Updated chart so that it worked better as a subchart, is more configurable and better documented

templates/_helpers.tpl

@@ -0,0 +1,16 @@
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "vault.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}

templates/vault-creds-persistant-volume-claim.yaml

@@ -1,15 +1,15 @@
-{{- if .Values.vault.create.enabled -}}
+{{- if .Values.create.enabled -}}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ .Release.Name }}-vault-creds
+  name: {{ include "vault.fullname" . }}-creds
   labels:
-    app: {{ .Release.Name }}-vault
+    app: {{ include "vault.fullname" . }}
 spec:
-  storageClassName: vault-role-vars-rook-cephfs
+  storageClassName: {{ .Values.create.snapshotServer.vaultCredsPVC.storageClassName }}
   accessModes:
     - ReadWriteMany
   resources:
     requests:
-      storage: 512Mi
+      storage: {{ .Values.create.snapshotServer.vaultCredsPVC.size }}
 {{- end -}}

templates/vault-hashicorp-secret.yaml

@@ -1,24 +1,24 @@
-{{- if and (.Values.vault.enabled) (eq .Values.vault.type "hashicorp") -}}
+{{- if and (.Values.enabled) (eq .Values.type "hashicorp") -}}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Release.Name }}-vault-secret
+  name: {{ include "vault.fullname" . }}-secret
 type: opaque
 data:
   {{- if .Values.vault.create.enabled }}
   # Because we create the Hashicorp Vault instance as part of the Helm chart, 
   # we can use the name of the created resource (utilizing k8s built-in container connections) 
   # to connect to the Vault instance without having to hard-code the Vault name.
-  vault-name: {{ printf "%s-vault" .Release.Name | b64enc }}
+  vault-name: {{ include "vault.fullname" . | b64enc }}
   # Because we create the Hashicorp Vault instance as part of the Helm chart,
   # We know the port that the Vault instance is running on.
   vault-port: {{ printf "%d" 80 | b64enc }}
   {{- else }}
   # Because the Vault wasn't created as part of the Helm chart,
   # we need the deployer to specify the name of the Vault instance to connect to.
-  vault-name: {{ .Values.vault.vaultName | b64enc }}
+  vault-name: {{ .Values.vaultName | b64enc }}
   # Because the Vault wasn't created as part of the Helm chart,
   # we need the deployer to specify the port that the Vault instance is running on.
-  vault-port: {{ .Values.vault.vaultPort | b64enc }}
+  vault-port: {{ .Values.vaultPort | b64enc }}
   {{- end }}
 {{- end -}}

templates/vault-ingress.yaml

@@ -1,21 +1,21 @@
-{{- if .Values.vault.create.ingress.enabled -}}
+{{- if .Values.create.ingress.enabled -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: {{ .Release.Name }}-vault-ingress
+  name: {{ include "vault.fullname" . }}-ingress
   labels:
-    app: {{ .Release.Name }}-vault
+    app: {{ include "vault.fullname" . }}
 spec:
   ingressClassName: nginx
   rules:
-    - host: {{ .Values.vault.create.ingress.host }}
+    - host: {{ .Values.create.ingress.host }}
       http:
         paths:
         - path: /
           pathType: Prefix
           backend:
             service:
-              name: {{ .Release.Name }}-vault
+              name: {{ include "vault.fullname" . }}
               port:
                 number: 80
 {{- end -}}

templates/vault-keyvault-secret.yaml

@@ -1,12 +1,12 @@
-{{- if and (.Values.vault.enabled) (eq .Values.vault.type "azure") -}}
+{{- if and (.Values.enabled) (eq .Values.vault.type "azure") -}}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Release.Name }}-vault-secret
+  name: {{ include "vault.fullname" . }}-secret
 type: opaque
 data:
-  client-id: {{ .Values.vault.clientId | b64enc }}
-  client-secret: {{ .Values.vault.clientSecret | b64enc}}
-  name: {{ .Values.vault.vaultName | b64enc }}
-  tenant-id: {{ .Values.vault.tenantId | b64enc }}
+  client-id: {{ .Values.clientId | b64enc }}
+  client-secret: {{ .Values.clientSecret | b64enc}}
+  name: {{ .Values.vaultName | b64enc }}
+  tenant-id: {{ .Values.tenantId | b64enc }}
 {{- end -}}

templates/vault-role-vars-persistant-volume-claim.yaml

@@ -1,15 +1,15 @@
-{{- if .Values.vault.create.enabled -}}
+{{- if .Values.create.enabled -}}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ .Release.Name }}-vault-role-vars
+  name: {{ include "vault.fullname" . }}-role-vars
   labels:
-    app: {{ .Release.Name }}-vault
+    app: {{ include "vault.fullname" . }}
 spec:
-  storageClassName: vault-role-vars-rook-cephfs
+  storageClassName: {{ .Values.create.roleVarsPVC.storageClassName }}
   accessModes:
     - ReadWriteMany
   resources:
     requests:
-      storage: 512Mi
+      storage: {{ .Values.create.roleVarsPVC.size }}
 {{- end -}}

