From 48eebb0b0921a0c274fad532c97288dac2b6398e Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Fri, 10 Dec 2021 17:11:35 -0800 Subject: [PATCH 01/30] Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). Co-authored-by: Tom Proctor --- .github/workflows/acceptance.yaml | 34 +++++++++++++++++++ .../workflows/setup-test-tools/action.yaml | 18 ++++++++++ .github/workflows/tests.yaml | 25 ++++++++++++++ test/acceptance/_helpers.bash | 32 +++++++++-------- test/acceptance/csi.bats | 17 ++++++++-- test/acceptance/server-ha-enterprise-dr.bats | 12 +++---- .../acceptance/server-ha-enterprise-perf.bats | 12 +++---- test/acceptance/server-ha-raft.bats | 8 +++-- test/acceptance/server-ha.bats | 11 +++--- test/acceptance/server.bats | 4 +-- test/kind/config.yaml | 13 +++++++ 11 files changed, 142 insertions(+), 44 deletions(-) create mode 100644 .github/workflows/acceptance.yaml create mode 100644 .github/workflows/setup-test-tools/action.yaml create mode 100644 .github/workflows/tests.yaml diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml new file mode 100644 index 0000000..644875e --- /dev/null +++ b/.github/workflows/acceptance.yaml @@ -0,0 +1,34 @@ +name: Acceptance Tests + +on: + push: + branches: + - main + workflow_dispatch: {} + +jobs: + kind: + strategy: + fail-fast: false + matrix: + kind-k8s-version: [1.14.10, 1.19.11, 1.20.7, 1.21.2, 1.22.4] + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Setup test tools + uses: ./.github/workflows/setup-test-tools + + - name: Create K8s Kind Cluster + uses: helm/kind-action@v1.2.0 + with: + config: test/kind/config.yaml + node_image: kindest/node:v${{ matrix.kind-k8s-version }} + + # Skip CSI tests if K8s version < 1.16.x + - run: echo K8S_MINOR=$(kubectl version -o json | jq -r .serverVersion.minor) >> $GITHUB_ENV + - if: ${{ env.K8S_MINOR < 16 }} + run: echo "SKIP_CSI=true" >> $GITHUB_ENV + + - run: bats ./test/acceptance -t + env: + VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }} diff --git a/.github/workflows/setup-test-tools/action.yaml b/.github/workflows/setup-test-tools/action.yaml new file mode 100644 index 0000000..3fa2854 --- /dev/null +++ b/.github/workflows/setup-test-tools/action.yaml @@ -0,0 +1,18 @@ +name: Setup common testing tools +description: Install bats and python-yq + +runs: + using: "composite" + steps: + - uses: actions/setup-node@v2 + with: + node-version: '14' + - run: npm install -g bats@${BATS_VERSION} + shell: bash + env: + BATS_VERSION: '1.5.0' + - run: bats -v + shell: bash + - uses: actions/setup-python@v2 + - run: pip install yq + shell: bash diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml new file mode 100644 index 0000000..0aba6ee --- /dev/null +++ b/.github/workflows/tests.yaml @@ -0,0 +1,25 @@ +name: Tests + +on: [push, workflow_dispatch] + +jobs: + bats-unit-tests: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: ./.github/workflows/setup-test-tools + - run: bats ./test/unit -t + + chart-verifier: + runs-on: ubuntu-latest + env: + CHART_VERIFIER_VERSION: '1.2.1' + steps: + - uses: actions/checkout@v2 + - name: Setup test tools + uses: ./.github/workflows/setup-test-tools + - uses: actions/setup-go@v2 + with: + go-version: '1.17.4' + - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} + - run: bats ./test/chart -t diff --git a/test/acceptance/_helpers.bash b/test/acceptance/_helpers.bash index 466a517..db8b051 100644 --- a/test/acceptance/_helpers.bash +++ b/test/acceptance/_helpers.bash @@ -40,35 +40,37 @@ helm_install_ha() { ${BATS_TEST_DIRNAME}/../.. } -# wait for consul to be running +# wait for consul to be ready wait_for_running_consul() { + kubectl wait --for=condition=Ready --timeout=5m pod -l app=consul,component=client +} + +wait_for_sealed_vault() { + POD_NAME=$1 + check() { - # This requests the pod and checks whether the status is running - # and the ready state is true. If so, it outputs the name. Otherwise - # it outputs empty. Therefore, to check for success, check for nonzero - # string length. - kubectl get pods -l component=client -o json | \ - jq -r '.items[0] | select( - .status.phase == "Running" and - ([ .status.conditions[] | select(.type == "Ready" and .status == "True") ] | length) == 1 - ) | .metadata.name' + sealed_status=$(kubectl exec $1 -- vault status -format=json | jq -r '.sealed') + if [ "$sealed_status" == "true" ]; then + return 0 + fi + return 1 } for i in $(seq 60); do - if [ -n "$(check ${POD_NAME})" ]; then - echo "consul clients are ready." + if check ${POD_NAME}; then + echo "Vault on ${POD_NAME} is running." return fi - echo "Waiting for ${POD_NAME} to be ready..." + echo "Waiting for Vault on ${POD_NAME} to be running..." sleep 2 done - echo "consul clients never became ready." + echo "Vault on ${POD_NAME} never became running." return 1 } -# wait for a pod to be ready +# wait for a pod to be running wait_for_running() { POD_NAME=$1 diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index d222ca2..c7c6549 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -2,18 +2,27 @@ load _helpers +check_skip_csi() { + if [ ! -z ${SKIP_CSI} ]; then + skip "Skipping CSI tests" + fi +} + @test "csi: testing deployment" { + check_skip_csi + cd `chart_dir` kubectl delete namespace acceptance --ignore-not-found=true kubectl create namespace acceptance # Install Secrets Store CSI driver - CSI_DRIVER_VERSION=0.2.0 - helm install secrets-store-csi-driver https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/v${CSI_DRIVER_VERSION}/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \ + CSI_DRIVER_VERSION=1.0.0 + helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \ --wait --timeout=5m \ --namespace=acceptance \ - --set linux.image.pullPolicy="IfNotPresent" + --set linux.image.pullPolicy="IfNotPresent" \ + --set syncSecret.enabled=true # Install Vault and Vault provider helm install vault \ --wait --timeout=5m \ @@ -49,6 +58,8 @@ load _helpers # Clean up teardown() { + check_skip_csi + if [[ ${CLEANUP:-true} == "true" ]] then echo "helm/pvc teardown" diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index ee27518..cdcfabe 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -15,9 +15,7 @@ load _helpers wait_for_running "$(name_prefix)-east-0" # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-east-0 local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | jq -r '.initialized') @@ -50,7 +48,7 @@ load _helpers fi done - # Sealed, not initialized + # Unsealed, initialized local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] @@ -84,9 +82,7 @@ load _helpers wait_for_running "$(name_prefix)-west-0" # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-west-0 local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | jq -r '.initialized') @@ -119,7 +115,7 @@ load _helpers fi done - # Sealed, not initialized + # Unsealed, initialized local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index c359c1c..68830ca 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -15,9 +15,7 @@ load _helpers wait_for_running "$(name_prefix)-east-0" # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-east-0 local init_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | jq -r '.initialized') @@ -50,7 +48,7 @@ load _helpers fi done - # Sealed, not initialized + # Unsealed, initialized local sealed_status=$(kubectl exec "$(name_prefix)-east-0" -- vault status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] @@ -84,9 +82,7 @@ load _helpers wait_for_running "$(name_prefix)-west-0" # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-west-0 local init_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | jq -r '.initialized') @@ -119,7 +115,7 @@ load _helpers fi done - # Sealed, not initialized + # Unsealed, initialized local sealed_status=$(kubectl exec "$(name_prefix)-west-0" -- vault status -format=json | jq -r '.sealed' ) [ "${sealed_status}" == "false" ] diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats index 9f9f3de..f06ca87 100644 --- a/test/acceptance/server-ha-raft.bats +++ b/test/acceptance/server-ha-raft.bats @@ -11,9 +11,7 @@ load _helpers wait_for_running $(name_prefix)-0 # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-0 local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | jq -r '.initialized') @@ -112,6 +110,10 @@ setup() { teardown() { if [[ ${CLEANUP:-true} == "true" ]] then + # If the test failed, print some debug output + if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then + kubectl logs -l app.kubernetes.io/name=vault + fi helm delete vault kubectl delete --all pvc kubectl delete namespace acceptance --ignore-not-found=true diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats index 3d62959..4180f8c 100644 --- a/test/acceptance/server-ha.bats +++ b/test/acceptance/server-ha.bats @@ -10,9 +10,7 @@ load _helpers wait_for_running $(name_prefix)-0 # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-0 local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | jq -r '.initialized') @@ -91,7 +89,7 @@ setup() { helm install consul \ https://github.com/hashicorp/consul-helm/archive/v0.28.0.tar.gz \ - --set 'ui.enabled=false' \ + --set 'ui.enabled=false' wait_for_running_consul } @@ -100,6 +98,11 @@ setup() { teardown() { if [[ ${CLEANUP:-true} == "true" ]] then + # If the test failed, print some debug output + if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then + kubectl logs -l app=consul + kubectl logs -l app.kubernetes.io/name=vault + fi helm delete vault helm delete consul kubectl delete --all pvc diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats index 84a4e7d..1e944a0 100644 --- a/test/acceptance/server.bats +++ b/test/acceptance/server.bats @@ -13,9 +13,7 @@ load _helpers wait_for_running $(name_prefix)-0 # Sealed, not initialized - local sealed_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | - jq -r '.sealed' ) - [ "${sealed_status}" == "true" ] + wait_for_sealed_vault $(name_prefix)-0 local init_status=$(kubectl exec "$(name_prefix)-0" -- vault status -format=json | jq -r '.initialized') diff --git a/test/kind/config.yaml b/test/kind/config.yaml index 2509664..8b18a3a 100644 --- a/test/kind/config.yaml +++ b/test/kind/config.yaml @@ -5,3 +5,16 @@ nodes: - role: worker - role: worker - role: worker +# These apiServer settings are included for running the CSI provider on K8s +# prior to 1.21 +kubeadmConfigPatches: + - | + apiVersion: kubeadm.k8s.io/v1beta2 + kind: ClusterConfiguration + metadata: + name: config + apiServer: + extraArgs: + "service-account-issuer": "https://kubernetes.default.svc.cluster.local" + "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key" + "service-account-api-audiences": "https://kubernetes.default.svc.cluster.local" From 609444d9d9d1c9c569f0edb6b2b3d8f8e60ef6dc Mon Sep 17 00:00:00 2001 From: Eric Miller Date: Tue, 14 Dec 2021 01:38:00 -0600 Subject: [PATCH 02/30] Configurable PodDisruptionBudget for Injector (#653) --- CHANGELOG.md | 3 +++ templates/injector-disruptionbudget.yaml | 20 +++++++++++++++ test/unit/injector-disruptionbudget.bats | 32 ++++++++++++++++++++++++ values.schema.json | 3 +++ values.yaml | 6 +++++ 5 files changed, 64 insertions(+) create mode 100644 templates/injector-disruptionbudget.yaml create mode 100755 test/unit/injector-disruptionbudget.bats diff --git a/CHANGELOG.md b/CHANGELOG.md index c596d51..0aa14de 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +Features: +* Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653) + ## 0.18.0 (November 17th, 2021) CHANGES: diff --git a/templates/injector-disruptionbudget.yaml b/templates/injector-disruptionbudget.yaml new file mode 100644 index 0000000..59c9985 --- /dev/null +++ b/templates/injector-disruptionbudget.yaml @@ -0,0 +1,20 @@ +{{- if .Values.injector.podDisruptionBudget }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + component: webhook +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook + {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }} +{{- end -}} diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats new file mode 100755 index 0000000..a0cee27 --- /dev/null +++ b/test/unit/injector-disruptionbudget.bats @@ -0,0 +1,32 @@ +#!/usr/bin/env bats + +load _helpers + +@test "injector/DisruptionBudget: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget maxUnavailable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.maxUnavailable=3' \ + . | tee /dev/stderr | + yq '.spec.maxUnavailable == 3' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + . | tee /dev/stderr | + yq '.spec.minAvailable == 2' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/values.schema.json b/values.schema.json index 26f1367..8e4e076 100644 --- a/values.schema.json +++ b/values.schema.json @@ -320,6 +320,9 @@ "objectSelector": { "type": "object" }, + "podDisruptionBudget": { + "type": "object" + }, "port": { "type": "integer" }, diff --git a/values.yaml b/values.yaml index 5ba57d4..d17ead2 100644 --- a/values.yaml +++ b/values.yaml @@ -199,6 +199,12 @@ injector: # Extra annotations to attach to the injector service annotations: {} + # A disruption budget limits the number of pods of a replicated application + # that are down simultaneously from voluntary disruptions + podDisruptionBudget: {} + # podDisruptionBudget: + # maxUnavailable: 1 + server: # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details enabled: true From b4a92492d096feb4d7cf48c39b23a1d1eba02b9c Mon Sep 17 00:00:00 2001 From: Eric Miller Date: Tue, 14 Dec 2021 01:39:39 -0600 Subject: [PATCH 03/30] Fix spelling error in server disruptionbudget test (#654) --- test/unit/server-ha-disruptionbudget.bats | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 6cf21f2..9271c01 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats @@ -16,7 +16,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-disruptionbudget.yaml \ - --set 'globa.enabled=false' \ + --set 'global.enabled=false' \ --set 'server.ha.enabled=false' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -96,4 +96,4 @@ load _helpers . | tee /dev/stderr | yq '.spec.maxUnavailable' | tee /dev/stderr) [ "${actual}" = "2" ] -} \ No newline at end of file +} From 248397f663f5ceb1bf20ab287deb3fd246a3d593 Mon Sep 17 00:00:00 2001 From: Takumi Sue <23391543+mikutas@users.noreply.github.com> Date: Wed, 15 Dec 2021 11:15:11 +0900 Subject: [PATCH 04/30] Make terminationGracePeriodSeconds configurable (#659) Make terminationGracePeriodSeconds configurable for server pod --- CHANGELOG.md | 1 + templates/server-statefulset.yaml | 2 +- test/unit/server-statefulset.bats | 21 +++++++++++++++++++++ values.schema.json | 24 ++++++++++++++++++------ values.yaml | 4 ++++ 5 files changed, 45 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0aa14de..889aeaa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ Features: * Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653) +* Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659) ## 0.18.0 (November 17th, 2021) diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 031b179..cbcda96 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -41,7 +41,7 @@ spec: {{- if .Values.server.priorityClassName }} priorityClassName: {{ .Values.server.priorityClassName }} {{- end }} - terminationGracePeriodSeconds: 10 + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} serviceAccountName: {{ template "vault.serviceAccount.name" . }} {{ if .Values.server.shareProcessNamespace }} shareProcessNamespace: true diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index b939051..65d6d96 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -1385,6 +1385,27 @@ load _helpers [[ "${actual}" = *"foobar"* ]] } +#-------------------------------------------------------------------- +# terminationGracePeriodSeconds +@test "server/standalone-StatefulSet: terminationGracePeriodSeconds default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.terminationGracePeriodSeconds' | tee /dev/stderr) + [[ "${actual}" = "10" ]] +} + +@test "server/standalone-StatefulSet: terminationGracePeriodSeconds 30" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.terminationGracePeriodSeconds=30' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.terminationGracePeriodSeconds' | tee /dev/stderr) + [[ "${actual}" = "30" ]] +} + #-------------------------------------------------------------------- # preStop @test "server/standalone-StatefulSet: preStop sleep duration default" { diff --git a/values.schema.json b/values.schema.json index 8e4e076..c3b2a27 100644 --- a/values.schema.json +++ b/values.schema.json @@ -14,6 +14,12 @@ "string" ] }, + "kubeletRootDir": { + "type": "string" + }, + "providersDir": { + "type": "string" + }, "updateStrategy": { "type": "object", "properties": { @@ -24,12 +30,6 @@ "type": "string" } } - }, - "providersDir": { - "type": "string" - }, - "kubeletRootDir": { - "type": "string" } } }, @@ -603,6 +603,9 @@ "labels": { "type": "object" }, + "pathType": { + "type": "string" + }, "tls": { "type": "array" } @@ -728,6 +731,9 @@ "enabled": { "type": "boolean" }, + "externalTrafficPolicy": { + "type": "string" + }, "port": { "type": "integer" }, @@ -781,6 +787,9 @@ } } }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, "tolerations": { "type": [ "null", @@ -823,6 +832,9 @@ "externalPort": { "type": "integer" }, + "externalTrafficPolicy": { + "type": "string" + }, "publishNotReadyAddresses": { "type": "boolean" }, diff --git a/values.yaml b/values.yaml index d17ead2..713b858 100644 --- a/values.yaml +++ b/values.yaml @@ -374,6 +374,10 @@ server: # Number of seconds after which the probe times out. timeoutSeconds: 3 + # Optional duration in seconds the pod needs to terminate gracefully. + # See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 10 + # Used to set the sleep time during the preStop step preStopSleepSeconds: 5 From 0c0b6e34f423c1613c07282f9b8161881f2f7fdb Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 16 Dec 2021 11:21:36 -0800 Subject: [PATCH 05/30] injector: ability to set deployment update strategy (continued) (#661) Co-authored-by: Jason Hancock --- CHANGELOG.md | 1 + templates/_helpers.tpl | 15 +++++++++++++++ templates/injector-deployment.yaml | 1 + test/unit/injector-deployment.bats | 29 +++++++++++++++++++++++++++++ values.schema.json | 6 ++++++ values.yaml | 9 +++++++++ 6 files changed, 61 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 889aeaa..38cb066 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ Features: * Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653) * Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659) +* Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661) ## 0.18.0 (November 17th, 2021) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 731119a..12afeab 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -308,6 +308,21 @@ Sets the injector node selector for pod placement {{- end }} {{- end -}} +{{/* +Sets the injector deployment update strategy +*/}} +{{- define "injector.strategy" -}} + {{- if .Values.injector.strategy }} + strategy: + {{- $tp := typeOf .Values.injector.strategy }} + {{- if eq $tp "string" }} + {{ tpl .Values.injector.strategy . | nindent 4 | trim }} + {{- else }} + {{- toYaml .Values.injector.strategy | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets extra pod annotations */}} diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index aefbf08..95e2c2d 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -17,6 +17,7 @@ spec: app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook + {{ template "injector.strategy" . }} template: metadata: labels: diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 3bae2af..740c17a 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -721,3 +721,32 @@ load _helpers yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL")) | .[] .value' | tee /dev/stderr) [ "${value}" = "1m" ] } + +@test "injector/deployment: strategy default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + . | tee /dev/stderr | + yq -r '.spec.strategy' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/deployment: strategy set as string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set="injector.strategy=testing" \ + . | tee /dev/stderr | + yq -r '.spec.strategy' | tee /dev/stderr) + [ "${actual}" = "testing" ] +} + +@test "injector/deployment: strategy can be set as YAML" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.strategy.rollingUpdate.maxUnavailable=1' \ + . | tee /dev/stderr | + yq -r '.spec.strategy.rollingUpdate.maxUnavailable' | tee /dev/stderr) + [ "${actual}" = "1" ] +} diff --git a/values.schema.json b/values.schema.json index c3b2a27..5ef61e7 100644 --- a/values.schema.json +++ b/values.schema.json @@ -349,6 +349,12 @@ } } }, + "strategy": { + "type": [ + "object", + "string" + ] + }, "tolerations": { "type": [ "null", diff --git a/values.yaml b/values.yaml index 713b858..6f88ff8 100644 --- a/values.yaml +++ b/values.yaml @@ -205,6 +205,15 @@ injector: # podDisruptionBudget: # maxUnavailable: 1 + # strategy for updating the deployment. This can be a multi-line string or a + # YAML map. + strategy: {} + # strategy: | + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + # type: RollingUpdate + server: # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details enabled: true From 0043023c097b22462774e516c71e91ed308a8b46 Mon Sep 17 00:00:00 2001 From: Vadim Grek Date: Wed, 5 Jan 2022 00:10:56 +0200 Subject: [PATCH 06/30] csi: ability to set priorityClassName for csi daemonset pods (#670) --- CHANGELOG.md | 1 + templates/csi-daemonset.yaml | 3 +++ test/unit/csi-daemonset.bats | 23 +++++++++++++++++++++++ values.schema.json | 3 +++ values.yaml | 3 +++ 5 files changed, 33 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 38cb066..a8fa037 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ Features: * Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653) * Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659) * Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661) +* csi: ability to set priorityClassName for CSI daemonset pods [GH-670](https://github.com/hashicorp/vault-helm/pull/670) ## 0.18.0 (November 17th, 2021) diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index a6461fb..f0bf639 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -27,6 +27,9 @@ spec: app.kubernetes.io/instance: {{ .Release.Name }} {{ template "csi.pod.annotations" . }} spec: + {{- if .Values.csi.priorityClassName }} + priorityClassName: {{ .Values.csi.priorityClassName }} + {{- end }} serviceAccountName: {{ template "vault.fullname" . }}-csi-provider {{- template "csi.pod.tolerations" . }} containers: diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 5cfd8a7..dd88d82 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -30,6 +30,29 @@ load _helpers [ "${actual}" = "false" ] } +# priorityClassName + +@test "csi/daemonset: priorityClassName not set by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName? == null' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "csi/daemonset: priorityClassName can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.priorityClassName=armaggeddon' \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq '.spec.template.spec | .priorityClassName == "armaggeddon"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + # serviceAccountName reference name @test "csi/daemonset: serviceAccountName reference name" { cd `chart_dir` diff --git a/values.schema.json b/values.schema.json index 5ef61e7..1544043 100644 --- a/values.schema.json +++ b/values.schema.json @@ -33,6 +33,9 @@ } } }, + "priorityClassName": { + "type": "string" + }, "debug": { "type": "boolean" }, diff --git a/values.yaml b/values.yaml index 6f88ff8..a6704db 100644 --- a/values.yaml +++ b/values.yaml @@ -812,6 +812,9 @@ csi: # in a PodSpec. tolerations: [] + # Priority class for csi pods + priorityClassName: "" + serviceAccount: # Extra annotations for the serviceAccount definition. This can either be # YAML or a YAML-formatted multi-line templated string map of the From c511d300435be9aa7c8b27fd6c54e85cf80947cf Mon Sep 17 00:00:00 2001 From: nikstur <61635709+nikstur@users.noreply.github.com> Date: Fri, 7 Jan 2022 23:37:51 +0100 Subject: [PATCH 07/30] Fixed a small typo (#672) --- values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values.yaml b/values.yaml index a6704db..f4f5e9d 100644 --- a/values.yaml +++ b/values.yaml @@ -538,7 +538,7 @@ server: annotations: {} # This configures the Vault Statefulset to create a PVC for audit - # logs. Once Vault is deployed, initialized and unseal, Vault must + # logs. Once Vault is deployed, initialized and unsealed, Vault must # be configured to use this for audit logs. This will be mounted to # /vault/audit # See https://www.vaultproject.io/docs/audit/index.html to know more From 0a1f8d1457d094d75008c3d364dd0c6304255452 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Tue, 11 Jan 2022 11:33:09 -0800 Subject: [PATCH 08/30] Disable unit and acceptance tests in CircleCI (#675) --- .circleci/config.yml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 8de4c83..70c2453 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -85,16 +85,7 @@ jobs: workflows: version: 2 - build_and_test: - jobs: - - bats-unit-test - - chart-verifier - - acceptance: - requires: - - bats-unit-test - filters: - branches: - only: main + # Note: unit and acceptance tests are now being run in GitHub Actions update-helm-charts-index: jobs: - update-helm-charts-index: From d6e1cd08359651515d65fc2c506e1aafecd1e103 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 12 Jan 2022 10:12:19 -0800 Subject: [PATCH 09/30] update CONTRIBUTING.md (#677) Link to the discuss forum instead of the old google group and irc channel. Add info about the CLA. --- CONTRIBUTING.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index f1c1600..ad31ac9 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -13,13 +13,14 @@ rules to get in the way of that. That said, if you want to ensure that a pull request is likely to be merged, talk to us! You can find out our thoughts and ensure that your contribution won't clash or be obviated by Vault's normal direction. A great way to do this -is via the [Vault Google Group][2]. Sometimes Vault devs are in `#vault-tool` -on Freenode, too. +is via the [Vault Discussion Forum][1]. This document will cover what we're looking for in terms of reporting issues. By addressing all the points we're looking for, it raises the chances we can quickly merge or address your contributions. +[1]: https://discuss.hashicorp.com/c/vault + ## Issues ### Reporting an Issue @@ -237,3 +238,10 @@ Here are some examples of common test patterns: ``` Here we are check the length of the command output to see if the anything is rendered. This style can easily be switched to check that a file is rendered instead. + +## Contributor License Agreement + +We require that all contributors sign our Contributor License Agreement ("CLA") +before we can accept the contribution. + +[Learn more about why HashiCorp requires a CLA and what the CLA includes](https://www.hashicorp.com/cla) From a84a61fdb6299bc30729ab9ccbb68a26d09ffed6 Mon Sep 17 00:00:00 2001 From: Jacob Mammoliti Date: Fri, 14 Jan 2022 18:19:22 -0500 Subject: [PATCH 10/30] add namespace support for openshift route (#679) --- CHANGELOG.md | 3 +++ templates/server-route.yaml | 1 + 2 files changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a8fa037..47e5c28 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,9 @@ Features: * Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661) * csi: ability to set priorityClassName for CSI daemonset pods [GH-670](https://github.com/hashicorp/vault-helm/pull/670) +Improvements: +* Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679) + ## 0.18.0 (November 17th, 2021) CHANGES: diff --git a/templates/server-route.yaml b/templates/server-route.yaml index 63055db..72b8752 100644 --- a/templates/server-route.yaml +++ b/templates/server-route.yaml @@ -9,6 +9,7 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: {{ template "vault.fullname" . }} + namespace: {{ .Release.Namespace }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} From e629dc9d65355a1329ae4535be423d03489317c4 Mon Sep 17 00:00:00 2001 From: "Ethan J. Brown" Date: Wed, 19 Jan 2022 18:55:56 -0800 Subject: [PATCH 11/30] Add volumes and env vars to helm hook test pod (#673) * Fix test typo * Add basic server-test Pod tests - This covers all existing functionality that matches what's present in server-statefulset.bats * Fix server-test helm hook Pod rendering - Properly adhere to the global.enabled flag and the presence of the injector.externalVaultAddr setting, the same way that the servers StatefulSet behaves * Add volumes and env vars to helm hook test pod - Uses the same extraEnvironmentVars, volumes and volumeMounts set on the server statefulset to configure the Vault server test pod used by the helm test hook - This is necessary in situations where TLS is configured, but the certificates are not affiliated with the k8s CA / part of k8s PKI - Fixes GH-665 --- CHANGELOG.md | 1 + templates/tests/server-test.yaml | 15 +- test/unit/server-statefulset.bats | 2 +- test/unit/server-test.bats | 241 ++++++++++++++++++++++++++++++ 4 files changed, 256 insertions(+), 3 deletions(-) create mode 100644 test/unit/server-test.bats diff --git a/CHANGELOG.md b/CHANGELOG.md index 47e5c28..90d4c33 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ Features: Improvements: * Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679) +* Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673) ## 0.18.0 (November 17th, 2021) diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index 66aa178..d983b9d 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml @@ -1,4 +1,6 @@ -{{- if .Values.server.enabled }} +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} apiVersion: v1 kind: Pod metadata: @@ -15,6 +17,7 @@ spec: env: - name: VAULT_ADDR value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }} command: - /bin/sh - -c @@ -35,6 +38,14 @@ spec: fi exit 0 - + volumeMounts: + {{- if .Values.server.volumeMounts }} + {{- toYaml .Values.server.volumeMounts | nindent 8}} + {{- end }} + volumes: + {{- if .Values.server.volumes }} + {{- toYaml .Values.server.volumes | nindent 4}} + {{- end }} restartPolicy: Never {{- end }} +{{- end }} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 65d6d96..0a83ec6 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -537,7 +537,7 @@ load _helpers cd `chart_dir` local object=$(helm template \ --show-only templates/server-statefulset.yaml \ - --set 'server.stanadlone.enabled=true' \ + --set 'server.standalone.enabled=true' \ --set 'server.extraEnvironmentVars.FOO=bar' \ --set 'server.extraEnvironmentVars.FOOBAR=foobar' \ . | tee /dev/stderr | diff --git a/test/unit/server-test.bats b/test/unit/server-test.bats new file mode 100644 index 0000000..5fd65d5 --- /dev/null +++ b/test/unit/server-test.bats @@ -0,0 +1,241 @@ +#!/usr/bin/env bats + +load _helpers + +#-------------------------------------------------------------------- +# disable / enable server deployment + +@test "server/server-test-Pod: disabled server.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/server-test-Pod: disabled server.enabled random string" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.enabled=blabla' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/server-test-Pod: enabled server.enabled explicit true" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- + +@test "server/standalone-server-test-Pod: default server.standalone.enabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-server-test-Pod: enable with server.standalone.enabled true" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.standalone.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/ha-server-test-Pod: enable with server.ha.enabled true" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-server-test-Pod: disable with global.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'global.enabled=false' \ + --set 'server.standalone.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/standalone-server-test-Pod: disable with injector.externalVaultAddr" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'server.standalone.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/standalone-server-test-Pod: image defaults to server.image.repository:tag" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.image.repository=foo' \ + --set 'server.image.tag=1.2.3' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].image' | tee /dev/stderr) + [ "${actual}" = "foo:1.2.3" ] + + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.image.repository=foo' \ + --set 'server.image.tag=1.2.3' \ + --set 'server.standalone.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].image' | tee /dev/stderr) + [ "${actual}" = "foo:1.2.3" ] +} + +@test "server/standalone-server-test-Pod: image tag defaults to latest" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.image.repository=foo' \ + --set 'server.image.tag=' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].image' | tee /dev/stderr) + [ "${actual}" = "foo:latest" ] + + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.image.repository=foo' \ + --set 'server.image.tag=' \ + --set 'server.standalone.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].image' | tee /dev/stderr) + [ "${actual}" = "foo:latest" ] +} + +@test "server/standalone-server-test-Pod: default imagePullPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].imagePullPolicy' | tee /dev/stderr) + [ "${actual}" = "IfNotPresent" ] +} + +@test "server/standalone-server-test-Pod: Custom imagePullPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.image.pullPolicy=Always' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].imagePullPolicy' | tee /dev/stderr) + [ "${actual}" = "Always" ] +} + +#-------------------------------------------------------------------- +# resources + +@test "server/standalone-server-test-Pod: default resources" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.standalone.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].resources' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +#-------------------------------------------------------------------- +# volumes + +@test "server/standalone-server-test-Pod: server.volumes adds volume" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.volumes[0].name=plugins' \ + --set 'server.volumes[0].emptyDir=\{\}' \ + . | tee /dev/stderr | + yq -r '.spec.volumes[] | select(.name == "plugins")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.emptyDir' | tee /dev/stderr) + [ "${actual}" = "{}" ] +} + +#-------------------------------------------------------------------- +# volumeMounts + +@test "server/standalone-server-test-Pod: server.volumeMounts adds volumeMount" { + cd `chart_dir` + + # Test that it defines it + local object=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.volumeMounts[0].name=plugins' \ + --set 'server.volumeMounts[0].mountPath=/usr/local/libexec/vault' \ + --set 'server.volumeMounts[0].readOnly=true' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].volumeMounts[] | select(.name == "plugins")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.mountPath' | tee /dev/stderr) + [ "${actual}" = "/usr/local/libexec/vault" ] + + local actual=$(echo $object | + yq -r '.readOnly' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# extraEnvironmentVars + +@test "server/standalone-server-test-Pod: set extraEnvironmentVars" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'server.extraEnvironmentVars.FOO=bar' \ + --set 'server.extraEnvironmentVars.FOOBAR=foobar' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].env' | tee /dev/stderr) + + local name=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "bar" ] + + local name=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "foobar" ] + + local object=$(helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'server.extraEnvironmentVars.FOO=bar' \ + --set 'server.extraEnvironmentVars.FOOBAR=foobar' \ + . | tee /dev/stderr | + yq -r '.spec.containers[0].env' | tee /dev/stderr) + + local name=$(echo $object | + yq -r 'map(select(.name=="FOO")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "bar" ] + + local name=$(echo $object | + yq -r 'map(select(.name=="FOOBAR")) | .[] .value' | tee /dev/stderr) + [ "${name}" = "foobar" ] +} From 92da5125777b87b7475f546e0a7127b9517fe735 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 20 Jan 2022 07:37:26 +0100 Subject: [PATCH 12/30] allow injection of TLS config for OpenShift routes (#686) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker Co-authored-by: Theron Voran --- CHANGELOG.md | 1 + templates/server-route.yaml | 2 +- test/unit/server-route.bats | 38 +++++++++++++++++++++++++++++++++++++ values.yaml | 7 ++++++- 4 files changed, 46 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 90d4c33..d5288ec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ Features: Improvements: * Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679) * Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673) +* Make TLS configurable for OpenShift routes [GH-686](https://github.com/hashicorp/vault-helm/pull/686) ## 0.18.0 (November 17th, 2021) diff --git a/templates/server-route.yaml b/templates/server-route.yaml index 72b8752..e122d93 100644 --- a/templates/server-route.yaml +++ b/templates/server-route.yaml @@ -28,7 +28,7 @@ spec: port: targetPort: 8200 tls: - termination: passthrough + {{- toYaml .Values.server.route.tls | nindent 4 }} {{- end }} {{- end }} {{- end }} diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats index d141fb6..53e1e61 100755 --- a/test/unit/server-route.bats +++ b/test/unit/server-route.bats @@ -141,3 +141,41 @@ load _helpers yq -r '.spec.to.name' | tee /dev/stderr) [ "${actual}" = "RELEASE-NAME-vault" ] } + +@test "server/route: OpenShift - route termination mode set to default passthrough" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.tls.termination' | tee /dev/stderr) + [ "${actual}" = "passthrough" ] +} + +@test "server/route: OpenShift - route termination mode set to edge" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.tls.termination=edge' \ + . | tee /dev/stderr | + yq -r '.spec.tls.termination' | tee /dev/stderr) + [ "${actual}" = "edge" ] +} + +@test "server/route: OpenShift - route custom tls entry" { + cd `chart_dir` + + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'server.route.tls.insecureEdgeTerminationPolicy=Redirect' \ + . | tee /dev/stderr | + yq -r '.spec.tls.insecureEdgeTerminationPolicy' | tee /dev/stderr) + [ "${actual}" = "Redirect" ] +} diff --git a/values.yaml b/values.yaml index f4f5e9d..8169411 100644 --- a/values.yaml +++ b/values.yaml @@ -305,7 +305,7 @@ server: # - chart-example.local # OpenShift only - create a route to expose the service - # The created route will be of type passthrough + # By default the created route will be of type passthrough route: enabled: false @@ -316,6 +316,11 @@ server: labels: {} annotations: {} host: chart-example.local + # tls will be passed directly to the route's TLS config, which + # can be used to configure other termination methods that terminate + # TLS at the router + tls: + termination: passthrough # authDelegator enables a cluster role binding to be attached to the service # account. This cluster role binding can be used to setup Kubernetes auth From b0528fce49c529f2c37953ea3a14f30ed651e0d6 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 20 Jan 2022 15:54:24 -0800 Subject: [PATCH 13/30] Release 0.19.0 (#687) --- CHANGELOG.md | 6 ++++++ Chart.yaml | 4 ++-- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 6 +++--- values.yaml | 8 ++++---- 6 files changed, 19 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d5288ec..ea6d367 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ ## Unreleased +## 0.19.0 (January 20th, 2022) + +CHANGES: +* Vault image default 1.9.2 +* Vault K8s image default 0.14.2 + Features: * Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653) * Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659) diff --git a/Chart.yaml b/Chart.yaml index 91565e3..f2d0132 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault -version: 0.18.0 -appVersion: 1.9.0 +version: 0.19.0 +appVersion: 1.9.2 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index cdcfabe..54a310f 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.0_ent' \ + --set='server.image.tag=1.9.2-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.0_ent' \ + --set='server.image.tag=1.9.2-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 68830ca..5ba78c9 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.0_ent' \ + --set='server.image.tag=1.9.2-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.0_ent' \ + --set='server.image.tag=1.9.2-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index afbe1f9..d24ac6e 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -6,13 +6,13 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.14.1-ubi" + tag: "0.14.2-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.9.0-ubi" + tag: "1.9.2-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.9.0-ubi" + tag: "1.9.2-ubi" diff --git a/values.yaml b/values.yaml index 8169411..61af7b2 100644 --- a/values.yaml +++ b/values.yaml @@ -49,7 +49,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.14.1" + tag: "0.14.2" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -57,7 +57,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.9.0" + tag: "1.9.2" # The default values for the injected Vault Agent containers. agentDefaults: @@ -236,7 +236,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.9.0" + tag: "1.9.2" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -764,7 +764,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "0.3.0" + tag: "0.4.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered From a2d9a0144f2f616a48a71a5d011f92e77d7b8a9a Mon Sep 17 00:00:00 2001 From: Michael Schuett Date: Fri, 25 Feb 2022 05:18:45 -0700 Subject: [PATCH 14/30] Add extraLabels for CSI DaemonSet (#690) --- templates/csi-daemonset.yaml | 6 ++++++ templates/csi-serviceaccount.yaml | 3 +++ test/unit/csi-daemonset.bats | 26 ++++++++++++++++++++++++++ test/unit/csi-serviceaccount.bats | 17 ++++++++++++++++- values.schema.json | 9 +++++++++ values.yaml | 13 +++++++++++++ 6 files changed, 73 insertions(+), 1 deletion(-) diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index f0bf639..4308890 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -8,6 +8,9 @@ metadata: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.csi.daemonSet.extraLabels -}} + {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}} + {{- end -}} {{ template "csi.daemonSet.annotations" . }} spec: updateStrategy: @@ -25,6 +28,9 @@ spec: labels: app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.csi.pod.extraLabels -}} + {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}} + {{- end -}} {{ template "csi.pod.annotations" . }} spec: {{- if .Values.csi.priorityClassName }} diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml index ee12748..eb9a784 100644 --- a/templates/csi-serviceaccount.yaml +++ b/templates/csi-serviceaccount.yaml @@ -8,5 +8,8 @@ metadata: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.csi.serviceAccount.extraLabels -}} + {{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}} + {{- end -}} {{ template "csi.serviceAccount.annotations" . }} {{- end }} diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index dd88d82..ed88643 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -318,6 +318,32 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# Extra Labels + +@test "csi/daemonset: specify csi.daemonSet.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.daemonSet.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "csi/daemonset: specify csi.pod.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.pod.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + + #-------------------------------------------------------------------- # volumes diff --git a/test/unit/csi-serviceaccount.bats b/test/unit/csi-serviceaccount.bats index 22ba06d..0d61bc3 100644 --- a/test/unit/csi-serviceaccount.bats +++ b/test/unit/csi-serviceaccount.bats @@ -56,4 +56,19 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) [ "${actual}" = "bar" ] -} \ No newline at end of file +} + +# serviceAccount extraLabels + +@test "csi/serviceAccount: specify csi.serviceAccount.extraLabels" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set 'csi.enabled=true' \ + --set 'csi.serviceAccount.extraLabels.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.labels.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + + diff --git a/values.schema.json b/values.schema.json index 1544043..b42e152 100644 --- a/values.schema.json +++ b/values.schema.json @@ -14,6 +14,9 @@ "string" ] }, + "extraLabels": { + "type": "object" + }, "kubeletRootDir": { "type": "string" }, @@ -88,6 +91,9 @@ "string" ] }, + "extraLabels": { + "type": "object" + }, "tolerations": { "type": [ "null", @@ -128,6 +134,9 @@ "object", "string" ] + }, + "extraLabels": { + "type": "object" } } }, diff --git a/values.yaml b/values.yaml index 61af7b2..22f97bb 100644 --- a/values.yaml +++ b/values.yaml @@ -805,6 +805,9 @@ csi: providersDir: "/etc/kubernetes/secrets-store-csi-providers" # Kubelet host path kubeletRootDir: "/var/lib/kubelet" + # Extra labels to attach to the vault-csi-provider daemonSet + # This should be a YAML map of the labels to apply to the csi provider daemonSet + extraLabels: {} pod: # Extra annotations for the provider pods. This can either be YAML or a @@ -817,6 +820,12 @@ csi: # in a PodSpec. tolerations: [] + # Extra labels to attach to the vault-csi-provider pod + # This should be a YAML map of the labels to apply to the csi provider pod + extraLabels: {} + + + # Priority class for csi pods priorityClassName: "" @@ -826,6 +835,10 @@ csi: # annotations to apply to the serviceAccount. annotations: {} + # Extra labels to attach to the vault-csi-provider serviceAccount + # This should be a YAML map of the labels to apply to the csi provider serviceAccount + extraLabels: {} + # Used to configure readinessProbe for the pods. readinessProbe: # When a probe fails, Kubernetes will try failureThreshold times before giving up From b447a92bd73d90e34f9a5a6caa69e355e86721cb Mon Sep 17 00:00:00 2001 From: Troy Fluegge Date: Fri, 25 Feb 2022 06:29:30 -0600 Subject: [PATCH 15/30] Updated hashicorp/vault-csi-provider image to v1.0.0 (#689) --- values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values.yaml b/values.yaml index 22f97bb..2dba917 100644 --- a/values.yaml +++ b/values.yaml @@ -764,7 +764,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "0.4.0" + tag: "1.0.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered From 19b417cbaaf5bfd26b281d4976d542f7c2834b18 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Fri, 25 Feb 2022 19:01:04 +0000 Subject: [PATCH 16/30] Fix unit test assertions (#693) --- test/unit/csi-clusterrole.bats | 2 +- test/unit/csi-clusterrolebinding.bats | 4 ++-- test/unit/csi-daemonset.bats | 2 +- test/unit/csi-serviceaccount.bats | 2 +- test/unit/injector-deployment.bats | 4 ++-- test/unit/server-ha-statefulset.bats | 2 +- test/unit/server-ingress.bats | 10 +++++----- test/unit/server-route.bats | 8 ++++---- test/unit/server-serviceaccount.bats | 2 +- test/unit/server-statefulset.bats | 2 +- 10 files changed, 19 insertions(+), 19 deletions(-) diff --git a/test/unit/csi-clusterrole.bats b/test/unit/csi-clusterrole.bats index 68ea7ce..2bed541 100644 --- a/test/unit/csi-clusterrole.bats +++ b/test/unit/csi-clusterrole.bats @@ -29,5 +29,5 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ] + [ "${actual}" = "release-name-vault-csi-provider-clusterrole" ] } \ No newline at end of file diff --git a/test/unit/csi-clusterrolebinding.bats b/test/unit/csi-clusterrolebinding.bats index cff3a36..ccd98c5 100644 --- a/test/unit/csi-clusterrolebinding.bats +++ b/test/unit/csi-clusterrolebinding.bats @@ -29,7 +29,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.roleRef.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider-clusterrole" ] + [ "${actual}" = "release-name-vault-csi-provider-clusterrole" ] } # ClusterRoleBinding service account name @@ -40,5 +40,5 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.subjects[0].name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] + [ "${actual}" = "release-name-vault-csi-provider" ] } \ No newline at end of file diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index ed88643..61ef1ef 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -61,7 +61,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] + [ "${actual}" = "release-name-vault-csi-provider" ] } # Image diff --git a/test/unit/csi-serviceaccount.bats b/test/unit/csi-serviceaccount.bats index 0d61bc3..41c1734 100644 --- a/test/unit/csi-serviceaccount.bats +++ b/test/unit/csi-serviceaccount.bats @@ -29,7 +29,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-csi-provider" ] + [ "${actual}" = "release-name-vault-csi-provider" ] } @test "csi/serviceAccount: specify annotations" { diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 740c17a..93f8a0f 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -157,7 +157,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "RELEASE-NAME-vault-agent-injector-cfg" ] + [ "${value}" = "release-name-vault-agent-injector-cfg" ] # helm template does uses current context namespace and ignores namespace flags, so # discover the targeted namespace so we can check the rendered value correctly. @@ -165,7 +165,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="AGENT_INJECT_TLS_AUTO_HOSTS")) | .[] .value' | tee /dev/stderr) - [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ] + [ "${value}" = "release-name-vault-agent-injector-svc,release-name-vault-agent-injector-svc.${namespace:-default},release-name-vault-agent-injector-svc.${namespace:-default}.svc" ] } @test "injector/deployment: manual TLS adds volume mount" { diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index cc77e7e..6034cb5 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats @@ -428,7 +428,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = 'https://$(HOSTNAME).RELEASE-NAME-vault-internal:8201' ] + [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] } #-------------------------------------------------------------------- diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 4132c16..aade5d5 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -165,7 +165,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-active" ] + [ "${actual}" = "release-name-vault-active" ] } @test "server/ingress: uses regular service when configured with ha - yaml" { @@ -180,7 +180,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: uses regular service when not ha - yaml" { @@ -194,7 +194,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: k8s 1.18.3 uses regular service when not ha - yaml" { @@ -209,7 +209,7 @@ load _helpers --kube-version 1.18.3 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.serviceName' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: uses regular service when not ha and activeService is true - yaml" { @@ -224,7 +224,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/ingress: pathType is added to Kubernetes version == 1.19.0" { diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats index 53e1e61..51b1a30 100755 --- a/test/unit/server-route.bats +++ b/test/unit/server-route.bats @@ -99,7 +99,7 @@ load _helpers --set 'server.route.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/route: OpenShift - route points to main service when not ha and activeService is true" { @@ -112,7 +112,7 @@ load _helpers --set 'server.route.activeService=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/route: OpenShift - route points to active service by when HA by default" { @@ -125,7 +125,7 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault-active" ] + [ "${actual}" = "release-name-vault-active" ] } @test "server/route: OpenShift - route points to general service by when HA when configured" { @@ -139,7 +139,7 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } @test "server/route: OpenShift - route termination mode set to default passthrough" { diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index 29e18b5..fbc2b94 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats @@ -26,7 +26,7 @@ load _helpers --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 0a83ec6..6a8d451 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -1640,7 +1640,7 @@ load _helpers --set 'server.serviceAccount.create=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) - [ "${actual}" = "RELEASE-NAME-vault" ] + [ "${actual}" = "release-name-vault" ] } From a7e56d8741a6d1dbeb416215d4677ecf3a8f2a2e Mon Sep 17 00:00:00 2001 From: lion24 Date: Wed, 2 Mar 2022 02:30:07 +0100 Subject: [PATCH 17/30] vault: bump image to 1.9.3 (#695) Signed-off-by: Lionel H --- CHANGELOG.md | 4 ++++ Chart.yaml | 2 +- test/acceptance/server-ha-enterprise-dr.bats | 4 ++-- test/acceptance/server-ha-enterprise-perf.bats | 4 ++-- values.openshift.yaml | 4 ++-- values.yaml | 4 ++-- 6 files changed, 13 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ea6d367..26e2c2e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ ## Unreleased +CHANGES: +* Vault default image to 1.9.3 +* CSI provider default image to 1.0.0 + ## 0.19.0 (January 20th, 2022) CHANGES: diff --git a/Chart.yaml b/Chart.yaml index f2d0132..20e05bc 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vault version: 0.19.0 -appVersion: 1.9.2 +appVersion: 1.9.3 kubeVersion: ">= 1.14.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io diff --git a/test/acceptance/server-ha-enterprise-dr.bats b/test/acceptance/server-ha-enterprise-dr.bats index 54a310f..05873fe 100644 --- a/test/acceptance/server-ha-enterprise-dr.bats +++ b/test/acceptance/server-ha-enterprise-dr.bats @@ -7,7 +7,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.9.3-ent' \ --set='injector.enabled=false' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.9.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/test/acceptance/server-ha-enterprise-perf.bats b/test/acceptance/server-ha-enterprise-perf.bats index 5ba78c9..c7821cf 100644 --- a/test/acceptance/server-ha-enterprise-perf.bats +++ b/test/acceptance/server-ha-enterprise-perf.bats @@ -8,7 +8,7 @@ load _helpers helm install "$(name_prefix)-east" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.9.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . @@ -75,7 +75,7 @@ load _helpers helm install "$(name_prefix)-west" \ --set='injector.enabled=false' \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.9.2-ent' \ + --set='server.image.tag=1.9.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' \ --set='server.enterpriseLicense.secretName=vault-license' . diff --git a/values.openshift.yaml b/values.openshift.yaml index d24ac6e..17861a4 100644 --- a/values.openshift.yaml +++ b/values.openshift.yaml @@ -10,9 +10,9 @@ injector: agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.9.2-ubi" + tag: "1.9.3-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.9.2-ubi" + tag: "1.9.3-ubi" diff --git a/values.yaml b/values.yaml index 2dba917..88b40af 100644 --- a/values.yaml +++ b/values.yaml @@ -57,7 +57,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.9.2" + tag: "1.9.3" # The default values for the injected Vault Agent containers. agentDefaults: @@ -236,7 +236,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.9.2" + tag: "1.9.3" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent From 4f5c01f50bb9213dd5c0dd0277e894785caaf971 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Wed, 2 Mar 2022 16:45:11 +0000 Subject: [PATCH 18/30] changelog++ (#699) --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 26e2c2e..db815eb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,9 @@ CHANGES: * Vault default image to 1.9.3 * CSI provider default image to 1.0.0 +Improvements: +* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) + ## 0.19.0 (January 20th, 2022) CHANGES: From a81a992b1472d6cae316eec61553f7a38a08b45f Mon Sep 17 00:00:00 2001 From: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> Date: Thu, 3 Mar 2022 13:10:42 -0500 Subject: [PATCH 19/30] change helm trigger branch from master to main (#700) --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 70c2453..7582bdc 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -77,7 +77,7 @@ jobs: -X POST \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ - -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ + -d "{\"branch\": \"main\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" - slack/status: fail_only: true From f59f3d4b1336b86724d7dd4d4b6bca57ee8ad36a Mon Sep 17 00:00:00 2001 From: Christian Date: Wed, 16 Mar 2022 23:31:59 +0100 Subject: [PATCH 20/30] Add namespace to injector-leader-elector role, rolebinding and secret (#683) --- CHANGELOG.md | 1 + templates/injector-certs-secret.yaml | 1 + templates/injector-role.yaml | 1 + templates/injector-rolebinding.yaml | 1 + test/unit/injector-leader-elector.bats | 33 ++++++++++++++++++++++++++ 5 files changed, 37 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index db815eb..7b90f48 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ CHANGES: Improvements: * CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) +* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683) ## 0.19.0 (January 20th, 2022) diff --git a/templates/injector-certs-secret.yaml b/templates/injector-certs-secret.yaml index 78363be..e0d96b2 100644 --- a/templates/injector-certs-secret.yaml +++ b/templates/injector-certs-secret.