up ver vault, add bank-vavult examples

add metrics
fix
2025-01-27 14:25:50 +07:00 · 2022-08-26 16:48:25 +07:00 · 2022-08-26 13:48:39 +07:00 · 2022-08-26 13:38:37 +07:00 · 2022-08-25 15:13:58 +07:00 · 2022-08-25 14:18:07 +07:00
70 changed files with 2619 additions and 1595 deletions
--- a/bank-vaults/README.md
+++ b/bank-vaults/README.md
@@ -0,0 +1,72 @@
+# Bank-vault (от banzai-cloud)
+
+[почитать тут](https://bank-vaults.dev/docs/mutating-webhook/)
+
+1. helm upgrade --install --create-namespace -n vault vault helm/vault
+
+**Vaults webhooks**
+
+```bash
+helm upgrade --install --create-namespace --namespace vswh --wait vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --set configMapMutation=true
+kubectl kustomize https://github.com/bank-vaults/vault-operator/deploy/rbac | kubectl apply -f -
+```
+
+2. после запуска идем в первый vault-0 и инитим его (и открываем сразу)
+
+```bash
+vault operator init -key-shares=1 -key-threshold=1
+vault operator unseal <key1>
+vault login <key1>
+```
+
+3. настроим k8s для работы с вольтом
+
+```bash
+vault auth enable kubernetes
+vault write auth/kubernetes/config \
+  token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+  kubernetes_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \
+  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+```
+
+4. создаем политику доступа
+
+```bash
+vault policy write vault-test - <<EOF
+path "kv/data/myenvs" {
+  capabilities = ["read"]
+}
+EOF
+```
+
+5. создаем роль
+
+```bash
+vault write auth/kubernetes/role/vault-test \
+        bound_service_account_names=vault \
+        bound_service_account_namespaces=vault-test,vswh  \
+        policies=vault-test \
+        ttl=2h
+```
+
+```bash
+vault write auth/kubernetes/role/default \
+        bound_service_account_names=* \
+        bound_service_account_namespaces=*  \
+        policies=vault-test \
+        ttl=2h
+```
+
+6. импортируем секрет и запускаем деплой
+
+создаем kv
+
+```bash
+vault secrets enable -path=kv -version=2 kv
+```
+
+создаем секрет `myenvs`, содержимое можно взять из примера keys.json
+
+```bash
+kubectl bank-vaults/vault-test.yaml
+```
--- a/bank-vaults/vault-test.yaml
+++ b/bank-vaults/vault-test.yaml
@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vault-test
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+  namespace: vault-test
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-key-secret
+  namespace: vault-test
+  annotations:
+    vault.security.banzaicloud.io/vault-addr: "http://vault.vault.svc:8200"
+    vault.security.banzaicloud.io/vault-skip-verify: "true"
+    vault.security.banzaicloud.io/vault-path: "kubernetes"
+stringData:
+  APPLE: vault:kv/data/myenvs#APPLE
+type: Opaque
+---
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-key-configmap
+  namespace: vault-test
+  annotations:
+    vault.security.banzaicloud.io/vault-addr: "http://vault.vault.svc:8200"
+    vault.security.banzaicloud.io/vault-skip-verify: "true"
+    vault.security.banzaicloud.io/vault-path: "kubernetes"
+data:
+  BANANA: vault:kv/data/myenvs#BANANA
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vault-test
+  namespace: vault-test
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: vault
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: vault
+      annotations:
+        vault.security.banzaicloud.io/vault-addr: "http://vault.vault.svc:8200"
+        vault.security.banzaicloud.io/vault-role: "vault-test"
+        vault.security.banzaicloud.io/vault-skip-verify: "true"
+        vault.security.banzaicloud.io/vault-path: "kubernetes"
+        vault.security.banzaicloud.io/vault-env-from-path: "kv/data/myenvs"
+    spec:
+      serviceAccountName: vault
+      containers:
+      - name: alpine
+        image: alpine
+        command: ["sh", "-c", "echo $BLUEBERRY && echo going to sleep... && sleep 10000"]
+        env:
+        - name: BLUEBERRY
+          value: vault:kv/data/myenvs#BLUEBERRY
+        - name: CARROT
+          value: vault:kv/data/myenvs#CARROT
+        - name: CUCUMBER
+          value: vault:kv/data/myenvs#CUCUMBER
--- a/docs/metrics-logs.md
+++ b/docs/metrics-logs.md
@@ -0,0 +1,77 @@
+# немного про метрики
+
+0. возможные метрики [вот](https://www.vaultproject.io/docs/internals/telemetry) и [вот](https://learn.hashicorp.com/tutorials/vault/usage-metrics)
+
+1. политика для доступа к метрикам
+
+```yaml
+# To retrieve the usage metrics
+path "sys/internal/counters/activity" {
+  capabilities = ["read"]
+}
+
+# To read and update the usage metrics configuration
+path "sys/internal/counters/config" {
+  capabilities = ["read", "update"]
+}
+
+#---------------------------
+# Vault Enterprise only
+#---------------------------
+
+# To view existing namespaces if any
+path "sys/namespaces" {
+  capabilities = ["list", "read", "update"]
+}
+
+# UI to show the namespace selector
+path "sys/internal/ui/namespaces" {
+  capabilities = ["read", "list", "update", "sudo"]
+}
+
+# UI to list existing mounts
+path "sys/internal/ui/mounts" {
+  capabilities = ["read", "sudo"]
+}
+
+# To read and update the usage metrics configuration for any namespace
+path "+/sys/internal/counters/config" {
+  capabilities = ["read", "update"]
+}
+
+# To retrieve the usage metrics for any namespace
+path "+/sys/internal/counters/activity" {
+  capabilities = ["read"]
+}
+```
+
+2. включение сборки метрик
+
+`vault write sys/internal/counters/config enabled=enable retention_months=12`
+
+3. посмотреть метрики через запрос
+
+`vault read -format=json  sys/internal/counters/activity | jq -r ".data"`
+
+4. с фильтром
+
+```bash
+vault read -format=json sys/internal/counters/activity \
+     start_time=2021-09-01T00:00:00Z \
+     end_time=2021-09-30T23:59:59Z  | jq -r ".data"
+```
+
+5. дашбоард
+для [графаны](https://grafana.com/grafana/dashboards/12904-hashicorp-vault/) и для [zabbix](https://www.zabbix.com/ru/integrations/hashicorp_vault)
+
+6. логи
+
+начиная с версии 1.3 доступен отдельный [бинарь](https://releases.hashicorp.com/vault-auditor/)
+
+`vault-auditor parse --help`
+
+`vault-auditor parse audit-logs`
+
+7. мониторинг и алерты
+
+для prom [тут](https://github.com/bosh-prometheus/prometheus-boshrelease/blob/master/jobs/vault_alerts/templates/vault.alerts.yml) и [тут](https://awesome-prometheus-alerts.grep.to/rules.html#hashicorp-vault)
--- a/docs/vault-psql-dynamic.md
+++ b/docs/vault-psql-dynamic.md
@@ -0,0 +1,47 @@
+# Настраиваем PSQL на работу с динамическими секретами
+
+1. подключаем новый тип хранилища
+
+```bash
+vault secrets enable -path=psql database
+```
+
+2. настраиваем конфиг и шаблон
+
+```bash
+vault write psql/config/testdb1 \
+    plugin_name=postgresql-database-plugin \
+    allowed_roles="db1-role" \
+    connection_url="postgresql://{{username}}:{{password}}@psql:5432/testdb1?sslmode=disable" \
+    username="testuser" \
+    password="password"
+```
+
+3. добавляем роль
+
+```bash
+vault write psql/roles/db1-role \
+    db_name=testdb1 \
+    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
+        GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
+    default_ttl="1h" \
+    max_ttl="24h"
+```
+
+4. пробуем получить креды
+
+```bash
+vault read psql/creds/db1-role
+```
+
+5. пробуем под ними авторизоваться
+
+```bash
+psql -d testdb1 -W -U v-root-db1-role-RocdQtHY9MIESxcLjrj3-1661411587
+```
+
+6. смотрим юзеров
+
+```bash
+\du
+```
--- a/docs/vault-raft-backup.md
+++ b/docs/vault-raft-backup.md
@@ -0,0 +1,43 @@
+# бекапим vault правильно
+
+## если у вас бесплатная версия
+
+1. создание снепа
+
+```bash
+vault login
+vault operator raft snapshot save <snapshot-name>
+```
+
+2. пример политики для снепшотов
+
+```yaml
+vault policy write snapshot-read - <<EOF
+path "sys/storage/raft/snapshot" {
+  capabilities = ["read"]
+}
+EOF
+```
+
+## если у вас Enterprise лицензия, то все проще
+
+1. локально
+
+```bash
+vault write sys/storage/raft/snapshot-auto/config/daily interval="24h" retain=5 \
+     path_prefix="raft-backup" storage_type="local" local_max_space=1073741824
+```
+
+2. удаленно на s3
+
+```bash
+vault write sys/storage/raft/snapshot-auto/config/daily interval="24h" retain=5 \
+     storage_type="aws-s3" \
+     aws_s3_bucket="vault" aws_s3_region="ru-1" aws_access_key_id="access-key" aws_secret_access_key="secret-key" \
+     aws_s3_endpoint="https://s3-point.ru" aws_s3_force_path_style="true"
+```
+## восстанавливаем из снепа
+
+```bash
+vault operator raft snapshot restore <snapshot-name>
+```
--- a/helm/vault/.circleci/config.yml
+++ b/helm/vault/.circleci/config.yml
@@ -1,97 +0,0 @@
-version: 2.1
-orbs:
-  slack: circleci/slack@3.4.2
-
-jobs:
-  bats-unit-test:
-    docker:
-      # This image is built from test/docker/Test.dockerfile
-      - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0
-    steps:
-      - checkout
-      - run: bats ./test/unit -t
-
-  chart-verifier:
-    docker:
-      - image: docker.mirror.hashicorp.services/cimg/go:1.16
-    environment:
-      BATS_VERSION: "1.3.0"
-      CHART_VERIFIER_VERSION: "1.2.1"
-    steps:
-      - checkout
-      - run:
-          name: install chart-verifier
-          command: go get github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}
-      - run:
-          name: install bats
-          command: |
-            curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz
-            tar -zxf /tmp/bats.tgz -C /tmp
-            sudo /bin/bash /tmp/bats-core-${BATS_VERSION}/install.sh /usr/local
-      - run:
-          name: run chart-verifier tests
-          command: bats ./test/chart -t
-
-  acceptance:
-    docker:
-      # This image is build from test/docker/Test.dockerfile
-      - image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0
-
-    steps:
-      - checkout
-      - run:
-          name: terraform init & apply
-          command: |
-            echo -e "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json
-            export GOOGLE_CREDENTIALS=vault-helm-test.json
-            make provision-cluster
-      - run:
-          name: Run acceptance tests
-          command: bats ./test/acceptance -t
-
-      - run:
-          name: terraform destroy
-          command: |
-            export GOOGLE_CREDENTIALS=vault-helm-test.json
-            make destroy-cluster
-          when: always
-  update-helm-charts-index:
-    docker:
-      - image: docker.mirror.hashicorp.services/circleci/golang:1.15.3
-    steps:
-      - checkout
-      - run:
-          name: verify Chart version matches tag version
-          command: |
-            GO111MODULE=on go get github.com/mikefarah/yq/v2
-            git_tag=$(echo "${CIRCLE_TAG#v}")
-            chart_tag=$(yq r Chart.yaml version)
-            if [ "${git_tag}" != "${chart_tag}" ]; then
-              echo "chart version (${chart_tag}) did not match git version (${git_tag})"
-              exit 1
-            fi
-      - run:
-          name: update helm-charts index
-          command: |
-            curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \
-                -X POST \
-                -H 'Content-Type: application/json' \
-                -H 'Accept: application/json' \
-                -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \
-                "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline"
-      - slack/status:
-          fail_only: true
-          failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}"
-
-workflows:
-  version: 2
-  # Note: unit and acceptance tests are now being run in GitHub Actions
-  update-helm-charts-index:
-    jobs:
-      - update-helm-charts-index:
-          context: helm-charts-trigger-vault
-          filters:
-            tags:
-              only: /^v.*/
-            branches:
-              ignore: /.*/
--- a/helm/vault/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/helm/vault/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,46 +0,0 @@
---
-name: Bug report
-about: Let us know about a bug!
-title: ''
-labels: bug
-assignees: ''
-
---
-
-<!-- Please reserve GitHub issues for bug reports and feature requests.
-
-For questions, the best place to get answers is on our [discussion forum](https://discuss.hashicorp.com/c/vault), as they will get more visibility from experienced users than the issue tracker.
-
-Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault Helm, _please responsibly disclose_ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).
-
-->
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**To Reproduce**
-Steps to reproduce the behavior:
-1. Install chart
-2. Run vault command
-3. See error (vault logs, etc.)
-
-Other useful info to include: vault pod logs, `kubectl describe statefulset vault` and `kubectl get statefulset vault -o yaml` output
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Environment**
-* Kubernetes version: 
-  * Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.):
-  * Other configuration options or runtime services (istio, etc.):
-* vault-helm version:
-
-Chart values:
-
-```yaml
-# Paste your user-supplied values here (`helm get values <release>`).
-# Be sure to scrub any sensitive values!
-```
-
-**Additional context**
-Add any other context about the problem here.
--- a/helm/vault/.github/ISSUE_TEMPLATE/config.yml
+++ b/helm/vault/.github/ISSUE_TEMPLATE/config.yml
@@ -1,4 +0,0 @@
-contact_links:
-  - name: Ask a question
-    url: https://discuss.hashicorp.com/c/vault
-    about: For increased visibility, please post questions on the discussion forum, and tag with `k8s`
--- a/helm/vault/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/helm/vault/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,20 +0,0 @@
---
-name: Feature request
-about: Suggest an idea for this project
-title: ''
-labels: enhancement
-assignees: ''
-
---
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.
--- a/helm/vault/.github/workflows/acceptance.yaml
+++ b/helm/vault/.github/workflows/acceptance.yaml
@@ -1,34 +0,0 @@
-name: Acceptance Tests
-
-on:
-  push:
-    branches:
-      - main
-  workflow_dispatch: {}
-
-jobs:
-  kind:
-    strategy:
-      fail-fast: false
-      matrix:
-        kind-k8s-version: [1.14.10, 1.19.11, 1.20.7, 1.21.2, 1.22.4]
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: Setup test tools
-        uses: ./.github/workflows/setup-test-tools
-
-      - name: Create K8s Kind Cluster
-        uses: helm/kind-action@v1.2.0
-        with:
-          config: test/kind/config.yaml
-          node_image: kindest/node:v${{ matrix.kind-k8s-version }}
-
-      # Skip CSI tests if K8s version < 1.16.x
-      - run: echo K8S_MINOR=$(kubectl version -o json | jq -r .serverVersion.minor) >> $GITHUB_ENV
-      - if: ${{ env.K8S_MINOR < 16 }}
-        run: echo "SKIP_CSI=true" >> $GITHUB_ENV
-
-      - run: bats ./test/acceptance -t
-        env:
-          VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
--- a/helm/vault/.github/workflows/jira.yaml
+++ b/helm/vault/.github/workflows/jira.yaml
@@ -1,72 +0,0 @@
-on:
-  issues:
-    types: [opened, closed, deleted, reopened]
-  pull_request_target:
-    types: [opened, closed, reopened]
-  issue_comment: # Also triggers when commenting on a PR from the conversation view
-    types: [created]
-
-name: Jira Sync
-
-jobs:
-  sync:
-    runs-on: ubuntu-latest
-    name: Jira sync
-    steps:
-    - name: Login
-      uses: atlassian/gajira-login@v2.0.0
-      env:
-        JIRA_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }}
-        JIRA_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }}
-        JIRA_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }}
-
-    - name: Preprocess
-      if: github.event.action == 'opened' || github.event.action == 'created'
-      id: preprocess
-      run: |
-        if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then
-          echo "::set-output name=type::PR"
-        else
-          echo "::set-output name=type::ISS"
-        fi
-
-    - name: Create ticket
-      if: github.event.action == 'opened'
-      uses: tomhjp/gh-action-jira-create@v0.2.0
-      with:
-        project: VAULT
-        issuetype: "GH Issue"
-        summary: "${{ github.event.repository.name }} [${{ steps.preprocess.outputs.type }} #${{ github.event.issue.number || github.event.pull_request.number }}]: ${{ github.event.issue.title || github.event.pull_request.title }}"
-        description: "${{ github.event.issue.body || github.event.pull_request.body }}\n\n_Created from GitHub Action for ${{ github.event.issue.html_url || github.event.pull_request.html_url }} from ${{ github.actor }}_"
-        # customfield_10089 is Issue Link custom field
-        # customfield_10091 is team custom field
-        extraFields: '{"fixVersions": [{"name": "TBD"}], "customfield_10091": ["ecosystem", "runtime"], "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}"}'
-
-    - name: Search
-      if: github.event.action != 'opened'
-      id: search
-      uses: tomhjp/gh-action-jira-search@v0.2.1
-      with:
-        # cf[10089] is Issue Link custom field
-        jql: 'project = "VAULT" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"'
-
-    - name: Sync comment
-      if: github.event.action == 'created' && steps.search.outputs.issue
-      uses: tomhjp/gh-action-jira-comment@v0.2.0
-      with:
-        issue: ${{ steps.search.outputs.issue }}
-        comment: "${{ github.actor }} ${{ github.event.review.state || 'commented' }}:\n\n${{ github.event.comment.body || github.event.review.body }}\n\n${{ github.event.comment.html_url || github.event.review.html_url }}"
-
-    - name: Close ticket
-      if: (github.event.action == 'closed' || github.event.action == 'deleted') && steps.search.outputs.issue
-      uses: atlassian/gajira-transition@v2.0.1
-      with:
-        issue: ${{ steps.search.outputs.issue }}
-        transition: Close
-
-    - name: Reopen ticket
-      if: github.event.action == 'reopened' && steps.search.outputs.issue
-      uses: atlassian/gajira-transition@v2.0.1
-      with:
-        issue: ${{ steps.search.outputs.issue }}
-        transition: "Pending Triage"
--- a/helm/vault/.github/workflows/setup-test-tools/action.yaml
+++ b/helm/vault/.github/workflows/setup-test-tools/action.yaml
@@ -1,18 +0,0 @@
-name: Setup common testing tools
-description: Install bats and python-yq
-
-runs:
-  using: "composite"
-  steps:
-    - uses: actions/setup-node@v2
-      with:
-        node-version: '14'
-    - run: npm install -g bats@${BATS_VERSION}
-      shell: bash
-      env:
-        BATS_VERSION: '1.5.0'
-    - run: bats -v
-      shell: bash
-    - uses: actions/setup-python@v2
-    - run: pip install yq
-      shell: bash
--- a/helm/vault/.github/workflows/tests.yaml
+++ b/helm/vault/.github/workflows/tests.yaml
@@ -1,25 +0,0 @@
-name: Tests
-
-on: [push, workflow_dispatch]
-
-jobs:
-  bats-unit-tests:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: ./.github/workflows/setup-test-tools
-      - run: bats ./test/unit -t
-
-  chart-verifier:
-    runs-on: ubuntu-latest
-    env:
-      CHART_VERIFIER_VERSION: '1.2.1'
-    steps:
-      - uses: actions/checkout@v2
-      - name: Setup test tools
-        uses: ./.github/workflows/setup-test-tools
-      - uses: actions/setup-go@v2
-        with:
-          go-version: '1.17.4'
-      - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}
-      - run: bats ./test/chart -t
--- a/helm/vault/.gitignore
+++ b/helm/vault/.gitignore
@@ -1,13 +0,0 @@
-.DS_Store
-.terraform/
-.terraform.tfstate*
-terraform.tfstate*
-terraform.tfvars
-values.dev.yaml
-vaul-helm-dev-creds.json
-./test/acceptance/vaul-helm-dev-creds.json
-./test/terraform/vaul-helm-dev-creds.json
-./test/unit/vaul-helm-dev-creds.json
-./test/acceptance/values.yaml
-./test/acceptance/values.yml
-.idea
--- a/helm/vault/.helmignore
+++ b/helm/vault/.helmignore
@@ -1,4 +1,29 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
 .git/
+.gitignore
 .terraform/
-bin/
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+
+# CI and test
+.circleci/
+.github/
+.gitlab-ci.yml
 test/
+scratch/
--- a/helm/vault/CHANGELOG.md
+++ b/helm/vault/CHANGELOG.md
@@ -1,5 +1,223 @@
 ## Unreleased

