hashicorp · swenson · Apr 7, 2023 · Apr 7, 2023
@@ -71,7 +71,7 @@ metadata:
     vault-initialized: "true"
     vault-perf-standby: "false"
     vault-sealed: "false"
-    vault-version: 1.3.0
+    vault-version: 1.13.1
 ```
 
 After shutdowns, Vault pods will bear the following labels:
@@ -86,7 +86,7 @@ metadata:
     vault-initialized: "false"
     vault-perf-standby: "false"
     vault-sealed: "true"
-    vault-version: 1.3.0
+    vault-version: 1.13.1
 ```
 
 ## Label Definitions
@@ -102,7 +102,7 @@ metadata:
 - `vault-sealed` `(string: "true"/"false")` – Vault sealed is updated dynamically each
   time Vault's sealed/unsealed status changes. True indicates that Vault is currently sealed. False indicates that Vault
   is currently unsealed.
-- `vault-version` `(string: "1.3.0")` – Vault version is a string that will not change during a pod's lifecycle.
+- `vault-version` `(string: "1.13.1")` – Vault version is a string that will not change during a pod's lifecycle.
 
 ## Working with Vault's Service Discovery Labels
 
@@ -156,7 +156,7 @@ $ vault write -f sys/replication/performance/primary/enable \
 In conjunction with the pod labels and the `OnDelete` upgrade strategy, upgrades are much easier to orchestrate:
 
 ```shell-session
-$ helm upgrade vault --set='server.image.tag=1.12.0'
+$ helm upgrade vault --set='server.image.tag=1.13.1'
 
 $ kubectl delete pod --selector=vault-active=false \
     --selector=vault-version=1.2.3

@@ -77,15 +77,15 @@ and consider if they're appropriate for your deployment.
 
     - `repository` (`string: "hashicorp/vault-k8s"`) - The name of the Docker image for Vault Agent Injector.
 
-    - `tag` (`string: "1.1.0"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
+    - `tag` (`string: "1.2.1"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
 
     - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
 
   - `agentImage` - Values that configure the Vault Agent sidecar image.
 
     - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image.
 
-    - `tag` (`string: "1.12.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**.
+    - `tag` (`string: "1.13.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**.
 
   - `agentDefaults` - Values that configure the injected Vault Agent containers default values.
 
@@ -295,6 +295,42 @@ and consider if they're appropriate for your deployment.
       type: RollingUpdate
     ```
 
+  - `livenessProbe` - Values that configure the liveness probe for the injector.
+
+    - `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes.
+
+    - `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the liveness probe when the container starts.
+
+    - `periodSeconds` (`int: 5`) - When set to a value, configures how often (in seconds) to perform the probe.
+
+    - `successThreshold` (`int: 1`) - When set to a value, configures the minimum consecutive successes for the probe to be considered successful after having failed.
+
+    - `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out.
+
+  - `readinessProbe` - Values that configure the readiness probe for the injector.
+
+    - `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes.
+
+    - `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the readiness probe when the container starts.
+
+    - `periodSeconds` (`int: 5`) - When set to a value, configures how often (in seconds) to perform the probe.
+
+    - `successThreshold` (`int: 1`) - When set to a value, configures the minimum consecutive successes for the probe to be considered successful after having failed.
+
+    - `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out.
+
+  - `startupProbe` - Values that configure the startup probe for the injector.
+
+    - `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes.
+
+    - `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the startup probe when the container starts.
+
+    - `periodSeconds` (`int: 5`) - When set to a value, configures how often (in seconds) to perform the probe.
+
+    - `successThreshold` (`int: 1`) - When set to a value, configures the minimum consecutive successes for the probe to be considered successful after having failed.
+
+    - `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out.
+
 - `server` - Values that configure running a Vault server within Kubernetes.
 
   - `enabled` (`boolean or string: "-"`) - When set to `true`, the Vault server will be created. When set to `"-"`, defaults to the value of `global.enabled`.
@@ -309,7 +345,7 @@ and consider if they're appropriate for your deployment.
 
     - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the containers running Vault.
 
-    - `tag` (`string: "1.12.1"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
+    - `tag` (`string: "1.13.1"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
 
     - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
 
@@ -429,6 +465,8 @@ and consider if they're appropriate for your deployment.
 
     - `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out.
 
+    - `port` (`int: 8200`) - When set to a value, overrides the default port used for the server readiness probe.
+
     ```yaml
     readinessProbe:
       enabled: true
@@ -438,15 +476,16 @@ and consider if they're appropriate for your deployment.
       periodSeconds: 5
       successThreshold: 1
       timeoutSeconds: 3
+      port: 8200
     ```
 
-  - `livenessProbe` - Values that configure the liveliness probe for the Vault pods.
+  - `livenessProbe` - Values that configure the liveness probe for the Vault pods.
 