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: vault-injector-certs + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml index e7e383d..c8ecfdd 100644 --- a/templates/injector-role.yaml +++ b/templates/injector-role.yaml @@ -3,6 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-rolebinding.yaml b/templates/injector-rolebinding.yaml index aa81794..401873f 100644 --- a/templates/injector-rolebinding.yaml +++ b/templates/injector-rolebinding.yaml @@ -3,6 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/test/unit/injector-leader-elector.bats b/test/unit/injector-leader-elector.bats index b6fa4ae..bbd4829 100644 --- a/test/unit/injector-leader-elector.bats +++ b/test/unit/injector-leader-elector.bats @@ -87,6 +87,17 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/certs-secret: namespace is set" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-certs-secret.yaml \ + --set "injector.replicas=2" \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"foo\"" ] +} + @test "injector/role: created/skipped as appropriate" { cd `chart_dir` local actual=$( (helm template \ @@ -127,6 +138,17 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/role: namespace is set" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-role.yaml \ + --set "injector.replicas=2" \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"foo\"" ] +} + @test "injector/rolebinding: created/skipped as appropriate" { cd `chart_dir` local actual=$( (helm template \ @@ -166,3 +188,14 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/rolebinding: namespace is set" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-rolebinding.yaml \ + --set "injector.replicas=2" \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"foo\"" ] +} From 549d9b87b28c1dd193d3a93f993ab2008f704e9b Mon Sep 17 00:00:00 2001 From: Viacheslav Vasilyev Date: Thu, 17 Mar 2022 18:52:53 +0100 Subject: [PATCH 21/30] allow to configure publishNotReadyAddresses on server services (#694) --- templates/server-ha-active-service.yaml | 2 +- templates/server-ha-standby-service.yaml | 2 +- templates/server-headless-service.yaml | 2 +- templates/server-service.yaml | 2 +- test/unit/server-ha-active-service.bats | 17 +++++++++++++++++ test/unit/server-ha-standby-service.bats | 17 +++++++++++++++++ test/unit/server-headless-service.bats | 19 +++++++++++++++++++ test/unit/server-service.bats | 7 +++++++ values.schema.json | 3 +++ values.yaml | 3 +++ 10 files changed, 70 insertions(+), 4 deletions(-) create mode 100644 test/unit/server-headless-service.bats diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index c2a4f02..88ad806 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -22,7 +22,7 @@ spec: clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index fef92a1..014d6b5 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -22,7 +22,7 @@ spec: clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index a37c639..7e564c0 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -16,7 +16,7 @@ metadata: {{ template "vault.service.annotations" .}} spec: clusterIP: None - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: "{{ include "vault.scheme" . }}" port: {{ .Values.server.service.port }} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 00996aa..b1dc3c3 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -24,7 +24,7 @@ spec: {{- include "service.externalTrafficPolicy" .Values.server.service }} # We want the servers to become available even if they're not ready # since this DNS is also used for join operations. - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index a835c9d..80e26dd 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats @@ -197,3 +197,20 @@ load _helpers [ "${actual}" = "null" ] } +@test "server/ha-active-Service: publishNotReadyAddresses can be changed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 7dfd5d7..df0f907 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats @@ -208,3 +208,20 @@ load _helpers [ "${actual}" = "null" ] } +@test "server/ha-standby-Service: publishNotReadyAddresses can be changed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats new file mode 100644 index 0000000..4e2d135 --- /dev/null +++ b/test/unit/server-headless-service.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/headless-Service: publishNotReadyAddresses can be changed" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 4695f2f..5208f6e 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats @@ -175,6 +175,13 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.publishNotReadyAddresses=false' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] } @test "server/Service: type empty by default" { diff --git a/values.schema.json b/values.schema.json index b42e152..40e3dd8 100644 --- a/values.schema.json +++ b/values.schema.json @@ -749,6 +749,9 @@ "enabled": { "type": "boolean" }, + "publishNotReadyAddresses": { + "type": "boolean" + }, "externalTrafficPolicy": { "type": "string" }, diff --git a/values.yaml b/values.yaml index 88b40af..db7c484 100644 --- a/values.yaml +++ b/values.yaml @@ -506,6 +506,9 @@ server: # or NodePort. #type: ClusterIP + # Do not wait for pods to be ready + publishNotReadyAddresses: true + # The externalTrafficPolicy can be set to either Cluster or Local # and is only valid for LoadBalancer and NodePort service types. # The default value is Cluster. From 56a253ba97369ee96cf4da4a20fe8fb6342e27f6 Mon Sep 17 00:00:00 2001 From: Remco Buddelmeijer Date: Fri, 18 Mar 2022 15:15:43 +0100 Subject: [PATCH 22/30] Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692) * Prepare default values for MutatingWebhookConfiguration #691 * Add values.yaml values to injector-mutating-webhook.yaml #691 * Duplicate and deprecate top-level webhook settings and put them in a webhook object * Made the new values default with the fallback to the old values.yaml * Fix _helpers.tpl to support both old and new webhook annotations * Add new tests and deprecate old ones for injector webhook configuration * Old tests now work with old values.yaml * Add all new fields showing that they have priority over old ones * Add deprecation note to injector.failurePolicy #691 --- templates/_helpers.tpl | 8 +- templates/injector-mutating-webhook.yaml | 18 +- test/unit/injector-mutating-webhook.bats | 293 ++++++++++++++++++----- values.schema.json | 26 ++ values.yaml | 65 ++++- 5 files changed, 328 insertions(+), 82 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 12afeab..9452698 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -372,13 +372,13 @@ Sets extra injector service annotations Sets extra injector webhook annotations */}} {{- define "injector.webhookAnnotations" -}} - {{- if .Values.injector.webhookAnnotations }} + {{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations) }} annotations: - {{- $tp := typeOf .Values.injector.webhookAnnotations }} + {{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }} {{- if eq $tp "string" }} - {{- tpl .Values.injector.webhookAnnotations . | nindent 4 }} + {{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }} {{- else }} - {{- toYaml .Values.injector.webhookAnnotations | nindent 4 }} + {{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }} {{- end }} {{- end }} {{- end -}} diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml index de7dd56..b0a6ac0 100644 --- a/templates/injector-mutating-webhook.yaml +++ b/templates/injector-mutating-webhook.yaml @@ -14,10 +14,11 @@ metadata: {{- template "injector.webhookAnnotations" . }} webhooks: - name: vault.hashicorp.com + failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }} + matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }} sideEffects: None - admissionReviewVersions: - - "v1beta1" - - "v1" + timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }} + admissionReviewVersions: ["v1", "v1beta1"] clientConfig: service: name: {{ template "vault.fullname" . }}-agent-injector-svc @@ -29,15 +30,12 @@ webhooks: apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] -{{- if .Values.injector.namespaceSelector }} +{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }} namespaceSelector: -{{ toYaml .Values.injector.namespaceSelector | indent 6}} +{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}} {{ end }} -{{- if .Values.injector.objectSelector }} +{{- if or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) }} objectSelector: -{{ toYaml .Values.injector.objectSelector | indent 6}} -{{ end }} -{{- with .Values.injector.failurePolicy }} - failurePolicy: {{.}} +{{ toYaml (((.Values.injector.webhook)).objectSelector | default .Values.injector.objectSelector) | indent 6}} {{ end }} {{ end }} diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats index 1e6e150..ef9bf83 100755 --- a/test/unit/injector-mutating-webhook.bats +++ b/test/unit/injector-mutating-webhook.bats @@ -53,18 +53,191 @@ load _helpers [ "${actual}" = "\"\"" ] } -@test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default" { +@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) + [ "${actual}" = "\"Ignore\"" ] +} + +@test "injector/MutatingWebhookConfiguration: can set failurePolicy (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --set 'injector.failurePolicy=Fail' \ + . | tee /dev/stderr | + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) + + [ "${actual}" = "\"Fail\"" ] +} + +@test "injector/MutatingWebhookConfiguration: webhook.failurePolicy 'Ignore' by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.failurePolicy=Invalid' \ + . | tee /dev/stderr | + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) + + [ "${actual}" = "\"Ignore\"" ] +} + +@test "injector/MutatingWebhookConfiguration: can set webhook.failurePolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.failurePolicy=Fail' \ + --set 'injector.failurePolicy=Invalid' \ + . | tee /dev/stderr | + yq '.webhooks[0].failurePolicy' | tee /dev/stderr) + + [ "${actual}" = "\"Fail\"" ] +} + +@test "injector/MutatingWebhookConfiguration: webhook.matchPolicy 'Exact' by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + . | tee /dev/stderr | + yq '.webhooks[0].matchPolicy' | tee /dev/stderr) + + [ "${actual}" = "\"Exact\"" ] +} + +@test "injector/MutatingWebhookConfiguration: can set webhook.matchPolicy" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.matchPolicy=Equivalent' \ + . | tee /dev/stderr | + yq '.webhooks[0].matchPolicy' | tee /dev/stderr) + + [ "${actual}" = "\"Equivalent\"" ] +} + +@test "injector/MutatingWebhookConfiguration: timeoutSeconds by default 30" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + . | tee /dev/stderr | + yq '.webhooks[0].timeoutSeconds' | tee /dev/stderr) + + [ "${actual}" = "30" ] +} + +@test "injector/MutatingWebhookConfiguration: can set webhook.timeoutSeconds" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.timeoutSeconds=50' \ + . | tee /dev/stderr | + yq '.webhooks[0].timeoutSeconds' | tee /dev/stderr) + + [ "${actual}" = "50" ] +} + +#-------------------------------------------------------------------- +# annotations + +@test "injector/MutatingWebhookConfiguration: default webhookAnnotations (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: specify webhookAnnotations yaml (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --set 'injector.webhookAnnotations.foo=bar' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "injector/MutatingWebhookConfiguration: specify webhookAnnotations yaml string (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --set 'injector.webhookAnnotations=foo: bar' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "injector/MutatingWebhookConfiguration: default webhook.annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: specify webhook.annotations yaml" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.annotations.foo=bar' \ + --set 'injector.webhookAnnotations.invalid=invalid' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +@test "injector/MutatingWebhookConfiguration: specify webhook.annotations yaml string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.annotations=foo: bar' \ + --set 'injector.webhookAnnotations=invalid: invalid' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations.foo' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + +#-------------------------------------------------------------------- +# namespaceSelector + +@test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ --namespace foo \ . | tee /dev/stderr | yq '.webhooks[0].namespaceSelector' | tee /dev/stderr) [ "${actual}" = "null" ] } -@test "injector/MutatingWebhookConfiguration: can set namespaceSelector" { +@test "injector/MutatingWebhookConfiguration: can set namespaceSelector (deprecated)" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ @@ -76,7 +249,59 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/MutatingWebhookConfiguration: objectSelector empty by default" { +@test "injector/MutatingWebhookConfiguration: webhook.namespaceSelector empty by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].namespaceSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set set webhook.namespaceSelector" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook.namespaceSelector.matchLabels.injector=true' \ + --set 'injector.namespaceSelector.matchLabels.injector=false' \ + . | tee /dev/stderr | + yq '.webhooks[0].namespaceSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# objectSelector + +@test "injector/MutatingWebhookConfiguration: objectSelector empty by default (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "injector/MutatingWebhookConfiguration: can set objectSelector (deprecated)" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'injector.webhook=null' \ + --set 'injector.objectSelector.matchLabels.injector=true' \ + . | tee /dev/stderr | + yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + +@test "injector/MutatingWebhookConfiguration: webhook.objectSelector empty by default" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ @@ -87,69 +312,15 @@ load _helpers [ "${actual}" = "null" ] } -@test "injector/MutatingWebhookConfiguration: can set objectSelector" { +@test "injector/MutatingWebhookConfiguration: can set webhook.objectSelector" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ --set 'injector.enabled=true' \ - --set 'injector.objectSelector.matchLabels.injector=true' \ + --set 'injector.webhook.objectSelector.matchLabels.injector=true' \ + --set 'injector.objectSelector.matchLabels.injector=false' \ . | tee /dev/stderr | yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr) [ "${actual}" = "true" ] -} - -@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-mutating-webhook.yaml \ - --set 'injector.enabled=true' \ - --namespace foo \ - . | tee /dev/stderr | - yq '.webhooks[0].failurePolicy' | tee /dev/stderr) - [ "${actual}" = "\"Ignore\"" ] -} - -@test "injector/MutatingWebhookConfiguration: can set failurePolicy" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-mutating-webhook.yaml \ - --set 'injector.enabled=true' \ - --set 'injector.failurePolicy=Fail' \ - . | tee /dev/stderr | - yq '.webhooks[0].failurePolicy' | tee /dev/stderr) - - [ "${actual}" = "\"Fail\"" ] -} - -#-------------------------------------------------------------------- -# annotations - -@test "injector/MutatingWebhookConfiguration: default annotations" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-mutating-webhook.yaml \ - . | tee /dev/stderr | - yq -r '.metadata.annotations' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - -@test "injector/MutatingWebhookConfiguration: specify annotations yaml" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-mutating-webhook.yaml \ - --set 'injector.webhookAnnotations.foo=bar' \ - . | tee /dev/stderr | - yq -r '.metadata.annotations.foo' | tee /dev/stderr) - [ "${actual}" = "bar" ] -} - -@test "injector/MutatingWebhookConfiguration: specify annotations yaml string" { - cd `chart_dir` - local actual=$(helm template \ - --show-only templates/injector-mutating-webhook.yaml \ - --set 'injector.webhookAnnotations=foo: bar' \ - . | tee /dev/stderr | - yq -r '.metadata.annotations.foo' | tee /dev/stderr) - [ "${actual}" = "bar" ] -} +} \ No newline at end of file diff --git a/values.schema.json b/values.schema.json index 40e3dd8..981bb7c 100644 --- a/values.schema.json +++ b/values.schema.json @@ -374,6 +374,32 @@ "string" ] }, + "webhook": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "failurePolicy": { + "type": "string" + }, + "matchPolicy": { + "type": "string" + }, + "namespaceSelector": { + "type": "object" + }, + "objectSelector": { + "type": "object" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, "webhookAnnotations": { "type": [ "object", diff --git a/values.yaml b/values.yaml index db7c484..20d85d5 100644 --- a/values.yaml +++ b/values.yaml @@ -90,6 +90,61 @@ injector: # Configures all Vault Agent sidecars to revoke their token when shutting down revokeOnShutdown: false + webhook: + # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the + # API Version of the WebHook. + # To block pod creation while webhook is unavailable, set the policy to `Fail` below. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy + # + failurePolicy: Ignore + + # matchPolicy specifies the approach to accepting changes based on the rules of + # the MutatingWebhookConfiguration. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy + # for more details. + # + matchPolicy: Exact + + # timeoutSeconds is the amount of seconds before the webhook request will be ignored + # or fails. + # If it is ignored or fails depends on the failurePolicy + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts + # for more details. + # + timeoutSeconds: 30 + + # namespaceSelector is the selector for restricting the webhook to only + # specific namespaces. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # Example: + # namespaceSelector: + # matchLabels: + # sidecar-injector: enabled + namespaceSelector: {} + + # objectSelector is the selector for restricting the webhook to only + # specific labels. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector + # for more details. + # Example: + # objectSelector: + # matchLabels: + # vault-sidecar-injector: enabled + objectSelector: {} + + # Extra annotations to attach to the webhook + annotations: {} + + # Deprecated: please use 'webhook.failurePolicy' instead + # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the + # API Version of the WebHook. + # To block pod creation while webhook is unavailable, set the policy to `Fail` below. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy + # + failurePolicy: Ignore + + # Deprecated: please use 'webhook.namespaceSelector' instead # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector @@ -99,6 +154,8 @@ injector: # matchLabels: # sidecar-injector: enabled namespaceSelector: {} + + # Deprecated: please use 'webhook.objectSelector' instead # objectSelector is the selector for restricting the webhook to only # specific labels. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector @@ -109,13 +166,7 @@ injector: # vault-sidecar-injector: enabled objectSelector: {} - # Configures failurePolicy of the webhook. The "unspecified" default behaviour deoends on the - # API Version of the WebHook. - # To block pod creation while webhook is unavailable, set the policy to `Fail` below. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy - # - failurePolicy: Ignore - + # Deprecated: please use 'webhook.annotations' instead # Extra annotations to attach to the webhook webhookAnnotations: {} From 710915952e78ab7fb6a1a9ce7b1e96f6d29c7934 Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Mon, 21 Mar 2022 09:50:23 -0700 Subject: [PATCH 23/30] VAULT-571 Matching documented behavior and consul (#703) VAULT-571 Matching documented behavior and consul Consul's helm template defaults most of the enabled to the special value `"-"`, which means to inherit from global. This is what is implied should happen in Vault as well according to the documentation for the helm chart: > [global.enabled] The master enabled/disabled configuration. If this is > true, most components will be installed by default. If this is false, > no components will be installed by default and manually opting-in is > required, such as by setting server.enabled to true. (https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled) We also simplified the chart logic using a few template helpers. Co-authored-by: Theron Voran --- CHANGELOG.md | 2 + templates/_helpers.tpl | 47 ++++++++++++++++++++- templates/csi-clusterrole.yaml | 3 +- templates/csi-clusterrolebinding.yaml | 3 +- templates/csi-daemonset.yaml | 3 +- templates/csi-serviceaccount.yaml | 3 +- templates/injector-certs-secret.yaml | 5 ++- templates/injector-clusterrole.yaml | 5 ++- templates/injector-clusterrolebinding.yaml | 3 +- templates/injector-deployment.yaml | 3 +- templates/injector-mutating-webhook.yaml | 3 +- templates/injector-network-policy.yaml | 5 ++- templates/injector-psp-role.yaml | 5 ++- templates/injector-psp-rolebinding.yaml | 5 ++- templates/injector-psp.yaml | 5 ++- templates/injector-role.yaml | 5 ++- templates/injector-rolebinding.yaml | 5 ++- templates/injector-service.yaml | 3 +- templates/injector-serviceaccount.yaml | 3 +- templates/server-clusterrolebinding.yaml | 5 ++- templates/server-config-configmap.yaml | 5 ++- templates/server-discovery-role.yaml | 5 ++- templates/server-discovery-rolebinding.yaml | 5 ++- templates/server-disruptionbudget.yaml | 5 ++- templates/server-ha-active-service.yaml | 5 ++- templates/server-ha-standby-service.yaml | 5 ++- templates/server-headless-service.yaml | 3 +- templates/server-ingress.yaml | 5 ++- templates/server-psp-role.yaml | 5 ++- templates/server-psp-rolebinding.yaml | 5 ++- templates/server-psp.yaml | 5 ++- templates/server-service.yaml | 3 +- templates/server-serviceaccount.yaml | 3 +- templates/server-statefulset.yaml | 5 ++- templates/tests/server-test.yaml | 3 +- templates/ui-service.yaml | 6 +-- test/unit/csi-daemonset.bats | 2 +- test/unit/injector-deployment.bats | 12 +++++- test/unit/injector-psp-role.bats | 4 +- test/unit/injector-psp-rolebinding.bats | 4 +- test/unit/injector-psp.bats | 4 +- test/unit/injector-service.bats | 2 +- test/unit/schema.bats | 16 +++---- test/unit/server-test.bats | 13 +++++- test/unit/ui-service.bats | 12 ++++++ values.schema.json | 20 +++++++-- values.yaml | 10 +++-- 47 files changed, 229 insertions(+), 64 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7b90f48..ffa45d8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,8 @@ ## Unreleased CHANGES: +* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703) +* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703) * Vault default image to 1.9.3 * CSI provider default image to 1.0.0 diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 9452698..144008e 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -31,6 +31,50 @@ Expand the name of the chart. {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Compute if the csi driver is enabled. +*/}} +{{- define "vault.csiEnabled" -}} +{{- $_ := set . "csiEnabled" (or + (eq (.Values.csi.enabled | toString) "true") + (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the injector is enabled. +*/}} +{{- define "vault.injectorEnabled" -}} +{{- $_ := set . "injectorEnabled" (or + (eq (.Values.injector.enabled | toString) "true") + (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server is enabled. +*/}} +{{- define "vault.serverEnabled" -}} +{{- $_ := set . "serverEnabled" (or + (eq (.Values.server.enabled | toString) "true") + (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server service is enabled. +*/}} +{{- define "vault.serverServiceEnabled" -}} +{{- template "vault.serverEnabled" . -}} +{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}} +{{- end -}} + +{{/* +Compute if the ui is enabled. +*/}} +{{- define "vault.uiEnabled" -}} +{{- $_ := set . "uiEnabled" (or + (eq (.Values.ui.enabled | toString) "true") + (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + {{/* Compute the maximum number of unavailable replicas for the PodDisruptionBudget. This defaults to (n/2)-1 where n is the number of members of the server cluster. @@ -51,9 +95,10 @@ Set the variable 'mode' to the server mode requested by the user to simplify template logic. */}} {{- define "vault.mode" -}} + {{- template "vault.serverEnabled" . -}} {{- if .Values.injector.externalVaultAddr -}} {{- $_ := set . "mode" "external" -}} - {{- else if ne (.Values.server.enabled | toString) "true" -}} + {{- else if not .serverEnabled -}} {{- $_ := set . "mode" "external" -}} {{- else if eq (.Values.server.dev.enabled | toString) "true" -}} {{- $_ := set . "mode" "dev" -}} diff --git a/templates/csi-clusterrole.yaml b/templates/csi-clusterrole.yaml index a19e520..ec6a3d2 100644 --- a/templates/csi-clusterrole.yaml +++ b/templates/csi-clusterrole.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/templates/csi-clusterrolebinding.yaml b/templates/csi-clusterrolebinding.yaml index 63d69c7..d5b62a5 100644 --- a/templates/csi-clusterrolebinding.yaml +++ b/templates/csi-clusterrolebinding.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 4308890..5c21752 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} apiVersion: apps/v1 kind: DaemonSet metadata: diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml index eb9a784..8d6fa53 100644 --- a/templates/csi-serviceaccount.yaml +++ b/templates/csi-serviceaccount.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/templates/injector-certs-secret.yaml b/templates/injector-certs-secret.yaml index e0d96b2..e88685b 100644 --- a/templates/injector-certs-secret.yaml +++ b/templates/injector-certs-secret.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: v1 kind: Secret metadata: @@ -9,3 +11,4 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-clusterrole.yaml b/templates/injector-clusterrole.yaml index 4ff25ab..6a0d6be 100644 --- a/templates/injector-clusterrole.yaml +++ b/templates/injector-clusterrole.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -10,7 +11,7 @@ metadata: rules: - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations"] - verbs: + verbs: - "get" - "list" - "watch" diff --git a/templates/injector-clusterrolebinding.yaml b/templates/injector-clusterrolebinding.yaml index 35d30b3..4c193f8 100644 --- a/templates/injector-clusterrolebinding.yaml +++ b/templates/injector-clusterrolebinding.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index 95e2c2d..9a50c7d 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} # Deployment for the injector apiVersion: apps/v1 kind: Deployment diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml index b0a6ac0..f873f61 100644 --- a/templates/injector-mutating-webhook.yaml +++ b/templates/injector-mutating-webhook.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} apiVersion: admissionregistration.k8s.io/v1 {{- else }} diff --git a/templates/injector-network-policy.yaml b/templates/injector-network-policy.yaml index 7a399a5..68892d2 100644 --- a/templates/injector-network-policy.yaml +++ b/templates/injector-network-policy.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.openshift | toString) "true" }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -19,3 +21,4 @@ spec: - port: 8080 protocol: TCP {{ end }} +{{ end }} diff --git a/templates/injector-psp-role.yaml b/templates/injector-psp-role.yaml index 20c87bb..5d23c75 100644 --- a/templates/injector-psp-role.yaml +++ b/templates/injector-psp-role.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -15,3 +17,4 @@ rules: resourceNames: - {{ template "vault.fullname" . }}-agent-injector {{- end }} +{{- end }} diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml index d6d0d5e..4f6b0a8 100644 --- a/templates/injector-psp-rolebinding.yaml +++ b/templates/injector-psp-rolebinding.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -16,3 +18,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-agent-injector {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-psp.yaml b/templates/injector-psp.yaml index c024ac1..1eee2fc 100644 --- a/templates/injector-psp.yaml +++ b/templates/injector-psp.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -41,3 +43,4 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml index c8ecfdd..08c8264 100644 --- a/templates/injector-role.yaml +++ b/templates/injector-role.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -24,3 +26,4 @@ rules: - "patch" - "delete" {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-rolebinding.yaml b/templates/injector-rolebinding.yaml index 401873f..ea0db11 100644 --- a/templates/injector-rolebinding.yaml +++ b/templates/injector-rolebinding.yaml @@ -1,4 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -17,3 +19,4 @@ subjects: name: {{ template "vault.fullname" . }}-agent-injector namespace: {{ .Release.Namespace }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/injector-service.yaml b/templates/injector-service.yaml index 3138b7a..5e747d6 100644 --- a/templates/injector-service.yaml +++ b/templates/injector-service.