+## 0.29.1 (November 20, 2024)
+
+Bugs:
+* server: restore support for templated config [GH-1073](https://github.com/hashicorp/vault-helm/pull/1073)
+
+## 0.29.0 (November 7, 2024)
+
+KNOWN ISSUES:
+* Template support in server config stopped working [GH-1072](https://github.com/hashicorp/vault-helm/issues/1072)
+
+Changes:
+
+* Default `vault` version updated to 1.18.1
+* Default `vault-k8s` version updated to 1.5.0
+* Default `vault-csi-provider` version updated to 1.5.0
+* Tested with Kubernetes versions 1.27-1.31
+
+Features:
+
+* csi: Allow modification of the hostNetwork parameter on the DaemonSet [GH-1046](https://github.com/hashicorp/vault-helm/pull/1046)
+
+Bugs:
+
+* Properly handle JSON formatted server config [GH-1049](https://github.com/hashicorp/vault-helm/pull/1049)
+
+## 0.28.1 (July 11, 2024)
+
+Changes:
+
+* Default `vault` version updated to 1.17.2
+* Default `vault-k8s` version updated to 1.4.2
+* Default `vault-csi-provider` version updated to 1.4.3
+* Tested with Kubernetes versions 1.26-1.30
+
+Improvements:
+
+* Configurable `tlsConfig` and `authorization` for Prometheus ServiceMonitor [GH-1025](https://github.com/hashicorp/vault-helm/pull/1025)
+* Remove UPDATE from injector-mutating-webhook [GH-783](https://github.com/hashicorp/vault-helm/pull/783)
+* Add scope to mutating webhook [GH-1037](https://github.com/hashicorp/vault-helm/pull/1037)
+
+## 0.28.0 (April 8, 2024)
+
+Changes:
+
+* Default `vault` version updated to 1.16.1
+* Default `vault-k8s` version updated to 1.4.1
+* Default `vault-csi-provider` version updated to 1.4.2
+* Tested with Kubernetes versions 1.25-1.29
+
+Features:
+
+* server: Add annotation on config change [GH-1001](https://github.com/hashicorp/vault-helm/pull/1001)
+
+Bugs:
+
+* injector: add missing `get` `nodes` permission to ClusterRole [GH-1005](https://github.com/hashicorp/vault-helm/pull/1005)
+
+## 0.27.0 (November 16, 2023)
+
+Changes:
+
+* Default `vault` version updated to 1.15.2
+
+Features:
+
+* server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet [GH-965](https://github.com/hashicorp/vault-helm/pull/965)
+* server: Support setting labels on PVCs [GH-969](https://github.com/hashicorp/vault-helm/pull/969)
+* server: Support setting ingress rules for networkPolicy [GH-877](https://github.com/hashicorp/vault-helm/pull/877)
+
+Improvements:
+
+* Support exec in the server liveness probe [GH-971](https://github.com/hashicorp/vault-helm/pull/971)
+
+## 0.26.1 (October 30, 2023)
+
+Bugs:
+* Fix templating of `server.ha.replicas` when set via override file. The `0.26.0` chart would ignore `server.ha.replicas` and always deploy 3 server replicas when `server.ha.enabled=true` unless overridden by command line when issuing the helm command: `--set server.ha.replicas=<some_number>`. Fixed in [GH-961](https://github.com/hashicorp/vault-helm/pull/961)
+
+## 0.26.0 (October 27, 2023)
+
+Changes:
+* Default `vault` version updated to 1.15.1
+* Default `vault-k8s` version updated to 1.3.1
+* Default `vault-csi-provider` version updated to 1.4.1
+* Tested with Kubernetes versions 1.24-1.28
+* server: OpenShift default readiness probe returns 204 when uninitialized [GH-966](https://github.com/hashicorp/vault-helm/pull/966)
+
+Features:
+* server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833)
+* server: Support `hostAliases` for the StatefulSet pods [GH-955](https://github.com/hashicorp/vault-helm/pull/955)
+* server: Add `server.service.active.annotations` and `server.service.standby.annotations` [GH-896](https://github.com/hashicorp/vault-helm/pull/896)
+* server: Add long-lived service account token option [GH-923](https://github.com/hashicorp/vault-helm/pull/923)
+
+Bugs:
+* csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
+
+Improvements:
+* global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
+* server: use vault.fullname in Helm test [GH-912](https://github.com/hashicorp/vault-helm/pull/912)
+* server: Allow scaling HA replicas to zero [GH-943](https://github.com/hashicorp/vault-helm/pull/943)
+
+## 0.25.0 (June 26, 2023)
+
+Changes:
+* Latest Kubernetes version tested is now 1.27
+* server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902)
+* `vault` updated to 1.14.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
+* `vault-csi-provider` updated to 1.4.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
+
+Improvements:
+* CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862)
+* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798)
+* Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
+
+Bugs:
+* server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886)
+
+## 0.24.1 (April 17, 2023)
+
+Bugs:
+* csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions [GH-872](https://github.com/hashicorp/vault-helm/pull/872)
+
+## 0.24.0 (April 6, 2023)
+
+Changes:
+* Earliest Kubernetes version tested is now 1.22
+* `vault` updated to 1.13.1 [GH-863](https://github.com/hashicorp/vault-helm/pull/863)
+* `vault-k8s` updated to 1.2.1 [GH-868](https://github.com/hashicorp/vault-helm/pull/868)
+* `vault-csi-provider` updated to 1.3.0 [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
+
+Features:
+* server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841)
+* server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831)
+* injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852)
+* csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
+
+## 0.23.0 (November 28th, 2022)
+
+Changes:
+* `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
+* `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
+* `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
+
+Features:
+* server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806)
+* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
+* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
+* server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813)
+
+Bugs:
+* server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810)
+
+## 0.22.1 (October 26th, 2022)
+
+Changes:
+* `vault` updated to 1.12.0 [GH-803](https://github.com/hashicorp/vault-helm/pull/803)
+* `vault-k8s` updated to 1.0.1 [GH-803](https://github.com/hashicorp/vault-helm/pull/803)
+
+## 0.22.0 (September 8th, 2022)
+
+Features:
+* Add PrometheusOperator support for collecting Vault server metrics. [GH-772](https://github.com/hashicorp/vault-helm/pull/772)
+
+Changes:
+* `vault-k8s` to 1.0.0 [GH-784](https://github.com/hashicorp/vault-helm/pull/784)
+* Test against Kubernetes 1.25 [GH-784](https://github.com/hashicorp/vault-helm/pull/784)
+* `vault` updated to 1.11.3 [GH-785](https://github.com/hashicorp/vault-helm/pull/785)
+
+## 0.21.0 (August 10th, 2022)
+
+CHANGES:
+* `vault-k8s` updated to 0.17.0. [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
+* `vault-csi-provider` updated to 1.2.0 [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
+* `vault` updated to 1.11.2 [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
+* Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744)
+* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
+* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
+
+Features:
+* server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
+* csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
+* injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
+* Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610)
+* Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753)
+
+## 0.20.1 (May 25th, 2022)
+CHANGES:
+* `vault-k8s` updated to 0.16.1 [GH-739](https://github.com/hashicorp/vault-helm/pull/739)
+
+Improvements:
+* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
+
+Bugs:
+* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
+
+## 0.20.0 (May 16th, 2022)
+
+CHANGES:
+* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
+* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
+* Vault default image to 1.10.3
+* CSI provider default image to 1.1.0
+* Vault K8s default image to 0.16.0
+* Earliest Kubernetes version tested is now 1.16
+* Helm 3.6+ now required
+
+Features:
+* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652)
+
+Improvements:
+* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690)
+* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683)
+* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710)
+* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709)
+* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694)
+* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684)
+* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692)
+
 ## 0.19.0 (January 20th, 2022)

 CHANGES:
--- a/helm/vault/CODEOWNERS
+++ b/helm/vault/CODEOWNERS
@@ -0,0 +1 @@
+* @hashicorp/vault-ecosystem
--- a/helm/vault/Chart.yaml
+++ b/helm/vault/Chart.yaml
@@ -1,5 +1,7 @@
+annotations:
+  charts.openshift.io/name: HashiCorp Vault
 apiVersion: v2
-appVersion: 1.9.2
+appVersion: 1.18.1
 description: Official HashiCorp Vault Chart
 home: https://www.vaultproject.io
 icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
@@ -11,11 +13,11 @@ keywords:
 - management
 - automation
 - infrastructure
-kubeVersion: '>= 1.14.0-0'
+kubeVersion: '>= 1.20.0-0'
 name: vault
 sources:
 - https://github.com/hashicorp/vault
 - https://github.com/hashicorp/vault-helm
 - https://github.com/hashicorp/vault-k8s
 - https://github.com/hashicorp/vault-csi-provider
-version: 0.19.0
+version: 0.29.1
--- a/helm/vault/LICENSE.md
+++ b/helm/vault/LICENSE.md
@@ -1,3 +1,5 @@
+Copyright (c) 2018 HashiCorp, Inc.
+
 Mozilla Public License, version 2.0

 1. Definitions
--- a/helm/vault/Makefile
+++ b/helm/vault/Makefile
@@ -14,7 +14,7 @@ LOCAL_ACCEPTANCE_TESTS?=false
 KIND_CLUSTER_NAME?=vault-helm

 # kind k8s version
-KIND_K8S_VERSION?=v1.20.2
+KIND_K8S_VERSION?=v1.31.2

 # Generate json schema for chart values. See test/README.md for more details.
 values-schema:
@@ -71,7 +71,7 @@ acceptance:
 ifneq ($(LOCAL_ACCEPTANCE_TESTS),true)
 	gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
 endif
-	bats test/${ACCEPTANCE_TESTS}
+	bats --tap --timing test/${ACCEPTANCE_TESTS}

 # this target is for provisioning the GKE cluster
 # it is run in the docker container above when the test-provision target is invoked
--- a/helm/vault/templates/NOTES.txt
+++ b/helm/vault/templates/NOTES.txt
@@ -4,7 +4,7 @@ Thank you for installing HashiCorp Vault!
 Now that you have deployed Vault, you should look over the docs on using
 Vault with Kubernetes available here:

-https://www.vaultproject.io/docs/
+https://developer.hashicorp.com/vault/docs


 Your release is named {{ .Release.Name }}. To learn more about the release, try:
--- a/helm/vault/templates/_helpers.tpl
+++ b/helm/vault/templates/_helpers.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to
@@ -31,6 +36,94 @@ Expand the name of the chart.
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}

