docs: vault-k8s 0.13.0 and vault-helm 0.16.0 (#12573)

website/content/docs/platform/k8s/helm/configuration.mdx

@@ -67,6 +67,8 @@ and consider if they're appropriate for your deployment.
 
     - `enabled` (`boolean: true`) - When set to `true`, enables leader election for Vault Agent Injector. This is required when using auto-tls and more than 1 replica.
 
+    - `useContainer` (`boolean: false`) - The deployment of the leader-elector container will soon be removed from this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true`
+
     - `image` - Values that configure the Vault Agent Injector Leader Election image.
 
       - `repository` (`string: "gcr.io/google_containers/leader-elector"`) - The name of the leader election image for the Vault Agent Injector.
@@ -79,15 +81,15 @@ and consider if they're appropriate for your deployment.
 
     - `repository` (`string: "hashicorp/vault-k8s"`) - The name of the Docker image for Vault Agent Injector.
 
-    - `tag` (`string: "0.12.0"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
+    - `tag` (`string: "0.13.0"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
 
     - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
 
   - `agentImage` - Values that configure the Vault Agent sidecar image.
 
-    - `repository` (`string: "vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image.
+    - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image.
 
-    - `tag` (`string: "1.8.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**.
+    - `tag` (`string: "1.8.2"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**.
 
   - `agentDefaults` - Values that configure the injected Vault Agent containers default values.
 
@@ -240,9 +242,9 @@ and consider if they're appropriate for your deployment.
 
   - `image` - Values that configure the Vault Docker image.
 
-    - `repository` (`string: "vault"`) - The name of the Docker image for the containers running Vault.
+    - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the containers running Vault.
 
-    - `tag` (`string: "1.8.1"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
+    - `tag` (`string: "1.8.2"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
 
     - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
 
@@ -900,6 +902,10 @@ and consider if they're appropriate for your deployment.
         foo: bar
       ```
 
+    - `providersDir` (`string: "/etc/kubernetes/secrets-store-csi-providers"`) - Provider host path (must match the CSI provider's path)
+
+    - `kubeletRootDir` (`string: "/var/lib/kubelet"`) - Kubelet host path
+
   - `pod` - Values that configure the Vault CSI Provider pod.
 
     - `annotations` (`dictionary: {}`) - This value defines additional annotations to

website/content/docs/platform/k8s/helm/enterprise.mdx

@@ -31,7 +31,7 @@ In your chart overrides, set the values of [`server.image`](/docs/platform/k8s/h
 server:
   image:
     repository: hashicorp/vault-enterprise
-    tag: 1.8.0_ent
+    tag: 1.8.2_ent
   enterpriseLicense:
     secretName: vault-ent-license
 ```

website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx

@@ -23,7 +23,7 @@ First, create the primary cluster:
 ```shell
 helm install vault-primary hashicorp/vault \
   --set='server.image.repository=hashicorp/vault-enterprise' \
-  --set='server.image.tag=1.8.1_ent' \
+  --set='server.image.tag=1.8.2_ent' \
   --set='server.ha.enabled=true' \
   --set='server.ha.raft.enabled=true'
 ```
@@ -75,7 +75,7 @@ disaster recovery replication.
 ```shell
 helm install vault-secondary hashicorp/vault \
   --set='server.image.repository=hashicorp/vault-enterprise' \
-  --set='server.image.tag=1.8.1_ent' \
+  --set='server.image.tag=1.8.2_ent' \
   --set='server.ha.enabled=true' \
   --set='server.ha.raft.enabled=true'
 ```

website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx

@@ -23,7 +23,7 @@ First, create the primary cluster:
 ```shell
 helm install vault-primary hashicorp/vault \
   --set='server.image.repository=hashicorp/vault-enterprise' \
-  --set='server.image.tag=1.8.1_ent' \
+  --set='server.image.tag=1.8.2_ent' \
   --set='server.ha.enabled=true' \
   --set='server.ha.raft.enabled=true'
 ```
@@ -74,7 +74,7 @@ With the primary cluster created, next create a secondary cluster.
 ```shell
 helm install vault-secondary hashicorp/vault \
   --set='server.image.repository=hashicorp/vault-enterprise' \
-  --set='server.image.tag=1.8.1_ent' \
+  --set='server.image.tag=1.8.2_ent' \
   --set='server.ha.enabled=true' \
   --set='server.ha.raft.enabled=true'
 ```

website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx

@@ -15,7 +15,7 @@ Integrated storage (raft) can be enabled using the `server.ha.raft.enabled` valu
 ```shell
 helm install vault hashicorp/vault \
   --set='server.image.repository=hashicorp/vault-enterprise' \
-  --set='server.image.tag=1.8.1_ent' \
+  --set='server.image.tag=1.8.2_ent' \
   --set='server.ha.enabled=true' \
   --set='server.ha.raft.enabled=true'
 ```

website/content/docs/platform/k8s/helm/index.mdx

@@ -35,7 +35,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
 
 $ helm search repo hashicorp/vault
 NAME           	CHART VERSION	APP VERSION	DESCRIPTION
-hashicorp/vault	0.15.0       	1.8.1      	Official HashiCorp Vault Chart
+hashicorp/vault	0.16.0       	1.8.2      	Official HashiCorp Vault Chart
 ```
 
