* make staticSecretRenderInterval default to empty string

* update values schema to add staticSecretRenderInterval

* add test for default value

* adding changelog entry

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* No longer check for Vault team membership
* Tweak jira states and search parameters

Ports the bats unit, chart-verifier, and bats acceptance tests to use
github workflows and actions. The acceptance tests run using kind, and
run for multiple k8s versions, on pushes to the main branch.

Adds a SKIP_CSI env check in the CSI acceptance test, set in the
workflow if K8s version is less than 1.16.

Adds kubeAdmConfigPatches to the kind config to allow testing the CSI
provider on K8s versions prior to 1.21.

Updates the Secrets Store CSI driver to 1.0.0 in tests.

Makes the HA Vault tests more robust by waiting for all consul client
pods to be Ready, and waits with a timeout for Vault to start
responding as sealed (since the tests on GitHub runners were often
failing at that point).

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

Make terminationGracePeriodSeconds configurable for server pod

…icorp#661)

Co-authored-by: Jason Hancock <jhancock@netskope.com>

…rp#670)

Link to the discuss forum instead of the old google group and irc
channel. Add info about the CLA.

* Fix test typo

* Add basic server-test Pod tests

 - This covers all existing functionality that matches what's
   present in server-statefulset.bats

* Fix server-test helm hook Pod rendering

 - Properly adhere to the global.enabled flag and the presence of
   the injector.externalVaultAddr setting, the same way that
   the servers StatefulSet behaves

* Add volumes and env vars to helm hook test pod

 - Uses the same extraEnvironmentVars, volumes and volumeMounts set on
   the server statefulset to configure the Vault server test pod used by
   the helm test hook
 - This is necessary in situations where TLS is configured, but the
   certificates are not affiliated with the k8s CA / part of k8s PKI

 - Fixes hashicorpGH-665

* Add some tests on top of hashicorp#396

* convert server-route.yaml to unix newlines

* changelog

Co-authored-by: André Becker <andre@arestless.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Signed-off-by: Lionel H <me@nullbyte.be>

…hashicorp#683)

…corp#694)

…1.22 (hashicorp#692)

* Prepare default values for MutatingWebhookConfiguration hashicorp#691
* Add values.yaml values to injector-mutating-webhook.yaml hashicorp#691
* Duplicate and deprecate top-level webhook settings and put them in a webhook object
* Made the new values default with the fallback to the old values.yaml
* Fix _helpers.tpl to support both old and new webhook annotations
* Add new tests and deprecate old ones for injector webhook configuration
* Old tests now work with old values.yaml
* Add all new fields showing that they have priority over old ones
* Add deprecation note to injector.failurePolicy hashicorp#691

VAULT-571 Matching documented behavior and consul

Consul's helm template defaults most of the enabled to the special value
`"-"`, which means to inherit from global. This is what is implied
should happen in Vault as well according to the documentation for the
helm chart:

> [global.enabled] The master enabled/disabled configuration. If this is
> true, most components will be installed by default. If this is false,
> no components will be installed by default and manually opting-in is
> required, such as by setting server.enabled to true.

(https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled)

We also simplified the chart logic using a few template helpers.

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* tests: updating the four most recent k8s versions

* bump oldest version to 1.16

* docs, Chart.yaml, and changelog for 1.14 -> 1.16

Issue hashicorp#667, adding updates to the disruptionbudget to support new
non beta spec beyond kube 1.21

- As part of VAULT-571 / hashicorp#703 in 7109159, a new vault.serverEnabled
   template was added (and included in vault.mode)

   Various templates were updated accordingly, but those that were
   already calling vault.mode had an additonal call to
   vault.serverEnabled made which was unnecessary

   Remove those

…e… (hashicorp#709)

* Issue hashicorp#629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it

* Issue-hashicorp#629 removing extra whitespace I added accidently.

* Issue-hashicorp#629 fixing extra whitespace added.

* Update values.yaml

Co-authored-by: Joaco Muleiro Beltran <joaquinmuleirobeltran@gmail.com>

* Issue hashicorp#629 adding changelog

Co-authored-by: Joaco Muleiro Beltran <joaquinmuleirobeltran@gmail.com>

* VAULT-5838 Update CSI provider to 1.1.0

* Update test/acceptance/csi.bats

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

1.0.1+ seems to only support Kubernetes 1.19+, so we break support for
1.16 if we upgrade

* Implemented support for topology spread constraints

* Update values.yaml

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>

* Update values.yaml

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>

* Add topologySpreadConstraints to values schema

* Implement injector deployment topology spread UTs

* also remove string from the relevant schema types

* Implement injector statefulset topology spread UTs

* Implement injector HA statefulset topology UTs

* Allow topologySpreadConstraints to be a string

Co-authored-by: Ellis Tarn <ellistarn@gmail.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Co-authored-by: Christopher Swenson <swenson@swenson.io>

* Update the changelog with changes from 614 and 652

* Update CHANGELOG.md

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

Our tutorials rely on this service account being present even if we are
using an external Vault.