+{{/*
+Allow the release namespace to be overridden
+*/}}
+{{- define "vault.namespace" -}}
+{{- default .Release.Namespace .Values.global.namespace -}}
+{{- end -}}
+
+{{/*
+Compute if the csi driver is enabled.
+*/}}
+{{- define "vault.csiEnabled" -}}
+{{- $_ := set . "csiEnabled" (or
+  (eq (.Values.csi.enabled | toString) "true")
+  (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
+{{/*
+Compute if the injector is enabled.
+*/}}
+{{- define "vault.injectorEnabled" -}}
+{{- $_ := set . "injectorEnabled" (or
+  (eq (.Values.injector.enabled | toString) "true")
+  (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
+{{/*
+Compute if the server is enabled.
+*/}}
+{{- define "vault.serverEnabled" -}}
+{{- $_ := set . "serverEnabled" (or
+  (eq (.Values.server.enabled | toString) "true")
+  (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
+{{/*
+Compute if the server serviceaccount is enabled.
+*/}}
+{{- define "vault.serverServiceAccountEnabled" -}}
+{{- $_ := set . "serverServiceAccountEnabled"
+  (and
+    (eq (.Values.server.serviceAccount.create | toString) "true" )
+    (or
+      (eq (.Values.server.enabled | toString) "true")
+      (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
+{{/*
+Compute if the server serviceaccount should have a token created and mounted to the serviceaccount.
+*/}}
+{{- define "vault.serverServiceAccountSecretCreationEnabled" -}}
+{{- $_ := set . "serverServiceAccountSecretCreationEnabled"
+  (and
+    (eq (.Values.server.serviceAccount.create | toString) "true")
+    (eq (.Values.server.serviceAccount.createSecret | toString) "true")) -}}
+{{- end -}}
+
+
+{{/*
+Compute if the server auth delegator serviceaccount is enabled.
+*/}}
+{{- define "vault.serverAuthDelegator" -}}
+{{- $_ := set . "serverAuthDelegator"
+  (and
+    (eq (.Values.server.authDelegator.enabled | toString) "true" )
+    (or (eq (.Values.server.serviceAccount.create | toString) "true")
+        (not (eq .Values.server.serviceAccount.name "")))
+    (or
+      (eq (.Values.server.enabled | toString) "true")
+      (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
+{{/*
+Compute if the server service is enabled.
+*/}}
+{{- define "vault.serverServiceEnabled" -}}
+{{- template "vault.serverEnabled" . -}}
+{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
+{{- end -}}
+
+{{/*
+Compute if the ui is enabled.
+*/}}
+{{- define "vault.uiEnabled" -}}
+{{- $_ := set . "uiEnabled" (or
+  (eq (.Values.ui.enabled | toString) "true")
+  (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
+{{- end -}}
+
 {{/*
 Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
 This defaults to (n/2)-1 where n is the number of members of the server cluster.
@@ -51,9 +144,10 @@ Set the variable 'mode' to the server mode requested by the user to simplify
 template logic.
 */}}
 {{- define "vault.mode" -}}
-  {{- if .Values.injector.externalVaultAddr -}}
+  {{- template "vault.serverEnabled" . -}}
+  {{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}}
    {{- $_ := set . "mode" "external" -}}
-  {{- else if ne (.Values.server.enabled | toString) "true" -}}
+  {{- else if not .serverEnabled -}}
    {{- $_ := set . "mode" "external" -}}
  {{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
    {{- $_ := set . "mode" "dev" -}}
@@ -73,7 +167,11 @@ Set's the replica count based on the different modes configured by user
  {{ if eq .mode "standalone" }}
    {{- default 1 -}}
  {{ else if eq .mode "ha" }}
-    {{- .Values.server.ha.replicas | default 3 -}}
+    {{- if or (kindIs "int64" .Values.server.ha.replicas) (kindIs "float64" .Values.server.ha.replicas) -}}
+      {{- .Values.server.ha.replicas -}}
+    {{ else }}
+      {{- 3 -}}
+    {{- end -}}
  {{ else }}
    {{- default 1 -}}
  {{ end }}
@@ -85,7 +183,7 @@ defined a custom configuration.  Additionally iterates over any
 extra volumes the user may have specified (such as a secret with TLS).
 */}}
 {{- define "vault.volumes" -}}
-  {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
+  {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config) (.Values.server.ha.raft.config)) }}
        - name: config
          configMap:
            name: {{ template "vault.fullname" . }}-config
@@ -188,9 +286,12 @@ storage might be desired by the user.
  {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }}
  volumeClaimTemplates:
      {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }}
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
        name: data
        {{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }}
+        {{- include "vault.dataVolumeClaim.labels" . | nindent 6 }}
      spec:
        accessModes:
          - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }}
@@ -202,9 +303,12 @@ storage might be desired by the user.
          {{- end }}
      {{ end }}
      {{- if eq (.Values.server.auditStorage.enabled | toString) "true" }}
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
        name: audit
        {{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }}
+        {{- include "vault.auditVolumeClaim.labels" . | nindent 6 }}
      spec:
        accessModes:
          - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }}
@@ -248,6 +352,37 @@ Sets the injector affinity for pod placement
  {{ end }}
 {{- end -}}

+{{/*
+Sets the topologySpreadConstraints when running in standalone and HA modes.
+*/}}
+{{- define "vault.topologySpreadConstraints" -}}
+  {{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{ $tp := typeOf .Values.server.topologySpreadConstraints }}
+        {{- if eq $tp "string" }}
+          {{- tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }}
+        {{- else }}
+          {{- toYaml .Values.server.topologySpreadConstraints | nindent 8 }}
+        {{- end }}
+  {{ end }}
+{{- end -}}
+
+
+{{/*
+Sets the injector topologySpreadConstraints for pod placement
+*/}}
+{{- define "injector.topologySpreadConstraints" -}}
+  {{- if .Values.injector.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{ $tp := typeOf .Values.injector.topologySpreadConstraints }}
+        {{- if eq $tp "string" }}
+          {{- tpl .Values.injector.topologySpreadConstraints . | nindent 8 | trim }}
+        {{- else }}
+          {{- toYaml .Values.injector.topologySpreadConstraints | nindent 8 }}
+        {{- end }}
+  {{ end }}
+{{- end -}}
+
 {{/*
 Sets the toleration for pod placement when running in standalone and HA modes.
 */}}
@@ -326,9 +461,12 @@ Sets the injector deployment update strategy
 {{/*
 Sets extra pod annotations
 */}}
-{{- define "vault.annotations" -}}
-  {{- if .Values.server.annotations }}
+{{- define "vault.annotations" }}
      annotations:
+  {{- if .Values.server.includeConfigAnnotation }}
+        vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }}
+  {{- end }}
+  {{- if .Values.server.annotations }}
        {{- $tp := typeOf .Values.server.annotations }}
        {{- if eq $tp "string" }}
          {{- tpl .Values.server.annotations . | nindent 8 }}
@@ -369,20 +507,133 @@ Sets extra injector service annotations
 {{- end -}}

 {{/*
-Sets extra injector webhook annotations
+securityContext for the injector pod level.
 */}}
-{{- define "injector.webhookAnnotations" -}}
-  {{- if .Values.injector.webhookAnnotations }}
+{{- define "injector.securityContext.pod" -}}
+  {{- if .Values.injector.securityContext.pod }}
+      securityContext:
+        {{- $tp := typeOf .Values.injector.securityContext.pod }}
+        {{- if eq $tp "string" }}
+          {{- tpl .Values.injector.securityContext.pod . | nindent 8 }}
+        {{- else }}
+          {{- toYaml .Values.injector.securityContext.pod | nindent 8 }}
+        {{- end }}
+  {{- else if not .Values.global.openshift }}
+      securityContext:
+        runAsNonRoot: true
+        runAsGroup: {{ .Values.injector.gid | default 1000 }}
+        runAsUser: {{ .Values.injector.uid | default 100 }}
+        fsGroup: {{ .Values.injector.gid | default 1000 }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+securityContext for the injector container level.
+*/}}
+{{- define "injector.securityContext.container" -}}
+  {{- if .Values.injector.securityContext.container}}
+          securityContext:
+            {{- $tp := typeOf .Values.injector.securityContext.container }}
+            {{- if eq $tp "string" }}
+              {{- tpl .Values.injector.securityContext.container . | nindent 12 }}
+            {{- else }}
+              {{- toYaml .Values.injector.securityContext.container | nindent 12 }}
+            {{- end }}
+  {{- else if not .Values.global.openshift }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+  {{- end }}
+{{- end -}}
+
+{{/*
+securityContext for the statefulset pod template.
+*/}}
+{{- define "server.statefulSet.securityContext.pod" -}}
+  {{- if .Values.server.statefulSet.securityContext.pod }}
+      securityContext:
+        {{- $tp := typeOf .Values.server.statefulSet.securityContext.pod }}
+        {{- if eq $tp "string" }}
+          {{- tpl .Values.server.statefulSet.securityContext.pod . | nindent 8 }}
+        {{- else }}
+          {{- toYaml .Values.server.statefulSet.securityContext.pod | nindent 8 }}
+        {{- end }}
+  {{- else if not .Values.global.openshift }}
+      securityContext:
+        runAsNonRoot: true
+        runAsGroup: {{ .Values.server.gid | default 1000 }}
+        runAsUser: {{ .Values.server.uid | default 100 }}
+        fsGroup: {{ .Values.server.gid | default 1000 }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+securityContext for the statefulset vault container
+*/}}
+{{- define "server.statefulSet.securityContext.container" -}}
+  {{- if .Values.server.statefulSet.securityContext.container }}
+          securityContext:
+            {{- $tp := typeOf .Values.server.statefulSet.securityContext.container }}
+            {{- if eq $tp "string" }}
+              {{- tpl .Values.server.statefulSet.securityContext.container . | nindent 12 }}
+            {{- else }}
+              {{- toYaml .Values.server.statefulSet.securityContext.container | nindent 12 }}
+            {{- end }}
+  {{- else if not .Values.global.openshift }}
+          securityContext:
+            allowPrivilegeEscalation: false
+  {{- end }}
+{{- end -}}
+
+
+{{/*
+Sets extra injector service account annotations
+*/}}
+{{- define "injector.serviceAccount.annotations" -}}
+  {{- if and (ne .mode "dev") .Values.injector.serviceAccount.annotations }}
  annotations:
-    {{- $tp := typeOf .Values.injector.webhookAnnotations }}
+    {{- $tp := typeOf .Values.injector.serviceAccount.annotations }}
    {{- if eq $tp "string" }}
-      {{- tpl .Values.injector.webhookAnnotations . | nindent 4 }}
+      {{- tpl .Values.injector.serviceAccount.annotations . | nindent 4 }}
    {{- else }}
-      {{- toYaml .Values.injector.webhookAnnotations | nindent 4 }}
+      {{- toYaml .Values.injector.serviceAccount.annotations | nindent 4 }}
    {{- end }}
  {{- end }}
 {{- end -}}

+{{/*
+Sets extra injector webhook annotations
+*/}}
+{{- define "injector.webhookAnnotations" -}}
+  {{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)  }}
+  annotations:
+    {{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }}
+    {{- if eq $tp "string" }}
+      {{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }}
+    {{- else }}
+      {{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+Set's the injector webhook objectSelector
+*/}}
+{{- define "injector.objectSelector" -}}
+  {{- $v := or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) -}}
+  {{ if $v }}
+    objectSelector:
+    {{- $tp := typeOf $v -}}
+    {{ if eq $tp "string" }}
+      {{ tpl $v . | indent 6 | trim }}
+    {{ else }}
+      {{ toYaml $v | indent 6 | trim }}
+    {{ end }}
+  {{ end }}
+{{ end }}
+
 {{/*
 Sets extra ui service annotations
 */}}
@@ -468,6 +719,33 @@ Sets extra vault server Service annotations
  {{- end }}
 {{- end -}}

+{{/*
+Sets extra vault server Service (active) annotations
+*/}}
+{{- define "vault.service.active.annotations" -}}
+  {{- if .Values.server.service.active.annotations }}
+    {{- $tp := typeOf .Values.server.service.active.annotations }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.server.service.active.annotations . | nindent 4 }}
+    {{- else }}
+      {{- toYaml .Values.server.service.active.annotations | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+{{/*
+Sets extra vault server Service annotations
+*/}}
+{{- define "vault.service.standby.annotations" -}}
+  {{- if .Values.server.service.standby.annotations }}
+    {{- $tp := typeOf .Values.server.service.standby.annotations }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.server.service.standby.annotations . | nindent 4 }}
+    {{- else }}
+      {{- toYaml .Values.server.service.standby.annotations | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
 {{/*
 Sets PodSecurityPolicy annotations
 */}}
@@ -513,6 +791,21 @@ Sets VolumeClaim annotations for data volume
  {{- end }}
 {{- end -}}

+{{/*
+Sets VolumeClaim labels for data volume
+*/}}
+{{- define "vault.dataVolumeClaim.labels" -}}
+  {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }}
+  labels:
+    {{- $tp := typeOf .Values.server.dataStorage.labels }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.server.dataStorage.labels . | nindent 4 }}
+    {{- else }}
+      {{- toYaml .Values.server.dataStorage.labels | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
 {{/*
 Sets VolumeClaim annotations for audit volume
 */}}
@@ -528,6 +821,21 @@ Sets VolumeClaim annotations for audit volume
  {{- end }}
 {{- end -}}

+{{/*
+Sets VolumeClaim labels for audit volume
+*/}}
+{{- define "vault.auditVolumeClaim.labels" -}}
+  {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }}
+  labels:
+    {{- $tp := typeOf .Values.server.auditStorage.labels }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.server.auditStorage.labels . | nindent 4 }}
+    {{- else }}
+      {{- toYaml .Values.server.auditStorage.labels | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
 {{/*
 Set's the container resources if the user has set any.
 */}}
@@ -558,6 +866,16 @@ Sets the container resources if the user has set any.
  {{ end }}
 {{- end -}}

+{{/*
+Sets the container resources for CSI's Agent sidecar if the user has set any.
+*/}}
+{{- define "csi.agent.resources" -}}
+  {{- if .Values.csi.agent.resources -}}
+          resources:
+{{ toYaml .Values.csi.agent.resources | indent 12}}
+  {{ end }}
+{{- end -}}
+
 {{/*
 Sets extra CSI daemonset annotations
 */}}
@@ -573,6 +891,37 @@ Sets extra CSI daemonset annotations
  {{- end }}
 {{- end -}}

+{{/*
+Sets CSI daemonset securityContext for pod template
+*/}}
+{{- define "csi.daemonSet.securityContext.pod" -}}
+  {{- if .Values.csi.daemonSet.securityContext.pod }}
+      securityContext:
+    {{- $tp := typeOf .Values.csi.daemonSet.securityContext.pod }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.csi.daemonSet.securityContext.pod . | nindent 8 }}
+    {{- else }}
+      {{- toYaml .Values.csi.daemonSet.securityContext.pod | nindent 8 }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+Sets CSI daemonset securityContext for container
+*/}}
+{{- define "csi.daemonSet.securityContext.container" -}}
+  {{- if .Values.csi.daemonSet.securityContext.container }}
+          securityContext:
+    {{- $tp := typeOf .Values.csi.daemonSet.securityContext.container }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.csi.daemonSet.securityContext.container . | nindent 12 }}
+    {{- else }}
+      {{- toYaml .Values.csi.daemonSet.securityContext.container | nindent 12 }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
+
 {{/*
 Sets the injector toleration for pod placement
 */}}
@@ -588,6 +937,34 @@ Sets the injector toleration for pod placement
  {{- end }}
 {{- end -}}

