Attempted to make the changes and add things that will be needed for the new k8s mode

2026-04-05 15:46:22 -05:00 · 2026-04-05 15:46:22 -05:00 · 1912114d63
commit 1912114d63
parent 9e288e7404
6 changed files with 65 additions and 15 deletions
--- a/templates/vault-statefulset.yaml
+++ b/templates/vault-statefulset.yaml
@ -16,6 +16,10 @@ spec:
      labels:
        app: {{ include "vault.fullname" . }}
    spec:
+      {{- if eq .Values.create.appRole.mode "k8s" }}
+      # If the AppRole mode is set to `k8s`, we need to specify the service account for the Vault pods to use so that it can access the Kubernetes API and specifically manage specific secrets etc...
+      serviceAccountName: {{ include "vault.fullname" . }}-sa
+      {{- end }}
      # Because the Vault process runs with a non-root user inside the container,
      # we need to set the fsGroup to ensure that the mounted volumes have the correct permissions
      securityContext:
@ -49,8 +53,10 @@ spec:
          mountPath: /vault/logs
        - name: vault-creds
          mountPath: /vault/creds
+        {{- if eq .Values.create.appRole.mode "file" }}
        - name: vault-role-vars
          mountPath: /role_vars
+        {{- end }}
        capAdd:
        - IPC_LOCK
      volumes:
@ -63,9 +69,12 @@ spec:
        {{- else }}
        emptyDir: {}
        {{- end }}
+      {{- if eq .Values.create.appRole.mode "file" }}
      - name: vault-role-vars
        persistentVolumeClaim:
          claimName: {{ include "vault.fullname" . }}-role-vars
+      {{- end }}
+
  # To have data consistency across pod restarts, we use a volume claim template
  # We do this instead of a static PVC because we require less control and it's easier to manage
  volumeClaimTemplates: