From 1f68852dc24e90e9d59f2ef8f6c92fae47fd5f00 Mon Sep 17 00:00:00 2001
From: fischerman <privat@bjorn-fischer.de>
Date: Wed, 15 Jan 2020 11:03:20 +0100
Subject: [PATCH 01/79] add lifecycle to vault instead of extra container
 (#179)

---
 templates/server-statefulset.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 48edf16..985bf59 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -117,9 +117,6 @@ spec:
             successThreshold: 1
             timeoutSeconds: 5
           {{- end }}
-        {{- if .Values.server.extraContainers }}
-          {{ toYaml .Values.server.extraContainers | nindent 8}}
-        {{- end }}
           lifecycle:
             # Vault container doesn't receive SIGTERM from Kubernetes
             # and after the grace period ends, Kube sends SIGKILL.  This 
@@ -128,6 +125,9 @@ spec:
             preStop:
               exec:
                 command: ["/bin/sh","-c","kill -SIGTERM $(pidof vault)"]
+        {{- if .Values.server.extraContainers }}
+          {{ toYaml .Values.server.extraContainers | nindent 8}}
+        {{- end }}
       {{- if .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
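Review bot: `toYaml .Values.server.extraContainers | nindent 8` only produces valid entries under `containers:` when the value is a YAML list, but values.yaml (context visible in a later patch of this series) documents it as "Specified as a raw YAML string". A string passed through `toYaml` would presumably be emitted as one string scalar rather than a list of container specs, so the rendered StatefulSet would be invalid. Suggest rewording the values.yaml comment to `# extraContainers is a list of sidecar containers, given as a YAML list of container specs.` The `containers:` block itself starts outside this hunk.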
-- 
GitLab


From 4209cbcc2d0de21f4eee61d04d7b5e450149f73f Mon Sep 17 00:00:00 2001
From: fischerman <privat@bjorn-fischer.de>
Date: Wed, 15 Jan 2020 11:06:54 +0100
Subject: [PATCH 02/79] make shareProcessNamespace configurable (#174)

* make shareProcessNamespace configurable

* add unit tests
---
 CHANGELOG.md                      |  4 ++++
 templates/server-statefulset.yaml |  3 +++
 test/unit/server-statefulset.bats | 27 +++++++++++++++++++++++++++
 values.yaml                       |  4 ++++
 4 files changed, 38 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 49b506f..770935f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## Unreleased
 
+Improvements:
+
+* Allow process namespace sharing between Vault and sidecar containers
+
 ## 0.3.3 (January 14th, 2020)
 
 Security:
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 985bf59..5ae60af 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -38,6 +38,9 @@ spec:
       {{ template "vault.nodeselector" . }}
       terminationGracePeriodSeconds: 10
       serviceAccountName: {{ template "vault.fullname" . }}
+      {{ if  .Values.server.shareProcessNamespace }}
+      shareProcessNamespace: true
+      {{ end }}
       securityContext:
         runAsNonRoot: true
         runAsGroup: {{ .Values.server.gid | default 1000 }}
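Review bot: Setting `shareProcessNamespace: true` widens what every `extraContainers` sidecar can reach, and neither this hunk nor the values.yaml comment says so. With a shared PID namespace the sidecars can see and signal the Vault process, and Kubernetes documents that /proc information (arguments, environment) and other containers' filesystems via `/proc/<pid>/root` become visible, limited only by ordinary Unix permissions. The pod-level `securityContext` just below applies to all containers, so sidecars that do not override it presumably run under the same user and group as Vault, and those permissions offer little separation. I would add to the values.yaml comment something like `# Enabling this lets every extraContainers sidecar see and signal the Vault process and read its /proc entries; enable only with trusted sidecars.` and recommend that sidecars set their own `securityContext` with a different `runAsUser`.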
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 4ab9cb0..cfc0c4b 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -670,6 +670,33 @@ load _helpers
   [ "${containers_count}" = 1 ]  
 }
 
+# sharedProcessNamespace
+
+@test "server/standalone-StatefulSet: shareProcessNamespace disabled by default" {
+  cd `chart_dir`
+
+  # Test that it defines it
+  local actual=$(helm template \
+      -x templates/server-statefulset.yaml  \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.shareProcessNamespace' | tee /dev/stderr)
+
+  [ "${actual}" = "null" ]  
+}
+
+@test "server/standalone-StatefulSet: shareProcessNamespace enabled" {
+  cd `chart_dir`
+
+  # Test that it defines it
+  local actual=$(helm template \
+      -x templates/server-statefulset.yaml  \
+      --set 'server.shareProcessNamespace=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.shareProcessNamespace' | tee /dev/stderr)
+
+  [ "${actual}" = "true" ]  
+}
+
 # extra labels
 
 @test "server/standalone-StatefulSet: specify extraLabels" {
diff --git a/values.yaml b/values.yaml
index d632113..2aac944 100644
--- a/values.yaml
+++ b/values.yaml
@@ -113,6 +113,10 @@ server:
   # extraContainers is a list of sidecar containers. Specified as a raw YAML string.
   extraContainers: null
 
+  # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
+  # This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation
+  shareProcessNamespace: false
+  
   # extraArgs is a string containing additional Vault server arguments.
   extraArgs: ""
 
-- 
GitLab


From 0099ea8a94d730ed9e24c0f16c43350a5b2d8130 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Wed, 15 Jan 2020 10:16:28 -0500
Subject: [PATCH 03/79] changelog++

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 770935f..510e2de 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ Improvements:
 
 * Allow process namespace sharing between Vault and sidecar containers
 
+Bugs:
+
+* Fix bug where Vault lifecycle was appended after extra containers.
+
 ## 0.3.3 (January 14th, 2020)
 
 Security:
-- 
GitLab


From eccd71bfe22401cb738072a85b8538d8796e39df Mon Sep 17 00:00:00 2001
From: Yong Wen Chua <lawliet89@users.noreply.github.com>
Date: Sat, 18 Jan 2020 20:36:45 +0800
Subject: [PATCH 04/79] Allow configure StatefulSet updateStrategy (#172)

---
 templates/server-statefulset.yaml    |  4 ++--
 test/unit/server-ha-statefulset.bats | 11 +++++++++++
 values.yaml                          | 18 +++++++++++-------
 3 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 5ae60af..c89175d 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -15,7 +15,7 @@ spec:
   podManagementPolicy: Parallel
   replicas: {{ template "vault.replicas" . }}
   updateStrategy:
-    type: OnDelete
+    type: {{ .Values.server.updateStrategyType }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ template "vault.name" . }}
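Review bot: `type: {{ .Values.server.updateStrategyType }}` is rendered unquoted and unchecked, so an empty value renders `type:` (null) and a misspelled one is only rejected at apply time. A null presumably falls back to the API default rather than the chart's `OnDelete`, which for a Vault cluster changes when pods are restarted. The new test in server-ha-statefulset.bats passes literal quotes inside the value (`--set 'server.updateStrategyType="RollingUpdate"'`), and those appear to end up supplying the quoting in the rendered YAML. Suggest `type: {{ .Values.server.updateStrategyType | quote }}` and dropping the inner quotes in the test.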
@@ -122,7 +122,7 @@ spec:
           {{- end }}
           lifecycle:
             # Vault container doesn't receive SIGTERM from Kubernetes
-            # and after the grace period ends, Kube sends SIGKILL.  This 
+            # and after the grace period ends, Kube sends SIGKILL.  This
             # causes issues with graceful shutdowns such as deregistering itself
             # from Consul (zombie services).
             preStop:
diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats
index 833a304..5f05c3c 100755
--- a/test/unit/server-ha-statefulset.bats
+++ b/test/unit/server-ha-statefulset.bats
@@ -97,6 +97,17 @@ load _helpers
   [ "${actual}" = "OnDelete" ]
 }
 
+@test "server/ha-StatefulSet: RollingUpdate updateStrategy" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-statefulset.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'server.updateStrategyType="RollingUpdate"' \
+      . | tee /dev/stderr |
+      yq -r '.spec.updateStrategy.type' | tee /dev/stderr)
+  [ "${actual}" = "RollingUpdate" ]
+}
+
 #--------------------------------------------------------------------
 # affinity
 
diff --git a/values.yaml b/values.yaml
index 2aac944..3fee150 100644
--- a/values.yaml
+++ b/values.yaml
@@ -21,8 +21,8 @@ injector:
     tag: "0.1.2"
     pullPolicy: IfNotPresent
 
-  # agentImage sets the repo and tag of the Vault image to use for the Vault Agent 
-  # containers.  This should be set to the official Vault image.  Vault 1.3.1+ is 
+  # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
+  # containers.  This should be set to the official Vault image.  Vault 1.3.1+ is
   # required.
   agentImage:
     repository: "vault"
@@ -76,6 +76,10 @@ server:
     # Overrides the default Image Pull Policy
     pullPolicy: IfNotPresent
 
+  # Configure the Update Strategy Type for the StatefulSet
+  # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+  updateStrategyType: "OnDelete"
+
   resources:
   # resources:
   #   requests:
@@ -85,7 +89,7 @@ server:
   #     memory: 256Mi
   #     cpu: 250m
 
-  # Ingress allows ingress services to be created to allow external access 
+  # Ingress allows ingress services to be created to allow external access
   # from Kubernetes to access Vault pods.
   ingress:
     enabled: false
@@ -109,7 +113,7 @@ server:
   # method.  https://www.vaultproject.io/docs/auth/kubernetes.html
   authDelegator:
     enabled: true
-  
+
   # extraContainers is a list of sidecar containers. Specified as a raw YAML string.
   extraContainers: null
 
@@ -198,12 +202,12 @@ server:
     # used to communicate with pods directly through DNS instead of a round robin
     # load balancer.
     # clusterIP: None
-    
-    # Configures the service type for the main Vault service.  Can be ClusterIP 
+
+    # Configures the service type for the main Vault service.  Can be ClusterIP
     # or NodePort.
     #type: ClusterIP
 
-    # If type is set to "NodePort", a specific nodePort value can be configured, 
+    # If type is set to "NodePort", a specific nodePort value can be configured,
     # will be random if left blank.
     #nodePort: 30000
 
-- 
GitLab


From 7a6e8c3648aca626b7da6eb56aa932f2e2e2bf72 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Sat, 18 Jan 2020 07:38:00 -0500
Subject: [PATCH 05/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 510e2de..41d49d3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 Improvements:
 
 * Allow process namespace sharing between Vault and sidecar containers
+* Addedd configurable to change updateStrategy
 
 Bugs:
 
-- 
GitLab


From 45c91187826c981d9e87b80aa0c7890e08abeeae Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Thu, 30 Jan 2020 09:39:08 -0800
Subject: [PATCH 06/79] Adding sleep in the preStop lifecycle step (#188)

Aims to make vault pod termination more graceful with respect to user
requests.
---
 templates/server-statefulset.yaml |  8 +++++++-
 test/unit/server-statefulset.bats | 21 +++++++++++++++++++++
 values.yaml                       |  3 +++
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index c89175d..abde79d 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -127,7 +127,13 @@ spec:
             # from Consul (zombie services).
             preStop:
               exec:
-                command: ["/bin/sh","-c","kill -SIGTERM $(pidof vault)"]
+                command: [
+                  "/bin/sh", "-c",
+                  # Adding a sleep here to give the pod eviction a
+                  # chance to propagate, so requests will not be made
+                  # to this pod while it's terminating
+                  "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)",
+                ]
         {{- if .Values.server.extraContainers }}
           {{ toYaml .Values.server.extraContainers | nindent 8}}
         {{- end }}
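Review bot: A `preStopSleepSeconds` at or above the pod's grace period leaves no time for the `kill -SIGTERM` to take effect. This template hard-codes `terminationGracePeriodSeconds: 10` (visible as context in patch 02 of this series) and the preStop hook runs inside that window. With `sleep 10 && kill …`, the value the new unit test sets, Vault would get little or no time for the graceful shutdown this hook exists to provide. The value is also spliced into the `sh -c` string unvalidated, so a non-numeric value changes the command or makes `sleep` fail, and `&&` then skips the `kill`. Suggest `"sleep {{ int .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)"` and a values.yaml comment stating that the value must stay below the termination grace period.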
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index cfc0c4b..60b54c8 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -841,3 +841,24 @@ load _helpers
        yq -r '.spec.template.spec.containers[0].args[0]' | tee /dev/stderr)
   [[ "${actual}" = *"foobar"* ]]
 }
+
+#--------------------------------------------------------------------
+# preStop
+@test "server/standalone-StatefulSet: preStop sleep duration default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-statefulset.yaml \
+      . | tee /dev/stderr |
+       yq -r '.spec.template.spec.containers[0].lifecycle.preStop.exec.command[2]' | tee /dev/stderr)
+  [[ "${actual}" = "sleep 5 &&"* ]]
+}
+
+@test "server/standalone-StatefulSet: preStop sleep duration 10" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-statefulset.yaml \
+      --set 'server.preStopSleepSeconds=10' \
+      . | tee /dev/stderr |
+       yq -r '.spec.template.spec.containers[0].lifecycle.preStop.exec.command[2]' | tee /dev/stderr)
+  [[ "${actual}" = "sleep 10 &&"* ]]
+}
diff --git a/values.yaml b/values.yaml
index 3fee150..5433026 100644
--- a/values.yaml
+++ b/values.yaml
@@ -135,6 +135,9 @@ server:
     path: "/v1/sys/health?standbyok=true"
     initialDelaySeconds: 60
 
+  # Used to set the sleep time during the preStop step
+  preStopSleepSeconds: 5
+
   # extraEnvironmentVars is a list of extra enviroment variables to set with the stateful set. These could be
   # used to include variables required for auto-unseal.
   extraEnvironmentVars: {}
-- 
GitLab


From 1f94e221c35df3600569aa9819734d0e09db77ff Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Thu, 30 Jan 2020 09:49:29 -0800
Subject: [PATCH 07/79] changelog++

---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 41d49d3..9daae18 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,8 @@
 Improvements:
 
 * Allow process namespace sharing between Vault and sidecar containers
-* Addedd configurable to change updateStrategy
+* Added configurable to change updateStrategy
+* Added sleep in the preStop lifecycle step
 
 Bugs:
 
-- 
GitLab


From 77b973c17fd202feea949d45a552f1ab15167c63 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Thu, 6 Feb 2020 08:44:38 -0800
Subject: [PATCH 08/79] Helm 3 support (#195)

Update chart and tests to Helm 3

Co-authored-by: Matt Piekunka <mpiekunk@users.noreply.github.com>
Co-authored-by: Mike Brancato <mbrancato@users.noreply.github.com>
---
 CONTRIBUTING.md                            |  16 +--
 Chart.yaml                                 |   2 +-
 README.md                                  |   2 +-
 templates/injector-deployment.yaml         |   2 +-
 templates/server-disruptionbudget.yaml     |   4 +-
 templates/server-service.yaml              |   2 +-
 templates/server-statefulset.yaml          |   2 +-
 templates/ui-service.yaml                  |   2 +-
 test/acceptance/injector.bats              |   4 +-
 test/acceptance/server-dev.bats            |   4 +-
 test/acceptance/server-ha.bats             |  11 +-
 test/acceptance/server.bats                |   4 +-
 test/docker/Test.dockerfile                |   2 +-
 test/terraform/main.tf                     |  22 +--
 test/terraform/service-account.yaml        |  18 ---
 test/terraform/variables.tf                |   2 +-
 test/unit/injector-clusterrole.bats        |   8 +-
 test/unit/injector-clusterrolebinding.bats |   8 +-
 test/unit/injector-deployment.bats         |  32 ++---
 test/unit/injector-mutating-webhook.bats   |  22 +--
 test/unit/injector-service.bats            |  16 +--
 test/unit/injector-serviceaccount.bats     |   8 +-
 test/unit/server-clusterrolebinding.bats   |  42 +++---
 test/unit/server-configmap.bats            |  26 ++--
 test/unit/server-dev-statefulset.bats      |  60 ++++-----
 test/unit/server-ha-disruptionbudget.bats  |  26 ++--
 test/unit/server-ha-statefulset.bats       |  90 ++++++-------
 test/unit/server-ingress.bats              |  16 +--
 test/unit/server-service.bats              | 119 ++++++++---------
 test/unit/server-serviceaccount.bats       |   6 +-
 test/unit/server-statefulset.bats          | 148 ++++++++++-----------
 test/unit/ui-service.bats                  |  62 ++++-----
 32 files changed, 374 insertions(+), 414 deletions(-)
 delete mode 100644 test/terraform/service-account.yaml

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index a0efc72..431dfa8 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -123,7 +123,7 @@ Changes to the Helm chart should be accompanied by appropriate unit tests.
 In all of the tests in this repo, the base command being run is [helm template](https://docs.helm.sh/helm/#helm-template) which turns the templated files into straight yaml output.
 In this way, we're able to test that the various conditionals in the templates render as we would expect.
 
-Each test defines the files that should be rendered using the `-x` flag, then it might adjust chart values by adding `--set` flags as well.
+Each test defines the files that should be rendered using the `--show-only` flag, then it might adjust chart values by adding `--set` flags as well.
 The output from this `helm template` command is then piped to [yq](https://pypi.org/project/yq/).
 `yq` allows us to pull out just the information we're interested in, either by referencing its position in the yaml file directly or giving information about it (like its length).
 The `-r` flag can be used with `yq` to return a raw string instead of a quoted one which is especially useful when looking for an exact match.
@@ -142,7 +142,7 @@ Here are some examples of common test patterns:
     @test "ui/Service: no type by default" {
       cd `chart_dir`
       local actual=$(helm template \
-          -x templates/ui-service.yaml  \
+          --show-only templates/ui-service.yaml  \
           . | tee /dev/stderr |
           yq -r '.spec.type' | tee /dev/stderr)
       [ "${actual}" = "null" ]
@@ -158,7 +158,7 @@ Here are some examples of common test patterns:
     @test "ui/Service: specified type" {
       cd `chart_dir`
       local actual=$(helm template \
-          -x templates/ui-service.yaml  \
+          --show-only templates/ui-service.yaml  \
           --set 'ui.serviceType=LoadBalancer' \
           . | tee /dev/stderr |
           yq -r '.spec.type' | tee /dev/stderr)
@@ -173,7 +173,7 @@ Here are some examples of common test patterns:
 	@test "server/standalone-StatefulSet: custom resources" {
 	  cd `chart_dir`
 	  local actual=$(helm template \
-		  -x templates/server-statefulset.yaml  \
+		  --show-only templates/server-statefulset.yaml  \
 		  --set 'server.standalone.enabled=true' \
 		  --set 'server.resources.requests.memory=256Mi' \
 		  --set 'server.resources.requests.cpu=250m' \
@@ -182,7 +182,7 @@ Here are some examples of common test patterns:
 	  [ "${actual}" = "256Mi" ]
 
 	  local actual=$(helm template \
-		  -x templates/server-statefulset.yaml  \
+		  --show-only templates/server-statefulset.yaml  \
 		  --set 'server.standalone.enabled=true' \
 		  --set 'server.resources.limits.memory=256Mi' \
 		  --set 'server.resources.limits.cpu=250m' \
@@ -197,10 +197,10 @@ Here are some examples of common test patterns:
     ```
     @test "syncCatalog/Deployment: disabled by default" {
       cd `chart_dir`
-      local actual=$(helm template \
-          -x templates/server-statefulset.yaml  \
+      local actual=$( (helm template \
+          --show-only templates/server-statefulset.yaml  \
           --set 'global.enabled=false' \
-          . | tee /dev/stderr |
+          . || echo "---") | tee /dev/stderr |
           yq 'length > 0' | tee /dev/stderr)
       [ "${actual}" = "false" ]
     }
diff --git a/Chart.yaml b/Chart.yaml
index f46cfe4..8a41081 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v2
 name: vault
 version: 0.3.3
 description: Install and configure Vault on Kubernetes.
diff --git a/README.md b/README.md
index 8d93c45..c6071b7 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ of this README. Please refer to the Kubernetes and Helm documentation.
 
 The versions required are:
 
-  * **Helm 2.10+** - This is the earliest version of Helm tested. It is possible
+  * **Helm 3.0+** - This is the earliest version of Helm tested. It is possible
     it works with earlier versions but this chart is untested for those versions.
   * **Kubernetes 1.9+** - This is the earliest version of Kubernetes tested.
     It is possible that this chart works with earlier versions but it is
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index ed5a2da..86c54ff 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -1,5 +1,5 @@
-# Deployment for the injector
 {{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+# Deployment for the injector
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml
index f41aedd..40ba8b4 100644
--- a/templates/server-disruptionbudget.yaml
+++ b/templates/server-disruptionbudget.yaml
@@ -1,7 +1,7 @@
-# PodDisruptionBudget to prevent degrading the server cluster through
-# voluntary cluster changes.
 {{ template "vault.mode" . }}
 {{- if and (and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha")) (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
+# PodDisruptionBudget to prevent degrading the server cluster through
+# voluntary cluster changes.
 apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
diff --git a/templates/server-service.yaml b/templates/server-service.yaml
index a9c5ede..4ea2363 100644
--- a/templates/server-service.yaml
+++ b/templates/server-service.yaml
@@ -1,5 +1,5 @@
-# Service for Vault cluster
 {{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+# Service for Vault cluster
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index abde79d..8a51e6d 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -1,6 +1,6 @@
-# StatefulSet to run the actual vault server cluster.
 {{ template "vault.mode" . }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
+# StatefulSet to run the actual vault server cluster.
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml
index 00bab47..cfc53e5 100644
--- a/templates/ui-service.yaml
+++ b/templates/ui-service.yaml
@@ -1,11 +1,11 @@
 {{ template "vault.mode" . }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
+{{- if eq (.Values.ui.enabled | toString) "true" }}
 # Headless service for Vault server DNS entries. This service should only
 # point to Vault servers. For access to an agent, one should assume that
 # the agent is installed locally on the node and the NODE_IP should be used.
 # If the node can't run a Vault agent, then this service can be used to
 # communicate directly to a server agent.
-{{- if eq (.Values.ui.enabled | toString) "true" }}
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/test/acceptance/injector.bats b/test/acceptance/injector.bats
index 35f4b9c..2fdb7a5 100644
--- a/test/acceptance/injector.bats
+++ b/test/acceptance/injector.bats
@@ -19,7 +19,7 @@ load _helpers
 
   kubectl label secret test app=vault-agent-demo
 
-  helm install --name="$(name_prefix)" \
+  helm install "$(name_prefix)" \
     --set="server.extraVolumes[0].type=secret" \
     --set="server.extraVolumes[0].name=test" .
   wait_for_running $(name_prefix)-0
@@ -46,7 +46,7 @@ load _helpers
 # Clean up
 teardown() {
   echo "helm/pvc teardown"
-  helm delete --purge vault
+  helm delete vault
   kubectl delete --all pvc
   kubectl delete secret test 
   kubectl delete job pgdump
diff --git a/test/acceptance/server-dev.bats b/test/acceptance/server-dev.bats
index eeec698..05f3661 100644
--- a/test/acceptance/server-dev.bats
+++ b/test/acceptance/server-dev.bats
@@ -8,7 +8,7 @@ load _helpers
   kubectl create namespace acceptance
   kubectl config set-context --current --namespace=acceptance
 
-  helm install --name="$(name_prefix)" --set='server.dev.enabled=true' .
+  helm install "$(name_prefix)" --set='server.dev.enabled=true' .
   wait_for_running $(name_prefix)-0
 
   # Replicas
@@ -55,7 +55,7 @@ load _helpers
 # Clean up
 teardown() {
   echo "helm/pvc teardown"
-  helm delete --purge vault
+  helm delete vault
   kubectl delete --all pvc
   kubectl delete namespace acceptance --ignore-not-found=true
 }
diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats
index 78d5505..f29e31f 100644
--- a/test/acceptance/server-ha.bats
+++ b/test/acceptance/server-ha.bats
@@ -5,8 +5,7 @@ load _helpers
 @test "server/ha: testing deployment" {
   cd `chart_dir`
 
-
-  helm install --name="$(name_prefix)" \
+  helm install "$(name_prefix)" \
     --set='server.ha.enabled=true' .
   wait_for_running $(name_prefix)-0
 
@@ -95,8 +94,8 @@ setup() {
   kubectl create namespace acceptance
   kubectl config set-context --current --namespace=acceptance
 
-  helm install https://github.com/hashicorp/consul-helm/archive/v0.8.1.tar.gz \
-    --name consul \
+  helm install consul \
+    https://github.com/hashicorp/consul-helm/archive/v0.16.2.tar.gz \
     --set 'ui.enabled=false' \
 
   wait_for_running_consul
@@ -104,8 +103,8 @@ setup() {
 
 #cleanup
 teardown() {
-  helm delete --purge vault
-  helm delete --purge consul
+  helm delete vault
+  helm delete consul
   kubectl delete --all pvc
   kubectl delete namespace acceptance --ignore-not-found=true
 }
diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats
index 3c4a075..d8edbd5 100644
--- a/test/acceptance/server.bats
+++ b/test/acceptance/server.bats
@@ -9,7 +9,7 @@ load _helpers
   kubectl create namespace acceptance
   kubectl config set-context --current --namespace=acceptance
 
-  helm install --name="$(name_prefix)" .
+  helm install "$(name_prefix)" .
   wait_for_running $(name_prefix)-0
 
   # Sealed, not initialized
@@ -112,7 +112,7 @@ load _helpers
 # Clean up
 teardown() {
   echo "helm/pvc teardown"
-  helm delete --purge vault
+  helm delete vault
   kubectl delete --all pvc
   kubectl delete namespace acceptance --ignore-not-found=true
 }
diff --git a/test/docker/Test.dockerfile b/test/docker/Test.dockerfile
index 51cc166..003a06f 100644
--- a/test/docker/Test.dockerfile
+++ b/test/docker/Test.dockerfile
@@ -37,7 +37,7 @@ RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s
     mv ./kubectl /usr/local/bin/kubectl
 
 # helm
-RUN curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash
+RUN curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
 
 # bats
 RUN curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz \
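Review bot: The Helm installer is fetched from the moving `master` branch and piped straight into `bash` with no pinning or integrity check, so every image build runs whatever that script contains at build time. `curl` is also called without `-f`, so an HTTP error body would be handed to the shell instead of failing the build. Suggest pinning the script to a release tag or commit and failing on HTTP errors, e.g. `RUN curl -fsSL https://raw.githubusercontent.com/helm/helm/<PINNED_TAG>/scripts/get-helm-3 | bash`. A version variable for Helm, as the bats step below has with `${BATS_VERSION}`, would make the test image reproducible.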
diff --git a/test/terraform/main.tf b/test/terraform/main.tf
index c4f3516..e3fc2ef 100644
--- a/test/terraform/main.tf
+++ b/test/terraform/main.tf
@@ -1,7 +1,3 @@
-locals {
-  service_account_path = "${path.module}/service-account.yaml"
-}
-
 provider "google" {
   project = "${var.project}"
   region  = "us-central1"
@@ -15,7 +11,7 @@ resource "random_id" "suffix" {
 
 data "google_container_engine_versions" "main" {
   location = "${var.zone}"
-  version_prefix = "1.12."
+  version_prefix = "1.15."
 }
 
 data "google_service_account" "gcpapi" {
@@ -91,19 +87,3 @@ resource "null_resource" "kubectl" {
     command    = "kubectl config get-contexts | grep ${google_container_cluster.cluster.name} | xargs -n1 kubectl config delete-context"
   }
 }
-
-resource "null_resource" "helm" {
-  count      = "${var.init_cli ? 1 : 0 }"
-  depends_on = ["null_resource.kubectl"]
-
-  triggers = {
-    cluster = "${google_container_cluster.cluster.id}"
-  }
-
-  provisioner "local-exec" {
-    command = <<EOF
-kubectl apply -f '${local.service_account_path}'
-helm init --service-account helm
-EOF
-  }
-}
diff --git a/test/terraform/service-account.yaml b/test/terraform/service-account.yaml
deleted file mode 100644
index 05d1846..0000000
--- a/test/terraform/service-account.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: helm
-  namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: helm
-    namespace: kube-system
diff --git a/test/terraform/variables.tf b/test/terraform/variables.tf
index 5fc445b..971af4e 100644
--- a/test/terraform/variables.tf
+++ b/test/terraform/variables.tf
@@ -15,7 +15,7 @@ variable "zone" {
 
 variable "init_cli" {
   default     = true
-  description = "Whether to init the CLI tools kubectl, helm, etc. or not."
+  description = "Whether to init kubectl or not."
 }
 
 variable "gcp_service_account" {
diff --git a/test/unit/injector-clusterrole.bats b/test/unit/injector-clusterrole.bats
index 4c5c1d9..7c25f39 100755
--- a/test/unit/injector-clusterrole.bats
+++ b/test/unit/injector-clusterrole.bats
@@ -5,7 +5,7 @@ load _helpers
 @test "injector/ClusterRole: enabled by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/injector-clusterrole.yaml  \
+      --show-only templates/injector-clusterrole.yaml  \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
@@ -13,10 +13,10 @@ load _helpers
 
 @test "injector/ClusterRole: disable with global.enabled" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/injector-clusterrole.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/injector-clusterrole.yaml  \
       --set 'global.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
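Review bot: The `|| echo "---"` fallback turns every `helm template` failure into an empty document, not only the case where the template is not rendered, so this "disabled" test would also pass if the chart failed to render for an unrelated reason such as a template syntax error or a bad value. The same pattern is added in injector-clusterrolebinding.bats, injector-deployment.bats and the CONTRIBUTING.md example. Consider checking the failure reason before treating it as "disabled", for example by capturing Helm's stderr and asserting it reports that the template was not found in the chart. A comment such as `# helm 3 exits non-zero when --show-only matches nothing; fall back to an empty doc` above the command would also explain why the fallback exists.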
diff --git a/test/unit/injector-clusterrolebinding.bats b/test/unit/injector-clusterrolebinding.bats
index efeab4c..6e21787 100755
--- a/test/unit/injector-clusterrolebinding.bats
+++ b/test/unit/injector-clusterrolebinding.bats
@@ -5,7 +5,7 @@ load _helpers
 @test "injector/ClusterRoleBinding: enabled by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/injector-clusterrolebinding.yaml  \
+      --show-only templates/injector-clusterrolebinding.yaml  \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
@@ -13,10 +13,10 @@ load _helpers
 
 @test "injector/ClusterRoleBinding: disable with global.enabled" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/injector-clusterrolebinding.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/injector-clusterrolebinding.yaml  \
       --set 'global.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index cdb07ce..1f6caaa 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@@ -5,7 +5,7 @@ load _helpers
 @test "injector/deployment: default injector.enabled" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/injector-deployment.yaml  \
+      --show-only templates/injector-deployment.yaml  \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
@@ -14,7 +14,7 @@ load _helpers
 @test "injector/deployment: enable with injector.enabled true" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/injector-deployment.yaml  \
+      --show-only templates/injector-deployment.yaml  \
       --set 'injector.enabled=true' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
@@ -23,11 +23,11 @@ load _helpers
 
 @test "injector/deployment: disable with global.enabled" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/injector-deployment.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/injector-deployment.yaml  \
       --set 'global.enabled=false' \
       --set 'injector.enabled=true' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
@@ -35,7 +35,7 @@ load _helpers
 @test "injector/deployment: image defaults to injector.image" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/injector-deployment.yaml  \
+      --show-only templates/injector-deployment.yaml  \
       --set 'injector.image.repository=foo' \
       --set 'injector.image.tag=1.2.3' \
       . | tee /dev/stderr |
@@ -43,7 +43,7 @@ load _helpers
   [ "${actual}" = "foo:1.2.3" ]
 
   local actual=$(helm template \
-      -x templates/injector-deployment.yaml  \
+      --show-only templates/injector-deployment.yaml  \
       --set 'injector.image.repository=foo' \
       --set 'injector.image.tag=1.2.3' \
       . | tee /dev/stderr |
@@ -54,7 +54,7 @@ load _helpers
 @test "injector/deployment: default imagePullPolicy" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/injector-deployment.yaml  \
+      --show-only templates/injector-deployment.yaml  \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].imagePullPolicy' | tee /dev/stderr)
   [ "${actual}" = "IfNotPresent" ]
@@ -63,7 +63,7 @@ load _helpers
 @test "injector/deployment: default resources" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/injector-deployment.yaml  \
+      --show-only templates/injector-deployment.yaml  \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
   [ "${actual}" = "null" ]
@@ -72,7 +72,7 @@ load _helpers
 @test "injector/deployment: custom resources" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/injector-deployment.yaml  \
+      --show-only templates/injector-deployment.yaml  \
       --set 'injector.enabled=true' \
       --set 'injector.resources.requests.memory=256Mi' \
       --set 'injector.resources.requests.cpu=250m' \
@@ -81,7 +81,7 @@ load _helpers
   [ "${actual}" = "256Mi" ]
 
   local actual=$(helm template \
-      -x templates/injector-deployment.yaml  \
+      --show-only templates/injector-deployment.yaml  \
       --set 'injector.enabled=true' \
       --set 'injector.resources.limits.memory=256Mi' \
       --set 'injector.resources.limits.cpu=250m' \
@@ -90,7 +90,7 @@ load _helpers
   [ "${actual}" = "256Mi" ]
 
   local actual=$(helm template \
-      -x templates/injector-deployment.yaml \
+      --show-only templates/injector-deployment.yaml \
       --set 'injector.enabled=true' \
       --set 'injector.resources.requests.cpu=250m' \
       . | tee /dev/stderr |
@@ -98,7 +98,7 @@ load _helpers
   [ "${actual}" = "250m" ]
 
   local actual=$(helm template \
-      -x templates/injector-deployment.yaml \
+      --show-only templates/injector-deployment.yaml \
       --set 'injector.enabled=true' \
       --set 'injector.resources.limits.cpu=250m' \
       . | tee /dev/stderr |
@@ -109,7 +109,7 @@ load _helpers
 @test "injector/deployment: manual TLS environment vars" {
   cd `chart_dir`
   local object=$(helm template \
-      -x templates/injector-deployment.yaml  \
+      --show-only templates/injector-deployment.yaml  \
       --set 'injector.certs.secretName=foobar' \
       --set 'injector.certs.certName=test.crt' \
       --set 'injector.certs.keyName=test.key' \
@@ -136,13 +136,13 @@ load _helpers
 @test "injector/deployment: auto TLS by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/injector-deployment.yaml  \
+      --show-only templates/injector-deployment.yaml  \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].volumeMounts | length' | tee /dev/stderr)
   [ "${actual}" = "0" ]
 
   local object=$(helm template \
-      -x templates/injector-deployment.yaml  \
+      --show-only templates/injector-deployment.yaml  \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats
index dd0d643..2eefcf2 100755
--- a/test/unit/injector-mutating-webhook.bats
+++ b/test/unit/injector-mutating-webhook.bats
@@ -5,7 +5,7 @@ load _helpers
 @test "injector/MutatingWebhookConfiguration: enabled by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/injector-mutating-webhook.yaml  \
+      --show-only templates/injector-mutating-webhook.yaml  \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
@@ -13,20 +13,20 @@ load _helpers
 
 @test "injector/MutatingWebhookConfiguration: disable with global.enabled false" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/injector-mutating-webhook.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/injector-mutating-webhook.yaml  \
       --set 'global.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
 
 @test "injector/MutatingWebhookConfiguration: disable with injector.enabled false" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/injector-mutating-webhook.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/injector-mutating-webhook.yaml  \
       --set 'injector.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
@@ -34,7 +34,7 @@ load _helpers
 @test "injector/MutatingWebhookConfiguration: namespace is set" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/injector-mutating-webhook.yaml  \
+      --show-only templates/injector-mutating-webhook.yaml  \
       --set 'injector.enabled=true' \
       --namespace foo \
       . | tee /dev/stderr |
@@ -45,7 +45,7 @@ load _helpers
 @test "injector/MutatingWebhookConfiguration: caBundle is empty" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/injector-mutating-webhook.yaml  \
+      --show-only templates/injector-mutating-webhook.yaml  \
       --set 'injector.enabled=true' \
       --namespace foo \
       . | tee /dev/stderr |
@@ -56,7 +56,7 @@ load _helpers
 @test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/injector-mutating-webhook.yaml  \
+      --show-only templates/injector-mutating-webhook.yaml  \
       --set 'injector.enabled=true' \
       --namespace foo \
       . | tee /dev/stderr |
@@ -67,7 +67,7 @@ load _helpers
 @test "injector/MutatingWebhookConfiguration: can set namespaceSelector" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/injector-mutating-webhook.yaml  \
+      --show-only templates/injector-mutating-webhook.yaml  \
       --set 'injector.enabled=true' \
       --set 'injector.namespaceSelector.matchLabels.injector=true' \
       . | tee /dev/stderr |
diff --git a/test/unit/injector-service.bats b/test/unit/injector-service.bats
index 03f908f..af8787d 100755
--- a/test/unit/injector-service.bats
+++ b/test/unit/injector-service.bats
@@ -5,13 +5,13 @@ load _helpers
 @test "injector/Service: service enabled by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/injector-service.yaml \
+      --show-only templates/injector-service.yaml \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
   local actual=$(helm template \
-      -x templates/injector-service.yaml \
+      --show-only templates/injector-service.yaml \
       --set 'injector.enabled=true' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
@@ -20,18 +20,18 @@ load _helpers
 
 @test "injector/Service: disable with global.enabled false" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/injector-service.yaml \
+  local actual=$( (helm template \
+      --show-only templates/injector-service.yaml \
       --set 'global.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 
-  local actual=$(helm template \
-      -x templates/injector-service.yaml \
+  local actual=$( (helm template \
+      --show-only templates/injector-service.yaml \
       --set 'global.enabled=false' \
       --set 'injector.enabled=true' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
diff --git a/test/unit/injector-serviceaccount.bats b/test/unit/injector-serviceaccount.bats
index 7009a76..1055d90 100755
--- a/test/unit/injector-serviceaccount.bats
+++ b/test/unit/injector-serviceaccount.bats
@@ -5,7 +5,7 @@ load _helpers
 @test "injector/ServiceAccount: enabled by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/injector-serviceaccount.yaml  \
+      --show-only templates/injector-serviceaccount.yaml  \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
@@ -13,10 +13,10 @@ load _helpers
 
 @test "injector/ServiceAccount: disable with global.enabled" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/injector-serviceaccount.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/injector-serviceaccount.yaml  \
       --set 'global.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
diff --git a/test/unit/server-clusterrolebinding.bats b/test/unit/server-clusterrolebinding.bats
index 7d140b8..d1245c4 100755
--- a/test/unit/server-clusterrolebinding.bats
+++ b/test/unit/server-clusterrolebinding.bats
@@ -4,59 +4,59 @@ load _helpers
 
 @test "server/ClusterRoleBinding: enabled by default" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-clusterrolebinding.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-clusterrolebinding.yaml  \
       --set 'server.dev.enabled=true' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
-  local actual=$(helm template \
-      -x templates/server-clusterrolebinding.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-clusterrolebinding.yaml  \
       --set 'server.ha.enabled=true' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
-  local actual=$(helm template \
-      -x templates/server-clusterrolebinding.yaml  \
-      . | tee /dev/stderr |
+  local actual=$( (helm template \
+      --show-only templates/server-clusterrolebinding.yaml  \
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
 
 @test "server/ClusterRoleBinding: disable with global.enabled" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-clusterrolebinding.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-clusterrolebinding.yaml  \
       --set 'global.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
 
 @test "server/ClusterRoleBinding: can disable with server.authDelegator" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-clusterrolebinding.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-clusterrolebinding.yaml  \
       --set 'server.authDelegator.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 
-  local actual=$(helm template \
-      -x templates/server-clusterrolebinding.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-clusterrolebinding.yaml  \
       --set 'server.authDelegator.enabled=false' \
       --set 'server.ha.enabled=true' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 
-  local actual=$(helm template \
-      -x templates/server-clusterrolebinding.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-clusterrolebinding.yaml  \
       --set 'server.authDelegator.enabled=false' \
       --set 'server.dev.enabled=true' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
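Review bot: The three invocations in "server/ClusterRoleBinding: enabled by default" assert `true`, so the `|| echo "---"` wrapper added to them has nothing to protect. If helm fails there, the test now fails on the `length > 0` comparison of a substituted empty document instead of directly on the render error. The positive tests elsewhere in this patch (for example "server/ConfigMap: enabled by default") keep the plain form `local actual=$(helm template \` … `. | tee /dev/stderr |`. I would keep that form here too and reserve the fallback for the cases that expect `false`.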
diff --git a/test/unit/server-configmap.bats b/test/unit/server-configmap.bats
index 7a66c53..679a76f 100755
--- a/test/unit/server-configmap.bats
+++ b/test/unit/server-configmap.bats
@@ -5,20 +5,20 @@ load _helpers
 @test "server/ConfigMap: enabled by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-config-configmap.yaml \
+      --show-only templates/server-config-configmap.yaml \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
   local actual=$(helm template \
-      -x templates/server-config-configmap.yaml \
+      --show-only templates/server-config-configmap.yaml \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
   local actual=$(helm template \
-      -x templates/server-config-configmap.yaml \
+      --show-only templates/server-config-configmap.yaml \
       --set 'server.standalone.enabled=true' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
@@ -27,20 +27,20 @@ load _helpers
 
 @test "server/ConfigMap: disabled by server.dev.enabled true" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-config-configmap.yaml \
+  local actual=$( (helm template \
+      --show-only templates/server-config-configmap.yaml \
       --set 'server.dev.enabled=true' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
 
 @test "server/ConfigMap: disable with global.enabled" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-config-configmap.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-config-configmap.yaml  \
       --set 'global.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
@@ -48,7 +48,7 @@ load _helpers
 @test "server/ConfigMap: standalone extraConfig is set" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-config-configmap.yaml  \
+      --show-only templates/server-config-configmap.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.standalone.config="{\"hello\": \"world\"}"' \
       . | tee /dev/stderr |
@@ -56,7 +56,7 @@ load _helpers
   [ ! -z "${actual}" ]
 
   local actual=$(helm template \
-      -x templates/server-config-configmap.yaml  \
+      --show-only templates/server-config-configmap.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.standalone.config="{\"foo\": \"bar\"}"' \
       . | tee /dev/stderr |
@@ -67,7 +67,7 @@ load _helpers
 @test "server/ConfigMap: ha extraConfig is set" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-config-configmap.yaml  \
+      --show-only templates/server-config-configmap.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.ha.config="{\"hello\": \"world\"}"' \
       . | tee /dev/stderr |
@@ -75,7 +75,7 @@ load _helpers
   [ ! -z "${actual}" ]
 
   local actual=$(helm template \
-      -x templates/server-config-configmap.yaml  \
+      --show-only templates/server-config-configmap.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.ha.config="{\"foo\": \"bar\"}"' \
       . | tee /dev/stderr |
diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats
index 5f1e45a..57acd20 100755
--- a/test/unit/server-dev-statefulset.bats
+++ b/test/unit/server-dev-statefulset.bats
@@ -5,7 +5,7 @@ load _helpers
 @test "server/dev-StatefulSet: enable with server.dev.enabled true" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
@@ -14,11 +14,11 @@ load _helpers
 
 @test "server/dev-StatefulSet: disable with global.enabled" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-statefulset.yaml  \
       --set 'global.enabled=false' \
       --set 'server.dev.enabled=true' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
@@ -26,7 +26,7 @@ load _helpers
 @test "server/dev-StatefulSet: image defaults to server.image.repository:tag" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.image.repository=foo' \
       --set 'server.image.tag=1.2.3' \
       --set 'server.dev.enabled=true' \
@@ -39,7 +39,7 @@ load _helpers
   cd `chart_dir`
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.image.repository=foo' \
       --set 'server.image.tag=' \
       --set 'server.dev.enabled=true' \
@@ -54,7 +54,7 @@ load _helpers
 @test "server/dev-StatefulSet: default replicas" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.replicas' | tee /dev/stderr)
@@ -64,7 +64,7 @@ load _helpers
 @test "server/dev-StatefulSet: cant set replicas" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'server.dev.replicas=100' \
       . | tee /dev/stderr |
@@ -78,7 +78,7 @@ load _helpers
 @test "server/dev-StatefulSet: updateStrategy" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.updateStrategy.type' | tee /dev/stderr)
@@ -91,7 +91,7 @@ load _helpers
 @test "server/dev-StatefulSet: default resources" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
@@ -101,7 +101,7 @@ load _helpers
 @test "server/dev-StatefulSet: custom resources" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'server.resources.requests.memory=256Mi' \
       --set 'server.resources.requests.cpu=250m' \
@@ -110,7 +110,7 @@ load _helpers
   [ "${actual}" = "256Mi" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'server.resources.limits.memory=256Mi' \
       --set 'server.resources.limits.cpu=250m' \
@@ -119,7 +119,7 @@ load _helpers
   [ "${actual}" = "256Mi" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'server.resources.requests.cpu=250m' \
       . | tee /dev/stderr |
@@ -127,7 +127,7 @@ load _helpers
   [ "${actual}" = "250m" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'server.resources.limits.cpu=250m' \
       . | tee /dev/stderr |
@@ -143,7 +143,7 @@ load _helpers
 
   # Test that it defines it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'server.extraVolumes[0].type=configMap' \
       --set 'server.extraVolumes[0].name=foo' \
@@ -160,7 +160,7 @@ load _helpers
 
   # Test that it mounts it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'server.extraVolumes[0].type=configMap' \
       --set 'server.extraVolumes[0].name=foo' \
@@ -181,7 +181,7 @@ load _helpers
 
   # Test that it defines it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'server.extraVolumes[0].type=secret' \
       --set 'server.extraVolumes[0].name=foo' \
@@ -198,7 +198,7 @@ load _helpers
 
   # Test that it mounts it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'server.extraVolumes[0].type=configMap' \
       --set 'server.extraVolumes[0].name=foo' \
@@ -217,7 +217,7 @@ load _helpers
 @test "server/dev-StatefulSet: no storageClass on claim by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.volumeClaimTemplates[0].spec.storageClassName' | tee /dev/stderr)
@@ -230,7 +230,7 @@ load _helpers
 @test "server/dev-StatefulSet: set extraEnvironmentVars" {
   cd `chart_dir`
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'server.extraEnvironmentVars.FOO=bar' \
       --set 'server.extraEnvironmentVars.FOOBAR=foobar' \
@@ -260,7 +260,7 @@ load _helpers
 @test "server/dev-StatefulSet: set extraSecretEnvironmentVars" {
   cd `chart_dir`
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.extraSecretEnvironmentVars[0].envName=ENV_FOO_0' \
       --set 'server.extraSecretEnvironmentVars[0].secretName=secret_name_0' \
       --set 'server.extraSecretEnvironmentVars[0].secretKey=secret_key_0' \
@@ -297,7 +297,7 @@ load _helpers
 @test "server/dev-StatefulSet: can't set storageClass" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'server.dataStorage.enabled=true' \
       --set 'server.dataStorage.storageClass=foo' \
@@ -306,7 +306,7 @@ load _helpers
   [ "${actual}" = "null" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'server.auditStorage.enabled=true' \
       --set 'server.auditStorage.storageClass=foo' \
@@ -315,7 +315,7 @@ load _helpers
   [ "${actual}" = "null" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'server.auditStorage.enabled=true' \
       --set 'server.auditStorage.storageClass=foo' \
@@ -331,7 +331,7 @@ load _helpers
 @test "server/dev-StatefulSet: uid default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.dev.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
@@ -341,7 +341,7 @@ load _helpers
 @test "server/dev-StatefulSet: uid configurable" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.uid=2000' \
       --set 'server.dev.enabled=true' \
       . | tee /dev/stderr |
@@ -352,7 +352,7 @@ load _helpers
 @test "server/dev-StatefulSet: gid default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.dev.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
@@ -362,7 +362,7 @@ load _helpers
 @test "server/dev-StatefulSet: gid configurable" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.gid=2000' \
       --set 'server.dev.enabled=true' \
       . | tee /dev/stderr |
@@ -373,7 +373,7 @@ load _helpers
 @test "server/dev-StatefulSet: fsgroup default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.dev.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
@@ -383,7 +383,7 @@ load _helpers
 @test "server/dev-StatefulSet: fsgroup configurable" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.gid=2000' \
       --set 'server.dev.enabled=true' \
       . | tee /dev/stderr |
diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats
index 6e60707..2c0174a 100755
--- a/test/unit/server-ha-disruptionbudget.bats
+++ b/test/unit/server-ha-disruptionbudget.bats
@@ -5,7 +5,7 @@ load _helpers
 @test "server/DisruptionBudget: enabled by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-disruptionbudget.yaml  \
+      --show-only templates/server-disruptionbudget.yaml  \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
@@ -14,31 +14,31 @@ load _helpers
 
 @test "server/DisruptionBudget: disable with server.enabled" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-disruptionbudget.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-disruptionbudget.yaml  \
       --set 'globa.enabled=false' \
       --set 'server.ha.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
 
 @test "server/DisruptionBudget: disable with server.disruptionBudget.enabled" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-disruptionbudget.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-disruptionbudget.yaml  \
       --set 'server.ha.disruptionBudget.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
 
 @test "server/DisruptionBudget: disable with global.enabled" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-disruptionbudget.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-disruptionbudget.yaml  \
       --set 'global.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
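Review bot: `--set 'globa.enabled=false'` in "server/DisruptionBudget: disable with server.enabled" is misspelled, so the flag sets an unused value and the test relies on `server.ha.enabled=false` alone. This hunk rewrites the lines around it but leaves the typo in place. It should either be removed or read `--set 'global.enabled=false' \`, whichever the test is meant to cover. Separately, "disable with server.disruptionBudget.enabled" and "disable with global.enabled" do not set `server.ha.enabled=true`, while the "enabled by default" test does. If HA is off by default (not visible here), these two would report `false` even if the flag under test had no effect, and the new `|| echo "---"` fallback makes that harder to notice. Adding `--set 'server.ha.enabled=true' \` to both would make them test the flag itself.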
@@ -46,7 +46,7 @@ load _helpers
 @test "server/DisruptionBudget: correct maxUnavailable with n=1" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-disruptionbudget.yaml  \
+      --show-only templates/server-disruptionbudget.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.ha.replicas=1' \
       . | tee /dev/stderr |
@@ -57,7 +57,7 @@ load _helpers
 @test "server/DisruptionBudget: correct maxUnavailable with n=3" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-disruptionbudget.yaml  \
+      --show-only templates/server-disruptionbudget.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.ha.replicas=3' \
       . | tee /dev/stderr |
@@ -68,7 +68,7 @@ load _helpers
 @test "server/DisruptionBudget: correct maxUnavailable with n=5" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-disruptionbudget.yaml  \
+      --show-only templates/server-disruptionbudget.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.ha.replicas=5' \
       . | tee /dev/stderr |
diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats
index 5f05c3c..a40e92f 100755
--- a/test/unit/server-ha-statefulset.bats
+++ b/test/unit/server-ha-statefulset.bats
@@ -5,7 +5,7 @@ load _helpers
 @test "server/ha-StatefulSet: enable with server.ha.enabled true" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
@@ -14,11 +14,11 @@ load _helpers
 
 @test "server/ha-StatefulSet: disable with global.enabled" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-statefulset.yaml  \
       --set 'global.enabled=false' \
       --set 'server.ha.enabled=true' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
@@ -26,7 +26,7 @@ load _helpers
 @test "server/ha-StatefulSet: image defaults to server.image.repository:tag" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.image.repository=foo' \
       --set 'server.image.tag=1.2.3' \
       --set 'server.ha.enabled=true' \
@@ -39,7 +39,7 @@ load _helpers
   cd `chart_dir`
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.image.repository=foo' \
       --set 'server.image.tag=' \
       --set 'server.ha.enabled=true' \
@@ -54,7 +54,7 @@ load _helpers
 @test "server/ha-StatefulSet: tls disabled" {
   cd `chart_dir`
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'global.tlsDisable=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
@@ -70,7 +70,7 @@ load _helpers
 @test "server/ha-StatefulSet: tls enabled" {
   cd `chart_dir`
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'global.tlsDisable=false' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
@@ -90,7 +90,7 @@ load _helpers
 @test "server/ha-StatefulSet: OnDelete updateStrategy" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.updateStrategy.type' | tee /dev/stderr)
@@ -100,7 +100,7 @@ load _helpers
 @test "server/ha-StatefulSet: RollingUpdate updateStrategy" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.updateStrategyType="RollingUpdate"' \
       . | tee /dev/stderr |
@@ -114,14 +114,14 @@ load _helpers
 @test "server/ha-StatefulSet: default affinity" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.affinity' | tee /dev/stderr)
   [ "${actual}" != "null" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.affinity=' \
       . | tee /dev/stderr |
@@ -135,7 +135,7 @@ load _helpers
 @test "server/ha-StatefulSet: default replicas" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.replicas' | tee /dev/stderr)
@@ -145,7 +145,7 @@ load _helpers
 @test "server/ha-StatefulSet: custom replicas" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.ha.replicas=10' \
       . | tee /dev/stderr |
@@ -159,7 +159,7 @@ load _helpers
 @test "server/ha-StatefulSet: default resources" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
@@ -169,7 +169,7 @@ load _helpers
 @test "server/ha-StatefulSet: custom resources" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.resources.requests.memory=256Mi' \
       --set 'server.resources.requests.cpu=250m' \
@@ -178,7 +178,7 @@ load _helpers
   [ "${actual}" = "256Mi" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.resources.limits.memory=256Mi' \
       --set 'server.resources.limits.cpu=250m' \
@@ -187,7 +187,7 @@ load _helpers
   [ "${actual}" = "256Mi" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.resources.requests.cpu=250m' \
       . | tee /dev/stderr |
@@ -195,7 +195,7 @@ load _helpers
   [ "${actual}" = "250m" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.resources.limits.cpu=250m' \
       . | tee /dev/stderr |
@@ -210,7 +210,7 @@ load _helpers
   cd `chart_dir`
   # Test that it defines it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.extraVolumes[0].type=configMap' \
       --set 'server.extraVolumes[0].name=foo' \
@@ -227,7 +227,7 @@ load _helpers
 
   # Test that it mounts it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.extraVolumes[0].type=configMap' \
       --set 'server.extraVolumes[0].name=foo' \
@@ -247,7 +247,7 @@ load _helpers
   cd `chart_dir`
   # Test that it mounts it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.extraVolumes[0].type=configMap' \
       --set 'server.extraVolumes[0].name=foo' \
@@ -269,7 +269,7 @@ load _helpers
 
   # Test that it mounts it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.extraVolumes[0].type=configMap' \
       --set 'server.extraVolumes[0].name=foo' \
@@ -291,7 +291,7 @@ load _helpers
 
   # Test that it defines it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.extraVolumes[0].type=secret' \
       --set 'server.extraVolumes[0].name=foo' \
@@ -308,7 +308,7 @@ load _helpers
 
   # Test that it mounts it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.extraVolumes[0].type=configMap' \
       --set 'server.extraVolumes[0].name=foo' \
@@ -330,7 +330,7 @@ load _helpers
 @test "server/ha-StatefulSet: set extraEnvironmentVars" {
   cd `chart_dir`
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.extraEnvironmentVars.FOO=bar' \
       --set 'server.extraEnvironmentVars.FOOBAR=foobar' \
@@ -360,7 +360,7 @@ load _helpers
 @test "server/ha-StatefulSet: set extraSecretEnvironmentVars" {
   cd `chart_dir`
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.extraSecretEnvironmentVars[0].envName=ENV_FOO_0' \
       --set 'server.extraSecretEnvironmentVars[0].secretName=secret_name_0' \
@@ -398,7 +398,7 @@ load _helpers
 @test "server/ha-StatefulSet: no storage by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.volumeClaimTemplates | length' | tee /dev/stderr)
@@ -409,7 +409,7 @@ load _helpers
 @test "server/ha-StatefulSet: cant set data storage" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.dataStorage.enabled=true' \
       --set 'server.dataStorage.storageClass=foo' \
@@ -421,7 +421,7 @@ load _helpers
 @test "server/ha-StatefulSet: can set storageClass" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.dataStorage.enabled=false' \
       --set 'server.auditStorage.enabled=true' \
@@ -434,7 +434,7 @@ load _helpers
 @test "server/ha-StatefulSet: can disable storage" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.auditStorage.enabled=false' \
       --set 'server.dataStorage.enabled=false' \
@@ -443,7 +443,7 @@ load _helpers
   [ "${actual}" = "0" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.auditStorage.enabled=true' \
       --set 'server.dataStorage.enabled=false' \
@@ -455,7 +455,7 @@ load _helpers
 @test "server/ha-StatefulSet: can mount audit" {
   cd `chart_dir`
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.auditStorage.enabled=true' \
       . | tee /dev/stderr |
@@ -465,7 +465,7 @@ load _helpers
 @test "server/ha-StatefulSet: no data storage" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.auditStorage.enabled=false' \
       --set 'server.dataStorage.enabled=true' \
@@ -474,7 +474,7 @@ load _helpers
   [ "${actual}" = "0" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.auditStorage.enabled=true' \
       --set 'server.dataStorage.enabled=true' \
@@ -486,7 +486,7 @@ load _helpers
 @test "server/ha-StatefulSet: tolerations not set by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq '.spec.template.spec | .tolerations? == null' | tee /dev/stderr)
@@ -496,7 +496,7 @@ load _helpers
 @test "server/ha-StatefulSet: tolerations can be set" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.tolerations=foobar' \
       . | tee /dev/stderr |
@@ -507,7 +507,7 @@ load _helpers
 @test "server/ha-StatefulSet: nodeSelector is not set by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq '.spec.template.spec.nodeSelector' | tee /dev/stderr)
@@ -517,7 +517,7 @@ load _helpers
 @test "server/ha-StatefulSet: specified nodeSelector" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.ha.enabled=true' \
       --set 'server.nodeSelector=testing' \
       . | tee /dev/stderr |
@@ -530,7 +530,7 @@ load _helpers
 @test "server/ha-StatefulSet: uid default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
@@ -540,7 +540,7 @@ load _helpers
 @test "server/ha-StatefulSet: uid configurable" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.uid=2000' \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
@@ -551,7 +551,7 @@ load _helpers
 @test "server/ha-StatefulSet: gid default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
@@ -561,7 +561,7 @@ load _helpers
 @test "server/ha-StatefulSet: gid configurable" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.gid=2000' \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
@@ -572,7 +572,7 @@ load _helpers
 @test "server/ha-StatefulSet: fsgroup default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
@@ -582,7 +582,7 @@ load _helpers
 @test "server/ha-StatefulSet: fsgroup configurable" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.gid=2000' \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats
index b0950ca..1cf1576 100755
--- a/test/unit/server-ingress.bats
+++ b/test/unit/server-ingress.bats
@@ -4,9 +4,9 @@ load _helpers
 
 @test "server/ingress: disabled by default" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-ingress.yaml  \
-      . | tee /dev/stderr |
+  local actual=$( (helm template \
+      --show-only templates/server-ingress.yaml  \
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
@@ -14,7 +14,7 @@ load _helpers
 @test "server/ingress: checking host entry gets added and path is /" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-ingress.yaml \
+      --show-only templates/server-ingress.yaml \
       --set 'server.ingress.enabled=true' \
       --set 'server.ingress.hosts[0].host=test.com' \
       --set 'server.ingress.hosts[0].paths[0]=/' \
@@ -23,7 +23,7 @@ load _helpers
   [ "${actual}" = 'test.com' ]
 
   local actual=$(helm template \
-      -x templates/server-ingress.yaml \
+      --show-only templates/server-ingress.yaml \
       --set 'server.ingress.enabled=true' \
       --set 'server.ingress.hosts[0].host=test.com' \
       --set 'server.ingress.hosts[0].paths[0]=/' \
@@ -36,7 +36,7 @@ load _helpers
   cd `chart_dir`
 
   local actual=$(helm template \
-      -x templates/server-ingress.yaml \
+      --show-only templates/server-ingress.yaml \
       --set 'server.ingress.enabled=true' \
       --set 'server.ingress.hosts[0].host=test.com' \
       --set 'server.ingress.hosts[0].paths[0]=/' \
@@ -50,11 +50,11 @@ load _helpers
   cd `chart_dir`
 
   local actual=$(helm template \
-      -x templates/server-ingress.yaml \
+      --show-only templates/server-ingress.yaml \
       --set 'server.ingress.enabled=true' \
       --set 'server.ingress.labels.traffic=external' \
       --set 'server.ingress.labels.team=dev' \
       . | tee /dev/stderr |
       yq -r '.metadata.labels.traffic' | tee /dev/stderr)
   [ "${actual}" = "external" ]
-}
\ No newline at end of file
+}
diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats
index c276c43..adcf95f 100755
--- a/test/unit/server-service.bats
+++ b/test/unit/server-service.bats
@@ -5,111 +5,110 @@ load _helpers
 @test "server/Service: service enabled by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.dev.enabled=true' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.standalone.enabled=true' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
 
-
 @test "server/Service: disable with global.enabled false" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-service.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'global.enabled=false' \
       --set 'server.service.enabled=true' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 
-  local actual=$(helm template \
-      -x templates/server-service.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'global.enabled=false' \
       --set 'server.service.enabled=true' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 
-  local actual=$(helm template \
-      -x templates/server-service.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'global.enabled=false' \
       --set 'server.service.enabled=true' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
 
 @test "server/Service: disable with server.service.enabled false" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-service.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'server.service.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 
-  local actual=$(helm template \
-      -x templates/server-service.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.service.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 
-  local actual=$(helm template \
-      -x templates/server-service.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.service.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
 
 @test "server/Service: disable with global.enabled false server.service.enabled false" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-service.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'global.enabled=false' \
       --set 'server.service.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 
-  local actual=$(helm template \
-      -x templates/server-service.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'global.enabled=false' \
       --set 'server.service.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 
-  local actual=$(helm template \
-      -x templates/server-service.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'global.enabled=false' \
       --set 'server.service.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
@@ -119,21 +118,21 @@ load _helpers
 @test "server/Service: tolerates unready endpoints" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.dev.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.metadata.annotations["service.alpha.kubernetes.io/tolerate-unready-endpoints"]' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.metadata.annotations["service.alpha.kubernetes.io/tolerate-unready-endpoints"]' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.standalone.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.metadata.annotations["service.alpha.kubernetes.io/tolerate-unready-endpoints"]' | tee /dev/stderr)
@@ -143,7 +142,7 @@ load _helpers
 @test "server/Service: generic annotations" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.service.annotations.vaultIsAwesome=true' \
       . | tee /dev/stderr |
       yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
@@ -153,21 +152,21 @@ load _helpers
 @test "server/Service: publish not ready" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.dev.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.standalone.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
@@ -177,21 +176,21 @@ load _helpers
 @test "server/Service: type empty by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.dev.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.type' | tee /dev/stderr)
   [ "${actual}" = "null" ]
 
     local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.type' | tee /dev/stderr)
   [ "${actual}" = "null" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       . | tee /dev/stderr |
       yq -r '.spec.type' | tee /dev/stderr)
   [ "${actual}" = "null" ]
@@ -200,7 +199,7 @@ load _helpers
 @test "server/Service: type can set" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.dev.enabled=true' \
       --set 'server.service.type=NodePort' \
       . | tee /dev/stderr |
@@ -208,7 +207,7 @@ load _helpers
   [ "${actual}" = "NodePort" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.ha.enabled=true' \
       --set 'server.service.type=NodePort' \
       . | tee /dev/stderr |
@@ -216,7 +215,7 @@ load _helpers
   [ "${actual}" = "NodePort" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.service.type=NodePort' \
       . | tee /dev/stderr |
       yq -r '.spec.type' | tee /dev/stderr)
@@ -226,21 +225,21 @@ load _helpers
 @test "server/Service: clusterIP empty by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.dev.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.clusterIP' | tee /dev/stderr)
   [ "${actual}" = "null" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.clusterIP' | tee /dev/stderr)
   [ "${actual}" = "null" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       . | tee /dev/stderr |
       yq -r '.spec.clusterIP' | tee /dev/stderr)
   [ "${actual}" = "null" ]
@@ -249,7 +248,7 @@ load _helpers
 @test "server/Service: clusterIP can set" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.dev.enabled=true' \
       --set 'server.service.clusterIP=None' \
       . | tee /dev/stderr |
@@ -257,7 +256,7 @@ load _helpers
   [ "${actual}" = "None" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.ha.enabled=true' \
       --set 'server.service.clusterIP=None' \
       . | tee /dev/stderr |
@@ -265,7 +264,7 @@ load _helpers
   [ "${actual}" = "None" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.service.clusterIP=None' \
       . | tee /dev/stderr |
       yq -r '.spec.clusterIP' | tee /dev/stderr)
@@ -275,13 +274,13 @@ load _helpers
 @test "server/Service: port and targetPort will be 8200 by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       . | tee /dev/stderr |
       yq -r '.spec.ports[0].port' | tee /dev/stderr)
   [ "${actual}" = "8200" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       . | tee /dev/stderr |
       yq -r '.spec.ports[0].targetPort' | tee /dev/stderr)
   [ "${actual}" = "8200" ]
@@ -290,14 +289,14 @@ load _helpers
 @test "server/Service: port and targetPort can be set" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.service.port=8000' \
       . | tee /dev/stderr |
       yq -r '.spec.ports[0].port' | tee /dev/stderr)
   [ "${actual}" = "8000" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.service.targetPort=80' \
       . | tee /dev/stderr |
       yq -r '.spec.ports[0].targetPort' | tee /dev/stderr)
@@ -307,7 +306,7 @@ load _helpers
 @test "server/Service: nodeport can set" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.dev.enabled=true' \
       --set 'server.service.type=NodePort' \
       --set 'server.service.nodePort=30008' \
@@ -316,7 +315,7 @@ load _helpers
   [ "${actual}" = "30008" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.ha.enabled=true' \
       --set 'server.service.type=NodePort' \
       --set 'server.service.nodePort=30009' \
@@ -325,7 +324,7 @@ load _helpers
   [ "${actual}" = "30009" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.service.type=NodePort' \
       --set 'server.service.nodePort=30010' \
       . | tee /dev/stderr |
@@ -336,7 +335,7 @@ load _helpers
 @test "server/Service: nodeport can't set when type isn't NodePort" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.dev.enabled=true' \
       --set 'server.service.nodePort=30008' \
       . | tee /dev/stderr |
@@ -344,7 +343,7 @@ load _helpers
   [ "${actual}" = "null" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.ha.enabled=true' \
       --set 'server.service.nodePort=30009' \
       . | tee /dev/stderr |
@@ -352,7 +351,7 @@ load _helpers
   [ "${actual}" = "null" ]
 
   local actual=$(helm template \
-      -x templates/server-service.yaml \
+      --show-only templates/server-service.yaml \
       --set 'server.standalone.enabled=true' \
       --set 'server.service.nodePort=30010' \
       . | tee /dev/stderr |
diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats
index 23c4841..66fd84b 100755
--- a/test/unit/server-serviceaccount.bats
+++ b/test/unit/server-serviceaccount.bats
@@ -5,7 +5,7 @@ load _helpers
 @test "server/ServiceAccount: specify annotations" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-serviceaccount.yaml  \
+      --show-only templates/server-serviceaccount.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'server.serviceAccount.annotations.foo=bar' \
       . | tee /dev/stderr |
@@ -13,7 +13,7 @@ load _helpers
   [ "${actual}" = "null" ]
 
   local actual=$(helm template \
-      -x templates/server-serviceaccount.yaml  \
+      --show-only templates/server-serviceaccount.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'server.serviceAccount.annotations.foo=bar' \
       . | tee /dev/stderr |
@@ -21,7 +21,7 @@ load _helpers
   [ "${actual}" = "bar" ]
 
   local actual=$(helm template \
-      -x templates/server-serviceaccount.yaml  \
+      --show-only templates/server-serviceaccount.yaml  \
       --set 'server.ha.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 60b54c8..059e1c4 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -5,7 +5,7 @@ load _helpers
 @test "server/standalone-StatefulSet: default server.standalone.enabled" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
@@ -14,7 +14,7 @@ load _helpers
 @test "server/standalone-StatefulSet: enable with server.standalone.enabled true" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
@@ -23,11 +23,11 @@ load _helpers
 
 @test "server/standalone-StatefulSet: disable with global.enabled" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/server-statefulset.yaml  \
       --set 'global.enabled=false' \
       --set 'server.standalone.enabled=true' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
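Review bot: The `|| echo "---"` fallback in this test turns every `helm template` failure into an empty document, so a chart that fails to render for an unrelated reason would still produce `false` and the test would pass. The fallback presumably exists because `--show-only` exits non-zero when the selected template renders nothing, but the test no longer tells that case apart from a broken chart. Consider Bats' `run helm template --show-only templates/server-statefulset.yaml --set 'global.enabled=false' .`, then `[ "$status" -ne 0 ]` plus a match on `$output` for the expected "template not found" style message (exact wording to be confirmed against the Helm version in use). The same pattern is repeated in all six invocations of the `test/unit/ui-service.bats` hunk at `@@ -4,51 +4,51 @@`.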
@@ -35,7 +35,7 @@ load _helpers
 @test "server/standalone-StatefulSet: image defaults to server.image.repository:tag" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.image.repository=foo' \
       --set 'server.image.tag=1.2.3' \
       . | tee /dev/stderr |
@@ -43,7 +43,7 @@ load _helpers
   [ "${actual}" = "foo:1.2.3" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.image.repository=foo' \
       --set 'server.image.tag=1.2.3' \
       --set 'server.standalone.enabled=true' \
@@ -55,7 +55,7 @@ load _helpers
 @test "server/standalone-StatefulSet: image tag defaults to latest" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.image.repository=foo' \
       --set 'server.image.tag=' \
       . | tee /dev/stderr |
@@ -63,7 +63,7 @@ load _helpers
   [ "${actual}" = "foo:latest" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.image.repository=foo' \
       --set 'server.image.tag=' \
       --set 'server.standalone.enabled=true' \
@@ -75,7 +75,7 @@ load _helpers
 @test "server/standalone-StatefulSet: default imagePullPolicy" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].imagePullPolicy' | tee /dev/stderr)
   [ "${actual}" = "IfNotPresent" ]
@@ -84,7 +84,7 @@ load _helpers
 @test "server/standalone-StatefulSet: Custom imagePullPolicy" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.image.pullPolicy=Always' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].imagePullPolicy' | tee /dev/stderr)
@@ -94,7 +94,7 @@ load _helpers
 @test "server/standalone-StatefulSet: Custom imagePullSecrets" {
   cd `chart_dir`
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'global.imagePullSecrets[0].name=foo' \
       --set 'global.imagePullSecrets[1].name=bar' \
       . | tee /dev/stderr |
@@ -112,7 +112,7 @@ load _helpers
 @test "server/standalone-StatefulSet: default imagePullSecrets" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.imagePullSecrets' | tee /dev/stderr)
   [ "${actual}" = "null" ]
@@ -124,7 +124,7 @@ load _helpers
 @test "server/standalone-StatefulSet: OnDelete updateStrategy" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       . | tee /dev/stderr |
       yq -r '.spec.updateStrategy.type' | tee /dev/stderr)
   [ "${actual}" = "OnDelete" ]
@@ -136,7 +136,7 @@ load _helpers
 @test "server/standalone-StatefulSet: default replicas" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.replicas' | tee /dev/stderr)
@@ -146,14 +146,14 @@ load _helpers
 @test "server/standalone-StatefulSet: custom replicas" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.replicas=100' \
       . | tee /dev/stderr |
       yq -r '.spec.replicas' | tee /dev/stderr)
   [ "${actual}" = "1" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.standalone.replicas=100' \
       . | tee /dev/stderr |
@@ -167,7 +167,7 @@ load _helpers
 @test "server/standalone-StatefulSet: default resources" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
@@ -177,7 +177,7 @@ load _helpers
 @test "server/standalone-StatefulSet: custom resources" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.resources.requests.memory=256Mi' \
       --set 'server.resources.requests.cpu=250m' \
@@ -186,7 +186,7 @@ load _helpers
   [ "${actual}" = "256Mi" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.resources.limits.memory=256Mi' \
       --set 'server.resources.limits.cpu=250m' \
@@ -195,7 +195,7 @@ load _helpers
   [ "${actual}" = "256Mi" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.resources.requests.cpu=250m' \
       . | tee /dev/stderr |
@@ -203,7 +203,7 @@ load _helpers
   [ "${actual}" = "250m" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.resources.limits.cpu=250m' \
       . | tee /dev/stderr |
@@ -219,7 +219,7 @@ load _helpers
 
   # Test that it defines it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.extraVolumes[0].type=configMap' \
       --set 'server.extraVolumes[0].name=foo' \
       . | tee /dev/stderr |
@@ -234,7 +234,7 @@ load _helpers
   [ "${actual}" = "null" ]
 
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.extraVolumes[0].type=configMap' \
       --set 'server.extraVolumes[0].name=foo' \
@@ -251,7 +251,7 @@ load _helpers
 
   # Test that it mounts it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.extraVolumes[0].type=configMap' \
       --set 'server.extraVolumes[0].name=foo' \
       . | tee /dev/stderr |
@@ -266,7 +266,7 @@ load _helpers
   [ "${actual}" = "/vault/userconfig/foo" ]
 
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.extraVolumes[0].type=configMap' \
       --set 'server.extraVolumes[0].name=foo' \
@@ -287,7 +287,7 @@ load _helpers
 
   # Test that it defines it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.extraVolumes[0].type=secret' \
       --set 'server.extraVolumes[0].name=foo' \
       . | tee /dev/stderr |
@@ -302,7 +302,7 @@ load _helpers
   [ "${actual}" = "foo" ]
 
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.extraVolumes[0].type=secret' \
       --set 'server.extraVolumes[0].name=foo' \
@@ -319,7 +319,7 @@ load _helpers
 
   # Test that it mounts it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.extraVolumes[0].type=configMap' \
       --set 'server.extraVolumes[0].name=foo' \
       . | tee /dev/stderr |
@@ -334,7 +334,7 @@ load _helpers
   [ "${actual}" = "/vault/userconfig/foo" ]
 
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.extraVolumes[0].type=configMap' \
       --set 'server.extraVolumes[0].name=foo' \
@@ -353,7 +353,7 @@ load _helpers
 @test "server/standalone-StatefulSet: can mount audit" {
   cd `chart_dir`
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.auditStorage.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "audit")' | tee /dev/stderr)
@@ -365,7 +365,7 @@ load _helpers
 @test "server/standalone-StatefulSet: set extraEnvironmentVars" {
   cd `chart_dir`
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.stanadlone.enabled=true' \
       --set 'server.extraEnvironmentVars.FOO=bar' \
       --set 'server.extraEnvironmentVars.FOOBAR=foobar' \
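Review bot: The context line `--set 'server.stanadlone.enabled=true'` directly under the changed flag misspells `standalone`, so the value lands on a key no other test in this file uses. The first half of "set extraEnvironmentVars" therefore most likely runs in the chart's default mode rather than the mode it names. It is worth fixing while these lines are being touched: `--set 'server.standalone.enabled=true' \`. The test body continues past the end of this hunk.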
@@ -389,7 +389,7 @@ load _helpers
   [ "${actual}" = "foobar" ]
 
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.extraEnvironmentVars.FOO=bar' \
       --set 'server.extraEnvironmentVars.FOOBAR=foobar' \
       . | tee /dev/stderr |
@@ -418,13 +418,13 @@ load _helpers
 @test "server/standalone-StatefulSet: storageClass on claim by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       . | tee /dev/stderr |
       yq -r '.spec.volumeClaimTemplates[0].spec.storageClassName' | tee /dev/stderr)
   [ "${actual}" = "null" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.volumeClaimTemplates[0].spec.storageClassName' | tee /dev/stderr)
@@ -435,7 +435,7 @@ load _helpers
 @test "server/standalone-StatefulSet: can set storageClass" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.dataStorage.enabled=true' \
       --set 'server.dataStorage.storageClass=foo' \
       . | tee /dev/stderr |
@@ -443,7 +443,7 @@ load _helpers
   [ "${actual}" = "foo" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.dataStorage.enabled=false' \
       --set 'server.auditStorage.enabled=true' \
@@ -453,7 +453,7 @@ load _helpers
   [ "${actual}" = "foo" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.auditStorage.enabled=true' \
       --set 'server.auditStorage.storageClass=foo' \
@@ -462,7 +462,7 @@ load _helpers
   [ "${actual}" = "foo" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.auditStorage.enabled=true' \
       --set 'server.dataStorage.enabled=true' \
       . | tee /dev/stderr |
@@ -470,7 +470,7 @@ load _helpers
   [ "${actual}" = "2" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.auditStorage.enabled=true' \
       --set 'server.dataStorage.enabled=true' \
@@ -482,7 +482,7 @@ load _helpers
 @test "server/standalone-StatefulSet: can disable storage" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.auditStorage.enabled=false' \
       --set 'server.dataStorage.enabled=true' \
       . | tee /dev/stderr |
@@ -490,7 +490,7 @@ load _helpers
   [ "${actual}" = "1" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.auditStorage.enabled=true' \
       --set 'server.dataStorage.enabled=false' \
       . | tee /dev/stderr |
@@ -498,7 +498,7 @@ load _helpers
   [ "${actual}" = "1" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.auditStorage.enabled=false' \
       --set 'server.dataStorage.enabled=true' \
@@ -507,7 +507,7 @@ load _helpers
   [ "${actual}" = "1" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.auditStorage.enabled=true' \
       --set 'server.dataStorage.enabled=false' \
@@ -516,7 +516,7 @@ load _helpers
   [ "${actual}" = "1" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.auditStorage.enabled=true' \
       --set 'server.dataStorage.enabled=true' \
       . | tee /dev/stderr |
@@ -524,7 +524,7 @@ load _helpers
   [ "${actual}" = "2" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.auditStorage.enabled=true' \
       --set 'server.dataStorage.enabled=true' \
@@ -533,7 +533,7 @@ load _helpers
   [ "${actual}" = "2" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.auditStorage.enabled=fa;se' \
       --set 'server.dataStorage.enabled=false' \
       . | tee /dev/stderr |
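Review bot: `--set 'server.auditStorage.enabled=fa;se'`, just below the changed flag, looks like a typo for `false`, and as written the chart receives the string `fa;se`. The `[ "${actual}" = "0" ]` assertion visible at the top of the next hunk then only holds if the template treats anything other than `true` as disabled, which these hunks do not show. Replace it with `--set 'server.auditStorage.enabled=false' \` so the case exercises the intended input. The enclosing test starts before and ends after this hunk.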
@@ -541,7 +541,7 @@ load _helpers
   [ "${actual}" = "0" ]
 
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'server.auditStorage.enabled=false' \
       --set 'server.dataStorage.enabled=false' \
@@ -553,7 +553,7 @@ load _helpers
 @test "server/standalone-StatefulSet: tolerations not set by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       . | tee /dev/stderr |
       yq '.spec.template.spec | .tolerations? == null' | tee /dev/stderr)
   [ "${actual}" = "true" ]
@@ -562,7 +562,7 @@ load _helpers
 @test "server/standalone-StatefulSet: tolerations can be set" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.tolerations=foobar' \
       . | tee /dev/stderr |
       yq '.spec.template.spec.tolerations == "foobar"' | tee /dev/stderr)
@@ -572,7 +572,7 @@ load _helpers
 @test "server/standalone-StatefulSet: nodeSelector is not set by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       . | tee /dev/stderr |
       yq '.spec.template.spec.nodeSelector' | tee /dev/stderr)
   [ "${actual}" = "null" ]
@@ -581,7 +581,7 @@ load _helpers
 @test "server/standalone-StatefulSet: specified nodeSelector" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.nodeSelector=testing' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr)
@@ -596,7 +596,7 @@ load _helpers
 
   # Test that it defines it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.extraContainers[0].image=test-image' \
       --set 'server.extraContainers[0].name=test-container' \
       --set 'server.extraContainers[0].ports[0].name=test-port' \
@@ -642,7 +642,7 @@ load _helpers
 
   # Test that it defines it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.extraContainers[0].image=test-image' \
       --set 'server.extraContainers[0].name=test-container' \
       --set 'server.extraContainers[1].image=test-image' \
@@ -661,13 +661,13 @@ load _helpers
 
   # Test that it defines it
   local object=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers' | tee /dev/stderr)
 
   local containers_count=$(echo $object |
       yq -r 'length' | tee /dev/stderr)
-  [ "${containers_count}" = 1 ]  
+  [ "${containers_count}" = 1 ]
 }
 
 # sharedProcessNamespace
@@ -677,7 +677,7 @@ load _helpers
 
   # Test that it defines it
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.shareProcessNamespace' | tee /dev/stderr)
 
@@ -689,7 +689,7 @@ load _helpers
 
   # Test that it defines it
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
+      --show-only templates/server-statefulset.yaml  \
       --set 'server.shareProcessNamespace=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.shareProcessNamespace' | tee /dev/stderr)
@@ -702,7 +702,7 @@ load _helpers
 @test "server/standalone-StatefulSet: specify extraLabels" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.extraLabels.foo=bar' \
       . | tee /dev/stderr |
       yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr)
@@ -715,7 +715,7 @@ load _helpers
 @test "server/standalone-StatefulSet: uid default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
   [ "${actual}" = "100" ]
@@ -724,7 +724,7 @@ load _helpers
 @test "server/standalone-StatefulSet: uid configurable" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.uid=2000' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
@@ -734,7 +734,7 @@ load _helpers
 @test "server/standalone-StatefulSet: gid default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
   [ "${actual}" = "1000" ]
@@ -743,7 +743,7 @@ load _helpers
 @test "server/standalone-StatefulSet: gid configurable" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.gid=2000' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
@@ -753,7 +753,7 @@ load _helpers
 @test "server/standalone-StatefulSet: fsgroup default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
   [ "${actual}" = "1000" ]
@@ -762,7 +762,7 @@ load _helpers
 @test "server/standalone-StatefulSet: fsgroup configurable" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.gid=2000' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
@@ -775,7 +775,7 @@ load _helpers
 @test "server/standalone-StatefulSet: readinessProbe default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].readinessProbe.exec.command[2]' | tee /dev/stderr)
   [ "${actual}" = "vault status -tls-skip-verify" ]
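Review bot: The assertion `[ "${actual}" = "vault status -tls-skip-verify" ]` pins a default readiness probe that disables certificate verification, and nothing in the test says why that is acceptable. A one-line comment above the assertion would record the assumption, e.g. `# exec probe runs inside the Vault container; -tls-skip-verify only affects this local status check (confirm VAULT_ADDR is loopback)`. If the chart ever lets the probe target a non-local address, this default should be revisited rather than silently kept green by the test.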
@@ -784,7 +784,7 @@ load _helpers
 @test "server/standalone-StatefulSet: readinessProbe configurable" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.readinessProbe.enabled=false' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].readinessProbe' | tee /dev/stderr)
@@ -795,7 +795,7 @@ load _helpers
 @test "server/standalone-StatefulSet: livenessProbe default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].livenessProbe' | tee /dev/stderr)
   [ "${actual}" = "null" ]
@@ -804,7 +804,7 @@ load _helpers
 @test "server/standalone-StatefulSet: livenessProbe configurable" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.livenessProbe.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].livenessProbe.httpGet.path' | tee /dev/stderr)
@@ -814,7 +814,7 @@ load _helpers
 @test "server/standalone-StatefulSet: livenessProbe initialDelaySeconds default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.livenessProbe.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].livenessProbe.initialDelaySeconds' | tee /dev/stderr)
@@ -824,7 +824,7 @@ load _helpers
 @test "server/standalone-StatefulSet: livenessProbe initialDelaySeconds configurable" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.livenessProbe.enabled=true' \
       --set 'server.livenessProbe.initialDelaySeconds=30' \
       . | tee /dev/stderr |
@@ -835,7 +835,7 @@ load _helpers
 @test "server/standalone-StatefulSet: add extraArgs" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.extraArgs=foobar' \
       . | tee /dev/stderr |
        yq -r '.spec.template.spec.containers[0].args[0]' | tee /dev/stderr)
@@ -847,7 +847,7 @@ load _helpers
 @test "server/standalone-StatefulSet: preStop sleep duration default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       . | tee /dev/stderr |
        yq -r '.spec.template.spec.containers[0].lifecycle.preStop.exec.command[2]' | tee /dev/stderr)
   [[ "${actual}" = "sleep 5 &&"* ]]
@@ -856,7 +856,7 @@ load _helpers
 @test "server/standalone-StatefulSet: preStop sleep duration 10" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/server-statefulset.yaml \
+      --show-only templates/server-statefulset.yaml \
       --set 'server.preStopSleepSeconds=10' \
       . | tee /dev/stderr |
        yq -r '.spec.template.spec.containers[0].lifecycle.preStop.exec.command[2]' | tee /dev/stderr)
diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats
index 98d41ff..b0da7bf 100755
--- a/test/unit/ui-service.bats
+++ b/test/unit/ui-service.bats
@@ -4,51 +4,51 @@ load _helpers
 
 @test "ui/Service: disabled by default" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/ui-service.yaml \
+  local actual=$( (helm template \
+      --show-only templates/ui-service.yaml \
       --set 'server.dev.enabled=true' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 
-  local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/ui-service.yaml  \
       --set 'server.ha.enabled=true' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 
-  local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/ui-service.yaml  \
       --set 'server.standalone.enabled=true' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
 
 @test "ui/Service: disable with ui.enabled" {
   cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/ui-service.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'ui.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 
-  local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/ui-service.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'ui.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 
-  local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+  local actual=$( (helm template \
+      --show-only templates/ui-service.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'ui.enabled=false' \
-      . | tee /dev/stderr |
+      . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
@@ -56,7 +56,7 @@ load _helpers
 @test "ui/Service: ClusterIP type by default" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+      --show-only templates/ui-service.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'ui.enabled=true' \
       . | tee /dev/stderr |
@@ -64,7 +64,7 @@ load _helpers
   [ "${actual}" = "ClusterIP" ]
 
   local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+      --show-only templates/ui-service.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'ui.enabled=true' \
       . | tee /dev/stderr |
@@ -72,7 +72,7 @@ load _helpers
   [ "${actual}" = "ClusterIP" ]
 
   local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+      --show-only templates/ui-service.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'ui.enabled=true' \
       . | tee /dev/stderr |
@@ -83,7 +83,7 @@ load _helpers
 @test "ui/Service: specified type" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+      --show-only templates/ui-service.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'ui.serviceType=LoadBalancer' \
       --set 'ui.enabled=true' \
@@ -92,7 +92,7 @@ load _helpers
   [ "${actual}" = "LoadBalancer" ]
 
   local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+      --show-only templates/ui-service.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'ui.serviceType=LoadBalancer' \
       --set 'ui.enabled=true' \
@@ -101,7 +101,7 @@ load _helpers
   [ "${actual}" = "LoadBalancer" ]
 
   local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+      --show-only templates/ui-service.yaml  \
       --set 'server.standalone.enabled=true' \
       --set 'ui.serviceType=LoadBalancer' \
       --set 'ui.enabled=true' \
@@ -113,7 +113,7 @@ load _helpers
 @test "ui/Service: LoadBalancerIP set if specified and serviceType == LoadBalancer" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+      --show-only templates/ui-service.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'ui.serviceType=LoadBalancer' \
       --set 'ui.enabled=true' \
@@ -123,7 +123,7 @@ load _helpers
   [ "${actual}" = "123.123.123.123" ]
 
   local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+      --show-only templates/ui-service.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'ui.serviceType=ClusterIP' \
       --set 'ui.enabled=true' \
@@ -136,7 +136,7 @@ load _helpers
 @test "ui/Service: set loadBalancerSourceRanges when LoadBalancer is configured as serviceType" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+      --show-only templates/ui-service.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'ui.serviceType=LoadBalancer' \
       --set 'ui.enabled=true' \
@@ -146,7 +146,7 @@ load _helpers
   [ "${actual}" = "123.123.123.123" ]
 
   local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+      --show-only templates/ui-service.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'ui.serviceType=ClusterIP' \
       --set 'ui.enabled=true' \
@@ -159,7 +159,7 @@ load _helpers
 @test "ui/Service: specify annotations" {
   cd `chart_dir`
   local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+      --show-only templates/ui-service.yaml  \
       --set 'server.dev.enabled=true' \
       --set 'ui.serviceType=LoadBalancer' \
       --set 'ui.enabled=true' \
@@ -169,7 +169,7 @@ load _helpers
   [ "${actual}" = "bar" ]
 
   local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+      --show-only templates/ui-service.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'ui.serviceType=LoadBalancer' \
       --set 'ui.enabled=true' \
@@ -179,7 +179,7 @@ load _helpers
   [ "${actual}" = "bar" ]
 
   local actual=$(helm template \
-      -x templates/ui-service.yaml  \
+      --show-only templates/ui-service.yaml  \
       --set 'server.ha.enabled=true' \
       --set 'ui.serviceType=LoadBalancer' \
       --set 'ui.enabled=true' \
-- 
GitLab


From 872ae7a48f084379d410867a628dbfdb917d6578 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Thu, 6 Feb 2020 08:46:09 -0800
Subject: [PATCH 09/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9daae18..0e7da58 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ Improvements:
 * Allow process namespace sharing between Vault and sidecar containers
 * Added configurable to change updateStrategy
 * Added sleep in the preStop lifecycle step
+* Updated chart and tests to Helm 3
 
 Bugs:
 
-- 
GitLab


From 2b2b0dd2fa9e871d7525e35c7eff5a518bbf9c22 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Fri, 21 Feb 2020 08:16:33 -0800
Subject: [PATCH 10/79] Added support for external vault (#207)

Uses Values.injector.externalVaultAddr to control the vault address
env variable and server yaml rendering.

If injector.externalVaultAddr is empty, both the injector and vault
are deployed, with the injector using the local vault. If
injector.externalVaultAddr is not empty, only the injector is
deployed, and it uses the vault at the address specified in
injector.externalVaultAddr.
---
 templates/_helpers.tpl                    |  4 +-
 templates/injector-deployment.yaml        |  4 ++
 templates/server-clusterrolebinding.yaml  |  2 +
 templates/server-config-configmap.yaml    |  2 +
 templates/server-disruptionbudget.yaml    |  2 +
 templates/server-ingress.yaml             |  3 ++
 templates/server-service.yaml             |  3 ++
 templates/server-serviceaccount.yaml      |  2 +
 templates/server-statefulset.yaml         |  2 +
 templates/ui-service.yaml                 |  2 +
 test/unit/injector-deployment.bats        | 34 ++++++++++++++
 test/unit/server-clusterrolebinding.bats  | 10 +++++
 test/unit/server-configmap.bats           | 10 +++++
 test/unit/server-dev-statefulset.bats     | 11 +++++
 test/unit/server-ha-disruptionbudget.bats | 10 +++++
 test/unit/server-ha-statefulset.bats      | 11 +++++
 test/unit/server-ingress.bats             | 11 +++++
 test/unit/server-service.bats             | 30 +++++++++++++
 test/unit/server-serviceaccount.bats      | 54 +++++++++++++++++++++++
 test/unit/server-statefulset.bats         | 11 +++++
 test/unit/ui-service.bats                 | 27 ++++++++++++
 values.yaml                               |  4 ++
 22 files changed, 248 insertions(+), 1 deletion(-)

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 0098ab1..f985a8c 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -51,7 +51,9 @@ Set the variable 'mode' to the server mode requested by the user to simplify
 template logic.
 */}}
 {{- define "vault.mode" -}}
-  {{- if eq (.Values.server.dev.enabled | toString) "true" -}}
+  {{- if .Values.injector.externalVaultAddr -}}
+    {{- $_ := set . "mode" "external" -}}
+  {{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
     {{- $_ := set . "mode" "dev" -}}
   {{- else if eq (.Values.server.ha.enabled | toString) "true" -}}
     {{- $_ := set . "mode" "ha" -}}
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 86c54ff..2362915 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -40,7 +40,11 @@ spec:
             - name: AGENT_INJECT_LOG_LEVEL
               value: {{ .Values.injector.logLevel | default "info" }}
             - name: AGENT_INJECT_VAULT_ADDR
+            {{- if .Values.injector.externalVaultAddr }}
+              value: "{{ .Values.injector.externalVaultAddr }}"
+            {{- else }}
               value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
+            {{- end }}
             - name: AGENT_INJECT_VAULT_IMAGE
               value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
             {{- if .Values.injector.certs.secretName }}
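Review bot: The added `value: "{{ .Values.injector.externalVaultAddr }}"` wraps the raw value in literal double quotes, so an address containing `"` or `\` renders as broken or altered YAML. Piping through the template function handles the escaping: `value: {{ .Values.injector.externalVaultAddr | quote }}`. The container's env list starts and ends outside this hunk.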
diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml
index ac60cd7..733764f 100644
--- a/templates/server-clusterrolebinding.yaml
+++ b/templates/server-clusterrolebinding.yaml
@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true")) }}
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
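Review bot: The new `{{- if ne .mode "external" }}` guard nests a second `if` around the existing one and needs its own `{{ end }}` at the bottom of the file (next hunk). The same pattern is repeated in server-config-configmap.yaml, server-disruptionbudget.yaml, server-ingress.yaml, server-service.yaml, server-serviceaccount.yaml, server-statefulset.yaml and ui-service.yaml. Folding the check into the existing condition keeps one block per template, here `{{- if and (ne .mode "external") (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }}`. If the guard stays separate, a comment above it such as `{{- /* external Vault configured: render no server resources */ -}}` would tell the next reader why the file has two closing `end`s.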
@@ -19,3 +20,4 @@ subjects:
   name: {{ template "vault.fullname" . }}
   namespace: {{ .Release.Namespace }}
 {{ end }}
+{{ end }}
diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml
index 811500b..6748d0f 100644
--- a/templates/server-config-configmap.yaml
+++ b/templates/server-config-configmap.yaml
@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}}
 {{ if or (ne .Values.server.standalone.config "")  (ne .Values.server.ha.config "") -}}
 apiVersion: v1
@@ -21,3 +22,4 @@ data:
   {{ end }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml
index 40ba8b4..6d7f824 100644
--- a/templates/server-disruptionbudget.yaml
+++ b/templates/server-disruptionbudget.yaml
@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" -}}
 {{- if and (and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha")) (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
 # PodDisruptionBudget to prevent degrading the server cluster through
 # voluntary cluster changes.
@@ -20,3 +21,4 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       component: server
 {{- end -}}
+{{- end -}}
diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml
index 0402eab..8786d97 100644
--- a/templates/server-ingress.yaml
+++ b/templates/server-ingress.yaml
@@ -1,3 +1,5 @@
+{{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if .Values.server.ingress.enabled -}}
 {{- $serviceName := include "vault.fullname" . -}}
 {{- $servicePort := .Values.server.service.port -}}
@@ -42,3 +44,4 @@ spec:
         {{- end }}
   {{- end }}
 {{- end }}
+{{- end }}
diff --git a/templates/server-service.yaml b/templates/server-service.yaml
index 4ea2363..dc633c6 100644
--- a/templates/server-service.yaml
+++ b/templates/server-service.yaml
@@ -1,3 +1,5 @@
+{{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
 # Service for Vault cluster
 apiVersion: v1
@@ -43,3 +45,4 @@ spec:
     app.kubernetes.io/instance: {{ .Release.Name }}
     component: server
 {{- end }}
+{{- end }}
diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml
index 557ee1a..b375182 100644
--- a/templates/server-serviceaccount.yaml
+++ b/templates/server-serviceaccount.yaml
@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
 apiVersion: v1
 kind: ServiceAccount
@@ -12,3 +13,4 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
   {{ template "vault.serviceAccount.annotations" . }}
 {{ end }}
+{{ end }}
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 8a51e6d..18e0d6b 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
 # StatefulSet to run the actual vault server cluster.
 apiVersion: apps/v1
@@ -143,3 +144,4 @@ spec:
       {{- end }}
   {{ template "vault.volumeclaims" . }}
 {{ end }}
+{{ end }}
diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml
index cfc53e5..6d89264 100644
--- a/templates/ui-service.yaml
+++ b/templates/ui-service.yaml
@@ -1,4 +1,5 @@
 {{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
 {{- if eq (.Values.ui.enabled | toString) "true" }}
 # Headless service for Vault server DNS entries. This service should only
@@ -43,3 +44,4 @@ spec:
 {{- end -}}
 
 {{ end }}
+{{ end }}
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index 1f6caaa..7018ea9 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@@ -154,3 +154,37 @@ load _helpers
       yq -r '.[5].name' | tee /dev/stderr)
   [ "${actual}" = "AGENT_INJECT_TLS_AUTO_HOSTS" ]
 }
+
+@test "injector/deployment: with externalVaultAddr" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[2].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_VAULT_ADDR" ]
+
+  local actual=$(echo $object |
+      yq -r '.[2].value' | tee /dev/stderr)
+  [ "${actual}" = "http://vault-outside" ]
+}
+
+@test "injector/deployment: without externalVaultAddr" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --release-name not-external-test  \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[2].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_VAULT_ADDR" ]
+
+  local actual=$(echo $object |
+      yq -r '.[2].value' | tee /dev/stderr)
+  [ "${actual}" = "http://not-external-test-vault.default.svc:8200" ]
+}
diff --git a/test/unit/server-clusterrolebinding.bats b/test/unit/server-clusterrolebinding.bats
index d1245c4..d0d2acf 100755
--- a/test/unit/server-clusterrolebinding.bats
+++ b/test/unit/server-clusterrolebinding.bats
@@ -60,3 +60,13 @@ load _helpers
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
+
+@test "server/ClusterRoleBinding: disable with injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-clusterrolebinding.yaml  \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
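Review bot: The `|| echo "---"` fallback in this test turns every `helm template` failure into an empty document, so a template that fails to render for an unrelated reason (a syntax error, a bad value) also yields `false` and the test passes. The same construct is used in all the `disable with/by injector.externalVaultAddr` tests added by this commit. If the fallback is only meant for the case where `--show-only` matches no rendered template, document and narrow it, for instance with a comment `# helm exits non-zero when --show-only finds no rendered template; other errors are masked too` plus an assertion on helm's error text. This test also leaves `server.authDelegator.enabled` at its default, so whether the binding would render without the new guard depends on a default not visible here.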
diff --git a/test/unit/server-configmap.bats b/test/unit/server-configmap.bats
index 679a76f..2aa8856 100755
--- a/test/unit/server-configmap.bats
+++ b/test/unit/server-configmap.bats
@@ -82,3 +82,13 @@ load _helpers
       yq '.data["extraconfig-from-values.hcl"] | match("bar") | length' | tee /dev/stderr)
   [ ! -z "${actual}" ]
 }
+
+@test "server/ConfigMap: disabled by injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-config-configmap.yaml \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats
index 57acd20..10a9da6 100755
--- a/test/unit/server-dev-statefulset.bats
+++ b/test/unit/server-dev-statefulset.bats
@@ -23,6 +23,17 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
+@test "server/dev-StatefulSet: disable with injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      --set 'server.dev.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
 @test "server/dev-StatefulSet: image defaults to server.image.repository:tag" {
   cd `chart_dir`
   local actual=$(helm template \
diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats
index 2c0174a..f3c329e 100755
--- a/test/unit/server-ha-disruptionbudget.bats
+++ b/test/unit/server-ha-disruptionbudget.bats
@@ -43,6 +43,16 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
+@test "server/DisruptionBudget: disable with injector.exernalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-disruptionbudget.yaml  \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
 @test "server/DisruptionBudget: correct maxUnavailable with n=1" {
   cd `chart_dir`
   local actual=$(helm template \
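Review bot: The added test never sets `server.ha.enabled=true`, while the existing condition in server-disruptionbudget.yaml already requires `.mode` to be `ha`. The budget is therefore likely absent with or without the new external guard, and the assertion passes vacuously. Adding `--set 'server.ha.enabled=true' \` before the `externalVaultAddr` line makes the test exercise the guard. The test name also misspells the value: `injector.exernalVaultAddr` should read `injector.externalVaultAddr`.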
diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats
index a40e92f..11c4e93 100755
--- a/test/unit/server-ha-statefulset.bats
+++ b/test/unit/server-ha-statefulset.bats
@@ -23,6 +23,17 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
+@test "server/ha-StatefulSet: disable with injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      --set 'server.ha.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
 @test "server/ha-StatefulSet: image defaults to server.image.repository:tag" {
   cd `chart_dir`
   local actual=$(helm template \
diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats
index 1cf1576..850ad4c 100755
--- a/test/unit/server-ingress.bats
+++ b/test/unit/server-ingress.bats
@@ -11,6 +11,17 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
+@test "server/ingress: disable by injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-ingress.yaml  \
+      --set 'server.ingress.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
 @test "server/ingress: checking host entry gets added and path is /" {
   cd `chart_dir`
   local actual=$(helm template \
diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats
index adcf95f..059a1d3 100755
--- a/test/unit/server-service.bats
+++ b/test/unit/server-service.bats
@@ -113,6 +113,36 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
+@test "server/Service: disable with injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      --set 'server.service.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      --set 'server.service.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.standalone.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      --set 'server.service.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
 # This can be seen as testing just what we put into the YAML raw, but
 # this is such an important part of making everything work we verify it here.
 @test "server/Service: tolerates unready endpoints" {
diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats
index 66fd84b..d72de5d 100755
--- a/test/unit/server-serviceaccount.bats
+++ b/test/unit/server-serviceaccount.bats
@@ -27,3 +27,57 @@ load _helpers
       yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
   [ "${actual}" = "null" ]
 }
+
+@test "server/ServiceAccount: disable with global.enabled false" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'global.enabled=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'global.enabled=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.standalone.enabled=true' \
+      --set 'global.enabled=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/ServiceAccount: disable by injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/server-service.yaml  \
+      --set 'server.standalone.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
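Review bot: All six `helm template` calls in the two added `server/ServiceAccount` tests render `templates/server-service.yaml`, so they check the Service again and the ServiceAccount gating stays untested. Each `--show-only templates/server-service.yaml  \` line should be `--show-only templates/server-serviceaccount.yaml  \`. As written, a regression that keeps creating the server ServiceAccount when `global.enabled=false` or `injector.externalVaultAddr` is set would not be caught by these tests.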
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 059e1c4..1db272a 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -32,6 +32,17 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
+@test "server/standalone-StatefulSet: disable with injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      --set 'server.standalone.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
 @test "server/standalone-StatefulSet: image defaults to server.image.repository:tag" {
   cd `chart_dir`
   local actual=$(helm template \
diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats
index b0da7bf..59f1818 100755
--- a/test/unit/ui-service.bats
+++ b/test/unit/ui-service.bats
@@ -53,6 +53,33 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
+@test "ui/Service: disable with injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/ui-service.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/ui-service.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$( (helm template \
+      --show-only templates/ui-service.yaml  \
+      --set 'server.standalone.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
 @test "ui/Service: ClusterIP type by default" {
   cd `chart_dir`
   local actual=$(helm template \
diff --git a/values.yaml b/values.yaml
index 5433026..a5437bf 100644
--- a/values.yaml
+++ b/values.yaml
@@ -15,6 +15,10 @@ injector:
   # True if you want to enable vault agent injection.
   enabled: true
 
+  # External vault server address for the injector to use. Setting this will
+  # disable deployment of a vault server along with the injector.
+  externalVaultAddr: ""
+
   # image sets the repo and tag of the vault-k8s image to use for the injector.
   image:
     repository: "hashicorp/vault-k8s"
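Review bot: The comment on `externalVaultAddr` leaves out two things an operator needs to know. The value is set unchanged as AGENT_INJECT_VAULT_ADDR, so it must be a full URL including the scheme, and it takes precedence over `server.dev`, `server.ha` and `server.standalone` because the `vault.mode` helper checks it first. Suggested wording: `# Full URL (scheme://host:port) of an external Vault; use https unless the link is otherwise protected.` followed by `# When set, no server resources are rendered, whatever server.*.enabled says.` The tests in this commit use `http://vault-outside`, which is fine for rendering checks but should not be read as the recommended form.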
-- 
GitLab


From 71fad856a10b87cd09d56176e330eee0d10e1ef0 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Fri, 21 Feb 2020 08:23:57 -0800
Subject: [PATCH 11/79] changelog++

Also added links
---
 CHANGELOG.md | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0e7da58..e9c1957 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,14 +2,15 @@
 
 Improvements:
 
-* Allow process namespace sharing between Vault and sidecar containers
-* Added configurable to change updateStrategy
-* Added sleep in the preStop lifecycle step
-* Updated chart and tests to Helm 3
+* Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174)
+* Added configurable to change updateStrategy [[GH-172](https://github.com/hashicorp/vault-helm/pull/172)
+* Added sleep in the preStop lifecycle step [[GH-188](https://github.com/hashicorp/vault-helm/pull/188)]
+* Updated chart and tests to Helm 3 [[GH-195](https://github.com/hashicorp/vault-helm/pull/195)]
+* Adds Values.injector.externalVaultAddr to use the injector with an external vault [[GH-207](https://github.com/hashicorp/vault-helm/pull/207)]
 
 Bugs:
 
-* Fix bug where Vault lifecycle was appended after extra containers.
+* Fix bug where Vault lifecycle was appended after extra containers. [[GH-179](https://github.com/hashicorp/vault-helm/pull/179)]
 
 ## 0.3.3 (January 14th, 2020)
 
-- 
GitLab


From 088331f246e8ed5ecd7aeb347dbaf6374ea3b38f Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Fri, 21 Feb 2020 08:25:17 -0800
Subject: [PATCH 12/79] changelog++

missed a couple brackets
---
 CHANGELOG.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e9c1957..1e0bd38 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,8 +2,8 @@
 
 Improvements:
 
-* Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174)
-* Added configurable to change updateStrategy [[GH-172](https://github.com/hashicorp/vault-helm/pull/172)
+* Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174)]
+* Added configurable to change updateStrategy [[GH-172](https://github.com/hashicorp/vault-helm/pull/172)]
 * Added sleep in the preStop lifecycle step [[GH-188](https://github.com/hashicorp/vault-helm/pull/188)]
 * Updated chart and tests to Helm 3 [[GH-195](https://github.com/hashicorp/vault-helm/pull/195)]
 * Adds Values.injector.externalVaultAddr to use the injector with an external vault [[GH-207](https://github.com/hashicorp/vault-helm/pull/207)]
-- 
GitLab


From 2b0d91d6148457327c50102125d9b1eb8df7dfb1 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Fri, 21 Feb 2020 11:39:41 -0800
Subject: [PATCH 13/79] Fix the injector deployment unit test (#212)

Set namespace manually, so the test service will have a known
namespace.
---
 test/unit/injector-deployment.bats | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index 7018ea9..cb4d56f 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@@ -177,6 +177,7 @@ load _helpers
   local object=$(helm template \
       --show-only templates/injector-deployment.yaml  \
       --release-name not-external-test  \
+      --namespace default \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
-- 
GitLab


From 8a6419e623fcf6fae7a92fbeecf8d91c70a75c3a Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Fri, 21 Feb 2020 14:56:30 -0500
Subject: [PATCH 14/79] Update to 0.4.0 (#211)

---
 CHANGELOG.md | 2 ++
 Chart.yaml   | 2 +-
 values.yaml  | 6 +++---
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1e0bd38..bf3c405 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,7 @@
 ## Unreleased
 
+## 0.4.0 (February 21st, 2020)
+
 Improvements:
 
 * Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174)]
diff --git a/Chart.yaml b/Chart.yaml
index 8a41081..a41283c 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: vault
-version: 0.3.3
+version: 0.4.0
 description: Install and configure Vault on Kubernetes.
 home: https://www.vaultproject.io
 icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
diff --git a/values.yaml b/values.yaml
index a5437bf..23a61f7 100644
--- a/values.yaml
+++ b/values.yaml
@@ -22,7 +22,7 @@ injector:
   # image sets the repo and tag of the vault-k8s image to use for the injector.
   image:
     repository: "hashicorp/vault-k8s"
-    tag: "0.1.2"
+    tag: "0.2.0"
     pullPolicy: IfNotPresent
 
   # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
@@ -30,7 +30,7 @@ injector:
   # required.
   agentImage:
     repository: "vault"
-    tag: "1.3.1"
+    tag: "1.3.2"
 
   # namespaceSelector is the selector for restricting the webhook to only
   # specific namespaces. This should be set to a multiline string.
@@ -76,7 +76,7 @@ server:
 
   image:
     repository: "vault"
-    tag: "1.3.1"
+    tag: "1.3.2"
     # Overrides the default Image Pull Policy
     pullPolicy: IfNotPresent
 
-- 
GitLab


From 1ccc64788a4cdc4a818036c342492bb4d87ef117 Mon Sep 17 00:00:00 2001
From: Bruno FERNANDO <bruno.fernando@jobteaser.com>
Date: Tue, 3 Mar 2020 19:32:50 +0100
Subject: [PATCH 15/79] feat: add AGENT_INJECT_VAULT_AUTH_PATH option to the
 injector (#185)

* Add related unit tests
---
 templates/injector-deployment.yaml |  2 ++
 test/unit/injector-deployment.bats | 45 ++++++++++++++++++++++++++----
 values.yaml                        |  5 +++-
 3 files changed, 45 insertions(+), 7 deletions(-)

diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 2362915..16f6223 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -45,6 +45,8 @@ spec:
             {{- else }}
               value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
             {{- end }}
+            - name: AGENT_INJECT_VAULT_AUTH_PATH
+              value: {{ .Values.injector.authPath }}
             - name: AGENT_INJECT_VAULT_IMAGE
               value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
             {{- if .Values.injector.certs.secretName }}
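Review bot: `value: {{ .Values.injector.authPath }}` is rendered unquoted, unlike the neighbouring AGENT_INJECT_VAULT_IMAGE entry. An empty `authPath` therefore produces a null env value, and a path containing `: ` or ` #` is mis-parsed as YAML. Use `value: {{ .Values.injector.authPath | quote }}`. The container's env list starts and ends outside this hunk.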
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index cb4d56f..fb00ee3 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@@ -117,19 +117,19 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[4].name' | tee /dev/stderr)
+     yq -r '.[5].name' | tee /dev/stderr)
   [ "${actual}" = "AGENT_INJECT_TLS_CERT_FILE" ]
 
   local actual=$(echo $object |
-      yq -r '.[4].value' | tee /dev/stderr)
+      yq -r '.[5].value' | tee /dev/stderr)
   [ "${actual}" = "/etc/webhook/certs/test.crt" ]
 
   local actual=$(echo $object |
-      yq -r '.[5].name' | tee /dev/stderr)
+      yq -r '.[6].name' | tee /dev/stderr)
   [ "${actual}" = "AGENT_INJECT_TLS_KEY_FILE" ]
 
   local actual=$(echo $object |
-      yq -r '.[5].value' | tee /dev/stderr)
+      yq -r '.[6].value' | tee /dev/stderr)
   [ "${actual}" = "/etc/webhook/certs/test.key" ]
 }
 
@@ -147,11 +147,11 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[4].name' | tee /dev/stderr)
+     yq -r '.[5].name' | tee /dev/stderr)
   [ "${actual}" = "AGENT_INJECT_TLS_AUTO" ]
 
   local actual=$(echo $object |
-      yq -r '.[5].name' | tee /dev/stderr)
+      yq -r '.[6].name' | tee /dev/stderr)
   [ "${actual}" = "AGENT_INJECT_TLS_AUTO_HOSTS" ]
 }
 
@@ -189,3 +189,36 @@ load _helpers
       yq -r '.[2].value' | tee /dev/stderr)
   [ "${actual}" = "http://not-external-test-vault.default.svc:8200" ]
 }
+
+@test "injector/deployment: default authPath" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[3].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_VAULT_AUTH_PATH" ]
+
+  local actual=$(echo $object |
+      yq -r '.[3].value' | tee /dev/stderr)
+  [ "${actual}" = "auth/kubernetes" ]
+}
+
+@test "injector/deployment: custom authPath" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.authPath=auth/k8s' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[3].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_VAULT_AUTH_PATH" ]
+
+  local actual=$(echo $object |
+      yq -r '.[3].value' | tee /dev/stderr)
+  [ "${actual}" = "auth/k8s" ]
+}
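Review bot: Both new tests locate the variable by position (`.[3]`), so they fail whenever an entry is added earlier in the env list. The two hunks above in this file are exactly that renumbering for the TLS variables. Selecting by name removes the coupling, e.g. `yq -r '.[] | select(.name == "AGENT_INJECT_VAULT_AUTH_PATH") | .value'`, assuming this `yq` is the jq wrapper that the existing filters suggest.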
diff --git a/values.yaml b/values.yaml
index 23a61f7..24cbfd6 100644
--- a/values.yaml
+++ b/values.yaml
@@ -32,6 +32,9 @@ injector:
     repository: "vault"
     tag: "1.3.2"
 
+  # Mount Path of the Vault Kubernetes Auth Method.
+  authPath: "auth/kubernetes"
+
   # namespaceSelector is the selector for restricting the webhook to only
   # specific namespaces. This should be set to a multiline string.
   # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
@@ -124,7 +127,7 @@ server:
   # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
   # This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation
   shareProcessNamespace: false
-  
+
   # extraArgs is a string containing additional Vault server arguments.
   extraArgs: ""
 
-- 
GitLab


From 9d92922c9dc1500642278b172a7150c32534de0b Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Tue, 3 Mar 2020 10:37:47 -0800
Subject: [PATCH 16/79] changelog++

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bf3c405..e6efc43 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## Unreleased
 
+Improvements:
+
+* Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)]
+
 ## 0.4.0 (February 21st, 2020)
 
 Improvements:
-- 
GitLab


From 9d1693ad13bf364da56f0cfe5210981bbe2bf696 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Fri, 6 Mar 2020 15:03:58 -0500
Subject: [PATCH 17/79] Add new vault-k8s environment variables (#219)

* Add new vault-k8s envs

* update vault image

* Add default tests for envs

* Add note about supported log parameters

* Fix typo in test name
---
 templates/injector-deployment.yaml |  4 ++
 test/unit/injector-deployment.bats | 99 ++++++++++++++++++++++++++++++
 values.yaml                        | 15 ++++-
 3 files changed, 115 insertions(+), 3 deletions(-)

diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 16f6223..fa3688e 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -60,6 +60,10 @@ spec:
             - name: AGENT_INJECT_TLS_AUTO_HOSTS
               value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc
             {{- end }}
+            - name: AGENT_INJECT_LOG_FORMAT
+              value: {{ .Values.injector.logFormat | default "standard" }}
+            - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
+              value: {{ .Values.injector.revokeOnShutdown | default false }}
           args:
             - agent-inject
             - 2>&1
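Review bot: `AGENT_INJECT_REVOKE_ON_SHUTDOWN` renders as a bare `false` or `true`, which YAML reads as a boolean, while a container env `value` must be a string, so the API server is expected to reject the rendered Deployment. `AGENT_INJECT_LOG_FORMAT` above it is also unquoted and stays a string only while the value does not look like another YAML type. Piping both through `quote` fixes the type: `value: {{ .Values.injector.revokeOnShutdown | default false | quote }}` and `value: {{ .Values.injector.logFormat | default "standard" | quote }}`. Patch 19/79 later in this series quotes the revoke line only.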
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index fb00ee3..54b5c1c 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@@ -222,3 +222,102 @@ load _helpers
       yq -r '.[3].value' | tee /dev/stderr)
   [ "${actual}" = "auth/k8s" ]
 }
+
+@test "injector/deployment: default logLevel" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[1].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ]
+
+  local actual=$(echo $object |
+      yq -r '.[1].value' | tee /dev/stderr)
+  [ "${actual}" = "info" ]
+}
+
+@test "injector/deployment: custom logLevel" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.logLevel=foo' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[1].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ]
+
+  local actual=$(echo $object |
+      yq -r '.[1].value' | tee /dev/stderr)
+  [ "${actual}" = "foo" ]
+}
+
+@test "injector/deployment: default logFormat" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[7].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ]
+
+  local actual=$(echo $object |
+      yq -r '.[7].value' | tee /dev/stderr)
+  [ "${actual}" = "standard" ]
+}
+
+@test "injector/deployment: custom logFormat" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.logFormat=json' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[7].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ]
+
+  local actual=$(echo $object |
+      yq -r '.[7].value' | tee /dev/stderr)
+  [ "${actual}" = "json" ]
+}
+
+@test "injector/deployment: default revoke on shutdown" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[8].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ]
+
+  local actual=$(echo $object |
+      yq -r '.[8].value' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "injector/deployment: custom revoke on shutdown" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.revokeOnShutdown=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[8].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ]
+
+  local actual=$(echo $object |
+      yq -r '.[8].value' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
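Review bot: The two revoke-on-shutdown tests compare the output of `yq -r '.[8].value'` with the text `false` or `true`, which prints the same whether the template emitted a boolean or a string. They therefore pass on a manifest whose env value has the wrong type for Kubernetes. A type assertion closes the gap: run `yq -r '.[8].value | type'` and compare the result with `string`. All six tests in this hunk also address entries by position (`.[1]`, `.[7]`, `.[8]`), so they break when the env list is reordered.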
diff --git a/values.yaml b/values.yaml
index 24cbfd6..e31e40f 100644
--- a/values.yaml
+++ b/values.yaml
@@ -22,7 +22,7 @@ injector:
   # image sets the repo and tag of the vault-k8s image to use for the injector.
   image:
     repository: "hashicorp/vault-k8s"
-    tag: "0.2.0"
+    tag: "0.3.0"
     pullPolicy: IfNotPresent
 
   # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
@@ -30,11 +30,20 @@ injector:
   # required.
   agentImage:
     repository: "vault"
-    tag: "1.3.2"
+    tag: "1.3.3"
 
   # Mount Path of the Vault Kubernetes Auth Method.
   authPath: "auth/kubernetes"
 
+  # Configures the log verbosity of the injector. Supported log levels: Trace, Debug, Error, Warn, Info
+  logLevel: "info"
+
+  # Configures the log format of the injector. Supported log formats: "standard", "json".
+  logFormat: "standard"
+  
+  # Configures all Vault Agent sidecars to revoke their token when shutting down
+  revokeOnShutdown: false
+
   # namespaceSelector is the selector for restricting the webhook to only
   # specific namespaces. This should be set to a multiline string.
   # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
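Review bot: The `revokeOnShutdown` comment says what enabling the option does but not what the default `false` leaves in place. Presumably a sidecar's Vault token then stays valid until its TTL expires after the pod is gone, which matters where token TTLs are long. Once confirmed against vault-k8s, a second comment line such as `# When false, tokens are not revoked on shutdown and expire by TTL.` would make the trade-off visible. The `logLevel` comment lists capitalised names while the default is `"info"`, so it should say whether the value is case-insensitive.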
@@ -79,7 +88,7 @@ server:
 
   image:
     repository: "vault"
-    tag: "1.3.2"
+    tag: "1.3.3"
     # Overrides the default Image Pull Policy
     pullPolicy: IfNotPresent
 
-- 
GitLab


From b8fc51b2be9850368bde67e257224e364ae2db46 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Fri, 6 Mar 2020 15:10:41 -0500
Subject: [PATCH 18/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e6efc43..0c6a69c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 Improvements:
 
 * Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)]
+* Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)]
 
 ## 0.4.0 (February 21st, 2020)
 
-- 
GitLab


From d0f89fced85148ed1b7b11e96c3f9ca2ece04bbc Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Fri, 6 Mar 2020 16:59:59 -0500
Subject: [PATCH 19/79] Change revoke from bool to string (#221)

---
 templates/injector-deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index fa3688e..8f2a53d 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -63,7 +63,7 @@ spec:
             - name: AGENT_INJECT_LOG_FORMAT
               value: {{ .Values.injector.logFormat | default "standard" }}
             - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
-              value: {{ .Values.injector.revokeOnShutdown | default false }}
+              value: "{{ .Values.injector.revokeOnShutdown | default false }}"
           args:
             - agent-inject
             - 2>&1
-- 
GitLab


From 58b96dbc1057d863d334d10d67a3fbaf3b73bb02 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Wed, 18 Mar 2020 15:49:14 -0400
Subject: [PATCH 20/79] Add Raft HA support (#229)

* Add raft support

* Add acceptance test

* Update templates/server-headless-service.yaml

Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>

* Add notes to raft configurables

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
---
 templates/_helpers.tpl                 |   8 +-
 templates/server-config-configmap.yaml |   4 +-
 templates/server-headless-service.yaml |  35 +++++++
 templates/server-statefulset.yaml      |   8 +-
 test/acceptance/server-ha-raft.bats    | 121 +++++++++++++++++++++++++
 test/unit/server-configmap.bats        |  30 ++++++
 test/unit/server-dev-statefulset.bats  |  20 ++--
 test/unit/server-ha-statefulset.bats   |  20 ++--
 test/unit/server-statefulset.bats      |  16 ++--
 values.yaml                            |  23 +++++
 10 files changed, 252 insertions(+), 33 deletions(-)
 create mode 100644 templates/server-headless-service.yaml
 create mode 100644 test/acceptance/server-ha-raft.bats

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index f985a8c..5639142 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -133,6 +133,10 @@ Set's additional environment variables based on the mode.
             - name: VAULT_DEV_ROOT_TOKEN_ID
               value: "root"
   {{ end }}
+  {{ if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
+            - name: VAULT_CLUSTER_ADDR
+              value: "https://$(HOSTNAME).vault-internal:8201"
+  {{ end }}
 {{- end -}}
 
 {{/*
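Review bot: `VAULT_CLUSTER_ADDR` hard-codes the service name `vault-internal`, while the headless service added in this commit is named `{{ template "vault.fullname" . }}-internal`. For any release whose fullname is not `vault`, the advertised cluster address would point at a DNS name that does not exist, and raft peers presumably could not reach each other on 8201. Deriving the name keeps the two in step: `value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"`. The `$(HOSTNAME)` expansion relies on the `HOSTNAME` entry that the statefulset hunk adds ahead of this helper call, and the enclosing `define` starts outside this hunk.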
@@ -144,7 +148,7 @@ based on the mode configured.
             - name: audit
               mountPath: /vault/audit
   {{ end }}
-  {{ if eq .mode "standalone" }}
+  {{ if or (eq .mode "standalone") (and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true"))  }}
     {{ if eq (.Values.server.dataStorage.enabled | toString) "true" }}
             - name: data
               mountPath: /vault/data
@@ -169,7 +173,7 @@ storage might be desired by the user.
 {{- define "vault.volumeclaims" -}}
   {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }}
   volumeClaimTemplates:
-      {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (eq .mode "standalone") }}
+      {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }}
     - metadata:
         name: data
       spec:
diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml
index 6748d0f..6e05850 100644
--- a/templates/server-config-configmap.yaml
+++ b/templates/server-config-configmap.yaml
@@ -17,8 +17,10 @@ data:
     disable_mlock = true
   {{- if eq .mode "standalone" }}
     {{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
-  {{- else if eq .mode "ha" }}
+  {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }}
     {{ tpl .Values.server.ha.config . | nindent 4 | trim }}
+  {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
+    {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }}
   {{ end }}
 {{- end }}
 {{- end }}
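Review bot: Both `ha` branches now require `server.ha.raft.enabled | toString` to be exactly `"false"` or `"true"`. Any other rendering of that value leaves HA mode with only the `disable_mlock` line and no storage or listener stanza. Testing the raft case first and keeping the old condition as the fallback avoids the gap: `{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}` followed by a plain `{{- else if eq .mode "ha" }}` for `server.ha.config`.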
diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml
new file mode 100644
index 0000000..80a94a3
--- /dev/null
+++ b/templates/server-headless-service.yaml
@@ -0,0 +1,35 @@
+{{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
+{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+# Service for Vault cluster
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "vault.fullname" . }}-internal
+  namespace: {{ .Release.Namespace }}
+  labels:
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  annotations:
+    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+{{- if .Values.server.service.annotations }}
+{{ toYaml .Values.server.service.annotations | indent 4 }}
+{{- end }}
+spec:
+  clusterIP: None
+  publishNotReadyAddresses: true
+  ports:
+    - name: "{{ include "vault.scheme" . }}"
+      port: {{ .Values.server.service.port }}
+      targetPort: {{ .Values.server.service.targetPort }}
+    - name: internal
+      port: 8201
+      targetPort: 8201
+  selector:
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    component: server
+{{- end }}
+{{- end }}
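Review bot: Nothing in this new template says why the service publishes pods that are not ready, and the header comment `# Service for Vault cluster` does not distinguish it from the regular service. Presumably the point is that sealed pods must be resolvable by their peers for `raft join`. That should be stated in a comment, along with a warning that clients should use the regular service because this name can resolve to sealed pods. The `service.alpha.kubernetes.io/tolerate-unready-endpoints` annotation and `publishNotReadyAddresses: true` express the same thing, and the field is the supported form, so the annotation can be dropped unless old clusters need it.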
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 18e0d6b..5b4752b 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -12,7 +12,7 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
-  serviceName: {{ template "vault.fullname" . }}
+  serviceName: {{ template "vault.fullname" . }}-internal
   podManagementPolicy: Parallel
   replicas: {{ template "vault.replicas" . }}
   updateStrategy:
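Review bot: Changing `serviceName` affects upgrades, because Kubernetes does not allow that StatefulSet field to be updated on an existing object. A `helm upgrade` of a release installed from an earlier chart version is therefore expected to be rejected until the StatefulSet is deleted and recreated. That deserves an upgrade note in the changelog. The new governing service is also only rendered when `server.service.enabled` and `global.enabled` are true (see `server-headless-service.yaml`), while this line references it unconditionally.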
@@ -71,11 +71,15 @@ spec:
             - name: VAULT_ADDR
               value: "{{ include "vault.scheme" . }}://127.0.0.1:8200"
             - name: VAULT_API_ADDR
-              value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
+              value: "{{ include "vault.scheme" . }}-internal://$(POD_IP):8200"
             - name: SKIP_CHOWN
               value: "true"
             - name: SKIP_SETCAP
               value: "true"
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
             {{ template "vault.envs" . }}
             {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
             {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
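Review bot: The `VAULT_API_ADDR` line now appends `-internal` to the URL scheme rather than to a host name, so it renders as something like `http-internal://$(POD_IP):8200`. That is not a valid scheme, and the address Vault advertises to clients and standbys would presumably be unusable for redirects. The value already targets the pod IP, so the previous form should be restored: `value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"`. The container spec continues outside this hunk.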
diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats
new file mode 100644
index 0000000..17951b8
--- /dev/null
+++ b/test/acceptance/server-ha-raft.bats
@@ -0,0 +1,121 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/ha-raft: testing deployment" {
+  cd `chart_dir`
+
+  helm install "$(name_prefix)" \
+    --set='server.ha.enabled=true' \
+    --set='server.ha.raft.enabled=true' .
+  wait_for_running $(name_prefix)-0
+
+  # Sealed, not initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "true" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "false" ]
+
+  # Security
+  local ipc=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.containers[0].securityContext.capabilities.add[0]')
+  [ "${ipc}" == "IPC_LOCK" ]
+
+  # Replicas
+  local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.replicas')
+  [ "${replicas}" == "3" ]
+
+  # Volume Mounts
+  local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.containers[0].volumeMounts | length')
+  [ "${volumeCount}" == "2" ]
+
+  # Volumes
+  local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.volumes | length')
+  [ "${volumeCount}" == "1" ]
+
+  local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.spec.volumes[0].configMap.name')
+  [ "${volume}" == "$(name_prefix)-config" ]
+
+  # Service
+  local service=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.clusterIP')
+  [ "${service}" != "None" ]
+
+  local service=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.type')
+  [ "${service}" == "ClusterIP" ]
+
+  local ports=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.ports | length')
+  [ "${ports}" == "2" ]
+
+  local ports=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.ports[0].port')
+  [ "${ports}" == "8200" ]
+
+  local ports=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.spec.ports[1].port')
+  [ "${ports}" == "8201" ]
+
+  # Vault Init
+  local init=$(kubectl exec -ti "$(name_prefix)-0" -- \
+    vault operator init -format=json -n 1 -t 1)
+
+  local token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
+  [ "${token}" != "" ]
+  
+  local root=$(echo ${init} | jq -r '.root_token')
+  [ "${root}" != "" ]
+
+  kubectl exec -ti vault-0 -- vault operator unseal ${token}
+  wait_for_ready "$(name_prefix)-0"
+
+  sleep 5
+
+  # Vault Unseal
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      if [[ ${pod?} != "$(name_prefix)-0" ]]
+      then
+          kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200
+          kubectl exec -ti ${pod} -- vault operator unseal ${token}
+          wait_for_ready "${pod}"
+      fi
+  done
+
+  # Sealed, not initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "false" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "true" ]
+
+  kubectl exec "$(name_prefix)-0" -- vault login ${root}
+
+  local raft_status=$(kubectl exec "$(name_prefix)-0" -- vault operator raft configuration -format=json | 
+    jq -r '.data.config.servers | length')
+  [ "${raft_status}" == "3" ]
+}
+
+setup() {
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance
+}
+
+#cleanup
+teardown() {
+  helm delete vault
+  kubectl delete --all pvc
+  kubectl delete namespace acceptance --ignore-not-found=true
+}
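Review bot: The first unseal call, `kubectl exec -ti vault-0`, hard-codes the pod name while the surrounding calls derive it from `$(name_prefix)`. The pod selector `app.kubernetes.io/name=vault` and `helm delete vault` in `teardown` do the same. If `name_prefix` returns anything other than `vault`, the first pod is never unsealed and the release is left installed. Use `kubectl exec -ti "$(name_prefix)-0" -- vault operator unseal ${token}` and `helm delete "$(name_prefix)"`. The second `# Sealed, not initialized` comment sits above assertions for the opposite state and should read `# Unsealed, initialized`.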
diff --git a/test/unit/server-configmap.bats b/test/unit/server-configmap.bats
index 2aa8856..fe2ac12 100755
--- a/test/unit/server-configmap.bats
+++ b/test/unit/server-configmap.bats
@@ -17,6 +17,14 @@ load _helpers
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
+  local actual=$(helm template \
+      --show-only templates/server-config-configmap.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.ha.raft.enabled=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
   local actual=$(helm template \
       --show-only templates/server-config-configmap.yaml \
       --set 'server.standalone.enabled=true' \
@@ -25,6 +33,28 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
+@test "server/ConfigMap: raft config disabled by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-config-configmap.yaml \
+      --set 'server.ha.enabled=true' \
+      . | tee /dev/stderr |
+      grep "raft" | yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" != "true" ]
+}
+
+@test "server/ConfigMap: raft config can be enabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-config-configmap.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.ha.raft.enabled=true' \
+      . | tee /dev/stderr |
+      grep "raft" | yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+
 @test "server/ConfigMap: disabled by server.dev.enabled true" {
   cd `chart_dir`
   local actual=$( (helm template \
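Review bot: The two raft ConfigMap tests pipe the output of `grep "raft"` into `yq 'length > 0'`, so the result depends on how yq parses whichever lines grep matched rather than on the rendered config. A different matching line, for example one that is not valid YAML on its own, would turn the test into a parse error. Counting matches is more direct: use `grep -c 'storage "raft"'`, expecting `0` by default and a non-zero count when raft is enabled.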
diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats
index 10a9da6..5ce3405 100755
--- a/test/unit/server-dev-statefulset.bats
+++ b/test/unit/server-dev-statefulset.bats
@@ -249,19 +249,19 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[7].name' | tee /dev/stderr)
+     yq -r '.[8].name' | tee /dev/stderr)
   [ "${actual}" = "FOO" ]
 
   local actual=$(echo $object |
-      yq -r '.[7].value' | tee /dev/stderr)
+      yq -r '.[8].value' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
 
   local actual=$(echo $object |
-      yq -r '.[8].name' | tee /dev/stderr)
+      yq -r '.[9].name' | tee /dev/stderr)
   [ "${actual}" = "FOOBAR" ]
 
   local actual=$(echo $object |
-      yq -r '.[8].value' | tee /dev/stderr)
+      yq -r '.[9].value' | tee /dev/stderr)
   [ "${actual}" = "foobar" ]
 }
 
@@ -282,23 +282,23 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-      yq -r '.[6].name' | tee /dev/stderr)
+      yq -r '.[7].name' | tee /dev/stderr)
   [ "${actual}" = "ENV_FOO_0" ]
   local actual=$(echo $object |
-      yq -r '.[6].valueFrom.secretKeyRef.name' | tee /dev/stderr)
+      yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr)
   [ "${actual}" = "secret_name_0" ]
   local actual=$(echo $object |
-      yq -r '.[6].valueFrom.secretKeyRef.key' | tee /dev/stderr)
+      yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr)
   [ "${actual}" = "secret_key_0" ]
 
   local actual=$(echo $object |
-      yq -r '.[7].name' | tee /dev/stderr)
+      yq -r '.[8].name' | tee /dev/stderr)
   [ "${actual}" = "ENV_FOO_1" ]
   local actual=$(echo $object |
-      yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr)
+      yq -r '.[8].valueFrom.secretKeyRef.name' | tee /dev/stderr)
   [ "${actual}" = "secret_name_1" ]
   local actual=$(echo $object |
-      yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr)
+      yq -r '.[8].valueFrom.secretKeyRef.key' | tee /dev/stderr)
   [ "${actual}" = "secret_key_1" ]
 }
 
diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats
index 11c4e93..db2ea6b 100755
--- a/test/unit/server-ha-statefulset.bats
+++ b/test/unit/server-ha-statefulset.bats
@@ -349,19 +349,19 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[6].name' | tee /dev/stderr)
+     yq -r '.[7].name' | tee /dev/stderr)
   [ "${actual}" = "FOO" ]
 
   local actual=$(echo $object |
-      yq -r '.[6].value' | tee /dev/stderr)
+      yq -r '.[7].value' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
 
   local actual=$(echo $object |
-      yq -r '.[7].name' | tee /dev/stderr)
+      yq -r '.[8].name' | tee /dev/stderr)
   [ "${actual}" = "FOOBAR" ]
 
   local actual=$(echo $object |
-      yq -r '.[7].value' | tee /dev/stderr)
+      yq -r '.[8].value' | tee /dev/stderr)
   [ "${actual}" = "foobar" ]
 }
 
@@ -383,23 +383,23 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-      yq -r '.[6].name' | tee /dev/stderr)
+      yq -r '.[7].name' | tee /dev/stderr)
   [ "${actual}" = "ENV_FOO_0" ]
   local actual=$(echo $object |
-      yq -r '.[6].valueFrom.secretKeyRef.name' | tee /dev/stderr)
+      yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr)
   [ "${actual}" = "secret_name_0" ]
   local actual=$(echo $object |
-      yq -r '.[6].valueFrom.secretKeyRef.key' | tee /dev/stderr)
+      yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr)
   [ "${actual}" = "secret_key_0" ]
 
   local actual=$(echo $object |
-      yq -r '.[7].name' | tee /dev/stderr)
+      yq -r '.[8].name' | tee /dev/stderr)
   [ "${actual}" = "ENV_FOO_1" ]
   local actual=$(echo $object |
-      yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr)
+      yq -r '.[8].valueFrom.secretKeyRef.name' | tee /dev/stderr)
   [ "${actual}" = "secret_name_1" ]
   local actual=$(echo $object |
-      yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr)
+      yq -r '.[8].valueFrom.secretKeyRef.key' | tee /dev/stderr)
   [ "${actual}" = "secret_key_1" ]
 }
 
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 1db272a..25d7798 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -384,19 +384,19 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[6].name' | tee /dev/stderr)
+     yq -r '.[7].name' | tee /dev/stderr)
   [ "${actual}" = "FOO" ]
 
   local actual=$(echo $object |
-      yq -r '.[6].value' | tee /dev/stderr)
+      yq -r '.[7].value' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
 
   local actual=$(echo $object |
-      yq -r '.[7].name' | tee /dev/stderr)
+      yq -r '.[8].name' | tee /dev/stderr)
   [ "${actual}" = "FOOBAR" ]
 
   local actual=$(echo $object |
-      yq -r '.[7].value' | tee /dev/stderr)
+      yq -r '.[8].value' | tee /dev/stderr)
   [ "${actual}" = "foobar" ]
 
   local object=$(helm template \
@@ -407,19 +407,19 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[6].name' | tee /dev/stderr)
+     yq -r '.[7].name' | tee /dev/stderr)
   [ "${actual}" = "FOO" ]
 
   local actual=$(echo $object |
-      yq -r '.[6].value' | tee /dev/stderr)
+      yq -r '.[7].value' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
 
   local actual=$(echo $object |
-      yq -r '.[7].name' | tee /dev/stderr)
+      yq -r '.[8].name' | tee /dev/stderr)
   [ "${actual}" = "FOOBAR" ]
 
   local actual=$(echo $object |
-      yq -r '.[7].value' | tee /dev/stderr)
+      yq -r '.[8].value' | tee /dev/stderr)
   [ "${actual}" = "foobar" ]
 }
 
diff --git a/values.yaml b/values.yaml
index e31e40f..50aa6b6 100644
--- a/values.yaml
+++ b/values.yaml
@@ -314,12 +314,35 @@ server:
   ha:
     enabled: false
     replicas: 3
+    
+    # Enables Vault's integrated Raft storage.  Unlike the typical HA modes where 
+    # Vault's persistence is external (such as Consul), enabling Raft mode will create 
+    # persistent volumes for Vault to store data.  The Vault cluster will coordinate leader 
+    # elections and failovers internally.
+    raft:
+      
+      # Enables Raft integrated storage
+      enabled: false
+      config: |
+        ui = true
+        cluster_addr = "https://POD_IP:8201"
+
+        listener "tcp" {
+          tls_disable = 1
+          address = "[::]:8200"
+          cluster_address = "[::]:8201"
+        }
+
+        storage "raft" {
+          path = "/vault/data"
+        }
 
     # config is a raw string of default configuration when using a Stateful
     # deployment. Default is to use a Consul for its HA storage backend.
     # This should be HCL.
     config: |
       ui = true
+      cluster_addr = "https://POD_IP:8201"
 
       listener "tcp" {
         tls_disable = 1
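Review bot: The new `raft.config` default has no comment of its own and ships `tls_disable = 1` on the 8200 listener. API traffic between pods, including the `raft join` and unseal calls that the acceptance test makes over `http://`, is therefore unencrypted out of the box. A comment above `config:` should mirror the one on the non-raft `config`: it is raw HCL, and TLS should be configured on the listener before production use. It should also say whether the literal `POD_IP` in `cluster_addr` is substituted at start-up and how it interacts with the `VAULT_CLUSTER_ADDR` variable that the helper sets in raft mode. The second `config` block continues outside this hunk.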
-- 
GitLab


From 9e0030d70ac0c11df6e64eb577cba84891417e12 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Wed, 18 Mar 2020 15:50:53 -0400
Subject: [PATCH 21/79] changelog++

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0c6a69c..251877b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## Unreleased
 
+Features:
+
+* Added Raft support for HA mode [[GH-228](https://github.com/hashicorp/vault-helm/pull/229)]
+
 Improvements:
 
 * Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)]
-- 
GitLab


From fa13c47858ca89076f84378ff554e205116481d6 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Wed, 18 Mar 2020 21:30:22 -0700
Subject: [PATCH 22/79] Add injector.extraEnvironmentVars (#232)

Allows user-specified environment variables to be set in the injector
deployment.
---
 templates/_helpers.tpl             |  4 ++--
 templates/injector-deployment.yaml |  1 +
 test/unit/injector-deployment.bats | 38 ++++++++++++++++++++++++++++++
 values.yaml                        |  5 ++++
 4 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 5639142..1fd6f3f 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -288,9 +288,9 @@ Inject extra environment vars in the format key:value, if populated
 {{- define "vault.extraEnvironmentVars" -}}
 {{- if .extraEnvironmentVars -}}
 {{- range $key, $value := .extraEnvironmentVars }}
-- name: {{ $key }}
+- name: {{ printf "%s" $key | replace "." "_" | upper | quote }}
   value: {{ $value | quote }}
-{{- end -}}
+{{- end }}
 {{- end -}}
 {{- end -}}
 
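Review bot: Adding `| upper` to the `name` line changes the names of variables that existing users already set. This helper is also included for `.Values.server` in the statefulset, and environment variable names are case-sensitive, so a lower-case key under `server.extraEnvironmentVars` would now reach the container under a different name. Two keys that normalise to the same name (for example `a.b` and `A_B`) would also produce duplicate env entries. If only the dot replacement is needed, `- name: {{ printf "%s" $key | replace "." "_" | quote }}` keeps existing names intact. If upper-casing is intended, it should be recorded in the changelog as a behaviour change.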
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 8f2a53d..378f468 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -64,6 +64,7 @@ spec:
               value: {{ .Values.injector.logFormat | default "standard" }}
             - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
               value: "{{ .Values.injector.revokeOnShutdown | default false }}"
+            {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
           args:
             - agent-inject
             - 2>&1
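Review bot: The added `include "vault.extraEnvironmentVars" .Values.injector` line appends user-supplied entries after the chart's own `env` items, so a key that matches one of them (for example `AGENT_INJECT_REVOKE_ON_SHUTDOWN` two lines up) yields a duplicate name in the list, and as far as I know the later entry is the one the container sees. If overriding chart-managed settings is intended, say so in `values.yaml`; if not, document those names as reserved. With the default empty map the `nindent 12` still emits a whitespace-only line, which is harmless but visible in rendered output. The `env:` list begins above this hunk.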
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index 54b5c1c..e3419cf 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@@ -321,3 +321,41 @@ load _helpers
       yq -r '.[8].value' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+
+#--------------------------------------------------------------------
+# extraEnvironmentVars
+
+@test "injector/deployment: set extraEnvironmentVars" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.extraEnvironmentVars.FOO=bar' \
+      --set 'injector.extraEnvironmentVars.FOOBAR=foobar' \
+      --set 'injector.extraEnvironmentVars.lower\.case=sanitized' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[9].name' | tee /dev/stderr)
+  [ "${actual}" = "FOO" ]
+
+  local actual=$(echo $object |
+      yq -r '.[9].value' | tee /dev/stderr)
+  [ "${actual}" = "bar" ]
+
+  local actual=$(echo $object |
+      yq -r '.[10].name' | tee /dev/stderr)
+  [ "${actual}" = "FOOBAR" ]
+
+  local actual=$(echo $object |
+      yq -r '.[10].value' | tee /dev/stderr)
+  [ "${actual}" = "foobar" ]
+
+  local actual=$(echo $object |
+      yq -r '.[11].name' | tee /dev/stderr)
+  [ "${actual}" = "LOWER_CASE" ]
+
+  local actual=$(echo $object |
+      yq -r '.[11].value' | tee /dev/stderr)
+  [ "${actual}" = "sanitized" ]
+}
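Review bot: The assertions address the rendered `env` list by position (`.[9]`, `.[10]`, `.[11]`), so the test breaks whenever a variable is added or removed ahead of the extra ones, and the failure then points at the wrong entry. Selecting by name keeps the check tied to what is being tested, e.g. `yq -r '.[] | select(.name == "LOWER_CASE") | .value'`. `$object` is also expanded unquoted in `echo $object`; `echo "$object"` avoids relying on word splitting leaving the JSON intact. The `cluster addr renders` test added to test/unit/server-ha-statefulset.bats in PATCH 31 uses `.[7]` the same way.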
diff --git a/values.yaml b/values.yaml
index 50aa6b6..a4aeeea 100644
--- a/values.yaml
+++ b/values.yaml
@@ -81,6 +81,11 @@ injector:
   #     memory: 256Mi
   #     cpu: 250m
 
+  # extraEnvironmentVars is a list of extra enviroment variables to set in the
+  # injector deployment.
+  extraEnvironmentVars: {}
+    # KUBERNETES_SERVICE_HOST: kubernetes.default.svc
+
 server:
   # Resource requests, limits, etc. for the server cluster placement. This
   # should map directly to the value of the resources field for a PodSpec.
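Review bot: The new comment calls `extraEnvironmentVars` a list, but the default is the map `{}` and the helper ranges over it as key/value pairs; "enviroment" is also misspelled. The comment should state the shape and the renaming the helper applies, for instance `# extraEnvironmentVars is a map (name: value) of extra environment variables for the` and `# injector deployment. Names are upper-cased and "." becomes "_".` It is also worth saying that values given here are rendered in plain text into the Deployment manifest, so credentials belong in a Secret reference rather than in this map. The commented example sits indented under `{}`, so uncommenting it as written does not give valid YAML.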
-- 
GitLab


From aeaeaa02fb892814bdcb7c8325fa98d9bf48f430 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Wed, 18 Mar 2020 21:32:45 -0700
Subject: [PATCH 23/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 251877b..2b75ffe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ Improvements:
 
 * Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)]
 * Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)]
+* Option to set environment variables for the injector deployment [[GH-232](https://github.com/hashicorp/vault-helm/pull/232)]
 
 ## 0.4.0 (February 21st, 2020)
 
-- 
GitLab


From 1a8d9de5112d5078ceb7b5faa5dfc215df24c307 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Thu, 19 Mar 2020 22:43:52 -0700
Subject: [PATCH 24/79] Injector scheduler options (#234)

Adds affinity, tolerations, and nodeSelector options for the
injector deployment that are separate from those options on the vault
server statefulset.

Co-authored-by: Sergei Shishov <sergei.shishov@dubizzle.com>
---
 templates/_helpers.tpl             | 30 ++++++++++++++
 templates/injector-deployment.yaml |  3 ++
 test/unit/injector-deployment.bats | 66 ++++++++++++++++++++++++++++++
 test/unit/server-statefulset.bats  | 19 +++++++++
 values.yaml                        | 17 ++++++++
 5 files changed, 135 insertions(+)

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 1fd6f3f..107c173 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -212,6 +212,16 @@ Set's the affinity for pod placement when running in standalone and HA modes.
   {{ end }}
 {{- end -}}
 
+{{/*
+Sets the injector affinity for pod placement
+*/}}
+{{- define "injector.affinity" -}}
+  {{- if .Values.injector.affinity }}
+      affinity:
+        {{ tpl .Values.injector.affinity . | nindent 8 | trim }}
+  {{ end }}
+{{- end -}}
+
 {{/*
 Set's the toleration for pod placement when running in standalone and HA modes.
 */}}
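Review bot: `injector.affinity` pipes `.Values.injector.affinity` straight into `tpl`, which accepts only a string, so a values file that supplies affinity as an ordinary YAML map fails at render time with a type error rather than a message naming the setting; `injector.tolerations` and `injector.nodeselector` in the next two hunks do the same. A guard such as `{{- if kindIs "string" .Values.injector.affinity }}` around the `tpl` call, with `toYaml` in the else branch, would accept both forms. The three helpers are also written slightly differently (`{{ end }}` here against `{{- end }}` in the other two, `nindent 8 | trim` against `indent 8 | trim` in the node selector), so the rendered whitespace differs for no visible reason. Since `tpl` evaluates the value as a template with the full chart context, values files for this chart should be reviewed like template code.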
@@ -222,6 +232,16 @@ Set's the toleration for pod placement when running in standalone and HA modes.
   {{- end }}
 {{- end -}}
 
+{{/*
+Sets the injector toleration for pod placement
+*/}}
+{{- define "injector.tolerations" -}}
+  {{- if .Values.injector.tolerations }}
+      tolerations:
+        {{ tpl .Values.injector.tolerations . | nindent 8 | trim }}
+  {{- end }}
+{{- end -}}
+
 {{/*
 Set's the node selector for pod placement when running in standalone and HA modes.
 */}}
@@ -232,6 +252,16 @@ Set's the node selector for pod placement when running in standalone and HA mode
   {{- end }}
 {{- end -}}
 
+{{/*
+Sets the injector node selector for pod placement
+*/}}
+{{- define "injector.nodeselector" -}}
+  {{- if .Values.injector.nodeSelector }}
+      nodeSelector:
+        {{ tpl .Values.injector.nodeSelector . | indent 8 | trim }}
+  {{- end }}
+{{- end -}}
+
 {{/*
 Sets extra pod annotations
 */}}
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 378f468..4233726 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -24,6 +24,9 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
         component: webhook
     spec:
+      {{ template "injector.affinity" . }}
+      {{ template "injector.tolerations" . }}
+      {{ template "injector.nodeselector" . }}
       serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
       securityContext:
         runAsNonRoot: true
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index e3419cf..033ce7c 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@@ -359,3 +359,69 @@ load _helpers
       yq -r '.[11].value' | tee /dev/stderr)
   [ "${actual}" = "sanitized" ]
 }
+
+#--------------------------------------------------------------------
+# affinity
+
+@test "injector/deployment: affinity not set by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec | .affinity? == null' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "injector/deployment: affinity can be set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.affinity=foobar' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.affinity == "foobar"' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+#--------------------------------------------------------------------
+# tolerations
+
+@test "injector/deployment: tolerations not set by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec | .tolerations? == null' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "injector/deployment: tolerations can be set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.tolerations=foobar' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.tolerations == "foobar"' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+#--------------------------------------------------------------------
+# nodeSelector
+
+@test "injector/deployment: nodeSelector is not set by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.nodeSelector' | tee /dev/stderr)
+  [ "${actual}" = "null" ]
+}
+
+@test "injector/deployment: nodeSelector can be set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-deployment.yaml \
+      --set 'injector.nodeSelector=testing' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr)
+  [ "${actual}" = "testing" ]
+}
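Review bot: The `can be set` tests pass the scalar `foobar` and assert that the field equals that string, which shows the value is passed through but renders a manifest the API server would reject and never exercises the multi-line path (`nindent 8 | trim`) the helpers exist for. A case that feeds a real multi-line value from a values file passed with `-f` and asserts a nested key, such as `.spec.template.spec.tolerations[0].key`, would catch indentation regressions. The `server/standalone-StatefulSet: affinity can be set` test added to test/unit/server-statefulset.bats in this commit has the same limitation.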
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 25d7798..35ebf21 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -561,6 +561,25 @@ load _helpers
   [ "${actual}" = "0" ]
 }
 
+@test "server/standalone-StatefulSet: affinity is set by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.affinity["podAntiAffinity"]? != null' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "server/standalone-StatefulSet: affinity can be set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'server.affinity=foobar' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.affinity == "foobar"' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
 @test "server/standalone-StatefulSet: tolerations not set by default" {
   cd `chart_dir`
   local actual=$(helm template \
diff --git a/values.yaml b/values.yaml
index a4aeeea..9e2c7f5 100644
--- a/values.yaml
+++ b/values.yaml
@@ -86,6 +86,23 @@ injector:
   extraEnvironmentVars: {}
     # KUBERNETES_SERVICE_HOST: kubernetes.default.svc
 
+  # Affinity Settings for injector pods
+  # This should be a multi-line string matching the affinity section of a
+  # PodSpec.
+  affinity: null
+
+  # Toleration Settings for injector pods
+  # This should be a multi-line string matching the Toleration array
+  # in a PodSpec.
+  tolerations: null
+
+  # nodeSelector labels for injector pod assignment, formatted as a muli-line string.
+  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+  # Example:
+  # nodeSelector: |
+  #   beta.kubernetes.io/arch: amd64
+  nodeSelector: null
+
 server:
   # Resource requests, limits, etc. for the server cluster placement. This
   # should map directly to the value of the resources field for a PodSpec.
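Review bot: The comments added for `affinity`, `tolerations` and `nodeSelector` ask for a multi-line string, but only `nodeSelector` shows one, and "muli-line" is misspelled. Because the helpers pass these values through `tpl`, a user who writes them as a YAML map or list gets a render error, so each setting deserves a commented `|` example like the one given for `nodeSelector`. The example label `beta.kubernetes.io/arch` is deprecated in Kubernetes in favour of `kubernetes.io/arch`; I would show the current one.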
-- 
GitLab


From 127b95d6f99b8b3aee04dec2bb38246487b958df Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Thu, 19 Mar 2020 22:45:58 -0700
Subject: [PATCH 25/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2b75ffe..49318fd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ Improvements:
 * Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)]
 * Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)]
 * Option to set environment variables for the injector deployment [[GH-232](https://github.com/hashicorp/vault-helm/pull/232)]
+* Added affinity, tolerations, and nodeSelector options for the injector deployment [[GH-234](https://github.com/hashicorp/vault-helm/pull/234)]
 
 ## 0.4.0 (February 21st, 2020)
 
-- 
GitLab


From 2a37c571d77a528783a9d16a77becc91e21ccab6 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Fri, 20 Mar 2020 08:37:40 -0700
Subject: [PATCH 26/79] Making all annotations multi-line strings (#227)

Annotations for various objects were either multi-line strings or YAML
maps, so this makes them all multi-line strings for
consistency. Also updated the doc comment for namespaceSelector, since
it's being read as a YAML map (toYaml).
---
 templates/_helpers.tpl               | 14 ++++++++++++--
 templates/server-ingress.yaml        |  5 +----
 templates/server-service.yaml        |  2 +-
 test/unit/server-ingress.bats        | 12 ++++++++++++
 test/unit/server-service.bats        |  2 +-
 test/unit/server-serviceaccount.bats |  4 ++--
 test/unit/ui-service.bats            |  4 ++--
 values.yaml                          | 11 ++++++++---
 8 files changed, 39 insertions(+), 15 deletions(-)

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 107c173..866b826 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -278,7 +278,7 @@ Sets extra ui service annotations
 {{- define "vault.ui.annotations" -}}
   {{- if .Values.ui.annotations }}
   annotations:
-    {{- toYaml .Values.ui.annotations | nindent 4 }}
+    {{- tpl .Values.ui.annotations . | nindent 4 }}
   {{- end }}
 {{- end -}}
 
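Review bot: Switching `vault.ui.annotations` from `toYaml` to `tpl` breaks existing values files that set annotations as a map, because `tpl` takes a string only; the same applies to `vault.serviceAccount.annotations` and the new `vault.ingress.annotations` in the next hunk, and to the `tpl` line in templates/server-service.yaml. The test changes in this commit (`ui.annotations.foo=bar` becoming `ui.annotations=foo: bar`) suggest the old form no longer renders. Accepting both keeps upgrades safe: `{{- if kindIs "string" .Values.ui.annotations }}{{ tpl .Values.ui.annotations . | nindent 4 }}{{ else }}{{ toYaml .Values.ui.annotations | nindent 4 }}{{ end }}`. If the break is intended, the changelog entry should call it out as a breaking change.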
@@ -288,7 +288,17 @@ Sets extra service account annotations
 {{- define "vault.serviceAccount.annotations" -}}
   {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }}
   annotations:
-    {{- toYaml .Values.server.serviceAccount.annotations | nindent 4 }}
+    {{- tpl .Values.server.serviceAccount.annotations . | nindent 4 }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+Sets extra ingress annotations
+*/}}
+{{- define "vault.ingress.annotations" -}}
+  {{- if .Values.server.ingress.annotations }}
+  annotations:
+    {{- tpl .Values.server.ingress.annotations . | nindent 4 }}
   {{- end }}
 {{- end -}}
 
diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml
index 8786d97..32755f3 100644
--- a/templates/server-ingress.yaml
+++ b/templates/server-ingress.yaml
@@ -16,10 +16,7 @@ metadata:
     {{- with .Values.server.ingress.labels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
-  {{- with .Values.server.ingress.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
+  {{- template "vault.ingress.annotations" . }}
 spec:
 {{- if .Values.server.ingress.tls }}
   tls:
diff --git a/templates/server-service.yaml b/templates/server-service.yaml
index dc633c6..68a06fb 100644
--- a/templates/server-service.yaml
+++ b/templates/server-service.yaml
@@ -18,7 +18,7 @@ metadata:
     # https://github.com/kubernetes/kubernetes/issues/58662
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 {{- if .Values.server.service.annotations }}
-{{ toYaml .Values.server.service.annotations | indent 4 }}
+{{ tpl .Values.server.service.annotations . | indent 4 }}
 {{- end }}
 spec:
   {{- if .Values.server.service.type}}
diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats
index 850ad4c..9f54e5c 100755
--- a/test/unit/server-ingress.bats
+++ b/test/unit/server-ingress.bats
@@ -69,3 +69,15 @@ load _helpers
       yq -r '.metadata.labels.traffic' | tee /dev/stderr)
   [ "${actual}" = "external" ]
 }
+
+@test "server/ingress: annotations added to object" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-ingress.yaml \
+      --set 'server.ingress.enabled=true' \
+      --set 'server.ingress.annotations=kubernetes.io/ingress.class: nginx' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["kubernetes.io/ingress.class"]' | tee /dev/stderr)
+  [ "${actual}" = "nginx" ]
+}
diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats
index 059a1d3..e3ae0f2 100755
--- a/test/unit/server-service.bats
+++ b/test/unit/server-service.bats
@@ -173,7 +173,7 @@ load _helpers
   cd `chart_dir`
   local actual=$(helm template \
       --show-only templates/server-service.yaml \
-      --set 'server.service.annotations.vaultIsAwesome=true' \
+      --set 'server.service.annotations=vaultIsAwesome: true' \
       . | tee /dev/stderr |
       yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
   [ "${actual}" = "true" ]
diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats
index d72de5d..5b8744a 100755
--- a/test/unit/server-serviceaccount.bats
+++ b/test/unit/server-serviceaccount.bats
@@ -7,7 +7,7 @@ load _helpers
   local actual=$(helm template \
       --show-only templates/server-serviceaccount.yaml  \
       --set 'server.dev.enabled=true' \
-      --set 'server.serviceAccount.annotations.foo=bar' \
+      --set 'server.serviceAccount.annotations=foo: bar' \
       . | tee /dev/stderr |
       yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
   [ "${actual}" = "null" ]
@@ -15,7 +15,7 @@ load _helpers
   local actual=$(helm template \
       --show-only templates/server-serviceaccount.yaml  \
       --set 'server.ha.enabled=true' \
-      --set 'server.serviceAccount.annotations.foo=bar' \
+      --set 'server.serviceAccount.annotations=foo: bar' \
       . | tee /dev/stderr |
       yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats
index 59f1818..46cfa88 100755
--- a/test/unit/ui-service.bats
+++ b/test/unit/ui-service.bats
@@ -190,7 +190,7 @@ load _helpers
       --set 'server.dev.enabled=true' \
       --set 'ui.serviceType=LoadBalancer' \
       --set 'ui.enabled=true' \
-      --set 'ui.annotations.foo=bar' \
+      --set 'ui.annotations=foo: bar' \
       . | tee /dev/stderr |
       yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
@@ -200,7 +200,7 @@ load _helpers
       --set 'server.ha.enabled=true' \
       --set 'ui.serviceType=LoadBalancer' \
       --set 'ui.enabled=true' \
-      --set 'ui.annotations.foo=bar' \
+      --set 'ui.annotations=foo: bar' \
       . | tee /dev/stderr |
       yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
diff --git a/values.yaml b/values.yaml
index 9e2c7f5..1616394 100644
--- a/values.yaml
+++ b/values.yaml
@@ -45,11 +45,11 @@ injector:
   revokeOnShutdown: false
 
   # namespaceSelector is the selector for restricting the webhook to only
-  # specific namespaces. This should be set to a multiline string.
+  # specific namespaces.
   # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
   # for more details.
   # Example:
-  # namespaceSelector: |
+  # namespaceSelector:
   #    matchLabels:
   #      sidecar-injector: enabled
   namespaceSelector: {}
@@ -134,6 +134,7 @@ server:
     labels: {}
       # traffic: external
     annotations: {}
+      # |
       # kubernetes.io/ingress.class: nginx
       # kubernetes.io/tls-acme: "true"
     hosts:
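Review bot: The added `# |` line documents a block-scalar string, yet the default on the line above is still the map `annotations: {}`, and uncommenting the example as it stands leaves `{}` followed by indented text, which does not parse. Showing the whole setting in the comment avoids that, e.g. `# annotations: |` followed by `#   kubernetes.io/ingress.class: nginx`. The `server.service.annotations` and `server.serviceAccount.annotations` hunks below describe a multi-line string in the same way while keeping `{}` as the default, so the same example would help there.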
@@ -256,7 +257,8 @@ server:
     port: 8200
     # Target port to which the service should be mapped to
     targetPort: 8200
-    # Extra annotations for the service definition
+    # Extra annotations for the service definition. This should be a multi-line
+    # string formatted as a map of the annotations to apply to the service.
     annotations: {}
 
   # This configures the Vault Statefulset to create a PVC for data
@@ -397,6 +399,9 @@ server:
 
   # Definition of the serviceAccount used to run Vault.
   serviceAccount:
+    # Extra annotations for the serviceAccount definition. This should be a
+    # multi-line string formatted as a map of the annotations to apply to the
+    # serviceAccount.
     annotations: {}
 
 # Vault UI
-- 
GitLab


From 04df47159d986c59510c775cafcac479f09051fb Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Fri, 20 Mar 2020 08:39:56 -0700
Subject: [PATCH 27/79] Update CHANGELOG.md

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 49318fd..a4e8acb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ Improvements:
 * Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)]
 * Option to set environment variables for the injector deployment [[GH-232](https://github.com/hashicorp/vault-helm/pull/232)]
 * Added affinity, tolerations, and nodeSelector options for the injector deployment [[GH-234](https://github.com/hashicorp/vault-helm/pull/234)]
+* Made all annotations multi-line strings [[GH-227](https://github.com/hashicorp/vault-helm/pull/227)]
 
 ## 0.4.0 (February 21st, 2020)
 
-- 
GitLab


From 0550623c219dcd3ffc339fe3e1f16df78852d99b Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Fri, 20 Mar 2020 10:54:32 -0700
Subject: [PATCH 28/79] Fix server-headless-service annotations (#236)

`Values.server.service.annotations` are now being treated as multi-line
strings, to match the other annotations in the chart, and to support
templating within the annotations.
---
 templates/server-headless-service.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml
index 80a94a3..b9069d8 100644
--- a/templates/server-headless-service.yaml
+++ b/templates/server-headless-service.yaml
@@ -15,7 +15,7 @@ metadata:
   annotations:
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 {{- if .Values.server.service.annotations }}
-{{ toYaml .Values.server.service.annotations | indent 4 }}
+{{ tpl .Values.server.service.annotations . | indent 4 }}
 {{- end }}
 spec:
   clusterIP: None
-- 
GitLab


From d57bd7cb6e93d8a441328ced9b3d265c7e2e5fd3 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Mon, 23 Mar 2020 12:10:47 -0400
Subject: [PATCH 29/79] Fix bug with api server env (#237)

---
 templates/server-statefulset.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 5b4752b..d2b2ac1 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -71,7 +71,7 @@ spec:
             - name: VAULT_ADDR
               value: "{{ include "vault.scheme" . }}://127.0.0.1:8200"
             - name: VAULT_API_ADDR
-              value: "{{ include "vault.scheme" . }}-internal://$(POD_IP):8200"
+              value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
             - name: SKIP_CHOWN
               value: "true"
             - name: SKIP_SETCAP
-- 
GitLab


From ac64feb0eb4337343cec2411af8c911b9ae07bda Mon Sep 17 00:00:00 2001
From: Daniel Mittelman <daniel@monday.com>
Date: Thu, 26 Mar 2020 16:15:08 +0200
Subject: [PATCH 30/79] Clarified documentation about Raft PV creation (#239)

---
 values.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/values.yaml b/values.yaml
index 1616394..9e0326a 100644
--- a/values.yaml
+++ b/values.yaml
@@ -262,7 +262,7 @@ server:
     annotations: {}
 
   # This configures the Vault Statefulset to create a PVC for data
-  # storage when using the file backend.
+  # storage when using the file or raft backend storage engines.
   # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more
   dataStorage:
     enabled: true
@@ -341,8 +341,8 @@ server:
     
     # Enables Vault's integrated Raft storage.  Unlike the typical HA modes where 
     # Vault's persistence is external (such as Consul), enabling Raft mode will create 
-    # persistent volumes for Vault to store data.  The Vault cluster will coordinate leader 
-    # elections and failovers internally.
+    # persistent volumes for Vault to store data according to the configuration under server.dataStorage.
+    # The Vault cluster will coordinate leader elections and failovers internally.
     raft:
       
       # Enables Raft integrated storage
-- 
GitLab


From e97f4a579f1bf44cc66d8295573bb01b7d1ff61f Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Thu, 26 Mar 2020 17:19:26 -0400
Subject: [PATCH 31/79] Fix hardcoded service name in raft enfv (#240)

---
 templates/_helpers.tpl               |  2 +-
 test/unit/server-ha-statefulset.bats | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 866b826..9a22038 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -135,7 +135,7 @@ Set's additional environment variables based on the mode.
   {{ end }}
   {{ if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
             - name: VAULT_CLUSTER_ADDR
-              value: "https://$(HOSTNAME).vault-internal:8201"
+              value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
   {{ end }}
 {{- end -}}
 
diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats
index db2ea6b..8e19ae0 100755
--- a/test/unit/server-ha-statefulset.bats
+++ b/test/unit/server-ha-statefulset.bats
@@ -403,6 +403,28 @@ load _helpers
   [ "${actual}" = "secret_key_1" ]
 }
 
+
+#--------------------------------------------------------------------
+# VAULT_CLUSTER_ADDR renders
+
+@test "server/ha-StatefulSet: cluster addr renders" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'server.ha.raft.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+  
+  local actual=$(echo $object |
+     yq -r '.[7].name' | tee /dev/stderr)
+  [ "${actual}" = "VAULT_CLUSTER_ADDR" ]
+
+  local actual=$(echo $object |
+     yq -r '.[7].value' | tee /dev/stderr)
+  [ "${actual}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ]
+}
+
 #--------------------------------------------------------------------
 # storage class
 
-- 
GitLab


From 2b137c95d2e04fb0ddabb0f94fdd58a7ecf0e5e0 Mon Sep 17 00:00:00 2001
From: Luiz Muller <contact@luizm.dev>
Date: Fri, 3 Apr 2020 21:47:33 -0300
Subject: [PATCH 32/79] fix link to documentation (#247)

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c6071b7..81409de 100644
--- a/README.md
+++ b/README.md
@@ -35,4 +35,4 @@ then be installed directly:
 
 Please see the many options supported in the `values.yaml`
 file. These are also fully documented directly on the
-[Vault website](https://www.vaultproject.io/docs/platform/k8s/helm.html).
+[Vault website](https://www.vaultproject.io/docs/platform/k8s/helm).
-- 
GitLab


From 6d5a2174d85a8ce9790e786b7fc0e44283e93caf Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Thu, 9 Apr 2020 09:26:58 -0400
Subject: [PATCH 33/79] Add Vault Helm ent support, service discovery (#250)

* Add Vault Helm ent support, service discovery

* Fix unit test

* Update test/acceptance/server-ha-enterprise-dr.bats

Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>

* Update test/acceptance/server-ha-enterprise-dr.bats

Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>

* Update test/acceptance/server-ha-enterprise-perf.bats

Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>

* Update test/acceptance/server-ha-enterprise-perf.bats

Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>

* Update values.yaml

Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
---
 templates/_helpers.tpl                        |   4 -
 templates/server-discovery-role.yaml          |  19 ++
 templates/server-discovery-rolebinding.yaml   |  23 +++
 templates/server-ha-active-service.yaml       |  35 ++++
 templates/server-ha-standby-service.yaml      |  35 ++++
 templates/server-statefulset.yaml             |  10 ++
 test/acceptance/injector.bats                 |  17 +-
 test/acceptance/server-dev.bats               |  11 +-
 test/acceptance/server-ha-enterprise-dr.bats  | 167 ++++++++++++++++++
 .../acceptance/server-ha-enterprise-perf.bats | 165 +++++++++++++++++
 test/acceptance/server-ha-raft.bats           |  11 +-
 test/acceptance/server-ha.bats                |  11 +-
 test/acceptance/server.bats                   |  11 +-
 test/unit/server-dev-statefulset.bats         |  20 +--
 test/unit/server-ha-statefulset.bats          |  32 ++--
 test/unit/server-statefulset.bats             |  16 +-
 values.yaml                                   |   7 +-
 17 files changed, 530 insertions(+), 64 deletions(-)
 create mode 100644 templates/server-discovery-role.yaml
 create mode 100644 templates/server-discovery-rolebinding.yaml
 create mode 100644 templates/server-ha-active-service.yaml
 create mode 100644 templates/server-ha-standby-service.yaml
 create mode 100644 test/acceptance/server-ha-enterprise-dr.bats
 create mode 100644 test/acceptance/server-ha-enterprise-perf.bats

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 9a22038..89d23d8 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -133,10 +133,6 @@ Set's additional environment variables based on the mode.
             - name: VAULT_DEV_ROOT_TOKEN_ID
               value: "root"
   {{ end }}
-  {{ if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
-            - name: VAULT_CLUSTER_ADDR
-              value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
-  {{ end }}
 {{- end -}}
 
 {{/*
diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml
new file mode 100644
index 0000000..4a39cec
--- /dev/null
+++ b/templates/server-discovery-role.yaml
@@ -0,0 +1,19 @@
+{{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
+{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ template "vault.fullname" . }}-discovery-role
+  labels:
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "watch", "list", "update", "patch"]
+{{ end }}
+{{ end }}
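Review bot: The Role grants `update` and `patch` on every pod in the release namespace, not only the Vault pods, so anything holding the Vault service account token can change labels on unrelated workloads there, and the active Service added in this commit routes by the `vault-active` label. RBAC cannot scope a rule by label, so the practical mitigations are to install the chart in a namespace of its own and to drop verbs that are not needed; whether `watch` and `list` are required for service registration should be confirmed, and if not the rule becomes `verbs: ["get", "update", "patch"]`. The Role is also rendered for every HA install whether or not service registration is configured, so a values switch would let operators opt out. A comment above `rules:` stating why pod write access is needed would help anyone auditing the rendered manifest.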
diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml
new file mode 100644
index 0000000..f9494b4
--- /dev/null
+++ b/templates/server-discovery-rolebinding.yaml
@@ -0,0 +1,23 @@
+{{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
+{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: {{ template "vault.fullname" . }}-discovery-rolebinding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "vault.fullname" . }}-discovery-role
+subjects:
+- kind: ServiceAccount
+  name: {{ template "vault.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+{{ end }}
+{{ end }}
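Review bot: The RoleBinding uses `apiVersion: rbac.authorization.k8s.io/v1beta1` while the Role it binds, added in this same commit, uses `rbac.authorization.k8s.io/v1`; the beta group is deprecated, so this should be `apiVersion: rbac.authorization.k8s.io/v1`. The subject name is fixed to `{{ template "vault.fullname" . }}`, which assumes the server's ServiceAccount always carries that name. If the chart lets the account name be overridden elsewhere, the binding would silently point at an account the pods do not use, so that is worth checking against the serviceaccount template, which is not part of this hunk.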
diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml
new file mode 100644
index 0000000..1af8520
--- /dev/null
+++ b/templates/server-ha-active-service.yaml
@@ -0,0 +1,35 @@
+{{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
+{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }}
+# Service for active Vault pod
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "vault.fullname" . }}-active
+  namespace: {{ .Release.Namespace }}
+  labels:
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  annotations:
+{{- if .Values.server.service.annotations }}
+{{ toYaml .Values.server.service.annotations | indent 4 }}
+{{- end }}
+spec:
+  type: ClusterIP
+  publishNotReadyAddresses: true
+  ports:
+    - name: http
+      port: 8200
+      targetPort: 8200
+    - name: internal
+      port: 8201
+      targetPort: 8201
+  selector:
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    component: server
+    vault-active: "true"
+{{- end }}
+{{- end }}
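Review bot: `annotations:` is emitted outside the `if .Values.server.service.annotations` guard, so with no annotations configured the manifest renders a bare `annotations:` key with a null value. Moving the key inside the guard keeps the output clean: `{{- if .Values.server.service.annotations }}`, then `  annotations:`, then the existing `toYaml … | indent 4` line. The same pattern appears in `server-ha-standby-service.yaml`. Separately, `publishNotReadyAddresses: true` deserves a one-line comment explaining why not-ready pods are published, since readiness no longer gates traffic on this Service and only the `vault-active` label does.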
diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml
new file mode 100644
index 0000000..2dd7522
--- /dev/null
+++ b/templates/server-ha-standby-service.yaml
@@ -0,0 +1,35 @@
+{{ template "vault.mode" . }}
+{{- if ne .mode "external" }}
+{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }}
+# Service for active Vault pod
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "vault.fullname" . }}-standby
+  namespace: {{ .Release.Namespace }}
+  labels:
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  annotations:
+{{- if .Values.server.service.annotations }}
+{{ toYaml .Values.server.service.annotations | indent 4 }}
+{{- end }}
+spec:
+  type: ClusterIP
+  publishNotReadyAddresses: true
+  ports:
+    - name: http
+      port: 8200
+      targetPort: 8200
+    - name: internal
+      port: 8201
+      targetPort: 8201
+  selector:
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    component: server
+    vault-active: "false"
+{{- end }}
+{{- end }}
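Review bot: The header comment `# Service for active Vault pod` was copied from the active Service, but this manifest is named `-standby` and selects `vault-active: "false"`. It should read `# Service for standby Vault pods`. Because `publishNotReadyAddresses` is true, any pod carrying that label is published regardless of readiness, which is worth stating in the same comment.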
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index d2b2ac1..255a844 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -68,6 +68,14 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: status.podIP
+            - name: VAULT_K8S_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: VAULT_K8S_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
             - name: VAULT_ADDR
               value: "{{ include "vault.scheme" . }}://127.0.0.1:8200"
             - name: VAULT_API_ADDR
@@ -80,6 +88,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.name
+            - name: VAULT_CLUSTER_ADDR
+              value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
             {{ template "vault.envs" . }}
             {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
             {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
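Review bot: Setting `VAULT_CLUSTER_ADDR` in the pod env can silently override a `cluster_addr` that users keep in their own `config`, because this commit only removes `cluster_addr` from the chart's default configs in `values.yaml`. As far as I know Vault gives the environment variable precedence over the config file, so this is a behaviour change on upgrade that should be confirmed. The value also relies on `HOSTNAME` being defined earlier in the `env` list for `$(HOSTNAME)` to expand, and the entry that presumably defines it starts above this hunk. A comment such as `# Overrides cluster_addr from the config file; relies on HOSTNAME defined above`, plus a changelog line, would cover both.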
diff --git a/test/acceptance/injector.bats b/test/acceptance/injector.bats
index 2fdb7a5..e7fb393 100644
--- a/test/acceptance/injector.bats
+++ b/test/acceptance/injector.bats
@@ -45,11 +45,14 @@ load _helpers
 
 # Clean up
 teardown() {
-  echo "helm/pvc teardown"
-  helm delete vault
-  kubectl delete --all pvc
-  kubectl delete secret test 
-  kubectl delete job pgdump
-  kubectl delete deployment postgres
-  kubectl delete namespace acceptance
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      echo "helm/pvc teardown"
+      helm delete vault
+      kubectl delete --all pvc
+      kubectl delete secret test 
+      kubectl delete job pgdump
+      kubectl delete deployment postgres
+      kubectl delete namespace acceptance
+  fi
 }
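Review bot: The new `CLEANUP` switch is undocumented, and the same guard is pasted into `teardown()` in `server-dev.bats`, `server-ha-raft.bats`, `server-ha.bats`, `server.bats` and both new enterprise tests. A comment above the `if` such as `# Set CLEANUP=false to keep the release and namespace for debugging` would explain it, and a shared function in `_helpers` would keep the copies from drifting. With `CLEANUP=false` the test Vault, along with any unseal keys and root tokens that appeared in the test output, stays live in the `acceptance` namespace until the next run or a manual delete.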
diff --git a/test/acceptance/server-dev.bats b/test/acceptance/server-dev.bats
index 05f3661..ffda946 100644
--- a/test/acceptance/server-dev.bats
+++ b/test/acceptance/server-dev.bats
@@ -54,8 +54,11 @@ load _helpers
 
 # Clean up
 teardown() {
-  echo "helm/pvc teardown"
-  helm delete vault
-  kubectl delete --all pvc
-  kubectl delete namespace acceptance --ignore-not-found=true
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      echo "helm/pvc teardown"
+      helm delete vault
+      kubectl delete --all pvc
+      kubectl delete namespace acceptance --ignore-not-found=true
+  fi
 }
diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats
new file mode 100644
index 0000000..35348e3
--- /dev/null
+++ b/test/acceptance/server-ha-enterprise-dr.bats
@@ -0,0 +1,167 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/ha-enterprise-raft: testing DR deployment" {
+  cd `chart_dir`
+
+  helm install "$(name_prefix)-east" \
+    --set='server.image.repository=hashicorp/vault-enterprise' \
+    --set='server.image.tag=1.4.0_ent' \
+    --set='injector.enabled=false' \
+    --set='server.ha.enabled=true' \
+    --set='server.ha.raft.enabled=true' .
+  wait_for_running "$(name_prefix)-east-0"
+
+  # Sealed, not initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "true" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "false" ]
+
+  # Vault Init
+  local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \
+    vault operator init -format=json -n 1 -t 1)
+
+  local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
+  [ "${primary_token}" != "" ]
+  
+  local primary_root=$(echo ${init} | jq -r '.root_token')
+  [ "${primary_root}" != "" ]
+
+  kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token}
+  wait_for_ready "$(name_prefix)-east-0"
+
+  sleep 10
+
+  # Vault Unseal
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      if [[ ${pod?} != "$(name_prefix)-east-0" ]]
+      then
+          kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200
+          kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
+          wait_for_ready "${pod}"
+      fi
+  done
+
+  # Sealed, not initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "false" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "true" ]
+
+  kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root}
+
+  local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json | 
+    jq -r '.data.config.servers | length')
+  [ "${raft_status}" == "3" ]
+
+  kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/dr/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201
+
+  local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/dr/primary/secondary-token id=secondary -format=json)
+  [ "${secondary}" != "" ]
+
+  local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token')
+  [ "${secondary_replica_token}" != "" ]
+
+  # Install vault-west
+  helm install "$(name_prefix)-west" \
+    --set='injector.enabled=false' \
+    --set='server.image.repository=hashicorp/vault-enterprise' \
+    --set='server.image.tag=1.4.0_ent' \
+    --set='server.ha.enabled=true' \
+    --set='server.ha.raft.enabled=true' .
+  wait_for_running "$(name_prefix)-west-0"
+
+  # Sealed, not initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "true" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "false" ]
+
+  # Vault Init
+  local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \
+    vault operator init -format=json -n 1 -t 1)
+
+  local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
+  [ "${secondary_token}" != "" ]
+
+  local secondary_root=$(echo ${init} | jq -r '.root_token')
+  [ "${secondary_root}" != "" ]
+
+  kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token}
+  wait_for_ready "$(name_prefix)-west-0"
+
+  sleep 10
+
+  # Vault Unseal
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      if [[ ${pod?} != "$(name_prefix)-west-0" ]]
+      then
+          kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200
+          kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token}
+          wait_for_ready "${pod}"
+      fi
+  done
+
+  # Sealed, not initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "false" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "true" ]
+
+  kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root}
+
+  local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json |
+    jq -r '.data.config.servers | length')
+  [ "${raft_status}" == "3" ]
+
+  kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/dr/secondary/enable token=${secondary_replica_token}
+
+  sleep 10
+
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      if [[ ${pod?} != "$(name_prefix)-west-0" ]]
+      then
+          kubectl delete pod "${pod?}"
+          wait_for_running "${pod?}"
+          kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
+          wait_for_ready "${pod}"
+      fi
+  done
+}
+
+setup() {
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance
+}
+
+#cleanup
+teardown() {
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+	  helm delete vault-east
+	  helm delete vault-west
+	  kubectl delete --all pvc
+	  kubectl delete namespace acceptance --ignore-not-found=true
+  fi
+}
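Review bot: The unseal key and root token are expanded unquoted onto `kubectl exec` command lines (`vault operator unseal ${primary_token}`, `vault login ${primary_root}`), and several calls whose output is captured with `$(...)` also pass `-ti`. Allocating a TTY for captured output can fail or inject carriage returns when the suite runs without a terminal, which would break the `jq` parsing of `init` and `secondary`. Drop `-ti` on the captured calls, e.g. `local init=$(kubectl exec "$(name_prefix)-east-0" -- vault operator init -format=json -n 1 -t 1)`, and quote the expansions, e.g. `vault operator unseal "${primary_token}"`. The comments `# Sealed, not initialized` before the post-unseal checks assert the opposite and should read `# Unsealed and initialized`. `server-ha-enterprise-perf.bats` has the same lines.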
diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats
new file mode 100644
index 0000000..6543663
--- /dev/null
+++ b/test/acceptance/server-ha-enterprise-perf.bats
@@ -0,0 +1,165 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/ha-enterprise-raft: testing performance replica deployment" {
+  cd `chart_dir`
+
+  helm install "$(name_prefix)-east" \
+    --set='injector.enabled=false' \
+    --set='server.image.repository=hashicorp/vault-enterprise' \
+    --set='server.image.tag=1.4.0_ent' \
+    --set='server.ha.enabled=true' \
+    --set='server.ha.raft.enabled=true' .
+  wait_for_running "$(name_prefix)-east-0"
+
+  # Sealed, not initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "true" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "false" ]
+
+  # Vault Init
+  local init=$(kubectl exec -ti "$(name_prefix)-east-0" -- \
+    vault operator init -format=json -n 1 -t 1)
+
+  local primary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
+  [ "${primary_token}" != "" ]
+  
+  local primary_root=$(echo ${init} | jq -r '.root_token')
+  [ "${primary_root}" != "" ]
+
+  kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token}
+  wait_for_ready "$(name_prefix)-east-0"
+
+  sleep 10
+
+  # Vault Unseal
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      if [[ ${pod?} != "$(name_prefix)-east-0" ]]
+      then
+          kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-east-0.$(name_prefix)-east-internal:8200
+          kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
+          wait_for_ready "${pod}"
+      fi
+  done
+
+  # Sealed, not initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "false" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "true" ]
+
+  kubectl exec "$(name_prefix)-east-0" -- vault login ${primary_root}
+
+  local raft_status=$(kubectl exec "$(name_prefix)-east-0" -- vault operator raft list-peers -format=json | 
+    jq -r '.data.config.servers | length')
+  [ "${raft_status}" == "3" ]
+
+  kubectl exec -ti $(name_prefix)-east-0 -- vault write -f sys/replication/performance/primary/enable primary_cluster_addr=https://$(name_prefix)-east-active:8201
+
+  local secondary=$(kubectl exec -ti "$(name_prefix)-east-0" -- vault write sys/replication/performance/primary/secondary-token id=secondary -format=json)
+  [ "${secondary}" != "" ]
+
+  local secondary_replica_token=$(echo ${secondary} | jq -r '.wrap_info.token')
+  [ "${secondary_replica_token}" != "" ]
+
+  # Install vault-west
+  helm install "$(name_prefix)-west" \
+    --set='injector.enabled=false' \
+    --set='server.image.repository=hashicorp/vault-enterprise' \
+    --set='server.image.tag=1.4.0_ent' \
+    --set='server.ha.enabled=true' \
+    --set='server.ha.raft.enabled=true' .
+  wait_for_running "$(name_prefix)-west-0"
+
+  # Sealed, not initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "true" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "false" ]
+
+  # Vault Init
+  local init=$(kubectl exec -ti "$(name_prefix)-west-0" -- \
+    vault operator init -format=json -n 1 -t 1)
+
+  local secondary_token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
+  [ "${secondary_token}" != "" ]
+
+  local secondary_root=$(echo ${init} | jq -r '.root_token')
+  [ "${secondary_root}" != "" ]
+
+  kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token}
+  wait_for_ready "$(name_prefix)-west-0"
+
+  sleep 10
+
+  # Vault Unseal
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      if [[ ${pod?} != "$(name_prefix)-west-0" ]]
+      then
+          kubectl exec -ti ${pod} -- vault operator raft join http://$(name_prefix)-west-0.$(name_prefix)-west-internal:8200
+          kubectl exec -ti ${pod} -- vault operator unseal ${secondary_token}
+          wait_for_ready "${pod}"
+      fi
+  done
+
+  # Sealed, not initialized
+  local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
+    jq -r '.sealed' )
+  [ "${sealed_status}" == "false" ]
+
+  local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json |
+    jq -r '.initialized')
+  [ "${init_status}" == "true" ]
+
+  kubectl exec "$(name_prefix)-west-0" -- vault login ${secondary_root}
+
+  local raft_status=$(kubectl exec "$(name_prefix)-west-0" -- vault operator raft list-peers -format=json |
+    jq -r '.data.config.servers | length')
+  [ "${raft_status}" == "3" ]
+
+  kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/performance/secondary/enable token=${secondary_replica_token}
+
+  sleep 10
+
+  local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
+  for pod in "${pods[@]}"
+  do
+      if [[ ${pod?} != "$(name_prefix)-west-0" ]]
+      then
+          kubectl exec -ti ${pod} -- vault operator unseal ${primary_token}
+          wait_for_ready "${pod}"
+      fi
+  done
+}
+
+setup() {
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance
+}
+
+#cleanup
+teardown() {
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      helm delete vault-east
+      helm delete vault-west
+      kubectl delete --all pvc
+      kubectl delete namespace acceptance --ignore-not-found=true
+  fi
+}
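Review bot: Pod selection and teardown hard-code release names instead of deriving them from `name_prefix`: the first unseal loop uses `app.kubernetes.io/name=vault`, the later loops use `app.kubernetes.io/instance=vault-west`, and `teardown()` deletes `vault-east` and `vault-west`. If `name_prefix` returns anything other than `vault` (its definition is in `_helpers`, not shown here), the loops select nothing and the raft peer-count assertion fails for an unrelated reason. Use `--selector="app.kubernetes.io/instance=$(name_prefix)-east"` and `helm delete "$(name_prefix)-east"`, with the `-west` equivalents. `server-ha-enterprise-dr.bats` has the same lines.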
diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats
index 17951b8..a411f3c 100644
--- a/test/acceptance/server-ha-raft.bats
+++ b/test/acceptance/server-ha-raft.bats
@@ -102,7 +102,7 @@ load _helpers
 
   kubectl exec "$(name_prefix)-0" -- vault login ${root}
 
-  local raft_status=$(kubectl exec "$(name_prefix)-0" -- vault operator raft configuration -format=json | 
+  local raft_status=$(kubectl exec "$(name_prefix)-0" -- vault operator raft list-peers -format=json | 
     jq -r '.data.config.servers | length')
   [ "${raft_status}" == "3" ]
 }
@@ -115,7 +115,10 @@ setup() {
 
 #cleanup
 teardown() {
-  helm delete vault
-  kubectl delete --all pvc
-  kubectl delete namespace acceptance --ignore-not-found=true
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      helm delete vault
+      kubectl delete --all pvc
+      kubectl delete namespace acceptance --ignore-not-found=true
+  fi
 }
diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats
index f29e31f..74a3c11 100644
--- a/test/acceptance/server-ha.bats
+++ b/test/acceptance/server-ha.bats
@@ -103,8 +103,11 @@ setup() {
 
 #cleanup
 teardown() {
-  helm delete vault
-  helm delete consul
-  kubectl delete --all pvc
-  kubectl delete namespace acceptance --ignore-not-found=true
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      helm delete vault
+      helm delete consul
+      kubectl delete --all pvc
+      kubectl delete namespace acceptance --ignore-not-found=true
+  fi
 }
diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats
index d8edbd5..beb2fa2 100644
--- a/test/acceptance/server.bats
+++ b/test/acceptance/server.bats
@@ -111,8 +111,11 @@ load _helpers
 
 # Clean up
 teardown() {
-  echo "helm/pvc teardown"
-  helm delete vault
-  kubectl delete --all pvc
-  kubectl delete namespace acceptance --ignore-not-found=true
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      echo "helm/pvc teardown"
+      helm delete vault
+      kubectl delete --all pvc
+      kubectl delete namespace acceptance --ignore-not-found=true
+  fi
 }
diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats
index 5ce3405..3b38eab 100755
--- a/test/unit/server-dev-statefulset.bats
+++ b/test/unit/server-dev-statefulset.bats
@@ -249,19 +249,19 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[8].name' | tee /dev/stderr)
+     yq -r '.[11].name' | tee /dev/stderr)
   [ "${actual}" = "FOO" ]
 
   local actual=$(echo $object |
-      yq -r '.[8].value' | tee /dev/stderr)
+      yq -r '.[11].value' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
 
   local actual=$(echo $object |
-      yq -r '.[9].name' | tee /dev/stderr)
+      yq -r '.[12].name' | tee /dev/stderr)
   [ "${actual}" = "FOOBAR" ]
 
   local actual=$(echo $object |
-      yq -r '.[9].value' | tee /dev/stderr)
+      yq -r '.[12].value' | tee /dev/stderr)
   [ "${actual}" = "foobar" ]
 }
 
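Review bot: Addressing `env` entries by position (`.[11].name`) is brittle, which is why this commit has to renumber the indices here and in `server-ha-statefulset.bats` and `server-statefulset.bats` after adding three variables to the template. Selecting by name makes the tests independent of ordering, e.g. `yq -r '.[] | select(.name == "FOO") | .value'` compared against `bar`. The test body starts above this hunk.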
@@ -282,23 +282,23 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-      yq -r '.[7].name' | tee /dev/stderr)
+      yq -r '.[10].name' | tee /dev/stderr)
   [ "${actual}" = "ENV_FOO_0" ]
   local actual=$(echo $object |
-      yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr)
+      yq -r '.[10].valueFrom.secretKeyRef.name' | tee /dev/stderr)
   [ "${actual}" = "secret_name_0" ]
   local actual=$(echo $object |
-      yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr)
+      yq -r '.[10].valueFrom.secretKeyRef.key' | tee /dev/stderr)
   [ "${actual}" = "secret_key_0" ]
 
   local actual=$(echo $object |
-      yq -r '.[8].name' | tee /dev/stderr)
+      yq -r '.[11].name' | tee /dev/stderr)
   [ "${actual}" = "ENV_FOO_1" ]
   local actual=$(echo $object |
-      yq -r '.[8].valueFrom.secretKeyRef.name' | tee /dev/stderr)
+      yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr)
   [ "${actual}" = "secret_name_1" ]
   local actual=$(echo $object |
-      yq -r '.[8].valueFrom.secretKeyRef.key' | tee /dev/stderr)
+      yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr)
   [ "${actual}" = "secret_key_1" ]
 }
 
diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats
index 8e19ae0..e93bf31 100755
--- a/test/unit/server-ha-statefulset.bats
+++ b/test/unit/server-ha-statefulset.bats
@@ -71,11 +71,11 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[2].name' | tee /dev/stderr)
+     yq -r '.[4].name' | tee /dev/stderr)
   [ "${actual}" = "VAULT_ADDR" ]
 
   local actual=$(echo $object |
-     yq -r '.[2].value' | tee /dev/stderr)
+     yq -r '.[4].value' | tee /dev/stderr)
   [ "${actual}" = "http://127.0.0.1:8200" ]
 }
 @test "server/ha-StatefulSet: tls enabled" {
@@ -87,11 +87,11 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[2].name' | tee /dev/stderr)
+     yq -r '.[4].name' | tee /dev/stderr)
   [ "${actual}" = "VAULT_ADDR" ]
 
   local actual=$(echo $object |
-     yq -r '.[2].value' | tee /dev/stderr)
+     yq -r '.[4].value' | tee /dev/stderr)
   [ "${actual}" = "https://127.0.0.1:8200" ]
 }
 
@@ -349,19 +349,19 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[7].name' | tee /dev/stderr)
+     yq -r '.[10].name' | tee /dev/stderr)
   [ "${actual}" = "FOO" ]
 
   local actual=$(echo $object |
-      yq -r '.[7].value' | tee /dev/stderr)
+      yq -r '.[10].value' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
 
   local actual=$(echo $object |
-      yq -r '.[8].name' | tee /dev/stderr)
+      yq -r '.[11].name' | tee /dev/stderr)
   [ "${actual}" = "FOOBAR" ]
 
   local actual=$(echo $object |
-      yq -r '.[8].value' | tee /dev/stderr)
+      yq -r '.[11].value' | tee /dev/stderr)
   [ "${actual}" = "foobar" ]
 }
 
@@ -383,23 +383,23 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-      yq -r '.[7].name' | tee /dev/stderr)
+      yq -r '.[10].name' | tee /dev/stderr)
   [ "${actual}" = "ENV_FOO_0" ]
   local actual=$(echo $object |
-      yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr)
+      yq -r '.[10].valueFrom.secretKeyRef.name' | tee /dev/stderr)
   [ "${actual}" = "secret_name_0" ]
   local actual=$(echo $object |
-      yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr)
+      yq -r '.[10].valueFrom.secretKeyRef.key' | tee /dev/stderr)
   [ "${actual}" = "secret_key_0" ]
 
   local actual=$(echo $object |
-      yq -r '.[8].name' | tee /dev/stderr)
+      yq -r '.[11].name' | tee /dev/stderr)
   [ "${actual}" = "ENV_FOO_1" ]
   local actual=$(echo $object |
-      yq -r '.[8].valueFrom.secretKeyRef.name' | tee /dev/stderr)
+      yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr)
   [ "${actual}" = "secret_name_1" ]
   local actual=$(echo $object |
-      yq -r '.[8].valueFrom.secretKeyRef.key' | tee /dev/stderr)
+      yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr)
   [ "${actual}" = "secret_key_1" ]
 }
 
@@ -417,11 +417,11 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
   
   local actual=$(echo $object |
-     yq -r '.[7].name' | tee /dev/stderr)
+     yq -r '.[9].name' | tee /dev/stderr)
   [ "${actual}" = "VAULT_CLUSTER_ADDR" ]
 
   local actual=$(echo $object |
-     yq -r '.[7].value' | tee /dev/stderr)
+     yq -r '.[9].value' | tee /dev/stderr)
   [ "${actual}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ]
 }
 
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 35ebf21..b0dc6fb 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -384,19 +384,19 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[7].name' | tee /dev/stderr)
+     yq -r '.[10].name' | tee /dev/stderr)
   [ "${actual}" = "FOO" ]
 
   local actual=$(echo $object |
-      yq -r '.[7].value' | tee /dev/stderr)
+      yq -r '.[10].value' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
 
   local actual=$(echo $object |
-      yq -r '.[8].name' | tee /dev/stderr)
+      yq -r '.[11].name' | tee /dev/stderr)
   [ "${actual}" = "FOOBAR" ]
 
   local actual=$(echo $object |
-      yq -r '.[8].value' | tee /dev/stderr)
+      yq -r '.[11].value' | tee /dev/stderr)
   [ "${actual}" = "foobar" ]
 
   local object=$(helm template \
@@ -407,19 +407,19 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[7].name' | tee /dev/stderr)
+     yq -r '.[10].name' | tee /dev/stderr)
   [ "${actual}" = "FOO" ]
 
   local actual=$(echo $object |
-      yq -r '.[7].value' | tee /dev/stderr)
+      yq -r '.[10].value' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
 
   local actual=$(echo $object |
-      yq -r '.[8].name' | tee /dev/stderr)
+      yq -r '.[11].name' | tee /dev/stderr)
   [ "${actual}" = "FOOBAR" ]
 
   local actual=$(echo $object |
-      yq -r '.[8].value' | tee /dev/stderr)
+      yq -r '.[11].value' | tee /dev/stderr)
   [ "${actual}" = "foobar" ]
 }
 
diff --git a/values.yaml b/values.yaml
index 9e0326a..a7d7b92 100644
--- a/values.yaml
+++ b/values.yaml
@@ -110,7 +110,7 @@ server:
 
   image:
     repository: "vault"
-    tag: "1.3.3"
+    tag: "1.4.0"
     # Overrides the default Image Pull Policy
     pullPolicy: IfNotPresent
 
@@ -349,7 +349,6 @@ server:
       enabled: false
       config: |
         ui = true
-        cluster_addr = "https://POD_IP:8201"
 
         listener "tcp" {
           tls_disable = 1
@@ -361,12 +360,12 @@ server:
           path = "/vault/data"
         }
 
+        service_registration "kubernetes" {}
     # config is a raw string of default configuration when using a Stateful
     # deployment. Default is to use a Consul for its HA storage backend.
     # This should be HCL.
     config: |
       ui = true
-      cluster_addr = "https://POD_IP:8201"
 
       listener "tcp" {
         tls_disable = 1
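Review bot: `service_registration "kubernetes" {}` is added to the raft `config` directly against the comment block of the next key, with no explanation of why it is there. The new `-active` and `-standby` Services select on the `vault-active` pod label, so a user who overrides `config` without this stanza would get Services with no endpoints. Add a comment above it such as `# Required by the -active/-standby Services: Vault labels its own pod via service registration`, and keep a blank line after the stanza as the HA `config` in the next hunk does. The enclosing `config` block starts above this hunk.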
@@ -378,6 +377,8 @@ server:
         address = "HOST_IP:8500"
       }
 
+      service_registration "kubernetes" {}
+
       # Example configuration for using auto-unseal, using Google Cloud KMS. The
       # GKMS keys must already exist, and the cluster must have a service account
       # that is authorized to access GCP KMS.
-- 
GitLab


From 13f6df4e6af605be7c14bca1e78244b16e5ad8bb Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Thu, 9 Apr 2020 09:51:37 -0400
Subject: [PATCH 34/79] Update to 0.5.0 (#253)

* Update to 0.5.0

* Add changelog for k8s service discovery
---
 CHANGELOG.md | 6 ++++--
 Chart.yaml   | 2 +-
 values.yaml  | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a4e8acb..8109c85 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,10 +1,12 @@
 ## Unreleased
 
+## 0.5.0 (April 9th, 2020)
+
 Features:
 
 * Added Raft support for HA mode [[GH-228](https://github.com/hashicorp/vault-helm/pull/229)]
-
-Improvements:
+* Now supports Vault Enterprise [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)]
+* Added K8s Service Registration for HA modes [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)]
 
 * Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)]
 * Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)]
diff --git a/Chart.yaml b/Chart.yaml
index a41283c..3469359 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: vault
-version: 0.4.0
+version: 0.5.0
 description: Install and configure Vault on Kubernetes.
 home: https://www.vaultproject.io
 icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
diff --git a/values.yaml b/values.yaml
index a7d7b92..54ca6d0 100644
--- a/values.yaml
+++ b/values.yaml
@@ -30,7 +30,7 @@ injector:
   # required.
   agentImage:
     repository: "vault"
-    tag: "1.3.3"
+    tag: "1.4.0"
 
   # Mount Path of the Vault Kubernetes Auth Method.
   authPath: "auth/kubernetes"
-- 
GitLab


From 497daa5f60f434f90cec2a736ed7e5dbd6bfc26c Mon Sep 17 00:00:00 2001
From: Petter Abrahamsson <petter@jebus.nu>
Date: Thu, 9 Apr 2020 12:47:17 -0400
Subject: [PATCH 35/79] Remove IPC_LOCK capability (#198)

* Remove IPC_LOCK capability

* Remove tests for IPC_LOCK
---
 templates/server-statefulset.yaml | 3 ---
 test/acceptance/server-ha.bats    | 5 -----
 test/acceptance/server.bats       | 5 -----
 3 files changed, 13 deletions(-)

diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 255a844..1497889 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -52,9 +52,6 @@ spec:
       containers:
         - name: vault
           {{ template "vault.resources" . }}
-          securityContext:
-            capabilities:
-              add: ["IPC_LOCK"]
           image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
           imagePullPolicy: {{ .Values.server.image.pullPolicy }}
           command: {{ template "vault.command" . }}
diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats
index 74a3c11..4cb4a75 100644
--- a/test/acceptance/server-ha.bats
+++ b/test/acceptance/server-ha.bats
@@ -18,11 +18,6 @@ load _helpers
     jq -r '.initialized')
   [ "${init_status}" == "false" ]
 
-  # Security
-  local ipc=$(kubectl get statefulset "$(name_prefix)" --output json |
-    jq -r '.spec.template.spec.containers[0].securityContext.capabilities.add[0]')
-  [ "${ipc}" == "IPC_LOCK" ]
-
   # Replicas
   local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.replicas')
diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats
index beb2fa2..ce7843f 100644
--- a/test/acceptance/server.bats
+++ b/test/acceptance/server.bats
@@ -21,11 +21,6 @@ load _helpers
     jq -r '.initialized')
   [ "${init_status}" == "false" ]
 
-  # Security
-  local ipc=$(kubectl get statefulset "$(name_prefix)" --output json |
-    jq -r '.spec.template.spec.containers[0].securityContext.capabilities.add[0]')
-  [ "${ipc}" == "IPC_LOCK" ]
-
   # Replicas
   local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.replicas')
-- 
GitLab


From 27a3a765138e95d22f725031ac501f52e402e755 Mon Sep 17 00:00:00 2001
From: Jared Allard <jaredallard@users.noreply.github.com>
Date: Thu, 9 Apr 2020 09:48:42 -0700
Subject: [PATCH 36/79] fix(templates/server): ingress has default paths of /
 (#224)

* fix(templates/server): ingress has default paths of /

* fix: array -> list

It's been awhile since I wrote Helm templates :/
---
 templates/server-ingress.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml
index 32755f3..fd9662d 100644
--- a/templates/server-ingress.yaml
+++ b/templates/server-ingress.yaml
@@ -33,7 +33,7 @@ spec:
     - host: {{ .host | quote }}
       http:
         paths:
-        {{- range .paths }}
+        {{- range (.paths | default (list "/")) }}
           - path: {{ . }}
             backend:
               serviceName: {{ $serviceName }}
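Review bot: Nothing in this commit tests the new fallback in `range (.paths | default (list "/"))`; the diffstat touches only the template. A host entry that omits `paths` now routes the whole Vault service at `/`, where before the loop rendered nothing. A unit test that renders a host without `paths` and expects a single `/` entry would pin that, and the values comment for the ingress hosts should state the default. The `paths:` block continues outside the hunk.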
-- 
GitLab


From c869fa86517bffc68f5827b9995dbe17fd35d197 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Thu, 9 Apr 2020 12:51:35 -0400
Subject: [PATCH 37/79] changelog++

---
 CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8109c85..0e7e732 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
 ## Unreleased
 
+Features:
+
+Improvements:
+* Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)]
+
+Bugs:
+* Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)]
+
 ## 0.5.0 (April 9th, 2020)
 
 Features:
-- 
GitLab


From 0e115513c2740ca8e467006df6b5354c01af7852 Mon Sep 17 00:00:00 2001
From: Denys Vitali <denys@denv.it>
Date: Fri, 10 Apr 2020 14:43:14 +0000
Subject: [PATCH 38/79] docs(REAMDE): Fix Vault K8s dead link (#256)

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 81409de..b049825 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ cases of Vault on Kubernetes depending on the values provided.
 
 For full documentation on this Helm chart along with all the ways you can
 use Vault with Kubernetes, please see the
-[Vault and Kubernetes documentation](https://www.vaultproject.io/docs/platform/k8s/index.html).
+[Vault and Kubernetes documentation](https://www.vaultproject.io/docs/platform/k8s/).
 
 ## Prerequisites
 
-- 
GitLab


From 374ea22c02957aff7811d9875c2c2666e91acfaa Mon Sep 17 00:00:00 2001
From: Javad Karabi <karabijavad@gmail.com>
Date: Mon, 13 Apr 2020 10:48:23 -0500
Subject: [PATCH 39/79] use port names that map to vault.scheme (#223)

* use port names that map to vault.scheme

* prefix internal/replication port names with vault.scheme

* port names must be 'no more than 15 characters'

* test vault server service port names are prefixed with vault scheme

* test vault server statefulset port names are prefixed with vault scheme

* test vault ui service port names are prefixed with vault scheme

* formatting: replace double quote with single quote

* uncomment accidentally-commented lines

* always set internal port name to https-internal, since it is always https

* prefix headless service internal port name with https
---
 templates/server-headless-service.yaml |  2 +-
 templates/server-service.yaml          |  4 +--
 templates/server-statefulset.yaml      |  6 ++--
 templates/ui-service.yaml              |  2 +-
 test/unit/server-service.bats          | 22 +++++++++++++
 test/unit/server-statefulset.bats      | 44 ++++++++++++++++++++++++++
 test/unit/ui-service.bats              | 24 ++++++++++++++
 7 files changed, 97 insertions(+), 7 deletions(-)

diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml
index b9069d8..cced609 100644
--- a/templates/server-headless-service.yaml
+++ b/templates/server-headless-service.yaml
@@ -24,7 +24,7 @@ spec:
     - name: "{{ include "vault.scheme" . }}"
       port: {{ .Values.server.service.port }}
       targetPort: {{ .Values.server.service.targetPort }}
-    - name: internal
+    - name: https-internal
       port: 8201
       targetPort: 8201
   selector:
diff --git a/templates/server-service.yaml b/templates/server-service.yaml
index 68a06fb..4d0e289 100644
--- a/templates/server-service.yaml
+++ b/templates/server-service.yaml
@@ -31,13 +31,13 @@ spec:
   # since this DNS is also used for join operations.
   publishNotReadyAddresses: true
   ports:
-    - name: http
+    - name: {{ include "vault.scheme" . }}
       port: {{ .Values.server.service.port }}
       targetPort: {{ .Values.server.service.targetPort }}
       {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
       nodePort: {{ .Values.server.service.nodePort }}
       {{- end }}
-    - name: internal
+    - name: https-internal
       port: 8201
       targetPort: 8201
   selector:
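Review bot: The Service port name now follows `global.tlsDisable` (`http` or `https`) and `internal` becomes `https-internal`, so anything that selects these ports by name rather than number, such as an Ingress backend, a NetworkPolicy or a monitoring selector, stops matching after an upgrade. Nothing visible here shows whether the chart's own templates reference the old names, so this deserves an explicit upgrade note. The same applies to the renamed ports in server-headless-service.yaml, server-statefulset.yaml and ui-service.yaml. As a style point, the headless Service quotes the value (`name: "{{ include "vault.scheme" . }}"`) while this line does not; one form should be used throughout.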
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 1497889..3b51a62 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -94,11 +94,11 @@ spec:
           {{ template "vault.mounts" . }}
           ports:
             - containerPort: 8200
-              name: http
+              name: {{ include "vault.scheme" . }}
             - containerPort: 8201
-              name: internal
+              name: https-internal
             - containerPort: 8202
-              name: replication
+              name: {{ include "vault.scheme" . }}-rep
           {{- if .Values.server.readinessProbe.enabled }}
           readinessProbe:
             {{- if .Values.server.readinessProbe.path }}
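Review bot: Port 8202 takes its name from `vault.scheme` (`{{ include "vault.scheme" . }}-rep`), while the commit message pins 8201 to `https-internal` because that listener is always HTTPS. If 8202 also carries TLS regardless of `global.tlsDisable`, `http-rep` would mislabel it for tooling that infers the protocol from the port-name prefix. It is worth confirming which case holds and adding a one-line comment above the port saying which listener 8202 belongs to. The `ports:` list starts above the hunk and the probe block continues below it.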
diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml
index 6d89264..8b8a2c9 100644
--- a/templates/ui-service.yaml
+++ b/templates/ui-service.yaml
@@ -25,7 +25,7 @@ spec:
     component: server
   publishNotReadyAddresses: true
   ports:
-    - name: http
+    - name: {{ include "vault.scheme" . }}
       port: {{ .Values.ui.externalPort }}
       targetPort: 8200
       {{- if .Values.ui.serviceNodePort }}
diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats
index e3ae0f2..5821b91 100755
--- a/test/unit/server-service.bats
+++ b/test/unit/server-service.bats
@@ -388,3 +388,25 @@ load _helpers
       yq -r '.spec.ports[0].nodePort' | tee /dev/stderr)
   [ "${actual}" = "null" ]
 }
+
+@test "server/Service: vault port name is http, when tlsDisable is true" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-service.yaml \
+      --set 'global.tlsDisable=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr)
+  [ "${actual}" = "http" ]
+}
+
+@test "server/Service: vault port name is https, when tlsDisable is false" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-service.yaml \
+      --set 'global.tlsDisable=false' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr)
+  [ "${actual}" = "https" ]
+}
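Review bot: The two added tests cover only port 8200; the `https-internal` name this commit gives port 8201 is never asserted, here or in test/unit/server-statefulset.bats. A further test selecting `.port==8201` and expecting `https-internal` under both `global.tlsDisable` settings would pin the part of the change the commit message calls deliberate ("always set internal port name to https-internal").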
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index b0dc6fb..3d08925 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -892,3 +892,47 @@ load _helpers
        yq -r '.spec.template.spec.containers[0].lifecycle.preStop.exec.command[2]' | tee /dev/stderr)
   [[ "${actual}" = "sleep 10 &&"* ]]
 }
+
+@test "server/standalone-StatefulSet: vault port name is http, when tlsDisable is true" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml \
+      --set 'global.tlsDisable=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].ports | map(select(.containerPort==8200)) | .[] .name' | tee /dev/stderr)
+  [ "${actual}" = "http" ]
+}
+
+@test "server/standalone-StatefulSet: vault replication port name is http-rep, when tlsDisable is true" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml \
+      --set 'global.tlsDisable=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].ports | map(select(.containerPort==8202)) | .[] .name' | tee /dev/stderr)
+  [ "${actual}" = "http-rep" ]
+}
+
+@test "server/standalone-StatefulSet: vault port name is https, when tlsDisable is false" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml \
+      --set 'global.tlsDisable=false' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].ports | map(select(.containerPort==8200)) | .[] .name' | tee /dev/stderr)
+  [ "${actual}" = "https" ]
+}
+
+@test "server/standalone-StatefulSet: vault replication port name is https-rep, when tlsDisable is false" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml \
+      --set 'global.tlsDisable=false' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].ports | map(select(.containerPort==8202)) | .[] .name' | tee /dev/stderr)
+  [ "${actual}" = "https-rep" ]
+}
diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats
index 46cfa88..042e141 100755
--- a/test/unit/ui-service.bats
+++ b/test/unit/ui-service.bats
@@ -214,3 +214,27 @@ load _helpers
       yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
   [ "${actual}" = "null" ]
 }
+
+@test "ui/Service: port name is http, when tlsDisable is true" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/ui-service.yaml \
+      --set 'global.tlsDisable=true' \
+      --set 'ui.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[0].name' | tee /dev/stderr)
+  [ "${actual}" = "http" ]
+}
+
+@test "ui/Service: port name is https, when tlsDisable is false" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/ui-service.yaml \
+      --set 'global.tlsDisable=false' \
+      --set 'ui.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[0].name' | tee /dev/stderr)
+  [ "${actual}" = "https" ]
+}
-- 
GitLab


From 39631aad6be443941c4a8cfb8ac033ad141ed366 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Mon, 13 Apr 2020 10:17:49 -0700
Subject: [PATCH 40/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0e7e732..3f808fa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@ Features:
 
 Improvements:
 * Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)]
+* Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)]
 
 Bugs:
 * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)]
-- 
GitLab


From 2072bf2dcd0babe260654932f40a4d5fa13569df Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Tue, 21 Apr 2020 08:19:17 -0700
Subject: [PATCH 41/79] Fix ha standby and active service annotations (#268)

* service: fix annotations for HA standby/active services

* added unit tests

Co-authored-by: yotsub <63680950+yotsub@users.noreply.github.com>
---
 templates/server-ha-active-service.yaml  |  2 +-
 templates/server-ha-standby-service.yaml |  2 +-
 test/unit/server-ha-active-service.bats  | 14 ++++++++++++++
 test/unit/server-ha-standby-service.bats | 14 ++++++++++++++
 4 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 test/unit/server-ha-active-service.bats
 create mode 100644 test/unit/server-ha-standby-service.bats

diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml
index 1af8520..0333df1 100644
--- a/templates/server-ha-active-service.yaml
+++ b/templates/server-ha-active-service.yaml
@@ -14,7 +14,7 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
   annotations:
 {{- if .Values.server.service.annotations }}
-{{ toYaml .Values.server.service.annotations | indent 4 }}
+{{ tpl .Values.server.service.annotations . | indent 4 }}
 {{- end }}
 spec:
   type: ClusterIP
diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml
index 2dd7522..d8df9e7 100644
--- a/templates/server-ha-standby-service.yaml
+++ b/templates/server-ha-standby-service.yaml
@@ -14,7 +14,7 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
   annotations:
 {{- if .Values.server.service.annotations }}
-{{ toYaml .Values.server.service.annotations | indent 4 }}
+{{ tpl .Values.server.service.annotations . | indent 4 }}
 {{- end }}
 spec:
   type: ClusterIP
diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats
new file mode 100644
index 0000000..4e6ad1a
--- /dev/null
+++ b/test/unit/server-ha-active-service.bats
@@ -0,0 +1,14 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/ha-active-Service: generic annotations" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-active-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.annotations=vaultIsAwesome: true' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats
new file mode 100644
index 0000000..7630ac5
--- /dev/null
+++ b/test/unit/server-ha-standby-service.bats
@@ -0,0 +1,14 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/ha-standby-Service: generic annotations" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-standby-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.annotations=vaultIsAwesome: true' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
-- 
GitLab


From 1be24460f3e8b2fa5ac0fa4b1794eaa271246d2f Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Tue, 21 Apr 2020 08:20:41 -0700
Subject: [PATCH 42/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3f808fa..604bd71 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ Improvements:
 
 Bugs:
 * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)]
+* Fixed annotations for HA standby/active services [[GH-268](https://github.com/hashicorp/vault-helm/pull/268)]
 
 ## 0.5.0 (April 9th, 2020)
 
-- 
GitLab


From 0f36ee3a5b536e7b3541a7353b21ef34c0e70ab2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Moreno=20Garc=C3=ADa?= <david.mogar@gmail.com>
Date: Mon, 27 Apr 2020 16:45:56 +0200
Subject: [PATCH 43/79] Change config specification (#213)

* Change config specification

As it is right now, the specification of the config is done through a
string. When using storage backends like PostgreSQL, the password for the
database has to be included in the config variable of the values file.

This change allows to specify the configuration through a map, making
the chart GitOps friendly. Now, sensitive values can be stored in a
different values file or passed on deployment time with --set.

To have a very generic specification:
- I've assumed that the combination stanza (eg. storage) name (eg. file)
is unique.
- Quoted values for all stanza parameters. I tested a generated
configuration in a vault docker image and it seems to work just fine.

* Change config format to json

* Add conditional formatting

* Add config for raft mode
---
 templates/_helpers.tpl                 |  4 ++--
 templates/server-config-configmap.yaml | 13 ++++++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 89d23d8..12a006a 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -83,7 +83,7 @@ defined a custom configuration.  Additionally iterates over any
 extra volumes the user may have specified (such as a secret with TLS).
 */}}
 {{- define "vault.volumes" -}}
-  {{- if and (ne .mode "dev") (or (ne .Values.server.standalone.config "")  (ne .Values.server.ha.config "")) }}
+  {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
         - name: config
           configMap:
             name: {{ template "vault.fullname" . }}-config
@@ -150,7 +150,7 @@ based on the mode configured.
               mountPath: /vault/data
     {{ end }}
   {{ end }}
-  {{ if and (ne .mode "dev") (or (ne .Values.server.standalone.config "")  (ne .Values.server.ha.config "")) }}
+  {{ if and (ne .mode "dev") (or (.Values.server.standalone.config)  (.Values.server.ha.config)) }}
             - name: config
               mountPath: /vault/config
   {{ end }}
diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml
index 6e05850..b8093ad 100644
--- a/templates/server-config-configmap.yaml
+++ b/templates/server-config-configmap.yaml
@@ -1,7 +1,7 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
 {{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}}
-{{ if or (ne .Values.server.standalone.config "")  (ne .Values.server.ha.config "") -}}
+{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
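Review bot: The rendered configuration still lands in a ConfigMap (`kind: ConfigMap` just below the changed condition), so the storage password the commit message mentions is kept in plain text in that object, whether it arrives through a separate values file or `--set`. It will normally also be held in the Helm release record. Splitting it out of the main values file keeps it out of Git but not out of the cluster. The values comment for `config` should say so and direct credentials to a Secret-backed mechanism instead. The ConfigMap body continues outside this hunk.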
@@ -14,6 +14,9 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 data:
   extraconfig-from-values.hcl: |-
+  {{- if or (eq .mode "ha") (eq .mode "standalone") }}
+  {{- $type := typeOf (index .Values.server .mode).config }}
+  {{- if eq $type "string" }}
     disable_mlock = true
   {{- if eq .mode "standalone" }}
     {{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
@@ -22,6 +25,14 @@ data:
   {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
     {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }}
   {{ end }}
+  {{- else }}
+  {{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
+{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }}
+  {{- else }}
+{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
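Review bot: `$type` is taken from `(index .Values.server .mode).config`, but when `.mode` is `ha` and raft is enabled the value actually rendered is `.Values.server.ha.raft.config`. A string `ha.config` with a map `raft.config` therefore sends a map to `tpl`, and the reverse sends a string to `merge`; both are render-time type errors. Select the config that will be rendered first and call `typeOf` on that value. Separately, `merge` gives precedence to its first argument, so the map form always renders `disable_mlock` as true and a user setting cannot override it. With the IPC_LOCK capability removed earlier in this series, the template comment should state that the chart relies on nodes running without swap.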
-- 
GitLab


From 7880c3b973f39fc6119b0038c527f25617092d4d Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Mon, 27 Apr 2020 10:47:28 -0400
Subject: [PATCH 44/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 604bd71..b34f640 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 Features:
 
 Improvements:
+* Server configs can now be defined in YAML.  Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213)
 * Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)]
 * Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)]
 
-- 
GitLab


From e09de0dc636e8a8ee277d1e729a6f967867c62d8 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Mon, 27 Apr 2020 08:28:50 -0700
Subject: [PATCH 45/79] Allow both yaml and multi-line string annotations
 (#272)

Changed/added helper functions to detect if the annotations value
is a string or yaml, and apply `tpl` or `toYaml`
accordingly. Defaults are left as `{}` since yaml is more likely
to be used with helm on the command line. This means a warning
will be shown when setting an annotation to a multi-line
string (which has been the existing behavior).
---
 templates/_helpers.tpl                        | 42 +++++++++++++++--
 templates/server-ha-active-service.yaml       |  4 +-
 templates/server-ha-standby-service.yaml      |  4 +-
 templates/server-headless-service.yaml        |  4 +-
 templates/server-service.yaml                 |  4 +-
 test/acceptance/server-annotations.bats       | 46 +++++++++++++++++++
 .../server-test/annotations-overrides.yaml    |  9 ++++
 test/unit/server-ha-standby-service.bats      | 13 +++++-
 test/unit/server-ingress.bats                 | 14 +++++-
 test/unit/server-serviceaccount.bats          |  8 ++++
 test/unit/server-statefulset.bats             | 22 +++++++++
 test/unit/ui-service.bats                     | 10 ++++
 values.yaml                                   | 22 +++++----
 13 files changed, 175 insertions(+), 27 deletions(-)
 create mode 100644 test/acceptance/server-annotations.bats
 create mode 100644 test/acceptance/server-test/annotations-overrides.yaml

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 12a006a..bab233b 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -264,7 +264,12 @@ Sets extra pod annotations
 {{- define "vault.annotations" -}}
   {{- if and (ne .mode "dev") .Values.server.annotations }}
       annotations:
-        {{- tpl .Values.server.annotations . | nindent 8 }}
+        {{- $tp := typeOf .Values.server.annotations }}
+        {{- if eq $tp "string" }}
+          {{- tpl .Values.server.annotations . | nindent 8 }}
+        {{- else }}
+          {{- toYaml .Values.server.annotations | nindent 8 }}
+        {{- end }}
   {{- end }}
 {{- end -}}
 
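Review bot: The two branches treat template expressions differently: the string form goes through `tpl`, so `{{ .Release.Name }}` inside an annotation is evaluated, while the map form goes through `toYaml` and emits the same text literally. The acceptance values file uses an expression only in the string form, so the difference is neither tested nor documented. The helper comment should say it, e.g. `Template expressions are evaluated only when the value is a multi-line string.` The same applies to `vault.ui.annotations`, `vault.serviceAccount.annotations`, `vault.ingress.annotations` and the new `vault.service.annotations` in the following hunks.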
@@ -274,7 +279,12 @@ Sets extra ui service annotations
 {{- define "vault.ui.annotations" -}}
   {{- if .Values.ui.annotations }}
   annotations:
-    {{- tpl .Values.ui.annotations . | nindent 4 }}
+    {{- $tp := typeOf .Values.ui.annotations }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.ui.annotations . | nindent 4 }}
+    {{- else }}
+      {{- toYaml .Values.ui.annotations | nindent 4 }}
+    {{- end }}
   {{- end }}
 {{- end -}}
 
@@ -284,7 +294,12 @@ Sets extra service account annotations
 {{- define "vault.serviceAccount.annotations" -}}
   {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }}
   annotations:
-    {{- tpl .Values.server.serviceAccount.annotations . | nindent 4 }}
+    {{- $tp := typeOf .Values.server.serviceAccount.annotations }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.server.serviceAccount.annotations . | nindent 4 }}
+    {{- else }}
+      {{- toYaml .Values.server.serviceAccount.annotations | nindent 4 }}
+    {{- end }}
   {{- end }}
 {{- end -}}
 
@@ -294,7 +309,26 @@ Sets extra ingress annotations
 {{- define "vault.ingress.annotations" -}}
   {{- if .Values.server.ingress.annotations }}
   annotations:
-    {{- tpl .Values.server.ingress.annotations . | nindent 4 }}
+    {{- $tp := typeOf .Values.server.ingress.annotations }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.server.ingress.annotations . | nindent 4 }}
+    {{- else }}
+      {{- toYaml .Values.server.ingress.annotations | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+Sets extra vault server Service annotations
+*/}}
+{{- define "vault.service.annotations" -}}
+  {{- if .Values.server.service.annotations }}
+    {{- $tp := typeOf .Values.server.service.annotations }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.server.service.annotations . | nindent 4 }}
+    {{- else }}
+      {{- toYaml .Values.server.service.annotations | nindent 4 }}
+    {{- end }}
   {{- end }}
 {{- end -}}
 
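Review bot: Unlike the four sibling helpers, `vault.service.annotations` does not emit the `annotations:` key itself, and its comment does not say so. Callers such as server-ha-active-service.yaml keep a bare `annotations:` line, which renders as a null value when no annotations are set. Extend the comment to something like `Emits only the entries; the caller must render the annotations: key.` so the next template that includes it does not end up with entries outside any key.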
diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml
index 0333df1..01f962d 100644
--- a/templates/server-ha-active-service.yaml
+++ b/templates/server-ha-active-service.yaml
@@ -13,9 +13,7 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
   annotations:
-{{- if .Values.server.service.annotations }}
-{{ tpl .Values.server.service.annotations . | indent 4 }}
-{{- end }}
+{{ template "vault.service.annotations" .}}
 spec:
   type: ClusterIP
   publishNotReadyAddresses: true
diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml
index d8df9e7..302627a 100644
--- a/templates/server-ha-standby-service.yaml
+++ b/templates/server-ha-standby-service.yaml
@@ -13,9 +13,7 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
   annotations:
-{{- if .Values.server.service.annotations }}
-{{ tpl .Values.server.service.annotations . | indent 4 }}
-{{- end }}
+{{ template "vault.service.annotations" .}}
 spec:
   type: ClusterIP
   publishNotReadyAddresses: true
diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml
index cced609..4bb276b 100644
--- a/templates/server-headless-service.yaml
+++ b/templates/server-headless-service.yaml
@@ -14,9 +14,7 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
   annotations:
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
-{{- if .Values.server.service.annotations }}
-{{ tpl .Values.server.service.annotations . | indent 4 }}
-{{- end }}
+{{ template "vault.service.annotations" .}}
 spec:
   clusterIP: None
   publishNotReadyAddresses: true
diff --git a/templates/server-service.yaml b/templates/server-service.yaml
index 4d0e289..6d50584 100644
--- a/templates/server-service.yaml
+++ b/templates/server-service.yaml
@@ -17,9 +17,7 @@ metadata:
     # to an open issue where it may not work:
     # https://github.com/kubernetes/kubernetes/issues/58662
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
-{{- if .Values.server.service.annotations }}
-{{ tpl .Values.server.service.annotations . | indent 4 }}
-{{- end }}
+{{ template "vault.service.annotations" .}}
 spec:
   {{- if .Values.server.service.type}}
   type: {{ .Values.server.service.type }}
diff --git a/test/acceptance/server-annotations.bats b/test/acceptance/server-annotations.bats
new file mode 100644
index 0000000..d382788
--- /dev/null
+++ b/test/acceptance/server-annotations.bats
@@ -0,0 +1,46 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/annotations: testing yaml and yaml-formatted string formats" {
+  cd `chart_dir`
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
+  kubectl config set-context --current --namespace=acceptance
+
+  helm install "$(name_prefix)" -f ./test/acceptance/server-test/annotations-overrides.yaml .
+  wait_for_running $(name_prefix)-0
+
+  # service annotations
+  local awesome=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.metadata.annotations.active')
+  [ "${awesome}" == "sometimes" ]
+
+  local pickMe=$(kubectl get service "$(name_prefix)" --output json |
+    jq -r '.metadata.annotations.pickMe')
+  [ "${pickMe}" == "please" ]
+
+  local environment=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.metadata.annotations.environment')
+  [ "${environment}" == "production" ]
+
+  local milk=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.metadata.annotations.milk')
+  [ "${milk}" == "oat" ]
+
+  local myName=$(kubectl get statefulset "$(name_prefix)" --output json |
+    jq -r '.spec.template.metadata.annotations.myName')
+  [ "${myName}" == "$(name_prefix)" ]
+
+}
+
+# Clean up
+teardown() {
+  if [[ ${CLEANUP:-true} == "true" ]]
+  then
+      echo "helm/pvc teardown"
+      helm delete $(name_prefix)
+      kubectl delete --all pvc
+      kubectl delete namespace acceptance --ignore-not-found=true
+  fi
+}
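Review bot: `teardown` runs `kubectl delete --all pvc` against whatever namespace the current context points at. That is `acceptance` only if the earlier `kubectl config set-context --current --namespace=acceptance` succeeded, and that command also rewrites the caller's kubeconfig without restoring it. Passing the namespace explicitly, as in `kubectl delete --all pvc --namespace acceptance`, keeps a failed setup from deleting claims elsewhere. Adding `--namespace acceptance` to the `helm install`, `helm delete` and `kubectl get` calls as well would leave the caller's context untouched.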
diff --git a/test/acceptance/server-test/annotations-overrides.yaml b/test/acceptance/server-test/annotations-overrides.yaml
new file mode 100644
index 0000000..459576a
--- /dev/null
+++ b/test/acceptance/server-test/annotations-overrides.yaml
@@ -0,0 +1,9 @@
+server:
+  annotations: |
+    environment: production
+    milk: oat
+    myName: "{{ .Release.Name }}"
+  service:
+    annotations:
+      active: sometimes
+      pickMe: please
diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats
index 7630ac5..f2f0043 100644
--- a/test/unit/server-ha-standby-service.bats
+++ b/test/unit/server-ha-standby-service.bats
@@ -2,7 +2,7 @@
 
 load _helpers
 
-@test "server/ha-standby-Service: generic annotations" {
+@test "server/ha-standby-Service: generic annotations string" {
   cd `chart_dir`
   local actual=$(helm template \
       --show-only templates/server-ha-standby-service.yaml \
@@ -12,3 +12,14 @@ load _helpers
       yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+
+@test "server/ha-standby-Service: generic annotations yaml" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-standby-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.annotations.vaultIsAwesome=true' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats
index 9f54e5c..8660920 100755
--- a/test/unit/server-ingress.bats
+++ b/test/unit/server-ingress.bats
@@ -70,7 +70,7 @@ load _helpers
   [ "${actual}" = "external" ]
 }
 
-@test "server/ingress: annotations added to object" {
+@test "server/ingress: annotations added to object - string" {
   cd `chart_dir`
 
   local actual=$(helm template \
@@ -81,3 +81,15 @@ load _helpers
       yq -r '.metadata.annotations["kubernetes.io/ingress.class"]' | tee /dev/stderr)
   [ "${actual}" = "nginx" ]
 }
+
+@test "server/ingress: annotations added to object - yaml" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-ingress.yaml \
+      --set 'server.ingress.enabled=true' \
+      --set server.ingress.annotations."kubernetes\.io/ingress\.class"=nginx \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["kubernetes.io/ingress.class"]' | tee /dev/stderr)
+  [ "${actual}" = "nginx" ]
+}
diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats
index 5b8744a..fe09c2a 100755
--- a/test/unit/server-serviceaccount.bats
+++ b/test/unit/server-serviceaccount.bats
@@ -20,6 +20,14 @@ load _helpers
       yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
 
+  local actual=$(helm template \
+      --show-only templates/server-serviceaccount.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'server.serviceAccount.annotations.foo=bar' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
+  [ "${actual}" = "bar" ]
+
   local actual=$(helm template \
       --show-only templates/server-serviceaccount.yaml  \
       --set 'server.ha.enabled=true' \
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 3d08925..8e80119 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -936,3 +936,25 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].ports | map(select(.containerPort==8202)) | .[] .name' | tee /dev/stderr)
   [ "${actual}" = "https-rep" ]
 }
+
+#--------------------------------------------------------------------
+# annotations
+@test "server/standalone-StatefulSet: generic annotations string" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml \
+      --set 'server.annotations=vaultIsAwesome: true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "server/ha-standby-Service: generic annotations yaml" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml \
+      --set 'server.annotations.vaultIsAwesome=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
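Review bot: The second added test is titled `server/ha-standby-Service: generic annotations yaml`, but it renders `templates/server-statefulset.yaml` and asserts on `.spec.template.metadata.annotations`, so a failure would be reported against the wrong component. Rename it to `@test "server/standalone-StatefulSet: generic annotations yaml" {`. Separately, `--set 'server.annotations.vaultIsAwesome=true'` hands Helm a boolean, and `yq -r` prints `true` for a boolean and for a string alike, so the assertion cannot tell whether the rendered annotation value is a string, which Kubernetes requires. Passing the value with `--set-string` would likely make the case representative of a manifest that can be applied.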
diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats
index 042e141..b92160b 100755
--- a/test/unit/ui-service.bats
+++ b/test/unit/ui-service.bats
@@ -205,6 +205,16 @@ load _helpers
       yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
 
+  local actual=$(helm template \
+      --show-only templates/ui-service.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'ui.serviceType=LoadBalancer' \
+      --set 'ui.enabled=true' \
+      --set 'ui.annotations.foo=bar' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
+  [ "${actual}" = "bar" ]
+
   local actual=$(helm template \
       --show-only templates/ui-service.yaml  \
       --set 'server.ha.enabled=true' \
diff --git a/values.yaml b/values.yaml
index 54ca6d0..b0b303c 100644
--- a/values.yaml
+++ b/values.yaml
@@ -137,6 +137,9 @@ server:
       # |
       # kubernetes.io/ingress.class: nginx
       # kubernetes.io/tls-acme: "true"
+      #   or
+      # kubernetes.io/ingress.class: nginx
+      # kubernetes.io/tls-acme: "true"
     hosts:
       - host: chart-example.local
         paths: []
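Review bot: The added `#   or` example in the ingress annotations comment repeats the two annotation lines verbatim, so the only difference from the string form is the missing `# |` line, which is easy to overlook. Spell the distinction out, for example `#   or, as a plain YAML map (without the leading "|"):`. The reworded comments in the later hunks of this file ("YAML-formatted multi-line templated string map") would read more clearly as `This can be a YAML map, or a multi-line string containing a YAML map`.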
@@ -230,8 +233,8 @@ server:
   extraLabels: {}
 
   # Extra annotations to attach to the server pods
-  # This should be a multi-line string mapping directly to the a map of
-  # the annotations to apply to the server pods
+  # This can either be YAML or a YAML-formatted multi-line templated string map
+  # of the annotations to apply to the server pods
   annotations: {}
 
   # Enables a headless service to be used by the Vault Statefulset
@@ -257,8 +260,9 @@ server:
     port: 8200
     # Target port to which the service should be mapped to
     targetPort: 8200
-    # Extra annotations for the service definition. This should be a multi-line
-    # string formatted as a map of the annotations to apply to the service.
+    # Extra annotations for the service definition. This can either be YAML or a
+    # YAML-formatted multi-line templated string map of the annotations to apply
+    # to the service.
     annotations: {}
 
   # This configures the Vault Statefulset to create a PVC for data
@@ -400,9 +404,9 @@ server:
 
   # Definition of the serviceAccount used to run Vault.
   serviceAccount:
-    # Extra annotations for the serviceAccount definition. This should be a
-    # multi-line string formatted as a map of the annotations to apply to the
-    # serviceAccount.
+    # Extra annotations for the serviceAccount definition. This can either be
+    # YAML or a YAML-formatted multi-line templated string map of the
+    # annotations to apply to the serviceAccount.
     annotations: {}
 
 # Vault UI
@@ -424,6 +428,6 @@ ui:
   # loadBalancerIP:
 
   # Extra annotations to attach to the ui service
-  # This should be a multi-line string mapping directly to the a map of
-  # the annotations to apply to the ui service
+  # This can either be YAML or a YAML-formatted multi-line templated string map
+  # of the annotations to apply to the ui service
   annotations: {}
-- 
GitLab


From accbd222ecf8672d5de85f47f7d96f615b457ff7 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Mon, 27 Apr 2020 08:31:25 -0700
Subject: [PATCH 46/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b34f640..396a339 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ Improvements:
 * Server configs can now be defined in YAML.  Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213)
 * Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)]
 * Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)]
+* Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)]
 
 Bugs:
 * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)]
-- 
GitLab


From 8cc3fdb167c3a3458deea1a6774f281016cb29ce Mon Sep 17 00:00:00 2001
From: Yong Wen Chua <lawliet89@users.noreply.github.com>
Date: Mon, 27 Apr 2020 23:38:26 +0800
Subject: [PATCH 47/79] Add support for setting VAULT_RAFT_NODE_ID environment
 variable (#269)

* Add support for setting VAULT_RAFT_NODE_ID environment variable

* Update server-statefulset.yaml

* Update server-ha-statefulset.bats
---
 templates/server-statefulset.yaml    |  6 ++++++
 test/unit/server-ha-statefulset.bats | 25 +++++++++++++++++++++++--
 values.yaml                          | 12 +++++++-----
 3 files changed, 36 insertions(+), 7 deletions(-)

diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 3b51a62..545b3d6 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -87,6 +87,12 @@ spec:
                   fieldPath: metadata.name
             - name: VAULT_CLUSTER_ADDR
               value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
+            {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }}
+            - name: VAULT_RAFT_NODE_ID
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            {{- end }}
             {{ template "vault.envs" . }}
             {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
             {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
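Review bot: The added `VAULT_RAFT_NODE_ID` block carries no comment, and the values.yaml entry added with it (`# Set the Node Raft ID to the name of the pod`) does not name the environment variable or say that it only takes effect together with `server.ha.raft.enabled`. Suggested values comment: `# Set VAULT_RAFT_NODE_ID to the pod name (metadata.name). Only used when raft.enabled is true.` The `env:` list this block belongs to starts outside the hunk.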
diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats
index e93bf31..e6d0d58 100755
--- a/test/unit/server-ha-statefulset.bats
+++ b/test/unit/server-ha-statefulset.bats
@@ -403,7 +403,6 @@ load _helpers
   [ "${actual}" = "secret_key_1" ]
 }
 
-
 #--------------------------------------------------------------------
 # VAULT_CLUSTER_ADDR renders
 
@@ -415,7 +414,7 @@ load _helpers
       --set 'server.ha.raft.enabled=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
-  
+
   local actual=$(echo $object |
      yq -r '.[9].name' | tee /dev/stderr)
   [ "${actual}" = "VAULT_CLUSTER_ADDR" ]
@@ -425,6 +424,28 @@ load _helpers
   [ "${actual}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ]
 }
 
+#--------------------------------------------------------------------
+# VAULT_RAFT_NODE_ID renders
+
+@test "server/ha-StatefulSet: raft node ID renders" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'server.ha.raft.enabled=true' \
+      --set 'server.ha.raft.setNodeId=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[10].name' | tee /dev/stderr)
+  [ "${actual}" = "VAULT_RAFT_NODE_ID" ]
+
+  local actual=$(echo $object |
+     yq -r '.[10].valueFrom.fieldRef.fieldPath' | tee /dev/stderr)
+  [ "${actual}" = 'metadata.name' ]
+}
+
 #--------------------------------------------------------------------
 # storage class
 
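Review bot: Both assertions in the new test address the variable by position (`.[10]`), so adding or reordering any environment variable in the template breaks the test even though VAULT_RAFT_NODE_ID still renders correctly. Select by name instead, as other tests in this suite already do with `map(select(...))`: `yq -r 'map(select(.name=="VAULT_RAFT_NODE_ID")) | .[0].valueFrom.fieldRef.fieldPath'`. There is also no case asserting that the variable is absent when `server.ha.raft.setNodeId` is left at its default of `false`.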
diff --git a/values.yaml b/values.yaml
index b0b303c..305da7b 100644
--- a/values.yaml
+++ b/values.yaml
@@ -40,7 +40,7 @@ injector:
 
   # Configures the log format of the injector. Supported log formats: "standard", "json".
   logFormat: "standard"
-  
+
   # Configures all Vault Agent sidecars to revoke their token when shutting down
   revokeOnShutdown: false
 
@@ -342,15 +342,17 @@ server:
   ha:
     enabled: false
     replicas: 3
-    
-    # Enables Vault's integrated Raft storage.  Unlike the typical HA modes where 
-    # Vault's persistence is external (such as Consul), enabling Raft mode will create 
+
+    # Enables Vault's integrated Raft storage.  Unlike the typical HA modes where
+    # Vault's persistence is external (such as Consul), enabling Raft mode will create
     # persistent volumes for Vault to store data according to the configuration under server.dataStorage.
     # The Vault cluster will coordinate leader elections and failovers internally.
     raft:
-      
+
       # Enables Raft integrated storage
       enabled: false
+      # Set the Node Raft ID to the name of the pod
+      setNodeId: false
       config: |
         ui = true
 
-- 
GitLab


From 138b9217a5ba2a16fc762f8235ffccdc27d4f039 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Mon, 27 Apr 2020 11:39:22 -0400
Subject: [PATCH 48/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 396a339..90ba23b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ Improvements:
 * Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)]
 * Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)]
 * Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)]
+* Added configurable to set the Raft node name to hostname [[GH-269](https://github.com/hashicorp/vault-helm/pull/269)]
 
 Bugs:
 * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)]
-- 
GitLab


From c045ad89aa2a320c7335949b77330e56c89ac8bd Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Mon, 27 Apr 2020 14:49:09 -0400
Subject: [PATCH 49/79] Fix raft acceptance test (#279)

---
 test/acceptance/server-ha-raft.bats | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats
index a411f3c..b6f1f25 100644
--- a/test/acceptance/server-ha-raft.bats
+++ b/test/acceptance/server-ha-raft.bats
@@ -19,11 +19,6 @@ load _helpers
     jq -r '.initialized')
   [ "${init_status}" == "false" ]
 
-  # Security
-  local ipc=$(kubectl get statefulset "$(name_prefix)" --output json |
-    jq -r '.spec.template.spec.containers[0].securityContext.capabilities.add[0]')
-  [ "${ipc}" == "IPC_LOCK" ]
-
   # Replicas
   local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.replicas')
-- 
GitLab


From ee2827f710454997a75a0ecf0cd718a3ff213ea0 Mon Sep 17 00:00:00 2001
From: Alvin Huang <17609145+alvin-huang@users.noreply.github.com>
Date: Wed, 29 Apr 2020 14:37:18 -0400
Subject: [PATCH 50/79] add API trigger for helm charts index (#281)

---
 .circleci/config.yml | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 357aa40..9d497c0 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -6,8 +6,30 @@ jobs:
       - checkout
       - run: make test-image
       - run: make test-unit
+  update-helm-charts-index:
+    docker:
+      - image: circleci/golang:latest
+    steps:
+      - run:
+          name: update helm-charts index
+          command: |
+            curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \
+                -X POST \
+                -H 'Content-Type: application/json' \
+                -H 'Accept: application/json' \
+                -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \
+                "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline"
 workflows:
   version: 2
   build_and_test:
     jobs:
-      - bats-unit-test 
+      - bats-unit-test
+  update-helm-charts-index:
+    jobs:
+      - update-helm-charts-index:
+          context: helm-charts-trigger
+          filters:
+            tags:
+              only: /^v.*/
+            branches:
+              ignore: /.*/
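Review bot: The new `update-helm-charts-index` job runs on `circleci/golang:latest`, a mutable tag, while it holds `CIRCLE_TOKEN` from the `helm-charts-trigger` context, so whatever image that tag points to at release time is given the token. Pin the image to a fixed version, ideally by digest, e.g. `- image: circleci/golang:<PINNED_VERSION>@sha256:<DIGEST>` (placeholders). The request body is also built by interpolating `${CIRCLE_TAG}` into a JSON string, so a tag name containing a quote or backslash yields malformed or altered pipeline parameters. Tightening the tag filter from `/^v.*/` to a strict version pattern would close that off.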
-- 
GitLab


From c8b18d1876a5f8ca708cd86f288a246b776a07c6 Mon Sep 17 00:00:00 2001
From: Yong Wen Chua <lawliet89@users.noreply.github.com>
Date: Fri, 1 May 2020 09:37:27 +0800
Subject: [PATCH 51/79] Support setting priorityClassName on pods (#282)

---
 templates/injector-deployment.yaml |  3 +++
 templates/server-statefulset.yaml  |  3 +++
 test/unit/injector-deployment.bats | 22 ++++++++++++++++++++++
 test/unit/server-statefulset.bats  | 26 ++++++++++++++++++++++++--
 values.yaml                        |  6 ++++++
 5 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 4233726..1c5b951 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -27,6 +27,9 @@ spec:
       {{ template "injector.affinity" . }}
       {{ template "injector.tolerations" . }}
       {{ template "injector.nodeselector" . }}
+      {{- if .Values.injector.priorityClassName }}
+      priorityClassName: {{ .Values.injector.priorityClassName }}
+      {{- end }}
       serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
       securityContext:
         runAsNonRoot: true
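Review bot: `priorityClassName: {{ .Values.injector.priorityClassName }}` writes the value into the manifest unquoted, so a value such as `true` or `123` is rendered as a non-string scalar, and a value containing `: ` or a newline changes the structure of the pod spec. Quote it: `priorityClassName: {{ .Values.injector.priorityClassName | quote }}`. The same line is added to `templates/server-statefulset.yaml` in this commit and needs the same change.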
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 545b3d6..3f40709 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -37,6 +37,9 @@ spec:
       {{ template "vault.affinity" . }}
       {{ template "vault.tolerations" . }}
       {{ template "vault.nodeselector" . }}
+      {{- if .Values.server.priorityClassName }}
+      priorityClassName: {{ .Values.server.priorityClassName }}
+      {{- end }}
       terminationGracePeriodSeconds: 10
       serviceAccountName: {{ template "vault.fullname" . }}
       {{ if  .Values.server.shareProcessNamespace }}
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index 033ce7c..bd3f63a 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@@ -425,3 +425,25 @@ load _helpers
       yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr)
   [ "${actual}" = "testing" ]
 }
+
+#--------------------------------------------------------------------
+# priorityClassName
+
+@test "injector/deployment: priorityClassName not set by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec | .priorityClassName? == null' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "injector/deployment: priorityClassName can be set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.priorityClassName=armaggeddon' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 8e80119..3fa7ba4 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -711,7 +711,7 @@ load _helpers
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.shareProcessNamespace' | tee /dev/stderr)
 
-  [ "${actual}" = "null" ]  
+  [ "${actual}" = "null" ]
 }
 
 @test "server/standalone-StatefulSet: shareProcessNamespace enabled" {
@@ -724,7 +724,7 @@ load _helpers
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.shareProcessNamespace' | tee /dev/stderr)
 
-  [ "${actual}" = "true" ]  
+  [ "${actual}" = "true" ]
 }
 
 # extra labels
@@ -958,3 +958,25 @@ load _helpers
       yq -r '.spec.template.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+
+#--------------------------------------------------------------------
+# priorityClassName
+
+@test "server/standalone-StatefulSet: priorityClassName not set by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec | .priorityClassName? == null' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "server/standalone-StatefulSet: priorityClassName can be set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'server.priorityClassName=armaggeddon' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
diff --git a/values.yaml b/values.yaml
index 305da7b..2385dcc 100644
--- a/values.yaml
+++ b/values.yaml
@@ -103,6 +103,9 @@ injector:
   #   beta.kubernetes.io/arch: amd64
   nodeSelector: null
 
+  # Priority class for injector pods
+  priorityClassName: ""
+
 server:
   # Resource requests, limits, etc. for the server cluster placement. This
   # should map directly to the value of the resources field for a PodSpec.
@@ -227,6 +230,9 @@ server:
   #   beta.kubernetes.io/arch: amd64
   nodeSelector: {}
 
+  # Priority class for server pods
+  priorityClassName: ""
+
   # Extra labels to attach to the server pods
   # This should be a multi-line string mapping directly to the a map of
   # the labels to apply to the server pods
-- 
GitLab


From 24b13630f013b8be91b7befd2910c800648d8446 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Thu, 30 Apr 2020 18:38:42 -0700
Subject: [PATCH 52/79] Update CHANGELOG.md

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 90ba23b..6eea47b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ Improvements:
 * Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)]
 * Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)]
 * Added configurable to set the Raft node name to hostname [[GH-269](https://github.com/hashicorp/vault-helm/pull/269)]
+* Support setting priorityClassName on pods [[GH-282](https://github.com/hashicorp/vault-helm/pull/282)]
 
 Bugs:
 * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)]
-- 
GitLab


From 2af6f9b44f7cf6f4a5d6d4fd26c42b1b092ffc96 Mon Sep 17 00:00:00 2001
From: Brian Choy <bycEEE@gmail.com>
Date: Tue, 5 May 2020 08:10:17 -0700
Subject: [PATCH 53/79] Add support for priorityClassName (#165)

* Add support for priorityClassName

* Add unit tests

* Remove comment

* Update comment, accidentally deleted comment

* Remove whitespace
---
 templates/injector-deployment.yaml |  3 +++
 templates/server-statefulset.yaml  |  3 +++
 test/unit/server-statefulset.bats  | 23 +++++++++++++++++++++++
 values.yaml                        | 11 +++++++++++
 4 files changed, 40 insertions(+)

diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 1c5b951..8c947ac 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -94,6 +94,9 @@ spec:
             periodSeconds: 2
             successThreshold: 1
             timeoutSeconds: 5
+      {{- if .Values.injector.priorityClassName }}
+      priorityClassName: {{ .Values.injector.priorityClassName }}
+      {{- end }}
 {{- if .Values.injector.certs.secretName }}
           volumeMounts:
             - name: webhook-certs
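Review bot: The added `priorityClassName` block sits at pod-spec indentation in the middle of the container definition, between the probe's `timeoutSeconds: 5` and the container's `volumeMounts:`. When `injector.certs.secretName` is set, the `volumeMounts:` key that follows no longer belongs to the container and the rendered YAML is unlikely to parse. The file also already renders `priorityClassName` next to the node selector (added by the earlier priorityClassName commit in this series), so this is a second copy of the same key; the `templates/server-statefulset.yaml` hunk in this commit duplicates its key the same way. Drop both template additions and keep the existing blocks. The container definition starts and ends outside the hunk.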
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 3f40709..174feee 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -158,6 +158,9 @@ spec:
         {{- if .Values.server.extraContainers }}
           {{ toYaml .Values.server.extraContainers | nindent 8}}
         {{- end }}
+      {{- if .Values.server.priorityClassName }}
+      priorityClassName: {{ .Values.server.priorityClassName }}
+      {{- end }}
       {{- if .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 3fa7ba4..1f3f2f0 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -872,6 +872,29 @@ load _helpers
   [[ "${actual}" = *"foobar"* ]]
 }
 
+#--------------------------------------------------------------------
+# priorityClassName
+
+@test "server/standalone-StatefulSet: priorityClassName disabled by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-statefulset.yaml  \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr)
+
+  [ "${actual}" = "null" ]  
+}
+
+@test "server/standalone-StatefulSet: priorityClassName enabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-statefulset.yaml  \
+      --set 'server.priorityClassName=foo' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr)
+
+  [ "${actual}" = "foo" ]  
+
 #--------------------------------------------------------------------
 # preStop
 @test "server/standalone-StatefulSet: preStop sleep duration default" {
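Review bot: The added test `server/standalone-StatefulSet: priorityClassName enabled` is never closed: after `[ "${actual}" = "foo" ]` the hunk goes straight to the `# preStop` section without a `}`, so the file will most likely fail to parse and the tests after it will not run. Add `}` after the assertion. Both new tests also call `helm template -x`, while the other tests in this series use `--show-only`; use `--show-only templates/server-statefulset.yaml` to match. The earlier priorityClassName commit already added equivalent tests at the end of this file, so these two may be redundant.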
diff --git a/values.yaml b/values.yaml
index 2385dcc..851ef25 100644
--- a/values.yaml
+++ b/values.yaml
@@ -81,6 +81,11 @@ injector:
   #     memory: 256Mi
   #     cpu: 250m
 
+  # priorityClassName launches injector pods with a priority class.
+  # See: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+  # for more details.
+  priorityClassName: null
+
   # extraEnvironmentVars is a list of extra enviroment variables to set in the
   # injector deployment.
   extraEnvironmentVars: {}
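Review bot: `priorityClassName: null` is added under `injector:` although the same mapping already has `priorityClassName: ""` from the earlier priorityClassName commit in this series, and the second hunk of this file does the same under `server:`. Duplicate keys are invalid YAML, and most parsers silently keep the last one, so which default applies depends on key order. Keep a single key per section, and move the link to the Kubernetes pod-priority documentation onto the existing key's comment if it is wanted.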
@@ -131,6 +136,12 @@ server:
   #     cpu: 250m
 
   # Ingress allows ingress services to be created to allow external access
+  # priorityClassName launches server pods with a priority class.
+  # See: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+  # for more details.
+  priorityClassName: null
+
+  # Ingress allows ingress services to be created to allow external access 
   # from Kubernetes to access Vault pods.
   ingress:
     enabled: false
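Review bot: The block is inserted after the first line of the two-line ingress comment, which leaves `# Ingress allows ingress services to be created to allow external access` orphaned above the priorityClassName comment and then re-adds that line, with trailing whitespace, further down. Insert the new key above the whole ingress comment so the original two comment lines stay together and no line is duplicated.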
-- 
GitLab


From 08a6f929b863cc78fa82dabdc1295fa8415b9c6b Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Tue, 5 May 2020 11:29:09 -0400
Subject: [PATCH 54/79] Revert "Add support for priorityClassName (#165)"
 (#287)

This reverts commit 2af6f9b44f7cf6f4a5d6d4fd26c42b1b092ffc96.
---
 templates/injector-deployment.yaml |  3 ---
 templates/server-statefulset.yaml  |  3 ---
 test/unit/server-statefulset.bats  | 23 -----------------------
 values.yaml                        | 11 -----------
 4 files changed, 40 deletions(-)

diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 8c947ac..1c5b951 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -94,9 +94,6 @@ spec:
             periodSeconds: 2
             successThreshold: 1
             timeoutSeconds: 5
-      {{- if .Values.injector.priorityClassName }}
-      priorityClassName: {{ .Values.injector.priorityClassName }}
-      {{- end }}
 {{- if .Values.injector.certs.secretName }}
           volumeMounts:
             - name: webhook-certs
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 174feee..3f40709 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -158,9 +158,6 @@ spec:
         {{- if .Values.server.extraContainers }}
           {{ toYaml .Values.server.extraContainers | nindent 8}}
         {{- end }}
-      {{- if .Values.server.priorityClassName }}
-      priorityClassName: {{ .Values.server.priorityClassName }}
-      {{- end }}
       {{- if .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 1f3f2f0..3fa7ba4 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -872,29 +872,6 @@ load _helpers
   [[ "${actual}" = *"foobar"* ]]
 }
 
-#--------------------------------------------------------------------
-# priorityClassName
-
-@test "server/standalone-StatefulSet: priorityClassName disabled by default" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
-      . | tee /dev/stderr |
-      yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr)
-
-  [ "${actual}" = "null" ]  
-}
-
-@test "server/standalone-StatefulSet: priorityClassName enabled" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/server-statefulset.yaml  \
-      --set 'server.priorityClassName=foo' \
-      . | tee /dev/stderr |
-      yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr)
-
-  [ "${actual}" = "foo" ]  
-
 #--------------------------------------------------------------------
 # preStop
 @test "server/standalone-StatefulSet: preStop sleep duration default" {
diff --git a/values.yaml b/values.yaml
index 851ef25..2385dcc 100644
--- a/values.yaml
+++ b/values.yaml
@@ -81,11 +81,6 @@ injector:
   #     memory: 256Mi
   #     cpu: 250m
 
-  # priorityClassName launches injector pods with a priority class.
-  # See: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
-  # for more details.
-  priorityClassName: null
-
   # extraEnvironmentVars is a list of extra enviroment variables to set in the
   # injector deployment.
   extraEnvironmentVars: {}
@@ -136,12 +131,6 @@ server:
   #     cpu: 250m
 
   # Ingress allows ingress services to be created to allow external access
-  # priorityClassName launches server pods with a priority class.
-  # See: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
-  # for more details.
-  priorityClassName: null
-
-  # Ingress allows ingress services to be created to allow external access 
   # from Kubernetes to access Vault pods.
   ingress:
     enabled: false
-- 
GitLab


From 0cc1af18767f8874683baa85066395f72b0d4640 Mon Sep 17 00:00:00 2001
From: Adrienne Cohea <34219237+AdrienneCohea@users.noreply.github.com>
Date: Fri, 8 May 2020 11:35:39 -0700
Subject: [PATCH 55/79] Add init containers to support TLS certificate
 introduction and other dynamic configuration use cases. (#258)

---
 templates/server-statefulset.yaml |  4 ++
 test/unit/server-statefulset.bats | 68 +++++++++++++++++++++++++++++++
 values.yaml                       |  5 +++
 3 files changed, 77 insertions(+)

diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 3f40709..96aaf75 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -52,6 +52,10 @@ spec:
         fsGroup: {{ .Values.server.gid | default 1000 }}
       volumes:
         {{ template "vault.volumes" . }}
+      {{- if .Values.server.extraInitContainers }}
+      initContainers:
+        {{ toYaml .Values.server.extraInitContainers | nindent 8}}
+      {{- end }}
       containers:
         - name: vault
           {{ template "vault.resources" . }}
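Review bot: The values.yaml comment added in this commit describes `extraInitContainers` as "Specified as a raw YAML string", but the template passes the value straight to `toYaml`, which for a string value would emit a single scalar under `initContainers:` rather than a list of containers. The unit tests only exercise the list form. Document it as a list, e.g. `# extraInitContainers is a list of init containers, given as YAML container specs.` That comment could also state that these containers run inside the Vault pod and can write to any volume they mount, so the images listed there need the same level of trust as the Vault image.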
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 3fa7ba4..5bdc25f 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -618,6 +618,74 @@ load _helpers
   [ "${actual}" = "testing" ]
 }
 
+#--------------------------------------------------------------------
+# extraInitContainers
+
+@test "server/standalone-StatefulSet: adds extra init containers" {
+  cd `chart_dir`
+
+  # Test that it defines it
+  local object=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'server.extraInitContainers[0].image=test-image' \
+      --set 'server.extraInitContainers[0].name=test-container' \
+      --set 'server.extraInitContainers[0].ports[0].name=test-port' \
+      --set 'server.extraInitContainers[0].ports[0].containerPort=9410' \
+      --set 'server.extraInitContainers[0].ports[0].protocol=TCP' \
+      --set 'server.extraInitContainers[0].env[0].name=TEST_ENV' \
+      --set 'server.extraInitContainers[0].env[0].value=test_env_value' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.initContainers[] | select(.name == "test-container")' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+      yq -r '.name' | tee /dev/stderr)
+  [ "${actual}" = "test-container" ]
+
+  local actual=$(echo $object |
+      yq -r '.image' | tee /dev/stderr)
+  [ "${actual}" = "test-image" ]
+
+  local actual=$(echo $object |
+      yq -r '.ports[0].name' | tee /dev/stderr)
+  [ "${actual}" = "test-port" ]
+
+  local actual=$(echo $object |
+      yq -r '.ports[0].containerPort' | tee /dev/stderr)
+  [ "${actual}" = "9410" ]
+
+  local actual=$(echo $object |
+      yq -r '.ports[0].protocol' | tee /dev/stderr)
+  [ "${actual}" = "TCP" ]
+
+  local actual=$(echo $object |
+      yq -r '.env[0].name' | tee /dev/stderr)
+  [ "${actual}" = "TEST_ENV" ]
+
+  local actual=$(echo $object |
+      yq -r '.env[0].value' | tee /dev/stderr)
+  [ "${actual}" = "test_env_value" ]
+
+}
+
+@test "server/standalone-StatefulSet: add two extra init containers" {
+  cd `chart_dir`
+
+  # Test that it defines it
+  local object=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'server.extraInitContainers[0].image=test-image' \
+      --set 'server.extraInitContainers[0].name=test-container' \
+      --set 'server.extraInitContainers[1].image=test-image' \
+      --set 'server.extraInitContainers[1].name=test-container-2' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.initContainers' | tee /dev/stderr)
+
+  local containers_count=$(echo $object |
+      yq -r 'length' | tee /dev/stderr)
+  [ "${containers_count}" = 2 ]
+
+}
+
 #--------------------------------------------------------------------
 # extraContainers
 
diff --git a/values.yaml b/values.yaml
index 2385dcc..f757d13 100644
--- a/values.yaml
+++ b/values.yaml
@@ -159,6 +159,11 @@ server:
   authDelegator:
     enabled: true
 
+  # extraInitContainers is a list of init containers. Specified as a raw YAML string.
+  # This is useful if you need to run a script to provision TLS certificates or
+  # write out configuration files in a dynamic way.
+  extraInitContainers: null
+
   # extraContainers is a list of sidecar containers. Specified as a raw YAML string.
   extraContainers: null
 
-- 
GitLab


From ac6089c45ef66d4e1eed0e279364ccbb2f8a6eda Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Fri, 8 May 2020 14:36:56 -0400
Subject: [PATCH 56/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6eea47b..aff223c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
 ## Unreleased
 
 Features:
+* Added `extraInitContainers` to define init containers for the Vault cluster [GH-258](https://github.com/hashicorp/vault-helm/pull/258)
 
 Improvements:
 * Server configs can now be defined in YAML.  Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213)
-- 
GitLab


From dd8e3a230cdb7e2f0bf934d430065d29ba176d1e Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Wed, 20 May 2020 09:15:55 -0700
Subject: [PATCH 57/79] updated readme with the helm repo info (#308)

---
 README.md | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index b049825..bbc9de3 100644
--- a/README.md
+++ b/README.md
@@ -10,9 +10,9 @@ use Vault with Kubernetes, please see the
 
 ## Prerequisites
 
-To use the charts here, [Helm](https://helm.sh/) must be installed in your
-Kubernetes cluster. Setting up Kubernetes and Helm and is outside the scope
-of this README. Please refer to the Kubernetes and Helm documentation.
+To use the charts here, [Helm](https://helm.sh/) must be configured for your
+Kubernetes cluster. Setting up Kubernetes and Helm and is outside the scope of
+this README. Please refer to the Kubernetes and Helm documentation.
 
 The versions required are:
 
@@ -24,15 +24,17 @@ The versions required are:
 
 ## Usage
 
-For now, we do not host a chart repository. To use the charts, you must
-download this repository and unpack it into a directory. Either
-[download a tagged release](https://github.com/hashicorp/vault-helm/releases) or
-use `git checkout` to a tagged release.
-Assuming this repository was unpacked into the directory `vault-helm`, the chart can
-then be installed directly:
+To install the latest version of this chart, add the Hashicorp helm repository
+and run `helm install`:
 
-    helm install ./vault-helm
+```console
+$ helm repo add hashicorp https://helm.releases.hashicorp.com
+"hashicorp" has been added to your repositories
 
-Please see the many options supported in the `values.yaml`
-file. These are also fully documented directly on the
-[Vault website](https://www.vaultproject.io/docs/platform/k8s/helm).
+$ helm install vault hashicorp/vault
+```
+
+Please see the many options supported in the `values.yaml` file. These are also
+fully documented directly on the [Vault
+website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more
+detailed installation instructions.
-- 
GitLab


From 7b744295cfa6d5f6283965e09434f7c3af45ba73 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Wed, 20 May 2020 09:16:54 -0700
Subject: [PATCH 58/79] Update default values (#309)

Updating some of the default values to match how they're used in
the templates.
---
 values.yaml | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/values.yaml b/values.yaml
index f757d13..d315c87 100644
--- a/values.yaml
+++ b/values.yaml
@@ -121,7 +121,7 @@ server:
   # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
   updateStrategyType: "OnDelete"
 
-  resources:
+  resources: {}
   # resources:
   #   requests:
   #     memory: 256Mi
@@ -159,12 +159,12 @@ server:
   authDelegator:
     enabled: true
 
-  # extraInitContainers is a list of init containers. Specified as a raw YAML string.
+  # extraInitContainers is a list of init containers. Specified as a YAML list.
   # This is useful if you need to run a script to provision TLS certificates or
   # write out configuration files in a dynamic way.
   extraInitContainers: null
 
-  # extraContainers is a list of sidecar containers. Specified as a raw YAML string.
+  # extraContainers is a list of sidecar containers. Specified as a YAML list.
   extraContainers: null
 
   # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
@@ -226,21 +226,20 @@ server:
   # Toleration Settings for server pods
   # This should be a multi-line string matching the Toleration array
   # in a PodSpec.
-  tolerations: {}
+  tolerations: null
 
   # nodeSelector labels for server pod assignment, formatted as a muli-line string.
   # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
   # Example:
   # nodeSelector: |
   #   beta.kubernetes.io/arch: amd64
-  nodeSelector: {}
+  nodeSelector: null
 
   # Priority class for server pods
   priorityClassName: ""
 
   # Extra labels to attach to the server pods
-  # This should be a multi-line string mapping directly to the a map of
-  # the labels to apply to the server pods
+  # This should be a YAML map of the labels to apply to the server pods
   extraLabels: {}
 
   # Extra annotations to attach to the server pods
-- 
GitLab


From 7e5ed6bae9764d23acb0c43add21dfc47096779a Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Wed, 20 May 2020 09:18:54 -0700
Subject: [PATCH 59/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index aff223c..a69eba9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ Improvements:
 Bugs:
 * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)]
 * Fixed annotations for HA standby/active services [[GH-268](https://github.com/hashicorp/vault-helm/pull/268)]
+* Updated some value defaults to match their use in templates [[GH-309](https://github.com/hashicorp/vault-helm/pull/309)]
 
 ## 0.5.0 (April 9th, 2020)
 
-- 
GitLab


From 9a835c40f1d2897c893abadb02b5b5c48ddc4d68 Mon Sep 17 00:00:00 2001
From: Josh Keife <jkeife@gmail.com>
Date: Thu, 21 May 2020 09:58:53 -0600
Subject: [PATCH 60/79] Update comment in standby service (#299)

---
 templates/server-ha-standby-service.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml
index 302627a..2def5f7 100644
--- a/templates/server-ha-standby-service.yaml
+++ b/templates/server-ha-standby-service.yaml
@@ -1,7 +1,7 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
 {{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }}
-# Service for active Vault pod
+# Service for standby Vault pod
 apiVersion: v1
 kind: Service
 metadata:
-- 
GitLab


From 6b77840e22faa67d3148fffd4199e662cc762569 Mon Sep 17 00:00:00 2001
From: Gorka Maiztegi <gmaiztegi@gmail.com>
Date: Wed, 27 May 2020 04:28:15 +0200
Subject: [PATCH 61/79] Update ingress apiVersion (#310)

The apiVersion `extensions/v1beta1` for ingresses has been removed in Kubernetes 1.16 and the new `networking.k8s.io/v1beta1` has to be used now. This conditional keeps compatibility with older Kubernetes versions while using the new apiVersion when available.
---
 templates/server-ingress.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml
index fd9662d..b17eb5c 100644
--- a/templates/server-ingress.yaml
+++ b/templates/server-ingress.yaml
@@ -3,7 +3,11 @@
 {{- if .Values.server.ingress.enabled -}}
 {{- $serviceName := include "vault.fullname" . -}}
 {{- $servicePort := .Values.server.service.port -}}
+{{ if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
+apiVersion: networking.k8s.io/v1beta1
+{{ else }}
 apiVersion: extensions/v1beta1
+{{ end }}
 kind: Ingress
 metadata:
   name: {{ template "vault.fullname" . }}
-- 
GitLab


From 7cc905e00ece416507846159bb02bf66e594b35b Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Tue, 26 May 2020 19:31:06 -0700
Subject: [PATCH 62/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a69eba9..2561ab4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ Improvements:
 * Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)]
 * Added configurable to set the Raft node name to hostname [[GH-269](https://github.com/hashicorp/vault-helm/pull/269)]
 * Support setting priorityClassName on pods [[GH-282](https://github.com/hashicorp/vault-helm/pull/282)]
+* Add support for ingress apiVersion `networking.k8s.io/v1beta1` [[GH-310](https://github.com/hashicorp/vault-helm/pull/310)]
 
 Bugs:
 * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)]
-- 
GitLab


From 7002cc664be17f955a3be9ff540a2f8ef754e8d8 Mon Sep 17 00:00:00 2001
From: Sarah Thompson <sthompson@hashicorp.com>
Date: Wed, 27 May 2020 17:21:16 +0100
Subject: [PATCH 63/79] Get acceptance tests running against GKE in CI - merges
 to master only. (#291)

* Get acceptance tests running against GKE in CI - merges to master only.

* Adding README.md
---
 .circleci/config.yml                          | 36 +++++++++++--
 Makefile                                      | 54 +++++++++++++++++--
 test/README.md                                | 10 ++++
 test/acceptance/_helpers.bash                 |  8 +--
 .../acceptance/server-ha-enterprise-perf.bats |  6 +--
 test/docker/Test.dockerfile                   |  7 +++
 test/terraform/main.tf                        | 17 ------
 7 files changed, 108 insertions(+), 30 deletions(-)
 create mode 100644 test/README.md

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 9d497c0..ed2bf8a 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,11 +1,35 @@
 version: 2
 jobs:
   bats-unit-test:
-    machine: true
+    docker:
+        # This image is built from test/docker/Test.dockerfile
+        - image: hashicorpdev/vault-helm-test:0.1.0
     steps:
       - checkout
-      - run: make test-image
-      - run: make test-unit
+      - run: bats ./test/unit -t
+  acceptance:
+    docker:
+        # This image is build from test/docker/Test.dockerfile
+        - image: hashicorpdev/vault-helm-test:0.1.0
+
+    steps:
+        - checkout
+        - run:
+            name: terraform init & apply
+            command: |
+                echo -e "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json
+                export GOOGLE_CREDENTIALS=vault-helm-test.json
+                make provision-cluster
+        - run:
+            name: Run acceptance tests
+            command: bats ./test/acceptance -t
+
+        - run:
+            name: terraform destroy
+            command: |
+                export GOOGLE_CREDENTIALS=vault-helm-test.json
+                make destroy-cluster
+            when: always
   update-helm-charts-index:
     docker:
       - image: circleci/golang:latest
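Review bot: The `terraform init & apply` step decodes the service-account key into `vault-helm-test.json` inside the checkout with default file permissions, and nothing in the job removes it, not even the `when: always` teardown step. I would create it under a tight umask, `(umask 077; echo "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json)`, and end the `terraform destroy` step with `rm -f vault-helm-test.json`. The `-e` on `echo` also interprets backslash escapes, which base64 input does not need. The image that receives the key is referenced by a mutable tag (`hashicorpdev/vault-helm-test:0.1.0`); pinning it by digest would keep a re-pushed tag from running with these credentials.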
@@ -24,6 +48,12 @@ workflows:
   build_and_test:
     jobs:
       - bats-unit-test
+      - acceptance:
+            requires:
+                - bats-unit-test
+            filters:
+                branches:
+                    only: master
   update-helm-charts-index:
     jobs:
       - update-helm-charts-index:
diff --git a/Makefile b/Makefile
index 4698fb9..8c9bf7f 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,8 @@
 TEST_IMAGE?=vault-helm-test
+GOOGLE_CREDENTIALS?=vault-helm-test.json
+CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514
+# set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats
+ACCEPTANCE_TESTS?=acceptance
 
 test-image:
 	@docker build --rm -t '$(TEST_IMAGE)' -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR)
@@ -6,12 +10,56 @@ test-image:
 test-unit:
 	@docker run -it -v ${PWD}:/helm-test vault-helm-test bats /helm-test/test/unit
 
-test-acceptance:
-	@docker run -it -v ${PWD}:/helm-test vault-helm-test bats /helm-test/test/acceptance
-
 test-bats: test-unit test-acceptance
 
 test: test-image test-bats
 
+# run acceptance tests on GKE
+# set google project/credential vars above
+test-acceptance:
+	@docker run -it -v ${PWD}:/helm-test \
+	-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
+	-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
+	-e KUBECONFIG=/helm-test/.kube/config \
+	-w /helm-test \
+	$(TEST_IMAGE) \
+	make acceptance
+	
+# destroy GKE cluster using terraform
+test-destroy:
+	@docker run -it -v ${PWD}:/helm-test \
+	-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
+	-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
+	-w /helm-test \
+	$(TEST_IMAGE) \
+	make destroy-cluster
+
+# provision GKE cluster using terraform
+test-provision:
+	@docker run -it -v ${PWD}:/helm-test \
+	-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
+	-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
+	-e KUBECONFIG=/helm-test/.kube/config \
+	-w /helm-test \
+	$(TEST_IMAGE) \
+	make provision-cluster
+
+# this target is for running the acceptance tests
+# it is run in the docker container above when the test-acceptance target is invoked
+acceptance:
+	gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
+	bats test/${ACCEPTANCE_TESTS}
+
+# this target is for provisioning the GKE cluster
+# it is run in the docker container above when the test-provision target is invoked
+provision-cluster:
+	gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
+	terraform init test/terraform
+	terraform apply -var project=${CLOUDSDK_CORE_PROJECT} -var init_cli=true -auto-approve test/terraform
+
+# this target is for removing the GKE cluster
+# it is run in the docker container above when the test-destroy target is invoked
+destroy-cluster:
+	terraform destroy -auto-approve
 
 .PHONY: test-docker
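Review bot: `destroy-cluster` runs `terraform destroy -auto-approve` with neither the `test/terraform` path nor the `-var project=...` that `provision-cluster` passes to `terraform apply`, so teardown may not resolve the same configuration and variables as the apply did. I can't tell from the hunk whether `project` has a default. If the destroy fails, the GKE cluster created for the test stays up under the CI service account. I would mirror the apply: `terraform destroy -var project=${CLOUDSDK_CORE_PROJECT} -auto-approve test/terraform`. The new targets are also missing from `.PHONY`.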
diff --git a/test/README.md b/test/README.md
new file mode 100644
index 0000000..e4ce891
--- /dev/null
+++ b/test/README.md
@@ -0,0 +1,10 @@
+# Running Vault Helm Acceptance tests
+
+The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance.
+
+* Set the GOOGLE_CREDENTIALS and CLOUDSDK_CORE_PROJECT variables at the top of the file. GOOGLE_CREDENTIALS should contain the local path to your Google Cloud Platform account credentials in JSON format. CLOUDSDK_CORE_PROJECT should be set to the ID of your GCP project.
+* Run `make test-image` to create the docker image (with dependencies installed) that will be re-used in the below steps.
+* Run `make test-provision` to provision the GKE cluster using terraform.
+* Run `make test-acceptance` to run the acceptance tests in this already provisioned cluster.
+* You can choose to only run certain tests by setting the ACCEPTANCE_TESTS variable and re-running the above target.
+* Run `make test-destroy` when you have finished testing and want to tear-down and remove the cluster.
\ No newline at end of file
diff --git a/test/acceptance/_helpers.bash b/test/acceptance/_helpers.bash
index 031daf5..466a517 100644
--- a/test/acceptance/_helpers.bash
+++ b/test/acceptance/_helpers.bash
@@ -65,7 +65,7 @@ wait_for_running_consul() {
     done
 
     echo "consul clients never became ready."
-    exit 1
+    return 1
 }
 
 # wait for a pod to be ready
@@ -96,7 +96,7 @@ wait_for_running() {
     done
 
     echo "${POD_NAME} never became ready."
-    exit 1
+    return 1
 }
 
 wait_for_ready() {
@@ -126,7 +126,7 @@ wait_for_ready() {
     done
 
     echo "${POD_NAME} never became ready."
-    exit 1
+    return 1
 }
 
 wait_for_complete_job() {
@@ -155,5 +155,5 @@ wait_for_complete_job() {
     done
 
     echo "${POD_NAME} never completed."
-    exit 1
+    return 1
 }
diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats
index 6543663..48f9887 100644
--- a/test/acceptance/server-ha-enterprise-perf.bats
+++ b/test/acceptance/server-ha-enterprise-perf.bats
@@ -35,7 +35,7 @@ load _helpers
   kubectl exec -ti "$(name_prefix)-east-0" -- vault operator unseal ${primary_token}
   wait_for_ready "$(name_prefix)-east-0"
 
-  sleep 10
+  sleep 30
 
   # Vault Unseal
   local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name'))
@@ -103,7 +103,7 @@ load _helpers
   kubectl exec -ti "$(name_prefix)-west-0" -- vault operator unseal ${secondary_token}
   wait_for_ready "$(name_prefix)-west-0"
 
-  sleep 10
+  sleep 30
 
   # Vault Unseal
   local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
@@ -134,7 +134,7 @@ load _helpers
 
   kubectl exec -ti "$(name_prefix)-west-0" -- vault write sys/replication/performance/secondary/enable token=${secondary_replica_token}
 
-  sleep 10
+  sleep 30
 
   local pods=($(kubectl get pods --selector='app.kubernetes.io/instance=vault-west' -o json | jq -r '.items[].metadata.name'))
   for pod in "${pods[@]}"
diff --git a/test/docker/Test.dockerfile b/test/docker/Test.dockerfile
index 003a06f..9bbe478 100644
--- a/test/docker/Test.dockerfile
+++ b/test/docker/Test.dockerfile
@@ -10,6 +10,7 @@ FROM alpine:latest
 WORKDIR /root
 
 ENV BATS_VERSION "1.1.0"
+ENV TERRAFORM_VERSION "0.12.10"
 
 # base packages
 RUN apk update && apk add --no-cache --virtual .build-deps \
@@ -21,6 +22,7 @@ RUN apk update && apk add --no-cache --virtual .build-deps \
     python \
     py-pip \
     git \
+    make \
     jq
 
 # yq
@@ -31,6 +33,11 @@ RUN curl -OL https://dl.google.com/dl/cloudsdk/channels/rapid/install_google_clo
     bash install_google_cloud_sdk.bash --disable-prompts --install-dir='/root/' && \
     ln -s /root/google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud
 
+# terraform
+RUN curl -sSL https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip -o /tmp/tf.zip \
+    && unzip /tmp/tf.zip  \
+    && ln -s /root/terraform /usr/local/bin/terraform
+
 # kubectl
 RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && \
     chmod +x ./kubectl && \
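Review bot: The terraform archive is fetched with `curl` and unpacked without any integrity check, and this image then runs the CI job that holds the GCP service-account key. HashiCorp publishes a `terraform_<version>_SHA256SUMS` file (and a detached signature) next to each release; I would verify the zip against it before `unzip`, and add `-f` so an HTTP error page is not saved as the archive. Checking the sums file's signature, or pinning the expected digest in the Dockerfile, is stronger than a checksum fetched from the same host. The kubectl `RUN` that follows continues outside this hunk.

```dockerfile
# terraform
RUN curl -fsSLO https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip \
    && curl -fsSLO https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS \
    && grep "terraform_${TERRAFORM_VERSION}_linux_amd64.zip" terraform_${TERRAFORM_VERSION}_SHA256SUMS | sha256sum -c - \
    && unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip \
    && rm terraform_${TERRAFORM_VERSION}_linux_amd64.zip terraform_${TERRAFORM_VERSION}_SHA256SUMS \
    && ln -s /root/terraform /usr/local/bin/terraform
```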
diff --git a/test/terraform/main.tf b/test/terraform/main.tf
index e3fc2ef..1c3f035 100644
--- a/test/terraform/main.tf
+++ b/test/terraform/main.tf
@@ -1,8 +1,5 @@
 provider "google" {
   project = "${var.project}"
-  region  = "us-central1"
-
-  credentials = "${file("vault-helm-dev-creds.json")}"
 }
 
 resource "random_id" "suffix" {
@@ -18,20 +15,6 @@ data "google_service_account" "gcpapi" {
   account_id = "${var.gcp_service_account}"
 }
 
-resource "google_kms_key_ring" "keyring" {
-  name     = "vault-helm-unseal-kr"
-  location = "global"
-}
-
-resource "google_kms_crypto_key" "vault-helm-unseal-key" {
-  name            = "vault-helm-unseal-key"
-  key_ring        = "${google_kms_key_ring.keyring.self_link}"
-
-  lifecycle {
-    prevent_destroy = true
-  }
-}
-
 resource "google_container_cluster" "cluster" {
   name               = "vault-helm-dev-${random_id.suffix.dec}"
   project            = "${var.project}"
-- 
GitLab


From d755ad1ba03c088ac2f2d481ddc8e0fca3b01fda Mon Sep 17 00:00:00 2001
From: georgekaz <egeorgekaz@gmail.com>
Date: Thu, 28 May 2020 19:51:25 +0100
Subject: [PATCH 64/79] Use active service on ingress when ha (#270)

Added some logic that points the ingress at the active server
when in ha mode. There are times that pointing at the standby
pods causes problems.
---
 templates/server-ingress.yaml |  3 +++
 test/unit/server-ingress.bats | 28 ++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml
index b17eb5c..9b3d112 100644
--- a/templates/server-ingress.yaml
+++ b/templates/server-ingress.yaml
@@ -2,6 +2,9 @@
 {{- if ne .mode "external" }}
 {{- if .Values.server.ingress.enabled -}}
 {{- $serviceName := include "vault.fullname" . -}}
+{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }}
+{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
+{{- end }}
 {{- $servicePort := .Values.server.service.port -}}
 {{ if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
 apiVersion: networking.k8s.io/v1beta1
diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats
index 8660920..5af4938 100755
--- a/test/unit/server-ingress.bats
+++ b/test/unit/server-ingress.bats
@@ -93,3 +93,31 @@ load _helpers
       yq -r '.metadata.annotations["kubernetes.io/ingress.class"]' | tee /dev/stderr)
   [ "${actual}" = "nginx" ]
 }
+
+@test "server/ingress: uses active service when ha - yaml" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-ingress.yaml \
+      --set 'server.ingress.enabled=true' \
+      --set 'server.dev.enabled=false' \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr)
+  [ "${actual}" = "RELEASE-NAME-vault-active" ]
+}
+
+@test "server/ingress: uses regular service when not ha - yaml" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-ingress.yaml \
+      --set 'server.ingress.enabled=true' \
+      --set 'server.dev.enabled=false' \
+      --set 'server.ha.enabled=false' \
+      --set 'server.service.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr)
+  [ "${actual}" = "RELEASE-NAME-vault" ]
+}
\ No newline at end of file
-- 
GitLab


From 42153168182e6e8eb1aaa4873c39a42d46ea0159 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Thu, 28 May 2020 14:53:46 -0400
Subject: [PATCH 65/79] Add postStart lifecycle hook (#315)

* Add postStart lifecycle hook

* Update values.yaml

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
---
 templates/server-statefulset.yaml |  8 ++++++++
 test/unit/server-statefulset.bats | 21 +++++++++++++++++++++
 values.yaml                       |  8 ++++++++
 3 files changed, 37 insertions(+)

diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 96aaf75..69a925f 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -159,6 +159,14 @@ spec:
                   # to this pod while it's terminating
                   "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)",
                 ]
+            {{- if .Values.server.postStart }}
+            postStart:
+              exec:
+                command:
+                {{- range (.Values.server.postStart) }}
+                - {{ . | quote }}
+                {{- end }}
+            {{- end }}
         {{- if .Values.server.extraContainers }}
           {{ toYaml .Values.server.extraContainers | nindent 8}}
         {{- end }}
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 5bdc25f..7e7678c 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -1048,3 +1048,24 @@ load _helpers
       yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+
+#--------------------------------------------------------------------
+# postStart
+@test "server/standalone-StatefulSet: postStart disabled by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].lifecycle.postStart' | tee /dev/stderr)
+  [ "${actual}" = "null" ]
+}
+
+@test "server/standalone-StatefulSet: postStart can be set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set='server.postStart={/bin/sh,-c,sleep}' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].lifecycle.postStart.exec.command[0]' | tee /dev/stderr)
+  [ "${actual}" = "/bin/sh" ]
+}
diff --git a/values.yaml b/values.yaml
index d315c87..d1bbaf4 100644
--- a/values.yaml
+++ b/values.yaml
@@ -188,6 +188,14 @@ server:
   # Used to set the sleep time during the preStop step
   preStopSleepSeconds: 5
 
+  # Used to define commands to run after the pod is ready.
+  # This can be used to automate processes such as initialization
+  # or boostrapping auth methods.
+  postStart: []
+  # - /bin/sh
+  # - -c
+  # - /vault/userconfig/myscript/run.sh
+
   # extraEnvironmentVars is a list of extra enviroment variables to set with the stateful set. These could be
   # used to include variables required for auto-unseal.
   extraEnvironmentVars: {}
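Review bot: The added comment says the `postStart` commands run "after the pod is ready", but a Kubernetes postStart hook fires as soon as the container is created, with no ordering guarantee against the container's entrypoint, so a script used for initialization can run before Vault is listening. I would reword it to `# Commands for the container's postStart hook; Kubernetes runs it right after the container is created, not once the pod is Ready, so scripts should wait for Vault themselves.` The hook runs inside the Vault container, so the comment could also say that an initialization script should not leave unseal keys or a root token on the pod filesystem. `boostrapping` is a typo for `bootstrapping`.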
-- 
GitLab


From e58051e3c6c51a8faeb16f409132ab157e51cae8 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Thu, 28 May 2020 11:54:52 -0700
Subject: [PATCH 66/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2561ab4..944f28f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ Bugs:
 * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)]
 * Fixed annotations for HA standby/active services [[GH-268](https://github.com/hashicorp/vault-helm/pull/268)]
 * Updated some value defaults to match their use in templates [[GH-309](https://github.com/hashicorp/vault-helm/pull/309)]
+* Use active service on ingress when ha [[GH-270](https://github.com/hashicorp/vault-helm/pull/270)]
 
 ## 0.5.0 (April 9th, 2020)
 
-- 
GitLab


From cd7591b0f81de017f4c1cf3d0cd5d451fe3dd709 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Thu, 28 May 2020 14:55:47 -0400
Subject: [PATCH 67/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 944f28f..d0ff27c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 Features:
 * Added `extraInitContainers` to define init containers for the Vault cluster [GH-258](https://github.com/hashicorp/vault-helm/pull/258)
+* Added `postStart` lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready [GH-315](https://github.com/hashicorp/vault-helm/pull/315)
 
 Improvements:
 * Server configs can now be defined in YAML.  Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213)
-- 
GitLab


From 78ca71d2eb57be5a1811813c8028d8a9f1db76fa Mon Sep 17 00:00:00 2001
From: lukemassa <lukefrederickmassa@gmail.com>
Date: Thu, 28 May 2020 22:47:41 -0400
Subject: [PATCH 68/79] Removing namespace from yaml of non-namespaced objects
 (#300)

---
 templates/injector-clusterrolebinding.yaml | 1 -
 templates/server-clusterrolebinding.yaml   | 1 -
 2 files changed, 2 deletions(-)

diff --git a/templates/injector-clusterrolebinding.yaml b/templates/injector-clusterrolebinding.yaml
index 9826693..35d30b3 100644
--- a/templates/injector-clusterrolebinding.yaml
+++ b/templates/injector-clusterrolebinding.yaml
@@ -3,7 +3,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ template "vault.fullname" . }}-agent-injector-binding
-  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
     app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml
index 733764f..37e06e9 100644
--- a/templates/server-clusterrolebinding.yaml
+++ b/templates/server-clusterrolebinding.yaml
@@ -5,7 +5,6 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
   name: {{ template "vault.fullname" . }}-server-binding
-  namespace: {{ .Release.Namespace }}
   labels:
     helm.sh/chart: {{ include "vault.chart" . }}
     app.kubernetes.io/name: {{ include "vault.name" . }}
-- 
GitLab


From 8e982a6c9d080182b6476f1caf5c426e17dd4e8b Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Tue, 2 Jun 2020 07:06:50 -0700
Subject: [PATCH 69/79] Allow setting HA services type (#317)

Making the types for active and standby services configurable (just
like the main vault service).
---
 templates/server-ha-active-service.yaml  |  18 ++-
 templates/server-ha-standby-service.yaml |  18 ++-
 test/unit/server-ha-active-service.bats  | 145 +++++++++++++++++++++++
 test/unit/server-ha-standby-service.bats | 145 +++++++++++++++++++++++
 4 files changed, 316 insertions(+), 10 deletions(-)

diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml
index 01f962d..b6366b0 100644
--- a/templates/server-ha-active-service.yaml
+++ b/templates/server-ha-active-service.yaml
@@ -15,13 +15,21 @@ metadata:
   annotations:
 {{ template "vault.service.annotations" .}}
 spec:
-  type: ClusterIP
+  {{- if .Values.server.service.type}}
+  type: {{ .Values.server.service.type }}
+  {{- end}}
+  {{- if .Values.server.service.clusterIP }}
+  clusterIP: {{ .Values.server.service.clusterIP }}
+  {{- end }}
   publishNotReadyAddresses: true
   ports:
-    - name: http
-      port: 8200
-      targetPort: 8200
-    - name: internal
+    - name: {{ include "vault.scheme" . }}
+      port: {{ .Values.server.service.port }}
+      targetPort: {{ .Values.server.service.targetPort }}
+      {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
+      nodePort: {{ .Values.server.service.nodePort }}
+      {{- end }}
+    - name: https-internal
       port: 8201
       targetPort: 8201
   selector:
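Review bot: With `type` now taken from `server.service.type`, setting that value to `NodePort` or `LoadBalancer` also publishes this service's `https-internal` port 8201 outside the cluster, where the service was previously pinned to `ClusterIP`; the standby-service hunk makes the same change. If 8201 is Vault's server-to-server cluster port, as the port name suggests, it should stay internal, so I would either keep the HA services' type under a separate value defaulting to `ClusterIP` or document the wider exposure in values.yaml. Separately, `nodePort: {{ .Values.server.service.nodePort }}` is rendered in both HA services, and presumably in the main service as well. Kubernetes will not allocate one node port to more than one Service, so a fixed `nodePort` likely makes all but the first fail to create.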
diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml
index 2def5f7..473de55 100644
--- a/templates/server-ha-standby-service.yaml
+++ b/templates/server-ha-standby-service.yaml
@@ -15,13 +15,21 @@ metadata:
   annotations:
 {{ template "vault.service.annotations" .}}
 spec:
-  type: ClusterIP
+  {{- if .Values.server.service.type}}
+  type: {{ .Values.server.service.type }}
+  {{- end}}
+  {{- if .Values.server.service.clusterIP }}
+  clusterIP: {{ .Values.server.service.clusterIP }}
+  {{- end }}
   publishNotReadyAddresses: true
   ports:
-    - name: http
-      port: 8200
-      targetPort: 8200
-    - name: internal
+    - name: {{ include "vault.scheme" . }}
+      port: {{ .Values.server.service.port }}
+      targetPort: {{ .Values.server.service.targetPort }}
+      {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
+      nodePort: {{ .Values.server.service.nodePort }}
+      {{- end }}
+    - name: https-internal
       port: 8201
       targetPort: 8201
   selector:
diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats
index 4e6ad1a..be3060d 100644
--- a/test/unit/server-ha-active-service.bats
+++ b/test/unit/server-ha-active-service.bats
@@ -12,3 +12,148 @@ load _helpers
       yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+
+@test "server/ha-active-Service: disable with ha.enabled false" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-ha-active-service.yaml  \
+      --set 'server.ha.enabled=false' \
+      --set 'server.service.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/ha-active-Service: disable with server.service.enabled false" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-ha-active-service.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.enabled=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/ha-active-Service: type empty by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-active-service.yaml \
+      --set 'server.ha.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.type' | tee /dev/stderr)
+  [ "${actual}" = "null" ]
+}
+
+@test "server/ha-active-Service: type can set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-active-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.type=NodePort' \
+      . | tee /dev/stderr |
+      yq -r '.spec.type' | tee /dev/stderr)
+  [ "${actual}" = "NodePort" ]
+}
+
+@test "server/ha-active-Service: clusterIP empty by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-active-service.yaml \
+      --set 'server.ha.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.clusterIP' | tee /dev/stderr)
+  [ "${actual}" = "null" ]
+}
+
+@test "server/ha-active-Service: clusterIP can set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-active-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.clusterIP=None' \
+      . | tee /dev/stderr |
+      yq -r '.spec.clusterIP' | tee /dev/stderr)
+  [ "${actual}" = "None" ]
+}
+
+@test "server/ha-active-Service: port and targetPort will be 8200 by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-active-service.yaml \
+      --set 'server.ha.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[0].port' | tee /dev/stderr)
+  [ "${actual}" = "8200" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-ha-active-service.yaml \
+      --set 'server.ha.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[0].targetPort' | tee /dev/stderr)
+  [ "${actual}" = "8200" ]
+}
+
+@test "server/ha-active-Service: port and targetPort can be set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-active-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.port=8000' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[0].port' | tee /dev/stderr)
+  [ "${actual}" = "8000" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-ha-active-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.targetPort=80' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[0].targetPort' | tee /dev/stderr)
+  [ "${actual}" = "80" ]
+}
+
+@test "server/ha-active-Service: nodeport can set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-active-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.type=NodePort' \
+      --set 'server.service.nodePort=30009' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[0].nodePort' | tee /dev/stderr)
+  [ "${actual}" = "30009" ]
+}
+
+@test "server/ha-active-Service: nodeport can't set when type isn't NodePort" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-active-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.nodePort=30009' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[0].nodePort' | tee /dev/stderr)
+  [ "${actual}" = "null" ]
+}
+
+@test "server/ha-active-Service: vault port name is http, when tlsDisable is true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-active-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'global.tlsDisable=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr)
+  [ "${actual}" = "http" ]
+}
+
+@test "server/ha-active-Service: vault port name is https, when tlsDisable is false" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-active-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'global.tlsDisable=false' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr)
+  [ "${actual}" = "https" ]
+}
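Review bot: The two `disable` tests pass on any `helm template` failure, not only when the Service is not rendered, because `|| echo "---"` turns every non-zero exit into an empty document that `yq 'length > 0'` reports as `false`. A template syntax error in server-ha-active-service.yaml would therefore look like a correctly disabled Service. Checking helm's exit status and message separately from the rendered output would keep the two cases apart. The same pattern is repeated in the server-ha-standby-service.bats hunk below. The port tests also read `.spec.ports[0]` by position, while the `tlsDisable` tests select with `.port==8200`, which is the sturdier form.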
diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats
index f2f0043..e164cde 100644
--- a/test/unit/server-ha-standby-service.bats
+++ b/test/unit/server-ha-standby-service.bats
@@ -23,3 +23,148 @@ load _helpers
       yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+
+@test "server/ha-standby-Service: disable with ha.enabled false" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-ha-standby-service.yaml  \
+      --set 'server.ha.enabled=false' \
+      --set 'server.service.enabled=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/ha-standby-Service: disable with server.service.enabled false" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-ha-standby-service.yaml  \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.enabled=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/ha-standby-Service: type empty by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-standby-service.yaml \
+      --set 'server.ha.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.type' | tee /dev/stderr)
+  [ "${actual}" = "null" ]
+}
+
+@test "server/ha-standby-Service: type can set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-standby-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.type=NodePort' \
+      . | tee /dev/stderr |
+      yq -r '.spec.type' | tee /dev/stderr)
+  [ "${actual}" = "NodePort" ]
+}
+
+@test "server/ha-standby-Service: clusterIP empty by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-standby-service.yaml \
+      --set 'server.ha.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.clusterIP' | tee /dev/stderr)
+  [ "${actual}" = "null" ]
+}
+
+@test "server/ha-standby-Service: clusterIP can set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-standby-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.clusterIP=None' \
+      . | tee /dev/stderr |
+      yq -r '.spec.clusterIP' | tee /dev/stderr)
+  [ "${actual}" = "None" ]
+}
+
+@test "server/ha-standby-Service: port and targetPort will be 8200 by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-standby-service.yaml \
+      --set 'server.ha.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[0].port' | tee /dev/stderr)
+  [ "${actual}" = "8200" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-ha-standby-service.yaml \
+      --set 'server.ha.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[0].targetPort' | tee /dev/stderr)
+  [ "${actual}" = "8200" ]
+}
+
+@test "server/ha-standby-Service: port and targetPort can be set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-standby-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.port=8000' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[0].port' | tee /dev/stderr)
+  [ "${actual}" = "8000" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-ha-standby-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.targetPort=80' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[0].targetPort' | tee /dev/stderr)
+  [ "${actual}" = "80" ]
+}
+
+@test "server/ha-standby-Service: nodeport can set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-standby-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.type=NodePort' \
+      --set 'server.service.nodePort=30009' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[0].nodePort' | tee /dev/stderr)
+  [ "${actual}" = "30009" ]
+}
+
+@test "server/ha-standby-Service: nodeport can't set when type isn't NodePort" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-standby-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'server.service.nodePort=30009' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[0].nodePort' | tee /dev/stderr)
+  [ "${actual}" = "null" ]
+}
+
+@test "server/ha-standby-Service: vault port name is http, when tlsDisable is true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-standby-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'global.tlsDisable=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr)
+  [ "${actual}" = "http" ]
+}
+
+@test "server/ha-standby-Service: vault port name is https, when tlsDisable is false" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-ha-standby-service.yaml \
+      --set 'server.ha.enabled=true' \
+      --set 'global.tlsDisable=false' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr)
+  [ "${actual}" = "https" ]
+}
-- 
GitLab


From 4f81ac070baf4f4ee68de1957c1abdd3b694aa1e Mon Sep 17 00:00:00 2001
From: ttinkr <34622932+ttinkr@users.noreply.github.com>
Date: Tue, 2 Jun 2020 16:09:48 +0200
Subject: [PATCH 70/79] imagePullSecrets in injector-deployment (#298)

Co-authored-by: ttinkr <thomas.fellinger@nts.eu>
---
 templates/injector-deployment.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 1c5b951..9ab89f1 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -104,4 +104,8 @@ spec:
           secret:
             secretName: "{{ .Values.injector.certs.secretName }}"
 {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
 {{ end }}
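Review bot: No unit test accompanies the new `imagePullSecrets` block; the diffstat lists only templates/injector-deployment.yaml. A bats case in test/unit/injector-deployment.bats that sets `global.imagePullSecrets` and reads `.spec.template.spec.imagePullSecrets` would pin both the condition and the `nindent 8` placement. The enclosing Deployment template begins outside this hunk.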
-- 
GitLab


From d1ad4ff4032ff9b520fdec923befd1755a881ed2 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Tue, 2 Jun 2020 10:12:13 -0400
Subject: [PATCH 71/79] changelog++

---
 CHANGELOG.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d0ff27c..a8c8d99 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,13 +11,15 @@ Improvements:
 * Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)]
 * Added configurable to set the Raft node name to hostname [[GH-269](https://github.com/hashicorp/vault-helm/pull/269)]
 * Support setting priorityClassName on pods [[GH-282](https://github.com/hashicorp/vault-helm/pull/282)]
-* Add support for ingress apiVersion `networking.k8s.io/v1beta1` [[GH-310](https://github.com/hashicorp/vault-helm/pull/310)]
+* Added support for ingress apiVersion `networking.k8s.io/v1beta1` [[GH-310](https://github.com/hashicorp/vault-helm/pull/310)]
+* Added configurable to change service type for the HA active service [GH-317](https://github.com/hashicorp/vault-helm/pull/317)
 
 Bugs:
 * Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)]
 * Fixed annotations for HA standby/active services [[GH-268](https://github.com/hashicorp/vault-helm/pull/268)]
 * Updated some value defaults to match their use in templates [[GH-309](https://github.com/hashicorp/vault-helm/pull/309)]
 * Use active service on ingress when ha [[GH-270](https://github.com/hashicorp/vault-helm/pull/270)]
+* Fixed bug where pull secrets weren't being used for injector image [GH-298](https://github.com/hashicorp/vault-helm/pull/298)
 
 ## 0.5.0 (April 9th, 2020)
 
-- 
GitLab


From 7f7fb7bad01bb872c82eb934673f1fa8deb07e17 Mon Sep 17 00:00:00 2001
From: Alvin Huang <17609145+alvin-huang@users.noreply.github.com>
Date: Tue, 2 Jun 2020 11:38:59 -0400
Subject: [PATCH 72/79] check that git tag == chart tag on tagged releases
 (#316)

---
 .circleci/config.yml | 70 ++++++++++++++++++++++++++++----------------
 1 file changed, 44 insertions(+), 26 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index ed2bf8a..0a9c31f 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,39 +1,53 @@
-version: 2
+version: 2.1
+orbs:
+  slack: circleci/slack@3.4.2
+
 jobs:
   bats-unit-test:
     docker:
-        # This image is built from test/docker/Test.dockerfile
-        - image: hashicorpdev/vault-helm-test:0.1.0
+      # This image is built from test/docker/Test.dockerfile
+      - image: hashicorpdev/vault-helm-test:0.1.0
     steps:
       - checkout
       - run: bats ./test/unit -t
   acceptance:
     docker:
-        # This image is build from test/docker/Test.dockerfile
-        - image: hashicorpdev/vault-helm-test:0.1.0
+      # This image is build from test/docker/Test.dockerfile
+      - image: hashicorpdev/vault-helm-test:0.1.0
 
     steps:
-        - checkout
-        - run:
-            name: terraform init & apply
-            command: |
-                echo -e "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json
-                export GOOGLE_CREDENTIALS=vault-helm-test.json
-                make provision-cluster
-        - run:
-            name: Run acceptance tests
-            command: bats ./test/acceptance -t
+      - checkout
+      - run:
+          name: terraform init & apply
+          command: |
+            echo -e "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json
+            export GOOGLE_CREDENTIALS=vault-helm-test.json
+            make provision-cluster
+      - run:
+          name: Run acceptance tests
+          command: bats ./test/acceptance -t
 
-        - run:
-            name: terraform destroy
-            command: |
-                export GOOGLE_CREDENTIALS=vault-helm-test.json
-                make destroy-cluster
-            when: always
+      - run:
+          name: terraform destroy
+          command: |
+            export GOOGLE_CREDENTIALS=vault-helm-test.json
+            make destroy-cluster
+          when: always
   update-helm-charts-index:
     docker:
       - image: circleci/golang:latest
     steps:
+      - checkout
+      - run:
+          name: verify Chart version matches tag version
+          command: |
+            GO111MODULE=on go get github.com/mikefarah/yq/v2
+            git_tag=$(echo "${CIRCLE_TAG#v}")
+            chart_tag=$(yq r Chart.yaml version)
+            if [ "${git_tag}" != "${chart_tag}" ]; then
+              echo "chart version (${chart_tag}) did not match git version (${git_tag})"
+              exit 1
+            fi
       - run:
           name: update helm-charts index
           command: |
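Review bot: `GO111MODULE=on go get github.com/mikefarah/yq/v2` installs whatever yq version resolves at release time, in the same job that goes on to trigger the helm-charts index pipeline, and the job's `circleci/golang:latest` image is unpinned as well. A changed or compromised upstream release would then run in the release path without any change to this repository. Pin the module, e.g. `GO111MODULE=on go get github.com/mikefarah/yq/v2@<PINNED_VERSION>`, and preferably pin the image by tag or digest. As a minor point, `git_tag=$(echo "${CIRCLE_TAG#v}")` can be written `git_tag="${CIRCLE_TAG#v}"`.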
@@ -43,17 +57,21 @@ jobs:
                 -H 'Accept: application/json' \
                 -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \
                 "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline"
+      - slack/status:
+          fail_only: true
+          failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}"
+
 workflows:
   version: 2
   build_and_test:
     jobs:
       - bats-unit-test
       - acceptance:
-            requires:
-                - bats-unit-test
-            filters:
-                branches:
-                    only: master
+          requires:
+            - bats-unit-test
+          filters:
+            branches:
+              only: master
   update-helm-charts-index:
     jobs:
       - update-helm-charts-index:
-- 
GitLab


From 853cb06842b015859cd82d50e96fd61c77247d56 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Tue, 2 Jun 2020 22:10:41 -0400
Subject: [PATCH 73/79] Add OpenShift beta support (#319)

* Initial commit

* Added openshift flag

* added self signed certificate for service annotation

* added OpenShift flag

* Added OpenShift flag

* cleanup

* Cleanup

* Further cleanup

* Further cleanup

* reverted security context on injector

* Extra corrections

* cleanup

* Removed Raft config for OpenShift, removed generated certs for ha and standby services

* Add openshift flag to global block, route disabled by default, condition for injector in network policy

* Added Unit tests for OpenShift

* Fixed unit test for HA statefulset for OpenShift

* Removed debug log level from stateful set

* Added port 8201 to networkpolicy

* Updated injector image

* Add openshift beta support

* Add openshift beta support

* Remove comments from configs

* Remove vault-k8s note from values

* Change route to use active service when HA

Co-authored-by: Radu Domnu <radu.domnu@sixdx.com>
Co-authored-by: Radu Domnu <radu.domnu@gmail.com>
---
 templates/_helpers.tpl                        |  15 +++
 templates/injector-deployment.yaml            |   6 +
 templates/injector-network-policy.yaml        |  21 ++++
 templates/server-ingress.yaml                 |   2 +
 templates/server-network-policy.yaml          |  22 ++++
 templates/server-route.yaml                   |  33 +++++
 templates/server-statefulset.yaml             |   8 ++
 .../injector-test/pg-deployment.yaml          |   2 +-
 test/acceptance/server-dev.bats               |   2 +-
 test/acceptance/server-ha-enterprise-dr.bats  |   4 +-
 .../acceptance/server-ha-enterprise-perf.bats |   4 +-
 test/acceptance/server-ha-raft.bats           |   4 +-
 test/acceptance/server-ha.bats                |   4 +-
 test/acceptance/server.bats                   |   9 +-
 test/unit/injector-deployment.bats            |  35 ++++++
 test/unit/server-dev-statefulset.bats         |  22 ++--
 test/unit/server-ha-active-service.bats       |   0
 test/unit/server-ha-standby-service.bats      |   0
 test/unit/server-ha-statefulset.bats          |  43 +++++--
 test/unit/server-network-policy.bats          |  22 ++++
 test/unit/server-route.bats                   | 116 ++++++++++++++++++
 test/unit/server-statefulset.bats             |  40 ++++--
 values.yaml                                   |  17 ++-
 23 files changed, 382 insertions(+), 49 deletions(-)
 create mode 100644 templates/injector-network-policy.yaml
 create mode 100644 templates/server-network-policy.yaml
 create mode 100644 templates/server-route.yaml
 mode change 100644 => 100755 test/unit/server-ha-active-service.bats
 mode change 100644 => 100755 test/unit/server-ha-standby-service.bats
 create mode 100755 test/unit/server-network-policy.bats
 create mode 100755 test/unit/server-route.bats

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index bab233b..5c88b18 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -318,6 +318,21 @@ Sets extra ingress annotations
   {{- end }}
 {{- end -}}
 
+{{/*
+Sets extra route annotations
+*/}}
+{{- define "vault.route.annotations" -}}
+  {{- if .Values.server.route.annotations }}
+  annotations:
+    {{- $tp := typeOf .Values.server.route.annotations }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.server.route.annotations . | nindent 4 }}
+    {{- else }}
+      {{- toYaml .Values.server.route.annotations | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
 {{/*
 Sets extra vault server Service annotations
 */}}
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 9ab89f1..8768f7d 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -31,10 +31,12 @@ spec:
       priorityClassName: {{ .Values.injector.priorityClassName }}
       {{- end }}
       serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
+      {{- if not .Values.global.openshift }}
       securityContext:
         runAsNonRoot: true
         runAsGroup: {{ .Values.injector.gid | default 1000 }}
         runAsUser: {{ .Values.injector.uid | default 100 }}
+      {{- end }}
       containers:
         - name: sidecar-injector
           {{ template "injector.resources" . }}
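Review bot: With `global.openshift` set, the whole pod `securityContext` is dropped, including `runAsNonRoot: true`, so non-root execution then depends entirely on the SCC the service account is admitted under. As far as I can tell only the fixed `runAsUser`/`runAsGroup` values conflict with OpenShift's assigned UID range. `runAsNonRoot: true` could stay outside the `{{- if not .Values.global.openshift }}` guard as a backstop in case the pod is ever admitted under a permissive SCC. The same applies to the guard added around `securityContext` in the templates/server-statefulset.yaml hunk, where `fsGroup` would stay inside the guard too. A one-line comment above the guard saying why the fields are omitted on OpenShift would help the next reader.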
@@ -70,6 +72,10 @@ spec:
               value: {{ .Values.injector.logFormat | default "standard" }}
             - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
               value: "{{ .Values.injector.revokeOnShutdown | default false }}"
+            {{- if .Values.global.openshift }}
+            - name: AGENT_INJECT_SET_SECURITY_CONTEXT
+              value: "false"
+            {{- end }}
             {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
           args:
             - agent-inject
diff --git a/templates/injector-network-policy.yaml b/templates/injector-network-policy.yaml
new file mode 100644
index 0000000..b727669
--- /dev/null
+++ b/templates/injector-network-policy.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.global.openshift }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "vault.fullname" . }}-agent-injector
+  labels:
+    app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      component: webhook
+  ingress:
+    - from:
+        - namespaceSelector: {}
+      ports:
+      - port: 8080
+        protocol: TCP
+{{ end }}
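Review bot: `namespaceSelector: {}` admits every pod in every namespace to port 8080, so this policy records the webhook port rather than restricting who can reach it. If the intent is to keep admission requests working on clusters where namespaces are otherwise isolated, say so above `ingress:`, for example `# allow webhook calls from any namespace; narrowed by port only`. The `- port:` items under `ports:` are flush with their key while `- from:` is indented, and the closing `{{ end }}` lacks the `-` trim used on the opening line.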
diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml
index 9b3d112..7c19f5f 100644
--- a/templates/server-ingress.yaml
+++ b/templates/server-ingress.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.global.openshift }}
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
 {{- if .Values.server.ingress.enabled -}}
@@ -49,3 +50,4 @@ spec:
   {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/templates/server-network-policy.yaml b/templates/server-network-policy.yaml
new file mode 100644
index 0000000..0879d5b
--- /dev/null
+++ b/templates/server-network-policy.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.global.openshift }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "vault.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ template "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "vault.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  ingress:
+    - from:
+        - namespaceSelector: {}
+      ports:
+      - port: 8200
+        protocol: TCP
+      - port: 8201
+        protocol: TCP
+{{ end }}
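Review bot: Port 8201 is opened to every namespace together with 8200, although the Service templates in this series name it `https-internal`, which suggests only Vault servers need to reach it. Splitting the rule so that 8200 keeps `namespaceSelector: {}` and 8201 is limited to pods carrying this release's Vault labels would keep the cluster port off the shared pod network. This assumes replication traffic from other clusters does not arrive through this path; if it does, that peer needs its own rule.

```yaml
  ingress:
    # … unchanged: rule admitting all namespaces, now listing port 8200 only …
    # cluster port: reachable only from this release's Vault server pods
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: {{ template "vault.name" . }}
              app.kubernetes.io/instance: {{ .Release.Name }}
      ports:
      - port: 8201
        protocol: TCP
```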
diff --git a/templates/server-route.yaml b/templates/server-route.yaml
new file mode 100644
index 0000000..2fccf02
--- /dev/null
+++ b/templates/server-route.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.global.openshift }}
+{{- if ne .mode "external" }}
+{{- if .Values.server.route.enabled -}}
+{{- $serviceName := include "vault.fullname" . -}}
+{{- if eq .mode "ha" }}
+{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
+{{- end }}
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+  name: {{ template "vault.fullname" . }}
+  labels:
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- with .Values.server.route.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- template "vault.route.annotations" . }}
+spec:
+  host: {{ .Values.server.route.host }}
+  to:
+    kind: Service
+    name: {{ $serviceName }}
+    weight: 100
+  port:
+    targetPort: 8200
+  tls:
+    termination: passthrough
+{{- end }}
+{{- end }}
+{{- end }}
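Review bot: `{{- if ne .mode "external" }}` and `{{- if eq .mode "ha" }}` read `.mode`, but this file never calls `{{ template "vault.mode" . }}`, which templates/server-ingress.yaml does on its first line before the same check. Unless another template has already populated the value, the comparison runs against an unset field and the switch to the `-active` Service is not reliable. Add `{{ template "vault.mode" . }}` before the `.mode` checks. `termination: passthrough` also assumes Vault serves TLS itself, so the route should probably be skipped, or documented as unsupported, when `global.tlsDisable` is true.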
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 69a925f..f8a0eb1 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -45,13 +45,17 @@ spec:
       {{ if  .Values.server.shareProcessNamespace }}
       shareProcessNamespace: true
       {{ end }}
+      {{- if not .Values.global.openshift }}
       securityContext:
         runAsNonRoot: true
         runAsGroup: {{ .Values.server.gid | default 1000 }}
         runAsUser: {{ .Values.server.uid | default 100 }}
         fsGroup: {{ .Values.server.gid | default 1000 }}
+      {{- end }}
       volumes:
         {{ template "vault.volumes" . }}
+        - name: home
+          emptyDir: {}
       {{- if .Values.server.extraInitContainers }}
       initContainers:
         {{ toYaml .Values.server.extraInitContainers | nindent 8}}
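Review bot: The `home` volume is a disk-backed `emptyDir` with no `sizeLimit`, and it is added on every platform rather than only when `global.openshift` is set. The Vault CLI's default token helper writes `~/.vault-token`, so with `HOME` set to `/home/vault` in the next hunk, a `vault login` run inside the container would leave a token on the node's disk for the life of the pod. Consider `emptyDir: {medium: Memory}` or at least a `sizeLimit`. A comment saying what needs a writable home directory would also help.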
@@ -100,11 +104,15 @@ spec:
                 fieldRef:
                   fieldPath: metadata.name
             {{- end }}
+            - name: HOME
+              value: "/home/vault"
             {{ template "vault.envs" . }}
             {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
             {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
           volumeMounts:
           {{ template "vault.mounts" . }}
+            - name: home
+              mountPath: /home/vault
           ports:
             - containerPort: 8200
               name: {{ include "vault.scheme" . }}
diff --git a/test/acceptance/injector-test/pg-deployment.yaml b/test/acceptance/injector-test/pg-deployment.yaml
index 13389ff..caf8605 100644
--- a/test/acceptance/injector-test/pg-deployment.yaml
+++ b/test/acceptance/injector-test/pg-deployment.yaml
@@ -41,7 +41,7 @@ spec:
             - name: POSTGRES_PASSWORD
               value: password
           volumeMounts:
-            - mountPath: "/var/lib/postgresql/data"
+            - mountPath: "/var/lib/postgresql"
               name: "pgdata"
             - mountPath: "/docker-entrypoint-initdb.d"
               name: "pgconf"
diff --git a/test/acceptance/server-dev.bats b/test/acceptance/server-dev.bats
index ffda946..0619c28 100644
--- a/test/acceptance/server-dev.bats
+++ b/test/acceptance/server-dev.bats
@@ -19,7 +19,7 @@ load _helpers
   # Volume Mounts
   local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.containers[0].volumeMounts | length')
-  [ "${volumeCount}" == "0" ]
+  [ "${volumeCount}" == "1" ]
 
   # Service
   local service=$(kubectl get service "$(name_prefix)" --output json |
diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats
index 35348e3..ea8a8db 100644
--- a/test/acceptance/server-ha-enterprise-dr.bats
+++ b/test/acceptance/server-ha-enterprise-dr.bats
@@ -7,7 +7,7 @@ load _helpers
 
   helm install "$(name_prefix)-east" \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.4.0_ent' \
+    --set='server.image.tag=1.4.2_ent' \
     --set='injector.enabled=false' \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' .
@@ -76,7 +76,7 @@ load _helpers
   helm install "$(name_prefix)-west" \
     --set='injector.enabled=false' \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.4.0_ent' \
+    --set='server.image.tag=1.4.2_ent' \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' .
   wait_for_running "$(name_prefix)-west-0"
diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats
index 48f9887..0d4c779 100644
--- a/test/acceptance/server-ha-enterprise-perf.bats
+++ b/test/acceptance/server-ha-enterprise-perf.bats
@@ -8,7 +8,7 @@ load _helpers
   helm install "$(name_prefix)-east" \
     --set='injector.enabled=false' \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.4.0_ent' \
+    --set='server.image.tag=1.4.2_ent' \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' .
   wait_for_running "$(name_prefix)-east-0"
@@ -76,7 +76,7 @@ load _helpers
   helm install "$(name_prefix)-west" \
     --set='injector.enabled=false' \
     --set='server.image.repository=hashicorp/vault-enterprise' \
-    --set='server.image.tag=1.4.0_ent' \
+    --set='server.image.tag=1.4.2_ent' \
     --set='server.ha.enabled=true' \
     --set='server.ha.raft.enabled=true' .
   wait_for_running "$(name_prefix)-west-0"
diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats
index b6f1f25..9f9f3de 100644
--- a/test/acceptance/server-ha-raft.bats
+++ b/test/acceptance/server-ha-raft.bats
@@ -27,12 +27,12 @@ load _helpers
   # Volume Mounts
   local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.containers[0].volumeMounts | length')
-  [ "${volumeCount}" == "2" ]
+  [ "${volumeCount}" == "3" ]
 
   # Volumes
   local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.volumes | length')
-  [ "${volumeCount}" == "1" ]
+  [ "${volumeCount}" == "2" ]
 
   local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.volumes[0].configMap.name')
diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats
index 4cb4a75..0945f12 100644
--- a/test/acceptance/server-ha.bats
+++ b/test/acceptance/server-ha.bats
@@ -26,12 +26,12 @@ load _helpers
   # Volume Mounts
   local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.containers[0].volumeMounts | length')
-  [ "${volumeCount}" == "1" ]
+  [ "${volumeCount}" == "2" ]
 
   # Volumes
   local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.volumes | length')
-  [ "${volumeCount}" == "1" ]
+  [ "${volumeCount}" == "2" ]
 
   local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.volumes[0].configMap.name')
diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats
index ce7843f..84a4e7d 100644
--- a/test/acceptance/server.bats
+++ b/test/acceptance/server.bats
@@ -34,7 +34,7 @@ load _helpers
   # Volume Mounts
   local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.containers[0].volumeMounts | length')
-  [ "${volumeCount}" == "2" ]
+  [ "${volumeCount}" == "3" ]
 
   local mountName=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.containers[0].volumeMounts[0].name')
@@ -47,17 +47,12 @@ load _helpers
   # Volumes
   local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.volumes | length')
-  [ "${volumeCount}" == "1" ]
+  [ "${volumeCount}" == "2" ]
 
   local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.template.spec.volumes[0].configMap.name')
   [ "${volume}" == "$(name_prefix)-config" ]
 
-  # Security Context
-  local fsGroup=$(kubectl get statefulset "$(name_prefix)" --output json |
-    jq -r '.spec.template.spec.securityContext.fsGroup')
-  [ "${fsGroup}" == "1000" ]
-
   # Service
   local service=$(kubectl get service "$(name_prefix)" --output json |
     jq -r '.spec.clusterIP')
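Review bot: Dropping the `fsGroup` assertion under `# Security Context` leaves this acceptance test with no check of the pod security context on a live cluster. A unit test for `fsGroup` is still visible in `test/unit/server-ha-statefulset.bats`, but that only covers rendered output. If the removal was needed so the suite can also run on OpenShift (an inference, the patch does not say), a guard around the existing `[ "${fsGroup}" == "1000" ]` check would keep the coverage for the default install. The test body starts and ends outside this hunk.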
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index bd3f63a..9e09e42 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@@ -322,6 +322,19 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
+@test "injector/deployment: disable security context when openshift enabled" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'global.openshift=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+    yq -r '.[9].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_SET_SECURITY_CONTEXT" ]
+}
+
 #--------------------------------------------------------------------
 # extraEnvironmentVars
 
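Review bot: The new test `disable security context when openshift enabled` asserts only that the env entry at index 9 is named `AGENT_INJECT_SET_SECURITY_CONTEXT` and never checks its value, so a template that emits the variable with the wrong value would still pass. Selecting by name also removes the dependency on the position: `yq -r '.[] | select(.name == "AGENT_INJECT_SET_SECURITY_CONTEXT") | .value'`, compared against the value the template is meant to set (presumably `false`; the template is not in this hunk). `echo $object` is better written `echo "$object"` so the JSON is not word-split by the shell.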
@@ -447,3 +460,25 @@ load _helpers
       yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+#--------------------------------------------------------------------
+# OpenShift
+
+@test "injector/deployment: OpenShift - runAsUser disabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'global.openshift=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.securityContext.runAsUser | length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "injector/deployment: OpenShift - runAsGroup disabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'global.openshift=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.securityContext.runAsGroup | length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
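Review bot: `.securityContext.runAsUser | length > 0` does not test for absence: jq's `length` of a number is its absolute value, so a rendered `runAsUser: 0` (root) yields `false` just like a missing field, and both `runAsUser disabled` and `runAsGroup disabled` would pass. Compare against null instead, `yq '.spec.template.spec.securityContext.runAsUser == null'` with `[ "${actual}" = "true" ]`, and likewise for `runAsGroup`. The same expression is used in the OpenShift tests added to `test/unit/server-ha-statefulset.bats` and `test/unit/server-statefulset.bats` later in this patch.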
diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats
index 3b38eab..a44e243 100755
--- a/test/unit/server-dev-statefulset.bats
+++ b/test/unit/server-dev-statefulset.bats
@@ -249,19 +249,19 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[11].name' | tee /dev/stderr)
+    yq -r '.[12].name' | tee /dev/stderr)
   [ "${actual}" = "FOO" ]
 
   local actual=$(echo $object |
-      yq -r '.[11].value' | tee /dev/stderr)
+      yq -r '.[12].value' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
 
   local actual=$(echo $object |
-      yq -r '.[12].name' | tee /dev/stderr)
+      yq -r '.[13].name' | tee /dev/stderr)
   [ "${actual}" = "FOOBAR" ]
 
   local actual=$(echo $object |
-      yq -r '.[12].value' | tee /dev/stderr)
+      yq -r '.[13].value' | tee /dev/stderr)
   [ "${actual}" = "foobar" ]
 }
 
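Review bot: Shifting `.[11]` to `.[12]` and `.[12]` to `.[13]` keeps these assertions tied to the position of the extra variables in the env list, so every variable the chart adds forces another renumbering, as this patch shows. Looking the entry up by name is stable: `yq -r '.[] | select(.name == "FOO") | .value'` with `[ "${actual}" = "bar" ]`. The next hunk in this file and the index hunks in `test/unit/server-ha-statefulset.bats` and `test/unit/server-statefulset.bats` follow the same pattern. The test body starts outside this hunk.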
@@ -282,23 +282,25 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-      yq -r '.[10].name' | tee /dev/stderr)
+      yq -r '.[11].name' | tee /dev/stderr)
   [ "${actual}" = "ENV_FOO_0" ]
   local actual=$(echo $object |
-      yq -r '.[10].valueFrom.secretKeyRef.name' | tee /dev/stderr)
+      yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr)
   [ "${actual}" = "secret_name_0" ]
   local actual=$(echo $object |
-      yq -r '.[10].valueFrom.secretKeyRef.key' | tee /dev/stderr)
+      yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr)
   [ "${actual}" = "secret_key_0" ]
 
   local actual=$(echo $object |
-      yq -r '.[11].name' | tee /dev/stderr)
+      yq -r '.[12].name' | tee /dev/stderr)
   [ "${actual}" = "ENV_FOO_1" ]
+
   local actual=$(echo $object |
-      yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr)
+      yq -r '.[12].valueFrom.secretKeyRef.name' | tee /dev/stderr)
   [ "${actual}" = "secret_name_1" ]
+
   local actual=$(echo $object |
-      yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr)
+      yq -r '.[12].valueFrom.secretKeyRef.key' | tee /dev/stderr)
   [ "${actual}" = "secret_key_1" ]
 }
 
diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats
old mode 100644
new mode 100755
diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats
old mode 100644
new mode 100755
diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats
index e6d0d58..ff5c571 100755
--- a/test/unit/server-ha-statefulset.bats
+++ b/test/unit/server-ha-statefulset.bats
@@ -349,19 +349,19 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[10].name' | tee /dev/stderr)
+     yq -r '.[11].name' | tee /dev/stderr)
   [ "${actual}" = "FOO" ]
 
   local actual=$(echo $object |
-      yq -r '.[10].value' | tee /dev/stderr)
+      yq -r '.[11].value' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
 
   local actual=$(echo $object |
-      yq -r '.[11].name' | tee /dev/stderr)
+      yq -r '.[12].name' | tee /dev/stderr)
   [ "${actual}" = "FOOBAR" ]
 
   local actual=$(echo $object |
-      yq -r '.[11].value' | tee /dev/stderr)
+      yq -r '.[12].value' | tee /dev/stderr)
   [ "${actual}" = "foobar" ]
 }
 
@@ -383,23 +383,23 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-      yq -r '.[10].name' | tee /dev/stderr)
+      yq -r '.[11].name' | tee /dev/stderr)
   [ "${actual}" = "ENV_FOO_0" ]
   local actual=$(echo $object |
-      yq -r '.[10].valueFrom.secretKeyRef.name' | tee /dev/stderr)
+      yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr)
   [ "${actual}" = "secret_name_0" ]
   local actual=$(echo $object |
-      yq -r '.[10].valueFrom.secretKeyRef.key' | tee /dev/stderr)
+      yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr)
   [ "${actual}" = "secret_key_0" ]
 
   local actual=$(echo $object |
-      yq -r '.[11].name' | tee /dev/stderr)
+      yq -r '.[12].name' | tee /dev/stderr)
   [ "${actual}" = "ENV_FOO_1" ]
   local actual=$(echo $object |
-      yq -r '.[11].valueFrom.secretKeyRef.name' | tee /dev/stderr)
+      yq -r '.[12].valueFrom.secretKeyRef.name' | tee /dev/stderr)
   [ "${actual}" = "secret_name_1" ]
   local actual=$(echo $object |
-      yq -r '.[11].valueFrom.secretKeyRef.key' | tee /dev/stderr)
+      yq -r '.[12].valueFrom.secretKeyRef.key' | tee /dev/stderr)
   [ "${actual}" = "secret_key_1" ]
 }
 
@@ -643,3 +643,26 @@ load _helpers
       yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
   [ "${actual}" = "2000" ]
 }
+
+#--------------------------------------------------------------------
+# OpenShift
+
+@test "server/ha-statefulset: OpenShift - runAsUser disabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'global.openshift=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.securityContext.runAsUser | length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/ha-statefulset: OpenShift - runAsGroup disabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'global.openshift=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.securityContext.runAsGroup | length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
diff --git a/test/unit/server-network-policy.bats b/test/unit/server-network-policy.bats
new file mode 100755
index 0000000..0df89fc
--- /dev/null
+++ b/test/unit/server-network-policy.bats
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/network-policy: OpenShift - disabled by default" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-network-policy.yaml  \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/network-policy: OpenShift - enabled if OpenShift" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --set 'global.openshift=true' \
+      --show-only templates/server-network-policy.yaml  \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
\ No newline at end of file
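Review bot: In `disabled by default`, `(helm template ... || echo "---")` turns any `helm template` failure into an empty document, so a template that fails to render is indistinguishable from one that is disabled and the test still passes. The `enabled if OpenShift` test only checks `length > 0`; asserting something about the rendered object, for example `yq -r '.kind'` against `NetworkPolicy`, would catch a template that renders the wrong resource (the template is not in this hunk, so the expected kind is inferred from the file name). The first title says `OpenShift -` although the test does not set `global.openshift`, and the file lacks a trailing newline.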
diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats
new file mode 100755
index 0000000..f5830e6
--- /dev/null
+++ b/test/unit/server-route.bats
@@ -0,0 +1,116 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "server/route: OpenShift - disabled by default" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --set 'global.openshift=true' \
+      --show-only templates/server-route.yaml  \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/route: OpenShift -disable by injector.externalVaultAddr" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/server-route.yaml  \
+      --set 'global.openshift=true' \
+      --set 'server.route.enabled=true' \
+      --set 'injector.externalVaultAddr=http://vault-outside' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/route: OpenShift - checking host entry gets added and path is /" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-route.yaml \
+      --set 'global.openshift=true' \
+      --set 'server.route.enabled=true' \
+      --set 'server.route.host=test.com' \
+      . | tee /dev/stderr |
+      yq  -r '.spec.host' | tee /dev/stderr)
+  [ "${actual}" = 'test.com' ]
+}
+
+@test "server/route: OpenShift - vault backend should be added when I specify a path" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-route.yaml \
+      --set 'global.openshift=true' \
+      --set 'server.route.enabled=true' \
+      --set 'server.route.host=test.com' \
+      . | tee /dev/stderr |
+      yq  -r '.spec.to.name  | length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+}
+
+@test "server/route: OpenShift - labels gets added to object" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-route.yaml \
+      --set 'global.openshift=true' \
+      --set 'server.route.enabled=true' \
+      --set 'server.route.labels.traffic=external' \
+      --set 'server.route.labels.team=dev' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.labels.traffic' | tee /dev/stderr)
+  [ "${actual}" = "external" ]
+}
+
+@test "server/route: OpenShift - annotations added to object - string" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-route.yaml \
+      --set 'global.openshift=true' \
+      --set 'server.route.enabled=true' \
+      --set 'server.route.annotations=kubernetes.io/route.class: haproxy' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["kubernetes.io/route.class"]' | tee /dev/stderr)
+  [ "${actual}" = "haproxy" ]
+}
+
+@test "server/route: OpenShift - annotations added to object - yaml" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-route.yaml \
+      --set 'global.openshift=true' \
+      --set 'server.route.enabled=true' \
+      --set server.route.annotations."kubernetes\.io/route\.class"=haproxy \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["kubernetes.io/route.class"]' | tee /dev/stderr)
+  [ "${actual}" = "haproxy" ]
+}
+
+@test "server/route: OpenShift - route points to main service by default" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-route.yaml \
+      --set 'global.openshift=true' \
+      --set 'server.route.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.to.name' | tee /dev/stderr)
+  [ "${actual}" = "RELEASE-NAME-vault" ]
+}
+
+@test "server/route: OpenShift - route points to active service by when HA" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-route.yaml \
+      --set 'global.openshift=true' \
+      --set 'server.route.enabled=true' \
+      --set 'server.ha.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.to.name' | tee /dev/stderr)
+  [ "${actual}" = "RELEASE-NAME-vault-active" ]
+}
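Review bot: None of the route tests pins the TLS termination mode, although the `values.yaml` comment added in this patch says the route is created as passthrough; a later change to edge termination would let the router decrypt Vault traffic and no test here would notice. A test asserting `.spec.tls.termination` is sketched below, assuming the template sets that field. Two titles also do not match their bodies: `checking host entry gets added and path is /` never checks a path, and `vault backend should be added when I specify a path` never specifies one.

```shell
@test "server/route: OpenShift - route uses passthrough TLS termination" {
  cd `chart_dir`

  local actual=$(helm template \
      --show-only templates/server-route.yaml \
      --set 'global.openshift=true' \
      --set 'server.route.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.spec.tls.termination' | tee /dev/stderr)
  [ "${actual}" = "passthrough" ]
}
```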
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 7e7678c..65f4ce2 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -384,19 +384,19 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[10].name' | tee /dev/stderr)
+     yq -r '.[11].name' | tee /dev/stderr)
   [ "${actual}" = "FOO" ]
 
   local actual=$(echo $object |
-      yq -r '.[10].value' | tee /dev/stderr)
+      yq -r '.[11].value' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
 
   local actual=$(echo $object |
-      yq -r '.[11].name' | tee /dev/stderr)
+      yq -r '.[12].name' | tee /dev/stderr)
   [ "${actual}" = "FOOBAR" ]
 
   local actual=$(echo $object |
-      yq -r '.[11].value' | tee /dev/stderr)
+      yq -r '.[12].value' | tee /dev/stderr)
   [ "${actual}" = "foobar" ]
 
   local object=$(helm template \
@@ -407,19 +407,19 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
   local actual=$(echo $object |
-     yq -r '.[10].name' | tee /dev/stderr)
+     yq -r '.[11].name' | tee /dev/stderr)
   [ "${actual}" = "FOO" ]
 
   local actual=$(echo $object |
-      yq -r '.[10].value' | tee /dev/stderr)
+      yq -r '.[11].value' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
 
   local actual=$(echo $object |
-      yq -r '.[11].name' | tee /dev/stderr)
+      yq -r '.[12].name' | tee /dev/stderr)
   [ "${actual}" = "FOOBAR" ]
 
   local actual=$(echo $object |
-      yq -r '.[11].value' | tee /dev/stderr)
+      yq -r '.[12].value' | tee /dev/stderr)
   [ "${actual}" = "foobar" ]
 }
 
@@ -1049,7 +1049,6 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
-#--------------------------------------------------------------------
 # postStart
 @test "server/standalone-StatefulSet: postStart disabled by default" {
   cd `chart_dir`
@@ -1069,3 +1068,26 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].lifecycle.postStart.exec.command[0]' | tee /dev/stderr)
   [ "${actual}" = "/bin/sh" ]
 }
+
+#--------------------------------------------------------------------
+# OpenShift
+
+@test "server/standalone-StatefulSet: OpenShift - runAsUser disabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'global.openshift=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.securityContext.runAsUser | length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/standalone-StatefulSet: OpenShift - runAsGroup disabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'global.openshift=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.securityContext.runAsGroup | length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
diff --git a/values.yaml b/values.yaml
index d1bbaf4..8c6e4a3 100644
--- a/values.yaml
+++ b/values.yaml
@@ -10,6 +10,8 @@ global:
   #   - name: image-pull-secret
   # TLS for end-to-end encrypted transport
   tlsDisable: true
+  # Beta Feature: If deploying to OpenShift
+  openshift: false
 
 injector:
   # True if you want to enable vault agent injection.
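Review bot: The comment `# Beta Feature: If deploying to OpenShift` does not say what the flag changes, and judging by the tests in this patch it alters security-relevant output: `runAsUser`/`runAsGroup` are dropped from the pod security context, a NetworkPolicy is rendered, and the injector receives `AGENT_INJECT_SET_SECURITY_CONTEXT`. Listing those effects above `openshift: false` would let operators see what they are opting into, e.g. `# When true: pod runAsUser/runAsGroup are left to OpenShift, a NetworkPolicy is created, and server.ingress is ignored in favour of server.route.`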
@@ -22,7 +24,7 @@ injector:
   # image sets the repo and tag of the vault-k8s image to use for the injector.
   image:
     repository: "hashicorp/vault-k8s"
-    tag: "0.3.0"
+    tag: "0.4.0"
     pullPolicy: IfNotPresent
 
   # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
@@ -30,7 +32,7 @@ injector:
   # required.
   agentImage:
     repository: "vault"
-    tag: "1.4.0"
+    tag: "1.4.2"
 
   # Mount Path of the Vault Kubernetes Auth Method.
   authPath: "auth/kubernetes"
@@ -113,7 +115,7 @@ server:
 
   image:
     repository: "vault"
-    tag: "1.4.0"
+    tag: "1.4.2"
     # Overrides the default Image Pull Policy
     pullPolicy: IfNotPresent
 
@@ -132,6 +134,8 @@ server:
 
   # Ingress allows ingress services to be created to allow external access
   # from Kubernetes to access Vault pods.
+  # If deployment is on OpenShift, the following block is ignored.
+  # In order to expose the service, use the route section below
   ingress:
     enabled: false
     labels: {}
@@ -152,6 +156,13 @@ server:
     #    hosts:
     #      - chart-example.local
 
+  # OpenShift only - create a route to expose the service
+  # The created route will be of type passthrough
+  route:
+    enabled: false
+    labels: {}
+    annotations: {}
+    host: chart-example.local
 
   # authDelegator enables a cluster role binding to be attached to the service
   # account.  This cluster role binding can be used to setup Kubernetes auth
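Review bot: The new `route` block documents the route as passthrough, which means the router forwards the TLS stream untouched and Vault itself has to terminate TLS, yet `global.tlsDisable` defaults to `true` in this file. Enabling the route with the defaults would therefore presumably not give a working or encrypted endpoint; the comment should say so, e.g. `# Passthrough requires Vault to serve TLS: set global.tlsDisable to false and configure a TLS listener.` `host: chart-example.local` is a placeholder that is presumably rendered as soon as `enabled` is set, so an empty default with a note that the host must be set may be safer.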
-- 
GitLab


From b42c0c53b5263e2088b052b63c9e1732abea914c Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Tue, 2 Jun 2020 22:12:02 -0400
Subject: [PATCH 74/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a8c8d99..27d5ef0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 Features:
 * Added `extraInitContainers` to define init containers for the Vault cluster [GH-258](https://github.com/hashicorp/vault-helm/pull/258)
 * Added `postStart` lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready [GH-315](https://github.com/hashicorp/vault-helm/pull/315)
+* Beta: Added OpenShift support [GH-319](https://github.com/hashicorp/vault-helm/pull/319)
 
 Improvements:
 * Server configs can now be defined in YAML.  Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213)
-- 
GitLab


From e7736defa1e0bf01f40575a0578ded5215a2128b Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Wed, 3 Jun 2020 10:03:10 -0400
Subject: [PATCH 75/79] Update to v0.6.0 (#320)

---
 CHANGELOG.md | 8 ++++++++
 Chart.yaml   | 6 ++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 27d5ef0..b18e123 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
 ## Unreleased
 
+Features:
+
+Improvements:
+
+Bugs:
+
+## 0.6.0 (June 3rd, 2020)
+
 Features:
 * Added `extraInitContainers` to define init containers for the Vault cluster [GH-258](https://github.com/hashicorp/vault-helm/pull/258)
 * Added `postStart` lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready [GH-315](https://github.com/hashicorp/vault-helm/pull/315)
diff --git a/Chart.yaml b/Chart.yaml
index 3469359..0668a83 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,9 +1,11 @@
 apiVersion: v2
 name: vault
-version: 0.5.0
-description: Install and configure Vault on Kubernetes.
+version: 0.6.0
+appVersion: 1.4.2
+description: Official HashiCorp Vault Chart
 home: https://www.vaultproject.io
 icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
+keywords: ["vault", "security", "encryption", "secrets", "management", "automation", "infrastructure"]
 sources:
   - https://github.com/hashicorp/vault
   - https://github.com/hashicorp/vault-helm
-- 
GitLab


From 62380cc24a65eb4a707eb45354666ac79e12c074 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Thu, 4 Jun 2020 13:37:31 -0400
Subject: [PATCH 76/79] Add note to config about sensitive configs (#323)

* Add note to config about sensitive configs

* Update README.md

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
---
 README.md   |  4 ++++
 values.yaml | 16 ++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/README.md b/README.md
index bbc9de3..29db848 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,9 @@
 # Vault Helm Chart
 
+> :warning: **Please note**: We take Vault's security and our users' trust very seriously. If 
+you believe you have found a security issue in Vault Helm, _please responsibly disclose_ 
+by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).
+
 This repository contains the official HashiCorp Helm chart for installing
 and configuring Vault on Kubernetes. This chart supports multiple use
 cases of Vault on Kubernetes depending on the values provided.
diff --git a/values.yaml b/values.yaml
index 8c6e4a3..65ced07 100644
--- a/values.yaml
+++ b/values.yaml
@@ -341,6 +341,11 @@ server:
     # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
     # and store data there. This is only used when using a Replica count of 1, and
     # using a stateful set. This should be HCL.
+
+    # Note: Configuration files are stored in ConfigMaps so sensitive data 
+    # such as passwords should be either mounted through extraSecretEnvironmentVars
+    # or through a Kube secret.  For more information see: 
+    # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
     config: |
       ui = true
 
@@ -382,6 +387,11 @@ server:
       enabled: false
       # Set the Node Raft ID to the name of the pod
       setNodeId: false
+    
+      # Note: Configuration files are stored in ConfigMaps so sensitive data 
+      # such as passwords should be either mounted through extraSecretEnvironmentVars
+      # or through a Kube secret.  For more information see: 
+      # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
       config: |
         ui = true
 
@@ -396,9 +406,15 @@ server:
         }
 
         service_registration "kubernetes" {}
+   
     # config is a raw string of default configuration when using a Stateful
     # deployment. Default is to use a Consul for its HA storage backend.
     # This should be HCL.
+    
+    # Note: Configuration files are stored in ConfigMaps so sensitive data 
+    # such as passwords should be either mounted through extraSecretEnvironmentVars
+    # or through a Kube secret.  For more information see: 
+    # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
     config: |
       ui = true
 
-- 
GitLab


From 5a7e10cf08e960b57a6c884c7c01dcdbda6969c8 Mon Sep 17 00:00:00 2001
From: Omer Levi Hevroni <omerlh@users.noreply.github.com>
Date: Thu, 11 Jun 2020 17:50:16 +0300
Subject: [PATCH 77/79] allow to set extra volume mode (#321)

---
 templates/_helpers.tpl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 5c88b18..31872fc 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -96,6 +96,7 @@ extra volumes the user may have specified (such as a secret with TLS).
           {{- else if (eq .type "secret") }}
             secretName: {{ .name }}
           {{- end }}
+            defaultMode: {{ .defaultMode | default 420 }}
   {{- end }}
 {{- end -}}
 
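Review bot: `default 420` is the decimal form of octal `0644`, which is not explained anywhere in this patch, and it sits after the `configMap`/`secret` branches, so it applies to secret volumes too and mounted secret files stay readable by every user in the container unless the operator overrides it. Document the key where `extraVolumes` is described (not shown in this patch), e.g. `# defaultMode: 420  # decimal; 420 = 0644, use 256 (0400) to restrict secret files to the owner`. No unit test accompanies the new field; one asserting the default and an override on `.spec.template.spec.volumes` would pin it. The enclosing `define` block starts and ends outside this hunk.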
-- 
GitLab


From ebed731222c85c3fd3777e3db7d1fac7393bb838 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Thu, 11 Jun 2020 10:51:44 -0400
Subject: [PATCH 78/79] changelog++

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b18e123..9a4afd9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 Features:
 
 Improvements:
+* Added `defaultMode` configurable to `extraVolumes`[GH-321](https://github.com/hashicorp/vault-helm/pull/321)
 
 Bugs:
 
-- 
GitLab


From e4bfe2917d41920c8caa86040ef0db4fbb3c2677 Mon Sep 17 00:00:00 2001
From: Ricardo Rocha <rocha.porto@gmail.com>
Date: Tue, 5 May 2020 09:34:01 +0200
Subject: [PATCH 79/79] Add gitlab-ci for cern registry

---
 .gitlab-ci.yml | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 .gitlab-ci.yml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..24c2a20
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,71 @@
+stages:
+  - build
+  - deploy
+
+before_script:
+  - mkdir -p .repo
+  - export REPO="cern"
+  - export CHART="vault"
+
+build:
+  stage: build
+  image: gitlab-registry.cern.ch/cloud/ciadm
+  script:
+    - curl -o helm.tar.gz https://kubernetes-helm.storage.googleapis.com/helm-v2.14.1-linux-amd64.tar.gz; mkdir -p helm; tar zxvf helm.tar.gz -C helm; cp helm/linux-amd64/helm /usr/local/bin; rm -rf helm*
+    - helm init --client-only
+    - helm repo add ${REPO} https://registry.cern.ch/chartrepo/${REPO}
+    - helm dep update .; helm lint .; helm package .
+  except:
+    - tags
+
+version-check:
+  stage: build
+  image: gitlab-registry.cern.ch/cloud/ciadm
+  script:
+    - |
+        VDIFF="$(echo "$(git diff origin/master -- Chart.yaml)" | grep "\-version:" || true)"
+        if [ "${VDIFF}" == "" ]; then
+            echo "${CHART} is a new chart, not checking version bump"
+            exit 0;
+        fi
+        OLD_CHART_VERSION="$(echo "${VDIFF}" | awk '{print $2}')"
+        # Check and accept if it's a new chart
+        if [ "${OLD_CHART_VERSION}" == "" ]; then
+            echo "${CHART} is a new chart, not checking version bump"
+            exit 0;
+        fi
+        NEW_CHART_VERSION="$(echo "$(git diff origin/master -- Chart.yaml)" | grep "+version:" | awk '{print $2}')"
+        fi
+    - |
+        if [ ${NEW_CHART_VERSION} = "" ] || \
+            [ $(expr ${NEW_CHART_VERSION} \<= ${OLD_CHART_VERSION}) -eq 1 ]; then
+            echo "ERROR: Chart version must be higher than existent. Please fix before merging again."
+            exit 1
+        fi
+  except:
+    - tags
+
+deploy:
+  stage: deploy
+  image: gitlab-registry.cern.ch/cloud/ciadm
+  script:
+    - helm init --client-only
+    - helm repo add ${REPO} https://registry.cern.ch/chartrepo/${REPO}
+    - helm repo update
+    # helm-push not possible for now as it lacks --sign to pass a provenance file
+    # - helm plugin install https://github.com/chartmuseum/helm-push
+    - echo "${HARBOR_SIGNKEY}" | base64 -d > secring.gpg
+    - |
+        # Get local and remote versions
+        LOCAL_VERSION=$(grep -R version Chart.yaml | awk '{print $2}')
+        REMOTE_LATEST_VERSION=$(helm search ${REPO}/${CHART} | grep ${REPO}/${CHART} | awk '{print $2}')
+        # Only push if chart version does not exists in remote
+        if [ ${REMOTE_LATEST_VERSION} = "" ] || \
+            [ $(expr ${REMOTE_LATEST_VERSION} \< ${LOCAL_VERSION}) -eq 1 ]; then
+            helm dep update .
+            helm package --sign --key registry --keyring secring.gpg .
+            curl --fail -F "chart=@${CHART}-${LOCAL_VERSION}.tgz" -F "prov=@${CHART}-${LOCAL_VERSION}.tgz.prov" https://${HARBOR_USER}:${HARBOR_TOKEN}@registry.cern.ch/api/chartrepo/${REPO}/charts
+        fi
+        
+  only:
+    - tags
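Review bot: The deploy job embeds `${HARBOR_USER}:${HARBOR_TOKEN}` in the upload URL and leaves the decoded signing key in `secring.gpg` in the workspace; credentials inside a URL tend to surface in error output and proxy logs, so passing them to curl through `-K -` and deleting the keyring after packaging is safer. The build job installs a Helm binary fetched with `curl` without checking it against a pinned checksum. In `version-check`, the `fi` after the `NEW_CHART_VERSION=` assignment has no matching `if` and should make the shell reject the script, and `expr ... \<=` falls back to string comparison for dotted versions, so `0.10.0` sorts below `0.9.0`. The unquoted `[ ${NEW_CHART_VERSION} = "" ]` and `[ ${REMOTE_LATEST_VERSION} = "" ]` tests also fail with a syntax error when the variable is empty.

```yaml
build:
  script:
    # HELM_SHA256 is a placeholder: set it to the published digest of the pinned release
    - curl -fsSLo helm.tar.gz https://kubernetes-helm.storage.googleapis.com/helm-v2.14.1-linux-amd64.tar.gz
    - echo "${HELM_SHA256}  helm.tar.gz" | sha256sum -c -
    - mkdir -p helm; tar zxvf helm.tar.gz -C helm; cp helm/linux-amd64/helm /usr/local/bin; rm -rf helm*
    # … unchanged: helm init, repo add, dep update, lint, package …

version-check:
  script:
    - |
        # … unchanged: VDIFF and OLD_CHART_VERSION lookup …
        NEW_CHART_VERSION="$(git diff origin/master -- Chart.yaml | grep "+version:" | awk '{print $2}')"
    - |
        # new version must sort strictly above the old one (sort -V is version-aware)
        if [ -z "${NEW_CHART_VERSION}" ] || \
            [ "$(printf '%s\n' "${OLD_CHART_VERSION}" "${NEW_CHART_VERSION}" | sort -V | tail -n1)" = "${OLD_CHART_VERSION}" ]; then
            # … unchanged: error message and exit 1 …
        fi

deploy:
  script:
    # … unchanged: helm init, repo add, repo update, keyring decode …
    - |
        # … unchanged: LOCAL_VERSION / REMOTE_LATEST_VERSION lookup …
        if [ -z "${REMOTE_LATEST_VERSION}" ] || \
            [ "$(printf '%s\n' "${REMOTE_LATEST_VERSION}" "${LOCAL_VERSION}" | sort -V | tail -n1)" != "${REMOTE_LATEST_VERSION}" ]; then
            helm dep update .
            helm package --sign --key registry --keyring secring.gpg .
            # credentials go to curl on stdin instead of the URL
            printf 'user = "%s:%s"\n' "${HARBOR_USER}" "${HARBOR_TOKEN}" |
              curl --fail -K - -F "chart=@${CHART}-${LOCAL_VERSION}.tgz" -F "prov=@${CHART}-${LOCAL_VERSION}.tgz.prov" https://registry.cern.ch/api/chartrepo/${REPO}/charts
        fi
        rm -f secring.gpg
```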
-- 
GitLab