+{{/*
+Sets the CSI provider nodeSelector for pod placement
+*/}}
+{{- define "csi.pod.nodeselector" -}}
+  {{- if .Values.csi.pod.nodeSelector }}
+      nodeSelector:
+      {{- $tp := typeOf .Values.csi.pod.nodeSelector }}
+      {{- if eq $tp "string" }}
+        {{ tpl .Values.csi.pod.nodeSelector . | nindent 8 | trim }}
+      {{- else }}
+        {{- toYaml .Values.csi.pod.nodeSelector | nindent 8 }}
+      {{- end }}
+  {{- end }}
+{{- end -}}
+{{/*
+Sets the CSI provider affinity for pod placement.
+*/}}
+{{- define "csi.pod.affinity" -}}
+  {{- if .Values.csi.pod.affinity }}
+      affinity:
+        {{ $tp := typeOf .Values.csi.pod.affinity }}
+        {{- if eq $tp "string" }}
+          {{- tpl .Values.csi.pod.affinity . | nindent 8 | trim }}
+        {{- else }}
+          {{- toYaml .Values.csi.pod.affinity | nindent 8 }}
+        {{- end }}
+  {{ end }}
+{{- end -}}
 {{/*
 Sets extra CSI provider pod annotations
 */}}
@@ -705,3 +1082,37 @@ Supported inputs are Values.ui
 {{- end -}}
 {{- end }}
 {{- end -}}
+
+{{/*
+config file from values
+*/}}
+{{- define "vault.config" -}}
+{{- if or (eq .mode "ha") (eq .mode "standalone") }}
+{{- $config := (index .Values.server .mode).config -}}
+{{- if .Values.server.ha.raft.enabled -}}
+{{- $config = .Values.server.ha.raft.config -}}
+{{- end -}}
+{{- $type := typeOf $config -}}
+{{- if eq $type "string" -}}
+{{/* Vault supports both HCL and JSON as its configuration format */}}
+{{- $json := tpl $config . | fromJson -}}
+{{/*
+Helm's fromJson does not behave according to the corresponding sprig function nor Helm docs,
+which claim that it should return empty string on invalid JSON, it actually returns
+a map containing a single 'Error' element.
+https://github.com/helm/helm/blob/50c22ed7f953fadb32755e5881ba95a92da852b2/pkg/engine/funcs.go#L158
+ */}}
+{{- if or (and (eq ($json | len) 1) (hasKey $json "Error")) (eq ($json | len) 0) -}}
+{{- $config = printf "%s\n%s" $config "disable_mlock = true" -}}
+{{- else -}}
+{{- if not (hasKey $json "disable_mlock") -}}
+{{- $_ := set $json "disable_mlock" true -}}
+{{- end -}}
+{{- $config = $json | mustToJson -}}
+{{- end -}}
+{{- else }}
+{{- fail "structured server config is not supported, value must be a string"}}
+{{- end }}
+{{- tpl $config . | nindent 4 | trim }}
+{{- end -}}
+{{- end -}}
--- a/helm/vault/templates/csi-agent-configmap.yaml
+++ b/helm/vault/templates/csi-agent-configmap.yaml
@@ -0,0 +1,34 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.csiEnabled" . -}}
+{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "vault.fullname" . }}-csi-provider-agent-config
+  namespace: {{ include "vault.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+data:
+  config.hcl: |
+    vault {
+        {{- if .Values.global.externalVaultAddr }}
+        "address" = "{{ .Values.global.externalVaultAddr }}"
+        {{- else }}
+        "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}"
+        {{- end }}
+    }
+
+    cache {}
+
+    listener "unix" {
+        address = "/var/run/vault/agent.sock"
+        tls_disable = true
+    }
+{{- end }}
--- a/helm/vault/templates/csi-clusterrole.yaml
+++ b/helm/vault/templates/csi-clusterrole.yaml
@@ -1,4 +1,10 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
--- a/helm/vault/templates/csi-clusterrolebinding.yaml
+++ b/helm/vault/templates/csi-clusterrolebinding.yaml
@@ -1,4 +1,10 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -14,5 +20,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ template "vault.fullname" . }}-csi-provider
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
 {{- end }}
--- a/helm/vault/templates/csi-daemonset.yaml
+++ b/helm/vault/templates/csi-daemonset.yaml
@@ -1,13 +1,22 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: {{ template "vault.fullname" . }}-csi-provider
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- if  .Values.csi.daemonSet.extraLabels -}}
+      {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}}
+    {{- end -}}
  {{ template "csi.daemonSet.annotations" . }}
 spec:
  updateStrategy:
@@ -25,30 +34,57 @@ spec:
      labels:
        app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
        app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- if  .Values.csi.pod.extraLabels -}}
+          {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
+        {{- end -}}
      {{ template "csi.pod.annotations" . }}
    spec:
+      {{ template "csi.daemonSet.securityContext.pod" . }}
      {{- if .Values.csi.priorityClassName }}
      priorityClassName: {{ .Values.csi.priorityClassName }}
      {{- end }}
+      hostNetwork: {{ .Values.csi.hostNetwork }}
      serviceAccountName: {{ template "vault.fullname" . }}-csi-provider
      {{- template "csi.pod.tolerations" . }}
+      {{- template "csi.pod.nodeselector" . }}
+      {{- template "csi.pod.affinity" . }}
      containers:
        - name: {{ include "vault.name" . }}-csi-provider
          {{ template "csi.resources" . }}
+          {{ template "csi.daemonSet.securityContext.container" . }}
          image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
          imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
          args:
            - --endpoint=/provider/vault.sock
-            - --debug={{ .Values.csi.debug }}
+            {{- if .Values.csi.debug }}
+            - --log-level=debug
+            {{- else }}
+            - --log-level={{ .Values.csi.logLevel }}
+            {{- end }}
+            {{- if .Values.csi.hmacSecretName }}
+            - --hmac-secret-name={{ .Values.csi.hmacSecretName }}
+            {{- else }}
+            - --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key
+            {{- end }}
            {{- if .Values.csi.extraArgs }}
-              {{- toYaml .Values.csi.extraArgs | nindent 12 }}
+            {{- toYaml .Values.csi.extraArgs | nindent 12 }}
+            {{- end }}
+          env:
+            - name: VAULT_ADDR
+            {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
+              value: "unix:///var/run/vault/agent.sock"
+            {{- else if .Values.global.externalVaultAddr }}
+              value: "{{ .Values.global.externalVaultAddr }}"
+            {{- else }}
+              value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
            {{- end }}
          volumeMounts:
            - name: providervol
              mountPath: "/provider"
-            - name: mountpoint-dir
-              mountPath: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods
-              mountPropagation: HostToContainer
+            {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
+            - name: agent-unix-socket
+              mountPath: /var/run/vault
+            {{- end }}
            {{- if .Values.csi.volumeMounts }}
              {{- toYaml .Values.csi.volumeMounts | nindent 12}}
            {{- end }}
@@ -70,15 +106,57 @@ spec:
            periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }}
            successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
            timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
+        {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
+        - name: {{ include "vault.name" . }}-agent
+          image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
+          imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }}
+          {{ template "csi.agent.resources" . }}
+          command:
+            - vault
+          args:
+            - agent
+            - -config=/etc/vault/config.hcl
+            {{- if .Values.csi.agent.extraArgs }}
+            {{- toYaml .Values.csi.agent.extraArgs | nindent 12 }}
+            {{- end }}
+          ports:
+            - containerPort: 8200
+          env:
+            - name: VAULT_LOG_LEVEL
+              value: "{{ .Values.csi.agent.logLevel }}"
+            - name: VAULT_LOG_FORMAT
+              value: "{{ .Values.csi.agent.logFormat }}"
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsUser: 100
+            runAsGroup: 1000
+          volumeMounts:
+            - name: agent-config
+              mountPath: /etc/vault/config.hcl
+              subPath: config.hcl
+              readOnly: true
+            - name: agent-unix-socket
+              mountPath: /var/run/vault
+            {{- if .Values.csi.volumeMounts }}
+            {{- toYaml .Values.csi.volumeMounts | nindent 12 }}
+            {{- end }}
+        {{- end }}
      volumes:
        - name: providervol
          hostPath:
            path: {{ .Values.csi.daemonSet.providersDir }}
-        - name: mountpoint-dir
-          hostPath:
-            path: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods
-       {{- if .Values.csi.volumes }}
-         {{- toYaml .Values.csi.volumes | nindent 8}}
-       {{- end }}
+        {{- if eq (.Values.csi.agent.enabled | toString) "true" }}
+        - name: agent-config
+          configMap:
+            name: {{ template "vault.fullname" . }}-csi-provider-agent-config
+        - name: agent-unix-socket
+          emptyDir:
+            medium: Memory
+        {{- end }}
+        {{- if .Values.csi.volumes }}
+        {{- toYaml .Values.csi.volumes | nindent 8}}
+        {{- end }}
      {{- include "imagePullSecrets" . | nindent 6 }}
 {{- end }}
--- a/helm/vault/templates/csi-role.yaml
+++ b/helm/vault/templates/csi-role.yaml
@@ -0,0 +1,32 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "vault.fullname" . }}-csi-provider-role
+  namespace: {{ include "vault.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get"]
+  resourceNames:
+    {{- if .Values.csi.hmacSecretName }}
+    - {{ .Values.csi.hmacSecretName }}
+    {{- else }}
+    - {{ include "vault.name" . }}-csi-provider-hmac-key
+    {{- end }}
+# 'create' permissions cannot be restricted by resource name:
+# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+{{- end }}
--- a/helm/vault/templates/csi-rolebinding.yaml
+++ b/helm/vault/templates/csi-rolebinding.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "vault.fullname" . }}-csi-provider-rolebinding
+  namespace: {{ include "vault.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "vault.fullname" . }}-csi-provider-role
+subjects:
+- kind: ServiceAccount
+  name: {{ template "vault.fullname" . }}-csi-provider
+  namespace: {{ include "vault.namespace" . }}
+{{- end }}
--- a/helm/vault/templates/csi-serviceaccount.yaml
+++ b/helm/vault/templates/csi-serviceaccount.yaml
@@ -1,12 +1,21 @@
-{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ template "vault.fullname" . }}-csi-provider
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- if  .Values.csi.serviceAccount.extraLabels -}}
+      {{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}}
+    {{- end -}}
  {{ template "csi.serviceAccount.annotations" . }}
 {{- end }}
--- a/helm/vault/templates/injector-certs-secret.yaml
+++ b/helm/vault/templates/injector-certs-secret.yaml
@@ -1,10 +1,19 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: vault-injector-certs
+  namespace: {{ include "vault.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
+{{- end }}
--- a/helm/vault/templates/injector-clusterrole.yaml
+++ b/helm/vault/templates/injector-clusterrole.yaml
@@ -1,4 +1,10 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -10,9 +16,15 @@ metadata:
 rules:
 - apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
-  verbs: 
+  verbs:
    - "get"
    - "list"
    - "watch"
    - "patch"
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs:
+    - "get"
+{{ end }}
 {{ end }}
--- a/helm/vault/templates/injector-clusterrolebinding.yaml
+++ b/helm/vault/templates/injector-clusterrolebinding.yaml
@@ -1,4 +1,10 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -14,5 +20,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ template "vault.fullname" . }}-agent-injector
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
 {{ end }}
--- a/helm/vault/templates/injector-deployment.yaml
+++ b/helm/vault/templates/injector-deployment.yaml
@@ -1,10 +1,16 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 # Deployment for the injector
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ template "vault.fullname" . }}-agent-injector
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
@@ -30,38 +36,35 @@ spec:
      {{ template "injector.annotations" . }}
    spec:
      {{ template "injector.affinity" . }}
+      {{ template "injector.topologySpreadConstraints" . }}
      {{ template "injector.tolerations" . }}
      {{ template "injector.nodeselector" . }}
      {{- if .Values.injector.priorityClassName }}
      priorityClassName: {{ .Values.injector.priorityClassName }}
      {{- end }}
      serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
+      {{ template "injector.securityContext.pod" . -}}
      {{- if not .Values.global.openshift }}
      hostNetwork: {{ .Values.injector.hostNetwork }}
-      securityContext:
-        runAsNonRoot: true
-        runAsGroup: {{ .Values.injector.gid | default 1000 }}
-        runAsUser: {{ .Values.injector.uid | default 100 }}
      {{- end }}
      containers:
        - name: sidecar-injector
          {{ template "injector.resources" . }}
          image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
          imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
-          {{- if not .Values.global.openshift }}
-          securityContext:
-            allowPrivilegeEscalation: false
-          {{- end }}
+          {{- template "injector.securityContext.container" . }}
          env:
            - name: AGENT_INJECT_LISTEN
              value: {{ printf ":%v" .Values.injector.port  }}
            - name: AGENT_INJECT_LOG_LEVEL
              value: {{ .Values.injector.logLevel | default "info" }}
            - name: AGENT_INJECT_VAULT_ADDR
-            {{- if .Values.injector.externalVaultAddr }}
+            {{- if .Values.global.externalVaultAddr }}
+              value: "{{ .Values.global.externalVaultAddr }}"
+            {{- else if .Values.injector.externalVaultAddr }}
              value: "{{ .Values.injector.externalVaultAddr }}"
            {{- else }}
-              value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
+              value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
            {{- end }}
            - name: AGENT_INJECT_VAULT_AUTH_PATH
              value: {{ .Values.injector.authPath }}
@@ -76,7 +79,7 @@ spec:
            - name: AGENT_INJECT_TLS_AUTO
              value: {{ template "vault.fullname" . }}-agent-injector-cfg
            - name: AGENT_INJECT_TLS_AUTO_HOSTS
-              value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc
+              value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }}.svc
            {{- end }}
            - name: AGENT_INJECT_LOG_FORMAT
              value: {{ .Values.injector.logFormat | default "standard" }}
@@ -106,6 +109,14 @@ spec:
              value: "{{ .Values.injector.agentDefaults.memRequest }}"
            - name: AGENT_INJECT_MEM_LIMIT
              value: "{{ .Values.injector.agentDefaults.memLimit }}"
+            {{- if .Values.injector.agentDefaults.ephemeralRequest }}
+            - name: AGENT_INJECT_EPHEMERAL_REQUEST
+              value: "{{ .Values.injector.agentDefaults.ephemeralRequest }}"
+            {{- end }}
+            {{- if .Values.injector.agentDefaults.ephemeralLimit }}
+            - name: AGENT_INJECT_EPHEMERAL_LIMIT
+              value: "{{ .Values.injector.agentDefaults.ephemeralLimit }}"
+            {{- end }}
            - name: AGENT_INJECT_DEFAULT_TEMPLATE
              value: "{{ .Values.injector.agentDefaults.template }}"
            - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE
@@ -127,21 +138,31 @@ spec:
              path: /health/ready
              port: {{ .Values.injector.port }}
              scheme: HTTPS
-            failureThreshold: 2
-            initialDelaySeconds: 5
-            periodSeconds: 2
-            successThreshold: 1
-            timeoutSeconds: 5
+            failureThreshold: {{ .Values.injector.livenessProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.injector.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.injector.livenessProbe.periodSeconds }}
+            successThreshold: {{ .Values.injector.livenessProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.injector.livenessProbe.timeoutSeconds }}
          readinessProbe:
            httpGet:
              path: /health/ready
              port: {{ .Values.injector.port }}
              scheme: HTTPS
-            failureThreshold: 2
-            initialDelaySeconds: 5
-            periodSeconds: 2
-            successThreshold: 1
-            timeoutSeconds: 5
+            failureThreshold: {{ .Values.injector.readinessProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.injector.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.injector.readinessProbe.periodSeconds }}
+            successThreshold: {{ .Values.injector.readinessProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.injector.readinessProbe.timeoutSeconds }}
+          startupProbe:
+            httpGet:
+              path: /health/ready
+              port: {{ .Values.injector.port }}
+              scheme: HTTPS
+            failureThreshold: {{ .Values.injector.startupProbe.failureThreshold }}
+            initialDelaySeconds: {{ .Values.injector.startupProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }}
+            successThreshold: {{ .Values.injector.startupProbe.successThreshold }}
+            timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }}
 {{- if .Values.injector.certs.secretName }}
          volumeMounts:
            - name: webhook-certs
--- a/helm/vault/templates/injector-disruptionbudget.yaml
+++ b/helm/vault/templates/injector-disruptionbudget.yaml
@@ -1,9 +1,14 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{- if .Values.injector.podDisruptionBudget }}
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
  name: {{ template "vault.fullname" . }}-agent-injector
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
--- a/helm/vault/templates/injector-mutating-webhook.yaml
+++ b/helm/vault/templates/injector-mutating-webhook.yaml
@@ -1,4 +1,10 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
 apiVersion: admissionregistration.k8s.io/v1
 {{- else }}
@@ -14,30 +20,26 @@ metadata:
  {{- template "injector.webhookAnnotations" . }}
 webhooks:
  - name: vault.hashicorp.com
+    failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}
+    matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }}
    sideEffects: None
-    admissionReviewVersions:
-    - "v1beta1"
-    - "v1"
+    timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }}
+    admissionReviewVersions: ["v1", "v1beta1"]
    clientConfig:
      service:
        name: {{ template "vault.fullname" . }}-agent-injector-svc
-        namespace: {{ .Release.Namespace }}
+        namespace: {{ include "vault.namespace" . }}
        path: "/mutate"
      caBundle: {{ .Values.injector.certs.caBundle | quote }}
    rules:
-      - operations: ["CREATE", "UPDATE"]
+      - operations: ["CREATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
-{{- if .Values.injector.namespaceSelector }}
+        scope: "Namespaced"
+{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }}
    namespaceSelector:
-{{ toYaml .Values.injector.namespaceSelector | indent 6}}
-{{ end }}
-{{- if .Values.injector.objectSelector }}
-    objectSelector:
-{{ toYaml .Values.injector.objectSelector | indent 6}}
-{{ end }}
-{{- with .Values.injector.failurePolicy }}
-    failurePolicy: {{.}}
+{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
 {{ end }}
+{{- template "injector.objectSelector" . -}}
 {{ end }}
--- a/helm/vault/templates/injector-network-policy.yaml
+++ b/helm/vault/templates/injector-network-policy.yaml
@@ -1,4 +1,11 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.openshift | toString) "true" }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -19,3 +26,4 @@ spec:
      - port: 8080
        protocol: TCP
 {{ end }}
+{{ end }}
--- a/helm/vault/templates/injector-psp-role.yaml
+++ b/helm/vault/templates/injector-psp-role.yaml
@@ -1,9 +1,16 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.psp.enable | toString) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ template "vault.fullname" . }}-agent-injector-psp
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
@@ -15,3 +22,4 @@ rules:
  resourceNames:
    - {{ template "vault.fullname" . }}-agent-injector
 {{- end }}
+{{- end }}
--- a/helm/vault/templates/injector-psp-rolebinding.yaml
+++ b/helm/vault/templates/injector-psp-rolebinding.yaml
@@ -1,9 +1,16 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.psp.enable | toString) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ template "vault.fullname" . }}-agent-injector-psp
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
@@ -16,3 +23,4 @@ subjects:
  - kind: ServiceAccount
    name: {{ template "vault.fullname" . }}-agent-injector
 {{- end }}
+{{- end }}
--- a/helm/vault/templates/injector-psp.yaml
+++ b/helm/vault/templates/injector-psp.yaml
@@ -1,5 +1,12 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
-apiVersion: policy/v1
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if eq (.Values.global.psp.enable | toString) "true" }}
+apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: {{ template "vault.fullname" . }}-agent-injector
@@ -41,3 +48,4 @@ spec:
        max: 65535
  readOnlyRootFilesystem: false
 {{- end }}
+{{- end }}
--- a/helm/vault/templates/injector-role.yaml
+++ b/helm/vault/templates/injector-role.yaml
@@ -1,8 +1,16 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
+  namespace: {{ include "vault.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
@@ -23,3 +31,4 @@ rules:
      - "patch"
      - "delete"
 {{- end }}
+{{- end }}
--- a/helm/vault/templates/injector-rolebinding.yaml
+++ b/helm/vault/templates/injector-rolebinding.yaml
@@ -1,8 +1,16 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding
+  namespace: {{ include "vault.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
@@ -14,5 +22,6 @@ roleRef:
 subjects:
  - kind: ServiceAccount
    name: {{ template "vault.fullname" . }}-agent-injector
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "vault.namespace" . }}
 {{- end }}
+{{- end }}
--- a/helm/vault/templates/injector-service.yaml
+++ b/helm/vault/templates/injector-service.yaml
@@ -1,9 +1,15 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "vault.fullname" . }}-agent-injector-svc
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
--- a/helm/vault/templates/injector-serviceaccount.yaml
+++ b/helm/vault/templates/injector-serviceaccount.yaml
@@ -1,11 +1,18 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.injectorEnabled" . -}}
+{{- if .injectorEnabled -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ template "vault.fullname" . }}-agent-injector
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  {{ template "injector.serviceAccount.annotations" . }}
 {{ end }}
--- a/helm/vault/templates/prometheus-prometheusrules.yaml
+++ b/helm/vault/templates/prometheus-prometheusrules.yaml
@@ -0,0 +1,31 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ if and (.Values.serverTelemetry.prometheusRules.rules)
+     (or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) )
+}}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ template "vault.fullname" . }}
+  labels:
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
+    {{- $selectors := .Values.serverTelemetry.prometheusRules.selectors }}
+    {{- if $selectors }}
+    {{- toYaml $selectors | nindent 4 }}
+    {{- else }}
+    release: prometheus
+    {{- end }}
+spec:
+  groups:
+  - name: {{ include "vault.fullname" . }}
+    rules:
+      {{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }}
+{{- end }}
--- a/helm/vault/templates/prometheus-servicemonitor.yaml
+++ b/helm/vault/templates/prometheus-servicemonitor.yaml
@@ -0,0 +1,58 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "vault.mode" . }}
