Prometheus metrics in your config. - #telemetry { - # prometheus_retention_time = "30s" - # disable_hostname = true - #} - # Run Vault in "HA" mode. There are no storage requirements unless the audit log - # persistence is required. In HA mode Vault will configure itself to use Consul - # for its storage backend. The default configuration provided will work the Consul - # Helm project by default. It is possible to manually configure Vault to use a - # different HA backend. - ha: - enabled: false - replicas: 3 - # Set the api_addr configuration for Vault HA - # See https://developer.hashicorp.com/vault/docs/configuration#api_addr - # If set to null, this will be set to the Pod IP Address - apiAddr: null - # Set the cluster_addr confuguration for Vault HA - # See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr - # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 - clusterAddr: null - # Enables Vault's integrated Raft storage. Unlike the typical HA modes where - # Vault's persistence is external (such as Consul), enabling Raft mode will create - # persistent volumes for Vault to store data according to the configuration under server.dataStorage. - # The Vault cluster will coordinate leader elections and failovers internally. - raft: - # Enables Raft integrated storage - enabled: false - # Set the Node Raft ID to the name of the pod - setNodeId: false - # Note: Configuration files are stored in ConfigMaps so sensitive data - # such as passwords should be either mounted through extraSecretEnvironmentVars - # or through a Kube secret. 
For more information see: - # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations - config: | - ui = true - - listener "tcp" { - tls_disable = 1 - address = "[::]:8200" - cluster_address = "[::]:8201" - # Enable unauthenticated metrics access (necessary for Prometheus Operator) - #telemetry { - # unauthenticated_metrics_access = "true" - #} - } - - storage "raft" { - path = "/vault/data" - } - - service_registration "kubernetes" {} - # config is a raw string of default configuration when using a Stateful - # deployment. Default is to use a Consul for its HA storage backend. - # This should be HCL. - - # Note: Configuration files are stored in ConfigMaps so sensitive data - # such as passwords should be either mounted through extraSecretEnvironmentVars - # or through a Kube secret. For more information see: - # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations - config: | - ui = true - - listener "tcp" { - tls_disable = 1 - address = "[::]:8200" - cluster_address = "[::]:8201" - } - storage "consul" { - path = "vault" - address = "HOST_IP:8500" - } - - service_registration "kubernetes" {} - - # Example configuration for using auto-unseal, using Google Cloud KMS. The - # GKMS keys must already exist, and the cluster must have a service account - # that is authorized to access GCP KMS. - #seal "gcpckms" { - # project = "vault-helm-dev-246514" - # region = "global" - # key_ring = "vault-helm-unseal-kr" - # crypto_key = "vault-helm-unseal-key" - #} - - # Example configuration for enabling Prometheus metrics. - # If you are using Prometheus Operator you can enable a ServiceMonitor resource below. - # You may wish to enable unauthenticated metrics in the listener block above. 
- #telemetry { - # prometheus_retention_time = "30s" - # disable_hostname = true - #} - # A disruption budget limits the number of pods of a replicated application - # that are down simultaneously from voluntary disruptions - disruptionBudget: - enabled: true - # maxUnavailable will default to (n/2)-1 where n is the number of - # replicas. If you'd like a custom value, you can specify an override here. - maxUnavailable: null - # Definition of the serviceAccount used to run Vault. - # These options are also used when using an external Vault server to validate - # Kubernetes tokens. - serviceAccount: - # Specifies whether a service account should be created - create: true - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - # Create a Secret API object to store a non-expiring token for the service account. - # Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default. - # Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible. - # For more details, see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets - # serviceAccount.create must be equal to 'true' in order to use this feature. - createSecret: false - # Extra annotations for the serviceAccount definition. This can either be - # YAML or a YAML-formatted multi-line templated string map of the - # annotations to apply to the serviceAccount. - annotations: {} - # Extra labels to attach to the serviceAccount - # This should be a YAML map of the labels to apply to the serviceAccount - extraLabels: {} - # Enable or disable a service account role binding with the permissions required for - # Vault's Kubernetes service_registration config option. 
- # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes - serviceDiscovery: - enabled: true - # Settings for the statefulSet used to run Vault. - statefulSet: - # Extra annotations for the statefulSet. This can either be YAML or a - # YAML-formatted multi-line templated string map of the annotations to apply - # to the statefulSet. - annotations: {} - # Set the pod and container security contexts. - # If not set, these will default to, and for *not* OpenShift: - # pod: - # runAsNonRoot: true - # runAsGroup: {{ .Values.server.gid | default 1000 }} - # runAsUser: {{ .Values.server.uid | default 100 }} - # fsGroup: {{ .Values.server.gid | default 1000 }} - # container: - # allowPrivilegeEscalation: false - # - # If not set, these will default to, and for OpenShift: - # pod: {} - # container: {} - securityContext: - pod: {} - container: {} - # Should the server pods run on the host network - hostNetwork: false -# Vault UI -ui: - # True if you want to create a Service entry for the Vault UI. - # - # serviceType can be used to control the type of service created. For - # example, setting this to "LoadBalancer" will create an external load - # balancer (for supported K8S installations) to access the UI. - enabled: false - publishNotReadyAddresses: true - # The service should only contain selectors for active Vault pod - activeVaultPodOnly: false - serviceType: "ClusterIP" - serviceNodePort: null - externalPort: 8200 - targetPort: 8200 - # The IP family and IP families options are to set the behaviour in a dual-stack environment. - # Omitting these values will let the service fall back to whatever the CNI dictates the defaults - # should be. - # These are only supported for kubernetes versions >=1.23.0 - # - # Configures the service's supported IP family, can be either: - # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. 
- # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. - # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. - serviceIPFamilyPolicy: "" - # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well - # Can be IPv4 and/or IPv6. - serviceIPFamilies: [] - # The externalTrafficPolicy can be set to either Cluster or Local - # and is only valid for LoadBalancer and NodePort service types. - # The default value is Cluster. - # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy - externalTrafficPolicy: Cluster - #loadBalancerSourceRanges: - # - 10.0.0.0/16 - # - 1.78.23.3/32 - - # loadBalancerIP: - - # Extra annotations to attach to the ui service - # This can either be YAML or a YAML-formatted multi-line templated string map - # of the annotations to apply to the ui service - annotations: {} -# secrets-store-csi-driver-provider-vault -csi: - # True if you want to install a secrets-store-csi-driver-provider-vault daemonset. - # - # Requires installing the secrets-store-csi-driver separately, see: - # https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver - # - # With the driver and provider installed, you can mount Vault secrets into volumes - # similar to the Vault Agent injector, and you can also sync those secrets into - # Kubernetes secrets. - enabled: false - image: - repository: "hashicorp/vault-csi-provider" - tag: "1.4.2" - pullPolicy: IfNotPresent - # volumes is a list of volumes made available to all containers. These are rendered - # via toYaml rather than pre-processed like the extraVolumes value. - # The purpose is to make it easy to share volumes between containers. - volumes: null - # - name: tls - # secret: - # secretName: vault-tls - - # volumeMounts is a list of volumeMounts for the main server container. 
These are rendered - # via toYaml rather than pre-processed like the extraVolumes value. - # The purpose is to make it easy to share volumes between containers. - volumeMounts: null - # - name: tls - # mountPath: "/vault/tls" - # readOnly: true - - resources: {} - # resources: - # requests: - # cpu: 50m - # memory: 128Mi - # limits: - # cpu: 50m - # memory: 128Mi - - # Override the default secret name for the CSI Provider's HMAC key used for - # generating secret versions. - hmacSecretName: "" - # Settings for the daemonSet used to run the provider. - daemonSet: - updateStrategy: - type: RollingUpdate - maxUnavailable: "" - # Extra annotations for the daemonSet. This can either be YAML or a - # YAML-formatted multi-line templated string map of the annotations to apply - # to the daemonSet. - annotations: {} - # Provider host path (must match the CSI provider's path) - providersDir: "/etc/kubernetes/secrets-store-csi-providers" - # Kubelet host path - kubeletRootDir: "/var/lib/kubelet" - # Extra labels to attach to the vault-csi-provider daemonSet - # This should be a YAML map of the labels to apply to the csi provider daemonSet - extraLabels: {} - # security context for the pod template and container in the csi provider daemonSet - securityContext: - pod: {} - container: {} - pod: - # Extra annotations for the provider pods. This can either be YAML or a - # YAML-formatted multi-line templated string map of the annotations to apply - # to the pod. - annotations: {} - # Toleration Settings for provider pods - # This should be either a multi-line string or YAML matching the Toleration array - # in a PodSpec. - tolerations: [] - # nodeSelector labels for csi pod assignment, formatted as a multi-line string or YAML map. 
- # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - # Example: - # nodeSelector: - # beta.kubernetes.io/arch: amd64 - nodeSelector: {} - # Affinity Settings - # This should be either a multi-line string or YAML matching the PodSpec's affinity field. - affinity: {} - # Extra labels to attach to the vault-csi-provider pod - # This should be a YAML map of the labels to apply to the csi provider pod - extraLabels: {} - agent: - enabled: true - extraArgs: [] - image: - repository: "hashicorp/vault" - tag: "1.16.1" - pullPolicy: IfNotPresent - logFormat: standard - logLevel: info - resources: {} - # resources: - # requests: - # memory: 256Mi - # cpu: 250m - # limits: - # memory: 256Mi - # cpu: 250m - # Priority class for csi pods - priorityClassName: "" - serviceAccount: - # Extra annotations for the serviceAccount definition. This can either be - # YAML or a YAML-formatted multi-line templated string map of the - # annotations to apply to the serviceAccount. - annotations: {} - # Extra labels to attach to the vault-csi-provider serviceAccount - # This should be a YAML map of the labels to apply to the csi provider serviceAccount - extraLabels: {} - # Used to configure readinessProbe for the pods. - readinessProbe: - # When a probe fails, Kubernetes will try failureThreshold times before giving up - failureThreshold: 2 - # Number of seconds after the container has started before probe initiates - initialDelaySeconds: 5 - # How often (in seconds) to perform the probe - periodSeconds: 5 - # Minimum consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - # Number of seconds after which the probe times out. - timeoutSeconds: 3 - # Used to configure livenessProbe for the pods. 
- livenessProbe: - # When a probe fails, Kubernetes will try failureThreshold times before giving up - failureThreshold: 2 - # Number of seconds after the container has started before probe initiates - initialDelaySeconds: 5 - # How often (in seconds) to perform the probe - periodSeconds: 5 - # Minimum consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - # Number of seconds after which the probe times out. - timeoutSeconds: 3 - # Enables debug logging. - debug: false - # Pass arbitrary additional arguments to vault-csi-provider. - # See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments - # for the available command line flags. - extraArgs: [] -# Vault is able to collect and publish various runtime metrics. -# Enabling this feature requires setting adding `telemetry{}` stanza to -# the Vault configuration. There are a few examples included in the `config` sections above. -# -# For more information see: -# https://developer.hashicorp.com/vault/docs/configuration/telemetry -# https://developer.hashicorp.com/vault/docs/internals/telemetry -serverTelemetry: - # Enable support for the Prometheus Operator. Currently, this chart does not support - # authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included - # in the `listener "tcp"{}` stanza - # telemetry { - # unauthenticated_metrics_access = "true" - # } - # - # See the `standalone.config` for a more complete example of this. - # - # In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration: - # - # example: - # telemetry { - # prometheus_retention_time = "30s" - # disable_hostname = true - # } - # - # Configuration for monitoring the Vault server. 
- serviceMonitor: - # The Prometheus operator *must* be installed before enabling this feature, - # if not the chart will fail to install due to missing CustomResourceDefinitions - # provided by the operator. - # - # Instructions on how to install the Helm chart can be found here: - # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack - # More information can be found here: - # https://github.com/prometheus-operator/prometheus-operator - # https://github.com/prometheus-operator/kube-prometheus - - # Enable deployment of the Vault Server ServiceMonitor CustomResource. - enabled: false - # Selector labels to add to the ServiceMonitor. - # When empty, defaults to: - # release: prometheus - selectors: {} - # Interval at which Prometheus scrapes metrics - interval: 30s - # Timeout for Prometheus scrapes - scrapeTimeout: 10s - prometheusRules: - # The Prometheus operator *must* be installed before enabling this feature, - # if not the chart will fail to install due to missing CustomResourceDefinitions - # provided by the operator. - - # Deploy the PrometheusRule custom resource for AlertManager based alerts. - # Requires that AlertManager is properly deployed. - enabled: false - # Selector labels to add to the PrometheusRules. - # When empty, defaults to: - # release: prometheus - selectors: {} - # Some example rules. - rules: [] - # - alert: vault-HighResponseTime - # annotations: - # message: The response time of Vault is over 500ms on average over the last 5 minutes. - # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 - # for: 5m - # labels: - # severity: warning - # - alert: vault-HighResponseTime - # annotations: - # message: The response time of Vault is over 1s on average over the last 5 minutes. - # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 - # for: 5m - # labels: - # severity: critical