 -> **Important:** The Helm chart is new and under significant development.
@@ -57,6 +57,7 @@ Installing a specific version of the chart.
 # List the available releases
 $ helm search repo hashicorp/vault -l
 NAME           	CHART VERSION	APP VERSION	DESCRIPTION
+hashicorp/vault	0.16.0       	1.8.2      	Official HashiCorp Vault Chart
 hashicorp/vault	0.15.0       	1.8.1      	Official HashiCorp Vault Chart
 hashicorp/vault	0.14.0       	1.8.0      	Official HashiCorp Vault Chart
 hashicorp/vault	0.13.0       	1.7.3      	Official HashiCorp Vault Chart
@@ -64,10 +65,9 @@ hashicorp/vault	0.12.0       	1.7.2      	Official HashiCorp Vault Chart
 hashicorp/vault	0.11.0       	1.7.0      	Official HashiCorp Vault Chart
 hashicorp/vault	0.10.0       	1.7.0      	Official HashiCorp Vault Chart
 hashicorp/vault	0.9.1        	1.6.2      	Official HashiCorp Vault Chart
-hashicorp/vault	0.9.0        	1.6.1      	Official HashiCorp Vault Chart
 
-# Install version 0.15.0
-$ helm install vault hashicorp/vault --version 0.15.0
+# Install version 0.16.0
+$ helm install vault hashicorp/vault --version 0.16.0
 ```
 
 ~> **Security Warning:** By default, the chart runs in standalone mode. This

website/content/docs/platform/k8s/helm/openshift.mdx

@@ -69,7 +69,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
 
 $ helm search repo hashicorp/vault
 NAME           	CHART VERSION	APP VERSION	DESCRIPTION
-hashicorp/vault	0.15.0       	1.8.1      	Official HashiCorp Vault Chart
+hashicorp/vault	0.16.0       	1.8.2      	Official HashiCorp Vault Chart
 ```
 
 -> **Important:** The Helm chart is new and under significant development.
@@ -88,6 +88,7 @@ Or install a specific version of the chart.
 # List the available releases
 $ helm search repo hashicorp/vault -l
 NAME           	CHART VERSION	APP VERSION	DESCRIPTION
+hashicorp/vault	0.16.0       	1.8.2      	Official HashiCorp Vault Chart
 hashicorp/vault	0.15.0       	1.8.1      	Official HashiCorp Vault Chart
 hashicorp/vault	0.14.0       	1.8.0      	Official HashiCorp Vault Chart
 hashicorp/vault	0.13.0       	1.7.3      	Official HashiCorp Vault Chart
@@ -95,10 +96,9 @@ hashicorp/vault	0.12.0       	1.7.2      	Official HashiCorp Vault Chart
 hashicorp/vault	0.11.0       	1.7.0      	Official HashiCorp Vault Chart
 hashicorp/vault	0.10.0       	1.7.0      	Official HashiCorp Vault Chart
 hashicorp/vault	0.9.1        	1.6.2      	Official HashiCorp Vault Chart
-hashicorp/vault	0.9.0        	1.6.1      	Official HashiCorp Vault Chart
 
-# Install version 0.15.0
-$ helm install vault hashicorp/vault --version 0.15.0
+# Install version 0.16.0
+$ helm install vault hashicorp/vault --version 0.16.0
 ```
 
 The `helm install` command accepts parameters to override default configuration

website/content/docs/platform/k8s/helm/run.mdx

@@ -53,7 +53,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
 
 $ helm search repo hashicorp/vault
 NAME           	CHART VERSION	APP VERSION	DESCRIPTION
-hashicorp/vault	0.15.0        	1.8.1     	Official HashiCorp Vault Chart
+hashicorp/vault	0.16.0        	1.8.2     	Official HashiCorp Vault Chart
 ```
 
 -> **Important:** The Helm chart is new and under significant development.
@@ -72,6 +72,7 @@ Or install a specific version of the chart.
 # List the available releases
 $ helm search repo hashicorp/vault -l
 NAME           	CHART VERSION	APP VERSION	DESCRIPTION
+hashicorp/vault	0.16.0       	1.8.2      	Official HashiCorp Vault Chart
 hashicorp/vault	0.15.0       	1.8.1      	Official HashiCorp Vault Chart
 hashicorp/vault	0.14.0       	1.8.0      	Official HashiCorp Vault Chart
 hashicorp/vault	0.13.0       	1.7.3      	Official HashiCorp Vault Chart
@@ -79,10 +80,9 @@ hashicorp/vault	0.12.0       	1.7.2      	Official HashiCorp Vault Chart
 hashicorp/vault	0.11.0       	1.7.0      	Official HashiCorp Vault Chart
 hashicorp/vault	0.10.0       	1.7.0      	Official HashiCorp Vault Chart
 hashicorp/vault	0.9.1        	1.6.2      	Official HashiCorp Vault Chart
-hashicorp/vault	0.9.0        	1.6.1      	Official HashiCorp Vault Chart
 
-# Install version 0.15.0
-$ helm install vault hashicorp/vault --version 0.15.0
+# Install version 0.16.0
+$ helm install vault hashicorp/vault --version 0.16.0
 ```
 
 The `helm install` command accepts parameters to override default configuration

website/content/docs/platform/k8s/injector/annotations.mdx

@@ -28,7 +28,7 @@ them, optional commands to run, etc.
 
 - `vault.hashicorp.com/agent-image` - name of the Vault docker image to use. This
   value overrides the default image configured in the controller and is usually
-  not needed. Defaults to `hashicorp/vault:1.8.1`.
+  not needed. Defaults to `hashicorp/vault:1.8.2`.
 
 - `vault.hashicorp.com/agent-init-first` - configures the pod to run the Vault Agent
   init container first if `true` (last if `false`). This is useful when other init
@@ -184,6 +184,8 @@ them, optional commands to run, etc.
   container and mounts them to the Vault Agent containers. The service account volume is
   ignored.
 
+- `vault.hashicorp.com/agent-service-account-token-volume-name` - the optional name of a projected volume containing a service account token for use with auto-auth against Vault's Kubernetes auth method. If the volume is mounted to another container in the deployment, the token volume will be mounted to the same location in the vault-agent containers. Otherwise it will be mounted at the default location of `/var/run/secrets/vault.hashicorp.com/serviceaccount/`.
+
 ## Vault Annotations
 
 Vault annotations change how the Vault Agent containers communicate with Vault. For

website/content/docs/platform/k8s/injector/installation.mdx

@@ -20,7 +20,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
 
 $ helm search repo hashicorp/vault
 NAME           	CHART VERSION	APP VERSION	DESCRIPTION
-hashicorp/vault	0.15.0       	1.8.1      	Official HashiCorp Vault Chart
+hashicorp/vault	0.16.0       	1.8.2      	Official HashiCorp Vault Chart
 ```
 
 Then install the chart and enable the injection feature by setting the
@@ -67,31 +67,23 @@ For more information on configuring manual TLS, see the [Vault Helm cert values]
 ## Multiple Replicas and TLS
 
 The Vault Agent Injector can be run with multiple replicas if using [Manual
-TLS](#manual-tls), and as of v0.7.0 multiple replicas are also supported with
+TLS](#manual-tls) or [cert-manager](/docs/platform/k8s/helm/examples/injector-tls-cert-manager), and as of v0.7.0 multiple replicas are also supported with
 [Auto TLS](#auto-tls). The number of replicas is controlled in the Vault Helm
 chart by the [injector.replicas
 value](/docs/platform/k8s/helm/configuration#replicas).
 
-With Auto TLS and multiple replicas, a leader-elector sidecar container is
-deployed with each replica. These sidecars determine which injector replica is
-the "leader" in charge of generating the CA and patching the webhook caBundle in
-Kubernetes, and also generating and distributing the certificate and key to the
-"followers". The followers read the certificate and key needed for the webhook
-service listener from a Kubernetes Secret, which is updated by the leader when a
-certificate is near expiration.
-
-The leader-elector sidecar in use is described in detail [here][k8s-blog]. For
-more information on configuring leader election, see the [Vault Helm
-leaderElector values](/docs/platform/k8s/helm/configuration#leaderelector).
+With Auto TLS and multiple replicas, a leader replica is determined by ownership
+of a ConfigMap named `vault-k8s-leader`. Another replica can become the leader
+once the current leader replica stops running, and the Kubernetes garbage
+collector deletes the ConfigMap. The leader replica is in charge of generating
+the CA and patching the webhook caBundle in Kubernetes, and also generating and
+distributing the certificate and key to the "followers". The followers read the
+certificate and key needed for the webhook service listener from a Kubernetes
+Secret, which is updated by the leader when a certificate is near expiration.
 
 With Manual TLS and multiple replicas,
 [injector.leaderElector.enabled](/docs/platform/k8s/helm/configuration#enabled-2)
-should be set to `false` since leader-election is not necessary in this case.
-
-If there is only one replica set (regardless of other TLS or leaderElector
-settings), no leader-elector containers will be deployed.
-
-[k8s-blog]: https://kubernetes.io/blog/2016/01/simple-leader-election-with-kubernetes/ 'Simple leader election with Kubernetes and Docker'
+can be set to `false` since leader determination is not necessary in this case.
 
 ## Namespace Selector