+{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "vault.fullname" . }}
+  labels:
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
+    {{- $selectors := .Values.serverTelemetry.serviceMonitor.selectors }}
+    {{- if $selectors }}
+    {{- toYaml $selectors | nindent 4 }}
+    {{- else }}
+    release: prometheus
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "vault.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      {{- if eq .mode "ha" }}
+      vault-active: "true"
+      {{- else }}
+      vault-internal: "true"
+      {{- end }}
+  endpoints:
+  - port: {{ include "vault.scheme" . }}
+    interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
+    scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
+    scheme: {{ include "vault.scheme" . | lower }}
+    path: /v1/sys/metrics
+    params:
+      format:
+      - prometheus
+    {{- with .Values.serverTelemetry.serviceMonitor.tlsConfig }}
+    tlsConfig:
+    {{- toYaml . | nindent 6 }}
+    {{- else }}
+    tlsConfig:
+      insecureSkipVerify: true
+    {{- end }}
+    {{- with .Values.serverTelemetry.serviceMonitor.authorization }}
+    authorization:
+    {{- toYaml . | nindent 6 }}
+    {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ include "vault.namespace" . }}
+{{ end }}
--- a/helm/vault/templates/server-clusterrolebinding.yaml
+++ b/helm/vault/templates/server-clusterrolebinding.yaml
@@ -1,5 +1,10 @@
-{{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "vault.serverAuthDelegator" . }}
+{{- if .serverAuthDelegator -}}
 {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
 apiVersion: rbac.authorization.k8s.io/v1
 {{- else }}
@@ -20,5 +25,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ template "vault.serviceAccount.name" . }}
-  namespace: {{ .Release.Namespace }}
-{{ end }}
+  namespace: {{ include "vault.namespace" . }}
+{{ end }}
--- a/helm/vault/templates/server-config-configmap.yaml
+++ b/helm/vault/templates/server-config-configmap.yaml
@@ -1,38 +1,31 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}}
+{{- if .serverEnabled -}}
+{{- if ne .mode "dev" -}}
 {{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ template "vault.fullname" . }}-config
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.server.includeConfigAnnotation }}
+  annotations:
+    vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }}
+{{- end }}
 data:
  extraconfig-from-values.hcl: |-
-  {{- if or (eq .mode "ha") (eq .mode "standalone") }}
-  {{- $type := typeOf (index .Values.server .mode).config }}
-  {{- if eq $type "string" }}
-    disable_mlock = true
-  {{- if eq .mode "standalone" }}
-    {{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
-  {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }}
-    {{ tpl .Values.server.ha.config . | nindent 4 | trim }}
-  {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
-    {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }}
-  {{ end }}
-  {{- else }}
-  {{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
-{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }}
-  {{- else }}
-{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }}
-  {{- end }}
-  {{- end }}
-  {{- end }}
+    {{ template "vault.config" . }}
+{{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
--- a/helm/vault/templates/server-discovery-role.yaml
+++ b/helm/vault/templates/server-discovery-role.yaml
@@ -1,10 +1,16 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- if .serverEnabled -}}
+{{- if eq .mode "ha" }}
+{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  name: {{ template "vault.fullname" . }}-discovery-role
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
@@ -17,3 +23,4 @@ rules:
  verbs: ["get", "watch", "list", "update", "patch"]
 {{ end }}
 {{ end }}
+{{ end }}
--- a/helm/vault/templates/server-discovery-rolebinding.yaml
+++ b/helm/vault/templates/server-discovery-rolebinding.yaml
@@ -1,6 +1,12 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- if .serverEnabled -}}
+{{- if eq .mode "ha" }}
+{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
 {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
 apiVersion: rbac.authorization.k8s.io/v1
 {{- else }}
@@ -9,7 +15,7 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: {{ template "vault.fullname" . }}-discovery-rolebinding
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
    app.kubernetes.io/name: {{ include "vault.name" . }}
@@ -22,6 +28,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ template "vault.serviceAccount.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
+{{ end }}
 {{ end }}
 {{ end }}
--- a/helm/vault/templates/server-disruptionbudget.yaml
+++ b/helm/vault/templates/server-disruptionbudget.yaml
@@ -1,13 +1,19 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" -}}
-{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
+{{- if .serverEnabled -}}
+{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
 # PodDisruptionBudget to prevent degrading the server cluster through
 # voluntary cluster changes.
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
  name: {{ template "vault.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
    app.kubernetes.io/name: {{ include "vault.name" . }}
@@ -22,3 +28,4 @@ spec:
      component: server
 {{- end -}}
 {{- end -}}
+{{- end -}}
--- a/helm/vault/templates/server-ha-active-service.yaml
+++ b/helm/vault/templates/server-ha-active-service.yaml
@@ -1,42 +1,64 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+{{- if eq .mode "ha" }}
+{{- if eq (.Values.server.service.active.enabled | toString) "true" }}
 # Service for active Vault pod
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "vault.fullname" . }}-active
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    vault-active: "true"
  annotations:
-{{ template "vault.service.annotations" .}}
+{{- template "vault.service.active.annotations" . }}
+{{- template "vault.service.annotations" . }}
 spec:
  {{- if .Values.server.service.type}}
  type: {{ .Values.server.service.type }}
  {{- end}}
+  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+  {{- if .Values.server.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.server.service.ipFamilies }}
+  ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
  {{- if .Values.server.service.clusterIP }}
  clusterIP: {{ .Values.server.service.clusterIP }}
  {{- end }}
  {{- include "service.externalTrafficPolicy" .Values.server.service }}
-  publishNotReadyAddresses: true
+  publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
  ports:
    - name: {{ include "vault.scheme" . }}
      port: {{ .Values.server.service.port }}
      targetPort: {{ .Values.server.service.targetPort }}
-      {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
-      nodePort: {{ .Values.server.service.nodePort }}
+      {{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
+      nodePort: {{ .Values.server.service.activeNodePort }}
      {{- end }}
    - name: https-internal
      port: 8201
      targetPort: 8201
  selector:
    app.kubernetes.io/name: {{ include "vault.name" . }}
+    {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- end }}
    component: server
    vault-active: "true"
 {{- end }}
 {{- end }}
+{{- end }}
+{{- end }}
--- a/helm/vault/templates/server-ha-standby-service.yaml
+++ b/helm/vault/templates/server-ha-standby-service.yaml
@@ -1,42 +1,63 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+{{- if eq .mode "ha" }}
+{{- if eq (.Values.server.service.standby.enabled | toString) "true" }}
 # Service for standby Vault pod
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "vault.fullname" . }}-standby
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  annotations:
-{{ template "vault.service.annotations" .}}
+{{- template "vault.service.standby.annotations" . }}
+{{- template "vault.service.annotations" . }}
 spec:
  {{- if .Values.server.service.type}}
  type: {{ .Values.server.service.type }}
  {{- end}}
+  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+  {{- if .Values.server.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.server.service.ipFamilies }}
+  ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
  {{- if .Values.server.service.clusterIP }}
  clusterIP: {{ .Values.server.service.clusterIP }}
  {{- end }}
  {{- include "service.externalTrafficPolicy" .Values.server.service }}
-  publishNotReadyAddresses: true
+  publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
  ports:
    - name: {{ include "vault.scheme" . }}
      port: {{ .Values.server.service.port }}
      targetPort: {{ .Values.server.service.targetPort }}
-      {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
-      nodePort: {{ .Values.server.service.nodePort }}
+      {{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
+      nodePort: {{ .Values.server.service.standbyNodePort }}
      {{- end }}
    - name: https-internal
      port: 8201
      targetPort: 8201
  selector:
    app.kubernetes.io/name: {{ include "vault.name" . }}
+    {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- end }}
    component: server
    vault-active: "false"
 {{- end }}
 {{- end }}
+{{- end }}
+{{- end }}
--- a/helm/vault/templates/server-headless-service.yaml
+++ b/helm/vault/templates/server-headless-service.yaml
@@ -1,20 +1,35 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
 # Service for Vault cluster
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "vault.fullname" . }}-internal
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    vault-internal: "true"
  annotations:
 {{ template "vault.service.annotations" .}}
 spec:
+  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+  {{- if .Values.server.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.server.service.ipFamilies }}
+  ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
  clusterIP: None
  publishNotReadyAddresses: true
  ports:
--- a/helm/vault/templates/server-ingress.yaml
+++ b/helm/vault/templates/server-ingress.yaml
@@ -1,26 +1,27 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{- if not .Values.global.openshift }}
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
 {{- if .Values.server.ingress.enabled -}}
 {{- $extraPaths := .Values.server.ingress.extraPaths -}}
 {{- $serviceName := include "vault.fullname" . -}}
-{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.ingress.activeService | toString) "true") }}
+{{- template "vault.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
+{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
 {{- $serviceName = printf "%s-%s" $serviceName "active" -}}
 {{- end }}
 {{- $servicePort := .Values.server.service.port -}}
 {{- $pathType := .Values.server.ingress.pathType -}}
 {{- $kubeVersion := .Capabilities.KubeVersion.Version }}
-{{ if semverCompare ">= 1.19.0-0" $kubeVersion }}
 apiVersion: networking.k8s.io/v1
-{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
-apiVersion: networking.k8s.io/v1beta1
-{{ else }}
-apiVersion: extensions/v1beta1
-{{ end }}
 kind: Ingress
 metadata:
  name: {{ template "vault.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
    app.kubernetes.io/name: {{ include "vault.name" . }}
@@ -54,21 +55,15 @@ spec:
 {{- end }}
        {{- range (.paths | default (list "/")) }}
          - path: {{ . }}
-            {{ if semverCompare ">= 1.19.0-0" $kubeVersion }}
            pathType: {{ $pathType }}
-            {{ end }}
            backend:
-              {{ if semverCompare ">= 1.19.0-0" $kubeVersion }}
              service:
                name: {{ $serviceName }}
                port:
                  number: {{ $servicePort }}
-              {{ else }}
-              serviceName: {{ $serviceName }}
-              servicePort: {{ $servicePort }}
-              {{ end }}
        {{- end }}
  {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
--- a/helm/vault/templates/server-network-policy.yaml
+++ b/helm/vault/templates/server-network-policy.yaml
@@ -1,3 +1,8 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{- if eq (.Values.server.networkPolicy.enabled | toString) "true"  }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -11,14 +16,7 @@ spec:
    matchLabels:
      app.kubernetes.io/name: {{ template "vault.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
-  ingress:
-    - from:
-        - namespaceSelector: {}
-      ports:
-      - port: 8200
-        protocol: TCP
-      - port: 8201
-        protocol: TCP
+  ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
  {{- if .Values.server.networkPolicy.egress }}
  egress:
  {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}
--- a/helm/vault/templates/server-psp-role.yaml
+++ b/helm/vault/templates/server-psp-role.yaml
@@ -1,10 +1,16 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{- if .serverEnabled -}}
+{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ template "vault.fullname" . }}-psp
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
@@ -16,3 +22,4 @@ rules:
  resourceNames:
    - {{ template "vault.fullname" . }}
 {{- end }}
+{{- end }}
--- a/helm/vault/templates/server-psp-rolebinding.yaml
+++ b/helm/vault/templates/server-psp-rolebinding.yaml
@@ -1,10 +1,16 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
+{{- if .serverEnabled -}}
+{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ template "vault.fullname" . }}-psp
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
@@ -17,3 +23,4 @@ subjects:
  - kind: ServiceAccount
    name: {{ template "vault.fullname" . }}
 {{- end }}
+{{- end }}
--- a/helm/vault/templates/server-psp.yaml
+++ b/helm/vault/templates/server-psp.yaml
@@ -1,6 +1,12 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
-apiVersion: policy/v1
+{{- if .serverEnabled -}}
+{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
+apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: {{ template "vault.fullname" . }}
@@ -45,3 +51,4 @@ spec:
        max: 65535
  readOnlyRootFilesystem: false
 {{- end }}
+{{- end }}
--- a/helm/vault/templates/server-route.yaml
+++ b/helm/vault/templates/server-route.yaml
@@ -1,3 +1,8 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{- if .Values.global.openshift }}
 {{- if ne .mode "external" }}
 {{- if .Values.server.route.enabled -}}
@@ -9,7 +14,7 @@ kind: Route
 apiVersion: route.openshift.io/v1
 metadata:
  name: {{ template "vault.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
    app.kubernetes.io/name: {{ include "vault.name" . }}
--- a/helm/vault/templates/server-service.yaml
+++ b/helm/vault/templates/server-service.yaml
@@ -1,12 +1,18 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- template "vault.serverServiceEnabled" . -}}
+{{- if .serverServiceEnabled -}}
 # Service for Vault cluster
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "vault.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
    app.kubernetes.io/name: {{ include "vault.name" . }}
@@ -18,13 +24,21 @@ spec:
  {{- if .Values.server.service.type}}
  type: {{ .Values.server.service.type }}
  {{- end}}
+  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+  {{- if .Values.server.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.server.service.ipFamilies }}
+  ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
  {{- if .Values.server.service.clusterIP }}
  clusterIP: {{ .Values.server.service.clusterIP }}
  {{- end }}
  {{- include "service.externalTrafficPolicy" .Values.server.service }}
  # We want the servers to become available even if they're not ready
  # since this DNS is also used for join operations.
-  publishNotReadyAddresses: true
+  publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
  ports:
    - name: {{ include "vault.scheme" . }}
      port: {{ .Values.server.service.port }}
@@ -37,7 +51,9 @@ spec:
      targetPort: 8201
  selector:
    app.kubernetes.io/name: {{ include "vault.name" . }}
+    {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- end }}
    component: server
 {{- end }}
 {{- end }}
--- a/helm/vault/templates/server-serviceaccount-secret.yaml
+++ b/helm/vault/templates/server-serviceaccount-secret.yaml
@@ -0,0 +1,21 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "vault.serverServiceAccountSecretCreationEnabled" . }}
+{{- if .serverServiceAccountSecretCreationEnabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "vault.serviceAccount.name" . }}-token
+  namespace: {{ include "vault.namespace" . }}
+  annotations:
+    kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }}
+  labels:
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: kubernetes.io/service-account-token
+{{ end }}
--- a/helm/vault/templates/server-serviceaccount.yaml
+++ b/helm/vault/templates/server-serviceaccount.yaml
@@ -1,16 +1,22 @@
-{{ template "vault.mode" . }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
-{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{ template "vault.serverServiceAccountEnabled" . }}
+{{- if .serverServiceAccountEnabled -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ template "vault.serviceAccount.name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- if  .Values.server.serviceAccount.extraLabels -}}
+      {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}}
+    {{- end -}}
  {{ template "vault.serviceAccount.annotations" . }}
 {{ end }}
-{{ end }}
--- a/helm/vault/templates/server-statefulset.yaml
+++ b/helm/vault/templates/server-statefulset.yaml
@@ -1,12 +1,18 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
+{{- if ne .mode "" }}
+{{- if .serverEnabled -}}
 # StatefulSet to run the actual vault server cluster.
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: {{ template "vault.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
@@ -18,6 +24,9 @@ spec:
  replicas: {{ template "vault.replicas" . }}
  updateStrategy:
    type: {{ .Values.server.updateStrategyType }}
+  {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }}
+  persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }}
+  {{- end }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ template "vault.name" . }}
@@ -36,6 +45,7 @@ spec:
      {{ template "vault.annotations" . }}
    spec:
      {{ template "vault.affinity" . }}
+      {{ template "vault.topologySpreadConstraints" . }}
      {{ template "vault.tolerations" . }}
      {{ template "vault.nodeselector" . }}
      {{- if .Values.server.priorityClassName }}
@@ -46,17 +56,18 @@ spec:
      {{ if  .Values.server.shareProcessNamespace }}
      shareProcessNamespace: true
      {{ end }}
+      {{- template "server.statefulSet.securityContext.pod" . }}
      {{- if not .Values.global.openshift }}
-      securityContext:
-        runAsNonRoot: true
-        runAsGroup: {{ .Values.server.gid | default 1000 }}
-        runAsUser: {{ .Values.server.uid | default 100 }}
-        fsGroup: {{ .Values.server.gid | default 1000 }}
+      hostNetwork: {{ .Values.server.hostNetwork }}
      {{- end }}
      volumes:
        {{ template "vault.volumes" . }}
        - name: home
          emptyDir: {}
+      {{- if .Values.server.hostAliases }}
+      hostAliases:
+        {{ toYaml .Values.server.hostAliases | nindent 8}}
+      {{- end }}
      {{- if .Values.server.extraInitContainers }}
      initContainers:
        {{ toYaml .Values.server.extraInitContainers | nindent 8}}
@@ -70,10 +81,7 @@ spec:
          - "/bin/sh"
          - "-ec"
          args: {{ template "vault.args" . }}
-          {{- if not .Values.global.openshift }}
-          securityContext:
-            allowPrivilegeEscalation: false
-          {{- end }}
+          {{- template "server.statefulSet.securityContext.container" . }}
          env:
            - name: HOST_IP
              valueFrom:
@@ -108,7 +116,11 @@ spec:
                fieldRef:
                  fieldPath: metadata.name
            - name: VAULT_CLUSTER_ADDR
+              {{- if .Values.server.ha.clusterAddr }}
+              value: {{ .Values.server.ha.clusterAddr | quote }}
+              {{- else }}
              value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
+              {{- end }}
            {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }}
            - name: VAULT_RAFT_NODE_ID
              valueFrom:
@@ -143,12 +155,15 @@ spec:
              name: https-internal
            - containerPort: 8202
              name: {{ include "vault.scheme" . }}-rep
+          {{- if .Values.server.extraPorts -}}
+          {{ toYaml .Values.server.extraPorts | nindent 12}}
+          {{- end }}
          {{- if .Values.server.readinessProbe.enabled }}
          readinessProbe:
            {{- if .Values.server.readinessProbe.path }}
            httpGet:
              path: {{ .Values.server.readinessProbe.path | quote }}
-              port: 8200
+              port: {{ .Values.server.readinessProbe.port }}
              scheme: {{ include "vault.scheme" . | upper }}
            {{- else }}
            # Check status; unsealed vault servers return 0
@@ -167,10 +182,18 @@ spec:
          {{- end }}
          {{- if .Values.server.livenessProbe.enabled }}
          livenessProbe:
+            {{- if .Values.server.livenessProbe.execCommand }}
+            exec:
+              command:
+                {{- range (.Values.server.livenessProbe.execCommand) }}
+                - {{ . | quote }}
+                {{- end }}
+            {{- else }}
            httpGet:
              path: {{ .Values.server.livenessProbe.path | quote }}
-              port: 8200
+              port: {{ .Values.server.livenessProbe.port }}
              scheme: {{ include "vault.scheme" . | upper }}
+            {{- end }}
            failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
            initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }}
@@ -206,3 +229,4 @@ spec:
  {{ template "vault.volumeclaims" . }}
 {{ end }}
 {{ end }}
+{{ end }}
--- a/helm/vault/templates/tests/server-test.yaml
+++ b/helm/vault/templates/tests/server-test.yaml
@@ -1,11 +1,16 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
+{{- if .serverEnabled -}}
 apiVersion: v1
 kind: Pod
 metadata:
-  name: "{{ .Release.Name }}-server-test"
-  namespace: {{ .Release.Namespace }}
+  name: {{ template "vault.fullname" . }}-server-test
+  namespace: {{ include "vault.namespace" . }}
  annotations:
    "helm.sh/hook": test
 spec:
@@ -16,7 +21,7 @@ spec:
      imagePullPolicy: {{ .Values.server.image.pullPolicy }}
      env:
        - name: VAULT_ADDR
-          value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
+          value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
        {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }}
      command:
        - /bin/sh
--- a/helm/vault/templates/ui-service.yaml
+++ b/helm/vault/templates/ui-service.yaml
@@ -1,12 +1,18 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
-{{- if eq (.Values.ui.enabled | toString) "true" }}
+{{- template "vault.uiEnabled" . -}}
+{{- if .uiEnabled -}}
+
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "vault.fullname" . }}-ui
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "vault.namespace" . }}
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
    app.kubernetes.io/name: {{ include "vault.name" . }}-ui
@@ -14,6 +20,14 @@ metadata:
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  {{- template "vault.ui.annotations" . }}
 spec:
+  {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
+  {{- if .Values.ui.serviceIPFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.ui.serviceIPFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.ui.serviceIPFamilies }}
+  ipFamilies: {{ .Values.ui.serviceIPFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
  selector:
    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
@@ -34,4 +48,3 @@ spec:
  {{- include "service.loadBalancer" .Values.ui }}
 {{- end -}}
 {{- end }}
-{{- end }}
--- a/helm/vault/values-external.yaml
+++ b/helm/vault/values-external.yaml
--- a/helm/vault/values.openshift.yaml
+++ b/helm/vault/values.openshift.yaml
@@ -1,3 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 # These overrides are appropriate defaults for deploying this chart on OpenShift