-    - `enabled` (`boolean: false`) - When set to `true`, a liveliness probe will be applied to the Vault pods.
+    - `enabled` (`boolean: false`) - When set to `true`, a liveness probe will be applied to the Vault pods.
 
     - `path` (`string: "/v1/sys/health?standbyok=true"`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controlled by the `tlsDisable` value.
 
-    - `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the liveliness probe when the container starts.
+    - `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the liveness probe when the container starts.
 
     - `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes.
 
@@ -456,15 +495,18 @@ and consider if they're appropriate for your deployment.
 
     - `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out.
 
+    - `port` (`int: 8200`) - When set to a value, overrides the default port used for the server liveness probe.
+
     ```yaml
-    livelinessProbe:
+    livenessProbe:
       enabled: true
       path: /v1/sys/health?standbyok=true
       initialDelaySeconds: 60
       failureThreshold: 2
       periodSeconds: 5
       successThreshold: 1
       timeoutSeconds: 3
+      port: 8200
     ```
 
   - `terminationGracePeriodSeconds` (`int: 10`) - Optional duration in seconds the pod needs to terminate gracefully. See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
@@ -509,6 +551,14 @@ and consider if they're appropriate for your deployment.
     extraArgs: '-config=/path/to/extra/config.hcl -log-format=json'
     ```
 
+  - `extraPorts` (`array: []`) - additional ports to add to the server statefulset
+
+  ```yaml
+  extraPorts:
+    - containerPort: 8300
+      name: http-monitoring
+  ```
+
   - `extraSecretEnvironmentVars` (`array: []`) - The extra environment variables populated from a secret to be applied to the Vault server.
 
     - `envName` (`string: required`) -
@@ -978,7 +1028,7 @@ and consider if they're appropriate for your deployment.
 
     - `repository` (`string: "hashicorp/vault-csi-provider"`) - The name of the Docker image for the Vault CSI Provider.
 
-    - `tag` (`string: "1.2.1"`) - The tag of the Docker image for the Vault CSI Provider.. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your CSI provider.
+    - `tag` (`string: "1.3.0"`) - The tag of the Docker image for the Vault CSI Provider.. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your CSI provider.
 
     - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists locally.
 
@@ -1091,9 +1141,9 @@ and consider if they're appropriate for your deployment.
 
     - `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out.
 
-  - `livenessProbe` - Values that configure the liveliness probe for the Vault CSI Provider pods.
+  - `livenessProbe` - Values that configure the liveness probe for the Vault CSI Provider pods.
 
-    - `initialDelaySeconds` (`int: 5`) - Sets the initial delay of the liveliness probe when the container starts.
+    - `initialDelaySeconds` (`int: 5`) - Sets the initial delay of the liveness probe when the container starts.
 
     - `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes.
 
@@ -1105,7 +1155,31 @@ and consider if they're appropriate for your deployment.
 
   - `debug` (`bool: false`) - When set to true, enables debug logging on the Vault CSI Provider daemonset.
 
-  - `extraArgs` (`string: array`) - The extra arguments to be applied to the CSI pod startup command. See [here](/vault/docs/platform/k8s/csi/configurations#command-line-arguments) for available flags.
+  - `extraArgs` (`array: []`) - The extra arguments to be applied to the CSI pod startup command. See [here](/vault/docs/platform/k8s/csi/configurations#command-line-arguments) for available flags.
+
+  - `agent` - Configures the Vault Agent sidecar for the CSI Provider
+    - `enabled` (`bool: true`) - whether to enable the agent sidecar for the CSI provider
+    - `extraArgs` (`array: []`) - The extra arguments to be applied to the agent startup command.
+
+    - `image` - Values that configure the Vault Agent sidecar image for the CSI Provider.
+      - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for agent image. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
+
+      - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image.
+
+      - `tag` (`string: "1.13.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar.
+
+    - `logFormat` (`string: "standard"`) -
+    - `logLevel` (`string: "info"`) -
+    - `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for the agent. This should be a YAML dictionary of a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core) object.
+    ```yaml
+    resources:
+      requests:
+        memory: '256Mi'
+        cpu: '250m'
+      limits:
+        memory: '256Mi'
+        cpu: '250m'
+    ```
 
 - `serverTelemetry` - Values the configure metrics and telemetry. Enabling these features requires setting
   the `telemetry {}` stanza in the Vault configuration. See the [telemetry](/vault/docs/configuration/telemetry)

@@ -33,7 +33,7 @@ In your chart overrides, set the values of [`server.image`](/vault/docs/platform
 server:
   image:
     repository: hashicorp/vault-enterprise
-    tag: 1.12.1-ent
+    tag: 1.13.1-ent
   enterpriseLicense:
     secretName: vault-ent-license
 ```