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: v1 kind: Service metadata: diff --git a/templates/injector-serviceaccount.yaml b/templates/injector-serviceaccount.yaml index a28d38f..ebc57b5 100644 --- a/templates/injector-serviceaccount.yaml +++ b/templates/injector-serviceaccount.yaml @@ -1,4 +1,5 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index e5e0f5f..2db23a5 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -1,5 +1,7 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} @@ -22,3 +24,4 @@ subjects: name: {{ template "vault.serviceAccount.name" . }} namespace: {{ .Release.Namespace }} {{ end }} +{{ end }} diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index b8093ad..969dcf3 100644 --- a/templates/server-config-configmap.yaml +++ b/templates/server-config-configmap.yaml @@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} +{{- if ne .mode "dev" -}} {{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}} apiVersion: v1 kind: ConfigMap @@ -36,3 +38,4 @@ data: {{- end }} {{- end }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index 4a39cec..3e8544c 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml @@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -17,3 +19,4 @@ rules: verbs: ["get", "watch", "list", "update", "patch"] {{ end }} {{ end }} +{{ end }} \ No newline at end of file diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 4752665..8ceb482 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml @@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} @@ -25,3 +27,4 @@ subjects: namespace: {{ .Release.Namespace }} {{ end }} {{ end }} +{{ end }} \ No newline at end of file diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index 3c45cc0..60fc844 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml @@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" -}} -{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} +{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} # PodDisruptionBudget to prevent degrading the server cluster through # voluntary cluster changes. apiVersion: policy/v1beta1 @@ -22,3 +24,4 @@ spec: component: server {{- end -}} {{- end -}} +{{- end -}} \ No newline at end of file diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 88ad806..525fc8c 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} # Service for active Vault pod apiVersion: v1 kind: Service @@ -40,3 +42,4 @@ spec: vault-active: "true" {{- end }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 014d6b5..03260ff 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} # Service for standby Vault pod apiVersion: v1 kind: Service @@ -40,3 +42,4 @@ spec: vault-active: "false" {{- end }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index 7e564c0..fffaaac 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} # Service for Vault cluster apiVersion: v1 kind: Service diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 48c76a8..c81e5f5 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -4,7 +4,9 @@ {{- if .Values.server.ingress.enabled -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}} {{- $serviceName := include "vault.fullname" . -}} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.ingress.activeService | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- end }} {{- $servicePort := .Values.server.service.port -}} @@ -72,3 +74,4 @@ spec: {{- end }} {{- end }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml index fd12e1e..608624b 100644 --- a/templates/server-psp-role.yaml +++ b/templates/server-psp-role.yaml @@ -1,5 +1,7 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -16,3 +18,4 @@ rules: resourceNames: - {{ template "vault.fullname" . }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml index b2a43c8..f6255eb 100644 --- a/templates/server-psp-rolebinding.yaml +++ b/templates/server-psp-rolebinding.yaml @@ -1,5 +1,7 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -17,3 +19,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-psp.yaml b/templates/server-psp.yaml index 2d94268..cca6883 100644 --- a/templates/server-psp.yaml +++ b/templates/server-psp.yaml @@ -1,5 +1,7 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -45,3 +47,4 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/server-service.yaml b/templates/server-service.yaml index b1dc3c3..3a9b0e7 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} # Service for Vault cluster apiVersion: v1 kind: Service diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index 925b166..4ff73a6 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml @@ -1,5 +1,6 @@ {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} {{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }} apiVersion: v1 kind: ServiceAccount diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index cbcda96..7deea5e 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -1,6 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- if ne .mode "" }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} # StatefulSet to run the actual vault server cluster. apiVersion: apps/v1 kind: StatefulSet @@ -206,3 +208,4 @@ spec: {{ template "vault.volumeclaims" . }} {{ end }} {{ end }} +{{ end }} \ No newline at end of file diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index d983b9d..ef1aae8 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml @@ -1,6 +1,7 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverEnabled" . -}} +{{- if .serverEnabled -}} apiVersion: v1 kind: Pod metadata: diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index ea27de2..d45afdd 100644 --- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml @@ -1,7 +1,8 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} -{{- if eq (.Values.ui.enabled | toString) "true" }} +{{- template "vault.uiEnabled" . -}} +{{- if .uiEnabled -}} + apiVersion: v1 kind: Service metadata: @@ -34,4 +35,3 @@ spec: {{- include "service.loadBalancer" .Values.ui }} {{- end -}} {{- end }} -{{- end }} diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 61ef1ef..23b43cc 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -27,7 +27,7 @@ load _helpers --set "global.enabled=false" \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } # priorityClassName diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 93f8a0f..bfbd3eb 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats @@ -26,12 +26,22 @@ load _helpers local actual=$( (helm template \ --show-only templates/injector-deployment.yaml \ --set 'global.enabled=false' \ - --set 'injector.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } +@test "injector/deployment: enable with injector.enabled true and global.enabled false" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'global.enabled=false' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "injector/deployment: image defaults to injector.image" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/injector-psp-role.bats b/test/unit/injector-psp-role.bats index c6dc522..8e7acd7 100644 --- a/test/unit/injector-psp-role.bats +++ b/test/unit/injector-psp-role.bats @@ -22,7 +22,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/PodSecurityPolicy-Role: disable with global.enabled" { +@test "injector/PodSecurityPolicy-Role: ignore global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/injector-psp-role.yaml \ @@ -31,5 +31,5 @@ load _helpers --set 'global.psp.enable=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } diff --git a/test/unit/injector-psp-rolebinding.bats b/test/unit/injector-psp-rolebinding.bats index f8a8255..88bfe79 100644 --- a/test/unit/injector-psp-rolebinding.bats +++ b/test/unit/injector-psp-rolebinding.bats @@ -22,7 +22,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/PodSecurityPolicy-RoleBinding: disable with global.enabled" { +@test "injector/PodSecurityPolicy-RoleBinding: ignore global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/injector-psp-rolebinding.yaml \ @@ -31,5 +31,5 @@ load _helpers --set 'global.psp.enable=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } diff --git a/test/unit/injector-psp.bats b/test/unit/injector-psp.bats index fa14b0f..a415358 100644 --- a/test/unit/injector-psp.bats +++ b/test/unit/injector-psp.bats @@ -22,7 +22,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/PodSecurityPolicy: disable with global.enabled" { +@test "injector/PodSecurityPolicy: ignore global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/injector-psp.yaml \ @@ -31,7 +31,7 @@ load _helpers --set 'global.psp.enable=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } @test "injector/PodSecurityPolicy: annotations are templated correctly by default" { diff --git a/test/unit/injector-service.bats b/test/unit/injector-service.bats index ad48009..027eaa0 100755 --- a/test/unit/injector-service.bats +++ b/test/unit/injector-service.bats @@ -52,7 +52,7 @@ load _helpers --set 'injector.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + [ "${actual}" = "true" ] } @test "injector/Service: generic annotations" { diff --git a/test/unit/schema.bats b/test/unit/schema.bats index a42614b..9a61d7d 100644 --- a/test/unit/schema.bats +++ b/test/unit/schema.bats @@ -7,9 +7,9 @@ load _helpers # schema, setting it as a string fails 'helm template'. @test "schema: csi enabled datatype" { cd `chart_dir` - run helm template . --set csi.enabled="nope" + run helm template . --set csi.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set csi.enabled=true [ "$status" -eq 0 ] @@ -17,9 +17,9 @@ load _helpers @test "schema: injector enabled datatype" { cd `chart_dir` - run helm template . --set injector.enabled="nope" + run helm template . --set injector.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set injector.enabled=true [ "$status" -eq 0 ] @@ -27,9 +27,9 @@ load _helpers @test "schema: server enabled datatype" { cd `chart_dir` - run helm template . --set server.enabled="nope" + run helm template . --set server.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set server.enabled=true [ "$status" -eq 0 ] @@ -37,9 +37,9 @@ load _helpers @test "schema: ui enabled datatype" { cd `chart_dir` - run helm template . --set ui.enabled="nope" + run helm template . --set ui.enabled="123" [ "$status" -eq 1 ] - [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: boolean, given: string" ] + [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: [boolean,string], given: integer" ] run helm template . --set ui.enabled=true [ "$status" -eq 0 ] diff --git a/test/unit/server-test.bats b/test/unit/server-test.bats index 5fd65d5..de82f84 100644 --- a/test/unit/server-test.bats +++ b/test/unit/server-test.bats @@ -66,12 +66,23 @@ load _helpers [ "${actual}" = "true" ] } +@test "server/standalone-server-test-Pod: not disabled with global.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/tests/server-test.yaml \ + --set 'global.enabled=false' \ + --set 'server.enabled=true' \ + --set 'server.standalone.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "server/standalone-server-test-Pod: disable with global.enabled" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/tests/server-test.yaml \ --set 'global.enabled=false' \ - --set 'server.standalone.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index 0603303..384098f 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats @@ -53,6 +53,18 @@ load _helpers [ "${actual}" = "false" ] } +@test "ui/Service: 'disable with global, enable with ui.enabled'" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'global.enabled=false' \ + --set 'server.enabled=true' \ + --set 'ui.enabled=true' \ + . | tee /dev/stderr | + yq -r 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "ui/Service: disable with injector.externalVaultAddr" { cd `chart_dir` local actual=$( (helm template \ diff --git a/values.schema.json b/values.schema.json index 981bb7c..5237848 100644 --- a/values.schema.json +++ b/values.schema.json @@ -43,7 +43,10 @@ "type": "boolean" }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "extraArgs": { "type": "array" @@ -266,7 +269,10 @@ } }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "externalVaultAddr": { "type": "string" @@ -507,7 +513,10 @@ } }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "enterpriseLicense": { "type": "object", @@ -874,7 +883,10 @@ ] }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "externalPort": { "type": "integer" diff --git a/values.yaml b/values.yaml index 20d85d5..4d967f8 100644 --- a/values.yaml +++ b/values.yaml @@ -26,7 +26,8 @@ global: injector: # True if you want to enable vault agent injection. - enabled: true + # @default: global.enabled + enabled: "-" replicas: 1 @@ -266,8 +267,9 @@ injector: # type: RollingUpdate server: - # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details - enabled: true + # If true, or "-" with global.enabled true, Vault server will be installed. + # See vault.mode in _helpers.tpl for implementation details. + enabled: "-" # [Enterprise Only] This value refers to a Kubernetes secret that you have # created that contains your enterprise license. If you are not using an @@ -878,7 +880,7 @@ csi: # This should be a YAML map of the labels to apply to the csi provider pod extraLabels: {} - + # Priority class for csi pods priorityClassName: "" From 460b5e1b65404f82e2d1200d34e4772716cac03f Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Mon, 21 Mar 2022 10:29:03 -0700 Subject: [PATCH 24/30] Update k8s versions (#706) * tests: updating the four most recent k8s versions * bump oldest version to 1.16 * docs, Chart.yaml, and changelog for 1.14 -> 1.16 --- .github/workflows/acceptance.yaml | 2 +- CHANGELOG.md | 1 + Chart.yaml | 2 +- README.md | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml index 644875e..2261ea6 100644 --- a/.github/workflows/acceptance.yaml +++ b/.github/workflows/acceptance.yaml @@ -11,7 +11,7 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.14.10, 1.19.11, 1.20.7, 1.21.2, 1.22.4] + kind-k8s-version: [1.16.15, 1.20.15, 1.21.10, 1.22.7, 1.23.4] runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 diff --git a/CHANGELOG.md b/CHANGELOG.md index ffa45d8..1a93fac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ CHANGES: * Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703) * Vault default image to 1.9.3 * CSI provider default image to 1.0.0 +* Earliest Kubernetes version tested is now 1.16 Improvements: * CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) diff --git a/Chart.yaml b/Chart.yaml index 20e05bc..34fdd4d 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: vault version: 0.19.0 appVersion: 1.9.3 -kubeVersion: ">= 1.14.0-0" +kubeVersion: ">= 1.16.0-0" description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png diff --git a/README.md b/README.md index f95b26f..637f68b 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ The versions required are: * **Helm 3.0+** - This is the earliest version of Helm tested. It is possible it works with earlier versions but this chart is untested for those versions. - * **Kubernetes 1.14+** - This is the earliest version of Kubernetes tested. + * **Kubernetes 1.16+** - This is the earliest version of Kubernetes tested. It is possible that this chart works with earlier versions but it is untested. From 4da0638f3efa5e72ba518d49273bced134bda99e Mon Sep 17 00:00:00 2001 From: gw0 Date: Mon, 28 Mar 2022 13:20:36 +0200 Subject: [PATCH 25/30] Fix values schema to support config in YAML (#684) --- values.schema.json | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/values.schema.json b/values.schema.json index 5237848..39d0765 100644 --- a/values.schema.json +++ b/values.schema.json @@ -566,7 +566,10 @@ ] }, "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "disruptionBudget": { "type": "object", @@ -589,7 +592,10 @@ "type": "object", "properties": { "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "enabled": { "type": "boolean" @@ -822,7 +828,10 @@ "type": "object", "properties": { "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "enabled": { "type": [ From 12444bffb6c9a5fb5651530306a637f675e86066 Mon Sep 17 00:00:00 2001 From: Stephen Herd Date: Mon, 4 Apr 2022 22:26:16 -0700 Subject: [PATCH 26/30] Support policy/v1 disruptionbudget