 global:
@@ -6,13 +9,16 @@ global:
 injector:
  image:
    repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
-    tag: "0.14.2-ubi"
+    tag: "1.5.0-ubi"

  agentImage:
    repository: "registry.connect.redhat.com/hashicorp/vault"
-    tag: "1.9.2-ubi"
+    tag: "1.18.1-ubi"

 server:
  image:
    repository: "registry.connect.redhat.com/hashicorp/vault"
-    tag: "1.9.2-ubi"
+    tag: "1.18.1-ubi"
+
+  readinessProbe:
+    path: "/v1/sys/health?uninitcode=204"
--- a/helm/vault/values.schema.json
+++ b/helm/vault/values.schema.json
@@ -5,6 +5,40 @@
        "csi": {
            "type": "object",
            "properties": {
+                "agent": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "extraArgs": {
+                            "type": "array"
+                        },
+                        "image": {
+                            "type": "object",
+                            "properties": {
+                                "pullPolicy": {
+                                    "type": "string"
+                                },
+                                "repository": {
+                                    "type": "string"
+                                },
+                                "tag": {
+                                    "type": "string"
+                                }
+                            }
+                        },
+                        "logFormat": {
+                            "type": "string"
+                        },
+                        "logLevel": {
+                            "type": "string"
+                        },
+                        "resources": {
+                            "type": "object"
+                        }
+                    }
+                },
                "daemonSet": {
                    "type": "object",
                    "properties": {
@@ -14,12 +48,32 @@
                                "string"
                            ]
                        },
+                        "extraLabels": {
+                            "type": "object"
+                        },
                        "kubeletRootDir": {
                            "type": "string"
                        },
                        "providersDir": {
                            "type": "string"
                        },
+                        "securityContext": {
+                            "type": "object",
+                            "properties": {
+                                "container": {
+                                    "type": [
+                                        "object",
+                                        "string"
+                                    ]
+                                },
+                                "pod": {
+                                    "type": [
+                                        "object",
+                                        "string"
+                                    ]
+                                }
+                            }
+                        },
                        "updateStrategy": {
                            "type": "object",
                            "properties": {
@@ -33,18 +87,24 @@
                        }
                    }
                },
-                "priorityClassName": {
-                    "type": "string"
-                },
                "debug": {
                    "type": "boolean"
                },
                "enabled": {
-                    "type": "boolean"
+                    "type": [
+                        "boolean",
+                        "string"
+                    ]
                },
                "extraArgs": {
                    "type": "array"
                },
+                "hmacSecretName": {
+                    "type": "string"
+                },
+                "hostNetwork": {
+                    "type": "boolean"
+                },
                "image": {
                    "type": "object",
                    "properties": {
@@ -79,15 +139,35 @@
                        }
                    }
                },
+                "logLevel": {
+                    "type": "string"
+                },
                "pod": {
                    "type": "object",
                    "properties": {
+                        "affinity": {
+                            "type": [
+                              "null",
+                              "object",
+                              "string"
+                            ]
+                        },
                        "annotations": {
                            "type": [
                                "object",
                                "string"
                            ]
                        },
+                        "extraLabels": {
+                            "type": "object"
+                        },
+                        "nodeSelector": {
+                            "type": [
+                              "null",
+                              "object",
+                              "string"
+                            ]
+                        },
                        "tolerations": {
                            "type": [
                                "null",
@@ -97,6 +177,9 @@
                        }
                    }
                },
+                "priorityClassName": {
+                    "type": "string"
+                },
                "readinessProbe": {
                    "type": "object",
                    "properties": {
@@ -128,6 +211,9 @@
                                "object",
                                "string"
                            ]
+                        },
+                        "extraLabels": {
+                            "type": "object"
                        }
                    }
                },
@@ -151,9 +237,15 @@
                "enabled": {
                    "type": "boolean"
                },
+                "externalVaultAddr": {
+                    "type": "string"
+                },
                "imagePullSecrets": {
                    "type": "array"
                },
+                "namespace": {
+                    "type": "string"
+                },
                "openshift": {
                    "type": "boolean"
                },
@@ -171,6 +263,14 @@
                        }
                    }
                },
+                "serverTelemetry": {
+                    "type": "object",
+                    "properties": {
+                        "prometheusOperator": {
+                            "type": "boolean"
+                        }
+                    }
+                },
                "tlsDisable": {
                    "type": "boolean"
                }
@@ -200,6 +300,12 @@
                        "memRequest": {
                            "type": "string"
                        },
+                        "ephemeralLimit": {
+                            "type": "string"
+                        },
+                        "ephemeralRequest": {
+                            "type": "string"
+                        },
                        "template": {
                            "type": "string"
                        },
@@ -257,7 +363,10 @@
                    }
                },
                "enabled": {
-                    "type": "boolean"
+                    "type": [
+                        "boolean",
+                        "string"
+                    ]
                },
                "externalVaultAddr": {
                    "type": "string"
@@ -296,6 +405,26 @@
                        }
                    }
                },
+                "livenessProbe": {
+                    "type": "object",
+                    "properties": {
+                        "failureThreshold": {
+                            "type": "integer"
+                        },
+                        "initialDelaySeconds": {
+                            "type": "integer"
+                        },
+                        "periodSeconds": {
+                            "type": "integer"
+                        },
+                        "successThreshold": {
+                            "type": "integer"
+                        },
+                        "timeoutSeconds": {
+                            "type": "integer"
+                        }
+                    }
+                },
                "logFormat": {
                    "type": "string"
                },
@@ -321,7 +450,10 @@
                    ]
                },
                "objectSelector": {
-                    "type": "object"
+                    "type": [
+                        "object",
+                        "string"
+                    ]
                },
                "podDisruptionBudget": {
                    "type": "object"
@@ -332,6 +464,26 @@
                "priorityClassName": {
                    "type": "string"
                },
+                "readinessProbe": {
+                    "type": "object",
+                    "properties": {
+                        "failureThreshold": {
+                            "type": "integer"
+                        },
+                        "initialDelaySeconds": {
+                            "type": "integer"
+                        },
+                        "periodSeconds": {
+                            "type": "integer"
+                        },
+                        "successThreshold": {
+                            "type": "integer"
+                        },
+                        "timeoutSeconds": {
+                            "type": "integer"
+                        }
+                    }
+                },
                "replicas": {
                    "type": "integer"
                },
@@ -341,6 +493,23 @@
                "revokeOnShutdown": {
                    "type": "boolean"
                },
+                "securityContext": {
+                    "type": "object",
+                    "properties": {
+                        "container": {
+                            "type": [
+                                "object",
+                                "string"
+                            ]
+                        },
+                        "pod": {
+                            "type": [
+                                "object",
+                                "string"
+                            ]
+                        }
+                    }
+                },
                "service": {
                    "type": "object",
                    "properties": {
@@ -352,6 +521,37 @@
                        }
                    }
                },
+                "serviceAccount": {
+                    "type": "object",
+                    "properties": {
+                        "annotations": {
+                            "type": [
+                                "object",
+                                "string"
+                            ]
+                        }
+                    }
+                },
+                "startupProbe": {
+                    "type": "object",
+                    "properties": {
+                        "failureThreshold": {
+                            "type": "integer"
+                        },
+                        "initialDelaySeconds": {
+                            "type": "integer"
+                        },
+                        "periodSeconds": {
+                            "type": "integer"
+                        },
+                        "successThreshold": {
+                            "type": "integer"
+                        },
+                        "timeoutSeconds": {
+                            "type": "integer"
+                        }
+                    }
+                },
                "strategy": {
                    "type": [
                        "object",
@@ -365,6 +565,42 @@
                        "string"
                    ]
                },
+                "topologySpreadConstraints": {
+                    "type": [
+                        "null",
+                        "array",
+                        "string"
+                    ]
+                },
+                "webhook": {
+                    "type": "object",
+                    "properties": {
+                        "annotations": {
+                            "type": [
+                                "object",
+                                "string"
+                            ]
+                        },
+                        "failurePolicy": {
+                            "type": "string"
+                        },
+                        "matchPolicy": {
+                            "type": "string"
+                        },
+                        "namespaceSelector": {
+                            "type": "object"
+                        },
+                        "objectSelector": {
+                            "type": [
+                                "object",
+                                "string"
+                            ]
+                        },
+                        "timeoutSeconds": {
+                            "type": "integer"
+                        }
+                    }
+                },
                "webhookAnnotations": {
                    "type": [
                        "object",
@@ -406,6 +642,12 @@
                                "string"
                            ]
                        },
+                        "labels": {
+                            "type": [
+                                "object",
+                                "string"
+                            ]
+                        },
                        "mountPath": {
                            "type": "string"
                        },
@@ -446,6 +688,12 @@
                                "string"
                            ]
                        },
+                        "labels": {
+                            "type": [
+                                "object",
+                                "string"
+                            ]
+                        },
                        "mountPath": {
                            "type": "string"
                        },
@@ -472,7 +720,10 @@
                    }
                },
                "enabled": {
-                    "type": "boolean"
+                    "type": [
+                        "boolean",
+                        "string"
+                    ]
                },
                "enterpriseLicense": {
                    "type": "object",
@@ -506,6 +757,12 @@
                "extraLabels": {
                    "type": "object"
                },
+                "extraPorts": {
+                    "type": [
+                        "null",
+                        "array"
+                    ]
+                },
                "extraSecretEnvironmentVars": {
                    "type": "array"
                },
@@ -521,8 +778,17 @@
                                "string"
                            ]
                        },
+                        "clusterAddr": {
+                            "type": [
+                                "null",
+                                "string"
+                            ]
+                        },
                        "config": {
-                            "type": "string"
+                            "type": [
+                                "string",
+                                "object"
+                            ]
                        },
                        "disruptionBudget": {
                            "type": "object",
@@ -545,7 +811,10 @@
                            "type": "object",
                            "properties": {
                                "config": {
-                                    "type": "string"
+                                    "type": [
+                                        "string",
+                                        "object"
+                                    ]
                                },
                                "enabled": {
                                    "type": "boolean"
@@ -560,6 +829,12 @@
                        }
                    }
                },
+                "hostAliases": {
+                    "type": "array"
+                },
+                "hostNetwork": {
+                    "type": "boolean"
+                },
                "image": {
                    "type": "object",
                    "properties": {
@@ -574,6 +849,9 @@
                        }
                    }
                },
+                "includeConfigAnnotation": {
+                    "type": "boolean"
+                },
                "ingress": {
                    "type": "object",
                    "properties": {
@@ -626,6 +904,9 @@
                        "enabled": {
                            "type": "boolean"
                        },
+                        "execCommand": {
+                            "type": "array"
+                        },
                        "failureThreshold": {
                            "type": "integer"
                        },
@@ -638,6 +919,9 @@
                        "periodSeconds": {
                            "type": "integer"
                        },
+                        "port": {
+                            "type": "integer"
+                        },
                        "successThreshold": {
                            "type": "integer"
                        },
@@ -660,6 +944,9 @@
                        },
                        "enabled": {
                            "type": "boolean"
+                        },
+                        "ingress": {
+                            "type": "array"
                        }
                    }
                },
@@ -670,6 +957,17 @@
                        "string"
                    ]
                },
+                "persistentVolumeClaimRetentionPolicy": {
+                    "type": "object",
+                    "properties": {
+                        "whenDeleted": {
+                            "type": "string"
+                        },
+                        "whenScaled": {
+                            "type": "string"
+                        }
+                    }
+                },
                "postStart": {
                    "type": "array"
                },
@@ -694,6 +992,9 @@
                        "periodSeconds": {
                            "type": "integer"
                        },
+                        "port": {
+                            "type": "integer"
+                        },
                        "successThreshold": {
                            "type": "integer"
                        },
@@ -725,12 +1026,32 @@
                        },
                        "labels": {
                            "type": "object"
+                        },
+                        "tls": {
+                            "type": "object"
                        }
                    }
                },
                "service": {
                    "type": "object",
                    "properties": {
+                        "active": {
+                            "type": "object",
+                            "properties": {
+                                "annotations": {
+                                    "type": [
+                                        "object",
+                                        "string"
+                                    ]
+                                },
+                                "enabled": {
+                                    "type": "boolean"
+                                }
+                            }
+                        },
+                        "activeNodePort": {
+                            "type": "integer"
+                        },
                        "annotations": {
                            "type": [
                                "object",
@@ -743,9 +1064,46 @@
                        "externalTrafficPolicy": {
                            "type": "string"
                        },
+                        "instanceSelector": {
+                            "type": "object",
+                            "properties": {
+                                "enabled": {
+                                    "type": "boolean"
+                                }
+                            }
+                        },
+                        "ipFamilies": {
+                            "type": "array"
+                        },
+                        "ipFamilyPolicy": {
+                            "type": "string"
+                        },
+                        "nodePort": {
+                            "type": "integer"
+                        },
                        "port": {
                            "type": "integer"
                        },
+                        "publishNotReadyAddresses": {
+                            "type": "boolean"
+                        },
+                        "standby": {
+                            "type": "object",
+                            "properties": {
+                                "annotations": {
+                                    "type": [
+                                        "object",
+                                        "string"
+                                    ]
+                                },
+                                "enabled": {
+                                    "type": "boolean"
+                                }
+                            }
+                        },
+                        "standbyNodePort": {
+                            "type": "integer"
+                        },
                        "targetPort": {
                            "type": "integer"
                        }
@@ -763,8 +1121,22 @@
                        "create": {
                            "type": "boolean"
                        },
+                        "createSecret": {
+                            "type": "boolean"
+                        },
+                        "extraLabels": {
+                            "type": "object"
+                        },
                        "name": {
                            "type": "string"
+                        },
+                        "serviceDiscovery": {
+                            "type": "object",
+                            "properties": {
+                                "enabled": {
+                                    "type": "boolean"
+                                }
+                            }
                        }
                    }
                },
@@ -775,7 +1147,10 @@
                    "type": "object",
                    "properties": {
                        "config": {
-                            "type": "string"
+                            "type": [
+                                "string",
+                                "object"
+                            ]
                        },
                        "enabled": {
                            "type": [
@@ -793,6 +1168,23 @@
                                "object",
                                "string"
                            ]
+                        },
+                        "securityContext": {
+                            "type": "object",
+                            "properties": {
+                                "container": {
+                                    "type": [
+                                        "object",
+                                        "string"
+                                    ]
+                                },
+                                "pod": {
+                                    "type": [
+                                        "object",
+                                        "string"
+                                    ]
+                                }
+                            }
                        }
                    }
                },
@@ -806,6 +1198,13 @@
                        "string"
                    ]
                },
+                "topologySpreadConstraints": {
+                    "type": [
+                        "null",
+                        "array",
+                        "string"
+                    ]
+                },
                "updateStrategyType": {
                    "type": "string"
                },
@@ -823,6 +1222,48 @@
                }
            }
        },
+        "serverTelemetry": {
+            "type": "object",
+            "properties": {
+                "prometheusRules": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "rules": {
+                            "type": "array"
+                        },
+                        "selectors": {
+                            "type": "object"
+                        }
+                    }
+                },
+                "serviceMonitor": {
+                    "type": "object",
+                    "properties": {
+                        "authorization": {
+                            "type": "object"
+                        },
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "interval": {
+                            "type": "string"
+                        },
+                        "scrapeTimeout": {
+                            "type": "string"
+                        },
+                        "selectors": {
+                            "type": "object"
+                        },
+                        "tlsConfig": {
+                            "type": "object"
+                        }
+                    }
+                }
+            }
+        },
        "ui": {
            "type": "object",
            "properties": {
@@ -836,7 +1277,10 @@
                    ]
                },
                "enabled": {
-                    "type": "boolean"
+                    "type": [
+                        "boolean",
+                        "string"
+                    ]
                },
                "externalPort": {
                    "type": "integer"
@@ -847,6 +1291,12 @@
                "publishNotReadyAddresses": {
                    "type": "boolean"
                },
+                "serviceIPFamilies": {
+                    "type": "array"
+                },
+                "serviceIPFamilyPolicy": {
+                    "type": "string"
+                },
                "serviceNodePort": {
                    "type": [
                        "null",
--- a/helm/vault/values.yaml
+++ b/helm/vault/values.yaml
@@ -1,3 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 # Available parameters and their default values for the Vault chart.