@@ -23,7 +23,7 @@ First, create the primary cluster:
 ```shell
 helm install vault-primary hashicorp/vault \
   --set='server.image.repository=hashicorp/vault-enterprise' \
-  --set='server.image.tag=1.12.1-ent' \
+  --set='server.image.tag=1.13.1-ent' \
   --set='server.ha.enabled=true' \
   --set='server.ha.raft.enabled=true'
 ```
@@ -75,7 +75,7 @@ disaster recovery replication.
 ```shell
 helm install vault-secondary hashicorp/vault \
   --set='server.image.repository=hashicorp/vault-enterprise' \
-  --set='server.image.tag=1.12.1-ent' \
+  --set='server.image.tag=1.13.1-ent' \
   --set='server.ha.enabled=true' \
   --set='server.ha.raft.enabled=true'
 ```

@@ -23,7 +23,7 @@ First, create the primary cluster:
 ```shell
 helm install vault-primary hashicorp/vault \
   --set='server.image.repository=hashicorp/vault-enterprise' \
-  --set='server.image.tag=1.12.1-ent' \
+  --set='server.image.tag=1.13.1-ent' \
   --set='server.ha.enabled=true' \
   --set='server.ha.raft.enabled=true'
 ```
@@ -74,7 +74,7 @@ With the primary cluster created, next create a secondary cluster.
 ```shell
 helm install vault-secondary hashicorp/vault \
   --set='server.image.repository=hashicorp/vault-enterprise' \
-  --set='server.image.tag=1.12.1-ent' \
+  --set='server.image.tag=1.13.1-ent' \
   --set='server.ha.enabled=true' \
   --set='server.ha.raft.enabled=true'
 ```

@@ -15,7 +15,7 @@ Integrated Storage (raft) can be enabled using the `server.ha.raft.enabled` valu
 ```shell
 helm install vault hashicorp/vault \
   --set='server.image.repository=hashicorp/vault-enterprise' \
-  --set='server.image.tag=1.12.1-ent' \
+  --set='server.image.tag=1.13.1-ent' \
   --set='server.ha.enabled=true' \
   --set='server.ha.raft.enabled=true'
 ```

@@ -409,14 +409,14 @@ Next, list the Helm versions and choose the desired version to install.
 ```bash
 $ helm search repo hashicorp/vault
 NAME           	CHART VERSION	APP VERSION	DESCRIPTION
-hashicorp/vault	0.23.0       	1.12.1     	Official HashiCorp Vault Chart
+hashicorp/vault	0.24.0       	1.13.1     	Official HashiCorp Vault Chart
 ```
 
 Next, test the upgrade with `--dry-run` first to verify the changes sent to the
 Kubernetes cluster.
 
 ```shell-session
-$ helm upgrade vault hashicorp/vault --version=0.23.0 \
+$ helm upgrade vault hashicorp/vault --version=0.24.0 \
     --set='server.image.repository=vault' \
     --set='server.image.tag=123.456' \
     --dry-run

@@ -2,15 +2,15 @@
 # List the available releases
 $ helm search repo hashicorp/vault -l
 NAME           	CHART VERSION	APP VERSION	DESCRIPTION
+hashicorp/vault	0.24.0       	1.13.1     	Official HashiCorp Vault Chart
 hashicorp/vault	0.23.0       	1.12.1     	Official HashiCorp Vault Chart
 hashicorp/vault	0.22.1       	1.12.0     	Official HashiCorp Vault Chart
 hashicorp/vault	0.22.0       	1.11.3     	Official HashiCorp Vault Chart
 hashicorp/vault	0.21.0       	1.11.2     	Official HashiCorp Vault Chart
 hashicorp/vault	0.20.1       	1.10.3     	Official HashiCorp Vault Chart
 hashicorp/vault	0.20.0       	1.10.3     	Official HashiCorp Vault Chart
-hashicorp/vault	0.19.0       	1.9.2      	Official HashiCorp Vault Chart
 ...
 
-# Install version 0.23.0
-$ helm install vault hashicorp/vault --version 0.23.0
+# Install version 0.24.0
+$ helm install vault hashicorp/vault --version 0.24.0
 ```
@@ -4,5 +4,5 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
 
 $ helm search repo hashicorp/vault
 NAME           	CHART VERSION	APP VERSION	DESCRIPTION
-hashicorp/vault	0.23.0       	1.12.1     	Official HashiCorp Vault Chart
+hashicorp/vault	0.24.0       	1.13.1     	Official HashiCorp Vault Chart
 ```