beyond kube 1.21 (#710) Issue #667, adding updates to the disruptionbudget to support new non beta spec beyond kube 1.21 --- CHANGELOG.md | 1 + templates/injector-disruptionbudget.yaml | 2 +- templates/server-disruptionbudget.yaml | 2 +- test/unit/injector-disruptionbudget.bats | 26 +++++++++++++++++++++-- test/unit/server-ha-disruptionbudget.bats | 24 +++++++++++++++++++++ 5 files changed, 51 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1a93fac..f02bb83 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ CHANGES: Improvements: * CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) * Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683) +* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710) ## 0.19.0 (January 20th, 2022) diff --git a/templates/injector-disruptionbudget.yaml b/templates/injector-disruptionbudget.yaml index 59c9985..b44fd73 100644 --- a/templates/injector-disruptionbudget.yaml +++ b/templates/injector-disruptionbudget.yaml @@ -1,5 +1,5 @@ {{- if .Values.injector.podDisruptionBudget }} -apiVersion: policy/v1beta1 +apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }}-agent-injector diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index 60fc844..fd94ada 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml @@ -5,7 +5,7 @@ {{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} # PodDisruptionBudget to prevent degrading the server cluster through # voluntary cluster changes. -apiVersion: policy/v1beta1 +apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }} kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }} diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats index a0cee27..2f8f50a 100755 --- a/test/unit/injector-disruptionbudget.bats +++ b/test/unit/injector-disruptionbudget.bats @@ -11,6 +11,16 @@ load _helpers [ "${actual}" = "false" ] } +@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + . | tee /dev/stderr | + yq '.spec.minAvailable == 2' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "injector/DisruptionBudget: configure with injector.podDisruptionBudget maxUnavailable" { cd `chart_dir` local actual=$(helm template \ @@ -21,12 +31,24 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { +@test "injector/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-disruptionbudget.yaml \ --set 'injector.podDisruptionBudget.minAvailable=2' \ + --kube-version 1.19.5 \ . | tee /dev/stderr | - yq '.spec.minAvailable == 2' | tee /dev/stderr) + yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + --kube-version 1.22.5 \ + . | tee /dev/stderr | + yq '.apiVersion == "policy/v1"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} \ No newline at end of file diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 9271c01..c98bc66 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats @@ -97,3 +97,27 @@ load _helpers yq '.spec.maxUnavailable' | tee /dev/stderr) [ "${actual}" = "2" ] } + +@test "server/DisruptionBudget: test is apiVersion is set correctly < version 1.21 of kube" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=1' \ + --kube-version 1.19.5 \ + . | tee /dev/stderr | + yq '.apiVersion == "policy/v1beta1"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/DisruptionBudget: test is apiVersion is set correctly >= version 1.21 of kube" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.replicas=1' \ + --kube-version 1.22.5 \ + . | tee /dev/stderr | + yq '.apiVersion == "policy/v1"' | tee /dev/stderr) + [ "${actual}" = "true" ] +} \ No newline at end of file From 4ae52c8bd3d3f4d303196ecb455ae07d9a943ba8 Mon Sep 17 00:00:00 2001 From: "Ethan J. Brown" Date: Tue, 12 Apr 2022 22:54:54 -0700 Subject: [PATCH 27/30] Remove unncessary template calls (#712) - As part of VAULT-571 / #703 in 7109159, a new vault.serverEnabled template was added (and included in vault.mode) Various templates were updated accordingly, but those that were already calling vault.mode had an additonal call to vault.serverEnabled made which was unnecessary Remove those --- templates/server-clusterrolebinding.yaml | 1 - templates/server-config-configmap.yaml | 3 +-- templates/server-discovery-role.yaml | 3 +-- templates/server-discovery-rolebinding.yaml | 3 +-- templates/server-disruptionbudget.yaml | 3 +-- templates/server-ha-active-service.yaml | 2 +- templates/server-psp-role.yaml | 3 +-- templates/server-psp-rolebinding.yaml | 3 +-- templates/server-psp.yaml | 3 +-- templates/server-serviceaccount.yaml | 1 - templates/server-statefulset.yaml | 3 +-- templates/tests/server-test.yaml | 1 - 12 files changed, 9 insertions(+), 20 deletions(-) diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index 2db23a5..e045b9e 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -1,5 +1,4 @@ {{ template "vault.mode" . }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.server.authDelegator.enabled | toString) "true") }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index 969dcf3..f40c696 100644 --- a/templates/server-config-configmap.yaml +++ b/templates/server-config-configmap.yaml @@ -1,6 +1,5 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if ne .mode "dev" -}} {{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}} @@ -38,4 +37,4 @@ data: {{- end }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index 3e8544c..9ca23dd 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml @@ -1,6 +1,5 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} apiVersion: rbac.authorization.k8s.io/v1 @@ -19,4 +18,4 @@ rules: verbs: ["get", "watch", "list", "update", "patch"] {{ end }} {{ end }} -{{ end }} \ No newline at end of file +{{ end }} diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 8ceb482..6e22e4c 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml @@ -1,6 +1,5 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} @@ -27,4 +26,4 @@ subjects: namespace: {{ .Release.Namespace }} {{ end }} {{ end }} -{{ end }} \ No newline at end of file +{{ end }} diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index fd94ada..d940fa4 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml @@ -1,6 +1,5 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" -}} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} # PodDisruptionBudget to prevent degrading the server cluster through @@ -24,4 +23,4 @@ spec: component: server {{- end -}} {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 525fc8c..90761a4 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -42,4 +42,4 @@ spec: vault-active: "true" {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml index 608624b..b8eb897 100644 --- a/templates/server-psp-role.yaml +++ b/templates/server-psp-role.yaml @@ -1,5 +1,4 @@ {{ template "vault.mode" . }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 @@ -18,4 +17,4 @@ rules: resourceNames: - {{ template "vault.fullname" . }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml index f6255eb..fded9fb 100644 --- a/templates/server-psp-rolebinding.yaml +++ b/templates/server-psp-rolebinding.yaml @@ -1,5 +1,4 @@ {{ template "vault.mode" . }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 @@ -19,4 +18,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/server-psp.yaml b/templates/server-psp.yaml index cca6883..d210af3 100644 --- a/templates/server-psp.yaml +++ b/templates/server-psp.yaml @@ -1,5 +1,4 @@ {{ template "vault.mode" . }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: policy/v1beta1 @@ -47,4 +46,4 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index 4ff73a6..2d1a104 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml @@ -1,5 +1,4 @@ {{ template "vault.mode" . }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} {{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }} apiVersion: v1 diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 7deea5e..5cf1597 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -1,7 +1,6 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if ne .mode "" }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} # StatefulSet to run the actual vault server cluster. apiVersion: apps/v1 @@ -208,4 +207,4 @@ spec: {{ template "vault.volumeclaims" . }} {{ end }} {{ end }} -{{ end }} \ No newline at end of file +{{ end }} diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index ef1aae8..56dbee7 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml @@ -1,6 +1,5 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverEnabled" . -}} {{- if .serverEnabled -}} apiVersion: v1 kind: Pod From 87e456754b7ee5578c17d04ed0622b586182357c Mon Sep 17 00:00:00 2001 From: Stephen Herd Date: Thu, 14 Apr 2022 15:16:39 -0700 Subject: [PATCH 28/30] =?UTF-8?q?Issue=20629:=20updated=20to=20allow=20cus?= =?UTF-8?q?tomization=20of=20the=20CLUSTER=5FADDR=20the=20same=E2=80=A6=20?= =?UTF-8?q?(#709)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Issue #629 Updates to allow customization of the CLUSTER_ADDR and unit tests to go with it * Issue-#629 removing extra whitespace I added accidently. * Issue-#629 fixing extra whitespace added. * Update values.yaml Co-authored-by: Joaco Muleiro Beltran * Issue #629 adding changelog Co-authored-by: Joaco Muleiro Beltran --- CHANGELOG.md | 1 + templates/server-statefulset.yaml | 4 +++ test/unit/server-ha-statefulset.bats | 47 +++++++++++++++++++++++++++- values.yaml | 5 +++ 4 files changed, 56 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f02bb83..8454d28 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ Improvements: * CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) * Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683) * Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710) +* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709) ## 0.19.0 (January 20th, 2022) diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 5cf1597..2cae84f 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -109,7 +109,11 @@ spec: fieldRef: fieldPath: metadata.name - name: VAULT_CLUSTER_ADDR + {{- if .Values.server.ha.clusterAddr }} + value: {{ .Values.server.ha.clusterAddr }} + {{- else }} value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" + {{- end }} {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }} - name: VAULT_RAFT_NODE_ID valueFrom: diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 6034cb5..0722c26 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats @@ -417,7 +417,7 @@ load _helpers #-------------------------------------------------------------------- # VAULT_CLUSTER_ADDR renders -@test "server/ha-StatefulSet: cluster addr renders" { +@test "server/ha-StatefulSet: clusterAddr not set" { cd `chart_dir` local object=$(helm template \ --show-only templates/server-statefulset.yaml \ @@ -431,6 +431,51 @@ load _helpers [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] } +@test "server/ha-StatefulSet: clusterAddr set to null" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set 'server.ha.clusterAddr=null' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] +} + +@test "server/ha-StatefulSet: clusterAddr set to custom url" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set 'server.ha.clusterAddr=https://test.example.com:8201' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'https://test.example.com:8201' ] +} + +@test "server/ha-StatefulSet: clusterAddr set to custom url with environment variable" { + cd `chart_dir` + local object=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.raft.enabled=true' \ + --set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-vault-internal:8201' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) + + local value=$(echo $object | + yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) + [ "${value}" = 'http://$(HOSTNAME).release-name-vault-internal:8201' ] +} + #-------------------------------------------------------------------- # VAULT_RAFT_NODE_ID renders diff --git a/values.yaml b/values.yaml index 4d967f8..ed4f80f 100644 --- a/values.yaml +++ b/values.yaml @@ -680,6 +680,11 @@ server: # If set to null, this will be set to the Pod IP Address apiAddr: null + # Set the cluster_addr confuguration for Vault HA + # See https://www.vaultproject.io/docs/configuration#cluster_addr + # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 + clusterAddr: null + # Enables Vault's integrated Raft storage. Unlike the typical HA modes where # Vault's persistence is external (such as Consul), enabling Raft mode will create # persistent volumes for Vault to store data according to the configuration under server.dataStorage. From 230bba4706eaf5b4b305392e6eb7f87a948a0cf2 Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Wed, 27 Apr 2022 09:22:50 -0700 Subject: [PATCH 29/30] VAULT-5838 Update CSI provider to 1.1.0 (#721) * VAULT-5838 Update CSI provider to 1.1.0 * Update test/acceptance/csi.bats Co-authored-by: Theron Voran Co-authored-by: Theron Voran --- CHANGELOG.md | 2 +- test/acceptance/csi.bats | 2 +- values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8454d28..52cab27 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ CHANGES: * `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703) * Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703) * Vault default image to 1.9.3 -* CSI provider default image to 1.0.0 +* CSI provider default image to 1.1.0 * Earliest Kubernetes version tested is now 1.16 Improvements: diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index c7c6549..57b5070 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -17,7 +17,7 @@ check_skip_csi() { kubectl create namespace acceptance # Install Secrets Store CSI driver - CSI_DRIVER_VERSION=1.0.0 + CSI_DRIVER_VERSION=1.1.2 helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \ --wait --timeout=5m \ --namespace=acceptance \ diff --git a/values.yaml b/values.yaml index ed4f80f..891129e 100644 --- a/values.yaml +++ b/values.yaml @@ -825,7 +825,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "1.0.0" + tag: "1.1.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered From 9b43054901c47f2523eaf5dab574c7c7218d1793 Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Wed, 27 Apr 2022 09:58:56 -0700 Subject: [PATCH 30/30] VUALT-5838 Restore Secrets Store CSI driver to 1.0.0 (#722) 1.0.1+ seems to only support Kubernetes 1.19+, so we break support for 1.16 if we upgrade --- test/acceptance/csi.bats | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index 57b5070..c7c6549 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -17,7 +17,7 @@ check_skip_csi() { kubectl create namespace acceptance # Install Secrets Store CSI driver - CSI_DRIVER_VERSION=1.1.2 + CSI_DRIVER_VERSION=1.0.0 helm install secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts/secrets-store-csi-driver-${CSI_DRIVER_VERSION}.tgz?raw=true \ --wait --timeout=5m \ --namespace=acceptance \