 global:
@@ -5,6 +8,9 @@ global:
  # will enable or disable all the components within this chart by default.
  enabled: true

+  # The namespace to deploy to. Defaults to the `helm` installation namespace.
+  namespace: ""
+
  # Image pull secret to use for registry authentication.
  # Alternatively, the value may be specified as an array of strings.
  imagePullSecrets: []
@@ -32,10 +38,15 @@ global:
      seccomp.security.alpha.kubernetes.io/defaultProfileName:  runtime/default
      apparmor.security.beta.kubernetes.io/defaultProfileName:  runtime/default

+  serverTelemetry:
+    # Enable integration with the Prometheus Operator
+    # See the top level serverTelemetry section below before enabling this feature.
+    prometheusOperator: false
+
 injector:
  # True if you want to enable vault agent injection.
  # @default: global.enabled
-  enabled: true
+  enabled: "-"

  replicas: 1

@@ -57,7 +68,7 @@ injector:
  # image sets the repo and tag of the vault-k8s image to use for the injector.
  image:
    repository: "hashicorp/vault-k8s"
-    tag: "0.17.0"
+    tag: "1.5.0"
    pullPolicy: IfNotPresent

  # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
@@ -65,7 +76,7 @@ injector:
  # required.
  agentImage:
    repository: "hashicorp/vault"
-    tag: "1.11.2"
+    tag: "1.18.1"

  # The default values for the injected Vault Agent containers.
  agentDefaults:
@@ -75,6 +86,8 @@ injector:
    cpuRequest: "250m"
    memLimit: "128Mi"
    memRequest: "64Mi"
+    # ephemeralLimit: "128Mi"
+    # ephemeralRequest: "64Mi"

    # Default template type for secrets when no custom template is specified.
    # Possible values include: "json" and "map".
@@ -85,6 +98,43 @@ injector:
      exitOnRetryFailure: true
      staticSecretRenderInterval: ""

+  # Used to define custom livenessProbe settings
+  livenessProbe:
+    # When a probe fails, Kubernetes will try failureThreshold times before giving up
+    failureThreshold: 2
+    # Number of seconds after the container has started before probe initiates
+    initialDelaySeconds: 5
+    # How often (in seconds) to perform the probe
+    periodSeconds: 2
+    # Minimum consecutive successes for the probe to be considered successful after having failed
+    successThreshold: 1
+    # Number of seconds after which the probe times out.
+    timeoutSeconds: 5
+  # Used to define custom readinessProbe settings
+  readinessProbe:
+    # When a probe fails, Kubernetes will try failureThreshold times before giving up
+    failureThreshold: 2
+    # Number of seconds after the container has started before probe initiates
+    initialDelaySeconds: 5
+    # How often (in seconds) to perform the probe
+    periodSeconds: 2
+    # Minimum consecutive successes for the probe to be considered successful after having failed
+    successThreshold: 1
+    # Number of seconds after which the probe times out.
+    timeoutSeconds: 5
+  # Used to define custom startupProbe settings
+  startupProbe:
+    # When a probe fails, Kubernetes will try failureThreshold times before giving up
+    failureThreshold: 12
+    # Number of seconds after the container has started before probe initiates
+    initialDelaySeconds: 5
+    # How often (in seconds) to perform the probe
+    periodSeconds: 5
+    # Minimum consecutive successes for the probe to be considered successful after having failed
+    successThreshold: 1
+    # Number of seconds after which the probe times out.
+    timeoutSeconds: 5
+
  # Mount Path of the Vault Kubernetes Auth Method.
  authPath: "auth/kubernetes"

@@ -101,7 +151,7 @@ injector:
  webhook:
    # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
    # API Version of the WebHook.
-    # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
+    # To block pod creation while the webhook is unavailable, set the policy to `Fail` below.
    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
    #
    failurePolicy: Ignore
@@ -192,7 +242,7 @@ injector:

    # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA
    # that signed the TLS certificate that the webhook serves. This must be set
-    # if secretName is non-null, unless an external service like cert-manager is
+    # if secretName is non-null unless an external service like cert-manager is
    # keeping the caBundle updated.
    caBundle: ""

@@ -232,7 +282,7 @@ injector:
    # KUBERNETES_SERVICE_HOST: kubernetes.default.svc

  # Affinity Settings for injector pods
-  # This can either be multi-line string or YAML matching the PodSpec's affinity field.
+  # This can either be a multi-line string or YAML matching the PodSpec's affinity field.
  # Commenting out or setting as empty the affinity variable, will allow
  # deployment of multiple replicas to single node services such as Minikube.
  affinity: |
@@ -307,7 +357,7 @@ injector:
 server:
  # If true, or "-" with global.enabled true, Vault server will be installed.
  # See vault.mode in _helpers.tpl for implementation details.
-  enabled: true
+  enabled: "-"

  # [Enterprise Only] This value refers to a Kubernetes secret that you have
  # created that contains your enterprise license. If you are not using an
@@ -327,7 +377,7 @@ server:

  image:
    repository: "hashicorp/vault"
-    tag: "1.11.2"
+    tag: "1.18.1"
    # Overrides the default Image Pull Policy
    pullPolicy: IfNotPresent

@@ -395,6 +445,12 @@ server:
    #    hosts:
    #      - chart-example.local

+  # hostAliases is a list of aliases to be added to /etc/hosts. Specified as a YAML list.
+  hostAliases: []
+  # - ip: 127.0.0.1
+  #   hostnames:
+  #     - chart-example.local
+
  # OpenShift only - create a route to expose the service
  # By default the created route will be of type passthrough
  route:
@@ -415,7 +471,7 @@ server:

  # authDelegator enables a cluster role binding to be attached to the service
  # account.  This cluster role binding can be used to setup Kubernetes auth
-  # method.  https://www.vaultproject.io/docs/auth/kubernetes.html
+  # method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes
  authDelegator:
    enabled: true

@@ -442,18 +498,26 @@ server:
  extraContainers: null

  # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
-  # This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation
+  # This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation
  shareProcessNamespace: false

  # extraArgs is a string containing additional Vault server arguments.
  extraArgs: ""

+  # extraPorts is a list of extra ports. Specified as a YAML list.
+  # This is useful if you need to add additional ports to the statefulset in dynamic way.
+  extraPorts: null
+    # - containerPort: 8300
+    #   name: http-monitoring
+
  # Used to define custom readinessProbe settings
  readinessProbe:
    enabled: true
    # If you need to use a http path instead of the default exec
    # path: /v1/sys/health?standbyok=true

+    # Port number on which readinessProbe will be checked.
+    port: 8200
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before probe initiates
@@ -467,7 +531,15 @@ server:
  # Used to enable a livenessProbe for the pods
  livenessProbe:
    enabled: false
+    # Used to define a liveness exec command. If provided, exec is preferred to httpGet (path) as the livenessProbe handler.
+    execCommand: []
+    # - /bin/sh
+    # - -c
+    # - /vault/userconfig/mylivenessscript/run.sh
+    # Path for the livenessProbe to use httpGet as the livenessProbe handler
    path: "/v1/sys/health?standbyok=true"
+    # Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler
+    port: 8200
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before probe initiates
@@ -575,6 +647,14 @@ server:
    #   ports:
    #   - protocol: TCP
    #     port: 443
+    ingress:
+      - from:
+        - namespaceSelector: {}
+        ports:
+        - port: 8200
+          protocol: TCP
+        - port: 8201
+          protocol: TCP

  # Priority class for server pods
  priorityClassName: ""
@@ -588,14 +668,42 @@ server:
  # of the annotations to apply to the server pods
  annotations: {}

+  # Add an annotation to the server configmap and the statefulset pods,
+  # vaultproject.io/config-checksum, that is a hash of the Vault configuration.
+  # This can be used together with an OnDelete deployment strategy to help
+  # identify which pods still need to be deleted during a deployment to pick up
+  # any configuration changes.
+  includeConfigAnnotation: false
+
  # Enables a headless service to be used by the Vault Statefulset
  service:
    enabled: true
+    # Enable or disable the vault-active service, which selects Vault pods that
+    # have labeled themselves as the cluster leader with `vault-active: "true"`.
+    active:
+      enabled: true
+      # Extra annotations for the service definition. This can either be YAML or a
+      # YAML-formatted multi-line templated string map of the annotations to apply
+      # to the active service.
+      annotations: {}
+    # Enable or disable the vault-standby service, which selects Vault pods that
+    # have labeled themselves as a cluster follower with `vault-active: "false"`.
+    standby:
+      enabled: true
+      # Extra annotations for the service definition. This can either be YAML or a
+      # YAML-formatted multi-line templated string map of the annotations to apply
+      # to the standby service.
+      annotations: {}
+    # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}`
+    # When disabled, services may select Vault pods not deployed from the chart.
+    # Does not affect the headless vault-internal service with `ClusterIP: None`
+    instanceSelector:
+      enabled: true
    # clusterIP controls whether a Cluster IP address is attached to the
-    # Vault service within Kubernetes.  By default the Vault service will
+    # Vault service within Kubernetes.  By default, the Vault service will
    # be given a Cluster IP address, set to None to disable.  When disabled
    # Kubernetes will create a "headless" service.  Headless services can be
-    # used to communicate with pods directly through DNS instead of a round robin
+    # used to communicate with pods directly through DNS instead of a round-robin
    # load balancer.
    # clusterIP: None

@@ -603,7 +711,24 @@ server:
    # or NodePort.
    #type: ClusterIP

-    # Do not wait for pods to be ready
+    # The IP family and IP families options are to set the behaviour in a dual-stack environment.
+    # Omitting these values will let the service fall back to whatever the CNI dictates the defaults
+    # should be.
+    # These are only supported for kubernetes versions >=1.23.0
+    #
+    # Configures the service's supported IP family policy, can be either:
+    #     SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
+    #     PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service.
+    #     RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges.
+    ipFamilyPolicy: ""
+
+    # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well.
+    # Can be IPv4 and/or IPv6.
+    ipFamilies: []
+
+    # Do not wait for pods to be ready before including them in the services'
+    # targets. Does not apply to the headless service, which is used for
+    # cluster-internal communication.
    publishNotReadyAddresses: true

    # The externalTrafficPolicy can be set to either Cluster or Local
@@ -637,11 +762,11 @@ server:

  # This configures the Vault Statefulset to create a PVC for data
  # storage when using the file or raft backend storage engines.
-  # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more
+  # See https://developer.hashicorp.com/vault/docs/configuration/storage to know more
  dataStorage:
    enabled: true
    # Size of the PVC created
-    size: 1Gi
+    size: 10Gi
    # Location where the PVC will be mounted.
    mountPath: "/vault/data"
    # Name of the storage class to use.  If null it will use the
@@ -651,12 +776,22 @@ server:
    accessMode: ReadWriteOnce
    # Annotations to apply to the PVC
    annotations: {}
+    # Labels to apply to the PVC
+    labels: {}
+
+  # Persistent Volume Claim (PVC) retention policy
+  # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
+  # Example:
+  # persistentVolumeClaimRetentionPolicy:
+  #   whenDeleted: Retain
+  #   whenScaled: Retain
+  persistentVolumeClaimRetentionPolicy: {}

  # This configures the Vault Statefulset to create a PVC for audit
-  # logs.  Once Vault is deployed, initialized and unsealed, Vault must
+  # logs.  Once Vault is deployed, initialized, and unsealed, Vault must
  # be configured to use this for audit logs.  This will be mounted to
  # /vault/audit
-  # See https://www.vaultproject.io/docs/audit/index.html to know more
+  # See https://developer.hashicorp.com/vault/docs/audit to know more
  auditStorage:
    enabled: false
    # Size of the PVC created
@@ -670,12 +805,14 @@ server:
    accessMode: ReadWriteOnce
    # Annotations to apply to the PVC
    annotations: {}
+    # Labels to apply to the PVC
+    labels: {}

  # Run Vault in "dev" mode. This requires no further setup, no state management,
  # and no initialization. This is useful for experimenting with Vault without
  # needing to unseal, store keys, et. al. All data is lost on restart - do not
  # use dev mode for anything other than experimenting.
-  # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more
+  # See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more
  dev:
    enabled: false

@@ -692,19 +829,23 @@ server:
    # config is a raw string of default configuration when using a Stateful
    # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
    # and store data there. This is only used when using a Replica count of 1, and
-    # using a stateful set. This should be HCL.
+    # using a stateful set. Supported formats are HCL and JSON.