The `values.yaml` also states that external Vaults are expected to use
this service account.

For example,
https://learn.hashicorp.com/tutorials/vault/kubernetes-external-vault?in=vault/kubernetes#install-the-vault-helm-chart-configured-to-address-an-external-vault

…ashicorp#736)

Set default object selector for webhooks to exclude injector itself

If `injector.failurePolicy` is set to `Fail`, there is a race condition
where if the mutating webhook config is setup before the injector, then
the injector can fail to start because it tries to inject itself.

We can work around this by ignoring the injector pod in in the webhook
by default.

Thanks to @joeyslalom for the object selector to exclude the pod.

Fixes hashicorp/vault-k8s#258

Prepare for release 0.20.1

Improvements:
* `vault-k8s` updated to 0.16.1

CHANGES:
* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [hashicorpGH-737](hashicorp#737)
* Mutating webhook will no longer target the agent injector pod [hashicorpGH-736](hashicorp#736)

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Also add a features section to 0.20.0

Start testing against Kubernetes 1.24

Update .github/workflows/acceptance.yaml

Remove skip csi

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Review .helmignore file, ignore CI in chart

Allow the injector's pod- and container-level securityContext to be
fully specified by the user, via new options
`injector.securityContext.pod` and
`injector.securityContext.container` with more complete
defaults. Deprecates `injector.uid` and `injector.gid`.

If `injector.uid` or `injector.gid` are set by the user, the old pod
securityContext settings will be used. Otherwise the new defaults and
settings are used.

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Changelog and schema update for active/standby node port

Follow-up to hashicorp#610

Changelog updates for hashicorp#750, and json schema update.

csi/server.statefulset: custom security context

This adds flexibility to have custom pod template and container
`securityContext` and preserves current default values and behavior.

Fixes hashicorp#663.

This also is a way to address hashicorp#599
so that people can specify, for example, the CSI to run in a privileged
container for OpenShift.

This is a follow-up to hashicorp#750
and builds on the same principles.

Side note: I am not able to run `helm schema-gen` since it is
unmaintained and does not work with M1 Macs.

Prepare for 0.21.0 release

CHANGES:
* `vault-k8s` updated to 0.17.0. (this)
* `vault-csi-provider` updated to 1.2.0 (this)
* `vault` updated to 1.11.2 (this)
* Start testing against Kubernetes 1.24. [hashicorpGH-744](hashicorp#744)
* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [hashicorpGH-745](hashicorp#745)
* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [hashicorpGH-745](hashicorp#745)

Features:
* server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [hashicorpGH-767](hashicorp#767)
* csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [hashicorpGH-767](hashicorp#767)
* injector: Add `injector.securityContext` to override pod and container `securityContext`. [hashicorpGH-750](hashicorp#750) and [hashicorpGH-767](hashicorp#767)
* Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [hashicorpGH-610](hashicorp#610)
* Support for setting annotations on the injector's serviceAccount [hashicorpGH-753](hashicorp#753)

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

Since container is empty for openshift.

support collecting Vault server metrics by deploying PrometheusOperator
CustomResources.

Co-authored-by: Sam Weston <weston.sam@gmail.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Update vault-k8s to 1.0.0

Also update Kubernetes versions tested against, including adding 1.25

Update consul in tests for Kubernetes 1.25 support

Prepare for 0.21.1 release

* Update Vault to 1.11.3

Co-authored-by: hashicorp-copywrite[bot] <noreply@hashicorp.com>

* Prepare to release to 0.22.1

* Revert chart verifier update for now

* Remove unused jobs from CircleCI config

* Fix CircleCI config

* Add manual trigger option

…covery role (hashicorp#811)

…#813)

* swap helm charts call to GHA

* fix path for gh utility

Also in the telemetry test

* remove 1.16 from the versions tested in .github/workflows/acceptance.yaml as kind no longer supports creating a k8s 1.16 cluster
* update vault-helm's minimum support k8s version to 1.20 in README and Chart.yaml
* refactor server-ingress's templating and unit tests applied to k8s versions < 1.20

… add configurable startupProbe (hashicorp#852)

Test with latest kind k8s versions 1.22-1.26. Remove support for old
disruptionbudget and ingress APIs (pre 1.22).

Pin all actions to SHAs, and use the common jira sync.

Update the default Vault version to v1.13.1.

Update chart-verifier used in tests to 1.10.1, also add an openshift
name annotation to Chart.yaml (one of the required checks).

* Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset. 
Co-authored-by: Kyle Schochenmaier <kyle.schochenmaier@hashicorp.com>

* Add changelog for hashicorp#831
* fixes bats test

Adds Agent as a sidecar for the CSI Provider to:

* Cache k8s auth login leases
* Cache secret leases
* Automatically renew renewable leases in the background