templates/vault-service.yaml

@@ -1,19 +1,19 @@
-{{- if .Values.vault.create.enabled -}}
+{{- if .Values.create.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ .Release.Name }}-vault
+  name: {{ include "vault.fullname" . }}
   labels:
-    app: {{ .Release.Name }}-vault
+    app: {{ include "vault.fullname" . }}
 spec:
   selector:
-    app: {{ .Release.Name }}-vault
+    app: {{ include "vault.fullname" . }}
   ports:
-    {{- if .Values.vault.create.snapshotServer.enabled }}
+    {{- if .Values.create.snapshotServer.enabled }}
     - name: custom-snapshot-server
       protocol: TCP
-      port: {{ .Values.vault.create.snapshotServer.externalPort }}
-      targetPort: {{ .Values.vault.create.snapshotServer.internalPort }}
+      port: {{ .Values.create.snapshotServer.externalPort }}
+      targetPort: {{ .Values.create.snapshotServer.internalPort }}
     {{- end }}
     - name: http
       protocol: TCP

templates/vault-snapshot-server-configmap.yaml

@@ -1,8 +1,8 @@
-{{- if .Values.vault.create.snapshotServer.enabled -}}
+{{- if .Values.create.snapshotServer.enabled -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ .Release.Name }}-vault-snapshot-config
+  name: {{ include "vault.fullname" . }}-snapshot-config
 data:
-  port: {{ .Values.vault.create.snapshotServer.externalPort | quote }}
+  port: {{ .Values.create.snapshotServer.externalPort | quote }}
 {{- end -}}

templates/vault-statefulset.yaml

@@ -1,44 +1,44 @@
-{{- if and (.Values.vault.create.enabled) (eq .Values.vault.type "hashicorp") -}}
+{{- if and (.Values.create.enabled) (eq .Values.type "hashicorp") -}}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-  name: {{ .Release.Name }}-vault
+  name: {{ include "vault.fullname" . }}
   labels:
-    app: {{ .Release.Name }}-vault
+    app: {{ include "vault.fullname" . }}
 spec:
-  serviceName: {{ .Release.Name }}-vault
+  serviceName: {{ include "vault.fullname" . }}
   replicas: 1
   selector:
     matchLabels:
-      app: {{ .Release.Name }}-vault
+      app: {{ include "vault.fullname" . }}
   template:
     metadata:
       labels:
-        app: {{ .Release.Name }}-vault
+        app: {{ include "vault.fullname" . }}
     spec:
       # Because the Vault process runs with a non-root user inside the container,
       # we need to set the fsGroup to ensure that the mounted volumes have the correct permissions
       securityContext:
         fsGroup: 1000
       containers:
-      - name: {{ .Release.Name }}-vault
-        image: {{ .Values.vault.create.image.repository }}:{{ .Values.vault.create.image.tag }}
+      - name: {{ include "vault.fullname" . }}
+        image: {{ .Values.create.image.repository }}:{{ .Values.create.image.tag }}
         ports:
         - containerPort: 8200
         - containerPort: 8201
-        {{- if .Values.vault.create.snapshotServer.enabled }}
-        - containerPort: {{ .Values.vault.create.snapshotServer.internalPort }}
+        {{- if .Values.create.snapshotServer.enabled }}
+        - containerPort: {{ .Values.create.snapshotServer.internalPort }}
         {{- end }}
         env:
         - name: VAULT_ADDR
           value: http://0.0.0.0:8200
         - name: ROLE_ID_SECRET_NAME
-          value: USER_PASSWORD_DEFAULT_VAULT_ROLE_ID
+          value: {{ .Values.create.appRole.roleIDSecretName }}
         - name: SECRET_ID_SECRET_NAME
-          value: USER_PASSWORD_DEFAULT_VAULT_SECRET_ID
-        {{- if .Values.vault.create.snapshotServer.enabled }}
+          value: {{ .Values.create.appRole.secretIDSecretName }}
+        {{- if .Values.create.snapshotServer.enabled }}
         - name: SNAPSHOT_SERVER_PORT
-          value: {{ .Values.vault.create.snapshotServer.internalPort | quote }}
+          value: {{ .Values.create.snapshotServer.internalPort | quote }}
         {{- end }}
         volumeMounts:
         - name: vault-data
@@ -55,24 +55,24 @@ spec:
       - name: vault-log
         emptyDir: {}
       - name: vault-creds
-        {{- if .Values.vault.create.snapshotServer.enabled }}
+        {{- if .Values.create.snapshotServer.enabled }}
         persistentVolumeClaim:
-          claimName: {{ .Release.Name }}-vault-creds
+          claimName: {{ include "vault.fullname" . }}-creds
         {{- else }}
         emptyDir: {}
         {{- end }}
       - name: vault-role-vars
         persistentVolumeClaim:
-          claimName: {{ .Release.Name }}-vault-role-vars
+          claimName: {{ include "vault.fullname" . }}-role-vars
   # To have data consistency across pod restarts, we use a volume claim template
   # We do this instead of a static PVC because we require less control and it's easier to manage
   volumeClaimTemplates:
   - metadata:
       name: vault-data
     spec:
-      storageClassName: rook-ceph-block
-      accessModes: [ "ReadWriteOnce" ]
+      storageClassName: {{ .Values.create.vaultData.storageClassName }}
+      accessModes: {{ .Values.create.vaultData.accessModes }}
       resources:
         requests:
-          storage: 2Gi
+          storage: {{ .Values.create.vaultData.size }}
 {{- end -}}