    # Note: Configuration files are stored in ConfigMaps so sensitive data
    # such as passwords should be either mounted through extraSecretEnvironmentVars
-    # or through a Kube secret.  For more information see:
-    # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
-    config: |
+    # or through a Kube secret. For more information see:
+    # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
+    config: |-
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
+        # Enable unauthenticated metrics access (necessary for Prometheus Operator)
+        #telemetry {
+        #  unauthenticated_metrics_access = "true"
+        #}
      }
      storage "file" {
        path = "/vault/data"
@@ -720,22 +861,28 @@ server:
      #   crypto_key  = "vault-helm-unseal-key"
      #}

-  # Run Vault in "HA" mode. There are no storage requirements unless audit log
+      # Example configuration for enabling Prometheus metrics in your config.
+      #telemetry {
+      #  prometheus_retention_time = "30s"
+      #  disable_hostname = true
+      #}
+
+  # Run Vault in "HA" mode. There are no storage requirements unless the audit log
  # persistence is required.  In HA mode Vault will configure itself to use Consul
  # for its storage backend.  The default configuration provided will work the Consul
  # Helm project by default.  It is possible to manually configure Vault to use a
  # different HA backend.
  ha:
-    enabled: true
+    enabled: false
    replicas: 3

    # Set the api_addr configuration for Vault HA
-    # See https://www.vaultproject.io/docs/configuration#api_addr
+    # See https://developer.hashicorp.com/vault/docs/configuration#api_addr
    # If set to null, this will be set to the Pod IP Address
    apiAddr: null

-    # Set the cluster_addr confuguration for Vault HA
-    # See https://www.vaultproject.io/docs/configuration#cluster_addr
+    # Set the cluster_addr configuration for Vault HA
+    # See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr
    # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201
    clusterAddr: null

@@ -746,14 +893,15 @@ server:
    raft:

      # Enables Raft integrated storage
-      enabled: true
+      enabled: false
      # Set the Node Raft ID to the name of the pod
      setNodeId: false

      # Note: Configuration files are stored in ConfigMaps so sensitive data
      # such as passwords should be either mounted through extraSecretEnvironmentVars
      # or through a Kube secret.  For more information see:
-      # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
+      # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
+      # Supported formats are HCL and JSON.
      config: |
        ui = true

@@ -761,6 +909,10 @@ server:
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
+          # Enable unauthenticated metrics access (necessary for Prometheus Operator)
+          #telemetry {
+          #  unauthenticated_metrics_access = "true"
+          #}
        }

        storage "raft" {
@@ -771,12 +923,12 @@ server:

    # config is a raw string of default configuration when using a Stateful
    # deployment. Default is to use a Consul for its HA storage backend.
-    # This should be HCL.
+    # Supported formats are HCL and JSON.

    # Note: Configuration files are stored in ConfigMaps so sensitive data
    # such as passwords should be either mounted through extraSecretEnvironmentVars
-    # or through a Kube secret.  For more information see:
-    # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
+    # or through a Kube secret. For more information see:
+    # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
    config: |
      ui = true

@@ -802,6 +954,14 @@ server:
      #   crypto_key  = "vault-helm-unseal-key"
      #}

+      # Example configuration for enabling Prometheus metrics.
+      # If you are using Prometheus Operator you can enable a ServiceMonitor resource below.
+      # You may wish to enable unauthenticated metrics in the listener block above.
+      #telemetry {
+      #  prometheus_retention_time = "30s"
+      #  disable_hostname = true
+      #}
+
    # A disruption budget limits the number of pods of a replicated application
    # that are down simultaneously from voluntary disruptions
    disruptionBudget:
@@ -820,10 +980,24 @@ server:
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name: ""
+    # Create a Secret API object to store a non-expiring token for the service account.
+    # Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default.
+    # Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible.
+    # For more details, see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets
+    # serviceAccount.create must be equal to 'true' in order to use this feature.
+    createSecret: false
    # Extra annotations for the serviceAccount definition. This can either be
    # YAML or a YAML-formatted multi-line templated string map of the
    # annotations to apply to the serviceAccount.
    annotations: {}
+    # Extra labels to attach to the serviceAccount
+    # This should be a YAML map of the labels to apply to the serviceAccount
+    extraLabels: {}
+    # Enable or disable a service account role binding with the permissions required for
+    # Vault's Kubernetes service_registration config option.
+    # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes
+    serviceDiscovery:
+      enabled: true

  # Settings for the statefulSet used to run Vault.
  statefulSet:
@@ -839,16 +1013,18 @@ server:
    #   runAsGroup: {{ .Values.server.gid | default 1000 }}
    #   runAsUser: {{ .Values.server.uid | default 100 }}
    #   fsGroup: {{ .Values.server.gid | default 1000 }}
-    # container: {}
+    # container:
+    #   allowPrivilegeEscalation: false
    #
    # If not set, these will default to, and for OpenShift:
    # pod: {}
-    # container:
-    #   allowPrivilegeEscalation: false
+    # container: {}
    securityContext:
      pod: {}
      container: {}

+  # Should the server pods run on the host network
+  hostNetwork: false

 # Vault UI
 ui:
@@ -866,6 +1042,21 @@ ui:
  externalPort: 8200
  targetPort: 8200

+  # The IP family and IP families options are to set the behaviour in a dual-stack environment.
+  # Omitting these values will let the service fall back to whatever the CNI dictates the defaults
+  # should be.
+  # These are only supported for kubernetes versions >=1.23.0
+  #
+  # Configures the service's supported IP family, can be either:
+  #     SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
+  #     PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service.
+  #     RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges.
+  serviceIPFamilyPolicy: ""
+
+  # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well
+  # Can be IPv4 and/or IPv6.
+  serviceIPFamilies: []
+
  # The externalTrafficPolicy can be set to either Cluster or Local
  # and is only valid for LoadBalancer and NodePort service types.
  # The default value is Cluster.
@@ -897,7 +1088,7 @@ csi:

  image:
    repository: "hashicorp/vault-csi-provider"
-    tag: "1.2.0"
+    tag: "1.5.0"
    pullPolicy: IfNotPresent

  # volumes is a list of volumes made available to all containers. These are rendered
@@ -925,6 +1116,14 @@ csi:
  #     cpu: 50m
  #     memory: 128Mi

+  # Override the default secret name for the CSI Provider's HMAC key used for
+  # generating secret versions.
+  hmacSecretName: ""
+
+  # Allow modification of the hostNetwork parameter to avoid the need of a
+  # dedicated pod ip
+  hostNetwork: false
+
  # Settings for the daemonSet used to run the provider.
  daemonSet:
    updateStrategy:
@@ -957,11 +1156,41 @@ csi:
    # in a PodSpec.
    tolerations: []

+    # nodeSelector labels for csi pod assignment, formatted as a multi-line string or YAML map.
+    # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+    # Example:
+    # nodeSelector:
+    #   beta.kubernetes.io/arch: amd64
+    nodeSelector: {}
+
+    # Affinity Settings
+    # This should be either a multi-line string or YAML matching the PodSpec's affinity field.
+    affinity: {}
+
    # Extra labels to attach to the vault-csi-provider pod
    # This should be a YAML map of the labels to apply to the csi provider pod
    extraLabels: {}

+  agent:
+    enabled: true
+    extraArgs: []

+    image:
+      repository: "hashicorp/vault"
+      tag: "1.18.1"
+      pullPolicy: IfNotPresent
+
+    logFormat: standard
+    logLevel: info
+
+    resources: {}
+    # resources:
+    #   requests:
+    #     memory: 256Mi
+    #     cpu: 250m
+    #   limits:
+    #     memory: 256Mi
+    #     cpu: 250m

  # Priority class for csi pods
  priorityClassName: ""
@@ -1001,10 +1230,116 @@ csi:
    # Number of seconds after which the probe times out.
    timeoutSeconds: 3

-  # Enables debug logging.
+  # Configures the log level for the Vault CSI provider.
+  # Supported log levels include: trace, debug, info, warn, error, and off
+  logLevel: "info"
+
+  # Deprecated, set logLevel to debug instead.
+  # If set to true, the logLevel will be set to debug.
  debug: false

  # Pass arbitrary additional arguments to vault-csi-provider.
-  # See https://www.vaultproject.io/docs/platform/k8s/csi/configurations#command-line-arguments
+  # See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments
  # for the available command line flags.
  extraArgs: []
+
+# Vault is able to collect and publish various runtime metrics.
+# Enabling this feature requires setting adding `telemetry{}` stanza to
+# the Vault configuration. There are a few examples included in the `config` sections above.
+#
+# For more information see:
+# https://developer.hashicorp.com/vault/docs/configuration/telemetry
+# https://developer.hashicorp.com/vault/docs/internals/telemetry
+serverTelemetry:
+  # Enable support for the Prometheus Operator. If authorization is not set for authenticating
+  # to Vault's metrics endpoint, the following Vault server `telemetry{}` config must be included
+  # in the `listener "tcp"{}` stanza
+  #  telemetry {
+  #    unauthenticated_metrics_access = "true"
+  #  }
+  #
+  # See the `standalone.config` for a more complete example of this.
+  #
+  # In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration:
+  #
+  # example:
+  #  telemetry {
+  #    prometheus_retention_time = "30s"
+  #    disable_hostname = true
+  #  }
+  #
+  # Configuration for monitoring the Vault server.
+  serviceMonitor:
+    # The Prometheus operator *must* be installed before enabling this feature,
+    # if not the chart will fail to install due to missing CustomResourceDefinitions
+    # provided by the operator.
+    #
+    # Instructions on how to install the Helm chart can be found here:
+    #  https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
+    # More information can be found here:
+    #  https://github.com/prometheus-operator/prometheus-operator
+    #  https://github.com/prometheus-operator/kube-prometheus
+
+    # Enable deployment of the Vault Server ServiceMonitor CustomResource.
+    enabled: false
+
+    # Selector labels to add to the ServiceMonitor.
+    # When empty, defaults to:
+    #  release: prometheus
+    selectors: {}
+
+    # Interval at which Prometheus scrapes metrics
+    interval: 30s
+
+    # Timeout for Prometheus scrapes
+    scrapeTimeout: 10s
+
+    # tlsConfig used for scraping the Vault metrics API.
+    # See API reference: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.TLSConfig
+    # example:
+    # tlsConfig:
+    #   ca:
+    #     secret:
+    #       name: vault-metrics-client
+    #       key: ca.crt
+    tlsConfig: {}
+
+    # authorization used for scraping the Vault metrics API.
+    # See API reference: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.SafeAuthorization
+    # example:
+    # authorization:
+    #   credentials:
+    #     name: vault-metrics-client
+    #     key: token
+    authorization: {}
+
+  prometheusRules:
+      # The Prometheus operator *must* be installed before enabling this feature,
+      # if not the chart will fail to install due to missing CustomResourceDefinitions
+      # provided by the operator.
+
+      # Deploy the PrometheusRule custom resource for AlertManager based alerts.
+      # Requires that AlertManager is properly deployed.
+      enabled: false
+
+      # Selector labels to add to the PrometheusRules.
+      # When empty, defaults to:
+      #  release: prometheus
+      selectors: {}
+
+      # Some example rules.
+      rules: []
+      #  - alert: vault-HighResponseTime
+      #    annotations:
+      #      message: The response time of Vault is over 500ms on average over the last 5 minutes.
+      #    expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
+      #    for: 5m
+      #    labels:
+      #      severity: warning
+      #  - alert: vault-HighResponseTime
+      #    annotations:
+      #      message: The response time of Vault is over 1s on average over the last 5 minutes.
+      #    expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
+      #    for: 5m
+      #    labels:
+      #      severity: critical
--- a/psql/docker-compose.yaml
+++ b/psql/docker-compose.yaml
@@ -0,0 +1,23 @@
+version: '3.8'
+services:
+  psql:
+    image: postgres:11-alpine
+    container_name: postgres
+    restart: always
+    environment:
+      POSTGRES_USER: testuser
+      POSTGRES_PASSWORD: password
+      POSTGRES_DB: testdb1
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+    expose:
+      - 5432
+    networks:
+      - vault_net
+
+networks:
+  vault_net:
+    name: vault_net
+
+volumes:
+  pgdata:
Author	SHA1	Message	Date
Vassiliy Yegorov	55e333f0de	up ver vault, add bank-vavult examples	2025-01-27 14:25:50 +07:00
Vassiliy Yegorov	a6e9e7ca09	add metrics	2022-08-26 16:48:25 +07:00
Vassiliy Yegorov	34c56193bc	fix	2022-08-26 13:48:39 +07:00
Vassiliy Yegorov	5a0392a3f5	add backups md	2022-08-26 13:38:37 +07:00
Vassiliy Yegorov	20c3ce3466	fix	2022-08-25 15:13:58 +07:00
Vassiliy Yegorov	7267b23309	fix	2022-08-25 14:18:07 +07:00
Vassiliy Yegorov	d53d6acc83	fix	2022-08-25 14:13:12 +07:00
Vassiliy Yegorov	5cc8cd3321	fix	2022-08-25 14:10:23 +07:00
Vassiliy Yegorov	1e6377dc46	fix	2022-08-25 13:47:36 +07:00
Vassiliy Yegorov	722091fdb4	add adminer	2022-08-25 13:37:25 +07:00
Vassiliy Yegorov	09cc7e765c	fix	2022-08-25 13:21:20 +07:00
Vassiliy Yegorov	e0776401c8	fix	2022-08-25 13:11:11 +07:00
Vassiliy Yegorov	7ac0b8aa1f	fix	2022-08-25 13:10:17 +07:00
Vassiliy Yegorov	48ede00946	fix	2022-08-25 13:07:48 +07:00
Vassiliy Yegorov	085fb5d21c	fix	2022-08-25 12:44:43 +07:00
Vassiliy Yegorov	78d9169720	fix	2022-08-25 12:40:58 +07:00
Vassiliy Yegorov	65ed2e594c	fix	2022-08-25 12:33:24 +07:00
Vassiliy Yegorov	328220c103	add psql md	2022-08-25 12:30:49 +07:00
Vassiliy Yegorov	34a541a1a1	add psql	2022-08-25 12:25:38 +07:00